Building a Robust Data Protection Regime in Senegal

By Simone Toussi |
Across Africa, there is a push for digitalisation with different countries at various stages of technology adoption and varying levels of legislative regimes that uphold human rights in the digital sphere.
Senegal is among the African countries that remain committed to upgrading legal and institutional frameworks governing the technology sector. Senegal passed a data protection law twelve years ago and was among the  first African states and the first African Francophone country to ratify the Africa Union Convention on Cyber Security and Personal Data Protection in 2016. It has therefore established itself among the pioneers in data governance in Africa.
Given rapid developments related to biometrics, big data, artificial intelligence, and cloud computing, among others, the government of Senegal is in the process of repealing law n° 2008-12 of January 25, 2008 which governs personal data protection. A draft bill published at the tail end of 2019 to replace the preceding law is currently under public consultation.
On February 27 – 28, 2020, Jonction Senegal, in partnership with the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) and Facebook hosted a workshop to review the Personal Data Protection Bill, 2019 and make relevant recommendations from a digital rights perspective. The workshop brought together 25 participants including officials from the Personal Data Commission (CDP), the Ministry of Digital Economy and Telecommunications, the Ministry of Women, Family and Gender, the Ministry of Justice, and representatives from the private sector, and civil society organisations including human rights defenders, lawyers, academia, bloggers and journalists.
Opening the workshop, Professor Mamadou Niane, Director of the Legal Department of the CDP justified the draft bill, citing inadequacies in the 2008 law given the dynamic digital environment and emergence of a diversity of players and threats. Furthermore, he noted the need for convergence with regional and international data protection developments and standards such as those laid out in the General Data Protection Regulation (GDPR), the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data signed and ratified by Senegal in 2016, the Budapest Convention, and the African Union Convention on Cyber Security and Personal Data Protection. According to Prof. Niane, other considerations for a new law related to the composition and oversight powers of the CDP and compliance monitoring mechanisms are also to be addressed. He stated that the draft bill provided for data protection principles in the proposed article 7 including the need for processing within the legal requirements, seeking consent, and necessity with exceptions tied to processing for lawful purpose.
Indeed, Diagne El Hadji Daouda, a cybersecurity specialist from the Computech Institute highlighted the importance of data security and commended the draft bill for outlining the principles of identification and authentication, confidentiality, availability and integrity (non-alteration or modification of the data during processing) under Articles 42 and 43. He also commended the proposed obligations for data controllers to put in place encryption measures and regularly review them to ensure data security; and the notification of breaches  to data subjects and authorities (Article 44). However, Daouda noted that despite these provisions, the draft bill did not incorporate the principle of anonymisation, which is crucial for preserving personal data confidentiality and guaranteeing its security.
The draft bill proposes the establishment of the Personal Data Protection Authority (APDP) to replace the CDP – with a diverse member composition including non-governmental representation. Member nomination is by decree of the president (Article 52). However, a number of provisions in the draft bill refer to a Control Authority and a Protection Authority, which seem separate from the APDP.
Dr. Ndiogou Thierno Amadou, Lecturer and Researcher at the Faculty of Legal and Political Sciences of Cheikh Anta Diop University (UCAD), raised concerns about the distinction between the three different authorities mentioned in the draft bill. Participants therefore urged for clarity on the role of the Control Authority (Article 44), as well as a clear definition and distinction between the APDP and the Protection Authority (Article 62) to avoid ambiguities. The  CDP’s Prof. Niane clarified that all mentions of an authority  in the draft bill refer to the APDP and that the necessary revisions would be made in the next draft.
The need to strike a balance between freedom of expression and personal data protection also emerged.  In his presentation, independent journalist and Director of PressAfrik.com Faye Ibrahima Lissa cited the continent-wide trend in legislative restrictions to freedom of expression on grounds of national security and public order. He emphasised that exemptions under the proposed article 105 of the draft bill relating to personal data for the purposes of journalism, research, artistic or literary expression should be precise to avoid them being used to persecute critical voices.
Similarly, Joe Marone, a media trainer and head of online radio Futurs Media noted the fundamental role of journalists in seeking the truth and being the moral conscience of public opinion and civil society. In this regard, journalism ethics and code of conduct pre-empt personal data protection through protection of sources. However, given the advent of data journalism and citizen journalists, the draft bill serves to better guarantee personal data protection within the profession.
Other issues that emerged included age of consent to data collection. Consent is defined as a declaration or clear affirmative action, either orally or in writing that gives permission to process personal data (article 8). The age of consent is not provided for in the draft bill.  Prof. Niane stated that ongoing efforts at the CDP and Ministry of Justice in partnership with the Ministry of Digital Economy and Telecommunications seek to establish a Children’s Code and related strategy dedicated to minors’ protection in the context of data protection and privacy.
The workshop participants made the following formal recommendations for revision in the next draft of the bill:

  • Set a minimum age of consent
  • The president of the ADPD should be appointed through an internal election by members in order to guarantee the authority’s autonomy.
  • Provide for adequate resource allocation to the APDP to facilitate smooth implementation and enforcement of the law
  • Provide for APDP oversight in procurement and contracting of public or government projects involving personal data collection and processing
  • Provide for authority of the APDP to collect and recover financial penalties imposed on offenders and pass them on to the victims of data breaches.
  • Strengthen the financial autonomy of the APDP by granting it 50% of the amounts recovered from any data protection operations
  • Provide for legal personality of the ADPD to give it perpetual succession with capacity to sue and be sued in its name.

Representatives of the CDP and the Ministry of Digital Economy and Telecommunications welcomed the recommendations and committed to including them in the next draft of the bill, before submission to the General Secretariat of the Presidency of Senegal.

New Mali Cybercrime Law Potentially Problematic to Digital Rights

By Simone Toussi |

On December 5, 2019, the president of Mali promulgated Law n° 2019-056 on the Suppression of Cybercrime. Although timely and relevant, a number of provisions pose potential threats to privacy and freedom of expression online, especially in view of Mali’s democracy deficits and low press freedom ranking.

The new law, applies to “any offence committed by means of Information and Communication Technologies (ICT) in whole or part on the territory of Mali, to any offence committed in cyberspace and whose effects occur on the national territory” (article 2).  It is part of a legislative framework deemed necessary to support reforms in the technology sector, pursuant to the 2000  Mali Telecommunications Sector Policy Declaration.

From Privacy Breaches to Digital Authoritarianism

Mali’s Constitution provides for privacy of communications under Article 6 while the Personal Data Protection Act of 2013 under article 5 and the Telecommunications Act, 1999 in article 1 buttress the constitutional provision. Unfortunately, the cybercrime law conflicts with these existing right to privacy guarantees.

The Cybercrime Law in articles 74 to 78 authorises search of computers and seizure of data as part of criminal investigations. Moreover, under article 75, data may be copied and stored where “seizure of the medium seems inappropriate”. The law does not provide for how the copied data should be stored, processed or disposed of upon conclusion of investigations. This undermines the data protection principle laid down in article 7 of the  Personal Data Protection Act – that personal data must only be kept for a specified period and purpose.

Further, articles 83 to 86 suggest real-time surveillance through interception of communications. Service providers are required to cooperate with authorities, including through ensuring that they have in place the necessary technical means to facilitate interception of communications. These wide powers double as an addition to those given to authorities under article 4 of the Telecommunications Act. This article which states: “When public security or the defense of the territory of Mali so requires, the Government may, for a limited period, requisition all the telecommunications networks established in the territory of Mali, as well as the equipment connected to it and / or prohibit the provision of telecommunications service.” This article has in the past been evoked when the government ordered  social media disruptions in 2016 during public protests and more recently during the 2018 elections when it ordered an internet shutdown.

Furthermore, communications service providers are required to put in place mechanisms to monitor systems for potential illegal activity, with failure to inform authorities of illegal activities being punishable by a prison sentence of between six months and two years, a fine of Central African Francs (CFA) 500,000 to 2,000,000  (USD 830 to 3,318 ) or both (article 25).

Warnings for Freedom of Expression

Although Mali’s constitution guarantees freedom of expression and opinion (article 4), the Law on the Press Regime and Press Offences (2000) is vague as it does not explicitly guarantee freedom of the press or media pluralism, nor does it define press offences. It also does not contain any provisions on online media. This constitutes a vacuum preceding the law on the Suppression of Cybercrime which, for its part, contains provisions which directly affect freedom of expression and opinion.

Articles 20 and 21 of the new law punish threats and insults made through an information system, with penalties ranging from six months to 10 years imprisonment, a fine of CFA 1,000,000 to 10,000,000 CFA (USD 1,680 to 16,800), or both. Without a clear definition and detail of the constituent elements of ‘threat’ or ‘insult’, these provisions are open to interpretation that can hinder freedom of expression. This is all the more critical since these terms are also not defined by the law on the press regime and press offences, in its article 33 on incitement and article 38 on defamation.

Moreover, articles 55 and 56 condemn the “public dissemination” of “all printed matter, all writings, drawings, posters, engravings, paintings, photographs, films or stereotypes, matrices or photographic reproductions, emblems, all objects or images that do not tie with good morality.” The corresponding penalties range from six months to seven years imprisonment, a fine of CFA 500,000 to 10,000,000 (USD 840 to 16,800), or both.

Article 54 of the cybercrime law states that “press offenses, committed through information and communication technologies, with the exception of those committed by the press on the internet, are punishable by ordinary law”. Given that the Press Law does not include provisions for online press, it is unclear what the distinction is between press offences via ICT and press offences via the internet. Furthermore, there is a lack of precision on the determination as to whether an offense falls under the cybercrime law, ordinary law, or press law.

Article 23 provides for a fine of CFA 200,000 to 2,000,000 (USD 332 to 3,318), imprisonment of between six months and one year, or both, for fake reports of illegal activity or content online, “with the aim of obtaining its withdrawal or having it stopped by a public eCommunications service provider”. However, activities and contents considered as illegal are not defined by the law, and therefore subject to denunciation.

Way forward

The law is well intentioned in seeking to ensure safe and secure use of ICT in Mali. However, it comes into effect in a fragile context. Provisions relating to data processing as part of criminal investigations pose significant risk to personal data integrity, security and privacy. Further, the law places a huge burden on telecommunications intermediaries to track and monitor network activity, and holds these intermediaries liable for the actions of their clients. Provisions relating to online press offences are inconsistent with legislating the media in the age of digitalisation. The new law and existing related laws therefore require revisions to safeguard and uphold constitutional guarantees of freedom of expression and privacy, online and offline.

Senegal to Review Data Protection Law

By Thomas Robertson |

Twelve years after being among the first African countries to enact data protection legislation, Senegal has published a bill to replace the 2008 Personal Data Protection Law. The Personal Data Protection Bill of 2019 is part of the government’s goal of upgrading the legal and institutional framework of the technology and telecommunications sector by 2025 as part of “Digital Senegal 2016-2025 Strategic Plan” and seeks to address key emerging digital issues including biometrics, big data, artificial intelligence, geo-location and cloud computing. Further, the bill seeks to address  gaps in the existing legislation related to the composition and independence  of the oversight authority, mechanisms for self-referral, and cross-border cooperation.

In January 2008, Senegal adopted Law No. 2008-12 of 25 which provides a legal and institutional framework for the protection of personal data. The law established an independent authority known as the Commission of Personal Data (CDP) whose mandate is to ensure that the processing of personal data is implemented in accordance with the provisions of this law, and upholds the rights of data subjects and the obligations of data processors. A few years later in 2016, Senegal went on to become the first African country to ratify the continent-wide convention on Cyber Security and Personal Data Protection, which was adopted by the African Union in 2014.

Despite being a pioneer on data governance in Africa, implementation and enforcement of the law has remained a challenge. There have been reports of resource limitations for the CDP to sufficiently fulfill its mandate. In February 2018, CDP president Awa Ndiaye made a plea for government assistance to support efforts for sensitisation and compliance monitoring.

Meanwhile, the country has recorded a growing telecommunications sector, with a 2018 internet penetration rate of 68.49%, a diverse digital media and technology innovation landscape. However, several private and public actors continue to collect personal data in Senegal without any regulatory enforcement by the CDP. This is the case for mandatory SIM card registration implemented by the Regulatory Authority for Telecommunications and Posts (ARTP) through mobile telecom operators, which is  linked to the national identity database.

The principles of the bill state that collection, registration, processing, storage and transmission of personal data must be done in a lawful, fair and non-fraudulent manner. According to Article 7 of the bill, personal data processing is defined as lawful if “consent is given, processing is necessary for legal obligations, a task of public interest, a task related to exercising public authority, the implementation of policy, or in order to protect the interest of fundamental rights and liberties of the person whose data is being processed”.

Consent is defined as a declaration or clear affirmative action, either orally or in writing, that gives permission to process personal data (Article 8). The data processed must be stored securely and confidentially, be limited to data relevant to the task at hand, and be stored only within the period necessary (Articles 10-12). The bill also addresses third party processing of data and mandates a contract between the data controller and subcontractor that guarantees compliance with the law (Article 16). Article 110 maintains the rights of a data subject to access data held about them and to monitor its accuracy.

Section 1 of the bill proposes the establishment of the Personal Data Protection Authority (APDP) to replace the existing CDP. The APDP would operate much like the CDP, but its member composition is different in size and selection. The APDP would have 12 members, one more than the CDP. The APDP’s composition would be two presidential representatives, and one representative each from the National Assembly, the Finance Ministry, the Justice Ministry, the Ministry of Telecommunications and Digital Economy, a business organisation, a digital media organisation, a medical organisation, a human rights organisation, a civil society organisation and the Bar Association of Senegal. On the CDP, there are three presidential representatives, a deputy nominated by the head of the National Assembly, a Senator nominated by the head of the Senate, one magistrate member each from the Council of State and the Court of Cassation, the Director of the State Digital Information Agency (ADIE), a lawyer nominated by the Chairman of the Bar Association of Senegal and one representative each from a business organisation and a human rights organization.

The proposed constitution of the APDP is a four-member increase in the non-governmental representation in the oversight body, replacing seats formerly taken by government representatives and presidential advisors. Even if these non-governmental representatives must be nominated by decree of the president, the inclusion of non-state actors in APDP’s membership bodes well for incorporating the interests of civil society into the work of the Authority. Moreover, the 2019 bill builds on the 2008 law’s promise of CDP’s impartiality and protection of members’ freedom of expression by guaranteeing that members cannot be detained, arrested, or punished based on their opinions or decisions made.

Under the proposed law, exemptions apply when processing personal data for the purposes of journalism, research, artistic or literary expression, if implemented within “the ethical standards of these professions” (Article 105). Exemptions under the existing law are outlined under Article 2, which states that “any processing of data relating to public security, defense, investigation and prosecution of criminal offenses or state security, as well as significant economic or financial interests of the State, is subject to the exceptions defined by this law and specific provisions on the matter set by other laws.”

Provisions proposed under Section 6 specifically speak to personal data and law enforcement. Section 6  states that data collection as part of crime prevention, investigation and punishment must respect the principles of necessity and proportionality as well as follow a legitimate goal. Although both the 2008 law and 2019 bill do well in defining technical terms, “legitimate goal” is undefined in the bill, and as such, is a vague description that may be subject to abuse by the government.

The bill also introduces regulation of video surveillance, with a requirement for a visible  notification of the presence of the surveillance system, a receipt reference issued by the Authority, and contact details of the person or service responsible for the “rights of access, opposition and deletion” of content from the video system (Article 121). Other than for purposes of safety of property and people, the installation of video surveillance for “systematic, deliberate and permanent monitoring” at places of work as defined in the Labor Code is outlawed (Article 120). Video monitoring at workplaces was a contentious issue in Senegal in 2019.

Article 128 expands the definition of “sensitive data,” which is illegal to process, to include familial descent and genetic data. Article 129 allows the processing of genetic data only in order to verify the existence of genetic connections in the context of court proceedings or criminal investigations. This expanded definition of “sensitive data” builds upon how it was defined under the previous law, where sensitive data was defined as personal data relating to religious, philosophical, political, and labor union activities, as well as sexual life, race, and health.

In a move to promote research and collaboration, the management of big data is also included in the bill, mandating that risks of big data collection and processing must be identified and evaluated (Article 114). Additionally, Article 118 sets out the conditions  for the use and reuse of open data.

Overall, the bill is a significant step towards establishing a modernised data protection framework for Senegal that is rights respecting, and provides a conducive environment to support innovation amidst an increasingly digitised environment. Public consultations on the bill are ongoing and it remains to be seen whether ongoing drafting will incorporate recommendations and provide clarity on ambiguous/vague provisions.

Thomas Roberston is a fourth-year undergraduate student studying international affairs and foreign languages at Occidental College in Los Angeles, California, United States. He is currently interning with the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) as part of research on his final year composition paper on digital expression and China-Africa relations. 

New Law Holds Promise for Improved Data Governance in Kenya

By CIPESA Writer |

Following a seven-year, windy journey, on November 8, 2019, Kenya got a data protection law. The Data Protection Act, 2019 has various positive elements and can go a long way in addressing the live issues in protecting the privacy of data in Kenya.

The law came at a time of widespread concern about privacy in the country, including the fragmented oversight over privacy and data protection; increased mass data collection programmes by the government; enhanced state surveillance capacity; rampant privacy breaches including by business entities; limited dispute resolution mechanisms and the deficiency of remedies in case of breach of privacy.

The new law provides a comprehensive framework to regulate the processing of personal data and the protection of individuals’ privacy. It consolidates the law on privacy in the country and articulates several principles of personal data protection, as the minimum standard which all data controllers or processors must abide by.

Further, the Act provides for autonomy of the data subject over their data. It defines what constitutes consent, and makes the requirement of consent mandatory. This potentially addresses situations where personal data is collected arbitrarily and without the explicit consent of users. The law also prohibits the use of personal data for commercial purposes without the consent of the data subject. It places the burden of proof for establishing a data subject’s consent on the data controller or processor, while allowing the subject to withdraw consent at any time.

Also key is that the Data Protection Act, 2019 amends other legislation that have an impact on privacy, meaning that institutions responsible for handling the registration of individuals at birth and death, issuance of national identity cards and passports, Huduma Namba registration, registration of students at all levels, and the registration of telecommunication services consumers, will need to review their current policies, practices and procedures to ensure compliance with the principles in the Act.

The law establishes an independent office of the Data Protection Commissioner. Hitherto, the lack of an oversight body and the fragmented oversight over privacy in the country meant that every institution collecting personal data “owned” and used such data as they wished.

However, whereas the Act hold much promise for improved personal data governance in Kenya, state agencies, including the communications regulator, as well private actors and civil society all have a role to play in its implementation.

This brief recounts Kenya’s journey and efforts to develop a data protection law. It also provides an overview of the implication of the new law to the protection of privacy and data rights in the East African country.

Overview of Cameroon’s Digital Landscape

By Simone Toussi |

The Information and Communications Technology (ICT) sector in Cameroon has evolved considerably since 2010, despite the persistence of the digital divide and affronts to freedom of expression online. The country’s digital landscape was  boosted by the launch in May 2016 of the National ICT Strategic Plan 2020, which recognised the digital economy as a driver for development. The country has registered increased investments in  telecommunication and ICT infrastructure, including extension of the national optical fibre backbone to about 12,000 km, connecting 209 of the country’s 360 sub-divisions, and neighbouring countries such as Chad, Gabon, Equatorial Guinea, the Central African Republic and Nigeria. 

By 2018, the Ministry of Posts and Telecommunications reported that mobile phone  subscribers stood at 18.8 million representing a penetration rate of 83%, while internet penetration was 35%. There are four big telecommunications service providers in Cameroon – MTN, Orange, Viettel and the state-owned CAMTEL. With 48% of the mobile market share or 8.7 million subscribers, MTN is the leading service provider, according to its report for the first quarter of 2019. 

Over the years, Cameroon has scored some improvements in ICT development and affordability. For instance, on the ICT Development Index (IDI) of  the International Telecommunications Union (ITU), its value improved from 1.54 in 2010 to 2.38 in 2017 – against the highest global value of 8.98 for Iceland, and between the highest African value of 5.88 for Mauritius and the lowest 0.96 for Eritrea. Cameroon thus ranked at 149  out of the 176 countries assessed, with more than twenty African countries ranked above it. On affordability of the internet, Cameroon’s ranking has also slightly improved – currently ranked 50, up from 53 in 2015, out of 60 countries. This still makes internet access in Cameroon among the most expensive of the countries surveyed.

Meanwhile, internet shutdowns, arrests and intimidation of online critics, and censorship of online content  raise concerns about the government’s commitment to nurturing a sustainable and inclusive digital society.

ICT Legal and Regulatory Frameworks

The Cameroonian Constitution provides for freedom of expression, freedom of the press and of communication. It states: “the freedom of communication, of expression, of the press, of assembly, of association, and of trade unionism, as well as the right to strike shall be guaranteed under the conditions fixed by law”. 

Relevant agencies governing the sector include the Telecommunication Regulatory Agency (ART), and the National Telecommunications Agency (ANTIC) – both under the mandate of the Ministry of Posts and Telecommunications (MINPOSTEL). Other entities such as the Ministry of Communication and the National Council of Communication also has regulatory and advisory roles with regards to media. 

These agencies are guided by key laws that govern ICT including  Law n° 98/014 of July 14, 1998 governing telecommunications and its amendment of December 29, 2005;  Law n° 2010/013 of  December 21, 2010 on e-Communications, and its amendment of April 2015;  Law n° 2010/012 of  December 21, 2010 on Cyber Security and Cybercrime; and Law n° 2010/021 of December 21 2010 governing e-Commerce. Other legalisation related to ICT are the Framework Law n° 2011/012 of May 6, 2011 on Consumer Protection,  Law n° 2001 / 0130 of July 23, 2001 establishing the minimum service in telecommunications, and Law n° 98/013 of July 14, 1998 on competition which governs all sectors of the national economy.

The 2014 Law on the Suppression of Terrorist Acts, which was enacted to support the fight against terrorism and growing threats from the jihadist group Boko Haram, has been used as a tool to suppress journalism and opinion critical of the government under the guise of preventing the spread of fake news and threatening national security. In January 2018, the Minister of Justice issued a directive to magistrates to “commit, after clear identification by the security services, to legally prosecute any person residing in Cameroon who uses social media to spread fake news”. 

A new law is the  2019 Finance Act, which under Section 8, introduces taxation on software and application downloads produced outside of Cameroon, at a flat rate of 200 Central African Francs (CFA), equivalent to USD 0.34, per download. Whereas the government is yet to issue implementation guidelines for the taxes, once in effect, they  will result in additional costs for digital platform users.

Access and Affordability 

Article 4 of the 2010 eCommunications law states that every citizen “has the right to benefit from electronic communications services”. The same law establishes a Universal Service Access Fund, aimed at ensuring equal, quality and affordable access to services (Articles 27-29). Whereas internet and mobile telephony have registered growth, access and affordability remain a challenge, especially among rural and poor communities. Currently, the average cost of 1GB of data is 2,000 CFA (USD 3.4) per month, and with the proposed levy of 200 CFAs (USD 0.34) on software and application downloads, costs are expected to further increase. With an estimated per capita income of USD 1,500 in 2018, the prevailing rates are over and above the Alliance for Affordable Internet’s recommendation of 1GB of data costing 2% or less of average monthly income.  

Gender Digital Divide

A 2015 report by the Web Foundation found that in Cameroon only 36% of women compared to 45% of men were internet users. The key factors inhibiting women’s access to the internet and digital devices in Cameroon included literacy levels, cost relative to income, access to devices, perceived relevance and usefulness, lack of time and poor infrastructure. Towards addressing the digital gender divide, the National ICT Strategic Plan 2020 states among its objectives the need to “support the development of female skills in the field of digital engineering“, and to “support technological and scientific vocations for women“. However, these objectives are not linked to any specific projects within the plan’s priority action areas. 

Meanwhile, without much in the way of provisions for gender, cultural and linguistic diversity, the country’s ICT laws remain largely silent on diversity and inclusion within the ICT sector. Further, seven years since its passing, the Framework Law on Consumer Protection, which includes provisions on consumer rights and quality of services within the technology sector, remains largely unenforced due to the absence of  implementation guidelines.

Privacy and Data Protection

Cameroon has no data protection or privacy law. However, the national Constitution amended by the Law N°. 96-06 of 18 January 1996, guarantees privacy of communications in its preamble, stating that “the privacy of all correspondence is inviolate. No interference may be allowed except by virtue of decisions emanating from the Judicial Power”. The 2010 Cybersecurity and Cybercrime law also provides for the privacy of communications under Article 41 and outlaws the interception of communications under Article 44. The obligation for service providers to guarantee users’ privacy and the confidentiality of information is covered under Articles 42 and 26.  

According to Article 26(1); “Information system operators shall take all technical and administrative measures to ensure the security of the services offered. To this end, they should be equipped with standardised systems that enable them to identify, evaluate, process and continuously manage the risks related to the security of information systems in the context of services offered directly or indirectly”. However, the law does not specify the guiding principles for the collection and processing of personal data, nor users’ right to access and update such data. 

Network Disruptions

The government of Cameroon has in the past initiated two internet shutdowns in the Anglophone region of the country, which together lasted 240 days and drew international condemnation. The shutdowns were imposed in the wake of ongoing strikes, fatal violence and protest action against the alleged “francophonisation” and marginalisation of English speakers who claim that “the central government privileges the majority French-speaking population and eight other regions.” It is estimated that the regional internet shutdown cost USD 38.8 million in addition to affecting access to public services, education, and daily livelihoods. 

Guaranteeing an Inclusive Digital Space in Cameroon

Cameroon’s government has professed its intention to leverage the digital economy for sustainable development and to establish  an enabling legal and regulatory framework. However, developments such as taxation of application downloads, internet disruptions, and limited efforts to bridge the digital gender divide, indicate a shrinking digital space and are likely obstacles to the uptake of ICT. Efforts are thus necessary to ensure a digital environment that is both open and accessible to all, upholds users’ safety and security, and guarantees constitutional rights. These efforts should include a strengthened legal framework with implementation guidelines to ensure enforcement, compliance monitoring, and accountability. 

Moreover, the adoption of a specific law on privacy and data protection is recommended, so as to guarantee the principles of anonymity and consent, and in line with international best practice. For civil society organisations, it is recommended to intensify advocacy against regressive policy and practice including internet disruptions,  and the enforcement of consumer protection and universal services. Crucially, civil society should play an active role in policy consultative processes and citizen sensitisation on digital rights and literacy.