‘Privacy Is a Human Right and Should Be Considered as One’
By Maureen Nkatha
Ridwan Oloyede is cofounder of Tech-Hive Advisory, a consulting firm in Nigeria. He advocates for enforcement of data-privacy laws in Africa.
The European Union’s data-protection law, which took effect in May 2018, is forcing many nations to review their privacy laws — but Oloyede said this was proving difficult for most African countries.
Nigeria, for instance, adopted its first data-protection law in early 2019, but enforcing it has been challenging, he said, because of lack of government funding and little clarity on what constitutes a data breach.
Oloyede, who also is a research fellow at the African Academic Network on Internet Policy (AANOIP), told Digital Privacy News that only 17 of the 31 African countries with such laws have a data-protection authority.
In a continent where internet access is still a problem, how can digital inclusion and access to the internet be solved?
Solving the problem requires a multi-pronged approach from all stakeholders working together for a common cause.
An integrated solution should solve consumer barriers, network infrastructure — and policy, taxation and local content challenges.
Government policies should be geared at unlocking opportunities.
There has to be cross-sector integration.
For example, the provision of good electricity should tie into road and national broadband policies.
The government can directly subsidize broadband rollout in uneconomic areas to increase network coverage and design policies to solve the affordability problem.
“Government policies should be geared at unlocking opportunities.”
Mobile operators should consider SMS and interactive voice response (IVR) infrastructure sharing — and the use of renewable energy to power off-grid towers.
Since much of the digital inclusion is happening through the expansion of cellphones, what is the privacy situation involving them? The iPhone, for instance, is the only platform with serious privacy safeguards built in — but that’s an expensive technology.
Privacy risks abound, regardless of the device or the operating system.
There are apps and mobile phones available in the African market embedded with trackers and excessive permissions.
Websites enable fingerprinting and cookies to track and honor third-party requests without an appropriate lawful basis.
All these, when aggregated, can profile users uniquely and provide rich insight into their behavior.
Any other risks?
There is also the lack of transparency — where privacy notices are absent, incomplete or not genuinely reflective of processing activities.
Another spin to the problem is the mass availability of cheap smartphones reported to have poor privacy and security practices.
“It is insufficient to have an authority if they do not enforce the law.”
Privacy is a human right and should be considered as one.
No trade-offs and no zero-sum game.
What does the standard cellphone infrastructure look like in developing areas with regards to privacy? Are service providers exploiting personal data? To what extent?
The extent of this cannot be ascertained until we have major whistleblowing or research dedicated to that.
In Nigeria, we recently researched the pervasive practices of digital lending companies — and we found poor privacy, security and consumer-protection practices.
The problem is further exacerbated on the continent by the absence of a law or regulator, where there is a law — and, in some cases, poor enforcement by the regulator.
The bigger problem is the lack of awareness of the extent of the risk and danger.
On a different issue, Africa is very much a testing ground for software produced in China and other Western countries. This means people’s personal data, including health information, is stored in databases across the world. What can be done to ensure that the data collected is not misused and only is used for its intended purposes?
More African countries now have data-protection laws, which is a good starting point.
However, of the 31 African countries with specific data-protection laws, only 17 have a data-protection authority.
It is insufficient to have an authority if they do not enforce the law — or because they lack the competence, independence, or financial and human resources to do their jobs.
We need to start having conversations around the international transfer of data and demand these foreign entities comply with existing local laws, remain accountable and uphold the standard.
The courts should also be progressive in advancing human rights.
Is this why Africa is most vulnerable when it comes to data privacy?
Abuse and misuse of personal data exist virtually everywhere.
The European Union, with its acclaimed “gold standard” data-protection law, suffers the same.
“We need to start having conversations around the international transfer of data and demand these foreign entities comply with existing local laws … .”
The extent of enforcement has not wholly halted the abuse, going by performance reports of their supervisory authorities, unresolved complaints — and a litany of research exposing violations of the law.
However, compared to the EU, the existing enforcement framework across the continent is weaker.
How much data exporting to China is happening de facto under its “Silk Road” initiatives in Africa? Can it be stopped?
I do not know the extent.
But again, there is research pointing towards different play that could signal what has been described as “digital colonialism.”
A number of African countries are reported to be using surveillance tools or have some other core infrastructure built by state-backed entities.
There are reports about the deployment of artificially intelligent surveillance systems (AISS), facial-recognition technology, video surveillance cameras and various African governments’ tools for different reasons.
There are reports of close ties between private companies and the government and how the companies act as proxies for the government to obtain data on an international scale.
“A number of African countries are reported to be using surveillance tools or have some other core infrastructure built by state-backed entities.”
The existence of mandatory legal requirements for organizations to make data available to the Chinese government by the National Intelligence Law (2017) and the Counter-Espionage Law (2014) lends credence to the fear.
The report about the African Union building in Ethiopia being bugged between 2012 and 2017 further lends credence to this.
Again, independent research or disclosure is the closest thing that could give us a genuine picture of the full extent of what is going on.
Maureen Nkatha is a writer in Nairobi, Kenya.
- Privacy International: 2020 is a crucial year to fight for data protection in Africa
- KPMG Nigeria: The Nigeria Data Protection Regulation