Challenges and Prospects of the General Data Protection Regulation (GDPR) in Africa

Policy Brief
Privacy is a fundamental human right guaranteed by international human rights instruments including the Universal Declaration of Human Rights in its article 12 and the International Covenant on Civil and Political Rights, in its article 17. Further, these provisions have been embedded in different jurisdictions in national constitutions and in acts of Parliament.
In Africa, regional bodies have invested efforts in ensuring that data protection and privacy are prioritised by Member States. For instance, in 2014 the African Union (AU) adopted the Convention on Cybersecurity and Personal Data Protection. In 2010, the Southern African Development Community (SADC) developed a model law on data protection which it adopted in 2013. Also in 2010, the Economic Community of West African States (ECOWAS) adopted the Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS. The East African Community, in 2008, developed a Framework for Cyberlaws. Notwithstanding these efforts, many countries on the continent are still grappling with enacting specific legislation to regulate the collection, control and processing of individuals’ data.
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect. The GDPR is likely to force African countries, especially those with strong trade ties to the EU, to prioritise data privacy and to more decisively meet their duties and obligations to ensure compliance.
See this brief on the Challenges and Prospects of the General Data Protection Regulation (GDPR) in Africa, where we explore the consequences of GDPR for African states and business entities.

Sections of Kenya’s Computer Misuse and Cybercrimes Act, 2018 Temporarily Suspended

By Juliet Nanfuka
Barely two weeks after the presidential assent to the Computer Misuse and Cybercrimes Act, 2018, a High Court judge has issued a conservatory order suspending the entry into force of 26 sections of Kenya’s contentious Computer Misuse and Cybercrimes Act, 2018. The order by Judge Chacha Mwita, suspending the sections until July 18, follows a petition filed by the Bloggers Association of Kenya (BAKE), which challenged the law for contravening constitutional provisions on freedom of opinion, freedom of expression, freedom of the media, freedom and security of the person, right to privacy, right to property and the right to a fair hearing.
In the order issued on May 29, the judge certified BAKE’s petition as urgent, and stated that respondents (who include the Attorney General, the Speaker of the National Assembly, the head of the National Police Service, and the Director of Public Prosecutions) be served immediately. The respondents would have seven days from receipt to file written submissions. Hearing of the petition is scheduled for July 18, 2018.
Although the conservatory order only stalls the enforcement and could be lifted or maintained thereafter, it nonetheless represents a win for digital rights advocates in Kenya, as they have in the interim satisfied the judge that there is an arguable case to be made against the constitutionality of the recently enacted law. The order also marks another landmark ruling in the litigation towards respect and realisation of digital rights across Africa.

According to the order, the suspended sections are: 5, 16, 17, 22, 23, 24, 27, 28, 29, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 48, 49, 50, 51, 52 & 53.


Various organisations criticised the bill prior to its assent on May 16, 2018, calling it unconstitutional. Among the organisations were the Kenya ICT Action Network (KICTANET), Article 19 Eastern Africa, BAKE and the Centre to Protect Journalists (CPJ), who deemed numerous sections unconstitutional and detrimental to Kenyan citizens’ digital rights. They said it infringed on the privacy of individuals, freedom of expression, speech, opinion and access to information online.
Kenya already has a history of stifling online critics of the state and state actors, as echoed by James Wamathai, the Director of Partnerships at BAKE. In a statement, he said: “In the past several years, there have been attempts by the government to clamp down on the freedom of expression online. This Act is a testament of these efforts, especially after other sections were declared unconstitutional by the courts.”
Among the prevailing concerns on the law is the use of vague language on issues such as “false” or “fictitious” content and false publications in Sections 22 and 23, accompanied by heavy obligations on users to verify the truthfulness or untruthfulness of information before disseminating it. As per section 12, failure to comply would result in a fine of five million Kenyan shillings (USD 50,000), up to two years in prison, or both.
The court order comes on the heels of the two judgments (Okiya Omtatah Okoiti v The Communication Authority of Kenya and 3 others Constitutional Petition No. 53 of 2017 and Kenya Human Rights Commission v Communications Authority of Kenya and 3 others no. 86 of 2017) by the Kenya High Court in which the petitioners successfully challenged the installation on mobile phone networks of a communication surveillance system dubbed Device Management System (DMS), by the Communications Authority of Kenya (CA). The petitioners argued that, through this system, the authority would have undue access to the communications of citizens.
As more countries in Sub-Saharan Africa develop technology-related laws, it is fundamental that the laws uphold human rights standards prescribed at global and regional levels, including in the International Covenant on Civil and Political Rights (ICCPR), the African Charter on Human and Peoples Rights (ACHPR), and the African Union Convention on Cybersecurity and Personal Data Protection. However, recent developments such as those witnessed in East Africa appear to prioritise the criminalisation and penalisation of internet use rather than encourage its adoption as a tool for greater access to information, and for expanding free expression and civic engagement.
Kenya’s neighbours Tanzania and Uganda have this year taken actions detrimental to digital rights. In Uganda, social media taxes that could be introduced in July 2018 threaten internet access and affordability, while in Tanzania, online content producers will have to pay over USD 900 to register with the state for permissions to maintain their platforms, according to new regulations.
 

Let Us Bring People To The Centre Of The Digital Future

Joint Call
The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) is part of a call urging G20 countries to place citizens and consumers at the centre of decisions around the digital society.
The call states, “For the digital society to be open, safe, and empowering for everyone, policies for the digital age must be trusted and trustworthy – putting the interests of people and their rights first. Governments should intensify efforts to assure that the Internet is not fragmented and that people and their rights are at its centre.”
See the complete document here.

Privacy & Protection: Do Ugandans Care What Happens to Their Data?

By Neema Iyer

Let’s be honest.

When was the last time you read the “Terms and Conditions” before you signed up for a new service online?

We don’t blame you. It’s easy to get lost in the legal jargon.

But do you know what happens to your personal data every time you click on “I have agreed to terms and conditions”? Did you know that, at the mere click to accept, you could have given away a portion of your vital information and put your data privacy in absolute jeopardy?

Today, it’s hard to raise the issue of data privacy without thinking of the recent Facebook-Cambridge Analytica scandal, which made many people realize the power of data. Even with so much information published explaining what the scandal was about, very few took note of the lessons.

A recent allegation arising from the Cambridge Analytica scandal is that the Uhuru Kenyatta presidential campaign employed social media surveillance results to target campaign messages to different profiles of voters. This was possible because Facebook monitors your social media activity and can predict your behavior from it; such information is then used to target messages that speak to your interests and emotions to sway major decisions such as election outcomes. This isn’t just happening on our doorsteps; allegations claim similar outcomes in the United States and the UK.

The EU has revised its rules on data privacy and protection in Europe and promised to give users more power over their data. While Europe seems to take quick action, down in Uganda and Africa at large, we continue to grapple with weak data privacy and protection laws, a citizenry that is not well-informed on data privacy, a delay in passing necessary bills and weak implementation processes. Unfortunately, a majority of African countries lack the necessary mechanisms for the inclusive participation of citizens and other stakeholders in the processes of formulating the very laws on internet and digital rights that directly affect them.

Do we care about Data Privacy and Protection?

In December 2017, Unwanted Witness, an activist group, petitioned the Uganda Human Rights Commission (UHRC) to compel Parliament to speed up the enactment of a privacy and data protection law.

They argued that without a governing law, citizens’ personal data is exposed to abuse without collection and protection safeguards. They further asked UHRC to prioritize privacy and recognize it as a fundamental right under attack in the country. However, to date, we are yet to see significant action taken to build an informed citizenry on their digital rights and to provide appropriate protections.

When talk about data arises, many are not really willing to delve further into the ethics surrounding the topic. This can be attributed to the high illiteracy levels in the country: because many don’t know what data is or how valuable it might be in the long run, they give it away easily. Funny as it may sound, a majority of internet users think ‘data’ is a term tied to the internet bundles that the ISPs provide, and that school of thought has stuck with them. Whether their data gets into the hands of the wrong or the right people is the least of their concerns.

Data protection basically means ensuring the right to privacy and respect for confidentiality principles in various relationships, such as doctor-patient, employer-employee, and service providers with their clients generally.

Did you know that privacy is your human right?

The right to privacy refers to the concept that one’s personal information is protected from public scrutiny. It is, essentially, your right to be left alone. Privacy is a core aspect of human dignity and values such as freedom of association and freedom of speech.

One would wonder: even with the data privacy breaches, are there really laws in place to curb and punish those who misuse people’s data and invade their privacy, or are we simply looking on while our data gets tampered with and easily falls into the wrong hands?

Are there Laws in Place?

Yes! There is a Ugandan Data Protection and Privacy Bill that was tabled before parliament in 2015 and although the Bill needs to be revised and aligned better with human rights provisions, comments have been raised on the need to balance civil liberties, national security and data protection and privacy.

According to a paper published a couple of years ago by Dr Ronald Kakungulu Mayambala, a Senior Lecturer at the Human Rights and Peace Centre at Makerere University, Article 27 of the Constitution guarantees the right to privacy of person, home and other property. In particular, article 27(2) of the Constitution provides that a person shall not be subjected to interference with the privacy of that person’s home, correspondence, communication or other property.

Unfortunately, there is no comprehensive law giving effect to article 27, yet a lot of data concerning individuals is collected, stored or processed regularly by various institutions in the private and public sector, including banks, hospitals, insurance companies, the Uganda Citizenship and Immigration Control Board, the Uganda Revenue Authority, Uganda Registration Services Bureau, the Electoral Commission, utility service providers and telecommunications companies under the SIM card registration exercise.

The Bill seeks to protect the privacy of the individual and personal data by regulating the collection and processing of personal information. It provides for the rights of persons whose data is collected and the obligations of data collectors and data processors; and regulates the use or disclosure of personal information.

However, even with these laws and bills in place, further questions continue to be raised on whether they hold any solid ground in implementation, especially if there has not been enough sensitization on the bills and data literacy.

 

What do some people think about data privacy in Uganda?

A chat with a few random Ugandans around town shows you just how long of a way we have to go with the data privacy and protection talk.

“I honestly have nothing to hide with my data and anyone who wants to access it can go ahead and access it. Your data can only be private if you choose to keep it private but if you choose to put it out there and later claim for privacy, then you are playing yourself” — Lisa

“Whatever you put out there is public. I don’t really care who gets my data because once I post anything on social media, it’s no longer in any way private. I get a need for data privacy if it comes to my business data like emails. That is when I need some real privacy” — Hans

“Data privacy is not even a topic of debate here in Uganda because people don’t really care what happens with their data. Because we have a huge Internet penetration gap, very many people don’t even know what data is in most parts of Africa.” — Emmanuel


 

CIPESA Submits Comments On The Uganda Data Protection and Privacy Bill, 2015

Official Submission
Article 27 of Uganda’s constitution provides for citizens’ right to privacy; however, there is no law to protect an individual’s data privacy despite the large amounts of citizen data collected by government departments and private entities on a regular basis. More concerning is that this data is collected with no guarantee of its protection and privacy.
Some existing legislation, for instance the Computer Misuse Act, 2011 (section 18); Access to Information Act, 2005 (section 26); Uganda Communications Act, 2013 (section 79); Electronic Signatures Act, 2011 (section 81); and the Regulation of Interception of Communications Act, 2010 (section 2) prohibit unauthorised access and disclosure of information. However, the provisions in these laws are not elaborate and do not adequately protect personal data.
The publication of the draft Data Protection and Privacy Bill 2014 was therefore a milestone. Accordingly, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) submitted comments to that version of the bill. Various concerns were raised including vague wording which left the bill open to misinterpretation, unclear procedural processes for collection and retention, as well as the costs associated with accessing personal data.
More recently on , CIPESA welcomes the Parliament of Uganda’s call for submissions on the Draft Data Protection and Privacy Bill, 2015. It once again gives opportunity for stakeholders to provide input to ensure that the law, when enacted, measures up to internationally acceptable standards of data protection.
In our latest submission, we highlight some of the positive principles and provisions of the Bill. Furthermore, we indicate areas of concern and suggest amendments to ensure that if the bill is passed into law, there are sufficient safeguards to regulate the collection, storage and use of data towards upholding citizens’ right to privacy.
See the full submission made on the Uganda Data Protection and Privacy Bill, 2015 presented to the Committee on Information and Communication Technologies (ICT) in the Parliament of the Republic of Uganda.