Data Protection in Africa in the Age of Covid-19

By Boel McAteer and Jean-Benoît Falisse

As the Covid-19 pandemic spread around the world in the early part of 2020, governments and companies invested substantial resources in gathering data about suspected and confirmed cases, and related behaviours. Learning more about how the virus was spreading was a top priority around the world, and with this came new practices of sharing medical records, tracking people’s movements and tracing their contacts. This has created new norms for data governance in many countries, and in this brave new world of disease surveillance, it is more important than ever to understand data protection and privacy, and where these concepts fit in with the new priorities of managing the pandemic.

The Covid Governance research project has gathered information about country-level data protection and Covid-19 practices across the world. Covering over 200 countries and territories, the project’s Data Protection Explorer Tool provides a snapshot of the legal environment surrounding data protection and privacy, and how it is changing in response to Covid-19. Crucially, it focuses on restrictions on data collection, processing and cross-border transfers. It also captures digital monitoring measures in place for Covid-19, such as contact tracing, and who owns that data. This will help form a picture of what has changed within data ethics and surveillance during the pandemic, and in the long term what those changes might mean.

So what are some of the key patterns that we can see so far? A joint statement on Data Protection and Privacy in the Covid-19 Response from a number of United Nations (UN) organisations states that any changed practices due to Covid-19 should be legalised and rooted in human rights. However, the information collected via the Data Protection Explorer Tool shows that about a third of Africa’s 54 countries did not have comprehensive data protection laws enforced or in place before the pandemic. During the pandemic, constitutional rights have often been backtracked as a part of the crisis response.

The Explorer’s data also shows that African countries without specific data protection laws are particularly exposed. Take Namibia for example, where no comprehensive data protection law is in place. There is, however, a draft bill in the works and public consultations were conducted in 2020. The absence of a dedicated data protection framework does not mean data protection is non-existent: as in other African countries, there are provisions in other Namibian laws related to personal data of citizens in specific sectors of the economy such as accounting and banking (the Banking Institutions Act, 1998 and 2010 amendment) or the legal professions and accounting (Legal Practitioners Act, 15 of 1995 as amended).

The right to personal privacy is also enshrined in Namibia’s constitution as a human right, but this right is limited, including in the interests of health and public safety. This allows the government to legally prioritise public health over other human rights throughout the pandemic. Indeed, when Namibia declared a state of emergency in March 2020, many constitutional freedoms were temporarily suspended. For instance, access to education could no longer be guaranteed and places of worship (constitutive of religious freedom) were closed.

Covid-19 tracing and surveillance mostly occurred offline but the University of Namibia (UNAM) successfully launched a mobile app, named “NamCotrace”, that collects substantial personal information such as the geolocation of users. The app is connected to epidemiological data and the national healthcare system in real time. Whereas it is alleged that “privacy by design” is core to the app, Namibia’s prevailing privacy and data protection legislative environment leaves room for arbitrary abuse. Similarly, Nigeria has developed various Covid-19 apps but with minimal data protection legal safeguards in place, there is ample room for misuse.

The Data Protection Explorer Tool also shows that countries with data protection laws remain vulnerable too. In many instances, the laws have been amended to allow practices that were previously prohibited to take place during the pandemic. In South Africa for instance, the response to Covid-19 has been governed through the Disaster Management Act from 2002 that allows the National Disaster Management Centre to request from individuals or organs of state information it “reasonably requires” and to escalate the matter to parliament in case of failure.

In April 2020 a regulation was introduced to legalise contact tracing in South Africa. This created a tracing database of Covid-19 cases, managed by the National Department of Health, where personal information is gathered from anyone tested for Covid-19. Information collected and stored in the database includes name, residential address, ID and passport number. This means that even though the information is collected legally without consent from the individuals, it would be unlawful to use that data for any other purpose than the one specified in the regulation. Despite these provisions, concerns have been raised that the contact tracing enables government surveillance of the population, since the Director General of Health can track the location of anyone suspected to have Covid-19 through phone service providers.

At the other end of the continent, in West Africa’s Burkina Faso, the data protection law prohibits collection of personal data relating to health. It had not, at the time of writing, been amended. However, since 2019, a digital platform for health surveillance has been in place: One Health is funded by USAID and combines data from three ministries concerned with zoonotic disease control in the same place. When the first cases of Covid-19 were detected in the country in 2020, however, the platform was adapted to include data on the new virus, tracing cases, and their contacts. This is, obviously, raising privacy (and legality) concerns.

There are also some inspiring examples. The B’Safe app in Botswana was developed as an alternative to a manual Covid-19 tracing system. Described as privacy-friendly and in line with the country’s data protection (and privacy) law that pre-dates the pandemic, the app recorded a decent initial adoption rate. However, without an established data protection authority to enforce the law and oversee the app’s roll out, security vulnerabilities within the app led to private citizens lodging a court case against the country’s Covid-19 task force challenging its safety. The progress of the case remains unclear to date. However, it highlights the importance of independent data protection authorities, good examples of which include those in Angola and Senegal, and the pandemic potentially being a decisive push in countries where they are yet to be established.

Where are we heading now? Data protection laws in Africa were rapidly developing in the years leading up to the pandemic, with many new laws influenced by the European Union’s General Data Protection Regulation (GDPR) which was adopted in 2016. The examples above show the many ways in which the data protection environment in Africa is changing with the pandemic.

As the general state of democracy and freedoms is deemed to be worsening since the outbreak of Covid-19, it will be important to continue to monitor developments in data protection and privacy: the pandemic could be the opportunity to speed up the process of establishing much-needed laws and enforcement agencies but it could also lead to them being less protective of citizens (and more permissive for government) than in the pre-Covid-19 world.

The Covid Governance Project is an initiative of the University of Edinburgh. It was developed with support from the Foreign, Commonwealth and Development Office (FCDO), the Global Challenges Research Fund – Scottish Funding Council, and the University of Edinburgh’s Challenge Investment Fund. Explore the Data Protection Explorer Tool.