Module 4: Privacy and Security Online
Key principles for data protection
Data protection is one of the primary measures through which the right to privacy is given effect. Data protection laws are aimed at protecting and safeguarding the processing of personal information (or personal data).
Although the specific definitions and terms may vary, most data protection laws set out similar basic concepts:
- Personal information or an equivalent term generally refers to any information relating to an identified or identifiable natural person which can be used to identify them, whether directly or indirectly, such as their name, contact details, age, race, gender, sexual orientation, health information, financial information, employment details, political or religious views, or biometric information.
- A data subject is any person to whom this information relates – in other words, a person whose rights are at stake.
- A data controller, which can typically be either a public or private body, is the person or entity responsible for processing the personal information about the data subject.
- Processing usually refers to a wide range of actions that can be performed on personal information including collection, organisation, storage, alteration, retrieval, sending, or deletion, and includes both manual and automated means.
- A data protection authority is a type of independent authority or public body established to monitor and enforce compliance with a data protection framework. This module explores data protection authorities in more detail below under Use of data protection authorities to vindicate the right to privacy.
While there may be differences across jurisdictions, there are also a number of governing principles that appear in most data protection frameworks. The Personal Data Protection Guidelines for Africa(1) (Data Protection Guidelines), a joint initiative of the Internet Society (ISOC) and the AU, sets out key data protection principles that appear across most frameworks:(2)
- Collection limitation: Personal data must be obtained and processed lawfully, fairly, and, to the extent possible, transparently.
- Data quality: Personal data must be accurate at the point of collection, and reasonable steps must be taken to ensure its accuracy is maintained over the period of retention.
- Purpose specification: Personal data must be collected only for specified, explicit, and legitimate purposes. Personal data should only be used for such other purposes as are compatible with applicable laws, such as archiving data that is in the public interest, or for scientific research.
- Use limitation: Personal data must not be disclosed, made available, or used for other purposes except with the consent of the individual or where authorised by law.
- Security safeguards: Personal data should be protected by reasonable security safeguards to maintain its integrity and confidentiality.
- Openness: There should be a general policy of openness about developments, practices, and policies with respect to personal data.
- Individual participation: Individuals must have the right to obtain information about their personal data held by others. This data must be provided within a reasonable period of time, in a form that is readily intelligible, and at a cost that is not excessive. Data subjects have the right to challenge their data and to have it amended if it is inaccurate, or erased if that is appropriate.
- Accountability: Those who collect and process personal data must be able to demonstrate their compliance with these principles.
In addition to giving effect to the right to privacy, data protection laws also typically facilitate a right of access to information. Most data protection laws provide for data subjects to request and be given access to the information being held about them by a controller. This mechanism can enable data subjects to determine whether their personal information is being processed in line with applicable data protection laws and whether their rights are being upheld. Another key principle of data protection frameworks is that personal data should not be transferred to a country that does not ensure an adequate level of protection for the rights and freedoms of data subjects when it comes to the processing of personal information.(3)
Cross-border data transfers: The case of Max Schrems
Source: Case No. C-362/14, 6 October 2015, accessible at: http://curia.europa.eu/juris/document/document.jsf?docid=169195&doclang=EN
In Maximillian Schrems v Data Protection Commissioner, Mr Schrems – a European citizen – lodged a complaint with the Irish Data Protection Commissioner that some or all of the data that he had provided to Facebook was transferred from Facebook’s Irish subsidiary to servers located in the United States of America (US), where it was processed. As the US does not have a comprehensive data protection law, Mr Schrems argued that the law and practice in the US did not offer sufficient protection against surveillance by the US public authorities and did not meet the test for adequacy as contemplated under European law.
The Court of Justice of the European Union (CJEU) upheld the claim, noting that the protective rules laid out in the data sharing arrangement between the European Union (EU) and the US (known as the ‘Safe Harbour Agreement’) could be disregarded by the US where they conflicted with national security, public interest and law enforcement requirements of the US. The CJEU held that any legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the right to privacy. Furthermore, the CJEU found that legislation that does not provide for an individual to pursue legal remedies to access their personal information, or to have such information rectified or erased, compromises the essence of the right to effective judicial protection.
Accordingly, the CJEU declared the Safe Harbour Decision invalid, with immediate effect. In line with this judgment, the threshold that has been established for determining the adequacy of protection is to ascertain whether it is “essentially equivalent.”
This decision was subsequently followed by another, dubbed ‘Schrems II’, which speaks to the use of “standard contractual clauses” to transfer data between Europe and the US.
Data protection frameworks in Africa
A growing number of African states have enacted data protection laws, and more are in the process of doing so. In addition to giving effect to the right to privacy, data protection legislation also has a key role to play in facilitating trade amongst states, as many data protection laws restrict cross-border data transfers in circumstances where the state receiving the information does not provide an adequate level of data protection.
Data Protection Africa
Many countries in Africa have either an existing or draft data protection framework in place or make reference to data privacy in other sectoral laws. However, even countries with a data protection framework in place are facing challenges with resource constraints, delayed implementation, or a failure to appoint or capacitate the regulatory authorities. Key questions to consider that may differ across jurisdictions include what constitutes personal information in a particular jurisdiction; the exemptions that may apply; the conditions for the lawful processing of data; how that data can be transferred across borders; whether breach notification is required, and if so, what requirements apply.
For a full overview of the data protection landscape in Africa, visit Data Protection Africa: https://dataprotection.africa/.
As noted in the Data Protection Guidelines, in considering the relevant data protection framework, it is necessary to understand the African context and the particular characteristics that arise:(4)
- Significant cultural and legal diversity across the continent, with different privacy expectations.
- Variations in access to technology and online services among member states.
- Sensitivities regarding ethnicity and profiling of citizens without consent.
- Different levels of capability in areas such as technology and technology-related law and governance.
- Risks arising from high dependency on non-African manufacturers and service providers, including the limited ability of African states to influence the behaviour of external service providers, and the potentially increased risk of data misuse where content and services are solely provided by foreign companies.
According to the Data Protection Guidelines, this context presents unique challenges to the enforcement of local data protection laws that may make such enforcement more difficult.
While the Malabo Convention(5) is not yet in force, it still provides useful guidance at the regional level to states looking to implement data protection frameworks at the domestic level. Chapter II of the Malabo Convention sets out the principles relevant to data protection. As set out in article 8(1), the objective of the Convention is for each state party to commit itself to establish a legal framework “aimed at strengthening fundamental rights and public freedoms, particularly the protection of physical data, and punish any violation of privacy with prejudice to the principle of the free flow of personal data.”
- Principle 1: Principle of consent and legitimacy of personal data processing.
- Principle 2: Principle of lawfulness and fairness of personal data processing.
- Principle 3: Principle of purpose, relevance and storage of processed personal data.
- Principle 4: Principle of accuracy of personal data.
- Principle 5: Principle of transparency of personal data processing.
- Principle 6: Principle of confidentiality and security of personal data processing.
Articles 16 to 19 of the Malabo Convention set out the rights of data subjects, namely the right to information; the right of access; the right to object; and the right of rectification or erasure. Articles 20 to 23 go on to set out the obligations of personal data controllers, namely the confidentiality obligations; the security obligations; the storage obligations; and the sustainability obligations.
In respect of cross-border data transfers, article 14(6)(a) provides that: “The data controller shall not transfer personal data to a non-Member State of the African Union unless such a State ensures an adequate level of protection of the privacy, freedoms and fundamental rights of the persons whose data are being or are likely to be processed”. Sub-article (b) goes on to provide that the prohibition does not apply if the data controller has requested authorisation for the transfer from the relevant data protection authority before the data has been transferred.
Processing for journalistic, research, artistic or literary purposes
Article 14(3) of the Malabo Convention provides for a specific exemption that applies to the processing of personal data for journalistic, research, artistic or literary purposes. It provides that: “Personal data processing for journalistic purposes or for the purposes of research or artistic or literary expression shall be acceptable where the processing is solely for literary or artistic expression or for professional exercise of journalistic or research activity, in accordance with the code of conduct of these professions.”
Article 14(4) goes on to provide that the provisions of the Convention “shall not preclude the application of national legislations with regard to the print media or the audio-visual sector, as well as the provisions of the criminal code which provide for the conditions for exercise of the right of reply, and which prevent, limit, compensate for and, where necessary, repress breaches of privacy and damage to personal reputation.”
Extra-territorial application of data protection frameworks in Europe
There are two key European instruments in respect of data protection that have extra-territorial application for African states: Convention 108 and the GDPR.
The Convention for the Protection of Individuals with regard to the Processing of Personal Data(7) – commonly referred to as Convention 108 – is an instrument of the Council of Europe (COE). Convention 108 opened for signature in 1981 and was the first legally binding instrument in the data protection field.(8) The purpose of Convention 108 is to “protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy”.(9) Convention 108 provides for the free flow of personal data between state parties to the Convention.
A key feature of Convention 108 is that, in addition to the members of the COE, it also provides that non-European states may accede to it. For example, in the African context, Cape Verde, Mauritius, and Senegal have all acceded to it. This is of relevance for several reasons: it is a recognition of the adequacy of their data protection frameworks; it adds an additional bulwark of protection for persons within those states; and it can serve to facilitate cross-border data transfers between those African states and Europe. Convention 108 remains open for accession to other African states that meet the necessary requirements.
Modernisation of Convention 108
In May 2018, the COE published Convention 108+, in an effort to update and modernise Convention 108 given that it was opened for signature over 35 years previously. The modernisation effort gives new consideration to automated processing, cross-border data flows, and the need to strengthen the Convention’s evaluation and follow-up mechanisms.
The second key instrument, the European Union General Data Protection Regulation 2016/679(10) (GDPR), is an effort to harmonise all data protection laws across the European Union and has been applicable to all EU member states since 25 May 2018. As explained in article 1 of the GDPR, its purpose is to lay down rules relating to the protection of natural persons with regard to the processing of personal data, as well as rules relating to the free movement of personal data. In particular, article 1(2) makes clear that the GDPR is intended to protect “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”.
Chapter II of the GDPR sets out the following principles:
- Article 5: Principles relating to the processing of personal data.
- Article 6: Lawfulness of processing.
- Article 7: Conditions for consent.
- Article 8: Conditions applicable to a child’s consent in relation to information society services.
- Article 9: Processing of special categories of personal data.
- Article 10: Processing of personal data relating to criminal convictions and offences.
- Article 11: Processing which does not require identification.
The conditions for consent bear special emphasis. Importantly, the data controller bears the burden of demonstrating that the data subject has consented to the processing of his or her personal data.(11) Where written consent is sought, the GDPR provides that this request for consent “shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language” in order for it to be binding.(12) The data subject has the right to withdraw consent at any time, and it is required that it be made as easy to withdraw consent as it is to give consent.(13) Added to this, the GDPR provides that when assessing whether consent is freely given, utmost account must be taken of whether the performance of a contract or provision of a service “is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.(14)
A unique and notable inclusion in the GDPR is that, per Article 3, it seeks to apply extra-territorially, to data controllers that are not established in the EU, regardless of whether the processing takes place in the EU or not.
Failure to comply with the GDPR carries significant penalties, including administrative fines of up to €20 000 or 4% of the transgressor’s total worldwide turnover of the preceding year, whichever is higher.(15)
Representation of data subjects in terms of the GDPR
Article 80 of the GDPR deals with the representation of data subjects. Article 80(1) provides that a data subject has a right to mandate a not-for-profit body, organisation or association – which has been properly constituted within the law of a member state, has statutory objectives in the public interest and is active in the field of data protection – to exercise the data subject’s rights on his or her behalf. This opens the door for class action litigation to be brought as a result of an infringement of a provision of the GDPR.
Article 80(2) further gives member states the option to allow any body, organisation or association referred to in article 80(1) to lodge a complaint independently of a data subject’s mandate, if it appears that there has been an infringement of a right as a result of data processing. However, as explained in recital 142, that body, organisation, or association may not be allowed to claim compensation on a data subject’s behalf independently of the data subject’s mandate.
Use of data protection authorities to vindicate the right to privacy
Data protection frameworks typically provide for the establishment of a data protection authority (DPA) to oversee and enforce the relevant framework. Such DPAs are typically given a range of powers, including to be notified in the event of a data breach, to adjudicate complaints, and to impose penalties where a data controller is found to be non-compliant with the data protection framework.
In states with established DPAs, this may be an avenue to vindicate the right to privacy. In the event of a data breach or another infringement of the data protection framework, data subjects may be assisted with lodging complaints to the relevant DPA. This quasi-judicial forum can present a relatively quick and cost-effective remedy for the data subject.
Data protection litigation in Africa
Because many data protection laws, and accompanying authorities, are relatively new in Africa, and have often faced implementation challenges, there has been limited data protection litigation on the continent to date. However, cases are beginning to appear from various countries, setting a reassuring precedent for the protection of human rights.
- In Ghana, lawyer Francis Kwarteng Arthur filed a suit challenging the government’s collection of personal data from mobile phone subscribers. In August 2021, the High Court ruled that the National Communications Authority (NCA) had to stop collecting personal information from mobile phone subscribers and ordered the government to delete data already collected within fourteen days of the judgement.(16)
- In Kenya, a series of successful legal challenges to a new national biometric identity programme, known as the Huduma Namba, led to the courts ordering delays and conditions to the programme’s rollout.