In this digital age, data is the new currency and largely an asset for most companies. If you look around you, top money-making companies are either controllers or processors of data. It is therefore obvious that most companies today are baying for personal information to advance their commercial and economic interests. In some instances, this push for more data has ended up infringing on the human right to privacy across nations.
In the interest of data protection and privacy, Unwanted Witness has been on the frontline campaigning for privacy as a fundamental human right. The Uganda-based institution has been on an intense drive to see that companies as well as governments in Africa align their interests with the already existing Data Protection Acts (DPAs).
This year’s Privacy Symposium Africa brought together major stakeholders in the data industry: data controllers, data processors, policy makers, data regulators, and data subjects. The event was spearheaded by Unwanted Witness in collaboration with the Centre for Intellectual Property and Information Technology Law (CIPIT) at Strathmore University.
The 4th Privacy Symposium Africa ignited important conversations around data protection, including online gender-based violence, the use of data in digital ID and humanitarian works, data sovereignty in the cloud, public and private surveillance and human rights, challenges faced by data protection regulators, and Data Protection Acts compliance for SMEs, among other discussions held through the three-day convention. The event also saw the launch of the 2022 Privacy Scorecard Report, a monitoring tool set to determine the legal protections of personal data and privacy.
Lack of Political Will
In the PSA 2022 discussions that involved multiple African data protection regulators, the lack of political will to harmonize the legal framework has been blamed for little or no enforcement of data protection law on offenders.
Lack of political will has resulted in the absence of robust oversight and of legal and practical safeguards, and it has encouraged selective application of data protection laws and data privacy infringement, among other risky practices putting data subjects at risk.
Without the will of legislators, data protection laws will continue to be toothless and inapplicable by already established regulators and commissioners. During the just-ended symposium, for example, legislators were not in attendance except Tanzania’s Neema Lugangira, who has been on the frontline fighting for the Data Protection Act that is yet to be enacted in her country.
In her speech, Hon. Lugangira, the Chair of the African Parliamentary Network on Internet Governance, emphasized the importance of including legislators in the ongoing debate on data protection, saying that watchdogs should work with, and not without, legislators.
Stella Alibateese, Director of the National Personal Data Protection Office, also echoed Lugangira’s sentiments, saying, “There’s a need for capacity building or awareness and it shouldn’t only be for the technocrats. It should start with the political leadership because they are the ones that make the decisions.”
According to data regulators sitting on the 4th Privacy Symposium Africa panel, harmonization of data protection laws is a way forward and a solution to the lack of political will, one that would trigger the involvement of legislators.
“On harmonization, what is privacy varies from jurisdiction to jurisdiction, as a result of different social, economic and political conditions & this is part of the reason why we are yet to have the momentum to implement the Malabo Convention.” - Babatunde Bamigboye, Nigeria
Kenya’s data commissioner, Immaculate Kassait, also sitting on the Privacy Symposium Africa panel, emphasized the need to take steps towards harmonization of data protection laws. Kassait said that having the conversation as data protection regulators in Africa is a step on the right path as the stakeholders look for common aspects that can be harmonized.
“While each country has its own uniqueness, harmonization of data protection laws should consider commonalities that will guide the establishment of a common framework; we cannot evade seamless flow of data across the region,” said Immaculate Kassait, Data Commissioner, Kenya.
According to data regulators across African countries, there is a need to change legislation relevant to some areas of common concern to conform to their statutes and to facilitate compliance and enforcement across borders.
“We need to make use of the existing frameworks, like NADPA which is a network for African data protection authorities & let us encourage countries to join this group & advocate for the implementation of this policy framework.” - Stella Alibateese, Director of the National Personal Data Protection Office.
The other common challenge shared by data regulators across the African continent is the lack of independence of the policing bodies: regulators and commissioners. These institutions, which are expected to push for law and order, have been put under the Ministries of Information Communication and Technology (ICT), which are directly governed by governments.
This, therefore, creates bias when it comes to enforcement and litigation when handling offenses. Political interference continues to obstruct a free and fair process to ensure companies and institutions comply with the Data Protection Acts. Because of heavy political involvement in data protection enforcement, there has been a lack of political will to fully give power to relevant institutions through the constitution. This is because some of the data companies in the million-dollar business are owned or co-owned by politicians or their associates.
Through person-to-person conversations and international discussions, the Privacy Symposium Africa continues to draw attention back to the Malabo Convention. The call for action envisions Africa as a single entity in terms of data and privacy protection and calls for a harmonized, independent, and robust legal framework which protects all people from processors and data controllers.
“The low pace for the adoption of the Malabo Convention indicates that sustained commitment is missing since only 5 states have ratified the convention out of 15 required to make it enforceable.” - Tsitsi Mariwi, Zimbabwe
The Data Protection Acts proposed, enacted, and enforced across countries are important because they provide guidance and best practices for organizations and governments to follow on how to use personal data. The political will to have the said Acts enacted and enforced is equally important because it brings regulation of the processing of personal data, protects data subject rights, enables authorities to enforce rules, and holds organizations and institutions culpable if rules are breached.