Robust Data Protection Standards Could Spur Regional Economic Integration

By Edrine Wanyama

Leaders in charge of various data protection agencies and Civil Society Organisations (CSOs) who met at the East African Exchange on Data Protection held in Kampala, Uganda on March 6, 2024, recognised the need to buttress data protection by promoting the right to privacy in the region. 

The event drew representatives of government agencies and CSOs from Burundi, the Democratic Republic of Congo, Kenya, Rwanda, Somalia, South Sudan, Tanzania, and Uganda. Speaking to the importance of the Data Exchange programme, Stella Alibateese, the Director of the National Personal Data Protection Office in Uganda, emphasised the need to enhance the right to privacy.

“As we navigate these waters, we must recognise the diverse stages of development and implementation of data protection and privacy laws across our partner states in the East African Community,” she said. “Yet, within this diversity lies our strength – the unparalleled opportunity for knowledge exchange, peer learning, and collective growth.”

Dr. Chris Baryomunsi, Uganda’s Minister of ICT and National Guidance, underscored the need for collaboration in dealing with the complexities of data protection. “As a bloc, we must therefore embrace innovative solutions and continue these collaborative efforts amongst regulators, development partners, businesses, and the general public so as to achieve effective data protection and respect for privacy rights,” said Baryomunsi. “I am confident that the outcomes of this knowledge exchange will go a long way in defining a regional approach to addressing emerging threats in data protection.”

Data privacy is necessary for enhancing state relations in trade and business. This includes e-commerce, transport, movement of goods and services, efficiency of service delivery, movement of persons and labour, and information exchange for a quicker economic integration process.

While the East African Community (EAC) stands on four pillars (the Customs Union, the Common Market, Monetary Union and Political Federation), which are the core foundations for economic development, the Customs Union, movement of persons, movement of workers and the Monetary Union involve mass collection of personal data, including in trade, business and travel.

Additionally, not all the states in the region have established strong safeguards on data protection and privacy. For instance, while Kenya, Rwanda, Somalia, South Sudan, Tanzania, and Uganda have specific legislation on data protection, some of the laws are criticised for failing to meet internationally accepted standards by, among others, not having clear and independent authorities to oversee and manage personal data and privacy. Another concern is that Burundi and the Democratic Republic of Congo are yet to enact specific laws on data protection, which puts data movement in the region at risk. 

At the regional level, the Draft EAC Legal Framework For Cyber Laws of 2008 has been largely unimplemented. Also, Rwanda is the only country within the EAC that has signed and ratified the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention). As such, there is no unified code or standard on data protection and privacy in the region.

Nevertheless, according to Annette Ssemuwemba, Deputy Secretary General for Customs, Trade and Monetary Affairs at the EAC, the bloc is undertaking measures to come up with a harmonised framework on data security. She said such a harmonised framework has the potential to inform data protection practices across the region with high chances of setting a common standard amongst the member states. 

Meanwhile, the existing data protection agencies in the EAC Member States face common challenges. These include limited financial resources, lack of sufficient technical and competent staff with a firm grasp of data protection and privacy issues, and receiving of complaints which are not necessarily related to the right to privacy. These challenges have undermined the potential of a transformational data privacy era in the region including in carrying out investigations into data breaches and adjudicating complaints. 

Nevertheless, the need to leverage more opportunities for data exchange was highlighted. These include knowledge exchange, collaboration, governments’ political will, professionalisation of the technology sector, independence of the data protection agencies, ratification of the Malabo Convention, drawing lessons from the General Data Protection Regulation (GDPR) of the European Union and the adoption of a uniform code for personal data protection in the region. Such measures could spur the protection and promotion of the right to privacy nationally, regionally, and internationally. Similarly, EAC countries without data protection laws should swiftly enact them to be on the same page with the rest.

State of Internet Freedom in Africa 2022: The Rise of Biometric Surveillance

FIFAfrica22

Digital biometric data collection programmes are becoming increasingly popular across the African continent. Governments are investing in diverse digital programmes to enable the capture of biometric information of their citizens for various purposes.

A new report by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) documents the emerging and current trends in biometric data collection and processing in Africa. It focuses on the deployment of national biometric technology-based programmes in 16 African countries, namely Angola, Cameroon, Central African Republic, Democratic Republic of Congo, Kenya, Lesotho, Liberia, Mozambique, Nigeria, Senegal, Sierra Leone, Tanzania, Togo, Tunisia, Uganda, and Zambia.

The report published today is the ninth consecutive one issued by CIPESA since 2014 under the State of Internet Freedom in Africa series. It was released at the Forum on Internet Freedom in Africa (FIFAfrica), which is taking place in Lusaka, Zambia.

The biometric data collection programmes reviewed by the report include those related to civil registrations, such as the issuance of National Identity cards, biometric voter registration and identification programmes, government-led CCTV programmes with facial recognition capabilities, national ePassport initiatives, refugees’ registration, and mandatory biometric SIM card registration.

The report highlights the key trends, potential risks, challenges and gaps relating to biometric data collection projects in the continent. These include limited public engagement and awareness campaigns; inadequate legal frameworks that heighten risks to privacy; exclusion from accessing essential services; enhanced surveillance, profiling and targeting; conflicting interests and the wide powers of third parties; and limited capacity and training. 

Consequently, the study notes that these biometric programmes are being implemented in countries with poor digital rights records, declining democracy and rising digital authoritarianism, which casts doubt on the integrity of biometric data collection programmes and the resultant databases. Thus, viewed collectively, the developments, trends and risks outlined in the report heighten concern over the growing threats to the right to privacy of personal data and potential violations of digital rights on the continent. 

Finally, the report presents recommendations to various stakeholders including the government, civil society, the media, the private sector and academia, which, if implemented, will go a long way in addressing data protection and privacy gaps, risks and challenges in the study countries. 

The key recommendations include a call to:

  • Governments to implement the laws and policy frameworks on identity systems and data protection and privacy while paying keen attention to compliance with regionally and internationally recognised principles and minimum standards on data protection and privacy for biometric data collection and require the adoption of human rights-based approaches. 
  • Countries without data protection and privacy laws such as Liberia, Mozambique, Sierra Leone and Tanzania should expedite the process of enacting appropriate data protection laws so as to guarantee the data protection and privacy rights of their citizens. 
  • Governments to ratify the AU Convention on Cyber Security and Personal Data Protection (Malabo Convention) to ensure government commitment to regional data protection and privacy as a means to hold them accountable.
  • Governments to establish independent and robust oversight data protection bodies to regulate data and privacy protection including biometric data.
  • Civil society to engage in advocacy and lobby governments to develop, implement and enforce privacy and data protection policies, laws and institutional frameworks that are in compliance with regional and international minimum human rights standards.
  • Civil society to monitor, document and report on the risks, threats, abuses and violations of privacy and human rights associated with biometric data collection programmes, and propose effective solutions to safeguard rights in line with international human rights standards.
  • The media to progressively document and report on initiatives such as advocacy by civil society and other stakeholders to keep track of developments. 
  • The media to conduct investigative journalism to identify and expose privacy violations arising from the implementation of biometric data collection programmes.
  • The private sector to take deliberate efforts to ensure that all their respective biometric data collection programmes and systems are developed, implemented and managed in compliance with best practices prescribed by the national, regional and international human rights standards and practices on privacy and data protection, including the UN Guiding Principles on Business and Human Rights.
  • The private sector to ensure that they progressively adopt and develop comprehensive internal privacy policies to guide the collection, storing and processing of personal data. 
  • The private sector to take deliberate efforts aimed at involving data subjects in the control and management of their personal data by providing timely information on external requests for information. 
  • Academia to conduct evidence-based research on data protection and privacy including biometrics, highlighting the challenges, risks, benefits and trends in biometric data collection programmes. 

The full State of Internet Freedom in Africa 2022 Report can be accessed here.

FIFAfrica22: Recognising Access To Information As A Fundamental Digital Right

Greetings from #FIFAfrica22

On September 28, the International Day for Universal Access To Information (IDUAI) will be commemorated globally. The day was proclaimed by the United Nations Educational, Scientific and Cultural Organisation (UNESCO) General Conference in 2015, following the adoption of the 38 C/Resolution 57 which recognised the significance of access to information. The 2022 edition of the Forum on Internet Freedom in Africa (FIFAfrica) will also commemorate this day through a series of discussions pertaining to access to information as a fundamental digital right.
Since its inception, FIFAfrica has coincided with IDUAI commemorations every September 28, during which it has endeavoured to create awareness about access to information offline and online and its connection to wider freedoms and democratic participation. These engagements have drawn consistent partnerships from UNESCO, among other global and regional actors.

In 2017, the African Commission Special Rapporteur for Freedom of Expression and Access to Information, Advocate Pansy Tlakula, addressed FIFAfrica, where she received special recognition for her contributions to promoting access to information.

The theme for IDUAI 2022 is “Artificial Intelligence, e-Governance and Access to Information” which echoes various sessions that will feature at FIFAfrica22.

The opening of FIFAfrica22 will feature Honourable Ourveena Geereesha Topsy-Sonoo, the African Commission on Human and Peoples’ Rights (ACHPR) Commissioner on Freedom of Expression and Access to Information. Further sessions that resonate with this year’s global IDUAI theme will form part of the discussions at FIFAfrica22, including Building Resilient Access to Information Legislation in the Digital Age; The Internet as a Tool for Promoting Information Integrity, Addressing Information Pollution Online and Offline; Artificial Intelligence Policy and Practice: Towards a Rights-Based Approach in Africa; Data Protection Trends and Advocacy in Africa; and Digital Inclusion: Access, Data Governance and Ethical Innovation in Africa.

Speakers at the sessions will represent a diversity of actors working on advancing the free flow of information, each of whom brings new insights and approaches to addressing practice and policy gaps affecting the realization of access to information in Africa. The speaker lineup includes representatives from Panos Institute, Africa Freedom of Information Centre (AFIC), African Centre for Media Excellence (ACME), Bloggers of Zambia, International Training Programme on Media Development in a Democratic Framework (ITP), International Centre for Non-For-Profit Law (ICNL), ALT Advisory, Center for Intellectual Property and Information Technology (CIPIT), Paradigm Initiative, Lawyers Hub Kenya, World Benchmarking Alliance, Development Initiatives, Data Science for Health Discovery and Innovation in Africa (DSI-Africa), Internet & Jurisdiction Policy Network, Internews, and Access Now.

Be part of the online conversation using #FIFAfrica22 and share your vision for #InternetFreedomAfrica! Follow @cipesaug on Facebook, Twitter and LinkedIn. Visit the event website.

About FIFAfrica
The Forum on Internet Freedom in Africa (FIFAfrica) is an annual landmark event which convenes a spectrum of stakeholders from across the internet governance and digital rights arenas in Africa and beyond. Hosted by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), the Forum will offer a platform for government representatives, civic actors, journalists, policymakers and technologists to come face to face.

Lawyers Trained to Defend Digital Freedoms 

By Edrine Wanyama

On July 28, 2022, 82 practicing advocates in Uganda were trained on defending digital rights and freedoms. The training was organised by the International Senior Lawyers Project, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), Uganda Law Society, and the Centre for Law and Democracy.

The sessions included an assessment of Uganda’s digital rights landscape, human rights issues affecting women journalists in Uganda, international freedom of expression norms, using international law to defend freedom of expression, and practices for shaping the legal framework for cybersecurity to effectively defend human rights.

In her opening remarks, the Uganda Law Society (ULS) vice president Diana Angwech stressed that it was crucial for the society to promote digital rights as they continued to face challenges. She added that rights abuses tend to grow during certain seasons such as elections. The ULS Rule of Law Report of 2021 documented abuses such as the state revoking of broadcasting licenses without due process, attacks on journalists, including the assault of over 20 journalists and the shooting of journalists by state security agents while covering opposition campaigns and proceedings in 2021.

In setting the pace for the capacity building training, CIPESA unpacked Uganda’s legal regime for digital rights. The session covered the meaning, scope and importance of digital rights and emerging issues for lawyers’ attention. The rights covered include freedom of expression, access to information, data protection and privacy, rights of children and their protection, intellectual property, assembly and association, the right to be forgotten, anonymity, and equal access to digital technologies.

Uganda’s constitution provides for the rights to privacy, freedom of expression, and the right of access to information. However, the country’s legislation, including the Press and Journalist Act, Penal Code Act, Data Protection and Privacy Act, 2019, Anti-Terrorism Act 2002 as amended 2015 and 2016, the Access to Information Act, 2005, the Official Secrets Act, Uganda Communications Act, 2013, Regulation of Interception of Communications Act, 2010, the Computer Misuse Act, 2011, the Anti-Pornography Act, 2014 and the Public Health (Control of COVID-19) Rules 2021, limits the enjoyment of digital rights. These laws are largely marred by vague provisions and wide limitations which enable communications monitoring and interception, and undermine free expression.

Catherine Anite of the Small Media Foundation spoke about how Uganda was experiencing a deterioration in respect for press freedom. In 2022, Uganda fell seven places on the World Press Freedom Index, ranking at 132 out of 180 countries analysed.

According to Anite, while gender equality is a prerequisite for human rights, democracy and social justice, gender disparities remain evident in the media. Female journalists across the globe face similar challenges, in addition to increased and appalling levels of violence both online and offline when compared to their male counterparts. She noted:

“Female journalists have reported suffering physical and online violence perpetrated by colleagues, public figures, strangers, anonymous perpetrators. We might be speaking about journalists but as lawyers some of these things apply to our contexts as well but we don’t speak about them. These trends have negatively impacted on diversity in media because of the exodus of female journalists, which has affected their equal participation in reporting, civil and political participation due to fears of violence.”

Toby Mendel and Raphael Vagliano, from the Centre for Law and Democracy, discussed international and regional laws on freedom of expression which are applicable to Uganda. They highlighted provisions of instruments such as the Universal Declaration of Human Rights (Article 19), the International Covenant on Civil and Political Rights (Article 19), the African Charter on Human and Peoples’ Rights (Article 9), and the Declaration of Principles of Freedom of Expression and Access to Information in Africa which, among others, require member states to facilitate the rights to freedom of expression and access to information online. Under these instruments, Uganda is obligated to respect, protect, promote and fulfill rights.

Richard Wingfield, the Head of the Media Law Working Group at the International Senior Lawyers Project (ISLP), explored case studies on using international law to defend freedom of expression, including approaches to arguments, support and intervention as well as the filing of amicus briefs to support litigation. He explained that lawyers in Uganda could support litigation, even in cases where they are not directly involved such as by offering professional support towards impactful and successful litigation, so as to contribute to the realisation of justice for freedom of expression rights.

Practices for shaping the legal framework for cybersecurity to effectively defend human rights were discussed. Cybersecurity is critical for ensuring confidentiality of personal data at all levels.

Advanced digital surveillance and forensic tools are needed to deal with modern cyber threats; but governments can abuse those tools if government authority is not adequately checked by confidence-inducing institutions.

Tools such as Bitdefender, Malwarebytes, full-disk encryption with BitLocker or FileVault, and strong passwords are critical for cyber security. Individuals must always be aware of potential data breaches by state authorities, which often compromise individual privacy through surveillance and forensics. States often justified cyber security violations by citing a need to protect national security, prevent crime and maintain public order. Similarly, while laws create obligations for collectors and processors of personal data, those actors often violate the laws, which necessitates legal intervention.

The lawyers were called upon to pay particular attention to problematic laws and policies, bills and practices so as to challenge them with the aim of establishing an enabling environment for the protection and enjoyment of digital rights.

The specific key emerging recommendations for lawyers from the capacity building training included to:

  • Collaborate with other stakeholders like civil society and academia to engage in litigation to promote freedom of expression, data and privacy rights.
  • Analyse bills and laws to establish gaps and push for repeal of regressive laws and amendment of regressive provisions.
  • Constantly write on topical issues on freedom of expression, data protection and privacy so as to raise awareness among individuals of their rights and expose any cases of violation for enhanced accountability and transparency.
  • Push telecommunication companies and internet service providers to comply with human rights when doing business, in compliance with the UN Guiding Principles on Business and Human Rights.
  • Respect individual data protection and privacy rights in their dealings to minimise conflict with the Data Protection and Privacy Act, 2019 and regional and international human rights instruments on freedom of expression, data protection and other human rights.
  • Make use of human rights reporting mechanisms such as the Universal Periodic Review and Special Rapporteur engagements to hold the government accountable for decisions undertaken in respect to digital rights.
  • Push and demand that the government complies with regional and international human rights standards, and signs and ratifies key instruments such as the African Union Convention on Cyber Security and Personal Data Protection so as to enhance digital rights protection.
  • Take deliberate efforts aimed at skilling themselves in the digital rights field. This will ensure that they are equipped with knowledge and skills on dealing with issues that affect digital rights.

Data Protection Policy Developed to Guide FinTechs in Ghana

By Ashnah Kalemera and Edrine Wanyama

The Financial Inclusion Forum Africa, through an Africa Digital Rights Fund (ADRF) grant, has drafted a Data Protection and Privacy Policy to serve as an internal guide on how digital financial service providers in Ghana should collect, store and process individuals’ data. The ADRF is an initiative of the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) which provides flexible and rapid response grants for the advancement of digital rights in Africa.

The policy outlines principles on the management of personal data in compliance with Ghana’s Data Protection Act 2012 and the International Organization for Standardization and International Electrotechnical Commission Standards for Information Security Management – ISO 27001:2013.

The policy outlines data protection principles including accountability by jurisdiction of data subject; lawfulness of processing through consent; disclosure of purpose; compliance with further processing; accuracy and completeness; openness; safeguards; and correction as well as deletion. The principles of privacy outlined are legal compliance; limitations of purpose; adequacy; and retention. 

The policy requires mandatory and frequent information security awareness training for staff and the constitution of an Information Security team responsible for implementing the policy and incident response. Roles and responsibilities are also outlined for risk and compliance, heads of departments, and employees. Provisions for the rights of data subjects include the right of access, rectification, cessation of processing and prevention of automated decision making. In the event of violation of the provisions, the policy provides for internal investigations and sanctions under the law. 

The policy was previewed at the Data Protection and Privacy Roundtable, which saw leading digital financial service providers such as Appruve, Jumo, Vodafone Cash, and G Money, alongside industry experts and regulators such as the eCrime Bureau, RegTheory, and CUTS (Consumer Unit and Trust Society) Ghana, provide insights into its viability and applicability. Discussions drew on real-life experiences of service providers and key feedback was incorporated into a revised version of the policy.

Commenting on the policy, Dr. William Derban, Chairperson of the Financial Inclusion Forum Africa, stated that data privacy and protection was “critical to financial inclusion”, as data was the cornerstone of innovation in digital financial services delivery. “These guidelines [the policy] serve as a template to enable fintechs who are developing such services to ensure that all our data is being protected,” he added. 

With data breaches, including by business entities, a growing concern among users of digital services across the African continent, the policy can go a long way in addressing the live issues in protecting the privacy of data in the financial sector in Ghana, if widely adopted by service providers.

As data becomes increasingly pivotal to the digital economy and digital rights, it is becoming essential to develop sector-specific data protection guidelines. The fintech sector, which is growing exponentially in Africa, is one of these sectors. Such guidelines are essential to buttress existing legislation, which in Ghana’s case includes the Payment Systems and Services Act, 2019, Data Protection Act, 2012, Electronic Communications Amendment Act, 2016, Electronic Transactions Act, 2008 and the Anti-Money Laundering Act, 2008.

While the policy is not binding, it is anticipated that through ongoing data protection and privacy campaigns, it will draw stakeholder buy-in and implementation, as it is in harmony with and gives effect to various local laws while also reflecting the General Data Protection Regulation of the European Union and the African Convention on Cyber Security and Personal Data Protection, which Ghana has signed and ratified.
