Call for researchers - Fostering a Rights-Based Approach to Data Protection in Africa: Country Reports

The Secretariat of the African Declaration on Internet Rights and Freedoms Coalition (hereafter referred to as ‘AfDec’) seeks to strengthen a rights-based approach to data protection in Africa, in line with  its Principle 8 on Privacy and personal data protection. 

Principle 8: Everyone has the right to privacy online, including the right to the protection of personal data concerning him or her. Everyone has the right to communicate anonymously on the Internet, and to use appropriate technology to ensure secure, private and anonymous communication. The right to privacy on the Internet should not be subject to any restrictions, except those that are provided by law, pursue a legitimate aim as expressly listed under international human rights law, (as specified in Article 3 of this Declaration) and are necessary and proportionate in pursuance of a legitimate aim.

Application of the principle: Personal data or information shall only be collected and/or processed by states and non-state actors such as access providers, mail providers, hosts and other intermediaries, in compliance with well-established data protection principles, including the following: personal data or information must be processed fairly and lawfully; personal data or information must be obtained only for one or more specified and lawful purposes; personal data or information must not be excessive in relation to the purpose or purposes for which they are processed; and personal data or information must be deleted when no longer necessary for the purposes for which it is collected. The collection, retention, use and disclosure of personal data or information must comply with a transparent privacy policy which allows people to find out what data or information is collected about them, to correct inaccurate information, and to protect such data or information from disclosure that they have not authorised. The public should be warned about the potential for misuse of data that they supply online. Government bodies and non-state actors collecting, retaining, processing or disclosing data have a responsibility to notify the concerned party when the personal data or information collected about them has been abused, lost or stolen. Mass or indiscriminate surveillance of individuals or the monitoring of their communications, constitutes a disproportionate interference, and thus a violation, of the right to privacy, freedom of expression and other human rights. Mass surveillance shall be prohibited by law. The collection, interception and retention of communications data amounts to an interference with the right to privacy and freedom of expression whether or not the data is subsequently examined or used. In order to meet the requirements of international human rights law, targeted surveillance of online communications must be governed by clear and transparent laws which, at a minimum, comply with the following basic principles: first, communications surveillance must be both targeted and based on reasonable suspicion of commission or involvement in the commission of serious crime; second, communications surveillance must be judicially authorised and individuals placed under surveillance must be notified that their communications have been monitored as soon as practicable after the conclusion of the surveillance operation; third, the application of surveillance laws must be subject to strong parliamentary oversight to prevent abuse and ensure the accountability of intelligence services and law enforcement agencies. It should also be recognised that for the enjoyment of their right to privacy, individuals must be protected from unlawful surveillance by other individuals, private entities or institutions, including in their place of work or study and in public internet access points.1

In this regard, AfDec seeks to commission the preparation of ten ‘state of privacy’ country reports, in the jurisdictions set out below, to offer an in-depth rights-based analysis of the status of privacy and data protection in the identified countries. For more information on the meaning and scope of privacy and data protection we recommend the resources developed by Privacy International: Data protection and Privacy.



The country reports form part of a broader project aimed at increasing the understanding of the importance of a rights-based approach to data protection among duty-bearers and rights-holders. It will prioritise reaching national and regional human rights institutions and mechanisms and human rights defenders. The country reports are intended to inform and strengthen regional and policy debates and advocacy initiatives in the region and promote the idea of using the HRBA in internet-related policy and regulation.

It is anticipated that the country reports, once finalised, will be a useful resource for AfDec members, regional bodies, national human rights institutions, data protection authorities, digital rights activists, civil society organisation, media rights, journalists and bloggers concerned with human rights and internet governance.


A rights-based approach to privacy and data protection

The African Declaration approaches privacy and data protection from a human rights perspective. For the purpose of this initiative, researchers are expected to go beyond that, and assess the extent to which a human rights-based approach (HRBA) is, or is not, being applied to privacy and data protection in internet-related policy and regulation.

The HRBA is a conceptual framework developed to help promote and protect human rights through putting state’s obligations with regard to human rights at the centre of policy and regulation in any sector. The HRBA has been applied to health policy, poverty reduction strategies, and development policy more broadly. For the purpose of this study we would like researchers to explore how it can be applied to internet-related privacy and data protection policy and regulation.

The two primary objectives of the HRBA are to:

  • Empower rights-holders – the individuals or groups that have entitlements in relation to duty-bearers - to claim and exercise their rights

  • Strengthen the capacity of duty-bearers – the state or non-state actors that have the obligation to uphold the human rights of rights holders – to promote and protect those rights2

  • In the context of the country reports this means that as a starting point, researchers would need to specify who the rights-holders and duty-bearers are that their research covers.

The five basic principles of the HRBA which we would like researchers to approach from the perspective of the development and application of privacy and data protection regulation are:

  • Participation – everyone is entitled to active participation in decision-making processes which affect the enjoyment of their rights.

  • Accountability – duty-bearers are held accountable for failing to fulfil their obligations towards rights-holders. There should be effective remedies in place when human rights breaches occur.

  • Non-discrimination and equality – all individuals are entitled to their rights without discrimination of any kind. All types of discrimination should be prohibited, prevented and eliminated.

  • Empowerment – everyone is entitled to claim and exercise their rights. Individuals and communities need to understand their rights and participate in the development of policies which affect their lives.

  • Legality – approaches should be in line with the legal rights set out in domestic and international laws3.

Researchers will be asked to look at how this principles have been applied in data protection policy and regulation.


Countries covered

Researchers can select among following countries and can apply to cover more than one country. Only one research study per country will be selected and only ten studies (one per country will be selected. Research can cover countries that have recently passed data protection legislation4 like Kenya, Nigeria and the Togolese Republic or countries where legislation has been proposed like Zimbabwe and Namibia. But it is also useful to look at countries that have legislation including cases where it is not effectively being enforced such as South Africa, Botswana, Uganda, Lesotho and Angola.

Prospective researchers can select any of these countries, or any other country in sub-Saharan Africa. The expression of interest form will ask researchers to provide a rationale for their selection of country or countries.


Expression of interest

Interested researchers are invited to submit an expression of interest for the preparation of the above-mentioned country reports, setting out the following information:

  • The country they want to research and a short explanation of why they want to work on this particular country

  • Which rights-holders and duty-bearers their research will prioritise (e.g. private sector actors, or public institutions)

  • What aspects of privacy and data protection their research will cover (e.g. policy development, application, remedy etc.

  • Whether they will look at a particular sector, e.g. health, or provide a general overview of the state of data protection in the country

  • The relevant data protection expertise that the researcher has in the identified country

  • An  overview of the methodology that the researcher intends to apply in preparing the country report; and

  • Any previous experience or engagement that the researcher has had with AfDec

A curriculum vitae (not exceeding 3 pages) of the lead researcher should be submitted with the expression of interest.

Please note, all researchers will be expected to submit their researches in English.

AfDec will pay $2000 per country report, which will be published on the AfDec website and other public sources. The researcher may also be requested to participate in an online discussion regarding the findings made in the country report. Expression of interest should be submitted by 10 August 2020 at this link.

Any inquiries should be directed to Valeria Betancourt at and copied to Janny Montinat at