Digitalization in Africa Raises Privacy Concerns

 A report by CIPESA (Collaboration on International ICT Policy for East and Southern Africa) highlighting the policies and legal frameworks on data privacy and protection of 23 African countries warns that African privacy is imperiled. 

A report by CIPESA (Collaboration on International ICT Policy for East and Southern Africa) highlighting the policies and legal frameworks on data privacy and protection of 23 African countries warns that African privacy is imperiled.    

Digital identifications and security cameras being utilized in many parts of Africa often collect sensitive information including biometric data without proper safeguarding mechanisms in place. Identifications issue unique numbers that are used for different services like telecommunication (mandatory SIM card registration/mobile devices that use SIM cards), driving license, electronic authentication, voter registration, targeted food distribution (in South Sudan), and banking.

The right to privacy in Africa suffers from the absence of specific provisions on human rights at regional level, delay in ratification of regional conventions, protection laws that don’t comply with international standards, lack of proper implementation, and laws and regulations enabling authorized surveillance. This allows governments to abuse the digital information of citizens with the notion of legal enforcement, national defence, public security, and political control. 

Surveillance is regularly undertaken by government authorities in several African countries. For instance, the Gabonese Presidency has had a communication interception center for decades that was accused of electoral manipulation. Guinea Conakry and Ivory Coast require prior identification of persons using cybercafé services, limiting access to information and freedom of expression. Telecommunication services and online content is under surveillance in Mauritius.   

In counties that undertake surveillance when required for the due process of law, authorities who can do surveillance are often vaguely defined and their activity is not overseen by judicial powers.  For instance, in Angola, “surveillance must be done in coordination with the DPA which must submit an annual report on its overall activities to the National Assembly. However, this has not happened since the Authority’s establishment in 2016.” 

Regarding data localization, most countries allow the transfer of personal data beyond borders if the recipient county has similar or a higher level of data protection. A country that has a properly established list of countries safe for data transfer is in Morocco:

“The National Commission for the Protection of Personal Data (CNDP) establishes the list of counties that offer a sufficient level of protection and complies with the requirements of Moroccan legislation relating to processing of personal data. In its Decision No. 236-2015 of 2015, the CNDP listed 32 countries considered to satisfy these requirements. No African country was included on the list.”

Transfer of personal data beyond borders to a country that doesn’t properly safeguard it is made possible if the data is not massive, consented by the data subject, necessary for the execution of contract, or is in the public interest. When there are no clear regulations, banks are usually allowed to transfer personal data of users to their branches overseas. 

The report fails to indicate the state of data privacy framework in Ethiopia. Ethiopia is some of the countries in Africa that don’t have a comprehensive data protection law. Its first data protection law has been in the making since 2020. The draft law has been criticized for failing to establish an independent organization that will be tasked with overseeing data protection regulations. 

In closing, the report highlights its recommendation for government, private sector actors and civil society organizations. 

  • Government should Swiftly enact data protection laws
  • Civil society organizations should continuously monitor and document privacy rights violations through evidence-based research, and report to the African Commission on Human and Peoples Rights and other human rights monitoring mechanisms and Participate in law making processes by conducting analysis of proposed laws on surveillance, data protection, privacy, and encryption to identify the gaps and make proposals for reform before they are enacted into law
  •   Private sector players should Develop, publish and strictly implement internal privacy and data protection policies and best practices and develop technologies and solutions and use privacy-enhancing technologies

Read the full report here.  

Leave a Reply

Your email address will not be published. Required fields are marked *