People like to say that data is the new gold, or the new oil, and we hear this phrase more and more as societies undergo increasing digitisation. But looking at personal data as nothing more than an economic and development enabler is putting people’s data, privacy, and in some cases, even their lives at risk. It’s of paramount importance to ensure data protection regimes are robust and keep people safe. In Access Now’s new policy brief, Strengthening data protection In Africa: key issues for implementation, we examine data protection frameworks across the region, offering case studies to show how they can be strengthened.
African countries are taking leadership on data protection. Over the past 10 years, we have seen 35 countries enact modern data protection laws in Africa, beginning with Cabo Verde in 2001. In addition, the Malabo convention recently came into force, which makes passing or strengthening data protection laws a top priority, and marks a new age for data protection in Africa. Since many of the laws on the books are relatively young, and others are under development, lawmakers have the opportunity now to shape them in ways that reinforce, rather than undermine, human rights.
As we explore in our brief, one of the biggest concerns we have with the way many regional data protection laws are constructed is the inclusion of broad or dangerous exemption clauses. When lawmakers introduce exemptions for national security or public interest purposes, it is vitally important to build in safeguards to ensure they cannot be exploited for corrupt purposes or arbitrarily applied. Otherwise, we will see human rights defenders, dissidents, journalists, and others become targets for improper surveillance and other forms of abuse. This type of abuse is a threat to our democracies.
Another key issue as Africa moves to digitise and automate public services is ensuring that governments, and the companies they work with, collect only the data necessary to make these programmes work, use it for only the stated purpose, and make sure it does not fall into the wrong hands, in line with the data protection principles of minimisation, fairness, and integrity. In addition, it’s important that lawmakers do not see data protection laws as a replacement for privacy protections, but instead as a complementary regime designed to mitigate the specific risks associated with mass data collection and processing — an issue Access Now highlighted in our 2023 amicus brief filing in a court case on the digital ID programme in Uganda.
Of course, lawmakers across the region can learn from governments that are successfully implementing aspects of their data protection regimes. In our brief, we discuss how Kenya’s Office of the Data Privacy Commissioner has helped protect people who use digital lending and financial platforms, for example, while also acknowledging that in many African countries, more needs to be done ensure data protection authorities (DPAs) are structurally independent — especially when there are other government agencies that breach data or skirt data protection regulations.
Finally, we highlight how the transparency and accountability measures in some data protection regimes have the potential — albeit limited — for mitigating risks associated with the use of automated decision-making systems, or ADMs.
To learn more about use cases and the opportunities African policymakers have to centre human rights in data protection regimes, read the full report.