Reflecting on the Forum on Internet Freedom in Africa (FIFAfrica) at the Internet Governance Forum 2017

IGF Pre-event |
Join the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) at the Internet Governance Forum 2017 where we will share on the evolution of the Forum on Internet Freedom in Africa (FIFAfrica) at a pre-event on December 17, 2017!
We’ll explore insights from our latest report on the State of Internet Freedom in Africa 2017 themed Intermediaries’ Role In Advancing Internet Freedom – Challenges And Prospects as well as uncover what is sometimes left out of discussions on the economic impacts of internet shutdowns in Sub-Saharan Africa. For this discussion we’ll reference a new framework we developed this year. You can see more about it here: Calculating the Economic Impact of Internet Disruptions in Sub-Saharan Africa.
Are you keen on going into the IGF with a solid background on the internet freedom landscape in Africa?  Join us as we reflect on the Forum on Internet Freedom in Africa (FIFAfrica), discuss its evolution, the lessons learnt, the gaps and opportunities that lie ahead for policy development and practical advancement of digital rights in  Africa.

  • Venue: Join us at Room 18, Centre International de Conférences Genève (CICG)
  • Location:  17 rue de Varembé, CH – 1211 Genève 20
  • Date: Sunday, December 17, 2017
  • Time: 13h30 – 14h30

We’ll also share how various organisations have supported the growth of the FIFAfrica in various ways ranging from increasing participation of African delegates, in-depth research and analysis, unique workshops, through to skills exchange and network building.
To confirm attendance, please register here. 

Research Methods Workshop for Internet Policy And Advocacy in Africa

Call for Applications  |
The Annenberg School for Communication’s Internet Policy Observatory, the Collaboration on
International ICT Policy in East and Southern Africa (CIPESA), Research ICT Africa, Kenya ICT Action Network (KICTANet), Unwanted Witness, Paradigm Initiative, and
Young ICT Advocates seek applications from young scholars, activists, lawyers, and technologists working across Africa for an intensive practicum on using research for digital rights advocacy.
The workshop seeks to provide a venue for stakeholders in the region to build collaborative possibilities across sectors, expand research capacity within practitioner and digital rights advocacy communities, and to provide the skills and know-how to more strategically use research and data to advance advocacy efforts. Sessions will cover both qualitative and quantitative methods and will provide the space for hands-on activities and the development of individual and group research interests. In this way, the workshop seeks to provide opportunities to connect scholarly expertise with policymakers and advocates and improve working synergies between emerging African networks of civil society organizations, academic centers and think-tanks.
Sessions will include workshops on stakeholder analysis, conducting interviews, researching laws and regulations, social network analysis, network measurement, survey methods, data visualization, and strategic communication for policy impact.
We encourage individuals from Africa in the academic (early career), NGO, technology, and public policy sectors to apply. Prospective applicants should have a particular area of interest related to internet governance and policymaking, censorship, surveillance, internet access, political engagement online, protection of human rights online, and/or corporate governance in the ICT sector. Applicants will be asked to bring a specific research question to the program to be developed and operationalized through trainings, group projects, and one-on-one mentorship with top researchers and experts from around the world. Several partial and full scholarships will be made for the most competitive applicants to participate.
The course will be conducted in English and applicants should have high proficiency in English in order to interact with experts, lecturers and other participants who will come from diverse backgrounds. Please also note that we require all participants to have a laptop to use for the duration of the program.
Application Deadline: November 10, 2017
Workshop Dates: Feb 26 – Mar 3, 2018 | Location: Kampala, Uganda
To apply for the program, please fill this form.
For questions, please email Laura at [email protected].
 

Bridging Cyber Security Gaps: The Commonwealth Telecommunications Organization Trains SMEs in Uganda

By Edrine Wanyama |

Uganda’s Small and Medium Enterprise (SME) sector is credited with contributing 20% to the country’s Gross Domestic Product (GDP) in 2016. While the level of adoption of technology as a key component of operations within the sector remains unclear, its effective utilisation requires entities to also embrace safety and security measures as a priority.

Identifying security controls to defend against cyber threats and data protection thus formed the basis of discussions at a cyber standards training workshop for SMEs in Uganda. Organised by the National Information Technology Authority (NITA-U) in collaboration with the Commonwealth Telecommunications Organization (CTO), the workshop, held in Kampala, Uganda on August 23-24,2017 targeted SME entrepreneurs, banking industry officials as well as ICT sector representatives from non-government organisations and other ICT stakeholders.

The workshop explored the Information Assurance for Small Information Assurance for Small to Medium Enterprises (IASME) which encourages SME’s to comply with international information security management standards.

Currently, possible cyber risks include; theft of data for monetary gain or competition by criminals, hacking, physical insecurity to staff and office equipment, malware attacks, insecure configuration, updating software from unreliable sources, access control and spam.

Discussions on information security are abound in Uganda as the Data Protection and Privacy Bill, 2015 makes slow progress in Parliament while laws like the Computer Misuse Act, 2011, the Electronics Signatures Act, 2011 and the Electronic Transactions Act, 2011 do not fully address the issue of data protection and privacy.

According to a 2016 report based on a global survey of cybersecurity managers and practitioners, cyber security and information security is considered a technical issue rather than a business imperative.  The findings of this study echo sentiment held by civil society orgnaisations which face similar digital security threats including increasingly sophisticated threats and rate of incidents.

In order to be better positioned to address cyber threats, civil society and SME need to be equipped with skills encompassing both online and offline responses. These include know how on policy and compliance, physical environmental protection, risk assessment, access controls, incident management, monitoring, backup, malware identification and technical intrusions.

Through a cyber essentials course and practical exercises, participants at the workshop were equipped with basic skills for enabling non-technical users to establish five information security controls including malware protection, access control, patch management, secure configuration, boundary firewalls and internet gateways.

As a follow-up to the exercise, selected participants will undergo further training for possible contracting as IASME information security assessors for SME’s.

CTO’s international events and seminars are conducted in all countries of the Commonwealth, across the continents of Africa, Europe, the Americas, Asia and the Pacific region. Specifically, in Africa, the events have been held in Botswana, Cameroon, Ghana, Kenya, Liberia, Mozambique, Nigeria, Papua New Guinea, South Africa, Swaziland and Uganda.

In the meantime, the Ministry of ICT & National Guidance on August 20, 2017 held an Awareness Workshop on Cyber Laws such as the Constitution of the Republic of Uganda 1995, National Information Technology Authority, Uganda Communications Act 2013, Electronic Signatures Act, Computer Misuse Act, Registration of Persons Act, Electronic Transactions Act, Electronic Transaction Regulations 2013, Electronic Signatures Regulations 2013, Open Data Policy, 2017, ICT for Disability Policy Draft and the Data Protection and Privacy Bill, 2015, to sensitize member of the public, private sector, academia, government officials and other stakeholders on information security threats and how to best combat them. The work shop put emphasis on the need to know, learn and understand existing and upcoming laws, policies and guidelines that regulate cyber security and how they can be best applied.

 
 
 

What African Countries Can Learn from European Privacy Laws and Policies

By Edrine Wanyama |
The General Data Protection Regulation (GDPR) came into force in the European Union (EU) in May 2016. The 28 EU member states have until May 2018 to apply the Regulation to existing national laws to ensure the protection of citizens with regard to the processing of personal data and its transfer within the EU and beyond.
In Africa, only 14 countries (Angola, Benin, Burkina Faso, Mali, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Morocco, Senegal, South Africa, Tunisia and Zimbabwe) have enacted data protection and privacy laws. Others, including Kenya, Niger, Nigeria, Tanzania and Uganda, have bills that are yet to be passed into law.
Whereas a continent-wide convention on Cyber Security and Personal Data protection was adopted by the African Union back in 2014, only eight countries (Benin, Chad, Congo, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome & Principe and Zambia) are signatories and only one (Senegal) has ratified the convention.
Meanwhile, as part of efforts to ensure data protection within the different regional blocs, the Southern African Development Community (SADC) has developed a model law on data protection while as of 2010, the Economic Community of West African States (ECOWAS) had the  Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS. Unlike its regional bloc counterparts in the south and west, the East African Community (EAC) has not adopted legislation on data protection and privacy – it only has a Framework for Cyberlaws which calls for member states to enact laws that protect personal data.
Meanwhile, some of the proposed and existing national laws fall short of comprehensively protecting data and privacy. For instance, Uganda’s Data Protection Bill, 2015 and Ghana’s Data Protection Act, 2012 lack succinct clauses on key areas such as notification of breach and data portability, and also have limitations on the right to access, among others. Despite this, mass collection of personal data continues across the continent, leaving the majority of Africans vulnerable to the violation of their data privacy.
This contrasting state of affairs formed part of the discussions at a July 2017 convening of lawyers, government officials, civil society representatives, academics, and students at the Institute for Information Law at the University of Amsterdam for a five-day training course on issues pertaining to privacy and data protection law relate to the internet and electronic communications.
For over 60 years, the European Convention on Human Rights (1950) has functioned as the framework to guarantee the right of privacy for private and family life. More recently, the European Charter of Fundamental Rights, 2000 has reinforced this right. These instruments are the basis of the robust protections provided for under the GDPR. In Africa similar frameworks which address privacy are less than 15 years old, such as the Declaration of Principles on Freedom of Expression in Africa (2002) (Part V), the  Resolution on the Right to Freedom of Information and Expression on the Internet in Africa – ACHPR/Res. 362(LIX) 2016, and the civil society led African Declaration on Internet Rights and Freedoms.
However, where European instruments have been largely endorsed and supported by member states, many African instruments still struggle to gain similar recognition by member states.  As in the EU, African countries need to uphold the principles laid down in these instruments towards the recognition and enforcement of citizens’ right to privacy and data protection.
Further, per the GDPR, European states are required to establish Data Protection Authorities (DPAs) to ensure that safeguards are in place to protect user data including across different jurisdictions. African states should embrace similar measures to guard against infringement on citizens’ privacy.

Data Protection Authorities are mandated to independently monitor, raise awareness, handle complaints and conduct investigations, among others, to uphold personal data protection.

Overall, the course highlighted the need for a robust privacy regime across the world to ensure that citizens enjoy due protection of their online data. It also highlighted the need for more efforts in citizen sensitisation on data protection and privacy alongside better frameworks in the African context to support these rights.
CIPESA participated in the course together with representatives from Ohio State Moritz College of Law and Capital University Law School; Global Privacy Practice, Covington & Burling; Institute for Information Law, University of Amsterdam; Berkeley Center for Law & Technology, UC Berkeley School of Law; Dutch Data Protection Authority; and the Washington University Law School, among others.
There are lessons for Africa to learn from the European experience, including the establishment of state and regional mechanisms that strengthen data protection frameworks. However, it is integral that more African countries enact data protection laws, and for countries that have with this law, it should be implemented with oversight from independent bodies as more user data is generated and stored online.
 
 

Rwanda’s Communications Regulator Dismisses Electoral Commission’s Directives on Suppressing Free Speech Online

By Ashnah Kalemera |
The Rwanda Utilities Regulatory Authority (RURA), the body that regulates telecommunication services, has dismissed a statement by the country’s electoral body regarding vetting of social media posts by candidates in the upcoming elections. This principled move by RURA needs to be commended, and just like the authority has steadfastly held service providers to their licensing obligations and protected digital technology users’ interests, RURA stands well positioned to be the champion of the free flow of information and ideas online in Rwanda.
“The National Electoral Commission (NEC) has no mandate to regulate or interrupt the use of social media by citizens,” reads RURA’s May 31 statement. The authority goes on to state that as the body in charge of communications, it has not had any discussions with NEC on the matter and to “reaffirm the right of citizens express themselves on social media and other ICT [Information and Communication Technologies] platforms, while respecting existing laws.”
The statement by RURA follows a directive by the electoral body requiring that campaign posts by candidates, including text, photographs and videos must be sent to a team of analysts prior to publishing on Facebook, Twitter, YouTube, WhatsApp, Instagram or on candidates’  websites.
“The candidates will have to send their messages to our team 24 hours before the time they expect to post them – and then they give us another 24 hours to give them feedback,” a NEC official is quoted as having told journalists. The commission head stated that candidates risked having their social media accounts blocked if they failed to comply with the instructions. According to officials, NEC’s directive was “not censorship”, but rather, aimed at ensuring that “messages posted on social media are not poisoning people.”
The electoral body’s move deserves condemnation for infringing on free speech and aiming to curtail the free flow of information and opinion in the lead up to presidential elections scheduled for August 2017. Article 38 of the Rwanda constitution guarantees freedom of the press, of expression and of access to information. The Media Law of 2013 further extends these rights to the media, including online platforms, as provided for under Article 19.
Whereas these rights need to be respected at all times, it is especially critical to uphold them at election times to enable politicians easily reach out to voters and for citizens to have ample access to competing ideas so as to make informed choices of who to vote for as their leaders. This is why RURA’s dismissal of the electoral body’s overtures to curtail free expression online is particularly welcome, and yet there is need to work on other fronts to ensure that the country’s laws, and the practices of its institutions and leaders, promote free expression online.
Presently, there are gaps in laws such as the 2013 Media Law, the Penal Code, and the law on interception of communications which pose a threat to the online operations of media and civil society. Over the years numerous blogs and websites with content deemed critical of the state have been blocked Recent years have also seen some online publishers being arrested and charged, with some fleeing into exile. See 2017 report on Safeguarding Civil Society: Assessing Internet Freedom and Digital Resilience of Civil Society in East Africa.
Nonetheless, RURA’s statement is a positive development in the country that has put ICT at the forefront of its socio-economic development. As of December 2016, Rwanda had a mobile phone penetration rate of 79%, while internet penetration stood at 37%, according to RURA’s 4th quarter 2016 report.
In October 2015, Rwanda launched its ICT Master Plan – Vision 2020. Among the priority areas is improved ICT access especially via mobile. Meanwhile, Rwanda’s Universal Service Fund, which is aimed at extending connectivity to rural and underserved communities, is funded by up to 2% levy of operator turnover.
Meanwhile, the RURA actively enforces operator licensing requirements and regulations, and issues notices and penalties for non compliance with quality of service obligations. In June 2016 notices to MTN Rwanda and Airtel Rwanda, the operators were ordered to comply with obligations within 15 calendar days and submit to the authority short term implementation reports and in the longer term, implementation plans. The notice to MTN also stipulated a penalty of approx. USD 6,300 per day for “major network outage and service degradation.”
To fully realise the benefits of these initiatives, citizens need to be free to express themselves online and to have trust in using online tools and platforms without fear for their privacy and safety.
Established under the 2001 law governing telecommunications, RURA’s mandate was extended under a 2013 amendment to include “telecommunications, information technology, broadcasting and converging electronic technologies including the Internet and any other information and communication technology.”