This piece was originally published by APC member CIPESA.
In an increasingly digitised world, safeguarding data rights has become central to protecting individuals’ rights to access and share information, express themselves, and associate using the internet and related platforms.
Advances in technology, alongside growth in mobile subscriptions and increased use of smartphones have pushed individuals online to shop, interact, share and search for information, learn, and work, alongside digitalisation of more sectors of economies and public services. As a result, there is increased collection, processing and sharing of personal data. With many users of Information and Communications Technology (ICT) not aware of the implications of their use of digital technologies and how their rights are compromised, the potential for the data to be manipulated and abused by individuals, private companies and governments is ever-present.
At the end of 2019, 477 million people in Sub-Saharan Africa were subscribed to mobile services, accounting for 45% of the region’s population. According to the GSMA, the group that represents the interests of mobile operators worldwide, smartphone adoption continues to rise rapidly in the region, reaching 50% of total connections in 2020. Meanwhile, as of 2019, there were 469 million registered mobile money accounts in Sub-Saharan Africa, a figure that was expected to reach half a billion in 2020.
From the provision of e-services, to digital identity (or digital ID), voters registration, drivers’ license applications and issuance, through to mobile phone SIM card registration, public and private service bodies including immigration authorities, law and security enforcement, health service providers, telecom operators, and digital financial service providers are among the big collectors and processors of personal data in Africa. Increasingly, the nature of personal data being collected is expanding, to include biometric data such as facial images or fingerprints.
What is personal data?
Personal data refers to information that relates to an identified or identifiable natural person by which that person can be identified, “in particular by reference to an identification or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.”
Upholding individuals’ data rights implies their personal data must be kept private and should not be known, stored, or used by unauthorised parties. Upholding data rights is then a central pillar of the long-recognised right to privacy, which national laws and international human rights frameworks such as the international bill of rights guarantee. Notably, the right to privacy is pivotal in a democratic society as it is both an enabler and reliant on the enjoyment of other rights, such as freedom of expression, information and association.
"As businesses, governments, and civil society organisations seek to maximise value of increased data flows, the dangers of cyberthreats, cybercrimes, surveillance, and general data misuse pose threats that require national, regional, and international action to address. At the same time, excessive restrictions on the flow of data between countries can undermine regional economic benefits if no best practices are adopted on how data should flow, be stored, protected, and disposed." – Building an Enabling Environment for Inclusive Digital Transformation in Africa
Poor or missing legal protections for personal data, abuse of existing laws by state agencies including security agencies and by private companies, and poor digital security practices by citizens, are exacerbating the erosion of many African citizens’ data rights. With increased data collection has come increased state surveillance and data privacy breaches. Worryingly, many African states are increasingly using data to undermine citizens’ digital freedoms, such as by conducting real-time monitoring, surveillance of citizens’ social media and intercepting telephone communications. In some instances, this has led to arbitrary arrests and prosecutions of individuals.
Moreover, telecoms and internet service providers are required by law to comply with user information requests or requests for assistance from the government, including the common requirement to install software to facilitate the state’s conduct of surveillance and monitoring of citizens’ communications. Many governments are indeed accessing subscribers’ data from telecom companies with limited oversight and hardly any transparency. Even where service providers feel constrained about regulator directives, they are often overcome by the need to continue operations and agree to restrict data rights.
In such countries, digital rights are under threat and, resultantly, citizens are losing the appetite to participate in public affairs, and they often practice self-censorship in their engagements over digital platforms. This undermines the philosophy of a free and open internet that drives innovation, enables the enjoyment of rights and improvement of livelihoods.
In many countries, the digital rights situation worsened during the Covid-19 pandemic, as governments suspended respect for several rights, collected lots of private data and conducted surveillance without sufficient oversight, safeguards, or transparency.
The State of Internet Freedom in Africa 2020 Report found that the fight against Covid-19 has had a fundamental impact on digital rights and freedoms including freedom of expression, access to information, privacy, assembly and association. It has also undermined civic participation and, in many countries, deepened the democracy deficit.
"In responding to the Covid-19 pandemic, countries across the continent adopted a series of Covid-19 regulations and practices, including deploying surveillance technologies and untested applications, to enable them conduct lawful collection and processing of personal data for purposes of tracing, contacting, isolating and treating those found to be positive or their contacts. These measures were quickly adopted and the collection of personal information continues, and in some cases without adequate regulation or oversight." – State of Internet Freedom in Africa 2020: Resetting Digital Rights Amidst the Covid-19 Fallout
In several African countries, there are inadequate safeguards and limited oversight to guard against potential violations of digital rights arising out of the implementation of laws, regulations, systems, and practices imposed to fight Covid-19. According to the United Nations, the use of emergency powers and tools of surveillance technology to track the spread of Covid-19 must be non-intrusive, limited in time and purpose and abide to the strictest protections and international human rights standards governing privacy and personal data.
Concerns over data handling during the fight against Covid-19 and how that harmed digital rights informed the formation of the #RestoreDataRights movement, that is promoted by a group of African and international civil society, academic and philanthropic partners. Launched at the end of 2020, it is premised on the conviction that our fundamental human rights – including those exercised in cyberspace and over our personal and sensitive data – should be respected and upheld during and after the Covid-19 public health emergency. Furthermore, decision-making processes around how sensitive data are collected, shared and used to tackle the Covid-19 pandemic in Africa should be transparent, inclusive and accountable.
There has also been a proliferation of retrogressive laws, procedures and practices such as the systematic criminalisation of online communication and dissent, the arbitrary arrest, illegal detention, flawed prosecution and excessive punishment of government critics. On a continent where digital authoritarianism is rising, the legitimisation of surveillance, censorship, and breaches in the rule of law during the coronavirus crisis could create a new normal that erodes internet freedom for years to come.
There is therefore a need to have strong data protection laws; to educate citizens to protect their data and to demand their digital rights; and to have strong, well-resourced and independent data protection authorities. It is also crucial to establish clear and well-publicised complaint mechanisms in cases of data privacy breaches. Meanwhile, private companies should institute stringent measures to protect data privacy and integrate ‘privacy by design’ in any applications they develop, partner with civic actors and public officials to promote digital rights, and be transparent about their data handling practices.
These measures would enable accountable data governance that respects citizens’ data rights and advances wider internet freedoms in Africa. Further, they would enable robust protection of digital rights and data rights, while providing scope for data openness that enables harnessing of data to serve the legitimate public interest.