Across Africa, the fast-evolving technology landscape has created pressure to adopt appropriate legislation to keep up with the pace of technological development. However, these efforts are being shackled by numerous challenges, including silo approaches to policy development, limited citizens’ inclusion in policy formulation, failure to harmonise stakeholder positions, ad hoc advocacy efforts by Civil Society Organisations (CSOs), and the failure to leverage the influence of private sector actors.
At the Forum on Internet Freedom in Africa 2022 (FIFAfrica22), digital rights activists and policymakers examined how existing processes and mechanisms that provide input into digital policies can be improved. In a panel session organised by the Centre for International Private Enterprise (CIPE), participants explored experiences and practical tips for policy engagement that upholds democratic values.
A key concern was that, on the one hand, Africa’s digital rights landscape has for years remained unregulated, leading to resistance to efforts to regulate it, and yet the absence of laws creates room for violation of rights online and abuse by state and non-state actors. On the other hand, where laws have been enacted, implementation and enforcement have been weaponised to target critics and dissent, as reflected in the continued infringement of rights online. This creates the need for proactive multi-stakeholder efforts in pushing back against regressive developments.
“While we should be [engaged] at the beginning of the process, we are ignored and when we enact a law, CSOs come to challenge it, yet if they involve us early enough, we would all be in agreement,” said Neema Lugangira, Member of Parliament from Tanzania and Chair of the African Parliamentary Network on Internet Governance (APNIG).
She noted that with a negative attitude towards each other, many parliamentarians question the motives of CSOs in pushing certain agendas and called for a change in approach. “I want to champion issues in which I have been involved. How do we make your agenda my agenda? You can scream whatever you want but you cannot get legislative change without working with Parliament,” said Lugangira.
Indeed, Boye Adegoke from Paradigm Initiative reiterated that one of the pitfalls of policy advocacy was to adopt the angel/devil relationship approach. He added that many CSOs lack adequate knowledge and skills to engage in policy processes. In turn, he called for more proactive efforts in tracking parliamentary debates and business related to digital policy and undertaking research to inform policy advocacy.
Building alliances, including with the local business and the tech community, was also cited as critical to strategic support for policy influence. “When they [business and tech community] speak, they tend to be listened to and governments tend to respect their views,” said Nashilongo Gervasius, a Namibian technology policy researcher and founder of NamTshuwe Media.
Equally emphasised was the need to leverage the power and influence of private sector players at international level, where the quality of policy negotiations by some African governments remains wanting, as noted by Ayaan Khalif, the Co-Founder of Digital Shelter, a digital rights group in Somalia. Citing the example of the 15% tax agreement between OECD countries and multinational companies, Ayaan stated that African countries and CSOs must bring the continent’s big market potential to the “negotiating table” in order to tap into the multinationals’ revenue.
Away from negotiations, the need to increase inclusive participation in public policy processes was also stressed. As Khalif stated, “Holistic stakeholder involvement should clearly define those being involved, ensure that they are actually given the opportunity to make meaningful input and outline the issues being addressed”.
Ultimately, context remains paramount given that most countries on the continent are at different levels of democracy and what is possible in one may not be tenable in another. What is important is to understand the policy making ecosystem and respond appropriately. “Policy advocacy is about incremental wins. If you are not invited to the table you can bring your own chair to the table, or you can set up your own table and bring people to it,” concluded Adegoke.
In many countries across Africa, identity systems have largely been paper-based. It is estimated by the World Bank that at least 500 million people in Sub-Saharan Africa lack proof of legal identification. In order to bridge this gap, several countries have adopted some form of digital identity (ID) system for civil registration, including birth, national IDs, voting purposes, incorporating biometrics such as fingerprint, facial or iris recognition as a form of authentication. Indeed, the systems have gained popularity given their benefits as part of digital transformation journeys to promote accessibility, efficiency, and transparency in service delivery – in health, migration, education, social security, and elections.
Lesotho’s national ID has so far covered 85% of the eligible population. Mozambique has a digital ID card with a Unique Citizen Identification Number (NUIC), assigned during birth registration. This national identification number is used on NID cards, health cards, driver’s licenses, and passports. The country also has the National Immigration Service (SENAMI), for its immigration system for travel documents and residence permits; as well as the Electronic System for Civil Registration and Vital Statistics (e-SIRCEV) for civil registration. Birth certificates are a prerequisite for obtaining NIDs. The NID is valid for five years for individuals below 40 years of age and valid for 10 years for individuals between the ages of 40 and 50 years.
Tanzania introduced its biometric national ID programme in 2013 and started issuing cards in 2016.. As of 2020, at least 22.1 million individuals or 80% of the adult population had been registered for the National Identification Number (NIN). Also, mandatory SIM card registration requires the collection of fingerprint data in addition to official documentation such as national identity cards, birth certificates, driver’s licenses or passports.
Zambia introduced its National Registration Card (NRC), in 2013. The USD 54.8 million Integrated National Registration Information System (INRIS) replaced the paper-based system introduced in 1965 and would issue biometric-based documents such as national registration cards, birth and death certificates, and facilitate voter registration.
In the early 2000s, the Zimbabwean government introduced biometric IDs by the then Registrar General, Tobaiwa Mudede, as a formalised transition to reportedly enhance issues of e-governance. Unfortunately, there was very limited publicity and awareness on this transition, as well as transparency about the tendering and procurement processes. In 2018, the government also adopted a biometric system for the registration of voters, and for the registration of civil servants in 2019.
It is worth noting that these systems, despite their benefits, present risks which were previously not common in paper-based identity systems. Some common risks to digitalised personal data include data breaches, surveillance, misuse of personal information, unwarranted intrusion, and financial harm. These risks may be amplified in the absence of comprehensive policy, legal and institutional frameworks for privacy and data protection. Notably, even where laws exist, if they are weak, fragmented, outdated, poorly enforced, lack strong and independent oversight mechanisms, or fail to provide effective remedies, the risk of harm to the data collected is heightened.
Also, the use of centralised databases, weak information-sharing safeguards, and the lack of transparency and accountability in the management of identity databases have been documented as loopholes that could inevitably create opportunities for abuse by state and non-state actors with access to the information.
Furthermore, the incomprehensive implementation of biometric digital ID programmes could entrench digital exclusion and discrimination of vulnerable groups, such as the elderly and refugees, from accessing government services due to lack of a national ID as the case was in Uganda. In Zimbabwe, the country’s Human Rights Commission’s (ZHRC) inquiry into access to documentation revealed that there is often neglect and marginalisation of people living with disabilities and members of minority groups. In Mozambique for example, studies showed that citizens who live in remote areas are more at risk of exclusion than others, as they have to travel further, and possibly a number of times, to complete the registration, and thus, bear higher costs.
Currently, 30 African countries have enacted data protection laws and policies. One of the early adopters of data protection laws is Lesotho, which adopted its Data Protection Act, in 2011. Uganda adopted its Data Protection and Privacy Act in 2019. Zambia and Zimbabwe adopted their Data Protection Acts in 2021, while Tanzania adopted its Personal Data Protection Bill in 2022. However, not all these countries have adopted the African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention).So far, only Mozambique and Zambia have signed the Convention and deposited the instruments of ratification. Lesotho, Tanzania, Uganda and Zimbabwe are yet to sign or ratify the convention.
Whereas having data protection laws is critical, African countries should also have in place appropriate policy, regulatory and institutional frameworks for the implementation of their digital identity programmes. Such frameworks are essential for fostering public trust and confidence in the use of digital identity systems, especially in the digital economy.
However, enactment of the relevant laws and policies (including reviewing the existing ones) is just the first step in harnessing the dividends of biometrics and digital ID systems. States need to ensure that the implementation of digital ID systems meets certain thresholds.
Biometrics and digital identity systems should be user-centric, rights-respecting, privacy-respecting by default and by design, and secure throughout their lifecycle.
Developers of such systems should anticipate and recognise potential privacy risks such as data breaches and fraud, and address them within the existing systems and frameworks. In addition, the developers should adopt a distributed and federated approach rather than a centralised approach.
Further, there should be a clear governance framework, with independent oversight, well-defined roles and responsibilities, rules and standards. In addition, the systems should entrench accountability, including compliance with data protection laws and the conduct of data protection impact assessments (DPIAs).
Countries should establish independent and robust oversight data protection bodies to regulate data and privacy protection including biometric data. The bodies should be given a commendable level of autonomy and facilitated sufficiently with the required resources to ensure that they function effectively, independently and with minimal external influence over their mandate.
In countries where digital identity systems were implemented prior to the enactment of data protection laws, the existing processes should be reviewed to ensure compliance with data protection laws. Key aspects to be considered include the conduct of DPIAs, review of data-sharing arrangements, compliance with data protection principles on consent, accuracy, purpose limitation, automated data processing, children, lawfulness, fairness and transparency, data minimisation, storage limitation, and security.
In addition, countries should review the emerging best practices in the implementation of digital identity systems, learn from other countries and adopt those suitable for their context.
Countries should build the capacity of government officials responsible for biometric digital ID systems, including data protection bodies, law enforcement, prosecution, regulators, and the Judiciary in effective data protection, with skills and knowledge in key principles of data protection and the rights of data subjects.
Programme implementation should proactively plan and ease the accessibility of services by the most vulnerable and marginalised groups – elderly, persons with disabilities, women, those in remote areas. This would include phased implementation of digital ID systems, wide distribution of enrollment centers in disability and poor-friendly environments, as well as cost waivers.
Finally, stakeholder engagement and proactive disclosure of information relating to such programmes should always be integrated into the design and deployment of the programmes.
Over three years since the ouster of long-term authoritarian president Omar al-Bashir, Sudan’s ongoing political crisis continues to present challenges for internet freedom in the country. Initial positive reforms initiated by the transitional government led by Prime Minister Abdalla Hamdok have been clawed back since a military coup in October 2021. The new military government has weaponised laws, continues to institute network disruptions, and is clamping down on civil society organisations so as to consolidate its grip on power and silence critics.
The political situation in the country has had a marked correlation with the state of internet freedom in the north African state, whose record was largely poor even before the crisis deepened. According to the Freedom On The Net 2022 report, Sudan scored 29 out of 100 on internet freedom, thus continuing its classification on the index as “Not Free”. Developments in 2022 signalled a rapid decline from the progress recorded in 2021 and2020, when the country scored 33 and 30 respectively on the index, up from a lower score of 25 in 2019.
The Cybercrime Law Continues to Repress
One of the measures adopted by Sudanese authorities has been the use of internet-related laws as a weapon for repression. The cybercrimes law, which first came into force in the final days of al-Bashir’s regime in 2018, and its amendments in subsequent years, appear to be aimed at thwarting mass protests and restricting critical opinion of the government and its officials. The most recent amendment to the law, which contains vague provisions, was first announced in April 2022, with some reports stating that it was intended to criminalise acts such as insulting the leaders of the state and undermining the prestige of the state.
On November 2, 2022, the government spokesperson announced that the cabinet had adopted the amendments. The announcement stated that the law was necessary to address the proliferation of information-related crimes and the concealment of their perpetrators through the use of modern computer applications. Also, it claimed that it was necessary to address the shortcomings of the application of court fines that had failed to achieve complete deterrence. The amendment obliges courts to imprison offenders where the victim of defamation or fake news is a governmental public figure. As of December 2022, the amendment law is yet to be published and is awaiting the final approval of the President of the Sovereign Council.
Article 21 of the cybercrime law provides that: “Whoever prepares or uses the information or communications network or any information means or any applications to publish or promote ideas, programs, words or actions contrary to public order or morals, shall be punished with imprisonment for a period not exceeding six years”. Under article 24, “Anyone who publishes lies or fake news in cyberspace will be punished [with imprisonment of] four years, fined or both”.
Meanwhile, article 25 states that “Whoever prepares or uses the information or communications network, or any information means or applications to defame any person shall be punished with imprisonment for a term not exceeding six years.” The law also imposes a penalty of up to seven years imprisonment for anyone who obtains data or information that affects the “economy or the national security” of the country, which terms are not defined.
These articles limit access to information and freedom of expression as they fail to provide a clear definition of the acts constituting the offence, are excessive, and use undefined terms such as “public order” and “morals”, which can be interpreted subjectively by security and prosecutorial agencies and applied to punish legitimate expression.
Censorship
The contentious provisions of the cybercrime law have been used to limit press freedom through the blockage of access to online news websites. In September 2022, the public prosecutor ordered the blockage of the website of the Al-Sudani newspaper, one of the most respected dailies in Sudan, without even notifying the newspaper’s management. The Sudanese Electronic Press Association condemned the order, stating: “We reject prior trials and convictions from any party except the judiciary”. Ultimately, the website was not blocked after the leakage of the prosecutor’s order.
In the same month, Abdalrahman Al-Aqib, a journalist, was arrested by police after publishing an investigative article on corruption at the Ministry of Minerals in a local daily and on his Facebook account. Al-Aqib was charged under articles 24 and 25 of the cybercrimes law for publishing lies and fake news. Following his arrest, the Sudanese Journalists Syndicate condemned the actions of the police. It stated: “Al-Aqib was treated in a humiliating manner, and they did not respect his most fundamental rights, amid delays from the police’s duty officer, so as not to obtain his legal right to the guarantee”.
In both cases, the government’s response was primarily reprisal as opposed to offering counter-responses to the allegations raised in the stories. Notably, authorities did not use the press law against the journalist, perhaps because it prescribes less penalties in comparison to the harsh penalties under the cybercrimes law. The press law does not provide for imprisonment of journalists; rather, it stipulates disciplinary sanctions, such as fines and suspending a journalist from publishing for a specific period.
Network Disruptions
Disruptions to internet access and blockage of social media continues unabated, with authorities justifying them as necessary to ensure “national security and emergency state”. Five have been recorded during the past 15 months.
During the October 2021 coup, the army imposed a nationwide internet shutdown to isolate the protestors from mobilisation to resist the coup. The shutdown lasted 25 days, and after access was restored, some social media platforms remained blocked for two more days. On the one year anniversary of the coup, the authorities shut down the internet for eight hours during a public march organised by pro-democracy groups against the coup. Earlier the same month on October 18, 2022, a regional internet shutdown was imposed in Wad Al-Mahi, a governorate in the Blue Nile region. The shutdown was in response to tribal conflict in several villages in the area. It could not be independently verified when access was restored.
Also, on June 11, 2022, the public prosecutor ordered the shutdown of the internet for three hours on a daily basis, over a 12-day period. The reason given was that it was necessary to prevent cheating during the national secondary school exams. Following the 12-day period, the internet was again disrupted for 25 hours on June 30, 2022, during the “Million Man March” to mark the anniversary of the 2019 massacre of protestors by the military.
Catalogue of Internet Disruptions in Sudan Since October 2021
These recent incidents mirror Sudan’s long history of instituting network disruptions, rivalled only by neighbouring Ethiopia. Crucially, the disruptions are indicative of the current regime’s bias and disregard for freedom of association and assembly. Three of the internet disruptions (October 2021, June 2022 and October 2022) were in response to protests against military rule. In contrast, the military did not implement any disruptions on October 29, 2022, when the Sudan People’s Appeal Initiative held protests. The initiative comprises supporters of former president Al-Bashir’s ousted regime, who protested in Khartoum demanding that the United Nations not interfere in Sudanese affairs.
Crackdown on Civil Society
The government has also led an onslaught against civil society organisations. For example, on October 23, 2022, the Human Aid Commission (HAC), which is the regulator of non-governmental organisations in Sudan, notified the director of the Sudanese Consumers Protection Society (SCPS) of its decision to cancel SCPS’s registration, seize its assets and properties and freeze its bank accounts inside and outside Sudan. The SCPS has been at the forefront of advocating against network disruptions by pushing for the enforcement of contractual obligations of Internet Service Providers (ISPs) to provide services to their customers.
Looking Ahead
The affronts by the Sudanese government on internet freedom and civic space go against its obligations under international human rights law. The design and deployment of punitive laws by authorities to target and silence activists, government critics, journalists, human rights defenders (HRDs), and the political opposition create an environment of fear and self-censorship. Equally, responses such as the deregistration of civil society organisations only serve as a threat to other civil society organisations, of possible sanctions. Lastly, these actions together with internet shutdowns and the repression of digital rights through the cybercrime laws constitute unjustifiable limitations of freedom of expression, assembly, association, access to information, rights of the media, and rights to political participation.
In order to chart a democratic path in the coming years, the Sudanese government must show commitment to uphold media and internet freedom. Policy reforms should repeal regressive provisions such as the cybercrimes law. Sudan should also desist from interrupting access to the internet and social media.
+ Khattab Hamad is a journalist and digital rights researcher who has recently co-founded the Digital Rights Lab Sudan.
The session, which took place on 2 December 2022 in a hybrid format, brought together over 60 organisations for an open exchange of ideas, experiences, and lessons on how to address disinformation through a multi-stakeholder and human-centric approach. In particular, the debate focused on how Africa-Europe partnerships can help tackle the issue, in light of the AU-EU D4D Hub’s mandate to foster digital cooperation between both continents.
The panellists explained how fact-checking has grown dramatically in recent years, becoming one of the most common measures to tackle disinformation. Nevertheless, more than effective fact-checking is needed, they warned. Africa-Europe cooperation should adopt a comprehensive approach integrating multiple complementary measures, such as building digital literacy for all (including the most vulnerable), holding those who profit from disinformation accountable, and the involvement of all stakeholders in devising solutions.
Bringing all actors to the table
Simone Toussi, Project Officer for Francophone Africa at the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) highlighted how “disinformation is a multi-faceted phenomenon that directly threatens democracy and human rights and affects all stakeholders in society”.
“Disinformation manifests in many ways, and can be perpetrated by a diversity of actors,” she added.
As such, she argued that countering fake narratives needs both online and offline efforts undertaken in a coordinated manner by governments, intergovernmental organisations, civil society, media, academia, and private sector. “Multi-stakeholder collaboration is crucial to bring together different views and understanding of the roles that each actor plays,” she said.
Toussi presented research findings proving that measures to tackle disinformation can be ineffective or inadequate when they only consider the point of view of a single stakeholder. For example, fact-checking is sometimes challenged by lack of access to information. Media and civil society participation can help ensure that governments treat information as a public good.
Engaging with the private sector… how?
The debate also touched on the essential role that technology companies play in keeping disinformation from spreading. Ongoing efforts by private sector include partnering with civil society and fact-checkers — including through multi-stakeholder collaborations as proposed by Toussi.
Nevertheless, for Odanga Madung, journalist and Mozilla Foundation fellow, such measures are not enough. He argued that one of the major contributing factors to disinformation is that fake or misleading information is algorithmically amplified by big companies.
“Big companies and social media platforms profit from the spread of disinformation. It is part of their business model, which is a very serious problem,” he said.
For Madung, tackling disinformation requires strong regulations to protect users and their rights, addressing big technology companies’ dominance, encouraging competition, fostering new ideas on different business models, and decentralising the Internet.
Planting the seeds of change
Charlotte Carnehl, Operations Director at Lie Detectors, proposed further investments in training teachers and fostering exchanges between journalists and school-age kids: “Countering the corrosive effect of disinformation and polarisation on democracy requires empowering school kids and their teachers to tell facts from fake online.”
She argued that enabling journalists to visit schools to explain how professional journalism works is a win-win situation. It can help journalists to learn about how the younger generation accesses and consumes information, while teachers and children can gain practical skills in identifying fake or misleading information online.
“Everybody needs the skills to assess and critically think about information,” Carnehl said. “Kids are actually a high-risk group for disinformation because they are targeted on channels that can’t be monitored, and they are largely navigating them by themselves without their teachers or even their parents present.”
When questioned on the short-term impact of such measures by a member of the audience, Carnehl acknowledged that it’s a long-term investment, “like planting the seeds of a tree”. However, she argued that there are also some immediate positive effects for children.
Finally, Carnehl called for special attention to be paid to marginalised groups, such as rural populations. Civil society organisations could help ensure that everyone can access reliable information, she said.
The global internet governance community is set to convene in Addis Ababa, Ethiopia, for the 17th Internet Governance Forum (IGF) from November 28-December 2, 2022. Ethiopia is hosting the IGF 2022 against a backdrop of internet freedom reforms, a recently liberalised telecommunications sector and an ongoing conflict that has seen the Tigray region without internet access for two years.
Connecting All People and Safeguarding Human Rights
Avoiding Internet Fragmentation
Governing Data and Protecting Privacy
Enabling Safety, Security and Accountability
Addressing Advanced Technologies, including Artificial Intelligence (AI)
CIPESA will co-convene and participate in various sessions at the IGF 2022 to showcase its work that supports the ambitions of the GDC.
A joint effort by DefendDefenders, Greenhost, Digital Society of Africa, Dig/Sec Initiative, Digital Security Alliance, AccessNow, CChub, Center for Digital Resilience, and CIPESA will run an onsite digital security hub to build the digital resilience of at-risk groups and organisations.
At a session titled “Jointly tackling disinformation and promoting human rights” facilitated by the AU-EU Digital for Development (D4D) Hub, CIPESA will contribute in an open exchange of ideas, experiences and lessons learned on how to address disinformation through a multi-stakeholder and human-centric approach.
The CIPESA team will also feature on a panel discussion on technology and human rights as part of the Peer Learning Event for National Human Rights Institutions (NHRIs) hosted by Danish Institute for Human Rights.
Further, CIPESA will participate at the Africa member convening of the Association for Progressive Communications (APC) and at a Digital ID Civil Society Summit hosted by the Open Society Foundations, under the auspices of an external digital ID fund and initiative (DIDIF), housed at Rockefeller Philanthropic Advisors.
