Southern Africa Digital Rights Issue Number 1: Data and online privacy under attack

Digital rights are under threat everywhere across the African continent at the moment. This is borne out and underscored by a string of influential reports over recent years from prominent regional and global civil society, multilateral and digital rights non-governmental organisations. The constricting of digital civic spaces through lawfare, the use of sophisticated spyware by some governments to invasively and violatingly intrude into and monitor people’s lives, pervasive social media mediated disinformation souring online experiences, rampant cyber criminal attacks and the dehumanising commercial surveillance economy all combine to degrade Africans’ online lives.

This is happening at a time when cyberspace also still shows so much promise as an avenue for achieving broad-based social justice, as well as unlocking socio-political and economic freedoms. African internet users remain resilient in the face of all manner of state-sponsored and private tech-enabled cyber threats and obstacles, and civil society actors across various countries continue to raise and amplify their voices and the hopes and aspirations of their constituencies even as their spaces for free expression, both online and offline, are being squeezed tighter and tighter by a range of malevolent actors and forces.

This project – an initiative of the African Declaration (AfDec) Coalition, supported by the Association for Progressive Communications (APC) and the Namibia Media Trust (NMT), and funded by the Open Society Initiative of Southern Africa (OSISA) – seeks to open up another avenue for elevating the voices of African civil society actors, specifically those scattered across six southern African countries in most of which democratic engagement spaces are increasingly, and in some severely, constrained. The project brings together civil society and digital rights researchers, activists and advocates from about 10 organisations spread over Botswana, Eswatini, Malawi, Namibia, Zambia and Zimbabwe.

These individuals and organisations are partnering and collaborating to shine a bright spotlight on the individual country-level digital rights and online civic spaces in which they operate. This six-country digital rights collage captures and portrays broader regional narrative streams in the quest to democratise the sub-regional cyber space. As part of our collaboration we will be bringing you regular updates concerning access to the internet and the state of data and online privacy in our respective countries. We will be bringing you these updates through six regional digests, of which this is the first, that we will be producing until May 2023.

In this first edition, we look at how civil society in Botswana, with regional support, managed to convince the government to make significant and meaningful changes to draft criminal procedures law that would have been a death-knell to digital privacy. We also discuss how in the wake of uprising and unrest ordinary citizens in Eswatini have to navigate a new reality under a newly imposed cybercrime law. Then there is the discussion of how the arrests of journalists and social media users are problematically characterising the digital rights space in Malawi.

In the same vein, Namibia is introducing mandatory SIM card registration and data retention regulations that could become a violation of the constitutionally enshrined right to privacy. In Zambia, civil society actors are pushing for the review and repeal of a cybercrime law that was brought in to suppress legitimate political expression. And from Zimbabwe, we bring you a discussion of how a complex range of issues are impacting the exercising of digital rights in the country. While all this might not make for happy reading, it certainly is important reading, and it showcases the will and commitment of those in each of the countries who continue to fight for freedoms, both online and offline. With all that said, we bring you Digital Rights Southern Africa.

 

Available in this first edition:

 

Editorial

Showcasing the will and commitment of those fighting (By Frederico Links)

 

Botswana CSOs rebuff criminal procedures bill

The draft bill would have enabled surveillance abuse and privacy violations (By Thapelo Ndlovu)

 

Eswatini passes cyber laws under dark clouds

Kingdom enacts cyber crime and data protection laws in a climate of suspicion and unrest (By Ndimphiwe Shabangu)

 

Arrests mar Malawi’s digital rights landscape

Two recent cases point to concerning state surveillance practices and the undermining of free expression online (By Jimmy Kainja)

 

New surveillance regulations lurk threateningly in Namibia

The measures attack anonymity online and undermine the constitutional right to privacy (By Frederico Links)

 

Lungu law looms dangerously over Zambian digital rights

The previous administration brought in a cyber crime law that weaponised the internet (By Susan Mwape)

 

Affordable connectivity and privacy violations plague Zimbabwe

A complex range of issues are impacting the exercising of digital rights in the country (By Otto Saki and Nompilo Simanje)

 

Southern Africa Digital Rights is produced under ‘The African Declaration on Internet Rights and Freedoms: Fostering a human rights-centred approach to privacy, data protection and access to the internet in Southern Africa’ project.

Call on the Nigerian Government to Rescind its Indefinite Suspension of Twitter’s Operations in Nigeria.

In a letter to Nigerian president and other prominent departments of ministry within the Nigerian government, Paradigm Initiative in lieu with fellow undersigned organizations have gone on to ask the state authorities to rescind their suspension on Twitter access and operations in the African country.

Privacy and Personal Data Protection in Africa: A Rights-based Survey of Legislation in Eight Countries

The country reports collected here offer an in-depth rights-based analysis of the status of privacy and data protection legislation in Ethiopia, Kenya, Namibia, Nigeria, South Africa, Tanzania, Togo and Uganda. This publication was part of a project by the African Declaration on Internet Rights and Freedom (AfDec) Coalition, “Strengthening a rights-based approach to data protection in Africa”, whose objective was to foster a rights-based approach to the adoption and implementation of this legislation.

In assessing country contexts, the authors gave an analysis of a state’s regional and global commitments to privacy, and the impact of the country’s legislative environment on privacy. They also undertook a specific analysis of the data protection laws as they exist in each country, identified key privacy rights actors and institutions, evaluated data protection practices in internet country code top level domain name (ccTLD) registration, and analysed the status of the country’s data protection authority.

Two key frameworks were used for analysis for this research: Principle 8 of the African Declaration on Internet Rights and Freedoms, which deals with privacy and personal data protection, and the human rights-based approach to policy and legislative development, whose basic principles include participation, accountability, non-discrimination and equality, empowerment and legality.

Each report ends with a series of recommendations to different stakeholders in the respective countries. A key role for civil society identified in the reports’ recommendations is that of monitoring the implementation of privacy laws and other related legislation in order to hold governments to account at different levels. At the local and national level, part of this monitoring involves documenting and reporting breaches of data protection and privacy legislation. At the regional and international levels, the reports note a need for the formation of coalitions by civil society groups in order to strengthen their capacity to monitor implementation of the laws, and increase their engagement with both regional and international human rights mechanisms, such as through submissions to the Human Rights Council’s Universal Periodic Review when countries are due to report.

This research provides an important benchmark for this future advocacy.

This publication was produced with support from the Deutsche Gesellschaft für Internationale Zusammenarbeit GmbH (GIZ).

Author: 

African Declaration on Internet Rights and Freedoms Coalition

Publisher: 

APC

 

Privacy and Personal Data Protection in Africa - Advocacy Toolkit

New toolkit offers insights into advocacy around the growing need for privacy and personal data protection in Africa

As online interactions form an ever greater part of our daily lives, a growing amount of our personal data is being collected, stored and mined by different public and private sector players. As a result, issues regarding the right to privacy and personal data protection have become increasingly relevant. The COVID-19 pandemic has sped up this shift to the digital sphere significantly around the world, and Africa is no exception. This makes the recent launch of the Privacy and personal data protection in Africa: Advocacy toolkit especially timely.

The toolkit was developed by the African Declaration on Internet Rights and Freedoms (AfDec) Coalition. It provides an overview of all relevant national, regional and international mechanisms, duty bearers and rights holders, and a checklist for analysing data protection and privacy-related policy and legislation using the human rights-based approach (HRBA).

The two lead consultants in the development of the toolkit, the University of Pretoria Centre for Human Rights and ALT Advisory, have been prominently involved in privacy and data protection in Africa.

A broad range of African stakeholders from diverse geographical and professional backgrounds validated the toolkit, which is meant to raise awareness among civil society actors, policy makers and human rights activists on the HRBA.

This advocacy toolkit provides an overview of the legal standards concerning the right of privacy and personal data protection in Africa and offers a set of practical tools for stakeholders in the formulation and implementation of data protection frameworks.

At the same time, the toolkit is a guide to engage with, advocate for, and inform policy makers on data protection and privacy in Africa, and can also be used as a manual by trainers in the understanding of data protection and privacy for various actors.

The toolkit is divided into three parts, with the first one providing an introduction to the international and regional human rights frameworks, while part two delves into the content of the right to privacy and personal data protection. Part three, on the other hand, deals with duty bearers and rights holders. It focuses on issues such as data protection terminology; key principles of data protection law; the rights of data subjects and obligations of duty bearers; and policy guidelines on data protection and privacy.

The toolkit draws lessons from the European frameworks relating to data protection such as the General Data Protection Regulation (GDPR), which is intended to harmonise the collection, storage, use, sharing and processing of personal information across Europe.

The toolkit also highlights the existing African frameworks on data protection, including the revised Declaration of Principles on Freedom of Expression and Access to Information in Africa adopted by the African Commission on Human and Peoples’ Rights, as well as the African Union Convention on Cyber Security and Personal Data Protection.

Several recommendations are offered, among them, the need for the African Union Commission to incorporate the right to privacy in the work of other special mechanisms beyond the Special Rapporteur on Freedom of Expression and Access to Information. 

It also recommends that the Pan African Parliament, the legislative body of the African Union, develop programmes on privacy, data protection, consumer protection, electronic commerce, cybercrime, the fourth industrial revolution and the implications of technology on privacy and data protection.

On national data protection agencies, the toolkit recommends that their powers, tasks and responsibilities should be to supervise and monitor the application of data protection laws and implementation of sanctions in cases of non-compliance.

The toolkit also spells out the role of law enforcement agencies, which should including working with the data protection agencies and processing personal information in a lawful, fair and transparent manner.

For their part, national human rights institutions are urged to see privacy and data protection as human rights concerns that should fall within the scope of their mandate.

A Safer Web for Women

This comic strip was produced by the Kenya ICT Action Network, and can be used as a training tool.

Most women will attest to being sexualized long before they knew they were women - or being treated less, long before they ever considered what they were or were not capable of. This reality is no different online. In fact, it is amplified. Actions expressing long-established stereotypes of women's worth deriving from their purity, ability to find and keep a husband, bear children and to make and stay at a home are exacerbated online. The domination of patriarchy through violence is magnified online in ways that would not be possible or at least to the same extent in the physical world. In this story of three differently-aged, differently-shaped, and differently-employed women we see what that violence can look like online, how the seemingly harmless can actually contribute to it and what we can all do to prevent it and to create a safer space for women online. As a society, we are only as strong as our least powerful person and we can only hope for a better tomorrow if we stop disempowering them through our actions both online and offline.

Read below about  Lulu, Amani, and Pendo's story to learn about online gender-based violence and creating safe spaces for women online

The struggle for the realisation of the right to freedom of expression in Southern Africa

The right to freedom of expression is enshrined as a cornerstone of democracy. This is because of its intrinsic importance in informing the public and encouraging debate. Inherent in the right to freedom of expression is the notion of access to information and press freedom. Freedom of expression also underpins a range of other rights, thereby enabling the full realisation of fundamental rights. It is by now well-established by the UN and the African Commission on Human and Peoples’ Rights (ACHPR) that rights, particularly the right to freedom of expression, apply equally online and offline. As set out in the African Declaration on Internet Rights and Freedoms:

  • Everyone has the right to hold opinions without interference.
  • Everyone has a right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds through the Internet and digital technologies and regardless of frontiers.
  • The exercise of this right should not be subject to any restrictions, except those which are provided by law, pursue a legitimate aim as expressly listed under international human rights law (namely the rights or reputations of others, the protection of national security, or of public order, public health or morals) and are necessary and proportionate in pursuance of a legitimate aim.
  • The exercise of the right to freedom of expression can, at times, require tolerance from others. As has been explained by the Constitutional Court of South Africa, the right to receive or impart information or ideas is applicable “not only to ‘information’ or ‘ideas’ that are favourably received or regarded as inoffensive or as a matter of indifference, but also to those that offend, shock or disturb.”

Indeed, the right extends even where those views are controversial: The corollary of the freedom of expression and its related rights is tolerance by society of different views. Tolerance, of course, does not require approbation of a particular view. In essence, it requires the acceptance of the public airing of disagreements and the refusal to silence unpopular views.

Notably, however, the right to freedom of expression is not absolute. It must necessarily be balanced against competing rights and interests. Some forms of speech do not enjoy any protection under international law, while other restrictions to the right to freedom of expression are only permissible under certain circumstances.

The challenge being experienced in Southern Africa – and indeed globally – is that states and private sector actors are adopting laws, policies and other measures that unjustifiably restrict the right to freedom of expression. This is typically done under the guise of, for instance, national security or the protection of reputation, but it encroaches far beyond that which is permitted under the law  These unjustifiable restrictions have a chilling effect on the free flow of ideas and meaningful discourse, and have the potential to severely undermine the full realisation of the right.

This report focuses on the content of the right to freedom of expression and gives an assessment of restrictions to the right. In Part I, we look at the international human rights framework on the right to freedom of expression as set out in international treaties and other appropriate resources, in order to distil the key elements of the right. In Part II, we set out the legal position on the circumstances under which the right to freedom of expression may be limited. In Part III, we explore key case studies across Southern Africa that raise serious concerns about existing or prospective laws that will restrict the right to freedom of expression. Lastly, in Part IV, we will take a forward-looking approach to consider what strategies can be used to safeguard the right to freedom of expression at its essence, and set out our recommendations for different stakeholder groups. This report does not purport to cover all laws in the respective countries in Southern Africa. Instead, the researchers have had the discretion to identify those laws that are seen to be of most concern in the present time, taking into account the political, social and economic landscape in the country at the moment. Through this report, we have identified key trends and recommendations for states, private sector actors and civil society to consider in the development of laws, policies and measures that impact the right to freedom of expression.

The need for this report was identified at a meeting of the Southern African members of the African Declaration on Internet Rights and Freedoms (AfDec) Coalition. It was recognised that while the right to freedom of expression is firmly entrenched at the domestic, regional and international levels, the realisation of this right remains a struggle in practice, particularly in the digital era. 

Lived experience of advocating for data protection in Uganda

By Dorothy Mukasa

Data privacy is a global policy issue, and during the past 30 years, data protection laws started gaining ground on the African continent. At the East African level, Uganda became the first country in the region to enact a comprehensive data protection law in February 2019.

The Data Protection and Privacy Act, 2019 reinforces Article 27 of the 1995 Ugandan constitution, which guarantees citizens’ right to privacy. It thus took the authorities 24 years after promulgation of the national constitution to regulate data protection and 20 years for the drafting of the bill, placing vulnerable communities at risk.

Throughout the legislative process, Unwanted Witness Uganda and other civil society actors undertook a series of advocacy efforts aimed at fostering a rights-based approach to data protection, given the fact that privacy is a fundamental human right. At this year’s workshop on “Privacy and data protection in Africa: Challenges and prospects”, organised by the University of Pretoria and the African Declaration on Internet Rights and Freedoms (AfDec) Coalition, we shared Uganda’s lived experience advocating for data protection legislation.

Changes at the policy making level

In accordance with Uganda’s electoral laws, the country conducts general elections every five years, and the changes usually eliminate over 70% of incumbents. This coupled with a prolonged policy-making process affected the already established networks as well as the advocacy strides made, since a new breed of leaders assumed legislative positions.  

The advocacy strategy then had to be revised from simply targeting only policy makers to also include the technical personnel at parliament, since they are more permanent compared to members of parliament.

Technical capacity

The majority of policy makers are elected to parliament for different reasons other than their legislative capacity. This lack of technical capacity is particularly concerning when it comes to regulating technology and human rights – a relatively new policy area in the country. Therefore, capacity building and awareness raising became a critical advocacy approach to achieving comprehensive data protection legislation.

Building an active citizenry

While privacy is as old as creation, the low level of data privacy consciousness in the digital era among the public is glaring. Citizens are not aware of the social contract between them, the state and tech companies, creating a lot of power imbalance and subsequent abuse of the right to privacy. Research exposing the effects of unregulated data-intensive systems on citizens’ privacy and subsequent media campaigns greatly contributed to raising privacy awareness among the public. The change in public attitude and perception about data privacy culminated in demanding accountability from both state and non-state data collectors and processors.

Working with the national human rights institution

The Uganda Human Rights Commission is a constitutional body mandated to, among other roles, monitor the government’s compliance with international treaty and convention obligations on human rights and recommend to parliament effective measures to promote human rights. We engaged the commission through sharing our research findings and recommendations and constantly raising the need to monitor and provide recommendations for safeguarding the right to privacy in the digital age. The commission is important because recommendations made in its annual report are debated and implemented by policy makers.

Coalition building

We spearheaded the formation of the privacy coalition with the aim of having a strong and unified voice. The coalition comprises civil society actors working on different thematic areas including health care, media freedom, freedom of association and assembly, education and migration, among others.

Creating a link between the right to privacy and the enjoyment of other human rights was an opportunity to amplify data privacy as a fundamental human right that needs to be advocated for by all right holders and not a reserve for only digital rights advocates.

Law and compliance

Passage of the data protection law remains a milestone for the different advocates over the years. However, the biggest hurdle still remains: enforcement/compliance.

The new law lacks an independent oversight mechanism as it simply establishes a Data Protection Office (DPO) within an existing government agency, raising concerns around conflict of interest, effective compliance, resource capacity and transparency for the appointment of members of the authority.

Indeed, to effectively protect the right to privacy, more strategic advocacy is required during the law enforcement stage. This therefore makes the privacy and personal data protection in Africa advocacy toolkit, as designed by the AfDec initiative, very relevant in shaping the data protection legal regime.      

 

Key Issues in Data Protection Policy-Making and Implementation: lessons from Dr Ian Brown

Dr. Ian Brown, a data protection expert and a trainer with the African School on Internet Governance, gave a presentation at the Conference on Privacy and Data Protection in Africa organized by The Centre for Human Rights, University of Pretoria in collaboration with the African Declaration on Internet Rights and Freedoms Coalition. The conference brought together academics, students, policymakers, and practitioners working in key areas related to privacy and data protection in Africa including big data, information technology, artificial intelligence, cybersecurity and human rights law.

Dr Brown discussed key policy and implementation issues from recent data protection events in Europe and gave a projection of warnings from problems seen in the European Union as a guide for better policy-making and implementation of data protection in Africa. He emphasized the issue of children and data protection, using the example of the Children's Commissioner for England’s appointment and role, to look out for children’s needs and rights, especially in the digital age. Another highlighted area was the need for the appointment of specialist technology regulators by African countries to better enforce our data protection laws. He noted, however, that these appointments require significant budget allocations. Budgetary constraints have already been cited as one of the main hindrances to the work of data protection authorities on the African continent and the enforcement of data protection laws in turn. Dr Brown’s presentation concluded with praise for the African Union’s commitment to cybersecurity regulation to underpin data protection on the continent.

You can access all the recordings of the Conference on Privacy and Data Protection in Africa here

See Dr. Ian Brown's presentation on SlideShare or download the original here.

Letter to MTN's CEO - Dialogue on Human Rights

The African Declaration on Internet Rights and Freedoms Coalition (AfDec) co-signed a letter from Access Now to the newly appointed CEO of telecom giant, MTN, Ralph Mupita, alongside eight other civil society organizations. The letter highlights civil society’s concerns with how MTN has enabled the violation of human rights and democracy, and it also offers guidance on how MTN can better respect the human rights of their users