By Juliet Nanfuka |
In recent years, the threats to data privacy have evolved at a quicker pace than the development of regulatory frameworks dedicated to safeguarding the right to privacy, especially in the digital era. Currently, just over half of African countries have enacted privacy laws and policies. Still, the right to privacy is repeatedly under threat through the introduction of new laws that facilitate surveillance and the collection of biometric data and limit the use of encryption. There are growing concerns that in several African countries, government agencies and private entities are collecting and processing personal data without adequate data protection frameworks, amidst weak oversight mechanisms and inadequate remedies.
Most African countries are parties to international human rights instruments such as the International Covenant on Civil and Political Rights (ICCPR) and the Universal Declaration of Human Rights (UDHR) which provide for the right to privacy. However, the African Charter on Human and Peoples’ Rights does not provide for the right to privacy, although its article 9 has been interpreted to encompass the right to privacy.
Meanwhile, the continent’s model instrument on privacy and data protection, the African Union Convention on Cybersecurity and Personal Data Protection, has been signed by 14 countries and only eight countries had ratified it by June 2020. Indeed, adherence to these instruments remains low.
Increased digitalisation, which was accelerated by Covid-19, has seen rising use of technology in health, business, education, and civic participation and engagement, necessitating greater need for progressive personal data privacy policies and practices. However, as many positive developments emerged in the region so did gaps in the respect for data protection and privacy in the numerous state responses.
For example, Ethiopia has embarked on a national digital identification (ID) biometric-based project which it argues will support access to services for citizens and hasten trade relations with other nations on the continent. However, the country has no comprehensive data protection law. In 2020, the government published the draft Personal Data Protection Proclamation which is yet to come into force.
In Kenya, the Data Protection Act, 2019 which establishes the Office of the Data Protection Commissioner also prohibits the sharing of data with third parties without consent of the data subjects and requires that individuals are informed when their data is being shared and for what purposes. In December, an amendment to the Central Bank of Kenya Act addresses digital lenders that share personal data of loan defaulters with third parties could have their licenses revoked. Tactics used by lenders reportedly included calling friends and family, to shame and compel their borrowers to repay the loans.
In South Africa, the data privacy debate recently surged when the Department of Basic Education stated that high school leaving exam (National Senior Certificate) results would no longer be published on media platforms, in line with the Protection of Personal Information Act (POPIA). However, a court ruled against the department and instructed that the results be published publicly on media platforms and newspapers. Historically, the results have been made available with students identified through their ID numbers or exam numbers. The Department argued that in order to publish the results, it would have to seek consent from every pupil per the POPIA.
Private entities in South Africa have also come under scrutiny for their surveillance systems’ compliance with privacy regulations and their data privacy practices. Among these entities is Vumacam, which in 2021 announced that it was gearing up to instal additional “hundreds of thousands of cameras” in the country. Vumacam currently has over 5,000 cameras that have been installed in Johannesburg suburbs since 2019.
The concerns raised about private surveillance actors in South Africa echo those that have emerged about state actors in Botswana, Equatorial Guinea, Kenya, Morocco, Nigeria, Uganda, Zambia, and Zimbabwe who have heavily invested in state-run video surveillance systems commonly referred to as “Safe Cities” – which in the absence of sufficient safeguards, present risks through their collection and processing of personal data.
Indeed, there are concerns on the true extent to which governments are committed to ensuring citizens’ data privacy rights. In 2019, Clément Voule, the United Nations Special Rapporteur on the Rights to Freedom of Peaceful Assembly and of Association, stated that a surge in legislation and policies aimed at combating cybercrime had also opened the door to punishing and surveilling activists and protesters in many countries around the world.
Among the ways in which data privacy is being undermined through legislation and policy is by increasing restrictions to the use of anonymity and encryption – both of which are fundamental to upholding other rights including press freedom, access to information and freedom of expression. States fear the use of anonymisation and encryption tools will hamper their capacity to fight terrorism and crime.
Anonymity and encryption protect privacy, and without effective protection of the right to privacy, the right of individuals to communicate anonymously and without fear of their communications being unlawfully detected cannot be guaranteed. Whether used to protect sensitive information or to verify identities, individuals and corporations alike benefit from cryptographic software in a world that is becoming increasingly networked.
In the absence of robust oversight, legal and practical safeguards, and the selective application of data protection laws, data privacy remains a primary concern for digital users in several African countries. This is compounded by governments who continue to encourage and support an enabling environment that facilitates efforts by state and non-state actors to undermine privacy-related rights at the cost of numerous digital rights in Africa.
This Data Privacy Day (January 28), the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) reaffirms its commitment towards advancing effective policy that shapes and informs a progressive data privacy landscape in Africa. See some of our blogs and indepth research reports on data privacy and protection in Africa.