Promoting Effective and Inclusive ICT Policy in Africa

Tag Archives: Data privacy

  HomeCollaboration on International ICT Policy for East and Southern Africa (CIPESA)  /  Data privacy
11Oct

“Fake News” and Internet Shutdowns in Africa – What is to be Done?

Author admin Posted on

By Jimmy Kainja |
Malawian lecturer and  blogger, Jimmy Kainja participated at the Forum on Internet Freedom in Africa 2017. He shares some insights on fake news and internet shutdowns post the Forum.

In 2016 after attending my first Re:publica, a techie conference in Berlin, I wrote of a need for Africa to have what I called a “collective thinking space” where like-minded actors on the African continent would converge to share ideas and inspire each other. The Forum on Internet Freedom in Africa, 2017 (FIFAfrica17) which was held in Johannesburg, South Africa which I recently attended was the type of gathering that I wrote about in 2016.

Organised by Corroboration on International ICT Policy for East and Southern Africa (CIPESA) and co-hosted by the Association for Progressive Communication(APC), the peak of FIFAfrica17 was the launch of two important reports by CIPESA: State of Internet Freedom in Africa 2017 and the Cost of Internet Shutdowns in Africa. The reports highlight how influential new technologies, specifically the Internet have become in African politics over the years. Speaking at the Forum, Google’s Fortune Mgwili-Sibanda, observed that not withstanding the low Internet penetration rate on the continent, the Internet today has become important to African politics in a similar way that broadcasting was in the age of coups in Africa.

State broadcasting stations were always among the first institutions to be ceased by successful coup leaders so they could announce their victories and spread propaganda. Today, noted Mgwili-Sibanda, authoritarian states are quick to shutdown the Internet to maintain power and control. The age of the Internet has arrived in Africa and it is only right that Africans engage with new technologies critically – FIFAfrica17 provided that space.

Apart from critical issues concerning security and gender equality online, cost of the Internet, freedom of expression, access to information and privacy online, there were two specific issues that stood-out for me: “fake news” and of Internet shutdown. “Fake news”, perhaps I happened to sit on its discussion panel and Internet shutdowns because for the first-time I got to meet people who have directly been affected by fake news and they spoke passionately about it.

Some thoughts on these two issues:

“Fake news”

We must first understand that the central problem with “fake news”, and this is why it matters, is the centrality of access to information in democratic societies. Information is a pre-requisite for citizen’s public participation, and meaningful public participation can only be realised when citizens have accurate and critical information. This can only be realised through free and independent media providing accurate and verified information, not “fake news”.

Of course “fake news” has always been around in various forms and guises – it is still the same today. There are “fake news” producers only using it as click-baits, the motive here is nothing more than monetising. Then there is “fake news” informed by cultural myths – in Africa, certainly in Malawi where I come from, you always have media reporting on cases such as witchcraft planes having landed somewhere, is this not “fake news”? Then the most critical one: deliberate “fake news” aimed at deceiving the audience, harming someone, maintaining or attaining power.

The first version of “fake news” is likely to drift away as society figures out this disruptive technology. The second version is harmless – societies are bound and they exist by cultural beliefs and myths. We must be worried with the third version of “fake news” as it is politically motivated and its consequences have a greater impact in society.

In some cases there is nothing that media institutions can do to stop the spread of “fake news”, and this is one of the reasons that the “fake news” phenomenon is technology specific – the Internet. Yet, this also emphasises the critical role that journalists have in ensuring that the public have access to accurate and credible information.

Verification and fact-checking in journalism have never been so important. It is also the only way that journalism is going to maintain its credibility intact. As the saying goes, it is better to be late and accurate than break inaccurate or incorrect news.

Internet Shutdowns

The cost of Internet shutdowns is colossal as indicated in the report launched at FIFAfrica17. Yet, for paranoid political leader trying to maintain control and power, there is no price that cannot be paid.

But then it is crucial to appreciate that Internet shutdowns involve two players – government and service providers. Governments are interested is shutting down the Internet to close off citizens expressing their dissatisfaction and misgivings about the government. While service providers have to abide by government orders or risk loosing operating licenses. Service providers are not charity organisations – their prime motive is to make profits.

This leaves civil society to battle for open and accessible Internet for all, against the collusion between governments and service providers. Gatherings such as FIFAfrica17, though seemingly techie niche, are thus very important for activists, civil society groups, academia etc. to bang heads, share experiences and chart the way forward.

If everything in the past has failed to bring about African consciousness and solidarity among the huge diversity of Africans then Internet is proving an exception. According to a 2015 Portland Communication study, “Africa Tweets” the political #hashtags in Africa show that there is more solidarity among Africans online – or at least on Twitter. South Africa’s #feesmustfall hashtag was more popular in Egypt than South Africa itself, for example.

This article was first published on Jimmy Kainja’s blog Spirit of Umunthu

17Sep

Bridging Cyber Security Gaps: The Commonwealth Telecommunications Organization Trains SMEs in Uganda

Author admin Posted on

By Edrine Wanyama |

Uganda’s Small and Medium Enterprise (SME) sector is credited with contributing 20% to the country’s Gross Domestic Product (GDP) in 2016. While the level of adoption of technology as a key component of operations within the sector remains unclear, its effective utilisation requires entities to also embrace safety and security measures as a priority.

Identifying security controls to defend against cyber threats and data protection thus formed the basis of discussions at a cyber standards training workshop for SMEs in Uganda. Organised by the National Information Technology Authority (NITA-U) in collaboration with the Commonwealth Telecommunications Organization (CTO), the workshop, held in Kampala, Uganda on August 23-24,2017 targeted SME entrepreneurs, banking industry officials as well as ICT sector representatives from non-government organisations and other ICT stakeholders.

The workshop explored the Information Assurance for Small Information Assurance for Small to Medium Enterprises (IASME) which encourages SME’s to comply with international information security management standards.

Currently, possible cyber risks include; theft of data for monetary gain or competition by criminals, hacking, physical insecurity to staff and office equipment, malware attacks, insecure configuration, updating software from unreliable sources, access control and spam.

Discussions on information security are abound in Uganda as the Data Protection and Privacy Bill, 2015 makes slow progress in Parliament while laws like the Computer Misuse Act, 2011, the Electronics Signatures Act, 2011 and the Electronic Transactions Act, 2011 do not fully address the issue of data protection and privacy.

According to a 2016 report based on a global survey of cybersecurity managers and practitioners, cyber security and information security is considered a technical issue rather than a business imperative.  The findings of this study echo sentiment held by civil society orgnaisations which face similar digital security threats including increasingly sophisticated threats and rate of incidents.

In order to be better positioned to address cyber threats, civil society and SME need to be equipped with skills encompassing both online and offline responses. These include know how on policy and compliance, physical environmental protection, risk assessment, access controls, incident management, monitoring, backup, malware identification and technical intrusions.

Through a cyber essentials course and practical exercises, participants at the workshop were equipped with basic skills for enabling non-technical users to establish five information security controls including malware protection, access control, patch management, secure configuration, boundary firewalls and internet gateways.

As a follow-up to the exercise, selected participants will undergo further training for possible contracting as IASME information security assessors for SME’s.

CTO’s international events and seminars are conducted in all countries of the Commonwealth, across the continents of Africa, Europe, the Americas, Asia and the Pacific region. Specifically, in Africa, the events have been held in Botswana, Cameroon, Ghana, Kenya, Liberia, Mozambique, Nigeria, Papua New Guinea, South Africa, Swaziland and Uganda.

In the meantime, the Ministry of ICT & National Guidance on August 20, 2017 held an Awareness Workshop on Cyber Laws such as the Constitution of the Republic of Uganda 1995, National Information Technology Authority, Uganda Communications Act 2013, Electronic Signatures Act, Computer Misuse Act, Registration of Persons Act, Electronic Transactions Act, Electronic Transaction Regulations 2013, Electronic Signatures Regulations 2013, Open Data Policy, 2017, ICT for Disability Policy Draft and the Data Protection and Privacy Bill, 2015, to sensitize member of the public, private sector, academia, government officials and other stakeholders on information security threats and how to best combat them. The work shop put emphasis on the need to know, learn and understand existing and upcoming laws, policies and guidelines that regulate cyber security and how they can be best applied.

 
 
 

02Sep

Bridging Cyber Security Gaps: SMEs Trained in Uganda

Author admin Posted on

By Edrine Wanyama |
Uganda’s Small and Medium Enterprise (SME) sector is credited with contributing 20% to the country’s Gross Domestic Product (GDP) in 2016. While the level of adoption of technology as a key component of operations within the sector remains unclear, its effective utilisation requires entities to also embrace safety and security measures as a priority.
Identifying security controls to defend against cyber threats and data protection thus formed the basis of discussions at a cyber standards training workshop for SMEs in Uganda. Organised by the National Information Technology Authority (NITA-U) in collaboration with the Commonwealth Telecommunications Organization (CTO), the workshop, held in Kampala, Uganda on August 23-24,2017 targeted SME entrepreneurs, banking industry officials as well as ICT sector representatives from non-government organisations and other ICT stakeholders.
The workshop explored the Information Assurance for Small Information Assurance for Small to Medium Enterprises (IASME) which encourages SME’s to comply with international information security management standards
Possible risks include; theft of data for monetary gain or competition by criminals, hacking, physical insecurity to staff and office equipment, malware attacks, insecure configuration, updating software from unreliable sources, access control and spam.
Discussions on information security are abound in Uganda as the Data Protection and Privacy Bill, 2015 makes slow progress in Parliament while laws like the Computer Misuse Act, 2011, The Electronics Signatures Act, 2011 and the Electronic Transactions Act, 2011 do not fully address the issue of data protection and privacy.
According to a 2016 report based on a global survey of cybersecurity managers and practitioners, cyber security and information security is considered a technical issue rather than a business imperative.  The findings of this study echo sentiments held by civil society organisations which face similar digital security threats including increasingly sophisticated threats and rate of incidents according research conducted by the Collaboration for International ICT Policy in East and Southern Africa (CIPESA). It revealed that various CSOs were concerned about, or had been victims of hacking attempts on their email accounts and internal networks, that they had been targeted by phishing emails, and that they feared their activities were being surveilled by authorities
In order to be better positioned to address cyber threats, civil society and SME need to be equipped with skills encompassing both online and offline responses. These include knowhow on policy and compliance, physical environmental protection, risk assessment, access controls, incident management, monitoring, backup, malware identification and technical intrusions.
Through a cyber essentials course and practical exercises, participants at the workshop were equipped with basic skills for enabling non-technical users to establish five information security controls including malware protection, access control, patch management, secure configuration, boundary firewalls and internet gateways.
As a follow-up to the exercise, selected participants will undergo further training for possible contracting as IASME information security assessors for SME’s. CTO’s international events and seminars are conducted in all countries of the Commonwealth, across the continents of Africa, Europe, the Americas, Asia and the Pacific region. Specifically, in Africa, the events have been held in Botswana, Cameroon, Ghana, Kenya, Liberia, Mozambique, Nigeria, Papua New Guinea, South Africa, Swaziland and Uganda.
 

27Jul

What African Countries Can Learn from European Privacy Laws and Policies

Author admin Posted on

By Edrine Wanyama |
The General Data Protection Regulation (GDPR) came into force in the European Union (EU) in May 2016. The 28 EU member states have until May 2018 to apply the Regulation to existing national laws to ensure the protection of citizens with regard to the processing of personal data and its transfer within the EU and beyond.
In Africa, only 14 countries (Angola, Benin, Burkina Faso, Mali, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Morocco, Senegal, South Africa, Tunisia and Zimbabwe) have enacted data protection and privacy laws. Others, including Kenya, Niger, Nigeria, Tanzania and Uganda, have bills that are yet to be passed into law.
Whereas a continent-wide convention on Cyber Security and Personal Data protection was adopted by the African Union back in 2014, only eight countries (Benin, Chad, Congo, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome & Principe and Zambia) are signatories and only one (Senegal) has ratified the convention.
Meanwhile, as part of efforts to ensure data protection within the different regional blocs, the Southern African Development Community (SADC) has developed a model law on data protection while as of 2010, the Economic Community of West African States (ECOWAS) had the  Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS. Unlike its regional bloc counterparts in the south and west, the East African Community (EAC) has not adopted legislation on data protection and privacy – it only has a Framework for Cyberlaws which calls for member states to enact laws that protect personal data.
Meanwhile, some of the proposed and existing national laws fall short of comprehensively protecting data and privacy. For instance, Uganda’s Data Protection Bill, 2015 and Ghana’s Data Protection Act, 2012 lack succinct clauses on key areas such as notification of breach and data portability, and also have limitations on the right to access, among others. Despite this, mass collection of personal data continues across the continent, leaving the majority of Africans vulnerable to the violation of their data privacy.
This contrasting state of affairs formed part of the discussions at a July 2017 convening of lawyers, government officials, civil society representatives, academics, and students at the Institute for Information Law at the University of Amsterdam for a five-day training course on issues pertaining to privacy and data protection law relate to the internet and electronic communications.
For over 60 years, the European Convention on Human Rights (1950) has functioned as the framework to guarantee the right of privacy for private and family life. More recently, the European Charter of Fundamental Rights, 2000 has reinforced this right. These instruments are the basis of the robust protections provided for under the GDPR. In Africa similar frameworks which address privacy are less than 15 years old, such as the Declaration of Principles on Freedom of Expression in Africa (2002) (Part V), the  Resolution on the Right to Freedom of Information and Expression on the Internet in Africa – ACHPR/Res. 362(LIX) 2016, and the civil society led African Declaration on Internet Rights and Freedoms.
However, where European instruments have been largely endorsed and supported by member states, many African instruments still struggle to gain similar recognition by member states.  As in the EU, African countries need to uphold the principles laid down in these instruments towards the recognition and enforcement of citizens’ right to privacy and data protection.
Further, per the GDPR, European states are required to establish Data Protection Authorities (DPAs) to ensure that safeguards are in place to protect user data including across different jurisdictions. African states should embrace similar measures to guard against infringement on citizens’ privacy.

Data Protection Authorities are mandated to independently monitor, raise awareness, handle complaints and conduct investigations, among others, to uphold personal data protection.

Overall, the course highlighted the need for a robust privacy regime across the world to ensure that citizens enjoy due protection of their online data. It also highlighted the need for more efforts in citizen sensitisation on data protection and privacy alongside better frameworks in the African context to support these rights.
CIPESA participated in the course together with representatives from Ohio State Moritz College of Law and Capital University Law School; Global Privacy Practice, Covington & Burling; Institute for Information Law, University of Amsterdam; Berkeley Center for Law & Technology, UC Berkeley School of Law; Dutch Data Protection Authority; and the Washington University Law School, among others.
There are lessons for Africa to learn from the European experience, including the establishment of state and regional mechanisms that strengthen data protection frameworks. However, it is integral that more African countries enact data protection laws, and for countries that have with this law, it should be implemented with oversight from independent bodies as more user data is generated and stored online.
 
 

15Jun

DR Congo Parliament Urged to Pass Laws That Support Citizens’ Rights Online

Author admin Posted on

Statement |
Civil society actors in the Congolese town of Goma have urged the Government of the Democratic Republic of Congo (DRC) to make amendments to its current laws governing Information and Communication Technologies (ICT) to make them favourable to the growth of internet usage, as well as online privacy, access to information and freedom of expression.
The civil society actors, including journalists, digital rights activists and bloggers, also urged the country’s Parliament and the Ministry for ICT to offer meaningful avenues for citizens to provide inputs to proposed new laws related to the telecommunications industry.
The Government has recently sent to the Parliament the Telecommunications and ICT Bill which is aimed at updating the Framework Law 013/2002 on Telecommunications, as well as the e-Transactions Bill, and a law amending the Act that set up the regulator – the Authority of the Post and Telecommunications of Congo (ARPTC). However, neither the Parliament, nor the Ministry, have announced opportunities for other stakeholders to make comments or submissions on these draft laws.
The importance of stakeholder consultations in Congo’s policy-making processes was among the issues that emerged during a two-day ICT policy and advocacy training workshop hosted in Goma on June 10- 11, 2017, by Rudi International and the Collaboration on International ICT Policy for East and Southern Africa (CIPESA). Participants noted that the exclusion of private sector and civil society actors from the law-making process could lead to the passing of laws that are detrimental to internet access and usage in the central African country.
Presently, ICT adoption in DRC faces several challenges including unreasonably high data costs which have largely contributed to the low internet penetration rate of 4.2% as of 2016. The Framework Law 013/2002 on Telecommunications and the Law 14/2002 on the Regulator are the primary laws governing online communication but they do not adequately provide for citizens’ rights to privacy, nor do they provide a conducive environment for citizens to enjoy the right to free expression.
Further, these laws contain vague clauses such as ‘public interest’, ‘disruption of public order’, ‘ultimate truth’, and ‘national security’ which create the latitude for unwarranted abuse of the laws including through censorship and surveillance. Meanwhile, internet and telecommunications services providers lack protection from undue state interference as has been evidenced by the evolution of communications shutdowns in recent years.
The proposed new laws are welcome because they present an opportunity to expunge retrogressive articles from the existing laws and to address the current gaps. However, the current drafts neither reflect sufficient protections for citizens’ rights to privacy and freedom of expression, nor do they adequately support the free flow of information online. For instance, the Telecommunications and ICT Bill contains several problematic clauses, including granting the minister excessive powers over the interception of communications and interruptions to communications. The minister and the regulator also maintain strong over the operations of service providers. Furthermore, there are weak provisions related to data protection, with the bill lacking independent oversight mechanisms particularly with regards to the state making user information requests to service providers.
The lack of independent oversight mechanisms to safeguard against the abuse of the excessive power by the minister fails to ensure that citizens are protected against unwarranted interception of communication.
While article 175 of the proposed ICT and Telecommunications law recognises the right of a citizen to demand for information on their personal data from the state or another entity, there are no clear provisions on how this information can be requested or whether the holders of this information are obliged to respond to an information request within a specified timeframe.
Secure online communication is prioritised in articles 116–117. However, clauses which permit the state to intercept private communication with limited safeguards are also included. Further, article 119 includes a provision for the General Prosecutor to designate a chief magistrate who can instruct any qualified agent from the Ministry of ICT or a telecommunications company to put in place mechanisms that allow for interception of citizens’ online communication.
During the training workshop, the civil society actors noted that these clauses contravene international human rights standards as set out in a number of instruments including the Universal Declaration of Human Rights, African Charter on Human and Peoples’ Rights and the African Declaration on Internet Rights and Freedoms. As such, they recommended that:

  • There should be increased participation by more stakeholders in the law development process, as well as regular multi-stakeholder engagements between government, service providers and civil society;
  • Government, particularly the Ministry of ICT and Parliament, should widely circulate the three bills, create awareness about their objectives and invite comments on the draft laws from various stakeholders;
  • The legislature should ensure that  vague terminologies in the bills, including “national security”, “illicit” and “public order interference”, are defined before they are passed;
  • Since in its current form the Telecommunications and ICT bill creates room for abuse by giving excessive powers to the regulator and the Ministers of Interior, Defence and Security Affairs, the judiciary and Parliament should be granted wider oversight mandate over the regulator and the minister.
  • A specific law on data protection should be enacted to  ensure that citizens’ personal data and privacy are safeguarded;
  • The ICT and telecommunications bill should specify the procedures for citizens to request for information from the state, and the release of such information by the state;
  • The three laws under consideration by Parliament should include clauses that protect the right to freedom of expression and the free flow of information.
  • Clauses on non-discrimination and equality should be introduced in the proposed law on Telecommunications and ICT specifically through criminalising actions that promote cyber bullying, cyber stalking, revenge pornography, and other acts that constitute online violence against women and other minority and vulnerable groups.

These recommendations echo those made by CIPESA in the State of Internet Freedom in DR Congo 2016 report, which also called for the Parliament to work with more stakeholders including civil society, internet users, private sector, academics and the media to review laws and amend those that limit and restrict citizens’ rights to privacy, assembly, expression and access to information. The report also stated that the drafting and amendment of laws should meet acceptable international human rights standards.

1 13 14 15 16