The Internet Society and the African Union Commission (AUC) today launched the Personal Data Protection Guidelines for Africa (“the Guidelines”) at the Africa Internet Summit in Dakar, Senegal. Grounded on principles of privacy, trust and responsible use, the Guidelines introduced another step in securing the African Internet infrastructure and emphasized the notion that good data protection strengthens trust in online services and contributes to sustainable growth of the digital economy. This timely development follows a recent massive privacy breach at Facebook and the much talked about Cambridge Analytica saga which mishandled the data of millions of Facebook users, including many on the African continent.
Speaking at the launch event, the Director for Africa Regional Bureau, Dawit Bekele, applauded Senegal for becoming the first country in Africa to show leadership and commitment towards building a solid information society. “Africa – indeed like the rest of the world – considers personal data protection as key in securing the Internet infrastructure and Senegal has shown us the way by being the first African country to ratify the Malabo Convention.”
The African digital economy is continuing to grow, with the potential to reach $300 billion or 10% of GDP of the African economy by 2025. While digital technologies expand the possibilities for people to enjoy freedoms of expression and the right to access information, some state and non-state actors are moving to curtail what individuals may do online, thus inhibiting the right to privacy and undermining the potential of ICT to contribute to the enjoyment of citizens’ digital rights. Currently, an estimated 25.1% of African individuals use the Internet as of 2017, a small fraction compared to the “developed world” (81%). However, Internet access in Africa is increasing rapidly with sustained double-digit growth over the last 10 years. (Growth has fluctuated between 15%-50% over the last 10 years. Slowing down between 2010 and 2015, and speeding up between 2015-2016. Global Internet Report and ITU Facts & Figures, pages 32-33.)
Within the African privacy and data protection landscape, only 17 of the 55 countries have enacted comprehensive personal data protection legislation, namely: Angola, Benin, Burkina Faso, Cape Verde, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Mali, Mauritius, Morocco, Senegal, Seychelles, South Africa, Tunisia, and Western Sahara.” (Cynthia Rich (2016) Privacy Laws in Africa and the Near East (16) 6 Bloomberg BNA World Data Protection Report). Three countries, Kenya, Uganda, and Zimbabwe, have proposed personal data protection legislation, but at the time of this writing, these laws are still in the form of bills (and not enacted). Tanzania is in the process of enacting personal data protection legislation. Nigeria, the African country with the most Internet users, does not have a data protection law, and a data protection bill that was introduced in 2010 is still making its way through its parliament at the time of writing.
At the launch, African Union Commission representative Souhila Amazouz noted that the African Union Convention on Cyber Security and Personal Data Protection “is considered an important first step at creating a uniform system of data processing in Africa.” The Malabo Convention is a common set of rules to govern cross-border transfer of personal data at the continental (African) level.
To facilitate implementation of the Convention, the African Union Commission invited the Internet Society to help develop Personal Data Protection Guidelines for Africa. The Guidelines emphasize the importance of ensuring trust in online services as a key factor in sustaining a productive and beneficial digital economy. The protection of online privacy and personal data is a fundamental right and a long-term basis for trust in the use of ICTs. This is a prerequisite for a thriving information society in Africa, particularly with regard to social factors such as ethnicity, vulnerability, disability, and disadvantage. Misuse of personal data threatens fundamental rights, undermines trust, and damages the digital economy.
The Guidelines are framed in an African context and values the significant cultural, legal diversity across the continent, variations in access to technology and online services, and sensitivities regarding ethnicity. Africa also has different levels of capabilities in technology-related law and governance and most countries dependent on non-African manufacturers and service providers. This makes is difficult for member states to develop policies and regulation on data protection.
Among some of the recommendations, the Guidelines emphasize the importance of the multistakeholder model, and provide specific recommendations for governments and policymakers, data protection authorities (DPAs), data controllers and their partners, and citizens and civil society. Central to the Guidelines are its essential principles relating to online personal data protection:
- Consent and legitimacy
- Fair and lawful processing
- Purpose and relevance of data
- Management of the data lifecycle (retention, accuracy, deletion)
- Transparency of processing
- Confidentiality and security of personal data
The Internet Society believes that good data protection is a cornerstone to the information society and that the Guidelines are a new step in Africa, and build on experience from other regions and jurisdictions.
Read the Personal Data Protection Guidelines for Africa and the 18 recommendations, then read the Internet Infrastructure Security Guidelines for Africa, a joint initiative of the Internet Society and the Commission of the African Union.