Trends

Home  /  Trends

Introduction

Statistics indicate there has been a significant increase in internet penetration in Africa.  This has made the free flow of information between individuals and public and private entities easier. It offers anyone with an internet connection the ability to gather and share information, including personal information. However, recent incidents indicate that the lack of adequate regulations for the collection and processing of personal information can have significant ramifications. These incidents have been a catalyst for the significant changes that the data protection landscape in Africa is currently undergoing.

Current trends indicate that increasingly African countries are enacting comprehensive data privacy laws and establishing fully functioning data protection authorities.  This is in response to the growing need for states to protect people’s data by providing individuals with rights over their data, imposing rules regarding how companies and governments use data, and establishing regulators to enforce these laws. We detail below some of these emergent trends.

New data protection legislation

Kenya and the Togolese Republic are the latest to join the list of African countries to enact data protection laws.

  • Kenya: The Kenyan Data Protection Act was signed into law in November 2019. It is the first legislation of its nature in Kenya; setting out the regulatory framework for data protection and the guidelines on how personally identifiable data can be used, stored or shared. It further establishes the office of the Data Protection Commissioner, which has enforcement powers and may investigate complains about regulatory violations.
  • Togolese Republic: Togo passed its data protection legislation (Law No. 2019-014) in October 2019. The law regulates the collection, processing, transmission, storage and use of personal data. It applies to natural persons, the state, local authorities, legal entities governed by public or private laws, as well as automated or non-automated processing of data carried out in the territory of Togo or any jurisdiction where Togolese law applies. The law establishes the Personal Data Protection Authority, an independent administrative authority responsible for ensuring that the processing of personal is carried out in compliance with the law.
  • Egypt: Egypt’s House of Representatives is reported to have approved the country’s first legislation providing legal protection for online personal data. It reportedly aims to keep pace with current international standards for the protection of personal information. This law is modelled on European privacy law and will take effect three months after its publication. It prohibits the collection, processing or distribution of personal data without permission except in specific cases. It was approved on 24 February 2020. (We are awaiting further information.)

Proposed data protection legislation

Although some countries have established fully functioning data protection regimes, others like Zimbabwe and Namibia are still in the process of drafting data protection legislation.

  • Zimbabwe: The Draft Data Protection Bill has been under consideration by the cabinet since 2015. It aims to govern the processing of personal information by both private and public bodies. If it is passed, the law will aim to prevent unauthorised use, collection, transmission, processing and storage of data of identifiable persons. It will further establish the Data Protection Authority which will have the mandate to regulate data protection in Zimbabwe.
  • Namibia: The Ministry of Information and Communication Technology is reportedly finalising a draft Data Protection Bill that will be published in 2020. The bill is expected to protect citizens from abuse of their personal information, and to harmonise Namibia’s data protection policy and legal framework with regional and international standards to promote the free flow of personal data under conditions of assurance and trust.

Enforcement

Although several countries have enacted data protection legislation, such legislation is only enforceable in limited instances. In South Africa, the Protection of Personal Information Act was passed in 2013 and the Information Regulator, which is the data protection authority in terms of the Act, was established in 2016. However, seven years later the substantive provisions of the Act are still not in force. Other countries where there is a lack of enforcement of data protection legislation include Botswana, Uganda, Lesotho and Angola, among others.

Threats to Data Privacy

The advent of the digital age has brought about increasingly powerful technologies that pose unprecedented threats to the right to privacy. Trends indicate that there is an increase in the use of sophisticated surveillance technologies in countries such as Kenya. In South Africa, the right to privacy is confronted by the exercise of surveillance powers without adequate safeguards. Other threats to the right to privacy include the use of biometric technologies, without proper safeguards in place to protect people’s rights to privacy; and internet shutdowns that are currently prevalent in Africa.

Surveillance

  • Kenya: The Kenyan government sanctioned the installation and operation of 1800 CCTV cameras in Nairobi. Framed within the government’s strategies to combat terrorism, the cameras have facial and motor vehicle number plate recognition capabilities. Although the government maintains that the goal of the project is to enable law enforcement to identify terrorists, the unregulated use of facial recognition technology presents an unprecedented threat to the right to privacy. This is exacerbated by the lack of a comprehensive regulatory framework for the installation and operation of CCTV cameras and guidelines as to the use, treatment, processing, use and storage of the data collected by the cameras.
  • South Africa: A case that challenges the broad surveillance of communications recently came before the courts in South Africa. In September 2019, the High Court in Pretoria ruled in favour of the applicants and held that that bulk interception of information by the South African National Communications Centre is unlawful and invalid. The High court also held that certain sections of the Regulation of Interception of Communications and Provisions of Communications and Related Information Act (RICA) are unconstitutional because they allow surveillance to be conducted without sufficient oversight. This case is currently before the Constitutional Court for confirmation of the findings by the High Court.

Biometrics

Biometrics refers to the data generated from the physiological and behavioural characteristics of humans that may be used to track and profile people across their lives. The use of biometrics is a threat to the right to privacy because its adoption, in many African countries, is rarely preceded by the adoption and implementation of any regulatory framework. Nonetheless, the use of biometric technology is an area that has attracted a lot of interest and many countries have adopted the use of biometric technology for various purposes. Recent examples include the use of biometrics to roll out pension payments in Zambia and perhaps the most noteworthy example is the establishment of the Kenya National Integrated Identity Management Scheme (NIIMS), a biometric database that is aimed at giving every person in Kenya a unique “Huduma Namba” for accessing services.

  • Kenya: A Kenyan court recently handed down judgement in a matter regarding the implementation of NIIMS and the privacy concerns surrounding the project. The court highlighted the absence of clear safeguards anchored in legislation to govern the implementation of the project and, as a result, held that the implementation of the project cannot proceed until there is an appropriate and comprehensive regulatory framework governing its implementation. This judgement has significant implications for Kenya and many African countries in that it adds to the growing body of cases around the world that deals with challenges that are posed by the use of biometric technology.

Internet shutdowns

Trends indicate that there has been an increase in the number of internet shutdowns in Africa. Recent reports indicate that internet shutdowns in Africa grew by 47% in 2019. There were 25 reported incidents of internet shutdowns in 2019, with the number of countries that shutdown the internet increasing from 10 countries in 2018 to 14 countries in 2019. Of the 14 countries, at least seven shutdown the internet for the first time in 2019. This is particularly alarming because growth in the number of countrywide internet shutdowns indicates that the shutdowns are not only increasing in numbers, but they are also expanding in scope and thereby affecting more and more people.

There has been a significant increase in the implementation of data-intensive technologies in Africa. Trends in the data protection landscape in Africa indicate an alarming increase in the implementation of such technologies without proper regulatory frameworks to ensure that the right to privacy is protected from any possible threats and to ensure that the people’s data is protected. This is evidenced by the number of African countries in which these technologies are not preceded by proper frameworks that outline appropriate and human-rights compliant guidelines for the use of such technologies and impact assessments to evaluate the risk that these technologies pose to fundamental human rights.

As privacy awareness grows, so do threats. We will do well to continue to advocate for stronger and enforceable data protection laws in Africa and the full realisation of the right to privacy.

Compiled by Tshepiso Hadebe

The Constitutional Court | Courtesy of Michael Power