For the fifth year in a row, the Collaboration on International ICT policy for East and Southern Africa (CIPESA) has produced a research report on the State of Internet Freedom in Africa, with the 2018 edition focusing on privacy and data protection on the continent. The report was launched at the annual Forum on Internet Freedom in Africa (FIFAfrica), which took place in Accra, Ghana, at the end of September and can be found here.
It is here!!! Launched at #FIFAfrica18 – the 2018 edition of the @cipesaug State of #InternetFreedomAfrica Report. The research documents #dataprivacy and #dataprotection in select African countries. Find it in our library: https://t.co/EKJx0q5rXA pic.twitter.com/0fgizbyvTW
— CIPESA (@cipesaug) September 28, 2018
While the use of Information and Communications Technology (ICT) is fast growing in Africa, there are several challenges related to privacy and data protection. According to the GSMA, at the end of 2017 Sub-Saharan Africa had over 444 million mobile subscribers representing a 44% penetration rate, while the International Telecommunications Union (ITU) reports that 21.8% of individuals in the continent use the internet. However, as more users come online, many remain unaware of how their privacy rights could be affected by their use of digital technologies.
The report tracks key trends and challenges in recent years that have shaped this area of internet governance and use in the continent.
The report points out that the state of personal data protection tends to mirror – and to aﬀect – the state of internet freedom in a country. It notes that various African countries are witnessing worrying developments on the internet freedom front including an increase in digital rights violations such as arrests and intimidation of online users, internet blockages and social media shutdowns, and a proliferation of laws and regulations that undermine internet access and aﬀordability, and weaken ICT’s potential to improve livelihoods, catalyse free expression and civic participation.
The countries studied are Burundi, the DRC, Ethiopia, Ghana, Kenya, Malawi, Nigeria, Rwanda, Senegal, Tanzania, Uganda, Zambia, and Zimbabwe. Findings indicate that many states are legitimising and increasing their surveillance capacity, including by requiring mandatory registration of personal details and increasingly compelling service providers to hand over users’ data. The surveillance is often not guided by judicial or other independent oversight, and in some instances there is no clarity as to which individuals and government departments have the authority to order surveillance or demand customers’ meta data from telecom companies.
This means that many government departments make such orders to the operators, who do not have the latitude to reject such requests. Telecom and ISPs are required by law to comply with information requests or requests for surveillance assistance, including the common requirement to install software with the technical capacity to conduct surveillance and to enable active communications monitoring, and to hand over data when asked.
In all countries reviewed, these requests are kept secret so it is difficult to establish the full extent of government requests for users’ data, the surveillance of citizens’ communications, and censorship of content. What is clear though, is that the trend is on the increase, and the types of user’s’ information which governments request is varied.
Additionally, a common trend in the countries studied, as well as around Africa, is the adoption of mandatory SIM card registration which requires that subscribers furnish telecom companies with extensive personal details, including names, home addresses and their National Identiﬁcation details. In the absence of comprehensive privacy and data protection laws (and accompanying practice by government agencies and telcos that robustly protects such data), this data is at tremendous risk of abuse by state and non-state actors.
Despite the constitutions of numerous countries containing provisions that uphold the protection of the rights to privacy, of the 13 countries studied, only Ghana and Senegal have comprehensive privacy and data protection laws. The lack of a comprehensive standalone policy or legislation to protect the right to privacy and data protection was identiﬁed as a major weakness, since the provisions were fragmented and contained in various laws and policies, and did not adequately provide for protection of the right. Some countries such as Kenya, Malawi, Nigeria, and Uganda have data protection bills but the proposed laws have for years failed to progress through their parliaments.
The report noted the low levels of public awareness about privacy and data protection, with many citizens tending to be indiﬀerent to privacy and data protection issues. This low level of awareness among the public of privacy issues in the digital environment, a lack of transparency by data controllers, insuﬃcient procedural guarantees, and limited independent oversight over the implementation of privacy and data protection, mirrors many other facets of the internet governance arena, and negatively impacts users’ digital rights. In turn, efforts to promote strong privacy and data protection regimes should go in tandem with multi-stakeholder efforts to advance broader internet freedoms in Africa.
See the full report which includes the various African Instruments on Privacy and Personal Data Protection, data collection programmes by governments, legal responsibilities of business entities as well as recommendations to the state, civil society, academia, the tech community and civil society.