Ralph Mupita
Group President and Chief Executive Officer
MTN Group Limited
Gauteng, South Africa.
CC: Karl Toriola, Vice President, Francophone Africa, MTN Group; Lele Modise, Group Chief Legal and Regulatory Affairs Officer, MTN Group; Nompilo Morafo, Group Chief Sustainability and Corporate Affairs Officer, MTN Group; Mohammed Rufai, Managing Director, MTN Congo; Nora Mabiala, Director of Legal and Compliance or Regulatory Affairs, MTN Congo
Dear Mr. Mupita,
We, the undersigned, are writing to you to raise the alarm over allegations of MTN Congo’s enabling of human rights abuses, and to request transparency on the company’s data sharing practices.
Background
Between September and October 2025, reports emerged of an operation that is being conducted by the General Directorate of Presidential Security (DGSP) in Brazzaville, Congo, targeting people who are suspected of being part of the “Kuluna” or “Bébés Noirs” gang. Although there was no formal announcement of the operation by the government, in statements made to journalists on 24 October, 2025, President Denis Sassou N’Guesso has since confirmed that he gave instructions to the DGSP to enforce the crackdown. He further stated that the deployment of the DGSP is now a “permanent mechanism” that is necessary to mitigate urban banditry and violent crimes in the country’s capital and its environs. According to eyewitness statements, sightings of DGSP officers carrying out the operation began on 22 September, 2025. The President has claimed that the deployment of the DGSP is necessary due to the limited manpower of the national police force. However, it is important to note that the DGSP is tasked with the protection of the President’s security, not the maintenance of public order and safety, which rests with the national police according to Law No. 6-2011 of March 2, 2011, Establishing the missions, organization, and functioning of the national police. Authorities have also claimed that the crackdown has led to a reduction in criminal activities. Notwithstanding, these operations are outside of the DGSP’s mandate and are being carried out without judicial oversight. Human rights organizations in Congo such as Centre d’actions pour le Développement (CAD) and the Congolese Observatory for Human Rights (OCDH) have already reported on extra-judicial killings carried out by soldiers of the DGSP, in violation of Articles 8 and Article 9 of the Constitution of the Republic of Congo of 2015, which provide for the protection of the right to life, the abolition of capital punishment, as well as the rights of arrested persons.
MTN Congo’s potential contravention of its policies and the law
As a telecommunications provider in the Republic of Congo, MTN provides mobile and internet connectivity services to its customers in the country. According to the Decree No. 554 of 26 July 2010, mobile service subscribers are required to register their SIM cards with their telecommunications providers, using a legally recognized identity document in order to access these services. Many authorities in Africa, including Congo’s Agence de régulation des postes et des communications électroniques (ARPCE), claim that mandatory SIM registration is necessary to address issues such as cyberfraud. In practice, digital rights experts have actually found that these practices do not mitigate crime and instead enable risks such as data breaches and unlawful surveillance.
MTN is a signatory to the United Nations’ Global Compact and has committed to upholding the UN Guiding Principles on Business and Human Rights (UNGPs), which require companies to prevent or mitigate adverse human rights impacts that may arise as a result of their activities. MTN’s Digital Human Rights Position Statement also states that the company has a responsibility to ensure that it does not infringe on human rights. Furthermore, as a member of the Global Network Initiative (GNI), MTN has committed to upholding the core principles of respecting users’ freedom of expression and privacy rights.
Given these explicit commitments and policies, it is concerning that MTN could have potentially played a role in enabling violations of the very rights it has committed to uphold. According to accounts documented by journalists and human rights organizations such as CAD, the DGSP sent mass SMSs via the official messaging service of MTN Congo to residents of Brazzaville, urging them to send information about suspected “Kuluna” gang members to authorities in exchange for a reward of up to 1,000,000 FCFA (about 1760 USD). As of 2022, MTN Congo had approximately 3,288,000 subscribers, accounting for more than half of the country’s mobile telecom market share. The company’s potential complicity in inducing people to participate in the DGSP’s bounty scheme, in a context where approximately 46.8% of the population lives below the poverty line, can be considered an abuse of its market position and duty of care to its customers. This is particularly concerning, where there have been documented cases of extrajudicial killings carried out by the DGSP during the crackdown on suspected “Kuluna” gang members.
MTN Congo’s actions must remain in line with the principles that govern the processing of personal data as provided by Title 2, Article 5 of the country’s Law No. 29-2019 on Data protection. Congo’s data protection law, along with founding the principles of lawfulness, transparency, and fairness, contains robust provisions on special categories of data, which include data relating to offences. The law also spells out various data subject rights and obligations on data processors in Title III, including data subject rights to be informed, object, and rectify their data. Data controllers and processors such as MTN are charged with the duty to carry out a data protection impact assessment if the processing they intend to carry out results in a high risk to the rights and freedoms of a natural person. On a procedural and administrative note, the data protection law also envisions data processing on behalf of the state, as was supposedly carried out by MTN in this case; and Title II Cap 4 Sec 4 of the same law makes provisions for how this may be done compliantly.
Additionally, they violate regional and international law, in particular: Article 13 of the African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), and the right to privacy as provided by Article 26 of the Constitution of the Republic of Congo of 2015, and Article 17 of the International Covenant of Civil and Political Rights (ICCPR). They also violate the right of data subjects to be informed before their personal data is shared with third parties, such as the DGSP, and to object to such disclosures as provided by Article 18 of the Malabo Convention and Article 15 of Congo’s Data Protection Law. Furthermore, in contexts where authorities have been previously reported to conduct extrajudicial killings, MTN has a duty to prioritize the rights and safety of its customers to ensure that they are not exposed to violations by the DGSP.
Requests
MTN’s Digital Human Rights Due Diligence Framework allows non-governmental entities to report incidents that violate freedom of expression, opinion, data privacy, and information security. The company is then required to assess these incidents and provide remedies to affected customers.
Both the MTN Group and MTN Congo are members of the Global System for Mobile Communications Association (GSMA). The GSMA’s Human Rights Guidance for the Mobile Industry provides members with guidelines to minimize negative impacts on consumers by respecting the rights to privacy and freedom of expression, particularly with regard to law enforcement authorities accessing or restricting information. The GSMA’s “Speak Up” Policy & Procedure for Members and Business Partners allows individuals to report cases of suspected violations of the association’s code of conduct by members. As the parent company of MTN Congo, MTN Group has a responsibility to ensure that its subsidiary’s more than 3.2 million subscribers are protected. To this end, we are requesting that MTN Group:
- Provide a publicly accessible statement explaining how the DGSP was able to send mass SMSs to MTN Congo mobile service subscribers, who received the bounty text messages from the DGSP from September 2025 onwards.
- The commissioning of an independent and publicly accessible investigation into MTN Congo’s potential sharing of subscriber data to law enforcement authorities, examining particularly:
- instances in which law enforcement authorities have been provided with access to subscriber data without judicial oversight;
- the justifications for emergency access requests and the overriding of protocol in these instances, and;
- cases involving disclosure of data to law enforcement authorities regarding persons later subject to abduction, torture, detention, or enforced disappearances.
- An urgent review and ongoing reforms of relevant MTN Group’s policies and practices impacting customer privacy, law enforcement assistance, and transparency and accountability on human rights.
- Outline steps the company will take at the Group level to ensure that subsidiaries adhere to the company’s own policies and commitments.
- Work with civil society and other stakeholders to push back against improper government requests for user data.
We welcome a public response to the serious issues raised in this letter, as a way to show your stakeholders that you take their rights seriously. We would greatly appreciate a formal response from MTN Group for publication by 8 December, 2025. We will make this letter public on 15 December, 2025.
Signatories
Access Now
Centre d’Action pour le développement (CAD)
Collaboration on International ICT Policy for East and Southern Africa (CIPESA)
Forum 2000
Opening Central Africa
Paradigm Initiative (PIN)
Sassoufit Collective