State of Surveillance Tunisia




The State of Surveillance in Tunisia is the result of a collaboration by Privacy International and Nawaat.

Right to Privacy

The constitution

The Constitution of the Second Republic of Tunisia was adopted in January 2014 with a large majority, exactly two years after the coup that removed President Ben Ali from power.

The new Constitution established human rights as a supreme guiding principle. Article 24 enshrines the right to privacy, making the State responsible for:

"... protect[ing] the privacy and inviolability of the home and confidentiality of correspondence, communications and personal data."

Article 32 guarantees the right of access to information:

“The state guarantees the right to information and the right of access to information and communication networks.”

However, Article 49 underlines the necessity and proportionality of limitations to those rights and highlights the discretionary role of the judiciary in any such limitations:

“The limitations that can be imposed on the exercise of the rights and freedoms guaranteed in this Constitution will be established by law, without compromising their essence.

“Any such limitations can only be put in place for reasons necessary to a civil and democratic state and with the aim of protecting the rights of others, or based on the requirements of public order, national defence, public health or public morals, and provided there is proportionality between these restrictions and the objective sought.

“Judicial authorities ensure that rights and freedoms are protected from all violations."

“No amendment may undermine the human rights and freedoms guaranteed in this Constitution.”

Finally, Articles 128 establishes the Human Rights Commission which oversees respect for human rights and conducts investigations into alleged human rights violations.

Regional and international conventions

Tunisia is a signatory of a number of international instruments with privacy implications, including:


Communication Surveillance


The number of individuals using the internet in Tunisia is estimated at 5.4 million — approximately 48.5% of a population of the total 11.15 million population.

The number of data subscriptions has reached 7.8 million by mid-2016. Mobile-broadband plans (3G and 4G) represent 93 % of subscriptions, while 7% are fixed broadband (ADSL). The fixed broadband penetration rate is estimated at 16.2 %, while mobile broadband has reached 64.5 %. 

Three internet service providers (ISPs) share the market of telephony and mobile internet services in Tunisia: Tunisie Télécom (38.8 % of market share), Ooredoo Tunisie (31.8 %), and Orange Tunisie (29.3 %). 

Seven ISPs share the fixed broadband market as follows: Globalnet (17.7 %), Hexabyte (8 %), Ooredoo Internet (4.4 %), Orange Internet (17.4 %), Topnet (49.3 %), FSI Publics (2 %), and Tunisie Télécom (1 %). Since December 2015, British Lycamobile launched services in Tunisia, offering international and domestic calls, as well as data services. 

During the first half of 2016, the INT noted a negative trend in the evolution of the telecom market with an overall stagnation in the number of subscriptions and decline in revenue for operators.

Surveillance laws

A large corpus of laws and amendments governs the telecommunications sector in Tunisia. Though no legislation addresses the intelligence sector per se, many do have privacy implications. These include:

Surveillance actors

Intelligence and security agencies

The DSE, the largest intelligence agency under President Ben Ali was abolished immediately after the revolution in 2012. During the months of confusion that followed his departure, the Minister of Interior, Farhat Rahji froze the activities of several intelligence services including the Directorate General of Specialized Affairs (DGAS), an important intelligence unit within the ministry.

The Directorate General of Anti-Terrorist Prevention (DPAT) and the Joint Committee For Intelligence and Border Control (CCRF) headed by the Central Directorate of General Intelligence (DCRG) were also disbanded.

The Tunisian interim government was quickly faced with a serious security crisis, having to strengthen its intelligence capabilities in the face of mounting jihadist attacks and security challenges, while also ensuring that past abuses would not be repeated.

By the spring of 2012, the government embarked on drafting plans for the creation of a new spy agency —the National Intelligence Agency (ANR), which would be devoted to the defense of national security. The future agency, the government promised, would be accountable, transparent, and politically neutral. It would be responsible for establishing operational units to intervene on the ground while also coordinating surveillance efforts.

By late November 2014, the government set up a new military intelligence agencycalled Agence des Renseignements et de la Sécurité pour la Défense (ARSD) working under the authority of the Ministry of Defence. The new body replaces the old regime military intelligence apparatus.

The same month, the Ministry of Interior announced the creation of a central Strategic Planning Unit to drive a strategic reform plan aimed at the security sector. The Unit was created with the support of the British government. The Unit would work to improve “the Ministry’s efficiency and effectiveness, to manage risk, pre-emptively tackle security threats through forward planning, address key threats such as border security and terrorism, and improve security for all Tunisians.” The UK-funded plan was implemented by British security company Aktis Strategy.

In December 2014, the government of then-Prime Minister Mehdi Jomaa decided to consolidate the intelligence structures in an effort to coordinate the fight against jihadism and organized crime, bringing together the Interior, Defence, Justice and Foreign Affairs under two “poles”: the Pôle sécuritaire (Security unit) and Pôle Judiciaire (Judicial unit).

In November 2015, a deadly blast ripped through a bus carrying security officers tasked with guarding the Tunisian President. A state of emergency was declared for a period of a month. A few days afterwards, Abderrahmen Ben Hadj, a former security official during the Ben Ali era, was appointed to lead “State Security,” raising fears of a return to the repressive practices of the past.

Plans for the creation of a national intelligence agency, approved by the cabinet in 2014, were still under review by the National Security Council in mid-2016. The proposed agency would no longer fall under the authority of Ministry of Interior, but rather would report directly to the President of the Republic. It would be subject to strict controls by the ministry and parliament.

Armed forces

The Tunisian armed forces, generally well-respected among the population because of their distance from the old regime, have historically been subordinated to civilian authority. They have provided a critical internal security function during the transitional period following the revolution. In recent years their role subsided, however, in favor of the Ministry of Interior.

Internal security forces

The internal security forces under the authority of the Ministry of Interior include:

  • the police, operating in urban areas;
  • the National Guard, or gendarmerie, which operates in rural areas;
  • the Judicial Police, the investigative arm of the judiciary and the security services;
  • the Intervention Forces (SWAT forces); and
  • the Presidential Guard Forces, whose duty is to protect the President and his family.

The legacy of the old regime remains palpable years after the revolution. The lack of transparency, and lack of parliamentary or government oversight over these forces perpetuates fear and mistrust among Tunisians.

Surveillance capabilities

Under President Ben Ali’s rule, political opponents were placed under physical and electronic surveillance. 'Big Brother' had an alias: Ammar 404, named for the error message which occurred when internet users would attempt to connect to a censored website.

Dissident bloggers and activists were often arrested and forced to give up the passwords to their email and social media accounts. Through the mid-2000s, the regime reportedly used “homemade solutions,” to peer into the content of emails. Tunisian software developers used Postfix, a free, open-source mail management program, to scan traffic.

Emails of political dissidents were routinely hacked or intercepted in transit using deep-packet inspection (DPI) technology —sometimes their content was tampered with. DPI infrastructure was provided to the Tunisian government by the American companies Blue Coat System and Netapp and by the German company Utimaco Gmbh.

Trovicor, a former subsidiary of Siemens AG and Nokia Siemens Network, a company headquartered in Munich, specializing in computer monitoring techniques, also provided the government with voice and data interception technologies. The company also provided Tunisia's phone companies with eavesdropping capabilities and maintained their technical ability to feed data to listening stations, one of which was Ben Ali's own presidential palace.

Another company, Sundby ETI A/S, a Denmark-based subsidiary of BAE Systems, supplied the government with mobile data interception technlogy. ETI’s product(thought to be named “X-Stream”) is said to be capable of tracking users’ browsing habits and recording logs of emails.

In September 2013, Wikileaks published the “Spy Files”, a trove of documents from 92 global intelligence contractors. Among these documents was evidence that that German company ATIS Huer sold a surveillance system named Klarios to Ben Ali’s government. The system “integrate[d] lawful interception and monitoring.” It included “satellite monitoring, data retention and traffic monitoring.” 

The monitoring of the Web was made easy by the very infrastructure of Tunisia’s data flow. The government channelled virtually all traffic through the National Internet Agency (ATI). The ATI, created by Ben Ali in 1996, was the principal national internet service provider that also acted as an internet exchange point and the official registrar and manager of national domain names.

Run by the Ministry of Communications, it served for over a decade as the epicenter of internet censorship and surveillance. After the revolution, the agency opened its doors and, under a new leadership, tried to change its mission to become a champion of technological innovation.

However, a decision of the Court of Appeals of 15 August 2011 to prohibit access to pornographic content seemed to be dragging the ATI back to one of its original roles: censorship. The court ordered the ATI to implement a filtering system to prevent access to pornographic content —a decision that Human rights organisations condemned as a return to internet filtering practices.

Due to technical difficulties and to the colossal cost that the filtering order would have entailed, the court decision was never implemented. In recent years, the agency changed its name to Société Tunisie Internet. It also embarked on an ambitious mission to promote internet usage at all levels of society.

Surveillance oversight, checks and balances

Criminal investigations

The government announced the creation of the Technical Agency for Telecommunications (ATT), through Decree No. 2013-4506 in November 2013.

The ATT, which works under the supervision of the Ministry of Communication and Information Technologies, is the technical arm of the judicial branch. In practice, it conducts communications surveillance operations on behalf of the prosecution to collect data that can later serve as evidence before the courts.

The ATT is required to comply with international treaties relating to human rights and to the protection of personal data. However, the relative legal vacuum still surrounding the issue of privacy and the lack of a clear legal definition of cybercrime have led many in Tunisia to view the powers granted the agency with apprehension.

To dispel fears, the government embarked in January 2014 in the drafting of a “cyber law”, a bill “inspired by the Budapest Convention on Cybercrime” that would also govern the work of the ATT, according to one official.

A draft of the law leaked to the media in July 2014 seemed to only further confuse the matter, as it included language that many saw as “an open door to repression on the Net and to future legal entanglements.”

While the bill was being discussed, a commission was setup on 30 July 2014 to monitor and control the work of the ATT, pursuant to Decree 2014-2891.

Security and intelligence operations

In the summer of 2015, a new piece of legislation was enacted by the parliament: Law No. 26 on the Fight Against Terrorism. The new law describes the legal framework for the interception and the monitoring of communications as part of a criminal investigations relating to a terrorist threat.

Lawful surveillance is subject to the oversight and authority of the judicial branch. It must be warranted by a judicial order issued by either an Investigative Judge or the Prosecutor of the Republic. The order must identify the specific types of communications subject to interception and/or monitoring for a period that cannot exceed four months, and that can only be renewed once.

Data can be collected by the ATT, and from the servers of telecom operators and internet service providers. The law requires investigators to keep a written record of their surveillance operation at all times.

The new law also set up the National Commission to Fight Terrorism, an anti-terrorist standing committee tasked with leading the antiterrorism effort. Privacy advocates have, however, strongly denounced "the vast powers the law has granted security forces." They identified a number of provisions within the law that, they say, may open the door for abuse. For example, the new legislation provides wide-ranging immunity to investigators. It provides vast discretionary powers to the police. It challenges, in the name of vague concepts like “national security” and “public order”, many of the achievements brought about by the 2014 Constitution and the data protection law—in particular, it threatens the right to privacy by making surveillance, especially the use of techniques like wiretapping, administratively simple. It also sidelines the data protection authority, INPDP, which, conspicuously enough, was not made party to the anti-terrorist standing committee.

Safeguards regarding service providers

The Instance Nationale des Télécommunications (INT) is the telecommunications regulator. The authority was created pursuant to Article 63 of the Telecommunications Code enacted in 2001.

The INT is involved in promoting the development of the sector. It adjudicates competition matters between market players. In addition, the INT is endowed with law enforcement powers. It investigates telecommunications operators and monitors their compliance with the law in terms of quality and safety of service.

However, many of INT’s injunctions against offending operators have remained unanswered, raising serious questions about the authority’s ability to enforce its decisions.

Surveillance case law

We are not aware of any specific examples of surveillance case law in Tunisia. Please send any tips or information to:

Examples of surveillance

Under the government of President Ben Ali, multiple examples ofsurveillance of citizens were reported. Bloggers and activists were arrested and detained and requested to disclose the passwords to their email and Facebook accounts. Diplomatic cables from the US embassy in Tunisia released by WikiLeaks have also documented surveillance of activists who had been trying to reach out to foreign diplomats for help. One cable condemned the situation as “a culture of paranoia about dealing with foreign governments” originating from the Ministry of Interior.

The surveillance and pressure on embassy workers is also described at great length. In another cable, US diplomats described the surveillance of the embassy observation teams, in charge of monitoring the proper proceedings of the national elections in 2009. In a 2009 report about the state of human rights in Tunisia, the US embassy mentioned that human rights groups were surveilled by the government.

The post-revolution era brought about a shift in priorities. The government seems to be now focused on the fight against terrorism. In May 2016, the government announced the installation of over 1,000 surveillance cameras in 300 “electronic checkpoints” all across the capital city, Tunis, and in “sensitive” governorates across the country in Kasserine, Kef, Jendouba and Sidi Bouzid —an apparent prelude to their installation throughout the entire national territory. Little is known of any oversight mechanism regarding this measure.


Data Protection

Data protection laws

The National Authority for Personal Data Protection (INPDP) was created in 2004 through Law No. 63 which established the personal data protection regime. In 2007, Decree No. 3003 defined its organization and functioning.

The law requires private data controllers to apply for authorisation from the INPDP prior to processing personal data or transferring it abroad.

The INPDP is also mandated to investigate privacy violations and to report to the government. It can also bring violators before the courts. At a rare press conference in May 2016 in Tunis, the head of the INPDP, Chawki Gaddes, listed some of the “most serious” violations that his institution has confronted. They included, among other violations, the unlawful harvesting of biometric data; the unlawful installation of surveillance cameras; the illegal use of personal data by telemarketers; the “wild transfers” of personal data abroad through offshore data servers; and the unauthorized transfer of patients’ medical data between healthcare providers.

Unlike the private sector, the government enjoys large exemptions with regards to the processing of personal data. The executive branch and the judicial branch are granted vast discretionary powers in matters related to “national security”, and in dealing with “sensitive data.” Privacy advocates have long called for a review of Law No. 63 to give the INPDP more independence from the executive branch and to expand its field of intervention so as to hold the government more accountable.

Accountability mechanisms

Freedom of information

Under President Ben Ali, there was no legal framework to guarantee freedom of information. It took a revolution for laws restricting both freedom of expression and information to be abrogated and for a new culture of accountability and transparency to begin to emerge.

Decree-Law No. 41 on the Access to Administrative Documents of Government Bodies was issued only a few months after the toppling of the old regime. It came into effect on 26 May 2011

Under the new law, citizens were able to access “all documents produced or received by government agencies as part of their public service duty, whatever the date of the said documents, their form or medium.” The government followed up one year later by a directive (No. 25) calling on all government institutions and agencies to grant citizens access to publicly held information. The directive defined the scope of administrative information that the government must make public if requested.

As early as November 2011, the restrictive Press Code in force under the previous government was abrogated. Decree No 2011-115 Relating to Freedom of the Press, Printing and Publishing was enacted reaffirming the right of access to information and granting journalists explicit protections with regards to their sources.

A new constitution adopted in January 2014 stated in its Article 32 that "The state guarantees the right to information and the right of access to information and communication networks.” After much debate, Law No. 2016-22 on the Right of Access to Information was finally adopted by parliament in March 2016. The next step will involve the creation of an independent authority to oversee the proper implementation of the law.

Public institutions subject to the law include the Presidency, the Prime Minister’s office, the judiciary, the parliament, local and regional governorates, as well as all publicly-funded organisations, including NGOs that receive state subsidies.

Requirements that requesters provide their ID number were dropped, as were requirements that requests for information be justified. The onus is on the state to justify a refusal to disclose publicly-held information. Requesting information is free of charge.

Limitations on the right to access information are fairly limited but remain open to interpretation, according to Article 24:

“The relevant body shall not refuse access to information unless such access could damage the public security or the national defense or International related relations or Rights of others in protecting their private life and personal data and their intellectual property rights.”

These limitations are not absolute, however. The law underlines the fact that exemptions shall be subject to a “prejudice test”: the damage that can be caused by the disclosure of the information “shall be submitted to the evaluation of the general public” before providing or refusing the access. Also taken into account is “the proportionality between the interests to be protected and the purpose of the request.”

Consumer protection Consumer protection law in Tunisia dates back to 1992. Law No. 63 (2004) establishing the data protection authority, INPDP, has offered a legal framework for ensuring that the processing of consumers’ personal data is in line with their fundamental rights.   In a recent public statement, Chawki Gaddes, the head of the INPDP, laid out an assessment of the complaints received by his organisation. Most were related to “harassment through unsolicited SMS text messages”.   The INPDP also identified a series of behaviors prejudicial to the privacy of consumers. For example, some banks published clients’ national ID numbers, which were consequently made available online and easily retrievable through popular web search engines. The INPDP also established that 92 % of respondents to market surveys were not given the opportunity to consent to, or otherwise reject the use of their personal data. Also, membership forms provided to clients often did not provide an option for consumers to decide on the fate of their personal data.


The INPDP also identified the widespread illegal practice of tying the provision of services and advantages by companies to a client’s acceptance of the processing of personal data or their use for purposes other than those for which they were collected. In another case, the INPDP found that the health data of patients was posted on the website of a private testing laboratory.

Human rights provisions

Article 128 of the Tunisian Constitution establishes the Human Rights Commission, an authority with investigative and law enforcement powers, responsible for making sure that the government as well as the private sector respect citizens’ fundamental rights, including the right to privacy.

Moreover, Organic Law No. 2013-53 on the Establishment of Transitional Justice stipulates that, even in the context of the right of access to information, the protection of privacy and the protection of the dignity of victims which comes with it are paramount.  It states:

"The revelation of the truth about violations is a right guaranteed by the law for all citizens, taking into account the interests and dignity of victims and without prejudice to the protection of personal data"

Finally, Article 14 of Organic Law No. 2013-43 on the National Authority for the Prevention of Torture protects whistleblowers who reveal serious human rights violations:

"While respecting legislation on the protection of personal data, no person can be prosecuted for having disclosed information or exposing secrets relating to the practice of torture or informing about its authors."

Data breaches: case law

We are not aware of any specific examples of case law related to data breaches in Tunisia. Please send any tips or information to:

Examples of data breaches

We are not aware of any specific examples of data breaches in Tunisia. Please send any tips or information to:


Identification Schemes

ID cards and databases

In December 2014, the Tunisian government revealed that the country was set to launch an electronic ID card and biometric passports by the end of 2016. The new biometric documents (containing each a photograph and scanned fingerprints) will gradually replace the current identity papers.

According to one U.S. State Department report on terrorism published in June 2016, Tunisia maintains a DNA database and has expressed an interest in becoming a Combined DNA Index System member. The system (also known as CODIS) is an American program (and software) run by the US' Federal Bureau of Investigation to support members’ criminal justice DNA databases.

The same report claims that, as of late 2015, Tunisia did not share its biometric data with other countries.

Voter registration

The High Independent Authority for the Elections (ISIE) is a constitutional body created in 2012. It is responsible for the monitoring of the elections in Tunisia.

Election law (Organic Law No. 2012-23) stipulates in its Article 23 that "It is forbidden to use personal data collected from the High Independent Authority for the Elections outside of the electoral process, in accordance with the legislation on the protection of personal data."

In 2014, the ISIE recommended the adoption of a system with a unique identifier (or IUC) for voters. The IUC identifier could draw data from a set of documents including the national ID card, the passport, the civil registration record. The ISIE made its recommendations as part of a final report on the parliamentary and presidential elections of 2014. The system is set to be put in place in time for the upcoming municipal elections due in October 2016.

This decision raised serious concerns among privacy advocates who denounced the legal vacuum surrounding the proposed system.

SIM card registration

Mobile phone customers in Tunisia are required to present documentary evidence to prove their identity upon purchase of a SIM card. Telecom operators keep records of customers’ data, including identities, dates of birth, postal addresses, and national identity numbers (CIN).

In March 2014, the government tightened the rules required for allocating SIM cards in an apparent effort to fight terrorism. Pursuant to that effort, in July 2014, the telecom regulator INT threatened operators who failed to comply with the regulations with sanctions. Orange Tunisia, in particular, was required to impose stricter rules in identifying its customers.


Policies and Sectoral Initiatives

Cybersecurity policy

The National Agency for Computer Security (ANSI) was created in 1999 pursuant to Decree 99-2768.

Its role is the controlling the nation's information systems and ensuring the implementation of a general security strategy. It does also conduct periodic audits of the systems.

ANSI also hosts "TunCERT", the emergency response team responsible for monitoring and supervising responses to cyber attacks. TunCERT also offers advice on how to prevent such attacks on vulnerable or sensitive infrastructure.


A draft law on cybercrime has been under development since 2014. The public had the opportunity to take a look at an early draft of the law when it was leaked to the media in the summer of 2014.

The document raised concerns among freedom of expression and privacy advocates who saw in the vague provisions an open door for abuse.The leaked document provided for heavy prison sentences and hefty fines for the spreading of content “showing obscene acts and assaulting good morals,” or that which “incites to immorality.” The draft also seems to grant the government broad discretionary powers and unwarranted access to communications data.

The government promised in late 2015 to submit the bill to public debate and to include civil society organisations before submitting it to the parliament for adoption.


The Telecommunications Code, first enacted in 2001, details the conditions and procedures pertaining to the encryption of communications, among other provisions.

Under the Code, the unauthorized use of cryptography is punishable by up to 5 years in jail. Any use of such means requires a prior permission from the authorities. The Agence Nationale de Certification (ANC) is the authority that can grant such permissions.

Many freedom of expression and privacy advocates including members of the press have called for an amendment of the law that would decriminalize the use of encryption following the example of many democratic countries.

Licensing of industry

The end of the government’s monopoly over the telecom market dates back to 1997, with the signature of a convention with the World Trade Organization. This convention created a roadmap for the liberalization of the sector.

The Telecommunications Code was promulgated shortly afterwards, in 2001, and the National Telecommunications Authority (INT), the telecom regulator, was created.

E-governance/digital agenda

As early as 2005, a special unit attached to the Prime Minister's office was created to coordinate and spearhead efforts to develop an “electronic government” program to make more services available online and boost the government’s digital readiness.

After more than a decade, the results are somewhat mixed. According to the World Economic Forum's Networked Readiness Index, regarded as one of the most authoritative indicators of the propensity of countries to exploit the opportunities offered by information and communications technologies (ICTs), most of the progress was achieved in terms of the affordability of the service (the cost of accessing ICTs). Much remains to be done in terms of the political and regulatory environment and the infrastructure and digital content.

Health sector and e-health

In August 2016 a pilot e-Health program entitled “Yezzi!” (“Enough!”) was launched using SMS communication aimed at helping smokers quit using cigarettes. The program was developed in cooperation with the World Health Organisation and the International Telecommunication Union. Text messages are sent to participants upon requests for information or help. They include tips on withdrawal procedures and interactive motivational messages. The phone-based system is being backed by mass-media campaigns.

Very little is known, however, about the precautions taken by the Ministry of Health, which is leading the project, to protect personal data. Very little is known either about the involvement, or lack thereof, of the INPDP in the project. A similar program aimed at patients with Diabetes is scheduled to begin by the end of 2016.

Smart policing

We are not aware of any specific examples of smart policing in Tunisia. Please send any tips or information to:


We are not aware of any specific examples of privacy issues in transport in Tunisia. Please send any tips or information to:

Smart cities

We are not aware of any specific examples of smart city issues in Tunisia. Please send any tips or information to:


We are not aware of any specific examples of privacy issues related to migration in Tunisia. Please send any tips or information to:

Emergency response

We are not aware of any specific examples of privacy issues related to emergency response in Tunisia. Please send any tips or information to:

Humanitarian and development programmes

We are not aware of any specific examples of privacy issues related to humanitarian and development programmes in Tunisia. Please send any tips or information to:

Social media

According to the Arab Social Media Report 2015, Facebook is the most popular social network in the country (with 89 % of social media users having an account), followed closely by WhatsApp (78 %) and Youtube (53 %), than Instagram (37 %) and Twitter (34 %).

89 % of respondents to the survey said they access social networks (Facebook) on a daily basis, 83 % of which were via smartphone.