Abuja, Nigeria
This month, the European Union is introducing a landmark privacy law, the General Data Protection Regulation (GDPR), which will reshape how technology companies store, process, and profit from users’ personal information. It will also enshrine the “right to be forgotten,” and give consumers the power to withdraw their data and give it to another organization.
Across Africa, where many nations either don’t have or don’t enforce comprehensive data safety laws, there are legitimate concerns about how consumers should and could be protected. Africa has the lowest internet penetration rates globally, but improved digital infrastructure, increased smartphone uptake, and the proliferation of innovation spaces have made the internet a rapidly transformative tool.
The question of how to strengthen online privacy rights comes at a time when African governments and activists are clashing over issues including information censorship, surveillance, data retention, interception, and internet shutdowns. The current uproar over digital privacy has also been amplified following recent revelations that data mining company Cambridge Analytica harvested millions of Facebook profiles and worked to fix elections in Kenya and Nigeria.
As the internet boosts employment opportunities in Africa, especially through e-commerce, there are also concerns about how laws like the GDPR will affect the cross-border transfer of personal data, particularly among multinationals with a global footprint.
Patchwork of laws
The biggest weakness in preventing the fraudulent use of data in Africa is the lack of a blanket regulatory framework beyond piecemeal efforts by governments to implement their own policies. Currently, only 23 out of 55 nations have passed or drafted personal privacy laws, and only nine of them have data protection authorities, says Ephraim Kenyanito, a program officer with digital rights advocacy group Article 19 in Nairobi. “Africa is really vulnerable to data breaches, and the lack of robust laws could have devastating implications,” Kenyanito says.
Progressive laws like the African Union’s convention on cybersecurity and personal data have not taken off either, with only 10 nations signing it since it was adopted in 2014. And unlike the GDPR, the AU law is not automatically enforceable and can only potentially be transposed into specific country legislation. These drawbacks negatively impact users’ privileges online, giving companies the leeway to abuse them without consequence.
For instance, internet companies and telcos are currently facing tough questions over whether they are on the side of government or consumers when it comes to data protection. A recent study of Orange and Vodafone subsidiaries by the Internet Sans Frontières (ISF) advocacy group shows they granted Africans fewer digital rights than their European subscribers.
This was evident with both Orange in Senegal and Safaricom (a Vodafone subsidiary) in Kenya. Neither published the terms of use for their prepaid services, and both provided few details on the nature of the data they collected, the third parties who had access to it, and the security measures they implemented to protect that data. And even though the companies have rebuffed the allegations, that doesn’t mask fears over government efforts to snoop on the public.
Bad data management
Even in cases when laws are passed to make governance systems more efficient, failing to take privacy implications into account could have severe consequences. Ahead of its tense 2017 elections, Kenya amended its electoral laws to introduce biometrics in order to instill trust in the voting system.
But a joint Strathmore University and Privacy International report shows there was no framework to protect the alphanumeric data in the voter register, and that a redacted version was even available for sale under the Access to Information (ATI) law. And even though the electoral commission made efforts to redact the information available as required under the ATI regime, voters who hadn’t subscribed to political texts received unsolicited messages from politicians through their mobile phone numbers. The messages sent to the respondents frequently contained information identifying their names, addresses, and polling stations.
Such practices exemplify the ethical and practical challenges of new technologies, and how micro-targeting, consumer profiling, and data caching can be abused. Arthur Gwagwa, a senior research fellow with the Center for Intellectual Property and Information Technology Law (CIPIT) at Kenya’s Strathmore University, says that in the era of big data and artificial intelligence, there’s a need to synthesize privacy concerns with existing technologies.
“Africa has always been lagging when it comes to innovating around and addressing privacy issues,” Gwagwa says. But the continent, he adds, can’t afford that now, given states’ ability to surveil and censor data traffic for self-serving purposes. “We need data laws that reflect the African reality.”
Kenyanito says educating consumers on the existing laws and their rights is the first step to addressing the data privacy challenges online. In return, users, he says, would be able to hold companies and governments accountable, stand in solidarity with others whose rights are infringed on, and use platforms judiciously while giving minimum information to third-party sources.
As GDPR comes into force in late May, the debate over information safety will take center stage too. Julie Owono, the executive director of ISF, says this is the right time to take online advocacy offline and to connect with both high-level government officials and ordinary users.
“It’s now we are building the internet of tomorrow that we want to see in our continent,” she said.