
Africa’s Multilateral Legal Framework on Personal Data Security: What Prospects for the Digital Environment?

  • Conference paper
e-Infrastructure and e-Services for Developing Countries (AFRICOMM 2019)

Abstract

As the African continent continues to embrace technological innovations and corresponding infrastructures like the Internet of Things, concerns have been raised regarding the security risks to critical ICT network infrastructures on the continent, as well as the safeguarding of the fundamental rights of Africans through the protection of their personal data, especially data shared online. One such concern is personal data security, which becomes more crucial as huge amounts of sensitive personal data are increasingly generated across the continent, especially with the proliferation of mobile banking. In response to these developments, African intergovernmental organizations have developed legal frameworks on personal data protection: the Economic Community of West African States (ECOWAS) has adopted a Supplementary Data Protection Act, while the African Union (AU) has adopted a Convention on Cyber Security and Personal Data Protection. However, while other aspects of data protection law are more or less addressed in these instruments, relatively little focus is put on managing and safeguarding personal data security.

This paper presents a critique of the state of personal data security regulation and online trustworthiness in Africa, and strives to show that the above African instruments do not provide a satisfactory response to the personal data security challenges Africa currently faces. Both instruments can hardly be said to ensure a trustworthy environment for data sharing, as they lack essential pre-breach and post-breach regulation mechanisms, including breach reporting, liability for mismanagement of personal data and available remedies for affected data subjects. The paper concludes by recommending that these deficiencies be addressed in additional protocols to these instruments or in relevant future texts.


Notes

  1. ITU GLOBAL AND REGIONAL ICT DATA, retrieved from https://www.itu.int/en/ITUD/Statistics/Documents/statistics/2018/ITU_Key_2005-2018_ICT_data_with%20LDCs_rev27Nov2018.xls. Accessed 5/5/2019.

  2. Defined by Stuckmann, Peter, and Rainer Zimmermann in: “European research on future internet design.” IEEE Wireless Communications 16, no. 5 (2009): 14 as a “world-wide network of uniquely addressable and interconnected objects, based on standard communication protocols”. This enables applications involving real-world objects, but also business applications based on network-assisted machine-to-machine interaction.

  3. The Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28th January 1981.

  4. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

  5. Economic Community of West African States.

  6. The Organisation for Economic Cooperation and Development.

  7. Article 4(1), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation (GDPR)).

  8. Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data (Adopted on 20th June 2007).

  9. See the OECD Privacy Framework. Retrieved from http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf. Accessed 2/11/2019. Page 20.

  10. Article 8 of the European Convention on Human Rights of 4 November 1950.

  11. See the White House, ‘Executive Office of the President. Big Data: Seizing Opportunities, Preserving Values’ (2014). 55–56. http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf. Accessed 2/11/2019.

  12. European Commission Joint Statement on the final adoption of the new EU rules for personal data protection. (Brussels, 14 April 2016). Available at https://europa.eu/rapid/press-release_STATEMENT-16-1403_de.htm. Accessed on 3/6/2019. Also see Recital 7 of the GDPR.

  13. See Article 5, GDPR.

  14. Article 2(i) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

  15. See UNCTAD. (2018) Cybercrime Laws. [online] Available from: http://www.unctad.org/en/Docs/Cyberlaw/CC.xlsx [Accessed on 6 June 2018]. See ITU. (2018) Cybersecurity Country Profiles. [online] Available from: https://www.itu/en/ITU-D/Cybersecurity/Documents/CountryProfiles/ [Accessed 6 June 2019].

  16. For example Article 12 of the 1996 Constitution of Cameroon, Article 28 of the revised 1992 Constitution of the Republic of Togo, Article 31 of the 2010 Constitution of the Republic of Togo.

  17. Paragraph 14 of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (hereinafter the OECD Data Protection Guidelines). Also Article 5(2) of the EU GDPR.

  18. Established by the Treaty of Lagos on 28 May 1975, ECOWAS is the main intergovernmental organization of West Africa, currently comprising 15 sovereign West African States, namely: Benin, Burkina Faso, Cape Verde, Cote d’Ivoire, the Gambia, Ghana, Guinea, Guinea-Bissau, Liberia, Mali, Niger, Nigeria, Senegal, Sierra Leone and Togo (www.ecowas.int).

  19. Benin, Burkina Faso, Cape Verde, Cote d’Ivoire, Gambia, Ghana, Guinea, Guinea Bissau, Liberia, Mali, Niger, Nigeria, Senegal, Sierra Leone and Togo.

  20. Treaty of ECOWAS (28 May 1975) 14 ILM 1200; revised 24 July 1993, 35 ILM 660, (1996).

  21. Paragraph 10, Preamble, ECOWAS Data Protection Act.

  22. Paragraphs 8–11, Preamble, ECOWAS Data Protection Act.

  23. See for example Section 12 of the Constitution of the Federal Republic of Nigeria.

  24. Preamble, Additional Protocol to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows.

  25. See the EU Article 29 Working Party Opinion 03/2014 on Personal Data Breach Notification (WP213), p. 3.

  26. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

  27. European Commission, Commission Staff Working Paper SEC (2012) 72 final. Impact Assessment Accompanying the General Data Protection Regulation (2012) p. 100.

  28. The principle of accountability requires controllers to be able to actively demonstrate compliance with personal data protection rules without waiting on data subjects or supervisory authorities to point out shortcomings.

  29. Recital 46 of EU Directive 95/46/EC, adopted on 24th October 1995, requires that data security measures be taken at the time of designing the processing system as well as during processing itself.

  30. See for example Article 25 of the Ghanaian Data Protection Act 2012 and Article 41 of the Kenyan Data Protection Bill 2019.

  31. Also see Article 32 GDPR.

  32. See Recital 100 GDPR.

  33. See for example Recital 55 of the 1995 European Data Protection Directive.


Acknowledgments

This research is funded by the Erasmus Mundus program LAST-JD (Joint International Ph.D. in Law, Science and Technology) coordinated by the University of Bologna.

Author information


Corresponding author

Correspondence to Rogers Alunge.


Copyright information

© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Alunge, R. (2020). Africa’s Multilateral Legal Framework on Personal Data Security: What Prospects for the Digital Environment?. In: Zitouni, R., Agueh, M., Houngue, P., Soude, H. (eds) e-Infrastructure and e-Services for Developing Countries. AFRICOMM 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 311. Springer, Cham. https://doi.org/10.1007/978-3-030-41593-8_4


  • DOI: https://doi.org/10.1007/978-3-030-41593-8_4


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-41592-1

  • Online ISBN: 978-3-030-41593-8

  • eBook Packages: Computer Science, Computer Science (R0)
