How Surveillance, Collection of Biometric Data and Limitation of Encryption are Undermining Privacy Rights in Africa

By Paul Kimumwe

The right to privacy online has become a critical human rights issue, given its intricate connection with, and its role as a foundation for, the realisation of other rights, including the rights to freedom of expression, information, assembly, and association, and the preservation of human dignity. However, many African countries have steadily taken measures to undermine this right, including enacting retrogressive laws and policies that facilitate surveillance and the collection of biometric data, and others that limit the use of encryption.

The advent of the Covid-19 pandemic has exacerbated privacy concerns, yet in several countries digital rights were already under steady attack, including via internet shutdowns, criminalisation of “false news”, misinformation and disinformation campaigns by state and non-state actors, harassment and prosecution of social media users, and growing state surveillance.

In responding to the pandemic, many countries adopted regulations and practices, including deploying surveillance technologies and untested applications, to enable them to collect and process personal data for purposes of tracing, contacting, and isolating those suspected to be carrying the virus and those confirmed to carry it. These measures were quickly adopted, often without adequate regulation or oversight.

In this research report, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has analysed laws and policies that impact on privacy, notably those that regulate surveillance, data localisation, biometric databases, and encryption.

The research covered 19 countries – Cameroon, Chad, Egypt, Ethiopia, Kenya, Ghana, Malawi, Mali, Mozambique, Namibia, Nigeria, Rwanda, Senegal, Tanzania, Tunisia, Uganda, Zambia, Zimbabwe, and South Africa.

Summary findings

Growing Surveillance: The research findings show that overall, there has been notable progress in the enactment of specific laws and policies safeguarding the right to privacy, including requiring judicial authority to authorise surveillance in countries such as Kenya, Nigeria, Tanzania, Tunisia and Uganda.

However, there are a few cases, such as in Zimbabwe, where authorisation for monitoring and intercepting communications is offered by non-independent and partial actors such as ministers. In addition, many of the countries’ laws do not measure up to international human rights standards and fail to establish clear and appropriate oversight, redress, and remedy mechanisms.

Indeed, “national security” considerations have been employed in laws in various countries broadly to justify and authorise the interception of communication, restrict privacy rights, grant wide search and seizure powers to law enforcement agencies, mandate intermediaries such as telecommunication service providers to facilitate interception, and to require data localisation.

In addition, while various countries have criminalised illegal surveillance and placed various safeguards on the conduct of state surveillance, many of them still contain retrogressive provisions that leave scope for intrusion, including enabling state surveillance with limited safeguards.

Limitation of Encryption: Anonymity and the use of encryption in digital communications are critical in advancing both the right to freedom of expression and right to privacy. In the absence of these rights, the capacity of individuals to communicate anonymously and without fear of their communications being intercepted cannot be guaranteed.

There are few positive provisions in some countries that require the protection of personal data through technical security measures which include encryption. On the other hand, many countries in the study have passed legislation that limits anonymity and the use of encryption through criminalisation of possession and use of cryptographic software or hardware, providing for fines and prison sentences.

The findings show that in countries like Chad, Malawi, Senegal, Tanzania, Tunisia and Zambia, there are penalties for offering cryptographic services without licensing, registration or authorisation. Interception of communications provisions often require service providers to decrypt any encrypted information that they may intercept in the course of offering assistance to lawful interception. In countries such as Mali and Tanzania, the laws require the encryption service providers, upon registration with the authorities, to disclose the technologies they plan to use for encryption.

Data Localisation: The findings show that a growing number of African countries have been legislating on data localisation, which has mostly taken the form of a requirement to store data locally and forbidding unauthorised cross-border data transfers. Various countries have specified the conditions for authorising transfer, mostly where the data subject has offered consent and where an adequate level of protection is assured in the recipient country or international organisation.

Several African countries have adopted different approaches towards data localisation. Several countries use laws on financial services (Nigeria, Ethiopia and Rwanda), cybersecurity and cybercrimes (Rwanda, Zambia and Zimbabwe), telecommunications (Cameroon, Rwanda and Nigeria) and data protection (Kenya, South Africa, Tunisia and Uganda) to place restrictions on cross-border transfer of data.

Some countries have specified the data that cannot be exported without authorisation. Kenya specifies all public data; Nigeria mentions all government data and all subscriber and consumer data; while Zimbabwe, Malawi and Tunisia cite personal information.

Establishment of Biometric Databases: In several countries, government agencies are collecting and processing personal data without adequate data protection laws, amidst limited oversight mechanisms and inadequate remedies. While many have recently passed data protection laws and policies, implementation is not effective, and the safeguards are not water-tight as required under international human rights law.

Some laws in countries such as Chad, Kenya, Tunisia, Uganda, South Africa, and Zimbabwe, prohibit the collection of certain categories of data, including specific types of biometric data generally, or where certain conditions are not complied with. In the other countries studied, the laws require the mandatory collection of biometric information for the registration of telecommunications subscribers, for digital identity programmes and during voters’ registration. Several laws and policies on biometric data collection contain provisions on sanctions and penalties for breach.

Weak Oversight, Transparency and Accountability Mechanisms: The study found that countries have adopted different approaches to oversight, including specifying courts, data protection authorities, sector regulators and administrative bodies as key oversight bodies. Some of these bodies are located within the executive, and therefore may lack the proper legal, financial, and institutional independence to stem violations within government, and especially by state security agencies. The laws in most countries require judicial authorities to issue a warrant for interception or monitoring of communications. However, in some countries interception orders can be issued by non-judicial officials, such as ministers.

The deficiency of accountability and transparency is among the weakest links in the various countries’ surveillance laws. While some countries, such as Nigeria, Rwanda, Tunisia and Zimbabwe, have commendable oversight and accountability provisions, it is not known whether they are applied. No entity in any of the countries studied permits public access to records on interception which the laws require state authorities to compile periodically, or publishes any data related to interception warrants issued. If such data is recorded at all, it is categorised as classified information under state secrets laws. Thus, the public and oversight institutions such as judiciaries and parliaments remain in the dark about the extent and legality of the conduct of surveillance in the respective countries.

Recommendations

  • Governments should review existing laws, policies and practices on surveillance, including Covid-19 surveillance, biometric data collection, encryption and data localisation to ensure they comply with the principles in the African Commission on Human and Peoples’ Rights (ACHPR) Declaration on Principles of Freedom of Expression and Access to Information in Africa and international human rights standards.
  • Governments should also adopt multi-stakeholder approaches to ensure meaningful participation of all stakeholders in the development of policies and laws that affect the right to privacy and data protection.
  • Civil society actors should use strategic public interest litigation as an avenue to challenge laws that violate privacy rights and push for policy and practice reforms that uphold privacy.
  • Civil society actors should also monitor and document privacy rights violations through evidence-based research, and report on state compliance with their obligations to human rights monitoring bodies.

See the full research report here.

Data Protection Policy Developed to Guide FinTechs in Ghana

By Ashnah Kalemera and Edrine Wanyama

The Financial Inclusion Forum Africa, through an Africa Digital Rights Fund (ADRF) grant, has drafted a Data Protection and Privacy Policy to serve as an internal guide on how digital financial service providers in Ghana should collect, store and process individuals’ data. The ADRF is an initiative of the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) which provides flexible and rapid response grants for the advancement of digital rights in Africa.

The policy outlines principles on the management of personal data in compliance with Ghana’s Data Protection Act 2012 and the International Organization for Standardization and International Electrotechnical Commission Standards for Information Security Management – ISO 27001:2013.

The policy outlines data protection principles including accountability by jurisdiction of data subject; lawfulness of processing through consent; disclosure of purpose; compliance with further processing; accuracy and completeness; openness; safeguards; and correction as well as deletion. The principles of privacy outlined are legal compliance; limitations of purpose; adequacy; and retention. 

The policy requires mandatory and frequent information security awareness training for staff and the constitution of an Information Security team responsible for implementing the policy and incident response. Roles and responsibilities are also outlined for risk and compliance, heads of departments, and employees. Provisions for the rights of data subjects include the right of access, rectification, cessation of processing and prevention of automated decision making. In the event of violation of the provisions, the policy provides for internal investigations and sanctions under the law. 

The policy was previewed at the Data Protection and Privacy Roundtable, which saw leading digital financial service providers such as Appruve, Jumo, Vodafone Cash, and G Money, alongside industry experts and regulators such as the eCrime Bureau, RegTheory, and CUTS (Consumer Unit and Trust Society) Ghana, provide insights into its viability and applicability. Discussions drew on real-life experiences of service providers and key feedback was incorporated into a revised version of the policy.

Commenting on the policy, Dr. William Derban, Chairperson of the Financial Inclusion Forum Africa, stated that data privacy and protection was “critical to financial inclusion”, as data was the cornerstone of innovation in digital financial services delivery. “These guidelines [the policy] serve as a template to enable fintechs who are developing such services to ensure that all our data is being protected,” he added. 

With data breaches, including by business entities, a growing concern among users of digital services across the African continent, the policy can go a long way in addressing the live issues in protecting the privacy of data in the financial sector in Ghana, if widely adopted by service providers.

As data becomes increasingly pivotal to the digital economy and digital rights, it is becoming essential to develop sector-specific data protection guidelines. The fintech sector, which is growing exponentially in Africa, is one of these sectors. Such guidelines are essential to buttress existing legislation, which in Ghana’s case includes the Payment Systems and Services Act, 2019, Data Protection Act, 2012, Electronic Communications Amendment Act, 2016, Electronic Transactions Act, 2008 and the Anti-Money Laundering Act, 2008.

While the policy is not binding, it is anticipated that through ongoing data protection and privacy campaigns, it will draw stakeholder buy-in and implementation, as it is in harmony with and gives effect to various local laws while also reflecting the General Data Protection Regulation of the European Union and the African Convention on Cyber Security and Personal Data Protection, which Ghana has signed and ratified.

Register for The Data Privacy Summit 2021

Online Event

The Collaboration on International ICT Policy for East and Southern Africa (CIPESA), alongside Article 19, Facebook and FGI Benin, is pleased to host the Data Privacy Summit 2021 (#DataPrivacySummit21) in commemoration of Data Privacy Day.

Data Privacy Day was launched by the Committee of Ministers of the Council of Europe on 26th April 2006, to be celebrated each year on 28th January, the anniversary of the signing of Convention 108 – the first legally binding international treaty on privacy and data protection. Since then, this day has come to represent international efforts to empower individuals and businesses to respect privacy, safeguard data and build trust.

The Data Privacy Summit 2021 thus aims to raise awareness on contemporary privacy and data protection issues in Africa and the Middle East, as well as to inspire individuals, policymakers and organisations to take action and adopt best practices that protect privacy while promoting innovation in a manner that mitigates risks in the increasing use of digital technologies.

To see the lineup of sessions and speakers, register here.

African Civic Tech and COVID-19: Five Emerging Trends

By Melissa Zisengwe

Africa has a growing civic tech community that focuses on issues such as accountability and transparency, data journalism, citizen participation, and public services monitoring. Since the outbreak of COVID-19, various technologies have been deployed by citizens, civil society organisations, start-ups, private companies, universities and governments to aid the fight against COVID-19. Specifically, the civic tech community has created several innovations or adapted and repurposed existing resources to confront the COVID-19 pandemic.

The findings resulting from interviews conducted with civic tech innovations from Kenya, Nigeria, South Africa and Uganda indicate that the potential for technology to facilitate the fight against COVID-19 is clear. Across the continent, the emerging trends include contact tracing, instant messaging, digital governance, information dashboards and predictions and debunking misinformation.

For instance, platforms leveraging instant messaging applications such as GovChat and Grassroot in South Africa, as well as Uganda’s Ministry of Health Chatbot, have supported remote government-citizen interactions, community organising and access to information, respectively, in compliance with national COVID-19 standard operating procedures. Similarly, there has been a shift in governments’ adoption and use of technology, with many operations such as the judiciary in Kenya and emergency services in Uganda moving online.

Further, the use of data mining and spatial analysis techniques to aid analysis into the spread of the virus at provincial level in South Africa, and functioning of health centres in Burkina Faso, indicates that the civic tech community, along with the private sector and the government, appreciate the importance of access to information in a pandemic.

While dashboards are keeping citizens updated on Coronavirus related news, some organisations are taking it a step further to ensure that citizens receive accurate information and stop the spread of the disinfodemic, which is the spread of unverified, untrue information about the disease. This is being achieved through virtual games in Uganda and live guides, among others.

In several countries, organisations, governments and companies are reported to have employed digital contact tracing measures. Although the extent of this trend is unknown, common practices include contact tracing apps, CCTV surveillance, and cell phone location data tracking.

While these contact tracing apps and efforts could indeed aid the countries in their fight against COVID-19, they present some concerns over data privacy and surveillance. Tracking via mobile technology means personal information such as an individual’s location and movements, and their COVID-19 status could be disclosed without consent and oversight mechanisms for protection and accountability.

The trends above show that the civic tech community in Africa is willing to do their part in society and that innovation is not always a shiny new app or product; rather, sometimes it is existing tools and methodologies which can be repurposed to respond to emerging needs. While these tools have been instrumental in shaping the fight against COVID-19, user sensitisation towards increased adoption during and in the aftermath of the pandemic remains crucial.

Read the full brief here.


Melissa Zisengwe is a 2020 CIPESA Fellow focussing on the area of civic technology in Africa.

Joint Civil Society Statement: States’ Use of Digital Surveillance Technologies to Fight Pandemic Must Respect Human Rights

Joint Statement

The COVID-19 pandemic is a global public health emergency that requires a coordinated and large-scale response by governments worldwide. However, States’ efforts to contain the virus must not be used as a cover to usher in a new era of greatly expanded systems of invasive digital surveillance.

We, the undersigned organizations, urge governments to show leadership in tackling the pandemic in a way that ensures that the use of digital technologies to track and monitor individuals and populations is carried out strictly in line with human rights.

Technology can and should play an important role during this effort to save lives, such as to spread public health messages and increase access to health care. However, an increase in state digital surveillance powers, such as obtaining access to mobile phone location data, threatens privacy, freedom of expression and freedom of association, in ways that could violate rights and degrade trust in public authorities – undermining the effectiveness of any public health response. Such measures also pose a risk of discrimination and may disproportionately harm already marginalized communities.

These are extraordinary times, but human rights law still applies. Indeed, the human rights framework is designed to ensure that different rights can be carefully balanced to protect individuals and wider societies. States cannot simply disregard rights such as privacy and freedom of expression in the name of tackling a public health crisis. On the contrary, protecting human rights also promotes public health. Now more than ever, governments must rigorously ensure that any restrictions to these rights are in line with long-established human rights safeguards.

This crisis offers an opportunity to demonstrate our shared humanity. We can make extraordinary efforts to fight this pandemic that are consistent with human rights standards and the rule of law. The decisions that governments make now to confront the pandemic will shape what the world looks like in the future.

We call on all governments not to respond to the COVID-19 pandemic with increased digital surveillance unless the following conditions are met:

  1. Surveillance measures adopted to address the pandemic must be lawful, necessary and proportionate. They must be provided for by law and must be justified by legitimate public health objectives, as determined by the appropriate public health authorities, and be proportionate to those needs. Governments must be transparent about the measures they are taking so that they can be scrutinized and if appropriate later modified, retracted, or overturned. We cannot allow the COVID-19 pandemic to serve as an excuse for indiscriminate mass surveillance.
  2. If governments expand monitoring and surveillance powers then such powers must be time-bound, and only continue for as long as necessary to address the current pandemic. We cannot allow the COVID-19 pandemic to serve as an excuse for indefinite surveillance.
  3. States must ensure that increased collection, retention, and aggregation of personal data, including health data, is only used for the purposes of responding to the COVID-19 pandemic. Data collected, retained, and aggregated to respond to the pandemic must be limited in scope, time-bound in relation to the pandemic and must not be used for commercial or any other purposes. We cannot allow the COVID-19 pandemic to serve as an excuse to gut individual’s right to privacy.
  4. Governments must take every effort to protect people’s data, including ensuring sufficient security of any personal data collected and of any devices, applications, networks, or services involved in collection, transmission, processing, and storage. Any claims that data is anonymous must be based on evidence and supported with sufficient information regarding how it has been anonymized. We cannot allow attempts to respond to this pandemic to be used as justification for compromising people’s digital safety.
  5. Any use of digital surveillance technologies in responding to COVID-19, including big data and artificial intelligence systems, must address the risk that these tools will facilitate discrimination and other rights abuses against racial minorities, people living in poverty, and other marginalized populations, whose needs and lived realities may be obscured or misrepresented in large datasets. We cannot allow the COVID-19 pandemic to further increase the gap in the enjoyment of human rights between different groups in society.
  6. If governments enter into data sharing agreements with other public or private sector entities, they must be based on law, and the existence of these agreements and information necessary to assess their impact on privacy and human rights must be publicly disclosed – in writing, with sunset clauses, public oversight and other safeguards by default. Businesses involved in efforts by governments to tackle COVID-19 must undertake due diligence to ensure they respect human rights, and ensure any intervention is firewalled from other business and commercial interests. We cannot allow the COVID-19 pandemic to serve as an excuse for keeping people in the dark about what information their governments are gathering and sharing with third parties.
  7. Any response must incorporate accountability protections and safeguards against abuse. Increased surveillance efforts related to COVID-19 should not fall under the domain of security or intelligence agencies and must be subject to effective oversight by appropriate independent bodies. Further, individuals must be given the opportunity to know about and challenge any COVID-19 related measures to collect, aggregate, retain, and use data. Individuals who have been subjected to surveillance must have access to effective remedies.
  8. COVID-19 related responses that include data collection efforts should include means for free, active, and meaningful participation of relevant stakeholders, in particular experts in the public health sector and the most marginalized population groups.

Signatories:

7amleh – Arab Center for Social Media Advancement

Access Now

African Declaration on Internet Rights and Freedoms Coalition

AI Now

Algorithm Watch

Alternatif Bilisim

Amnesty International

ApTI

ARTICLE 19

Asociación para una Ciudadanía Participativa, ACI Participa

Association for Progressive Communications (APC)

ASUTIC, Senegal

Athan – Freedom of Expression Activist Organization

Barracón Digital

Big Brother Watch

Bits of Freedom

Center for Advancement of Rights and Democracy (CARD)

Center for Digital Democracy

Center for Economic Justice

Centro De Estudios Constitucionales y de Derechos Humanos de Rosario

Chaos Computer Club – CCC

Citizen D / Državljan D

Civil Liberties Union for Europe

CódigoSur

Coding Rights

Coletivo Brasil de Comunicação Social

Collaboration on International ICT Policy for East and Southern Africa (CIPESA)

Comité por la Libre Expresión (C-Libre)

Committee to Protect Journalists

Consumer Action

Consumer Federation of America

Cooperativa Tierra Común

Creative Commons Uruguay

D3 – Defesa dos Direitos Digitais

Data Privacy Brasil

Democratic Transition and Human Rights Support Center “DAAM”

Derechos Digitales

Digital Rights Lawyers Initiative (DRLI)

Digital Security Lab Ukraine

Digitalcourage

EPIC

epicenter.works

European Digital Rights – EDRi

Fitug

Foundation for Information Policy Research

Foundation for Media Alternatives

Fundación Acceso (Centroamérica)

Fundación Ciudadanía y Desarrollo, Ecuador

Fundación Datos Protegidos

Fundación Internet Bolivia

Fundación Taigüey, República Dominicana

Fundación Vía Libre

Hermes Center

Hiperderecho

Homo Digitalis

Human Rights Watch

Hungarian Civil Liberties Union

ImpACT International for Human Rights Policies

Index on Censorship

Initiative für Netzfreiheit

Innovation for Change – Middle East and North Africa

International Commission of Jurists

International Service for Human Rights (ISHR)

Intervozes – Coletivo Brasil de Comunicação Social

Ipandetec

IPPF

Irish Council for Civil Liberties (ICCL)

IT-Political Association of Denmark

Iuridicum Remedium z.s. (IURE)

Karisma

La Quadrature du Net

Liberia Information Technology Student Union

Liberty

Luchadoras

Majal.org

Masaar “Community for Technology and Law”

Media Rights Agenda (Nigeria)

MENA Rights Group

Metamorphosis Foundation

New America’s Open Technology Institute

Observacom

Open Data Institute

Open Rights Group

OpenMedia

OutRight Action International

Pangea

Panoptykon Foundation

Paradigm Initiative (PIN)

PEN International

Privacy International

Public Citizen

Public Knowledge

R3D: Red en Defensa de los Derechos Digitales

RedesAyuda

SHARE Foundation

Skyline International for Human Rights

Sursiendo

Swedish Consumers’ Association

Tahrir Institute for Middle East Policy (TIMEP)

Tech Inquiry

TechHerNG

TEDIC

The Bachchao Project

Unwanted Witness, Uganda

WITNESS

World Wide Web Foundation