Module 4: Privacy and Security Online
Key principles for data protection
Data protection is one of the primary measures through which the right to privacy is given effect. Data protection laws are aimed at protecting and safeguarding the processing of personal information (or personal data). This refers to any information relating to an identified or identifiable natural person – i.e. the data subject – by which the data subject can be identified, directly or indirectly. A data controller, which can typically be either a public or private body, refers to the person or entity responsible for processing the personal information about the data subject.
In addition to giving effect to the right to privacy, data protection laws also typically facilitate a right of access to information. In this regard, most data protection laws provide for data subjects to request, and be given access to, the information being held about them by a controller. This mechanism can enable data subjects to ascertain whether their personal information is being processed in accordance with the applicable data protection laws, and whether their rights are indeed being upheld.
There have already been a number of African states that have enacted data protection laws, and more that are in the process of doing so. In addition to giving effect to the right to privacy, data protection legislation also has a key role to play in facilitating trade amongst states, as many data protection laws restrict cross-border data transfers in circumstances where the state receiving the information does not provide an adequate level of data protection.
Data Protection Africa
There are currently approximately 32 countries in Africa that either have an existing or draft data protection framework in place or which make reference to data privacy in existing laws. However, even the countries with a data protection framework in place are facing challenges with resource constraints, delayed implementation or a lack of appointment of the regulatory authorities. Key questions to consider that may differ in different jurisdictions include what constitutes personal information in a particular jurisdiction; the exemptions that may apply; the conditions for the lawful process of data; how that data can be transferred across borders; whether breach notification is required, and if so, what requirements apply. For a full review of the data protection landscape in Africa, visit Data Protection Africa: https://dataprotection.africa/.
While there may be differences in different jurisdictions, there are a number of key principles that appear in most data protection frameworks. A useful resource in this regard – compiled as a joint initiative of the Internet Society (ISOC) and the AU – are the Personal Data Protection Guidelines for Africa(1) (Data Protection Guidelines).
As set out in the Data Protection Guidelines, the key privacy principles that appear across most data protection frameworks include the following:(2)
- Collection limitation: Personal data must be obtained and processed lawfully, fairly, and, to the extent possible, transparently.
- Data quality: Personal data must be accurate at the point of collection, and reasonable steps must be taken to ensure its accuracy is maintained over the period of retention.
- Purpose specification: Personal data must be collected only for specified, explicit, and legitimate purposes. Personal data should only be used for such other purposes as are compatible with applicable laws, such as archiving data that is in the public interest, or for scientific research.
- Use limitation: Personal data must not be disclosed, made available, or used for other purposes except with the consent of the individual or where authorised by law.
- Security safeguards: Personal data should be protected by reasonable security safeguards to maintain its integrity and confidentiality.
- Openness: There should be a general policy of openness about developments, practices, and policies with respect to personal data.
- Individual participation: Individuals must have the right to obtain information about their personal data held by others. This data must be provided within a reasonable period of time, in a form that is readily intelligible, and at a cost that is not excessive. Data subjects have the right to challenge their data and to have it amended if it is inaccurate, or erased if that is appropriate.
- Accountability: Those who collect and process personal data must be able to demonstrate their compliance with these principles.
Another key principle of data protection frameworks is that personal data should not be transferred to a country that does not ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.(3)
Cross-border data transfers: The case of Max Schrems
Source: Case No. C-362/14, 6 October 2015, accessible at: http://curia.europa.eu/juris/document/document.jsf?docid=169195&doclang=EN
In Maximillian Schrems v Data Protection Commissioner, Mr Schrems – a European citizen – lodged a complaint with the Irish Data Protection Commissioner that some or all of the data that he had provided to Facebook was transferred from Facebook’s Irish subsidiary to servers located in the United States of America (US), where it was processed. As the US does not have a comprehensive data protection law, Mr Schrems argued that the law and practice in the US did not offer sufficient protection against surveillance by the US public authorities, and did not meet the test for adequacy as contemplated under European law.
The Court of Justice of the European Union (CJEU) upheld the claim, noting that the protective rules laid out in the data sharing arrangement between the European Union (EU) and the US (known as the ‘Safe Harbour Agreement’) could be disregarded by the US where they conflicted with national security, public interest and law enforcement requirements of the US. The CJEU held that any legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the right to privacy. Furthermore, the CJEU was of the view that legislation that does not provide for an individual to pursue legal remedies to access one’s personal information, or to have such information rectified or erased, compromises the essence of the right to effective judicial protection.
Accordingly, the CJEU declared the Safe Harbour Decision invalid, with immediate effect. In line with this judgment, the threshold that has been established for determining the adequacy of protection is to ascertain whether it is “essentially equivalent.”
Regional data protection frameworks in Africa
As noted in the Data Protection Guidelines, in considering the relevant data protection framework, it is necessary to understand the African context and the particular characteristics that arise:(4)
- Significant cultural and legal diversity across the continent, with different privacy expectations.
- Variations in access to technology and online services among member states.
- Sensitivities regarding ethnicity and profiling of citizens without consent.
- Different levels of capability in areas such as technology and technology-related law and governance.
- Risks arising from high dependency on non-African manufacturers and service providers, including the limited ability of African states to influence the behaviour of external service providers, and the potentially increased risk of data misuse where content and services are solely provided by foreign companies.
According to the Data Protection Guidelines, this context presents unique challenges to the enforcement of local data protection laws that may make such enforcement more difficult.
While the AU Data Protection Convention is not yet in force, it still provides useful guidance at the regional level, as well as to states looking to implement data protection frameworks at the domestic level. Chapter II of the AU Data Protection Convention sets out the principles relevant to data protection. As set out in article 8(1), the objective of the AU Data Protection Convention is for each state party to commit itself to establishing a legal framework “aimed at strengthening fundamental rights and public freedoms, particularly the protection of physical data, and punish any violation of privacy with prejudice to the principle of the free flow of personal data.”
- Principle 1: Principle of consent and legitimacy of personal data processing.
- Principle 2: Principle of lawfulness and fairness of personal data processing.
- Principle 3: Principle of purpose, relevance and storage of processed personal data.
- Principle 4: Principle of accuracy of personal data.
- Principle 5: Principle of transparency of personal data processing.
- Principle 6: Principle of confidentiality and security of personal data processing.
Articles 16 to 19 of the AU Data Protection Convention set out the rights of data subjects, namely the right to information; the right of access; the right to object; and the right of rectification or erasure. Articles 20 to 23 go on to set out the obligations of personal data controllers, namely the confidentiality obligations; the security obligations; the storage obligations; and the sustainability obligations.
In respect of cross-border data transfers, article 14(6)(a) provides that: “The data controller shall not transfer personal data to a non-Member State of the African Union unless such a State ensures an adequate level of protection of the privacy, freedoms and fundamental rights of the persons whose data are being or are likely to be processed”. Sub-article (b) goes on to provide that the prohibition does not apply if the data controller has requested authorisation for the transfer from the relevant data protection authority before the data has been transferred.
Processing for journalistic, research, artistic or literary purposes
Article 14(3) of the AU Data Protection Convention provides for a specific exemption that applies to the processing of personal data for journalistic, research, artistic or literary purposes. It provides that: “Personal data processing for journalistic purposes or for the purposes of research or artistic or literary expression shall be acceptable where the processing is solely for literary or artistic expression or for professional exercise of journalistic or research activity, in accordance with the code of conduct of these professions.”
Article 14(4) goes on to the provide that the provisions of the AU Data Protection Convention “shall not preclude the application of national legislations with regard to the print media or the audio-visual sector, as well as the provisions of the criminal code which provide for the conditions for exercise of the right of reply, and which prevent, limit, compensate for and, where necessary, repress breaches of privacy and damage to personal reputation.”
Extra-territorial application of data protection frameworks in Europe
There are two key European instruments in respect of data protection that have extra-territorial application for African states. The first is the Convention for the Protection of Individuals with regard to the Processing of Personal Data(6) – commonly referred to as Convention 108 – which is an instrument of the Council of Europe (COE). Convention 108 opened for signature on 28 January 1981, and was the first legally binding instrument in the data protection field.(7) The purpose of Convention 108 is to “protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy”.(8) Convention 108 provides for the free flow of personal data between states parties to the Convention.
A key feature of Convention 108 is that, in addition to the members of the COE, it also provides that non-European states may accede to it. For example, in the African context, Cape Verde, Mauritius and Senegal have all acceded to it. This is of relevance for several reasons: it is a recognition of the adequacy of their data protection frameworks; it adds an additional bulwark of protection of persons within those states; and it can serve to facilitate cross-border data transfers between those African states and Europe. Convention 108 remains open for accession to other African states that may meet the necessary requirements.
Modernisation of Convention 108
In May 2018, the COE published Convention 108+, in an effort to update and modernise Convention 108. Key issues for consideration in this regard were the automatic processing of personal data and cross-border data transfers. As noted in the explanatory report to Convention 108+: “In the 35 years that have elapsed since the Convention for the Protection of Individuals with regard to Automated Processing of Personal Data, also known as Convention 108 (hereafter also referred to as “the Convention”) was opened for signature, the Convention has served as the foundation for international data protection law in over 40 European countries. It has also influenced policy and legislation far beyond Europe’s shores. With new challenges to human rights and fundamental freedoms, notably to the right to private life, arising every day, it appeared clear that the Convention should be modernised in order to better address emerging privacy challenges resulting from the increasing use of new information and communication technologies (IT), the globalisation of processing operations and the ever greater flows of personal data, and, at the same time, to strengthen the Convention’s evaluation and follow-up mechanism.”
The second key instrument is the European Union General Data Protection Regulation 2016/679(9) (GDPR). The GDPR is applicable to all member states of the EU as of 25 May 2018 and is an effort to harmonise all data protection laws across Europe. As explained in article 1 of the GDPR, its purpose is to lay down rules relating to the protection of natural persons with regard to the processing of personal data, as well as rules relating to the free movement of personal data. In particular, article 1(2) makes clear that the GDPR is intended to protect “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”.
Chapter II of the GDPR sets out the following principles:
- Article 5: Principles relating to the processing of personal data.
- Article 6: Lawfulness of processing.
- Article 7: Conditions for consent.
- Article 8: Conditions applicable to a child’s consent in relation to information society services.
- Article 9: Processing of special categories of personal data.
- Article 10: Processing of personal data relating to criminal convictions and offences.
- Article 11: Processing which does not require identification.
The conditions for consent bear special emphasis. Importantly, the data controller bears the burden of demonstrating that the data subject has consented to the processing of his or her personal data.(10) Where written consent is sought, the GDPR provides that this request for consent “shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language” in order for it to be binding.(11) The data subject has the right to withdraw consent at any time, and it is required that it be made as easy to withdraw consent as it is to give consent.(12) Added to this, the GDPR provides that when assessing whether consent is freely given, utmost account must be taken of whether the performance of a contract or provision of a service “is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.(13)
A unique and notable inclusion in the GDPR is that it seeks to apply extra-territorially, to data controllers that are not established in the EU, regardless of whether the processing takes place in the EU or not. In this regard, article 3 of the GDPR provides as follows:
“(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”
Recital 23 to the GDPR explains that the purpose of this provision is to ensure that natural persons are not deprived of the protection to which they are entitled under the GDPR. In respect of article 3(2)(a) of the GDPR, recital 23 explains as follows:
“In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
Recital 24 to the GDPR goes on to provide an explanation of article 3(2)(b) of the GDPR. It explains that: “In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
The failure to comply with the GDPR carries with it significant penalties, including administrative fines of up to €20 000 or 4% of the total worldwide annual turnover of the preceding year, whichever is higher.(14)
Representation of data subjects in terms of the GDPR
Article 80 of the GDPR deals with the representation of data subjects. Article 80(1) provides that a data subject has a right to mandate a not-for-profit body, organisation or association – which has been properly constituted within the law of a member state, has statutory objectives in the public interest and is active in the field of data protection – to exercise the data subject’s rights on his or her behalf. This opens the door for class action litigation to be brought as a result of an infringement of a provision of the GDPR.
Article 80(2) further gives member states the option to allow anybody, organisation or association referred to in article 80(1) to lodge a complaint independently of a data subject’s mandate, if it appears that there has been an infringement of a right as a result of data processing. However, as explained in recital 142, that body, organisation or association may not be allowed to claim compensation on a data subject’s behalf independently of the data subject’s mandate.
Use of data protection authorities to vindicate the right to privacy
Data protection frameworks typically provide for the establishment of a data protection authority (DPA) to oversee and enforce the relevant framework. Such DPAs are typically given a range of powers, including to be notified in the event of a data breach, to adjudicate complaints and to impose penalties where a data controller is found to be non-compliant with the data protection framework.
In states with established DPAs, it should be noted that this may be an avenue to vindicate the right to privacy. In the event of a data breach or another infringement of the data protection framework, data subjects may be assisted with lodging complaints to the relevant DPA. This quasi-judicial forum can present a relatively quick and cost-effective remedy for the data subject.