Attending an ITechLaw conference is “an exciting opportunity to meet colleagues and friends across the globe who are similarly passionate about law and technology. Click here to read more on the event.
By Paul Kimumwe |
Although Africa has registered remarkable growth in digitisation with increased internet penetration and use of Information and Communication Technologies (ICT), the proliferation of ICT and other new and emerging technologies has significantly expanded states’ toolkit for repression and social control, deepening human rights challenges.
Several African governments have embraced digital authoritarianism characterised by aggressive and sophisticated measures that curtail internet freedoms. These have included using digital technologies to surveil, repress and manipulate domestic and foreign populations. Although state surveillance is not new, it has dramatically expanded with the increased digitisation.
Further, surveillance has been digitalised and automated, making mass surveillance possible. Numerous countries across the continent have adopted policies and enacted laws that permit states and their respective agencies, especially security services, to use ICT to conduct surveillance; impose liability on telecommunication intermediaries to facilitate the interception of communication; stipulate the mandatory collection of biometric data; limit the use of encryption; require the localisation of personal data; and grant law enforcement agents broad search and seizure powers.
In this brief CIPESA discusses the key control measures adopted by some African states in enforcing digital authoritarianism and their effect on democratic participation.
The brief notes that the rise of digital authoritarianism has greatly undermined citizens’ rights to enjoy the benefits of digital technology. Several of the tools and control measures that states have employed include the surveillance and interception of communications, poorly regulated collection and processing of personal data including biometrics, as well as the weaponisation of laws that have fundamentally undermined the enjoyment of fundamental freedoms such as freedom of expression, assembly, and association. Collectively, these controls measures have continued to undermine citizens’ digital rights and democratic participation and cement authoritarians’ hold on political power.
Read the full report here: Digital Authoritarianism And Democratic Participation in Africa
By Afi Edoh |
For four years Togo has been inching towards issuing a digital identity (ID) card. While there are indications that 2022 may be the year in which the west African country finally delivers the long-awaited digital ID, the road ahead remains uncertain. Challenges lie both in bureaucratic delays and citizens’ caginess about handing their data to a government with a penchant for surveilling citizens and shutting down digital communications.
The Togolese government announced the e-ID Togo project in 2018, but it was not until mid 2021 that the Ministry of the Digital Economy and Digital Transformation initiated efforts to recruit a communications consultant to devise an awareness campaign to precede the registration stage and a technology solutions service provider. The International Institute of Information Technology Bangalore was awarded the system contract in December 2021.
According to the government, the e-ID project will simplify the process of updating the electoral register, facilitate access to public services and to credit, reduce fraud in the financial sector, and facilitate the targeting of social protection beneficiaries. Only 25% of the country’s population of eight million has a form of identification, with women less likely to have an identification document, which hinders their ability to open bank accounts, enrol children in school, benefit from health insurance, or get a mobile phone number. In recognition of the gaps in civil registration among citizens, the government set out to enrol citizens for e-ID even without proof of birth registration.
Togo passed Law No. 2019-014 relating to the protection of personal data in October 2019. In 2020, parliament passed Law No. 2020-009 relating to the biometric identification of natural persons, whose objective is to establish a system for identification and authentication of natural persons. The law aims to establish a “secure and reliable methodology” for obtaining, maintaining, storing and updating data on the identity of registered individuals. The law requires all citizens and residents in Togo to obtain a Unique Identification Number (NIU) by submitting their demographic and biometric data (Article 4). The biometric data specified for purposes of obtaining a NIU are photograph and / or facial recognition, fingerprints, and iris scan. The National Identification Agency (ANID) is mandated to collect biometric data for the NIU.
SIM Card Registration
In July 2021, a SIM card registration and limitation of subscriptions per individual and network campaign was launched by the telecommunications regulatory authority ARCEP, supported by leading telecom operators Moov Africa Togo and TogoCom. The SIM registration requirements include a national identity card or passport and collection of biometric and demographic data.
But this extensive collection of individuals’ personal data raises concerns for the safety of such data. These concerns are not unfounded and they partly arise from the state’s record on respect for digital rights, which have seen it order network disruptions and use malware to target opponents and dissidents.
In 2020, lingering suspicions that the Togolese government was undertaking interceptions of communications gained credence when the Citizen Lab revealed that Israeli-made spyware Pegasus, supplied by the NSO Group, was used between April and May 2019 to target Togolese civil society, including a Catholic bishop and a priest, as well as two members of Togo’s political opposition. The surveillance reportedly coincided with nationwide pro-reform protests that were forcibly dispersed. The Togolese government did not respond to the allegations, which nonetheless sparked debate within Togolese media and civil society.
Further, in October 2021, Amnesty International research found that Togolese activists had been targeted with spyware by the Donot Team hacker group based in India – the first time that Donot Team spyware was found in use outside of South Asia. According to the report, the activists’ devices were targeted between December 2019 and January 2020, during a tense political climate ahead of the 2020 presidential election.
During the February 2020 elections, authorities disrupted access to messaging services (WhatsApp, Facebook Messenger, and Telegram). Later that year, the Economic Community of West African States (ECOWAS) Court of Justice ruled that the 2017 internet shutdown in Togo was illegal and an affront on the right of freedom to expression.
According to Access Now, the court ordered the government of Togo to pay two million francs (USD 3,459) to the plaintiffs as compensation, and to take all the necessary measures to guarantee the implementation of safeguards with respect to the right to freedom of expression of the Togolese people.
Privacy and Data Protection
Togo’s laws provide safeguards against unlawful surveillance and unauthorised access to data whilst also granting authorities sweeping powers to violate privacy. Law No. 2012-018 on electronic communications provides for privacy of communications but article 92 empowers the Prime Minister, and the Ministers responsible for the economy and finance, defence, justice, and security and civil protection, to trigger the interception of communications and electronic content.
The biometrics identification law requires the National Identification Agency to encode and encrypt data on its registry and only allows access to authorised agents (article 10, 21 & 22). Violation of the obligation of non-disclosure of personal data, identity theft and unauthorised processing of personal data are punishable with fines ranging from one million to 10 million Central African Francs (USD 1,747 to 17,472), imprisonment between one and five years, or both.
Article 94 of Togo’s 2012 electronic communication law obliges encryption service providers to comply with lawful interception orders, with refusal to provide secret decryption codes to government agencies punishable with a fine of between USD 3,544 and USD 14,178. Cryptology services providers are required to retain for one year, content and data allowing the identification of anyone who has used their services, and to provide the technical means that enable the identification of those users. The service providers are required to avail this data, on request, to the investigating judge, Prime Minister, Minister for the Economy and Finance, the Minister of Defence, the Minister of Justice, and the Minister of Security. The multiple officials who access data – similar to the various officials that can trigger the interception of communications – offers wide latitude for abuse of citizens’ data privacy rights.
In the wake of Covid-19, Togo initiated a relief programme for vulnerable citizens whose livelihoods were affected by the state of emergency. As at March 2021, the programme, known as NOVISSI, had disbursed a total of 13.3 billion francs (USD 22 million) to 819,972 citizens via mobile money.
However, the programme was criticised for requiring applicants to possess a voter’s ID card. During the last electoral census, opposition parties called on the population to boycott the exercise, which meant that some citizens had not renewed their voter ID cards. There were also cases of unscrupulous individuals utilising the voter’s ID details of other citizens to fraudulently benefit from the programme. As a result, the government temporarily halted the program to allow for physical verification of beneficiaries at dedicated centres.
Whereas the various sanctions within the existing legal framework might be a deterrent against unauthorised access to and misuse of personal data, there is wide latitude for state agencies and officials to access the data, which could be abused. This calls for a review of the provisions to ensure they uphold citizens’ right to privacy and data protection, with adequate oversight and redress mechanisms. Further, the e-ID should be rolled out in a manner that ensures agency and dignity, without enhancing exclusion and surveillance.
The Collaboration on International ICT Policy for East & Southern Africa (CIPESA) has made submissions to the Office of the United Nations High Commissioner for Human Rights (OHCHR) on how businesses in the technology sector can improve the observance of human rights.
The submissions, made in February 2022 in response to a call for inputs on the application of the United Nations Guiding Principles on Business and Human Rights (UNGPs) to the activities of technology companies, will feed into a report the OHCHR will submit to the Human Rights Council in June 2022.
Below is a summary of CIPESA’s submission.
The digital age presents new challenges and ways of working that necessitate a review of how the UNGPs can be applied in the technology sector. Increasingly, states have become purchasers of digital technologies from technology companies to facilitate the implementation of various national programmes which present previously unforeseen risks to privacy as they facilitate mass surveillance. Commonly implemented national programmes posing threats to individual privacy include national digital identification systems, voter registration using digital biometric systems, mandatory SIM card registration, smart cities programmes, and installation of national video surveillance (CCTV) programmes integrating facial recognition systems.
Furthermore, digital technologies have fallen prey to retrogressive legal measures undertaken by states. Across Africa, countries have enacted legislation which compel telecommunications service providers to embed capability within their systems to facilitate the interception of communications by state security agencies, and the state acquisition of software and hardware equipment to facilitate surveillance and interception.
In addition, some states have taken advantage of digital tools to carry out cyber attacks, censor online content, disseminate propaganda and disinformation. Moreover, many African governments have adopted laws limiting anonymity and the use of encryption.
Pressure on tech companies
Some governments continue to apply undue pressure on technology companies including social media platforms to provide personal information, take down content, and shut down the internet. Others have adopted repressive legislation to control the spread of information on social media, or to regulate internet intermediaries by placing undue liability on them for content on their platforms. During the Covid-19 pandemic, states developed various contact tracing systems and applications without adequate legal frameworks, or an assessment of the human rights impact of the applications. Also, state responses to hold companies accountable remain ad hoc, fragmented and not aligned with international standards.
Questionable company practices
Across the continent, social media, online search, fintech and advertising companies have adopted business models that are based on surveillance capitalism and thus continue to threaten the privacy of users, in some cases without users’ explicit knowledge or consent. Further, social media platforms have also contributed to the spread of harmful content online, which companies have failed to take effective measures to address. Also, social media content policies do not always adopt definitions of content that are rights-respecting, and their practices around content moderation are problematic. Content is often moderated using automated systems which lack local context, are discriminatory and embed bias.
Moreover, some platforms’ practices around content takedowns remain inaccessible, their content policies are not uniformly applied, and redress mechanisms do not always apply the rules of natural justice. In addition, some companies have continued to develop and sell surveillance technology to autocratic governments on the continent, which is subsequently used against human rights activists, government critics, and opposition leaders, which further exacerbates risks to human rights.
Trade of privacy for business continuity
The total sum of the government measures coupled with the pressure imposed on tech sector players is continent-wide trade of privacy for business continuity by technology companies. This is commonly seen in state surveillance through electronic technologies, including interception of communications, hacking of information of target persons especially political dissidents, activists and human rights defenders. The tech sector has, however, not done enough to ensure that individual privacy is guaranteed for their customers.
In a continent where strong privacy laws remain scanty, the increased usage of online platforms and social media in the absence of adequate safeguards and oversight over companies remains a critical risk for privacy rights. The enjoyment of human rights and freedoms, especially freedom of expression and access to information, association, assembly and movement have sharply declined.
Addressing human rights risks in business models:
- The commitment to respect human rights as envisaged by the UNGPs should be integrated at all levels in the company hierarchy and embedded across all its functions and processes.
- Companies should take steps to mitigate risks within their existing business models, and continuously innovate new business models that are rights-respecting.
- There is a need for continued research to promote greater understanding of the human rights risks in technology business models on the continent.
- Multistakeholder engagement should be promoted as it is a critical avenue to promote shared understanding of the human rights risks and impacts of technology in Africa.
Human Rights Due Diligence and end-use
Companies should do the following:
- Conduct due diligence to identify, prevent or mitigate risks of harmful impact on their business. The due diligence should be conducted from project design and development phase of new products, services and solutions, and thereafter periodically through the lifecycle including promotion, deployment, sale and use.
- Assess and monitor the effectiveness of their responses to human rights risks, with results of
such assessments guiding decision-making.
- Review their state clients’ human rights records and ensure they do not develop, sell or offer
them technology products, services or solutions that contribute to or result in adverse human
Accountability and remedy
- Companies should be transparent and accountable in how they address their human rights impact. Such transparency and accountability can be enhanced through periodic reporting to external stakeholders including through public reports.
- Create platforms and avenues for engagement, information sharing and feedback between technology companies and various stakeholders.
- Implement credible and effective complaints reporting and handling mechanisms.
- Companies should put in place measures to monitor and promote rights-respecting and responsible business practices and culture, and to remedy and mitigate adverse impacts caused by their actions.
The State’s duty to protect
- Put in place administrative, policy, legislative, institutions to hold technology companies accountable for human rights violations, provide effective remedies for victims of rights violations related to technology, require companies to conduct due diligence and to have proper safeguards to protect the public from harm.
- Develop laws, policies, regulations, standards, and guidance, including at the regional level to embed and ensure responsible business practices by technology companies and greater respect for human rights in the digital context.
- Take measures to promote the use and adoption of digital technologies and address the growing digital divide, including by removing barriers to internet access and digital technologies.
See the full submission here.
By Ashnah Kalemera |
The role of technology in driving social, economic and political transformation in Africa is widely recognised. Continent-wide efforts including the Digital Transformation Strategy for Africa (2020-2030) and the Africa Continental Free Trade Agreement (AfCFTA) present opportunities to re-shape countries’ interventions in harnessing technology for transparency and accountability, citizens’ participation, service delivery, innovation and respect for human rights.
However, there remain various challenges to digitalisation in the social, public and private sectors across the continent. According to stakeholder engagements and documentation on digital transformation which were conducted by grantees of the Africa Digital Rights Fund (ADRF) during 2021 and 2022, key challenges include conflict and instability, illiteracy, poor infrastructure, and inadequate policy and legislative frameworks.
Using its second grant from the ADRF, Digitally Yours analysed government and civil society technology initiatives in Algeria, Egypt, Libya, Morocco, Tunisia, and Sudan to establish the reality beyond the hype. The findings are captured in Arabic, English and French language podcasts that feature speakers from the United Nations Economic and Social Commission for Western Asia (UNESCWA), the Open Government Unit at the Organisation for Economic Co-operation and Development (OECD) and the Arab Centre for Cyberspace Research, among others.
The podcasts indicate that in Libya, political instability coupled with limited infrastructure roll-out and a weak legal and regulatory environment have limited public and private sector adoption of technology. Despite the prevailing challenges, notable initiatives include Hexa Connection which is at the forefront of promoting technology for entrepreneurship, governance, civic engagement and innovation; and Lawyers for Justice Libya, whose Adala Academy serves as an online education platform for human rights. Technology is also playing a crucial role in pushing back against racial discrimination in Libya.
The podcast series also documents technology-enabled citizen journalism and cultural and creative expression in Tunisia, online citizen-parliamentary engagement in Morocco, and how internet shutdowns have undermined media and researchers’ roles in the context of Sudan’s political contestations. The podcasts underscore the importance of open government, data protection and privacy for refugees, national cyber security strategies that are protective rather than oppressive, and fact-checking in pursuit of effective digitalisation in the region.
Away from North Africa, Somalia boasts a fast-evolving technology sector, with affordable internet and active efforts to mainstream digital rights. The 2020 eGovernment Survey, which measures eGovernment developments and performance, ranked Somalia 191st globally out of 193 countries. In line with the objectives of Somalia’s ICT Policy and Strategy 2019-2024, ADRF grantee Bareedo Platform engaged the public, local government authorities, the media, academia and civil society organisations on digital transformation.
Bareedo initiated awareness campaigns on eGovernment and how its adoption at local government levels can transform and facilitate more accessible public services, allow greater public access to information, and promote duty bearer-citizen interactions. The campaigns were coupled with roundtables in Garowe and Mogadishu on digitalisation for service delivery. In Garowe, the capital of semi-autonomous Puntland, it emerged that local authorities had spearheaded digitalisation programmes in taxation, land and property registration, as well as public consultations and public expenditure.
In Somalia’s capital Mogadishu, the move to online services was seen as an opportunity to overcome some of the challenges linked to terrorism in the city. For instance, a 2019 terrorist attack at the Mogadishu local government building disrupted service delivery to residents. The two local government authorities committed to advancing digitalisation and enabling ICT policies, and identified registration of births, applications for business permits and revenue collection as the priority services for digitalisation. Digital illiteracy and the lack of harmonisation in platform roll-out were highlighted as the key barriers to increased adoption of the various online service offerings.
In neighbouring Kenya, despite the existence of a Digital Economy Blueprint whose vision is a “digitally empowered citizenry living in a digitally enabled society”, the country introduced an inhibitive digital taxation regime in 2020. With support from the ADRF, Mzalendo Trust worked to highlight the opportunities and challenges faced in Kenya’s digital economy. In a policy brief on the Digital and Data Policies for Promoting a Secure and Inclusive Digital Economy in Kenya, Mzalendo Trust documented the exclusion of women and youth from Kenya’s digital economy due to cultural biases, mobility restrictions, security risks and time limitations, among other factors. On the other hand, the digital economy was found to present new opportunities for women and youth, opening up external and internal digital markets to serve small and medium enterprises.
Based on the findings of the policy brief, Mzalendo Trust convened two stakeholder forums bringing together innovators, private sector associations, civil society organisations, economic think-tanks, state agencies and policy makers to deliberate on inclusion in the digital economy and the need for supportive policy frameworks.
Mzalendo Trust’s digital economy work echoes that of CUTs International Kenya, which, with support from ADRF worked to raise the visibility of consumer protection in the digital financial sector through op-eds and a policy brief, alongside stakeholder engagements with digital financial services stakeholders including the Capital Markets Authority (CMA), Retirement Benefits Authority (RBA), Financial Sector Deepening (FSD), Kenya Bankers Association (KBA), FinTech Association of Kenya (FAK) and Competition Authority of Kenya (CAK).
Meanwhile, building on the foundations of its civic engagement and data journalism efforts, ADISI-Camero promoted data journalism, social accountability and citizen-duty bearer engagement beyond Cameroon’s economic capital Douala. The initiative built the capacity of youth leaders in digital advocacy, public policy participation, and access to information. A Memorandum of Understanding signed with Deseka Municipality supported the evaluation and redesign of http://www.communedeseka.org to promote transparency and accountability.
The success of the ADISI-Cameroon-Deseka Municipality model saw other municipalities – Dschang, d’Edéa 1er and Loum – express interest in forging partnerships to promote citizen-duty bearer engagement. According to ADISI-Cameroon’s Executive Secretary Paul-Joel Kamtchang, “the extension of this [Eseka] model to other municipalities in the country would allow us to constitute a “Hub of Open Councils”.
Recommendations emerging from the various ADRF grantee interventions include operationalisation of supporting frameworks such as for cyber security, data protection and privacy; increased participation of minority and marginalised groups in the design of initiatives; multi-stakeholder collaboration; harmonisation of national and local government plans; and digital literacy skills building.
Launched in April 2019, the ADRF supports advocacy, skills development, and movement building to effectively influence policy and practice for digital rights protection in Africa by offering flexible and rapid response grants. As at August 2021, ADRF had supported 45 initiatives with a total sum of USD 564,000.
Past grantee efforts have included studying the role of technology in human trafficking, promoting data protection in digital financial services, digital rights coalition building, confronting online abuse against women, capacity development in digital literacy and security for refugees and pushing back agaisnt barriers to digital accessibility for persons with disabilities.