Africa’s Rising Leadership in Privacy
By Pam Dixon, Executive Director, World Privacy Forum
African countries have been steadily enacting data protection laws that bring their respective privacy and data protection requirements up to date with Europe’s General Data Protection Regulation (GDPR), which is widely considered to be the baseline privacy standard of today. But that is not the main headline of what has been happening on the continent of Africa. Many African countries, having passed new privacy laws after the GDPR was negotiated, have broken new ground by advancing privacy thought in new and important ways which stretch past the boundaries of the GDPR and contextualize privacy for African contexts.
The Mauritius Data Protection Act, which passed in late 2017, is striking in its elegance of privacy thought. The Mauritian law is important because it has provided a GDPR-aware privacy law roadmap for other jurisdictions in Africa. It has been deeply influential. The Mauritian law has also been influential in its inclusion and further development of GDPR’s code of conduct and certification language. In Mauritius, regulated entities may seek a voluntary certification valid for 3 years. The data protection office creates the standards for the certificate. The topic of codes of conduct and certificates is becoming increasingly important as Data Protection Authorities around the world seek to create practical implementations of GDPR-style privacy laws. This year, the Mauritius Data Protection Authority provided further leadership in its release of a Toolkit which includes practical case studies and bite-sized interpretations of the Mauritian law in multiple languages and formats.
Kenya passed its Data Protection Act of 2019 after ten years of deliberations. It contains many elements of the GDPR and it has made localized adaptations. Notably, the broad definition of “data processor” under the Kenya law includes “public authority, agency, or other body.” Because of this breadth, combined with a requirement for risk assessments of activities that have the potential to create high risk to the rights and freedoms of data subjects, the government would be required to conduct data protection impact assessments, or DPIAs, on its own programs. This would include government-run identity programs such as the Huduma Namba. Going forward, if the law is robustly implemented, the newer privacy thought and localizations could create a strong fabric of privacy for Kenyans across public and private sectors.
Togo’s new Law 2019-014 Relating to Personal Data Protection advances privacy thought in meaningful ways. First, the Togolaise law has a broader scope than the GDPR. The Togolaise law’s scope incorporates “any collection, any processing, any transmission, any storage, and any use of personal data by a natural person, by the State, the local authorities, legal persons under public law or private law;” it also covers any automated or non-automated data, along with other inclusions. Notable in the Togolaise law is a separate definition and article regarding the interconnection of personal data. This is an important post-GDPR addition, one which lays out protections specific to data linking mechanisms in data processing, whether the linking is by data processors or by purpose of processing.
Article 33 of the law sets requirements for data controllers to obtain a specific interconnection (or linking) authorization which includes information about the nature of the data to be linked, the purpose of the request to link data, the period of time the linking is permitted, and any conditions and terms regarding how the protections of rights and freedoms, including privacy, of individuals and/or third parties are being carried out. Article 34 of the law conditions that any linking of data must not violate human rights or privacy. The new Council of Europe Convention 108+ contains the germ of this idea, but the Togolaise law has further developed it. The ideas articulated regarding linkage in the Togolaise law have the potential to be influential and important in many jurisdictions around the world.
African countries are enacting modern privacy laws that are informed by GDPR, but are not carbon copies of it. The new African laws exhibit their own thought and approaches on some of the most pressing and emergent privacy issues of today, adapted for the African context. For African jurisdictions that have not yet done so, putting modern, baseline data protection legislation in place and empowering country-level Data Protection Authorities with independence to enforce the law and provide ongoing guidance is essential. Modern data protection will go far toward ensuring that identity and other digital ecosystems do no harm, and work to create public good. Properly implemented, the new post-GDPR laws in Africa can help create an environment that facilitates trust and the flourishing of digital economies.
Facilitating and keeping public trust is particularly important in light of the COVID-19 crisis, which has created a major public health challenge in Africa and the world, and a privacy and data protection challenge as well. In a public health crisis, the tendency is almost always to loosen data protections. The use of identity data will almost always be involved in some way. While some loosening of protections may be warranted, a balance must be found, and this is difficult to achieve.
Africa’s data protection authorities are the privacy leaders who can address these challenges by working together to craft detailed sectoral guidance that keeps a balance between emergency data uses and essential data protections, including in identity systems. Practical data controls such as codes of conduct, which the data protection authorities in Africa are already working on, can be of great help to all countries in Africa in this crisis. By successfully utilizing the existing laws and welcoming the ongoing assistance of the African data protection experts who are in a position to be most familiar with what is needed to find a balance, Africa can address the problems caused by the pandemic in a way that is respectful of privacy and facilitates trust.
EU General Data Protection Regulation, (EU-GDPR). Available at: http://www.privacy-regulation.eu/en/index.htm.
See History of the GDPR, European Data Protection Supervisor. Available at: https://edps.europa.eu/data-protection/dataprotection/legislation/history-general-data-protection-regulation_en.
As of March 2020, 143 countries have passed modern data protection regulations. Egypt’s Personal Data Protection Law is the most recent addition as of February 2020. See Egypt Law No. 181/2018. See also: Graham Greenleaf, Global Data Privacy Laws 2019: 132 National Laws & Many Bills, Privacy Laws & Business International Report, 14-18. February 8, 2019. Available at SSRN: https://ssrn.com/abstract=3381593.
Mauritius Data Protection Act of 2017. Data Protection Office, Mauritius. Available at: http://dataprotection.govmu.org/English/Legislation/Pages/Data-Protection-Act-2017-.aspx.
The discussion of certificates can be found in Article 42 of the GDPR.
Data Protection Training Toolkit, Data Protection Office, Mauritius. Available at: http://dataprotection.govmu.org/English/Pages/Data-Protection-Training-Toolkit.aspx.
Data Protection Act of 2019, Republic of Kenya, National Council for Law Reporting Library. Available at: http://kenyalaw.org/kl/fileadmin/pdfdownloads/Acts/2019/TheDataProtectionAct__No24of2019.pdf.
Huduma Namba home page. Available at: https://www.hudumanamba.go.ke.
For more details about the Kenyan law, see Isaac Rutenberg, Expert Commentary: Kenya follows the path of European-Style data protection, World Privacy Forum. November 22, 2019. Available at: https://www.worldprivacyforum.org/2019/11/expertcommentary-kenya-follows-the-path-of-european-style-data-protection/.
Loi No. 2019-014 du 29 Octobre 2019 Relative a la Protection des Donnees a Caractere Personnel. Actes du Gouvernement de la Republique Togolaise. Available at: https://jo.gouv.tg/sites/default/files/JO/JOS_29_10_2019-64E%20ANNEEN°26%20TER.pdf#page=1.
From Article 2: “Sont soumis à la présente loi : Toute collecte, tout traitement, toute transmission, tout stockage et toute utilisation des données à caractère personnel par une personne physique, par l’Etat, les collectivités locales, les personnes morales de droit public ou de droit privé.” This is 1 of 5 inclusions.
Convention 108+ for the Protection of Individuals with regard to the processing of data, Council of Europe. June 2018. Available at: https://rm.coe.int/convention-108-convention-for-the-protection-of-individuals-with-regar/16808b36f1.