Abstract
As the African continent continues to embrace technological innovations and corresponding infrastructures such as the Internet of Things, concerns have been raised about the security risks to critical ICT network infrastructures on the continent, as well as about safeguarding the fundamental rights of Africans through the protection of their personal data, especially data shared online. One such concern is personal data security, which becomes more crucial as huge amounts of sensitive personal data are increasingly generated across the continent, especially with the proliferation of mobile banking. In response to these developments, African intergovernmental organizations have developed legal frameworks on personal data protection: the Economic Community of West African States (ECOWAS) has adopted a Supplementary Data Protection Act, while the African Union (AU) has adopted a Convention on Cyber Security and Personal Data Protection. However, while other aspects of data protection law are more or less addressed in these instruments, relatively little attention is paid to managing and safeguarding personal data security.
This paper presents a critique of the state of personal data security regulation and online trustworthiness in Africa, and strives to show that the above African instruments do not provide a satisfactory response to the personal data security challenges Africa currently faces. Both instruments can hardly be said to ensure a trustworthy environment for data sharing, as they lack essential pre-breach and post-breach regulation mechanisms, including breach reporting, liability for mismanagement of personal data and available remedies for affected data subjects. The paper concludes by recommending that these deficiencies be addressed in additional protocols to these instruments or in relevant future texts.
Notes
1. ITU GLOBAL AND REGIONAL ICT DATA, retrieved from https://www.itu.int/en/ITUD/Statistics/Documents/statistics/2018/ITU_Key_2005-2018_ICT_data_with%20LDCs_rev27Nov2018.xls. Accessed 5/5/2019.
2. Defined by Stuckmann, Peter, and Rainer Zimmermann in: “European research on future internet design.” IEEE Wireless Communications 16, no. 5 (2009): 14 as a “world-wide network of uniquely addressable and interconnected objects, based on standard communication protocols”. This enables applications involving real-world objects, but also business applications based on network-assisted machine-to-machine interaction.
3. The Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28th January 1981.
4. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
5. Economic Community of West African States.
6. The Organisation for Economic Cooperation and Development.
7. Article 4(1), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation (GDPR)).
8. Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data (Adopted on 20th June 2007).
9. See the OECD Privacy Framework. Retrieved from http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf. Accessed 2/11/2019. Page 20.
10. Article 8 of the European Convention on Human Rights of 4 November 1950.
11. See the White House, ‘Executive Office of the President. Big Data: Seizing Opportunities, Preserving Values’ (2014). 55–56. http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf. Accessed 2/11/2019.
12. European Commission Joint Statement on the final adoption of the new EU rules for personal data protection. (Brussels, 14 April 2016). Available at https://europa.eu/rapid/press-release_STATEMENT-16-1403_de.htm. Accessed on 3/6/2019. Also see Recital 7 of the GDPR.
13. See Article 5, GDPR.
14. Article 2(i) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
15. See UNCTAD. (2018) Cybercrime Laws. [online] Available from: http://www.unctad.org/en/Docs/Cyberlaw/CC.xlsx [Accessed on 6 June 2018]. See ITU. (2018) Cybersecurity Country Profiles. [online] Available from: https://www.itu/en/ITU-D/Cybersecurity/Documents/CountryProfiles/ [Accessed 6 June 2019].
16. For example Article 12 of the 1996 Constitution of Cameroon, Article 28 of the revised 1992 Constitution of the Republic of Togo, Article 31 of the 2010 Constitution of the Republic of Togo.
17. Paragraph 14 of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (hereinafter the OECD Data Protection Guidelines). Also Article 5(2) of the EU GDPR.
18. Established by the Treaty of Lagos on 28 May 1975, ECOWAS is the main intergovernmental organization of West Africa, currently comprising 15 sovereign West African States, namely: Benin, Burkina Faso, Cape Verde, Cote d’Ivoire, the Gambia, Ghana, Guinea, Guinea-Bissau, Liberia, Mali, Niger, Nigeria, Senegal, Sierra Leone and Togo (www.ecowas.int).
19. Benin, Burkina Faso, Cape Verde, Cote d’Ivoire, Gambia, Ghana, Guinea, Guinea Bissau, Liberia, Mali, Niger, Nigeria, Senegal, Sierra Leone and Togo.
20. Treaty of ECOWAS (28 May 1975) 14 ILM 1200; revised 24 July 1993, 35 ILM 660, (1996).
21. Paragraph 10, Preamble, ECOWAS Data Protection Act.
22. Paragraphs 8–11, Preamble, ECOWAS Data Protection Act.
23. See for example Section 12 of the Constitution of the Federal Republic of Nigeria.
24. Preamble, Additional Protocol to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows.
25. See the EU Article 29 Working Party Opinion 03/2014 on Personal Data Breach Notification (WP213), p. 3.
26. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
27. European Commission, Commission Staff Working Paper SEC (2012) 72 final. Impact Assessment Accompanying the General Data Protection Regulation (2012) p. 100.
28. The principle of accountability requires controllers to be able to actively demonstrate compliance with personal data protection rules without waiting for data subjects or supervisory authorities to point out shortcomings.
29. Recital 46 of EU Directive 95/46/EC, adopted on 24th October 1995, requires that data security measures be taken at the time of designing the processing system as well as during processing itself.
30. See for example Article 25 of the Ghanaian Data Protection Act 2012 and Article 41 of the Kenyan Data Protection Bill 2019.
31. Also see Article 32 GDPR.
32. See Recital 100 GDPR.
33. See for example Recital 55 of the 1995 European Data Protection Directive.
Acknowledgments
This research is funded by the Erasmus Mundus program LAST-JD (Joint International Ph.D. in Law, Science and Technology) coordinated by the University of Bologna.
Copyright information
© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Alunge, R. (2020). Africa’s Multilateral Legal Framework on Personal Data Security: What Prospects for the Digital Environment?. In: Zitouni, R., Agueh, M., Houngue, P., Soude, H. (eds) e-Infrastructure and e-Services for Developing Countries. AFRICOMM 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 311. Springer, Cham. https://doi.org/10.1007/978-3-030-41593-8_4
DOI: https://doi.org/10.1007/978-3-030-41593-8_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41592-1
Online ISBN: 978-3-030-41593-8
eBook Packages: Computer Science, Computer Science (R0)