Leveraging Digital Technologies to Enhance Data Governance Practices in Africa

By Paul Kimumwe

Data governance policies and practices in many African countries have continued to attract attention due to their inadequacy in ensuring the protection and respect for the rights of individual data subjects. Key concerns have been raised regarding the data management practices, particularly related to biometrics, that have undermined the safety, confidentiality, accuracy, accessibility, and reliability of personal data, which are critical principles in data governance.

Several studies have documented cases of misuse of digitalised personal data, including data breaches, surveillance, misuse of personal information, unwarranted intrusion, and financial harm. Despite these misgivings, digitisation of data has been recognised within the African Union’s Digital Transformation Strategy for Africa (2020-2030) as critical in promoting and building confidence for the continent’s digital economy. For many governments, the desire to transform service delivery and enhance public participation has been a key driver for the adoption of biometric data collection and digital identities for purposes of issuing National Identity cards and updating of biometric voter registration and identification programmes.

In this blog, we highlight the critical areas in which advances in digital technologies can enhance data governance practices in Africa.

Understanding Data Governance

Data governance refers to a holistic approach to data management that entails the development and implementation of relevant norms, procedures, and standards to ensure that data is secure, accurate, reliable and consistently available. In particular, it spells out clear standards and protocols that govern data collection, storage, and management, resulting in accurate, consistent, and up-to-date data. There is a growing concern that without a robust data governance framework, the continent risks missing out on maximising the benefits from its own datasets as they would be prone to abuse and misuse by poorly regulated data collectors and controllers.

Demand for a Robust Data Governance Framework

In Africa, the demand for a robust data governance framework has gained traction as a response to several countries moving away from paper-based to more digitised data management practices, raising concerns about the rights of data subjects, particularly the safety and confidentiality of user data.

While progress has been registered normatively – with the adoption of regional instruments such as the African Union Convention on Cyber Security and Personal Data Protection and the AU Data Policy Framework, both of which provide frameworks for rights-respecting data protection practices, and with several countries adopting relevant privacy and data protection laws – full implementation remains a challenge.

In addition, the African Union’s Digital Transformation Strategy for Africa (2020-2030) calls upon states to “promote open data policies that can ensure the mandate and sustainability of data exchange platforms or initiatives to enable new local business models, while ensuring data protection and cyber resilience to protect citizens from misuse of data and businesses from cybercrime.”

Unfortunately, several laws contain problematic and vague provisions that provide for sharing of sensitive information and data localisation that are prone to abuse and misinterpretation. For example, provisions such as section 18 of Algeria’s Law No. 18-07 of 2018 on the protection of personal data, sections 44-47 of Kenya’s Data Protection Act 2019, and section 9 of Uganda’s Data Protection and Privacy Act, 2019, provide for circumstances under which sensitive personal information can be accessed, such as safeguarding national security, public interest, enforcement of the law, and conduct of criminal investigations. In addition, in many countries, biometric data collection programmes were initiated before the enactment of relevant data protection laws.

Leveraging Digital Technologies

While for the most part digital technologies have been used by various states to undermine the legitimacy and enjoyment of digital rights through surveillance and interception of communication, internet shutdowns, and data breaches, there is a growing belief that these technologies can be instrumental in building a robust data governance framework if applied correctly.

Ease of Authentication

Recent technological advancements, including multi-factor authentication (MFA), which enables secure access to services on the go, are critical in facilitating seamless data collection, processing and verification, and in enhancing the authenticity and reliability of data compared to paper-based identifiers. Data subjects can easily request access to and verify their digitised data in the possession of data controllers. As technology becomes more accessible and affordable, governments and private entities can leverage biometrics and biometric technologies for functional and foundational identity purposes, and for an expanding array of applications.

Improving Data Storage and Confidentiality

Data storage is a key pillar within the data governance framework as it easily allows data subjects to exercise their individual rights to request and obtain their personal data in the hands of data controllers in a structured, commonly used, and machine-readable format, as well as request that their data be transferred directly to another organisation. With advances in technology, data controllers can easily encrypt, de-identify and destroy personal data in their possession. Technologies such as the Identity Management Systems (IDMS) facilitate interoperability, allowing seamless integration between different data management systems used by data controllers. In addition, new technologies such as blockchain facilitate the secure storage of datasets in blocks that are connected through cryptography.

Ease of Data Rectification

One of the fundamental rights of data subjects is the right to request data controllers to correct any inaccurate and incomplete data the data controller may have collected. Under Principles 5 and 16 of the European Union’s General Data Protection Regulation (GDPR), data controllers are required to keep personal data accurate and up-to-date, and to take “every reasonable step” to ensure that inaccurate personal data is erased or rectified.

In many countries, data controllers have been accused of collecting and processing inaccurate and incomplete personal data due to the analogue way data is collected. With the adoption of digital technologies, biometric data identifiers such as fingerprint, facial, or iris recognition become critical forms of authentication in issuing different forms of identities, and they ease the verification and rectification processes for both data subjects and controllers.

As Africa strives to improve its data governance framework, it is important that we leverage new and emerging technologies such as biometric data collection, blockchain, and identity management systems to enhance the safety, security, accuracy, reliability and confidentiality of personal data.

CIPESA Engages Ugandan Parliamentarians on Rights-Respecting Digital Laws

By Patricia Ainembabazi

On August 14, 2024, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) convened a meeting with Uganda’s Members of Parliament, representatives of civil society, and the private sector to discuss laws that impact the digital civic space. In particular, the meeting discussed how the country’s digital laws can be more supportive of human rights.

Digital technologies have become integral to modern life, facilitating communication, access to information, education, and economic activities. They are key enablers of civil, political, social, and economic rights, but also present challenges, including aiding the proliferation of hate speech, disinformation, and cyber-attacks.

In Uganda, the internet faces multiple challenges including repressive controls, limited access and connectivity, and high taxes on data connectivity. Moreover, the country’s laws governing the digital domain contribute to the suppression of digital rights.

Accordingly, the discussions focused on laws such as the Computer Misuse Act 2011, the Anti-Terrorism Act 2002, the Penal Code (Amendment) Act 2007, the Uganda Communications Act 2013, and the Regulation of Interception of Communications Act (RICA). These laws have been widely criticised for their ambiguous and broad provisions that prioritise control as opposed to protection of rights. The laws have also been used to target political dissidents and silence critical voices.

The meeting, which included 20 Members of Parliament, 11 parliamentary staff, as well as 16 civil society and private sector actors, stressed the need for Uganda to align its laws with regional and international frameworks, such as the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) and Europe’s General Data Protection Regulation (GDPR). There was also a discussion on key digital rights, including the right to access and connectivity, freedom of expression, privacy and data protection, security, and online safety, all of which are crucial for a rights-respecting digital environment.

Parliament plays a pivotal role in enacting laws that promote good governance, accountability, transparency, and protection of human rights. As such, it should be at the forefront of enacting, revising or repealing regressive laws that stifle the digital civic space to pave the way for progressive legal regimes.

Civil society organisations (CSOs) were recognised as government watchdogs that should be crucial in advocating for digital policy reforms. Their role extends to conducting evidence-based research on digital rights violations, engaging in strategic litigation to challenge repressive laws, and raising awareness among the public and other stakeholders. Furthermore, CSOs were also encouraged to build strong consumer advocacy movements and initiatives to push for progressive changes in the laws and to engage more deeply with Parliament on legislative reforms.

Collaborative engagements and partnerships with stakeholders including the judiciary, CSOs, telecommunication companies, internet service providers, and the Uganda Communications Commission were emphasised as essential for promoting digital policy reforms and the enhancement of progressive legal regimes.

The August convening followed earlier efforts geared towards facilitating a favourable environment for digital rights in the country. For instance, in June 2024, CIPESA conducted a litigation surgery that explored potential litigation related to issues that undermine Uganda’s digital rights space. Participants at the surgery made proposals to engage the parliament on legislative reforms. 

CIPESA remains committed to continuous engagements with the parliament and other stakeholders to push for digital policy reforms that uphold the rights of all its citizens, foster innovation and development, and address the complexities of the digital age.

Rollout of Digital Number Plates Poses Privacy Concerns in Uganda

By CIPESA Writer

The rollout of the digital number plate system in Uganda is well underway. At a press conference last month, the Ministry of Works and Transport announced January 2025 as the deadline for full roll out. The system – over two years in the making – is a joint project between the government of Uganda and Russian company Joint Stock Company Global Security and has caused alarm among rights activists as it introduces another layer of massive personal data collection and processing amidst weak controls.

The stated objective of the Intelligent Transport Monitoring System (ITMS) is to improve the country’s transport management systems and security by enabling the authorities to “swiftly identify vehicles involved in criminal activities and improve traffic management through efficient ticketing and revenue collection”. It will involve the installation of digital number plates on all vehicles and motorcycles in the country, allowing security agencies to track and pinpoint their location at any one time.

Overview of ITMS

| Digital Number Plate Components | Status of Fitment on Government Vehicles as at June 2024 | Target Installations (Registered Vehicles as at July 2024) |
| Aluminium plates – front and back | 1,091 | 2,145,988 |
| A tracker | | |
| A SIM chip | | |
| Bluetooth beacons – front and back | | |
| Snap locks | | |

Once rolled out, the digital plates will add to the catalogue of surveillance apparatus in Uganda. The country already has a plethora of retrogressive laws, such as the Regulation of Interception of Communications Act 2010 and the Anti-Terrorism Act 2002 that require communication service providers to aid in intercepting communication by ensuring that their systems are always technically capable of supporting lawful interception. The laws also grant powers to an authorised officer to intercept the communications of a person and to conduct surveillance of individuals.

The components of the digital number plates will enable the government through its security agencies, such as the police, to swiftly identify vehicles and their owners. Instantaneous data exchanges pose major challenges to data privacy, especially in cases where there are calculated targets such as civil society organisations (CSOs), human rights defenders (HRDs), activists, and political opponents, government critics, or dissidents.

An added concern is that, according to the Uganda Police, the digital number plate system will be integrated with the Closed Circuit Television (CCTV) system and others such as the motor vehicle registration system, the e-tax system managed by the Uganda Revenue Authority (URA) and the national identity database managed by the National Identification and Registration Authority (NIRA) to “ensure comprehensive vehicle and personal identification.” Given weak controls over data held by public bodies and rare punishment for data breaches and unauthorised access, linking these databases absent clear data-sharing frameworks and robust controls poses grave concerns. Notably, Uganda does not have a law or regulations governing CCTV/video surveillance.

Whereas there are efforts to localise parts of the system through the establishment of a local production facility for the various components, the partnership with Joint Stock Company Global Security underscores Uganda’s reliance on foreign entities for purposes of conducting surveillance and interception of private communication of its citizens. For example, in August 2022, there were reports that the Uganda Police had purchased UFED, a technology developed by the Israeli firm Cellebrite that enables authorities to hack into password-protected smartphones.

Earlier, starting in 2018, Uganda turned to a Chinese company, Huawei, for the supply and installation of CCTV across major cities. The decision to install the CCTV cameras came on the heels of a spate of murders that had engulfed the country, with the security forces keen on using the CCTV cameras to improve security in the country. Like many other government security procurements, the CCTV deal raised a lot of transparency and accountability issues, including the secrecy that surrounded the entire process.

Additionally, there were reports that security agencies were working with Huawei technicians in Uganda to spy on opposition critics by intercepting encrypted communications and using cell data to track their movements. This appeared to be the continuation of a trend that was documented earlier in 2012, when the Uganda government reportedly relied on German-made spyware, FinFisher, which it is said to have covertly installed in various places, including hotels, the parliament and key government institutions, for purposes of surveilling its opponents, including politicians, civil society, and the media.

Given the country’s history of repressing the civic space and harassing political opponents, CSOs and HRDs, the ITMS digital number plates could further the suppression of civil liberties, including political participation, freedom of expression, access to information and assembly and association. Moreover, deeper democratic regression could occur since these liberties largely depend on privacy and the ability to express oneself with minimal interruptions or interference.

While the government has a legitimate desire to improve the security of its people and transport management, the recent events discussed above, where the same government has used the acquired technologies to surveil its citizens and undermine digital rights, make it critical that any future attempt to enhance its surveillance apparatus is anchored in law with clear oversight mechanisms. This is because the deployment of surveillance technologies such as ITMS, FinFisher, and Huawei’s CCTV presents a veritable avenue for economic and political exploitation by collecting extensive data on people’s behaviour, location, activities, and interests online and offline. This makes the risk of violation of privacy apparent, rendering citizens helpless because they essentially have no control over how the data will be used, even when they are aware that data is being collected.

It is, therefore, important that the government reduce its reliance on foreign-manufactured surveillance technologies, particularly from countries whose human rights record is wanting, as these have tended to use these tools to suppress civic spaces. In addition, the government should reconsider its regulatory framework to ensure it conforms to international standards on privacy and data protection, especially during the procurement and deployment of potentially intrusive technology that is prone to abuse.

Portal on Gender-Based Violence in Africa Expanded with ADRF Support

Update

The Covid-19 pandemic was characterised by a sharp increase in gender-based violence (GBV) in Kenya, Nigeria, and South Africa, as well as other countries across the world. This was largely attributed to lockdown restrictions, which left victims isolated in the same physical space as their abusers, reduced availability of shelters and other support mechanisms, and exacerbated economic anxiety and mental health pressures – all key drivers of GBV.

The pandemic also accelerated digitalisation, which widened the scope of Technology-Facilitated Gender-Based Violence (TFGBV). According to UN Women, in Africa, online abuse, harassment and exploitation increased as learning went online during the pandemic. Similar concerns about online harms are discussed in the African Union Guidelines on Gender-Responsive Responses to COVID-19.

Alt Advisory, a South Africa-based public interest advisory firm, launched endgbv.africa as a resource on domestic and international responses to GBV online and offline before, during and after the pandemic. At the time of its launch in 2022, the portal featured GBV mapping and assessments on the legal and policy developments, trends and statistics as well as key terminologies on six African countries – Malawi, Mozambique, Namibia, South Africa, Zambia, and Zimbabwe.

With a grant from the Africa Digital Rights Fund (ADRF) – an initiative of the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) – Alt Advisory has revamped and expanded the portal to cover an additional seven countries – Eswatini, Ethiopia, Ghana, Kenya, Mauritius, Nigeria and Uganda. The project has also featured a spotlight series on experiences of sexual minorities in Botswana and Uganda.

The new seven country factsheets were developed in collaboration with researchers from various fields, with multidisciplinary perspectives regarding GBV, thereby expanding the breadth of information relating to organisations and movements hitherto unknown due to varied degrees of online visibility. This collaborative approach has strengthened the regional network of gender rights advocates beyond national borders.

“Our hope is that the project’s focus on TFGBV enabled researchers to develop their own insights on emergent forms of harm which may potentially enrich future policy advocacy in their contexts,” said S’lindile Khumalo, a Senior Associate at Alt Advisory.

Alt Advisory’s Equity and Inclusion as well as Media teams are working to publicise the portal to maximise uptake and impact. The firm will also continue to fundraise to expand the portal’s coverage to the full African continent and translate the resources to increase relevance and accessibility to a diversity of audiences. All this will be in tandem with efforts in law and policy reform, advocacy, and activism on GBV and related issues. “As the portal undergoes further development, we hope that it contributes to the end of GBV in our lifetime,” concluded Khumalo.

East and Southern African National Human Rights Commissions Trained in Digital Rights Protection

By CIPESA Writer

As part of its ongoing efforts to enhance the ability of African National Human Rights Institutions (NHRIs) to monitor, protect, and promote digital freedoms, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) last month conducted a two-day capacity-building training that attracted NHRI representatives from Lesotho, Mozambique, Tanzania, Uganda, Zimbabwe, and Zambia.

The two-day training that was held in Nairobi, Kenya, on June 25 and 26, 2024, sought to empower staff of NHRIs in the region to engage with the opportunities and challenges that digital technology poses for human rights protection and monitoring of digital rights. In his opening remarks, CIPESA Executive Director Dr. Wairagala Wakabi noted that NHRIs play a critical role in the protection and promotion of human rights, and given the deteriorating state of digital rights in the region, it was important that they are equipped to deal with the intersection between the digital and the traditional human rights. According to the Paris Principles, NHRIs are required to have a broad mandate that allows them to effectively execute their mandate of promoting and protecting human rights, both offline and online.

The Nairobi training followed a similar training that CIPESA conducted in Ethiopia for staff of the Ethiopian Human Rights Commission (EHRC), who identified key actions the commission could integrate in its annual work plans, such as digital rights monitoring, advocacy for enabling laws to be enacted, and developing tools for follow up on implementation of recommendations on digital rights by treaty bodies and the United Nations Human Rights Council.

Digital Rights as Human Rights

Digital rights have been recognised at both international and regional levels. For example, in 2018, during its 38th session, the United Nations Human Rights Council adopted resolution A/HRC/RES/38/7 that reaffirmed that “the same rights that people have offline must also be protected online.” In 2016, the United Nations General Assembly passed a non-binding resolution on “the promotion, protection, and enjoyment of human rights on the Internet,” condemning any measures taken by state parties to prevent or disrupt internet access and calling upon them to refrain from and cease any such measures.

In March 2024, the African Commission on Human and Peoples’ Rights passed resolution ACHPR.Res.580 (LXXVIII)2024 on Internet Shutdowns and Elections in Africa “reaffirming the importance of access to the internet in the digital age and its implication for the realisation of human rights”. The resolution called upon member states to “refrain from ordering the interruption of telecommunications services, shutting down the internet, and/or disrupting access to any other digital communication platforms before, during or after the elections.”

Challenges Facing NHRIs

In many cases, African NHRIs have found themselves operating in an increasingly hostile environment with limited funding and hostility from state agencies, who sometimes view their role as countering and incriminating the government in human rights violations. In addition, because of the limited funding, many NHRIs are not in a position to recruit or improve the level of expertise among their staff members, especially when it comes to new and emerging technologies and how they affect the enjoyment of human rights. Participants acknowledged that, in many cases, they are always playing catch-up when it comes to legislation, yet they are supposed to be the primary advisors and reviewers of draft laws related to human rights.

In his remarks, Victor Kapiyo, one of the trainers, noted that the adoption of digital technologies has brought up new human rights issues, particularly as governments have reacted by enacting laws that have, for the most part, served to stifle human rights as opposed to facilitating their enjoyment. On the other hand, digital technologies have also facilitated the spread of hate speech, disinformation, and technology-facilitated gender-based violence. It is important that NHRIs keep enhancing their capacity to monitor, investigate, and protect against violations of digital rights by both governments and private actors, including big tech companies.

Practical Strategies for NHRIs

During the training, participants discussed an array of strategies that they can adopt to monitor, document, and protect digital rights, including the use of practical legal and policy guidance set out in the Rabat Plan of Action, as well as the Guiding Principles on Business and Human Rights, when engaging with governments and business entities, especially technology companies, with regard to their obligations to respect, protect and promote human rights.

Participants also noted the need to engage with security agencies, the justice department, and policymakers on issues of digital rights. It was noted that because the concept of digital rights in Africa is new and evolving with limited understanding and jurisprudence, NHRIs need to constantly retool themselves on the emerging issues if they are to execute their mandates effectively. Other strategies included building coalitions and collaborations with civil society actors, the media and academia to help unpack and create awareness about digital rights.

The training was facilitated by trainers from CIPESA, Internews, the International Centre for Non-Profit Law, and the Kenya National Cohesion and Integration Commission (NCIC).