Challenges and Prospects of the General Data Protection Regulation (GDPR) in Africa

Policy Brief |
Privacy is a fundamental human right guaranteed by international human rights instruments including the Universal Declaration of Human Rights in its article 12 and the International Covenant on Civil and Political Rights, in its article 17. Further, these provisions have been embedded in different jurisdictions in national constitutions and in acts of Parliament.
In Africa, regional bodies have invested efforts in ensuring that data protection and privacy are prioritised by Member States. For instance, in 2014 the African Union (AU) adopted the Convention on Cybersecurity and Personal Data Protection. In 2010, the Southern African Development Community (SADC) developed a model law on data protection which it adopted in 2013. Also in 2010, the Economic Community of West African States (ECOWAS) adopted the Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS. The East African Community, in 2008, developed a Framework for Cyberlaws. Notwithstanding these efforts, many countries on the continent are still grappling with enacting specific legislation to regulate the collection, control and processing of individuals’ data.
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect. The GDPR is likely to force African countries, especially those with strong trade ties to the EU, to prioritise data privacy and to more decisively meet their duties and obligations to ensure compliance.
See this brief on the Challenges and Prospects of the General Data Protection Regulation (GDPR) in Africa, where we explore the consequences of GDPR for African states and business entities.

Sections of Kenya’s Computer Misuse and Cybercrimes Act, 2018 Temporarily Suspended

By Juliet Nanfuka |
Barely two weeks after the presidential assent to the Computer Misuse and Cybercrimes Act, 2018, a High Court judge has issued a conservatory order suspending the entry into force of 26 sections of Kenya’s contentious Computer Misuse and Cybercrimes Act, 2018. The order by Judge Chacha Mwita, suspending the sections until July 18, follows a petition filed by the Bloggers Association of Kenya (BAKE), which challenged the law for contravening constitutional provisions on freedom of opinion, freedom of expression, freedom of the media, freedom and security of the person, right to privacy, right to property and the right to a fair hearing.
In the order issued on May 29, the judge certified BAKE’s petition as urgent, and stated that  respondents (who include the Attorney General, the Speaker of the National Assembly, the head of the National Police Service, and the Director of Public Prosecutions) be served immediately. The respondents would have seven days from receipt to file written submissions. Hearing of the petition is scheduled for July 18, 2018.
Although the conservatory order only stalls the enforcement and could be lifted or maintained thereafter, it nonetheless represents a win for digital rights advocates in Kenya, as they have in the interim satisfied the judge that there is an arguable case to be made against the constitutionality of the recently enacted law. The order also marks another landmark ruling in the litigation towards respect and realisation of digital rights across Africa.

According to the  order, the suspended sections are: 5, 16, 17, 22, 23, 24, 27, 28, 29, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 48, 49, 50, 51, 52 & 53.

Various organisations criticised the bill prior to its assent on May 16, 2018 calling it unconstitutional. Among the organisations were the Kenya ICT Action Network (KICTANET), Article 19 Eastern Africa, BAKE and the Centre to Protect Journalists (CPJ) who deemed numerous sections unconstitutional and detrimental to Kenyan citizens’ digital rights. They said it infringed on the privacy of individuals, freedom of expression, speech, opinion and access to information online.
Kenya already has a history of stifling online critics of the state and state actors, as echoed by James Wamathai, the Director of Partnerships at BAKE. In a statement, he said: “In the past several years, there have been attempts by the government to clamp down on the freedom of expression online. This Act is a testament of these efforts, especially after other sections were declared unconstitutional by the courts.
Among the prevailing concerns on the law is the use of vague language on issues such as “false” or “fictitious” content and false publications in Section 22 and 23, accompanied with heavy obligations on users to verify truthfulness or untruthfulness of information before disseminating. As per section 12, failure to comply would result in a fine of five million Kenyan shilling (USD 50,000), up to two years in prison, or both.
The  court order comes on the heels of the two judgments (Okiya Omtatah Okoiti v The Communication Authority of Kenya and 3 others Constitutional Petition No. 53 of 2017 and Kenya Human Rights Commission v Communications Authority of Kenya and 3 others no. 86 of 2017) by the Kenya High Court in which the petitioners successfully challenged the installation on mobile phone networks of a communication surveillance system dubbed Device Management System (DMS), by the Communications Authority (CA) Kenya (CA). The petitioners argued that, through this system, the authority would have undue access to the communications of citizens.
As more countries in Sub-Saharan Africa develop technology related laws, it is fundamental that the laws uphold human rights standards prescribed at global and regional levels, including in the International Covenant on Civil and Political Rights (ICCPR), the African Charter on Human and Peoples Rights (ACHPR), and African Union Convention on Cybersecurity and Personal Data Protection. However, recent developments such as has been witnessed in East Africa appear to prioritise the criminalisation and penalisation of internet use rather than encourage its adoption as a tool for greater access to information, and for expanding free expression and civic engagement.
Kenya’s neighbours Tanzania and Uganda have this year taken actions detrimental to digital rights. In Uganda, social media taxes that could be introduced in July 2018 threaten internet access and affordability while in in Tanzania, online content producers will have to pay over USD 900 to register with the state for permissions to maintain their platforms, according to new regulations.

The Stampede for SIM Card Registration: A Major Question for Africa

By Edrine Wanyama |
It is anticipated that by 2025, there will be at least 5.9 billion mobile subscribers accounting for 71% of the world’s population. As of 2017,  Sub-Saharan Africa (SSA) had  a mobile subscription rate of 44% which is projected to reach  52% by 2025. Further, SSA’s mobile internet penetration by 2017 stood at 21% and is anticipated to increase to 40% by 2025.  However, the region has registered the largest number of cases of mandatory SIM card registration yet it suffers some of biggest challenges in personal data protection and privacy.
The benefits of SIM card registration include facilitation of citizens’ access to e-Government services, easy identification of an individual’s mobile number and number portability when switching networks. In addition, it aids combating cybercrime including terrorism by limiting covert communication and promotes good relations between consumers and service providers by simplifying identification of consumers and their use of SIM services. Accordingly, many governments argue that mandatory SIM card registration is for purposes of safeguarding digital and physical security. However, critics argue that when SIM card registration is effected without due safeguards, it poses a threat to privacy and freedom of expression.
Indeed, in 2013 Mexico repealed its policies on SIM card registration “after a policy assessment showed that it had not helped with the prevention, investigation and/or prosecution of associated crimes.” Finland has not enforced compulsory SIM card registration and nonetheless, through voluntary mobile signatures, service providers has succeeded in facilitating user’s access to relevant retail, banking and e-Government services.
Globally, over 90 countries conduct compulsory SIM card registration yet some remain without clear policy on its implementation. Amidst criticisms that mandatory registration does not necessary combat cybercrime, as criminals take the necessary precautions to avoid being detected and circumvent mandatory SIM card registration, African countries continue to proactively enforce SIM card registration. Among the prevailing challenges on the continent is the difficulty in validating identity documents in an environment with a wide range of service providers who create room for potential circumvention.
Mandatory registration has negatively affected access and usage of mobile telecommunication services due to the tedious process which entails the production of documentation such as passports and national identity cards prior to registration, which sometimes results in failure to attain a SIM card, disconnection, or  deactivation of SIM cards.
Additionally, there have been repetitive calls for registration of SIM cards in countries such as Uganda and Nigeria with personal data being collected  more than once. In Uganda, despite government explanation that SIM card verification is aimed at ensuring secure and safer communications, citizens have unanswered questions on the exercise. Suspicion arises due to a fresh validation of SIM card registration using national identity cards subsequent to registration which was initially done using valid documents such as students’ identity cards, driving permits and passports.
Double collection of personal data may partly imply collection of data beyond what is necessary for the purpose contrary to the internationally established data protection principles such as those set out in the Organisation for Economic Co-Operation and Development (OECD) Data Protection Principles. Further, there is no guarantee of individual privacy as most of the African countries do not have data protection laws. Moreover, most of the existing data protection laws do not meet internationally recognised standards considered sufficient to guarantee personal data protection and are therefore regarded as offering moderate or limited protection.
Meanwhile, efforts to buttress data protection in Africa have not yielded much. Out of 54 countries on the continent, only 14 have data protection laws (Angola, Benin, Burkina FasoMali, Gabon, GhanaIvory Coast, Lesotho, Madagascar, MoroccoSenegalSouth AfricaTunisia and Zimbabwe). A few others such as Uganda, Kenya, Nigeria, Tanzania and Niger have Bills. Regional efforts have also not yielded much. The Convention on Cyber Security and Personal Data Protection which was adopted by the African Union in 2014 has registered only 10 signatories (Benin, Chad, Congo, Ghana, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome & Principe, Zambia and Comoros) and one ratification by Senegal.
Ultimately, there is need to reconcile state interests with citizens’ personal data and privacy rights. Mandatory registration, especially in the absence of clear registration guidelines and the lack of data protection laws, puts personal data at risk. African governments need to learn from other jurisdictions such as Europe with regards to processing of personal data as part of SIM card registration. In enforcing SIM card registration, there should be a clear set registration timelines, clear and unambiguous registration requirements.

Uganda Moves to Register Online Content Providers  

By Daniel Mwesigwa |
Uganda has become the latest East African country to threaten access to information and free speech online by putting in place measures that require the registration of online content providers. In a notice issued earlier this month, the Uganda Communications Commission (UCC) called for online publishers, news platforms, radio and television operators to “apply and obtain authorization” for provision of services.
Without specifying the requirements necessary for application, the UCC indicates that within a month of issuance of the notice, measures will be enforced against non-compliant service providers and this “may entail directing Internet Service Providers (ISP) to block access to such websites and/or streams.”
The UCC is mandated under Section 5 of the Uganda Communications Act 2013 (UCC Act) to monitor, inspect, license, supervise, control and regulate all communications services. This mandate extends to audio, visual or data content production or dissemination through traditional broadcast media as well as internet based platforms.
According to the notice, registration of the various operators which the UCC classifies as “online data communication and broadcast content providers”, is within the regulator’s mandate to set standards and enforce compliance relating to content.
Over the years, UCC’s regulatory role has come under criticism over its lack of independence. Its establishing Act gives powers to the minister in charge of ICT to appoint the commission’s executive director and board members and to approve its budgets.  In April 2017, the parliament of Uganda passed the Uganda Communications (Amendment) Bill (2016) which further gave the minister the power to single handedly make regulations for the sector without parliamentary oversight.
More recently, UCC instructed telecommunications service providers to enforce two social media shutdowns during the presidential elections in 2016, and in September 2017 barred live broadcasts of parliamentary proceedings on the Presidential age limit amendment bill. National security and public safety have been cited as the grounds for the various directives.
There are an estimated 24 million mobile subscriptions and 18.1 million  internet users in Uganda, reflecting an internet penetration rate of 48%. The country has licensed over 40 TV and 300 FM radio stations, many of which maintain online presences through live streaming on platforms such as YouTube, Facebook and Twitter.
Meanwhile, licensed print operators maintain online portals whilst there is a growing number of independent online news publishers and bloggers. Growing media convergence has seen traditional media maintain a dominance online as was witnessed during the Uganda Presidential debate in 2016, where the television stations NTV and NBS TV influenced narrative according to a Twitter sentiment analysis.
However, without regulations in place to guide the proposed registration, it remains to be seen what obligations will be put forth for online content providers and the resultant impact that the registration will have on the country’s growing media landscape as well as the rights of users. Nonetheless, the move is a regressive development for digital rights in the country. It reflects a growing trend in neighbouring countries that are seeking to regulate online content through requirements for registration of users and service providers as well as accreditation to practice journalism.
In 2017, Tanzania published draft regulations on Electronic and Postal Communications (Online Content). The proposed regulations confer powers upon the Tanzania Communications Regulatory Authority (TCRA) to regulate online content, including through registration of users and platforms, and taking action against non-compliance with the obligations, such as ordering the removal of “prohibited content.”
A more targeted avenue has been used in Burundi, through the Press Law of 2015 which calls for all media practitioners to be accredited, including those operational purely in the online domain. A similar stance exists in Rwanda where even social media posts are theoretically regulated by the country’s National Communication Council (CNC).
The move by Uganda, proposed measures in Tanzania and existing practices in Burundi and Rwanda restrict the number of content providers online and thus inhibit the diversity and wider availability of information online. Furthermore, there is the potential for such practices to engender censorship to legitimate content which might be critical of public officials and bodies.

CIPESA Submits Comments On The Uganda Data Protection and Privacy Bill, 2015

Official Submission |
Article 27 of Uganda’s constitution provides for citizens’ right to privacy, however, there is no law to protect an individual’s data privacy despite the large amounts of citizen data collected by government departments and private entities on a regular basis. More concerning, is that this data is collected with no guarantee of its protection and privacy.
Some existing legislation, for instance the Computer Misuse Act, 2011 (section 18); Access to Information Act, 2005 (section 26); Uganda Communications Act, 2013 (section 79); Electronic Signatures Act, 2011 (section 81); and the Regulation of Interception of Communications Act, 2010 (section 2) prohibit unauthorised access and disclosure of information. However, the provisions in these laws are not elaborate and do not adequately protect personal data.
The publication of the draft Data Protection and Privacy Bill 2014 was therefore a milestone. Accordingly, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) submitted comments to that version of the bill. Various concerns were raised including vague wording which left the bill open to misinterpretation, unclear procedural processes for collection and retention, as well as the costs associated with accessing personal data.
More recently on , CIPESA welcomes the Parliament of Uganda’s call for submissions on the Draft Data Protection and Privacy Bill, 2015. It once again gives opportunity for stakeholders to provide input to ensure that the law, when enacted, measures up to internationally acceptable standards of data protection.
In our latest submission, we highlight some of the positive principles and provisions of the Bill. Furthermore, we indicate areas of concern and suggest amendments to ensure that if the bill is passed into law, there are sufficient safeguards to regulate the collection, storage and use of data towards upholding citizens’ right to privacy.
See the full submission made on the Uganda Data Protection and Privacy Bill, 2015 presented to the Committee on Information and Communication Technologies (ICT) in the Parliament of the Republic of Uganda