Why Africa’s private sector should be concerned about more than the GDPR

The European Union General Data Protection Regulation (GDPR) has generated strong interest in Africa’s private sector. However, the bigger picture shows massive gaps across Africa’s data privacy landscape. This article highlights some of the key challenges that could stifle Africa’s adoption of leading international good practice regarding data protection and privacy.

globe
Pixabay (Creative Commons BY or BY-SA)

After landing at Nigeria’s Murtala Muhammed International Airport Lagos and successfully navigating your way past border control and luggage collection, you have the chance to purchase a subscriber identification module (SIM) card in the arrival hall on the landside.

Welcome! Can we have your fingerprints please?

Before you can start using any of the voice and data services provided by any one of Nigeria’s multiple telecoms networks however, the law requires that you register your SIM card. This process involves the collection of multiple personal data elements including your fingerprints, a facial image, mother’s maiden name, gender, date of birth and a physical address.

There is no information provided to the subscriber about the security or privacy of the data being collected; a source of concern to anyone remotely concerned about data privacy.

In 2011, as part of efforts to combat crime and identity fraud and improve public safety, the local telecoms regulator, the Nigerian Communications Commission (NCC) ordered local operators to register existing and newly issued SIM cards. That began a multi-year project which included collecting biometric data from tens of millions of subscribers.

Interestingly, one of the objectives of the NCC’s SIM card registration exercise was to provide a reliable national identification database that could support the identity verification requirements of other government agencies including the Federal Road Safety Commission (FRSC), National Identity Management Commission (NIMC), and the Independent National Electoral Commission (INEC).

Unfortunately, as is usually the case in Nigeria and many parts of Africa, policy formulation does not always translate into effective policy execution. Not only is phone related crime still a problem in Nigeria, but the lack of harmonized policies meant that other government agencies and private organizations that could have relied on the NCC’s database went ahead with duplicate national identification projects of their own.

In fact, within the last decade, Nigerians have had to give up the same biometric data to obtain passports, drivers’ licenses, national identity cards and bank verification.

The general state of data privacy and protection in Africa

In this Nigerian example, concerns have since arisen about the security and quality of personal data collected by various public and private organizations.

More concerning is the absence of transparency over the collection, use, accuracy, storage and transfer of sensitive biometric data from both data controllers and processors.

How is it that sensitive personal data can be exposed in this way? The root cause is the absence of an enabling legal or regulatory framework. Even though Section 37 of the Nigerian Constitution broadly guarantees the protection of the privacy of her citizens, comprehensive data privacy and data protection law is yet to be enacted.

The Nigerian situation is far from being an isolated case in Africa. Numerous examples involving the potential misuse or exposure of personal data exist across the continent, many involving biometric data.

In 2016, Privacy International and ARTICLE 19 made a submission to Ghana’s Parliament, urging them to reconsider the privacy issues surrounding a new surveillance bill involving mass personal data collection which was being rushed through.

In 2017, security researcher Troy Hunt described his research into a database containing the personal data of a large percentage of South Africa’s population that somehow ended up being exposed online.

More recently, in Kenya, the Centre for Intellectual Property and Information Technology Law at Strathmore University raised privacy concerns about the misuse of biometric data collected by the country’s Independent Electoral and Boundaries Commission (IEBC).

Some challenges are not easy to overcome

Some member states of the African Union (AU) are signatories to the 2014 AU Convention on Cyber Security and Personal Data Protection. However, the Convention is not enforceable without enablement through local legislation in those countries, many of whom have laws stuck in various bureaucratic processes.

In addition to the legal and regulatory gap highlighted above, inharmonious government policies, weak law enforcement capability, ill-conceived public-private partnerships and self-serving mass surveillance projects further exacerbate the problems surrounding data privacy in Africa.

There is also the issue of awareness (or the lack of it). In many African countries, even where laws exist, data subjects are often unaware of their privacy rights or are unaware of options for recourse in situations where their rights and freedoms have been abused. This problem was highlighted in research conducted by the World Wide Web Foundation and The Paradigm Initiative which highlighted the need to raise public awareness through civil society groups.

Another challenge is the weakness or underfunding (where they exist) of the institutions responsible for regulation and enforcement.

In many industries in Africa, it is not uncommon for private sector organizations to be proactive where government policy is unclear or non-existent. However, situations where the private sector funds local regulator activities could result in a lack of independence and impartiality when adjudicating on privacy matters.

Lastly, the human angle cannot be ignored. Discussing personal attitudes toward privacy with a leading risk management professional in Nigeria, he put things in perspective by pointing out that more pressing socio-economic issues have reduced concerns about the subject to a level of apathy. Inevitably, cultural attitudes towards privacy are shaped by environmental factors.

Technology growth inspires optimism and opportunities

Observers of development in Africa, a continent of over 1 billion people, have reason to be optimistic about the potential of technology to transform the continent’s economies.

Worldwide, international internet capacity growth continues to slow down. However, in Africa the growth rate is exponential. Notably, the penetration of cloud technology is helping to improve efficiency in Africa’s public and private sectors while the explosive growth of mobile payment platforms in countries like Kenya and Zimbabwe is driving social inclusion and enabling effective digital service delivery channels.

However, while technology creates new opportunities it also introduces concerns. For example the recent Cambridge Analytica scandal cast a shadow over the personal data of Facebook’s over 170 million subscribers on the continent.

There is some hope that as technology penetration continues to increase, more opportunities will arise to push for better legislation and public awareness about data privacy.

Africa’s businesses should be concerned about more than just the GDPR

While international privacy laws like the GDPR have generated strong interest in Africa’s private sector, changing the landscape of data privacy across Africa must begin with enshrining this fundamental human right within federal and state laws.

While there is evidence of progress with regard to privacy legislation (South Africa recently enacted into the law the Protection of Personal Information Act (POPI Act)), there is still a huge disparity across the continent’s 54 countries.

Africa’s private sector, who are typically miles ahead of government policy anyway, can leverage leading international data protection practice (e.g., the GDPR) to build trust and protect the privacy rights of the customers and communities they serve.

Although the applicability of the GDPR in Africa is limited to businesses processing the personal data of (or targeting their goods or services at) EU data subjects, there are many other data controller/data processor scenarios to consider. For example, the GDPR will apply to data processed about Africans living in Africa (data subjects) whose data is processed by establishments in the EU.

However, before getting tied up in knots about complying with the GDPR, Africa's businesses should start by asking tough questions about their own stewardship of the personal data of African data subjects and their role in protecting the rights and freedoms of their customers and employees.

In a 2018 joint initiative, the Internet Society and the Commission of the AU published Personal Data Protection Guidelines for Africa. This document seeks to facilitate the implementation of the 2014 Convention. It claims to take into account, “the significant cultural and legal diversity across the continent”.

Despite needing a privacy foundation to facilitate digital growth, awareness and uptake of these guidelines remains low across the continent. Privacy law and guidance designed for Africa and with an African context is a good place to begin for the vast number of organisations not affected by the GDPR.

Social media evidence suggests that the GDPR has reenergized the conversation about privacy across Africa.

While laws need to catch up with private sector movement in this space, on their own they are insufficient. Legal frameworks must be supplemented by public awareness and this is where civil society and consumer advocacy groups have a key role to play.

Perhaps next time I need to get a SIM card in Nigeria, my questions about the privacy of my data will not be met with blank looks and deafening silence.

This article is published as part of the IDG Contributor Network. Want to Join?

NEW! Download the Winter 2018 issue of Security Smart