By Edrine Wanyama |
The General Data Protection Regulation (GDPR) came into force in the European Union (EU) in May 2016. The 28 EU member states have until May 2018 to apply the Regulation to existing national laws to ensure the protection of citizens with regard to the processing of personal data and its transfer within the EU and beyond.
In Africa, only 14 countries (Angola, Benin, Burkina Faso, Mali, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Morocco, Senegal, South Africa, Tunisia and Zimbabwe) have enacted data protection and privacy laws. Others, including Kenya, Niger, Nigeria, Tanzania and Uganda, have bills that are yet to be passed into law.
Whereas a continent-wide convention on Cyber Security and Personal Data protection was adopted by the African Union back in 2014, only eight countries (Benin, Chad, Congo, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome & Principe and Zambia) are signatories and only one (Senegal) has ratified the convention.
Meanwhile, as part of efforts to ensure data protection within the different regional blocs, the Southern African Development Community (SADC) has developed a model law on data protection while as of 2010, the Economic Community of West African States (ECOWAS) had the Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS. Unlike its regional bloc counterparts in the south and west, the East African Community (EAC) has not adopted legislation on data protection and privacy – it only has a Framework for Cyberlaws which calls for member states to enact laws that protect personal data.
Meanwhile, some of the proposed and existing national laws fall short of comprehensively protecting data and privacy. For instance, Uganda’s Data Protection Bill, 2015 and Ghana’s Data Protection Act, 2012 lack succinct clauses on key areas such as notification of breach and data portability, and also have limitations on the right to access, among others. Despite this, mass collection of personal data continues across the continent, leaving the majority of Africans vulnerable to the violation of their data privacy.
This contrasting state of affairs formed part of the discussions at a July 2017 convening of lawyers, government officials, civil society representatives, academics, and students at the Institute for Information Law at the University of Amsterdam for a five-day training course on issues pertaining to privacy and data protection law relate to the internet and electronic communications.
For over 60 years, the European Convention on Human Rights (1950) has functioned as the framework to guarantee the right of privacy for private and family life. More recently, the European Charter of Fundamental Rights, 2000 has reinforced this right. These instruments are the basis of the robust protections provided for under the GDPR. In Africa similar frameworks which address privacy are less than 15 years old, such as the Declaration of Principles on Freedom of Expression in Africa (2002) (Part V), the Resolution on the Right to Freedom of Information and Expression on the Internet in Africa – ACHPR/Res. 362(LIX) 2016, and the civil society led African Declaration on Internet Rights and Freedoms.
However, where European instruments have been largely endorsed and supported by member states, many African instruments still struggle to gain similar recognition by member states. As in the EU, African countries need to uphold the principles laid down in these instruments towards the recognition and enforcement of citizens’ right to privacy and data protection.
Further, per the GDPR, European states are required to establish Data Protection Authorities (DPAs) to ensure that safeguards are in place to protect user data including across different jurisdictions. African states should embrace similar measures to guard against infringement on citizens’ privacy.
Data Protection Authorities are mandated to independently monitor, raise awareness, handle complaints and conduct investigations, among others, to uphold personal data protection.
Overall, the course highlighted the need for a robust privacy regime across the world to ensure that citizens enjoy due protection of their online data. It also highlighted the need for more efforts in citizen sensitisation on data protection and privacy alongside better frameworks in the African context to support these rights.
CIPESA participated in the course together with representatives from Ohio State Moritz College of Law and Capital University Law School; Global Privacy Practice, Covington & Burling; Institute for Information Law, University of Amsterdam; Berkeley Center for Law & Technology, UC Berkeley School of Law; Dutch Data Protection Authority; and the Washington University Law School, among others.
There are lessons for Africa to learn from the European experience, including the establishment of state and regional mechanisms that strengthen data protection frameworks. However, it is integral that more African countries enact data protection laws, and for countries that have with this law, it should be implemented with oversight from independent bodies as more user data is generated and stored online.