Privacy & Personal Data Protection Guidelines for Africa

Presentation transcript:

Privacy & Personal Data Protection Guidelines for Africa Verengai Mabika Senior Policy Advisor - Africa

Increase in data Breaches

Personal Data is a Commodity

Every day, personal data is being shared and used several degrees of separation away from the point of collection, often without the knowledge of the data subject. This is because data can be stored cheaply and retained for longer periods, data can be shared and distributed more easily, and there are more and more sensors in Internet-connected devices. Personal data has become a profitable commodity.

As our use of the Internet has grown, digital technologies have enhanced our lives. However, digital technologies have also brought new privacy challenges. Information gathering today is faster, easier, and less expensive than ever before in history. This is a result of progress on a variety of technological fronts: data storage is cheaper than ever, which means data can be retained for long periods of time; data sharing can be fast and distributed, enabling data to easily proliferate; and there are more and more sensors in objects and mobile devices connected to the Internet.

Information is not only being gathered. We are able to make sense of this data as well: Internet search tools can recognize images, faces, sound, voice, and movement, making it easy to track devices and individuals online over time and across locations; sophisticated tools are being developed to link, correlate, and aggregate seemingly unrelated data on a vast scale; and it is getting ever easier to identify individuals – and classes of individuals – from supposedly anonymized or de-identified data sets.

Every day, users are sharing more and more personal data online, often unknowingly, and the Internet of Things will increase this dramatically. These factors have the potential to expose personal data and to create privacy challenges on a greater scale than ever before.

Personal Data Protection laws: There are currently 17 countries in Africa that have enacted comprehensive personal data protection legislation, namely Angola, Benin, Burkina Faso, Cape Verde, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Mali, Mauritius, Morocco, Senegal, Seychelles, South Africa, Tunisia and Western Sahara.

Source: Cynthia Rich (2016) Privacy Laws in Africa and the Near East (16) 6 Bloomberg BNA World Data Protection Report, 1.

The Internet Society was founded by some of the Internet's earliest pioneers to help drive the Internet's development around the world. It is also the organizational home of the Internet Engineering Task Force (IETF). Working through a global community of chapters and members bound by a common purpose, the Internet Society coordinates across a broad range of different groups to promote the technologies that keep the Internet safe and secure, advocate for policies that enable universal access and champion an open Internet at all. The Internet Society believes that an Internet of opportunity should be available to everyone, everywhere and it is the Internet Society's mission to make that vision a reality.

What we know: Three countries, Kenya, Uganda and Zimbabwe, have already enacted personal data protection legislation, the promulgation of which has not yet been made effective, as the laws are still in the form of bills. Tanzania is in the process of enacting personal data protection legislation. Nigeria, the African country with the most Internet users, does not have a data protection law, and a data protection bill that was introduced in 2010 is still making its way through parliament.

Other existing privacy laws and frameworks in Africa include: the SADC Model Law on Data Protection (2010); the ECOWAS Supplementary Act A/SA.1/01/10 on Personal Data Protection (2010); and the EAC Framework for Cyberlaws (2008).

Privacy helps reinforce user trust in online services. Introduction: Privacy is an essential enabling right which underpins an individual’s autonomy, dignity, personal security, and freedom of expression. However, there is no universally agreed definition of privacy. In the online context, a common understanding of privacy is: “The right to control when, how, and to what extent personal data is shared with others.” However, our privacy online is at risk of being undermined. To protect and foster online privacy, we need to: Promote strong, technology-neutral data privacy laws, Privacy-by-design principles, and Ethical data collection and handling principles.

The Guidelines: As a new step towards developing national legislative frameworks and helping African countries transpose the provisions of the Malabo Convention into national law, the African Union Commission and the Internet Society (ISOC) jointly developed the “Personal Data Protection Guidelines for Africa”, which is a detailed set of best practice guidelines on personal data protection.

Why the Guidelines Matter The Guidelines were developed to help facilitate implementation of the Convention, with its recommended actions tailored to the African environment's unique features, including: a shortage of skilled human resources in the area of personal data protection, limited resources (including financial) for governments, organizations, and other stakeholders, limited levels of awareness of online privacy issues among stakeholders, and a general lack of awareness of the risks involved in the use of ICTs. The Guidelines were created by a multistakeholder group with contributions from regional and global privacy experts, including industry privacy specialists, academics and civil society groups. 

The Guidelines recommend the most critical actions to take on personal data protection at the regional, national, and organizational levels. The Guidelines emphasize the importance of the multistakeholder model and provide recommendations for governments and policymakers, data protection authorities (DPAs), data controllers and their partners, and citizens and civil society.

Key Considerations

It is important to encourage the development and application of privacy frameworks that apply an ethical approach to data collection and handling. There are no universal privacy or data protection laws that apply across the Internet. However, a number of national and international privacy frameworks have converged to form a set of core, baseline privacy principles. The Organisation for Economic Co-operation and Development (OECD) has developed guidelines which are a good foundation for developing online privacy policies and practices:

Collection limitation: There should be limits to the collection of personal data. Any such data should be obtained through lawful and fair means and, where appropriate, with the knowledge and consent of the data subject.
Data quality: Personal data collected should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.
Purpose specification: The purposes for which personal data is collected should be specified. The use should be limited to those purposes.
Use limitation: Personal data should not be disclosed, made available, or used for other purposes except with the consent of the individual or where required by law.
Security safeguards: Personal data should be protected through reasonable security safeguards.
Openness: There should be a general policy of openness about developments, practices, and policies with respect to personal data.
Individual participation: Individuals should have the right to obtain information about their personal data held by others and to have it erased, rectified, completed, or amended, as appropriate.
Accountability: Those who collect personal data should be held accountable for complying with these principles.

Source: OECD Privacy Guidelines (2013).

Guiding Principles

It is a challenge to ensure that Internet users’ personal data is only collected and used appropriately. Here are 12 guiding principles:

Global interoperability: Encourage openly-developed, globally-interoperable privacy standards (both technical and regulatory) that facilitate trans-border data flows while protecting privacy.
Collaboration: Foster multistakeholder collaboration and a holistic approach that ensures value to all stakeholders.
Ethics: Encourage the development of privacy frameworks that apply an ethical approach to data collection and handling. Ethical approaches incorporate, among other things, the concepts of fairness, transparency, participation, accountability, and legitimacy in the collection and handling of data.
Privacy impact: Understand the privacy impact of personal data collection and use. Consider the privacy implications of metadata. Recognize that even the mere possibility of personal data collection could interfere with the right to privacy. Further, understand that an individual’s privacy may be impacted even if he or she is not identifiable, but can be singled out.
Anonymity and pseudonymity: Individuals should have the ability to communicate confidentially, anonymously, and, if they desire, pseudonymously, on the Internet.
Data minimization: Encourage data minimization practices. Insist on selective data collection, and use the necessary data only for as long as it is needed.
Choice: Empower users to be able to negotiate fair data collection and handling terms on an equal footing with data collectors. Ensure users can give meaningful consent.
Legal environment: Promote strong, technology-neutral laws, compliance, and effective enforcement. These laws should focus on desired privacy outcomes, rather than specifying particular technological means to direct privacy practices.
Technical environment: Encourage open environments that support the voluntary, consensus-based development of protocols and standards that support privacy-enhancing solutions.
Business environment: Encourage businesses to recognize that privacy-respecting approaches can provide competitive advantages and may lower their exposure to legal risk.

The Guidelines set out 18 recommendations, grouped under three headings: multi-stakeholder solutions; wellbeing of the digital citizen; and enabling and sustaining measures. Eight recommendations for action by the following stakeholders: governments and policymakers; Data Protection Authorities (DPAs); data controllers and data processors.

Focused Capacity session

Ask: Member states that have an interest in exploring this subject may reach out to AUC or ISOC.

Read the full policy brief: www.internetsociety.org/policybriefs/privacy/ Thank You: In today’s digital age, while there are beneficial economic and social opportunities that may arise from new uses of personal data, it is important that we address the privacy challenges. The Internet Society has published a number of papers and additional content related to this issue. A good starting point is the Internet Society’s policy brief on this topic.