Privacy Imperilled: Analysis of Surveillance, Encryption and Data Localisation Laws in Africa

By Evelyn Lirri

Across Africa, the proliferation of digital technologies is being matched by state measures that negate the right to privacy. The accelerated adoption of digital technologies has come with increased collection and sharing of large quantities of personal data, which is a major concern as several countries lack data privacy laws and many that have them are not implementing the laws. 

As a result, the right to privacy has come under growing siege, which is in turn negatively impacting the enjoyment of other rights, including freedom of expression, association, and access to information online.

In this report, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) analyses country-specific laws that various governments on the continent have enacted and how they impact privacy and data security through surveillance, restrictions on encryption, data localisation, and biometric databases. The report covers 23 countries – Algeria, Angola, Benin, Burkina Faso, Burundi, Cape Verde, the Central African Republic (CAR), Congo Brazzaville, the Democratic Republic of Congo (DRC), Gabon, Guinea Conakry, Ivory Coast, Lesotho, Liberia, Madagascar, Mauritania, Morocco, Niger, Sao Tome and Principe, Sierra Leone, South Sudan, and Togo.

According to the report, governments across the continent continue to collect and process personal data, intercept communications and permit surveillance without putting in place the requisite oversight mechanisms and adequate remedies, despite being signatories to regional and international conventions that recognise the right to privacy and provide safeguards for data protection, such as the revised Declaration of Principles of Freedom of Expression and Access to Information in Africa, the International Covenant on Civil and Political Rights, and the Universal Declaration of Human Rights.

Weak Oversight of Surveillance Operations 

One of the emerging concerns is the lack of independent judicial oversight over surveillance operations. In some countries, surveillance operations are entirely carried out and overseen by bodies within the executive, with parliaments and courts of law excluded. In Lesotho, interception warrants may be issued by the Minister responsible for the National Security Services, while in Niger, interception is ordered by the President. In South Sudan, this responsibility is vested with the Director General of the National Security Service, while in The Gambia it lies with the Minister of Interior. In Togo, the Prime Minister, and the Ministers responsible for the economy and finance, defence, justice, and security and civil protection can trigger interception of communications.

In countries such as Benin, the Democratic Republic of the Congo (DRC), Morocco, Niger, and Togo, justification for surveillance is specified under the law. The reasons provided include the preservation of national security or defence, investigation of crimes, prevention of terrorism, organised crime, and activities that undermine public peace or public order. However, these crimes are not defined or are vaguely defined, which gives latitude to state authorities to broadly interpret the laws in undermining the rights of critics and opponents.

Limitations on Encryption

The use of encryption is critical in helping citizens to protect their data and communications while enjoying the right to privacy and freedom of expression. In several countries, however, this right is being threatened as governments impose restrictions that require the registration of encryption service providers, ban certain types of encryption, and compel service providers to hand over decrypted data.

In Algeria, individuals and organisations that want to acquire and use encryption services must be granted authorisation by the country’s Regulatory Authority of Post and Electronic Communications. On the other hand, in countries such as the Democratic Republic of Congo, the Central African Republic, Niger, Benin, Guinea Conakry, Ivory Coast, Congo-Brazzaville, Morocco, Togo and Burkina Faso, an authorisation may be sought if the encryption is not exclusively for providing authentication or integrity control functions. Failure to seek authorisation or using prohibited encryption could attract a heavy penalty, including jail time, a fine, or both.

Countries like Mali, Tanzania, and Malawi also require service providers to disclose specific software to be used for encryption. Such prohibitive provisions undermine privacy and freedom of expression that access to encryption accords.

Compelled Assistance by Service Providers

Governments are also using compelled assistance, where state agencies seek access to data from service providers, including through courts of law and regulators, to gain access to individuals’ private data. This includes access to the secret code of encrypted data, or to decrypted data, and generally requiring service providers to render assistance to state agencies in the interception of communications.

Laws in countries like Benin, Ivory Coast, Congo-Brazzaville, Gabon, Guinea Conakry, and Sierra Leone specify grounds on which the state can access encrypted data of individuals and also facilitate lawful interception of communications. Laws in several countries require intermediaries such as telecom companies and Internet Service Providers (ISPs) to facilitate surveillance.

As the report notes, compelled service provider assistance as stipulated in some countries’ laws is quite worrisome as it gives governments and their agencies unfettered access to individuals’ private data beyond limits prescribed by law or permissible by international standards.

Data Localisation

Various countries have enacted laws to control the cross-border transfer of personal data for a multitude of reasons, including national security, personal data protection, and data sovereignty. Algeria, Niger, Morocco, Benin, Cape Verde, Madagascar, Guinea Conakry, Ivory Coast, Congo Brazzaville, Sao Tome & Principe and Togo have laws that prohibit cross-border transfer of personal data unless authorised by data protection authorities.

However, as the report’s findings show, despite having laws in place, enforcement remains weak. Further, data localisation requirements could, in the absence of robust legal and practical safeguards, further facilitate efforts by state and non-state actors to undermine privacy-related rights. Morocco, Algeria, and Ivory Coast are some of the countries where data localisation measures are being implemented.

Biometric Data Collection

Recent years have seen a number of African countries undertake mass collection, processing and storage of personal data through initiatives such as mandatory SIM card registration, electronic biometric passports, IDs, and driving licences. Although many countries have also passed laws on data protection and privacy, weak implementation mechanisms, coupled with the absence of the requisite safeguards, remain a threat to individual privacy. This is particularly so in instances where regulatory authorities have the power to direct telecom operators to hand over information such as that contained in the SIM card databases.  

Furthermore, the existing oversight mechanisms and provisions for remedies in the case of data breaches have not been effective enough to protect the personal information and communication of individuals in line with internationally recognised human rights standards. Many countries have enacted data protection laws but have additional legislation that gives the state and its agencies power to access citizens’ biometric information, often under the guise of protecting national security. This is the case with countries such as Kenya, Gabon, Uganda, Lesotho, Mauritius, Morocco, Niger, Sao Tome, Togo, Algeria, Congo Brazzaville, and Ivory Coast.

Recommendations

Government:

  • Enact data protection laws in countries such as Liberia, Sierra Leone and South Sudan to provide for and guarantee protection of personal data.
  • Review existing laws, policies and practices on surveillance, including COVID-19 surveillance, biometric data collection, encryption and data localisation, to ensure they comply with article 9 of the African Charter and with the principles in the African Commission on Human and Peoples’ Rights Declaration of Principles on Freedom of Expression and Access to Information in Africa 2019.
  • Cease blanket compelled service provider assistance and provide for clear, activity-bound and court-mandated assistance.
  • Submit periodic reports to the different international human rights treaty body monitoring mechanisms such as the African Commission on Human and Peoples’ Rights, the Human Rights Committee and the Universal Periodic Review process, on the measures taken to guarantee the right to privacy and data protection.

Civil Society:

  • Work collaboratively with stakeholders such as the private sector and academia, including through litigation to challenge laws and measures that violate privacy rights.
  • Monitor and document privacy rights violations through evidence-based research.
  • Conduct regular analysis of proposed laws to identify the gaps and propose revisions before they are enacted into law.
  • Advocate for the promotion and protection of the right to privacy and data protection through various advocacy engagements.

Private Sector: 

  • Develop, publish and implement internal privacy and data protection policies and best practices in handling customer data so as to guarantee customers’ data protection and privacy.
  • Regularly publish transparency reports that highlight all cases of personal data and information disclosure to government agencies as well as other assistance offered to governments to enable communication interception and monitoring.
  • Develop technologies and solutions and use privacy-enhancing technologies that embed and integrate privacy principles by design and default.
  • Comply with the United Nations Business and Human Rights Principles by conducting human rights impact assessments to ensure that measures undertaken do not harm individual rights to privacy and data protection.

Find the full report here: Privacy Imperilled: Analysis of Surveillance, Encryption And Data Localization Laws in Africa  

See another CIPESA report Mapping and Analysis of Privacy Laws in Africa that maps privacy-related laws in 19 other countries.

Policy Brief: How African States Are Undermining the Use of Encryption

By Lillian Nalwoga

Encryption enables internet users to protect their data and communications from unauthorised access. Accordingly, anonymity and the use of encryption in digital communications are key enablers of citizens’ enjoyment of the right to privacy.

Worryingly, many African countries have passed legislation that limits anonymity and the use of encryption, purportedly to aid governments’ efforts to combat terrorism and crime. Other governments in the region limit the use of encryption to enable them to monitor the communications of critical journalists, human rights defenders, and opposition politicians.

In commemoration of the inaugural Global Encryption Day, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has published a policy brief that highlights restrictions to encryption and what needs to be done by governments in Africa to promote the use of encryption. The brief shows that encryption laws and government practices in several countries undermine the privacy rights of citizens, which in turn hampers their right to free expression and to secure use of digital technologies.

The importance of the right to anonymity in the digital era has been recognised in the Declaration of Principles on Freedom of Expression and Access to Information in Africa of the African Commission on Human and Peoples’ Rights. Principle 40(3) provides that: “States shall not adopt laws or other measures prohibiting or weakening encryption, including backdoors, key escrows, and data localisation requirements unless such measures are justifiable and compatible with international human rights law and standards.”

However, encryption is under threat from governments in Africa, as indeed in other parts of the world. Among the concerns cited by the brief are legislation and regulations that require registration and licensing of encryption service providers before they can offer cryptographic services. This is the case in Benin, Chad,  Cameroon, Congo Brazzaville, Democratic Republic of Congo (DR Congo), Ethiopia, Guinea, Ivory Coast, Malawi, Mali, Morocco, Senegal, South Africa, Tanzania, Tunisia and Zambia, among others. Offering encryption services without a license attracts penalties, as does failure to hand over secret encryption codes to state authorities, or using prohibited encryption tools.

Encryption in Africa

The requirement for registration of encryption services providers makes it easy for regulators and other government agencies to access information held by these service providers, including decryption keys and encrypted data. This undermines best practices which require governments to reject laws, policies, and practices that limit access to or undermine encryption and other secure communications tools and technologies. 

Further, the brief points to how governments in Africa prohibit the use of some types of encryption and require disclosure to regulators of the characteristics of cryptology. Crucially, governments should not prohibit the use of encryption by grade or type. Further, governments should not mandate insecure encryption algorithms, standards, tools, or technologies. 

Meanwhile, laws on interception of communications across the continent, including in Benin, Cameroon, Chad, Ivory Coast, Malawi, Mali, Niger, Nigeria, Rwanda, Senegal, Tanzania, Togo, Tunisia, Uganda, Zambia and Zimbabwe, require communication service providers to put in place mechanisms, including the installation of software, which facilitate access and interception of communications by state agencies. Indeed, state agencies in several countries can request decryption of data held by service providers, which poses a big concern.

For instance, Zimbabwe’s Interception of Communications Act requires cryptography services providers to decrypt data at judicial authorities’ request or provide them with the codes allowing the decryption of data they have encrypted (article 78). Section 11(1)(d) permits security agents to demand that information is decrypted before it is handed to them, where the disclosure is necessary for national security, to prevent or detect a severe criminal offense, or in the interests of the country’s economic well-being. Failure to comply is punishable with up to five years’ imprisonment, a fine not exceeding USD 373, or both. Similar provisions are found in the laws of several other countries.

Such compelled assistance from service providers has been reinforced with mandatory SIM card registration of phone users around the continent, as well as data localisation requirements amidst ineffective safeguards.

In some countries, if the private communications of human rights defenders and opposition politicians fall into the hands of state agencies, the consequences can be dire. The brief cites Rwanda, where the private communications of musician Kizito Mihigo, opposition leader Diane Rwigara, and two former army officers were used in their separate prosecutions. In Ethiopia, the Zone 9 bloggers were detained and prosecuted, among others, for using encrypted communications.

Meanwhile, Uganda instituted a ban on the use of Virtual Private Networks (VPNs) in the face of internet taxes and network disruptions. For its part, Zimbabwe barred telecom operator Econet Wireless from introducing the Blackberry Messenger service, which provided encrypted messaging, arguing that it contravened the southern African country’s interception of communications law, which bars provision of services which the communications regulator cannot intercept. Another example cited is Mauritius, which this year attempted to introduce a controversial lawful interception mechanism that would decrypt and re-encrypt all social media traffic.

In light of the above concerns, the CIPESA brief is urging governments to repeal or amend provisions that place undue restrictions on the use of encryption tools; cease blanket compelled service providers and intermediary assistance to state agents and instead provide for clear and activity-bound assistance; and enact data protection and privacy laws that robustly promote the use of strong encryption. 

The full brief can be accessed here.

How Surveillance, Collection of Biometric Data and Limitation of Encryption are Undermining Privacy Rights in Africa

By Paul Kimumwe

The right to privacy online has become a critical human rights issue, given its intricate connection with, and its being a foundation for, the realisation of other rights, including the rights to freedoms of expression, information, assembly, and association and preservation of human dignity. However, many African countries have steadily taken measures to undermine this right, including enacting retrogressive laws and policies that facilitate surveillance and the collection of biometric data, and others that limit the use of encryption.

The advent of the Covid-19 pandemic has exacerbated privacy concerns, yet in several countries digital rights were already under steady attack, including via internet shutdowns, criminalisation of “false news”, misinformation and disinformation campaigns by state and non-state actors, harassment and prosecution of social media users, and growing state surveillance.

In responding to the pandemic, many countries adopted regulations and practices, including deploying surveillance technologies and untested applications, to enable them to collect and process personal data for purposes of tracing, contacting, and isolating those suspected to be carrying the virus and those confirmed to carry it. These measures were quickly adopted, often without adequate regulation or oversight.

In this research report, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has analysed laws and policies that impact on privacy, notably those that regulate surveillance, data localisation, biometric databases, and encryption.

The research covered 19 countries – Cameroon, Chad, Egypt, Ethiopia, Kenya, Ghana, Malawi, Mali, Mozambique, Namibia, Nigeria, Rwanda, Senegal, Tanzania, Tunisia, Uganda, Zambia, Zimbabwe, and South Africa.

Summary findings

Growing Surveillance: The research findings show that overall, there has been notable progress in the enactment of specific laws and policies safeguarding the right to privacy, including requiring judicial authority to authorise surveillance in countries such as Kenya, Nigeria, Tanzania, Tunisia and Uganda.

However, there are a few cases, such as in Zimbabwe, where authorisation for monitoring and intercepting communications is offered by non-independent and partial actors such as ministers. In addition, many of the countries’ laws do not measure up to international human rights standards and fail to establish clear and appropriate oversight, redress, and remedy mechanisms.

Indeed, “national security” considerations have been employed in laws in various countries broadly to justify and authorise the interception of communication, restrict privacy rights, grant wide search and seizure powers to law enforcement agencies, mandate intermediaries such as telecommunication service providers to facilitate interception, and to require data localisation.

In addition, while various countries have criminalised illegal surveillance and placed various safeguards on the conduct of state surveillance, many of them still contain retrogressive provisions that leave scope for intrusion, including enabling state surveillance with limited safeguards.

Limitation of Encryption: Anonymity and the use of encryption in digital communications are critical in advancing both the right to freedom of expression and right to privacy. In the absence of these rights, the capacity of individuals to communicate anonymously and without fear of their communications being intercepted cannot be guaranteed.

There are few positive provisions in some countries that require the protection of personal data through technical security measures which include encryption. On the other hand, many countries in the study have passed legislation that limits anonymity and the use of encryption through criminalisation of possession and use of cryptographic software or hardware, providing for fines and prison sentences.

The findings show that in countries like Chad, Malawi, Senegal, Tanzania, Tunisia and Zambia, there are penalties for offering cryptographic services without licensing, registration or authorisation. Interception of communications provisions often require service providers to decrypt any encrypted information that they may intercept in the course of offering assistance to lawful interception. In countries such as Mali and Tanzania, the laws require the encryption service providers, upon registration with the authorities, to disclose the technologies they plan to use for encryption.

Data Localisation: The findings show that a growing number of African countries have been legislating on data localisation, which has mostly taken the form of a requirement to store data locally and forbidding unauthorised cross-border data transfers. Various countries have specified the conditions for authorising transfer, mostly where the data subject has offered consent and where an adequate level of protection is assured in the recipient country or international organisation.

Several African countries have adopted different approaches towards data localisation. Several countries use laws on financial services (Nigeria, Ethiopia and Rwanda), cybersecurity and cybercrimes (Rwanda, Zambia and Zimbabwe), telecommunications (Cameroon, Rwanda and Nigeria) and data protection (Kenya, South Africa, Tunisia and Uganda) to place restrictions on cross-border transfer of data.

Some countries have specified the data that cannot be exported without authorisation. Kenya specifies all public data; Nigeria mentions all government data and all subscriber and consumer data; while Zimbabwe, Malawi and Tunisia cite personal information.

Establishment of Biometric Databases: In several countries, government agencies are collecting and processing personal data without adequate data protection laws, amidst limited oversight mechanisms and inadequate remedies. While many have recently passed data protection laws and policies, implementation is not effective, and the safeguards are not water-tight as required under international human rights law.

Some laws in countries such as Chad, Kenya, Tunisia, Uganda, South Africa, and Zimbabwe, prohibit the collection of certain categories of data, including specific types of biometric data generally, or where certain conditions are not complied with. In the other countries studied, the laws require the mandatory collection of biometric information for the registration of telecommunications subscribers, for digital identity programmes and during voters’ registration. Several laws and policies on biometric data collection contain provisions on sanctions and penalties for breach.

Weak Oversight, Transparency and Accountability Mechanisms: The study found that countries have adopted different approaches to oversight, including specifying courts, data protection authorities, sector regulators and administrative bodies as key oversight bodies. Some of these bodies are located within the executive, and therefore may lack the proper legal, financial, and institutional independence to stem violations within government, and especially by state security agencies. The laws in most countries require judicial authorities to issue a warrant for interception or monitoring of communications. However, in some countries interception orders can be issued by non-judicial officials, such as ministers.

The deficiency of accountability and transparency is among the weakest links in the various countries’ surveillance laws. While some countries, such as Nigeria, Rwanda, Tunisia and Zimbabwe, have commendable oversight and accountability provisions, it is not known whether they are applied. No entity in any of the countries studied permits public access to records on interception which the laws require state authorities to compile periodically, or publishes any data related to interception warrants issued; if they record such data at all, it is categorised as classified information under state secrets laws. Thus, the public and oversight institutions such as judiciaries and parliaments remain in the dark about the extent and legality of the conduct of surveillance in the respective countries.

Recommendations

  • Governments should review existing laws, policies and practices on surveillance, including Covid-19 surveillance, biometric data collection, encryption and data localisation to ensure they comply with the principles in the African Commission on Human and Peoples’ Rights (ACHPR) Declaration on Principles of Freedom of Expression and Access to Information in Africa and international human rights standards.
  • Governments should also adopt multi-stakeholder approaches to ensure meaningful participation of all stakeholders in the development of policies and laws that affect the right to privacy and data protection.
  • Civil society actors should use strategic public interest litigation as an avenue to challenge laws that violate privacy rights and push for policy and practice reforms that uphold privacy.
  • Civil society actors should also monitor and document privacy rights violations through evidence-based research, and report on state compliance with their obligations to human rights monitoring bodies.

See the full research report here.

CIPESA Conducts Digital Safety Training for Journalists and Activists in Tanzania and Uganda

By Ashnah Kalemera
This month, the Collaboration on International ICT Policy in East and Southern Africa (CIPESA) has given training to human rights defenders, journalists, bloggers and media practitioners in Tanzania and Uganda in safety and security tactics to promote privacy and freedom of expression online.
The training, conducted in Kampala on April 10 and in Dar es Salaam on April 14 and 15, also helped participants to understand the laws and policies governing digital communications in the two east African countries.
The trainings explored basic computer security for operating systems, data storage and software updates. In addition, safety and security tips for using social media such as Facebook and Twitter, email and mobile communications were shared. Strong emphasis was placed on ensuring privacy of these communication tools and creating strong passwords. The trainings also explored techniques for responding to surveillance and censorship using anonymous browser tools, Virtual Private Networks (VPNs) and encryption.
Participants in the two countries shared their experiences – with varying levels of expertise – in securing their communications.
“I do not share my laptop regardless of who you are,” stated one Ugandan participant. He added that he did not access his email on his phone or at internet cafes, cautioning the participants who did. “Any email has to wait until I get to my encrypted laptop,” he said.
A Tanzanian journalist said that whereas she makes the effort to secure all her devices and online user accounts, she often used the same password across the board. This highlighted the shortage of digital safety skills among some of the most regular users of digital technologies in the country.
Participants in both trainings noted that in some cases, civil society organisations were “lazy” in adopting the latest technology to ensure the safety and security of their operations and their staff online. In other cases, financial resources were a limitation. Another challenge highlighted was the slow internet speeds in both countries, hence forcing users to access the internet on several devices.
On the legal and regulatory front, discussions centered around the proposed Cyber Crime Bill in Tanzania and the Uganda Data Protection and Privacy Bill and the need for the two countries to adopt laws that support internet freedoms.
Participants also raised concern about recent developments in neighbouring Kenya and their potential impact on the use of information and communication technologies (ICT) across all member states of the East African Community.
Participants in both the Tanzania and Uganda trainings called for increased awareness of online freedom amongst internet users, particularly vulnerable groups such as women and youth to promote greater appreciation for the need to adopt safety and security practices online.
Overview of training beneficiaries
Individuals from 27 organisations benefited from the training, out of which an average of 33% were women and 67% were men.
Figure 1: Training beneficiaries by gender
Figure 2: Training Beneficiaries by user/organisation category (panels: TZ, UG)
The trainings were organised by CIPESA in partnership with the Pan African Human Rights Defenders Project and Jamii Forums in Uganda and Tanzania respectively in the context of CIPESA’s OpenNet Africa project supported by Hivos, the Open Technology Fund and the Association for Progressive Communications.
Upcoming digital safety skills engagements include for journalists in Uganda (to coincide with World Press Freedom Day on May 3) and for the local tech community.