What African Countries Can Learn from European Privacy Laws and Policies

By Edrine Wanyama
The General Data Protection Regulation (GDPR) came into force in the European Union (EU) in May 2016. The 28 EU member states have until May 2018 to apply the Regulation to existing national laws to ensure the protection of citizens with regard to the processing of personal data and its transfer within the EU and beyond.
In Africa, only 14 countries (Angola, Benin, Burkina Faso, Mali, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Morocco, Senegal, South Africa, Tunisia and Zimbabwe) have enacted data protection and privacy laws. Others, including Kenya, Niger, Nigeria, Tanzania and Uganda, have bills that are yet to be passed into law.
Whereas a continent-wide convention on Cyber Security and Personal Data protection was adopted by the African Union back in 2014, only eight countries (Benin, Chad, Congo, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome & Principe and Zambia) are signatories and only one (Senegal) has ratified the convention.
Meanwhile, as part of efforts to ensure data protection within the different regional blocs, the Southern African Development Community (SADC) has developed a model law on data protection while as of 2010, the Economic Community of West African States (ECOWAS) had the Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS. Unlike its regional bloc counterparts in the south and west, the East African Community (EAC) has not adopted legislation on data protection and privacy – it only has a Framework for Cyberlaws which calls for member states to enact laws that protect personal data.
Meanwhile, some of the proposed and existing national laws fall short of comprehensively protecting data and privacy. For instance, Uganda’s Data Protection Bill, 2015 and Ghana’s Data Protection Act, 2012 lack succinct clauses on key areas such as notification of breach and data portability, and also have limitations on the right to access, among others. Despite this, mass collection of personal data continues across the continent, leaving the majority of Africans vulnerable to the violation of their data privacy.
This contrasting state of affairs formed part of the discussions at a July 2017 convening of lawyers, government officials, civil society representatives, academics, and students at the Institute for Information Law at the University of Amsterdam for a five-day training course on issues pertaining to privacy and data protection law related to the internet and electronic communications.
For over 60 years, the European Convention on Human Rights (1950) has functioned as the framework to guarantee the right of privacy for private and family life. More recently, the European Charter of Fundamental Rights, 2000 has reinforced this right. These instruments are the basis of the robust protections provided for under the GDPR. In Africa, similar frameworks which address privacy are less than 15 years old, such as the Declaration of Principles on Freedom of Expression in Africa (2002) (Part V), the Resolution on the Right to Freedom of Information and Expression on the Internet in Africa – ACHPR/Res. 362(LIX) 2016, and the civil society led African Declaration on Internet Rights and Freedoms.
However, where European instruments have been largely endorsed and supported by member states, many African instruments still struggle to gain similar recognition by member states. As in the EU, African countries need to uphold the principles laid down in these instruments towards the recognition and enforcement of citizens’ right to privacy and data protection.
Further, per the GDPR, European states are required to establish Data Protection Authorities (DPAs) to ensure that safeguards are in place to protect user data including across different jurisdictions. African states should embrace similar measures to guard against infringement on citizens’ privacy.

Data Protection Authorities are mandated to independently monitor, raise awareness, handle complaints and conduct investigations, among others, to uphold personal data protection.

Overall, the course highlighted the need for a robust privacy regime across the world to ensure that citizens enjoy due protection of their online data. It also highlighted the need for more efforts in citizen sensitisation on data protection and privacy alongside better frameworks in the African context to support these rights.
CIPESA participated in the course together with representatives from Ohio State Moritz College of Law and Capital University Law School; Global Privacy Practice, Covington & Burling; Institute for Information Law, University of Amsterdam; Berkeley Center for Law & Technology, UC Berkeley School of Law; Dutch Data Protection Authority; and the Washington University Law School, among others.
There are lessons for Africa to learn from the European experience, including the establishment of state and regional mechanisms that strengthen data protection frameworks. However, it is integral that more African countries enact data protection laws, and in countries that already have such laws, they should be implemented with oversight from independent bodies as more user data is generated and stored online.
 
 

DR Congo Parliament Urged to Pass Laws That Support Citizens’ Rights Online

Statement
Civil society actors in the Congolese town of Goma have urged the Government of the Democratic Republic of Congo (DRC) to make amendments to its current laws governing Information and Communication Technologies (ICT) to make them favourable to the growth of internet usage, as well as online privacy, access to information and freedom of expression.
The civil society actors, including journalists, digital rights activists and bloggers, also urged the country’s Parliament and the Ministry for ICT to offer meaningful avenues for citizens to provide inputs to proposed new laws related to the telecommunications industry.
The Government has recently sent to the Parliament the Telecommunications and ICT Bill which is aimed at updating the Framework Law 013/2002 on Telecommunications, as well as the e-Transactions Bill, and a law amending the Act that set up the regulator – the Authority of the Post and Telecommunications of Congo (ARPTC). However, neither the Parliament, nor the Ministry, have announced opportunities for other stakeholders to make comments or submissions on these draft laws.
The importance of stakeholder consultations in Congo’s policy-making processes was among the issues that emerged during a two-day ICT policy and advocacy training workshop hosted in Goma on June 10-11, 2017, by Rudi International and the Collaboration on International ICT Policy for East and Southern Africa (CIPESA). Participants noted that the exclusion of private sector and civil society actors from the law-making process could lead to the passing of laws that are detrimental to internet access and usage in the central African country.
Presently, ICT adoption in DRC faces several challenges including unreasonably high data costs which have largely contributed to the low internet penetration rate of 4.2% as of 2016. The Framework Law 013/2002 on Telecommunications and the Law 14/2002 on the Regulator are the primary laws governing online communication but they do not adequately provide for citizens’ rights to privacy, nor do they provide a conducive environment for citizens to enjoy the right to free expression.
Further, these laws contain vague clauses such as ‘public interest’, ‘disruption of public order’, ‘ultimate truth’, and ‘national security’ which create the latitude for unwarranted abuse of the laws including through censorship and surveillance. Meanwhile, internet and telecommunications services providers lack protection from undue state interference as has been evidenced by the evolution of communications shutdowns in recent years.
The proposed new laws are welcome because they present an opportunity to expunge retrogressive articles from the existing laws and to address the current gaps. However, the current drafts neither reflect sufficient protections for citizens’ rights to privacy and freedom of expression, nor do they adequately support the free flow of information online. For instance, the Telecommunications and ICT Bill contains several problematic clauses, including granting the minister excessive powers over the interception of communications and interruptions to communications. The minister and the regulator also maintain strong control over the operations of service providers. Furthermore, there are weak provisions related to data protection, with the bill lacking independent oversight mechanisms, particularly with regard to the state making user information requests to service providers.
The lack of independent oversight mechanisms to safeguard against the abuse of the excessive power by the minister fails to ensure that citizens are protected against unwarranted interception of communication.
While article 175 of the proposed ICT and Telecommunications law recognises the right of a citizen to demand for information on their personal data from the state or another entity, there are no clear provisions on how this information can be requested or whether the holders of this information are obliged to respond to an information request within a specified timeframe.
Secure online communication is prioritised in articles 116–117. However, clauses which permit the state to intercept private communication with limited safeguards are also included. Further, article 119 includes a provision for the General Prosecutor to designate a chief magistrate who can instruct any qualified agent from the Ministry of ICT or a telecommunications company to put in place mechanisms that allow for interception of citizens’ online communication.
During the training workshop, the civil society actors noted that these clauses contravene international human rights standards as set out in a number of instruments including the Universal Declaration of Human Rights, African Charter on Human and Peoples’ Rights and the African Declaration on Internet Rights and Freedoms. As such, they recommended that:

  • There should be increased participation by more stakeholders in the law development process, as well as regular multi-stakeholder engagements between government, service providers and civil society;
  • Government, particularly the Ministry of ICT and Parliament, should widely circulate the three bills, create awareness about their objectives and invite comments on the draft laws from various stakeholders;
  • The legislature should ensure that vague terminologies in the bills, including “national security”, “illicit” and “public order interference”, are defined before they are passed;
  • Since in its current form the Telecommunications and ICT bill creates room for abuse by giving excessive powers to the regulator and the Ministers of Interior, Defence and Security Affairs, the judiciary and Parliament should be granted wider oversight mandate over the regulator and the minister.
  • A specific law on data protection should be enacted to ensure that citizens’ personal data and privacy are safeguarded;
  • The ICT and telecommunications bill should specify the procedures for citizens to request for information from the state, and the release of such information by the state;
  • The three laws under consideration by Parliament should include clauses that protect the right to freedom of expression and the free flow of information.
  • Clauses on non-discrimination and equality should be introduced in the proposed law on Telecommunications and ICT specifically through criminalising actions that promote cyber bullying, cyber stalking, revenge pornography, and other acts that constitute online violence against women and other minority and vulnerable groups.

These recommendations echo those made by CIPESA in the State of Internet Freedom in DR Congo 2016 report, which also called for the Parliament to work with more stakeholders including civil society, internet users, private sector, academics and the media to review laws and amend those that limit and restrict citizens’ rights to privacy, assembly, expression and access to information. The report also stated that the drafting and amendment of laws should meet acceptable international human rights standards.

Recent Developments in Telecoms Regulation Threaten Online Rights in Uganda

By Edrine Wanyama
In April 2017, the parliament of Uganda gave the minister in charge of Information and Communication Technologies (ICT) powers to single-handedly make regulations that govern the telecommunications sector. Hitherto, regulations proposed by the minister had to receive parliamentary approval.
The Uganda Communications (Amendment) Bill (2016), which parliament passed on April 6, 2017, means that making regulations for the telecommunications sector is the sole preserve of the minister. Among others, such regulations are related to licensing and fees, operator obligations, competition, consumer rights and protection. It is for this reason that the newly passed law, which was gazetted back in February 2016 when still a bill, faced criticism from civil society.

  “The Minister may, after consultation with the Commission and with the approval of Parliament, by statutory instrument, make regulations for better carrying into effect the provisions of this Act.” Section 93(1) of the Uganda Communications Act 2013

  “The Minister may, after consultation with the Commission, by statutory instrument, make regulations for better carrying into effect the provisions of this Act.” Section 93(1) of the Uganda Communications (Amendment) Bill (2016)

The authority, Uganda Communications Commission (UCC), was set up in 1997 by the now repealed Communications Act, Cap. 106 (section 3) and is now established by the Uganda Communications Act, 2013 (section 4) (the Act) as the regulator of the communications sector, but has since inception faced criticism over lack of independence from the government. The Act gives extensive powers to the minister of ICT, including to appoint the commission’s executive director and board members and to approve its budgets.

Meanwhile, there are growing concerns about mass surveillance, particularly in the absence of a data protection and privacy law to safeguard citizen data collected by the state and private parties. These are further aggravated by the haphazard implementation of laws which have an impact on citizens’ communications.
On April 12, 2017, the telecom industry regulator Uganda Communications Commission (UCC) announced a seven-day deadline for subscribers to update their registration details using national identity (ID) cards in a move reportedly to address cybercrime. Mandatory SIM card registration has been in force since March 2012. At the time of the original deadline for conclusion of the exercise in August 2013, the commission reported that 92% of SIM cards were registered. However, investigations into past and recent crimes have revealed the continued existence and use of unregistered SIM cards.
The April 12 directive raised concerns about the conflicting requirements for the validation of SIM cards, with subscribers pointing out that various other forms of identification other than a national ID should be recognised. Pursuant to the Regulation of Interception of Communications Act 2010, Section 9(1), SIM card registration requires the subscriber’s full name, residential address, business address, postal address and identity number as contained in an identity document. Other forms of identification that have previously been used by subscribers have included employer identity cards, driving licenses, students’ identity cards and passports.
However, following an interim order as well as public statements by the Uganda Law Society and other stakeholders, the Prime Minister issued a directive extending the SIM card verification and validation deadline for a month to May 19, 2017.
The SIM card registration exercise has attracted criticisms from human rights defenders who claim it violates freedom of expression and goes against Article 27 of the Constitution which guarantees the right to privacy by possibly enabling mass surveillance of communications. Further, the absence of a data protection and privacy law continues to expose citizens’ data which is increasingly and now repeatedly being collected by the state. There is accordingly no guarantee that personal data will not be unlawfully processed and used.
Over the past year, national security has been cited as the basis for directives by the UCC including instructions given to telecommunications service providers to enforce two social media shutdowns during 2016.
Although Uganda has signed and ratified the African Charter on Human and Peoples’ Rights and also fully subscribes to the international bill of rights, specifically the Universal Declaration for Human Rights and the International Covenant on Civil and Political Rights, there are repeated affronts to the rights enshrined in these instruments.
It is for this reason that the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) calls for the following actions to be taken:

  1. The Government should adopt a multistakeholder approach in decisions affecting the ICT industry in Uganda. Decisions that affect the rights of citizens should be evidence-based and reached in consultation with other stakeholders including academia, civil society, media and the private sector.
  2. The Parliament should immediately pass the Data Protection and Privacy Bill, 2015 subject to the proposed amendments from the citizenry.
  3. Government should harmonise the implementation of laws pertaining to registration of data of citizens, refugees and non-citizens in Uganda, including the Regulation of Interception of Communications Act (2010) and the Registration of Persons Act (2015).
  4. There is a need to reinstate the oversight role of the Parliament over the Minister for ICT in making regulations for the ICT sector. Failure to do so will leave excessive powers within the ambit of the minister and resultantly, lead to abuse.

Read more on the State of Internet Freedom Uganda 2016.
 

CIPESA Convenes Journalists to Discuss Uganda’s Data Protection Bill

By Esther Nakkazi
Ugandan citizens’ personal data may be at risk of misuse if the Uganda Data Protection and Privacy Bill (2014) to be tabled before parliament is passed in its current form. Currently, large entities like telecommunications service providers, insurers, hospitals and even schools retain the information of millions of citizens who remain unaware of how secure their information is, especially as more of it becomes digitised.
While Uganda called for comments to the Bill in late 2014, little progress was made on it over the course of 2015. According to Gloria Katuuku from the Ministry of ICT, the comments received have been incorporated into a revision of the bill. “We brought this Bill before the public so that we get conclusive remarks. The bill has been gazetted and will be tabled in parliament, meaning at this time we shall just compile the concerns,” said Katuuku. She was speaking at a workshop convened by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) where Ugandan parliamentary journalists discussed data protection and privacy with reference to the bill.

CIPESA Policy Officer being interviewed by journalists

The workshop was organised in conjunction with the Uganda Parliamentary Press Association (UPPA) and aimed to create awareness among parliament journalists about clauses in the proposed law that contravene citizens’ rights, including to privacy. Few journalists were aware that government had drafted the law and called for robust media engagement with Members of Parliament so as to generate debate on data protection and privacy issues.
The former Chairman of parliament’s ICT Committee, Edward Baliddawa, said the data protection law should have been the basis for other cyber laws in Uganda. He added that as the country edges towards e-commerce, such as business process outsourcing, there is a need to regulate data controllers.
“This Bill is good for our safety and privacy as individuals and to become an e-commerce country,” he said. However, he also called for continuous engagement with all stakeholders across the lifespan of the bill – drafting, tabling to parliament and any eventual amendments.
Although existing laws such as the Electronic Signatures Act, 2011, the Computer Misuse Act, 2011, the Regulation of Interception of Communications Act 2010 and the Communications Commission Act 2013 cover aspects of data protection and privacy, they contain contradictions and potentially expose users’ information to unwarranted access and misuse by authorities. Lillian Nalwoga, CIPESA’s Policy Officer, said of the laws: “These laws have broad terminologies that should be amended to repeal contradictory provisions and this can be done within the Data protection and Privacy Bill, 2014 in the contexts of data users and collectors, and to prevent abuse.”

See this Overview of How ICT Policies Infringe on Online Privacy and Data Protection in Uganda

But the proposed data protection and privacy law that is meant to address privacy of citizens’ communications and data still has ambiguous terminologies, unclear definitions and arbitration issues that will negate its purpose.
According to CIPESA officials, the drafting phase should further engage with and seek consultations with different stakeholders including civil society, private sector, the media and academia for an extended period prior to tabling it before parliament. This would ensure that the law passed “is inclusive, accommodative and addresses the concerns raised by all the stockholders,” said Wakabi Wairagala, the head of CIPESA.
At the workshop, CIPESA officials referred journalists to various areas of concern in the draft bill including some of its ambiguous terminologies, such as Section 4 (2) which states that personal data may be collected or processed where necessary for ‘national security’ or for the ‘proper performance of a public duty’ by a public body. However, these words can be misinterpreted and leave room for the access to and abuse of citizens’ information.
Meanwhile, Section 7 (2) says data can be collected from another person, source or public body in certain circumstances without the consent of the owner. The length of time that the collected personal data can be retained is also not indicated. Section 14 (1) states that the data cannot be held for a period longer than is necessary and says it will be retained for national security purposes.
Overall, the bill does not explicitly state what constitutes a ‘privacy infringement’, thereby leaving users’ data open to abuse by data collectors and processors. It also does not state the procedures for citizens to access their data.

See CIPESA’s review of the Bill: Reflections on the Draft Data Protection and Privacy Bill