In assessing the various laws and policies, CIPESA’s new report – Privacy Imperilled: Analysis of Surveillance, Encryption and Data Localisation Laws in Africa – referenced the recently revised Declaration of Principles of Freedom of Expression and Access to Information in Africa (the Declaration) of the African Commission on Human and Peoples’ Rights (ACHPR). The Declaration sets common benchmarks by expounding on the obligations of Member States with respect to article 9 of the African Charter which African countries should comply with to protect and promote citizens’ digital rights.
Using a recognised and standardised continental Declaration as the frame for the analysis makes the results relevant to litigation and advocacy and also enhances the possibilities for further research and documentation. In particular, principles 37 to 42 of the Declaration were identified as the principal lens of analysis. These principles focus on the rights to freedom of expression and access to information in the internet age, with principles 40 to 42 dealing with the right to privacy specifically.
The research employed a qualitative approach and specific interest was in provisions on surveillance, data localisation, biometric databases, and limitations on encryption. The study covers 23 countries – Algeria, Angola, Benin, Burkina Faso, Burundi, Cape Verde, the Central African Republic (CAR), Congo Brazzaville, the Democratic Republic of Congo (DRC), Gabon, Guinea Conakry, Ivory Coast, Lesotho, Liberia, Madagascar, Mauritius, Morocco, Niger, Sao Tome & Principe, Sierra Leone, South Sudan, Sudan, and Togo.
Biometric Data Collection in 23 African Countries
In all the countries studied there has been mass collection of data amidst lack of adequate data protection safeguards, both legal and practical. The common grounds for data collection include registration of persons for purposes of issuing national identity cards, drivers’ licenses and passports, as well as SIM card registration. Thus, there has been massive collection, storage and processing of personal data in some instances without proper oversight mechanisms and provision for remedies in case of data breaches.
Most of the countries studied fall short of prescribed safeguards under international human rights law and there are insufficient checks and balances on collection, processing, and access to personal data. It can thus be deduced that a number of countries studied fail to comply with Principle 40 of the Declaration, which recognises everyone’s right to privacy, including the confidentiality of their communications and the protection of their personal information.
Equally, several countries also fail to meet the expectations of Principle 42 of the Declaration, which enjoins states to adopt laws to protect the personal information of individuals in accordance with international human rights law and standards. Some of the laws in place have flaws, while others are partially implemented, thereby undermining their effectiveness. Principle 42 requires that these laws should provide effective remedies and adequate oversight for the protection of personal information. In numerous countries, the element of adequate oversight is hugely lacking.
Governments Collect Data Without Safeguards
Indeed, consistent with previous research, the present study found that government agencies in most countries are collecting and processing personal data without adequate data protection laws, amidst limited oversight mechanisms and inadequate remedies; and while many have in the recent past passed data protection laws and policies, implementation is not effective, and the safeguards are not water-tight as required under international human rights law.
Mandatory SIM card registration is a common denominator around the continent, and the SIM registration data is linked in many countries to other databases and services provision. The SIM card registration requires a national ID or passport or driving licence in such countries as Algeria, Angola, Burundi, Gabon, Guinea Conakry, Ivory Coast, Liberia, Niger, Sao Tome, Sierra, and Togo.
Among the attendant worries is that the threshold for access to information in the SIM card databases is low in some countries, with the regulatory authority often having the powers to direct telecom operators to hand over such data. Similarly worrying is the ease of access to this data by security agencies, particularly in instances where there is no robust judicial oversight. This goes against best principles that would require judicial authorisation for access to such sensitive data.
Data Protection Laws Are Inadequate
The continent has in recent years seen countries enact data protection laws including in Kenya, Gabon, Uganda, Lesotho, Mauritius, Morocco, Niger, Sao Tome, Togo, Algeria, Congo Brazzaville and Ivory Coast. However, some of these laws fall short of minimum standards for the guarantee of the right to privacy. Indeed, the respective countries have other pieces of legislation which facilitate access to personal data by the state and its agencies, such as security entities, in the name of keeping national security and maintaining law and order and the general public good.
For instance, in Algeria, under article 18 of the Law No. 18-07 of 2018 on protection of personal data, sensitive personal data may be processed in public interest. The country started issuing biometric passports in 2012 and in 2017, a national biometric electronic identity card was established, and then in 2019 the country embarked on converting driving licences to biometric format. Morocco similarly has a biometric ID, e-passport, and voters registration system, while in Algeria there is an electronic biometric passport, national ID, and biometric card for justice sector professionals.
Mass Data Collection is a Threat to Privacy
Mass data collection and storage is a major threat to individual privacy since data subjects have limited control over their data and given the poor data protection practices. Indeed, in most cases state agencies are given an upper hand of control over access to personal data, as well as surveillance and interception of communications, as opposed to placing complete oversight in the judiciary. For instance, under article 14 of Ivory’s Coast 2017 decree on SIM card registration, subscriber data can only be accessed by third parties in the event of an investigation or judicial process, upon written request from the competent judicial authority, and by agents appointed by the regulator, ARTCI.
A lightly edited finding from CIPESA’s new report – Privacy Imperilled: Analysis of Surveillance, Encryption and Data Localisation Laws in Africa
Sorry, the comment form is closed at this time.