Promoting Effective and Inclusive ICT Policy in Africa

Tag Archives: Data protection

  HomeCollaboration on International ICT Policy for East and Southern Africa (CIPESA)  /  Data protection
02Sep

Lawyers Trained to Defend Digital Freedoms 

Author CIPESA Posted on

By Edrine Wanyama |

On July 28, 2022, 82 practicing advocates in Uganda were trained on defending digital rights and freedoms. The training was organised by the International Senior Lawyers Project, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), Uganda Law Society, and the Centre for Law and Democracy.

The sessions included an assessment of Uganda’s digital rights landscape, human rights issues affecting women journalists in Uganda, international freedom of expression norms, using international law to defend freedom of expression, and practices for shaping the legal framework for cybersecurity to effectively defend human rights.

In her opening remarks, the Uganda Law Society (ULS) vice president Diana Angwech stressed that it was crucial for the society to promote digital rights as they continued to face challenges.  She added that rights abuses tend to grow during certain seasons such as elections. The ULS Rule of Law Report of 2021 documented abuses such as the state revoking of broadcasting licenses without due process, attacks on journalists, including the assault of over 20 journalists and the shooting of journalists by state security agents while covering opposition campaigns and proceedings in 2021.

In setting the pace for the capacity building training, CIPESA unpacked Uganda’s legal regime for digital rights. The session covered the meaning, scope and importance of digital rights and emerging issues for lawyers’ attention. The rights covered include freedom of expression, access to information, data protection and privacy, rights of children and their protection, intellectual property, assembly and association, the right to be forgotten, anonymity, and equal access to digital technologies.

Uganda’s constitution provides for the rights to privacy, freedom of expression, and the right of access to information. However, the country’s legislation including the Press and Journalist Act, Penal Code Act, Data Protection and Privacy Act, 2019, Anti-Terrorism Act 2002 as amended 2015 and 2016, the Access to Information Act, 2005, the Official Secrets Act, Uganda Communications Act, 2013, Regulation of Interception of Communications Act, 2010, the Computer Misuse Act, 2011, the Anti-Pornography Act, 2014 and the Public Health (Control of COVID-19l) Rules 2021 limit the enjoyment of digital rights. These laws are largely marred by vague provisions and wide limitations which enable communications monitoring and interception, and undermine free expression.

Catherine Anite of the Small Media Foundation spoke about how Uganda was experiencing a deterioration in respect for press freedom. In 2022 Uganda fell seven places on the World Press Freedom Index ranking at 132 out of 180 countries analysed.

According to Anite, while gender equality is a prerequisite for human rights, democracy and social justice, gender disparities remain evident in the media. Female journalists across the globe face similar challenges, in addition to increased and appalling levels of violence both online and offline when compared to their male counterparts. She noted:

“Female journalists have reported suffering physical and online violence perpetrated by colleagues, public figures, strangers, anonymous perpetrators. We might be speaking about journalists but as lawyers some of these things apply to our contexts as well but we don’t speak about them. These trends have negatively impacted on diversity in media because of the exodus of female journalists, which has affected their equal participation in reporting, civil and political participation due to fears of violence.”

Toby Mendel and Raphael Vagliano, from the Centre for Law and Democracy, discussed international and regional laws  on freedom of expression which are applicable to Uganda. They highlighted provisions of such as  the Universal Declaration of Human Rights (Article 19), the International Covenant on Civil and Political Rights (Article 19), the African Charter on Human and Peoples’ Rights (Article 9), and the Declaration of Principles of Freedom of Expression and Access to Information in Africa which, among others, require member states to facilitate the rights to freedom of expression and access to information online. Under these instruments Uganda is obligated to respect, protect, promote and fulfill rights.

Richard Wingfield, the Head of the Media Law Working Group at the International Senior Lawyers Project (ISLP), explored case studies on using international law to defend freedom of expression, including approaches to arguments, support and intervention as well as the filing of amicus briefs to support litigation. He explained that lawyers in Uganda could support litigation, even in cases where they are not directly involved such as by offering professional support towards impactful and successful litigation, so as to contribute to the realisation of justice for freedom of expression rights.

Practices for shaping the legal framework for cybersecurity to effectively defend human rights were discussed. Cybersecurity is critical for ensuring confidentiality of personal data at all levels.

Advanced digital surveillance and forensic tools are needed to deal with modern cyber  threats; but governments can abuse those tools if government authority is not adequately checked by confidence-inducing institutions.

Tools for cyber security such as BitDefender, malware-bytes, full disk encryption with bitlocker or file vault and strong password are critical tools for cyber security. Individuals must always be aware of potential data breaches by state authorities which often compromise individual privacy through surveillance and forensics. Common state excuses for cyber security violations were often justified by a need to protect national security, crime prevention and public order. Similarly, while laws create obligations for collectors and processors of personal data, those actors often violate the laws and, this necessitates legal intervention.

The lawyers were called upon to pay particular attention to problematic laws and policies, bills and practices so as to challenge them with the aim of establishing an enabling environment for the protection and enjoyment of digital rights.

The specific key emerging recommendations for lawyers from the capacity building training included to:

  • Collaborate with other stakeholders like civil society and academia to engage in litigation to promote freedom of expression, data and privacy rights.
  • Analyse bills and laws to establish gaps and push for repeal of regressive laws and amendment of regressive provisions.
  • Constantly write on topical issues on freedom of expression, data protection and privacy so as to raise awareness among individuals of their rights and expose any cases of violation for enhanced accountability and transparency.
  • Push telecommunication companies and internet service providers to comply with human rights when doing business, in compliance with the UN Guiding Principles on Business and Human Rights.
  • Respect individual data protection and privacy rights in their dealings to minimise conflict with the Data Protection and Privacy Act, 2019 and regional and international human rights instruments on freedom of expressions, data protections and other human rights.
  • Make use of human rights reporting mechanisms such as the Universal Periodic Review and Special Rapporteur engagements to hold the government accountable for decisions undertaken in respect to digital rights.
  • Push and demand that the government complies with regional and international human rights standards, and signs and ratifies key instruments such as the African Union Convention on Cyber Security and Personal Data Protection so as to enhance digital rights protection.

Take deliberate efforts aimed at skilling themselves in the digital rights field. This will ensure that they are equipped with knowledge and skills on dealing with issues that affect digital rights.

04Jun

Data Protection Policy Developed to Guide FinTechs in Ghana

Author CIPESA Posted on

by Ashnah Kalemera and Edrine Wanyama |

The Financial Inclusion Forum Africa, through an Africa Digital Rights Fund (ADRF) grant, has drafted a Data Protection and Privacy Policy to serve as an internal guide on how digital financial service providers in Ghana should collect, store and process individuals’ data. The ADRF is an initiative of the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) which provides flexible and rapid response grants for the advancement of digital rights in Africa.

The policy outlines principles on the management of personal data in compliance with Ghana’s Data Protection Act 2012 and the International Organization for Standardization and International Electrotechnical Commission Standards for Information Security Management – ISO 27001:2013.

The policy outlines data protection principles including accountability by jurisdiction of data subject; lawfulness of processing through consent; disclosure of purpose; compliance with further processing; accuracy and completeness; openness; safeguards; and correction as well as deletion. The principles of privacy outlined are legal compliance; limitations of purpose; adequacy; and retention. 

The policy requires mandatory and frequent information security awareness training for staff and the constitution of an Information Security team responsible for implementing the policy and incident response. Roles and responsibilities are also outlined for risk and compliance, heads of departments, and employees. Provisions for the rights of data subjects include the right of access, rectification, cessation of processing and prevention of automated decision making. In the event of violation of the provisions, the policy provides for internal investigations and sanctions under the law. 

The policy was previewed at the Data Protection and Privacy Roundtable, which saw leading digital financial service providers such as Appruve, Jumo, Vodaphone Cash, and G Money, alongside industry experts and regulators such as the eCrime Bureau, RegTheory, and CUTS (Consumer Unit and Trust Society) Ghana provide insights into its viability and applicability. Discussions drew on real-life experiences of service providers and key feedback was incorporated into a revised version of the policy.

Commenting on the policy, Dr. William Derban, Chairperson of the Financial Inclusion Forum Africa, stated that data privacy and protection was “critical to financial inclusion”, as data was the cornerstone of innovation in digital financial services delivery. “These guidelines [the policy] serve as a template to enable fintechs who are developing such services to ensure that all our data is being protected,” he added. 

With data breaches, including by business entities, a growing concern among users of digital services across the African continent, the policy can go a long way in addressing the live issues in protecting the privacy of data in the financial sector in Ghana, if widely adopted by service providers.

As data becomes increasingly pivotal to the digital economy and digital rights, it is becoming essential to develop sector-specific data protection guidelines. The fintech sector, which is growing exponentially in Africa, is one of these sectors. Such guidelines are essential to buttress existing legislation, which in Ghana’s case includes the Payment Systems and Services Act, 2019Data Protection Act, 2012, Electronic Communications Amendment Act. 2016, Electronic Transactions Act, 2008 and the Anti-Money Laundering Act, 2008.

While the policy is not binding, it is anticipated that through ongoing data protection and privacy campaigns, it will draw stakeholder buy-in and implementation, as it is in harmony and gives effect to various local laws while also reflecting the General Data Protection Regulation of the European Union and the African Convention on Cyber Security and Personal Data Protection which Ghana has signed and ratified.

05May

Why Data Rights are Central to Protection of Online Freedom

Author CIPESA Posted on

By CIPESA Staff Writer |

In an increasingly digitised world, safeguarding data rights has become central to protecting individuals’ rights to access and share information, express themselves, and associate using the internet and related platforms.

Advances in technology, alongside growth in mobile subscriptions and increased use of smartphones have pushed individuals online to shop, interact, share and search for information, learn, and work, alongside digitalisation of more sectors of economies and public services. As a result, there is increased collection, processing and sharing of personal data. With many users of Information and Communications Technology (ICT) not aware of the implications of their use of digital technologies and how their rights are compromised, the potential for the data to be manipulated and abused by individuals, private companies and governments is ever-present. 

At the end of 2019, 477 million people in Sub-Saharan Africa were subscribed to mobile services, accounting for 45% of the region’s population. According to the GSMA, the group that represents the interests of mobile operators worldwide, smartphone adoption continues to rise rapidly in the region, reaching 50% of total connections in 2020. Meanwhile, as of 2019, there were 469 million registered mobile money accounts in Sub-Saharan Africa, a figure that was expected to reach half a billion in 2020.

From the provision of eServices, to digital identity (or digital ID), voters registration, drivers’ license applications and issuance, through to mobile phone SIM card registration, public and private service bodies including immigration authorities, law and security enforcement, health service providers, telecom operators, and digital financial service providers are among the big collectors and processors of personal data in Africa. Increasingly, the nature of personal data being collected is expanding, to include biometric data such as facial images or fingerprints.

What is Personal Data?

Personal data refers to information that relates to an identified or identifiable natural person by which that person can be identified, “in particular by reference to an identification or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.”

Upholding individuals’ data rights implies their personal data must be kept private and should not be known, stored, or used by unauthorised parties. Upholding data rights is then a central pillar of the long-recognised right to privacy, which national laws and international human rights frameworks such as the international bill of rights guarantee. Notably, the right to privacy is pivotal in a democratic society as it is both an enabler and reliant on the enjoyment of other rights, such as freedom of expression, information and association.

As businesses, governments, and civil society organisations seek to maximise value of increased data flows, the dangers of cyberthreats, cybercrimes, surveillance, and general data misuse pose threats that require national, regional, and international action to address. At the same time, excessive restrictions on the flow of data between countries can undermine regional economic benefits if no best practices are adopted on how data should flow, be stored, protected, and disposed – Building an Enabling Environment for Inclusive Digital Transformation in Africa.

Poor or missing legal protections for personal data, abuse of existing laws by state agencies including security agencies and by private companies, and poor digital security practices by citizens, are exacerbating the erosion of many African citizens’ data rights. With increased data collection has come increased state surveillance and data privacy breaches. Worryingly, many African states are increasingly using data to undermine citizens’ digital freedoms, such as by conducting real-time monitoring, surveillance of citizens’ social media and intercepting telephone communications. In some instances, this has led to arbitrary arrests and prosecutions of individuals.

Moreover, telecoms and internet service providers are required by law to comply with user information requests or requests for assistance from the government, including the common requirement to install software to facilitate the state’s conduct of surveillance and monitoring of citizens’ communications. Many governments are indeed accessing subscribers’ data from telecom companies with limited oversight and hardly any transparency. Even where service providers feel constrained about regulator directives, they are often overcome by the need to continue operations and agree to restrict data rights. 

In such countries, digital rights are under threat and, resultantly, citizens are losing the appetite to participate in public affairs, and they often practice self-censorship in their engagements over digital platforms. This undermines the philosophy of a free and open internet that drives innovation, enables the enjoyment of rights and improvement of livelihoods.

In many countries, the digital rights situation worsened during the Covid-19 pandemic, as governments suspended respect for several rights, collected lots of private data and conducted surveillance without sufficient oversight, safeguards, or transparency.

The State of Internet Freedom in Africa 2020 Report found that the fight against Covid-19 has had a fundamental impact on digital rights and freedoms including freedom of expression, access to information, privacy, assembly and association. It has also undermined civic participation and, in many countries, deepened the democracy deficit.

In responding to the Covid-19 pandemic, countries across the continent adopted a series of Covid-19 regulations and practices, including deploying surveillance technologies and untested applications, to enable them conduct lawful collection and processing of personal data for purposes of tracing, contacting, isolating and treating those found to be positive or their contacts. These measures were quickly adopted and the collection of personal information continues, and in some cases without adequate regulation or oversight – State of Internet Freedom in Africa 2020: Resetting Digital Rights Amidst the Covid-19 Fallout

In several African countries, there are inadequate safeguards and limited oversight to guard against potential violations of digital rights arising out of the implementation of laws, regulations, systems, and practices imposed to fight Covid-19. According to the United Nations, the use of emergency powers and tools of surveillance technology to track the spread of Covid-19 must be non-intrusive, limited in time and purpose and abide to the strictest protections and international human rights standards governing privacy and personal data.

Concerns over data handling during the fight against Covid-19 and how that harmed digital rights informed the formation of the #RestoreDataRights movement, that is promoted by a group of African and international civil society, academic and philanthropic partners. Launched at the end of 2020, it is premised on the conviction that our fundamental human rights – including those exercised in cyberspace and over our personal and sensitive data – should be respected and upheld during and after the Covid-19 public health emergency. Furthermore, decision-making processes around how sensitive data are collected, shared and used to tackle the Covid-19 pandemic in Africa should be transparent, inclusive and accountable.

There has also been a proliferation of retrogressive laws, procedures and practices such as the systematic criminalisation of online communication and dissent, the arbitrary arrest, illegal detention, flawed prosecution and excessive punishment of government critics. On a continent where digital authoritarianism is rising, the legitimisation of surveillance, censorship, and breaches in the rule of law during the coronavirus crisis could create a new normal that erodes internet freedom for years to come. 

There is therefore a need to have strong data protection laws; to educate citizens to protect their data and to demand their digital rights; and to have strong, well-resourced and independent data protection authorities. It is also crucial to establish clear and well-publicised complaint mechanisms in cases of data privacy breaches. Meanwhile, private companies should institute stringent measures to protect data privacy and integrate ‘privacy by design’ in any applications they develop, partner with civic actors and public officials to promote digital rights, and be transparent about their data handling practices.

These measures would enable accountable data governance that respects citizens’ data rights and advances wider internet freedoms in Africa. Further, they would enable robust protection of digital rights and data rights, while providing scope for data openness that enables harnessing of data to serve the legitimate public interest.

10Mar

Building a Robust Data Protection Regime in Senegal

Author admin Posted on

By Simone Toussi |
Across Africa, there is a push for digitalisation with different countries at various stages of technology adoption and varying levels of legislative regimes that uphold human rights in the digital sphere.
Senegal is among the African countries that remain committed to upgrading legal and institutional frameworks governing the technology sector. Senegal passed a data protection law twelve years ago and was among the  first African states and the first African Francophone country to ratify the Africa Union Convention on Cyber Security and Personal Data Protection in 2016. It has therefore established itself among the pioneers in data governance in Africa.
Given rapid developments related to biometrics, big data, artificial intelligence, and cloud computing, among others, the government of Senegal is in the process of repealing law n° 2008-12 of January 25, 2008 which governs personal data protection. A draft bill published at the tail end of 2019 to replace the preceding law is currently under public consultation.
On February 27 – 28, 2020, Jonction Senegal, in partnership with the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) and Facebook hosted a workshop to review the Personal Data Protection Bill, 2019 and make relevant recommendations from a digital rights perspective. The workshop brought together 25 participants including officials from the Personal Data Commission (CDP), the Ministry of Digital Economy and Telecommunications, the Ministry of Women, Family and Gender, the Ministry of Justice, and representatives from the private sector, and civil society organisations including human rights defenders, lawyers, academia, bloggers and journalists.
Opening the workshop, Professor Mamadou Niane, Director of the Legal Department of the CDP justified the draft bill, citing inadequacies in the 2008 law given the dynamic digital environment and emergence of a diversity of players and threats. Furthermore, he noted the need for convergence with regional and international data protection developments and standards such as those laid out in the General Data Protection Regulation (GDPR), the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data signed and ratified by Senegal in 2016, the Budapest Convention, and the African Union Convention on Cyber Security and Personal Data Protection. According to Prof. Niane, other considerations for a new law related to the composition and oversight powers of the CDP and compliance monitoring mechanisms are also to be addressed. He stated that the draft bill provided for data protection principles in the proposed article 7 including the need for processing within the legal requirements, seeking consent, and necessity with exceptions tied to processing for lawful purpose.
Indeed, Diagne El Hadji Daouda, a cybersecurity specialist from the Computech Institute highlighted the importance of data security and commended the draft bill for outlining the principles of identification and authentication, confidentiality, availability and integrity (non-alteration or modification of the data during processing) under Articles 42 and 43. He also commended the proposed obligations for data controllers to put in place encryption measures and regularly review them to ensure data security; and the notification of breaches  to data subjects and authorities (Article 44). However, Daouda noted that despite these provisions, the draft bill did not incorporate the principle of anonymisation, which is crucial for preserving personal data confidentiality and guaranteeing its security.
The draft bill proposes the establishment of the Personal Data Protection Authority (APDP) to replace the CDP – with a diverse member composition including non-governmental representation. Member nomination is by decree of the president (Article 52). However, a number of provisions in the draft bill refer to a Control Authority and a Protection Authority, which seem separate from the APDP.
Dr. Ndiogou Thierno Amadou, Lecturer and Researcher at the Faculty of Legal and Political Sciences of Cheikh Anta Diop University (UCAD), raised concerns about the distinction between the three different authorities mentioned in the draft bill. Participants therefore urged for clarity on the role of the Control Authority (Article 44), as well as a clear definition and distinction between the APDP and the Protection Authority (Article 62) to avoid ambiguities. The  CDP’s Prof. Niane clarified that all mentions of an authority  in the draft bill refer to the APDP and that the necessary revisions would be made in the next draft.
The need to strike a balance between freedom of expression and personal data protection also emerged.  In his presentation, independent journalist and Director of PressAfrik.com Faye Ibrahima Lissa cited the continent-wide trend in legislative restrictions to freedom of expression on grounds of national security and public order. He emphasised that exemptions under the proposed article 105 of the draft bill relating to personal data for the purposes of journalism, research, artistic or literary expression should be precise to avoid them being used to persecute critical voices.
Similarly, Joe Marone, a media trainer and head of online radio Futurs Media noted the fundamental role of journalists in seeking the truth and being the moral conscience of public opinion and civil society. In this regard, journalism ethics and code of conduct pre-empt personal data protection through protection of sources. However, given the advent of data journalism and citizen journalists, the draft bill serves to better guarantee personal data protection within the profession.
Other issues that emerged included age of consent to data collection. Consent is defined as a declaration or clear affirmative action, either orally or in writing that gives permission to process personal data (article 8). The age of consent is not provided for in the draft bill.  Prof. Niane stated that ongoing efforts at the CDP and Ministry of Justice in partnership with the Ministry of Digital Economy and Telecommunications seek to establish a Children’s Code and related strategy dedicated to minors’ protection in the context of data protection and privacy.
The workshop participants made the following formal recommendations for revision in the next draft of the bill:

  • Set a minimum age of consent
  • The president of the ADPD should be appointed through an internal election by members in order to guarantee the authority’s autonomy.
  • Provide for adequate resource allocation to the APDP to facilitate smooth implementation and enforcement of the law
  • Provide for APDP oversight in procurement and contracting of public or government projects involving personal data collection and processing
  • Provide for authority of the APDP to collect and recover financial penalties imposed on offenders and pass them on to the victims of data breaches.
  • Strengthen the financial autonomy of the APDP by granting it 50% of the amounts recovered from any data protection operations
  • Provide for legal personality of the ADPD to give it perpetual succession with capacity to sue and be sued in its name.

Representatives of the CDP and the Ministry of Digital Economy and Telecommunications welcomed the recommendations and committed to including them in the next draft of the bill, before submission to the General Secretariat of the Presidency of Senegal.

21Feb

New Mali Cybercrime Law Potentially Problematic to Digital Rights

Author admin Posted on

By Simone Toussi |

On December 5, 2019, the president of Mali promulgated Law n° 2019-056 on the Suppression of Cybercrime. Although timely and relevant, a number of provisions pose potential threats to privacy and freedom of expression online, especially in view of Mali’s democracy deficits and low press freedom ranking.

The new law, applies to “any offence committed by means of Information and Communication Technologies (ICT) in whole or part on the territory of Mali, to any offence committed in cyberspace and whose effects occur on the national territory” (article 2).  It is part of a legislative framework deemed necessary to support reforms in the technology sector, pursuant to the 2000  Mali Telecommunications Sector Policy Declaration.

From Privacy Breaches to Digital Authoritarianism

Mali’s Constitution provides for privacy of communications under Article 6 while the Personal Data Protection Act of 2013 under article 5 and the Telecommunications Act, 1999 in article 1 buttress the constitutional provision. Unfortunately, the cybercrime law conflicts with these existing right to privacy guarantees.

The Cybercrime Law in articles 74 to 78 authorises search of computers and seizure of data as part of criminal investigations. Moreover, under article 75, data may be copied and stored where “seizure of the medium seems inappropriate”. The law does not provide for how the copied data should be stored, processed or disposed of upon conclusion of investigations. This undermines the data protection principle laid down in article 7 of the  Personal Data Protection Act – that personal data must only be kept for a specified period and purpose.

Further, articles 83 to 86 suggest real-time surveillance through interception of communications. Service providers are required to cooperate with authorities, including through ensuring that they have in place the necessary technical means to facilitate interception of communications. These wide powers double as an addition to those given to authorities under article 4 of the Telecommunications Act. This article which states: “When public security or the defense of the territory of Mali so requires, the Government may, for a limited period, requisition all the telecommunications networks established in the territory of Mali, as well as the equipment connected to it and / or prohibit the provision of telecommunications service.” This article has in the past been evoked when the government ordered  social media disruptions in 2016 during public protests and more recently during the 2018 elections when it ordered an internet shutdown.

Furthermore, communications service providers are required to put in place mechanisms to monitor systems for potential illegal activity, with failure to inform authorities of illegal activities being punishable by a prison sentence of between six months and two years, a fine of Central African Francs (CFA) 500,000 to 2,000,000  (USD 830 to 3,318 ) or both (article 25).

Warnings for Freedom of Expression

Although Mali’s constitution guarantees freedom of expression and opinion (article 4), the Law on the Press Regime and Press Offences (2000) is vague as it does not explicitly guarantee freedom of the press or media pluralism, nor does it define press offences. It also does not contain any provisions on online media. This constitutes a vacuum preceding the law on the Suppression of Cybercrime which, for its part, contains provisions which directly affect freedom of expression and opinion.

Articles 20 and 21 of the new law punish threats and insults made through an information system, with penalties ranging from six months to 10 years imprisonment, a fine of CFA 1,000,000 to 10,000,000 CFA (USD 1,680 to 16,800), or both. Without a clear definition and detail of the constituent elements of ‘threat’ or ‘insult’, these provisions are open to interpretation that can hinder freedom of expression. This is all the more critical since these terms are also not defined by the law on the press regime and press offences, in its article 33 on incitement and article 38 on defamation.

Moreover, articles 55 and 56 condemn the “public dissemination” of “all printed matter, all writings, drawings, posters, engravings, paintings, photographs, films or stereotypes, matrices or photographic reproductions, emblems, all objects or images that do not tie with good morality.” The corresponding penalties range from six months to seven years imprisonment, a fine of CFA 500,000 to 10,000,000 (USD 840 to 16,800), or both.

Article 54 of the cybercrime law states that “press offenses, committed through information and communication technologies, with the exception of those committed by the press on the internet, are punishable by ordinary law”. Given that the Press Law does not include provisions for online press, it is unclear what the distinction is between press offences via ICT and press offences via the internet. Furthermore, there is a lack of precision on the determination as to whether an offense falls under the cybercrime law, ordinary law, or press law.

Article 23 provides for a fine of CFA 200,000 to 2,000,000 (USD 332 to 3,318), imprisonment of between six months and one year, or both, for fake reports of illegal activity or content online, “with the aim of obtaining its withdrawal or having it stopped by a public eCommunications service provider”. However, activities and contents considered as illegal are not defined by the law, and therefore subject to denunciation.

Way forward

The law is well intentioned in seeking to ensure safe and secure use of ICT in Mali. However, it comes into effect in a fragile context. Provisions relating to data processing as part of criminal investigations pose significant risk to personal data integrity, security and privacy. Further, the law places a huge burden on telecommunications intermediaries to track and monitor network activity, and holds these intermediaries liable for the actions of their clients. Provisions relating to online press offences are inconsistent with legislating the media in the age of digitalisation. The new law and existing related laws therefore require revisions to safeguard and uphold constitutional guarantees of freedom of expression and privacy, online and offline.

1 2 3 4 5