AfDec takes data protection to the regional internet governance forum

In Africa, the need for robust data protection regulations has been exacerbated by the COVID-19 pandemic. As the pandemic continues to move most human interaction online, efforts to mitigate the risks and effects of the Covid-19 virus have involved the use of digital technologies to manage large data sets of personal information. At this year’s Africa Internet Governance Forum (AfIGF), the African Declaration on Internet Rights and Freedom (AfDec) coalition hosted a session titled Key issues in data protection policy making and implementation, that explored key data protection policy making and implementation issues on the continent.

In the session, panellists underlined cybersecurity and personal data protection as a crucial cross-cutting theme for Africa digital and economic transformation by referring to key recommendations in Africa’s Digital Transformation Strategy. This included the need for the evelopment and implementation of data protection and privacy policy and regulation in line with the Malabo Convention, strengthening of collaboration between African Institutions and regulators in charge of digitalization and the protection of personal data and the need to provide e-services hosted by African countries. The Digital Transformation Strategy was a central focus at this years AfIGF.

Human rights-based approach to data protection

As part of its efforts to influence regional internet-related policy processes that respect human rights online, the AfDec Coalition has over the last quarter undertaken a process to develop a Privacy and personal data protection in Africa Advocacy Toolkit. Development of the toolkit has been led by two of the Coalitions members, the Centre for Human Rights, University of Pretoria and Alt Advisory, both of whom have engaged in data protection issues throughout 2020. Lead consultant on the project, Hlengiwe Dube from the Centre for Human rights, in her outline of the project emphasised the need for the setting of standards for data protection and privacy on the continent with emphasis on a human rights-based approach to data protection in Africa.

“The toolkit will be a useful resource for a range of stakeholders including civil society actors, legal practitioners, policy makers and human rights practitioners. It will ensure greater appreciation of the rights of data subjects by duty bearers and data collectors as they process and citizens personal data,” she said.

Gender, AI and data protection

Mozilla Tech Fellow and gender researcher, Chenai Chair, highlighted the links between on artificial intelligence (AI), gender and the right to privacy. She noted that while African states were under pressure to enact data protection laws that comply with international human rights standards, there was need to take heed of the context in which the laws are being implemented. She emphasised that African societies are heavily characterised by digital inequalities, which have in the recent years with the emergence of AI, increased the vulnerability of gender and sexual minorities.

“Daily AI aggregates data and algorithms which detects social identifiers or markers, which if no measures are put in place, put marginal groups at greater risk. In that respect, locating inequalities at the intersection of race, gender, religion, and sexuality is an important aspect of data protection policy formulation, and in the adoption of technologies in African states.”

The two panellists agreed that a gendered and human rights-based approach to data protection in Africa can be achieved if states employ a holistic approach in both the formulation and implementation of policy. This would include identification and training of all key data protection role players, breaking down existing data governance silos that have confined data protection to mainstream information, communication and technology institutions and collaboration between a wider range of sectors including technologists, government, human rights defenders and business. Oversight bodies were noted as an integral stakeholder in the monitoring and evaluation of the policies.

Business data protection trends

In her presentation on data protection concerns for African business, Telco Pvt Ltd Business Development Director, Dumisani Nkala underlined the need for data protection advocates to appreciate the categories that business in Africa takes. She said that understanding the characteristics of African business would assist stakeholders to understand business response’ in data protection and privacy policy making and implementation processes.

“African businesses are not homogenous. We have the informal sector which makes up to 80 percent of the businesses on the continent, public enterprises, small to medium enterprises, and large enterprises. Each of these should be viewed and targeted differently,” she said.

She noted that even though there is a tacit acknowledgement of the importance of data protection and privacy across the business sector on continent, the attitude was overall ‘casual’. This, she attributed to the failure by the sector to recognise and assume responsibility as a gatekeeper of personal data. A situation, worsened by a lack of control of data stores, limited capacity to interface with international market and weak national and regional oversight institutions and mechanisms to ensure compliance. Dumisani said, it was also important to note that the cost of compliance with data protection regulation, the world over, is high and ideally institutional assistance for especially smaller businesses was necessary.

Regulatory realities

Chairperson of the South African Information Regulator, Advocate Pansy Tlakula, shared experiences of regulating data protection policy. She emphasised that the importance of the independence of the regulatory body at both normative and functional levels.

“The appointment process of members of the regulator plays a huge role in determining citizens levels of trust in the authority; and the extent to which it can effectively carry out its mandate to promote, protect and enforce both the right to privacy and access to information,” she said.

She explained that at a a normative level, the methods of appointment of a data protection authority must be open and transparent, and in South Africa this was done via a nomination and open commentary process from the public. The role of the information regulator is to protect, promote and enforce two rights - the right to privacy and the right that relates to the protection of personal information and access to information. To ensure the independence of data protection authorities, the data protection authority should not report to parliament, but to the national assembly, and it is important that they have a broad and open ended mandate to carry out their duties. The data protection authority must also have the power to compel persons to appear before it, must be able to investigate complaints,  and have effective enforcement powers. Further, they must be able to make binding decisions which should only be reversed by a court of law.

Advocate Tlakula noted the importance of public awareness and emphasised the need for mainstream civil society and other data protection activists needed to increase awareness raising initiatives among ordinary citizens. She highlighted that in the case of South Africa, the regulator had dealt with about 35 breaches since the beginning of the year, and that problematic sectors include Mobile Network Operators, the direct marketing sector, the financial sector and gated communities.

 

Watch video of the session