
    Data Protection

    Module 4: Privacy and Security Online

    Key principles for data protection

    Data protection is one of the primary measures through which the right to privacy is given effect. Data protection laws are aimed at protecting and safeguarding the processing of personal information (or personal data).

    Although the specific definitions and terms may vary, most data protection laws set out similar basic concepts:

    • Personal information or an equivalent term generally refers to any information relating to an identified or identifiable natural person which can be used to identify them, whether directly or indirectly, such as their name, contact details, age, race, gender, sexual orientation, health information, financial information, employment details, political or religious views, or biometric information.
    • A data subject is any person to whom this information relates – in other words, a person whose rights are at stake.
    • A data controller, which can typically be either a public or private body, is the person or entity responsible for processing the personal information about the data subject.
    • Processing usually refers to a wide range of actions that can be performed on personal information including collection, organisation, storage, alteration, retrieval, sending, or deletion, and includes both manual and automated means.
    • A data protection authority is an independent authority or public body established to monitor and enforce compliance with a data protection framework. This module explores data protection authorities in more detail below, under ‘Use of data protection authorities to vindicate the right to privacy’.

    While there may be differences across jurisdictions, there are also several governing principles that appear in most data protection frameworks. The Personal Data Protection Guidelines for Africa(1) (Data Protection Guidelines), a joint initiative of the Internet Society (ISOC) and the AU, sets out key data protection principles that appear across most frameworks:(2)

    • Collection limitation: Personal data must be obtained and processed lawfully, fairly, and, to the extent possible, transparently.
    • Data Quality: Personal data must be accurate at the point of collection, and reasonable steps must be taken to ensure its accuracy is maintained over the period of retention.
    • Purpose specification: Personal data must be collected only for specified, explicit, and legitimate purposes. Personal data should only be used for such other purposes as are compatible with applicable laws, such as archiving data that is in the public interest, or for scientific research.
    • Use limitation: Personal data must not be disclosed, made available, or used for other purposes except with the consent of the individual or where authorised by law.
    • Security safeguards: Personal data should be protected by reasonable security safeguards to maintain its integrity and confidentiality.
    • Openness: There should be a general policy of openness about developments, practices, and policies with respect to personal data.
    • Individual participation: Individuals must have the right to obtain information about their personal data held by others. This data must be provided within a reasonable period of time, in a form that is readily intelligible, and at a cost that is not excessive. Data subjects have the right to challenge their data and to have it amended if it is inaccurate, or erased if that is appropriate.
    • Accountability: Those who collect and process personal data must be able to demonstrate their compliance with these principles.

    In addition to giving effect to the right to privacy, data protection laws also typically facilitate a right of access to information. Most data protection laws provide for data subjects to request and be given access to the information being held about them by a controller. This mechanism can enable data subjects to determine whether their personal information is being processed in line with applicable data protection laws and whether their rights are being upheld.

    Another key principle of data protection frameworks is that personal data should not be transferred to a country that does not ensure an adequate level of protection for the rights and freedoms of data subjects when it comes to the processing of personal information.(3)

    Cross-border data transfers: The case of Max Schrems

    In Maximillian Schrems v Data Protection Commissioner, Mr Schrems – a European citizen – lodged a complaint with the Irish Data Protection Commissioner that some or all of the data that he had provided to Facebook was transferred from Facebook’s Irish subsidiary to servers located in the United States of America (US), where it was processed. As the US does not have a comprehensive data protection law, Mr Schrems argued that the law and practice in the US did not offer sufficient protection against surveillance by the US public authorities and did not meet the test for adequacy as contemplated under European law.

    The Court of Justice of the European Union (CJEU) upheld the claim, noting that the protective rules laid out in the data sharing arrangement between the European Union (EU) and the US (known as the ‘Safe Harbour Agreement’) could be disregarded by the US where they conflicted with national security, public interest and law enforcement requirements of the US. The CJEU held that any legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the right to privacy. Furthermore, the CJEU found that legislation that does not provide for an individual to pursue legal remedies to access their personal information, or to have such information rectified or erased, compromises the essence of the right to effective judicial protection.

    Accordingly, the CJEU declared the Safe Harbour Decision invalid, with immediate effect. In line with this judgment, the threshold that has been established for determining the adequacy of protection is to ascertain whether it is “essentially equivalent.”

    This decision was subsequently followed up by another dubbed ‘Schrems II’ which speaks to the use of “standard contractual clauses” to transfer data between Europe and the US.

    In 2023, Ireland’s Data Protection Commissioner (DPC) issued Meta (formerly Facebook) a substantial $1.3 billion fine for actively breaching the EU’s data privacy laws, particularly regarding the transfer of data across borders.(4) This penalty stands out as one of the most significant regulatory actions under the General Data Protection Regulation (GDPR) in the five years since its enactment. Meta was given a five-month grace period to halt the transfer of data collected from European Facebook users to the US. Additionally, within six months of the DPC’s notification to Meta, the company must cease the unlawful processing and storage of personal data in the US. However, this ruling does not affect data transfers on Instagram and WhatsApp, other major platforms owned by Meta. Meta has stated its intention to appeal the decision and the fine, deeming them unjustified and unnecessary. The ruling emphasised that Meta violated Article 46(1) of the GDPR by persisting in cross-border data transfers from the EU/EEA to the US, contrary to the European Court of Justice’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II).

    Data protection frameworks in Africa

    A growing number of African states have enacted data protection laws, and more are in the process of doing so. In addition to giving effect to the right to privacy, data protection legislation also has a key role to play in facilitating trade amongst states, as many data protection laws restrict cross-border data transfers in circumstances where the state receiving the information does not provide an adequate level of data protection.

    Data protection in Africa

    As of January 2024, 36 out of 55 African countries (65%) have implemented data protection laws, marking significant progress. Additionally, three countries (Ethiopia, Namibia, and Malawi) are currently considering draft legislation in this regard. However, 16 countries (29%) in Africa have yet to make headway in enacting data protection laws, highlighting an area for improvement. Over the past decade, there has been a notable increase in the adoption of data protection laws across Africa, with the number more than doubling. Remarkably, a third of these laws were enacted within the last five years. Regional disparities exist, with some areas demonstrating greater success in passing this vital legislation. Notably, 75% of traditionally Francophone countries have implemented data protection laws, with many among the earliest adopters. While Southern African countries have more recently embraced data protection laws, 73% now have such legislation in place. In contrast, only 54% of East African countries have enacted similar laws.(5)

    For a full overview of the data protection landscape in Africa, visit Data Protection Africa: https://dataprotection.africa/.

    As noted in the Data Protection Guidelines, in considering the relevant data protection framework, it is necessary to understand the African context and the particular characteristics that arise:(6)

    • Significant cultural and legal diversity across the continent, with different privacy expectations.
    • Variations in access to technology and online services among member states.
    • Sensitivities regarding ethnicity and profiling of citizens without consent.
    • Different levels of capability in areas such as technology and technology-related law and governance.
    • Risks arising from high dependency on non-African manufacturers and service providers, including the limited ability of African states to influence the behaviour of external service providers, and the potentially increased risk of data misuse where content and services are solely provided by foreign companies.

    According to the Data Protection Guidelines, this context presents unique challenges to the enforcement of local data protection laws that may make such enforcement more difficult.

    The Malabo Convention provides useful guidance at the regional level to states looking to implement data protection frameworks at the domestic level. Chapter II of the Malabo Convention sets out the principles relevant to data protection. As set out in article 8(1), the objective of the Convention is for each state party to commit itself to establishing a legal framework “aimed at strengthening fundamental rights and public freedoms, particularly the protection of physical data, and punish any violation of privacy without prejudice to the principle of the free flow of personal data.”

    Article 13 of the AU Data Protection Convention(7) (the Malabo Convention) sets out the following basic principles governing the processing of personal data:

    • Principle 1: Principle of consent and legitimacy of personal data processing.
    • Principle 2: Principle of lawfulness and fairness of personal data processing.
    • Principle 3: Principle of purpose, relevance and storage of processed personal data.
    • Principle 4: Principle of accuracy of personal data.
    • Principle 5: Principle of transparency of personal data processing.
    • Principle 6: Principle of confidentiality and security of personal data processing.

    Articles 16 to 19 of the Malabo Convention set out the rights of data subjects, namely the right to information; the right of access; the right to object; and the right of rectification or erasure. Articles 20 to 23 go on to set out the obligations of personal data controllers, namely the confidentiality obligations; the security obligations; the storage obligations; and the sustainability obligations.

    In respect of cross-border data transfers, article 14(6)(a) provides that: “The data controller shall not transfer personal data to a non-Member State of the African Union unless such a State ensures an adequate level of protection of the privacy, freedoms and fundamental rights of the persons whose data are being or are likely to be processed”. Sub-article (b) goes on to provide that the prohibition does not apply if the data controller has requested authorisation for the transfer from the relevant data protection authority before the data has been transferred.

    Processing for journalistic, research, artistic or literary purposes

    Article 14(3) of the Malabo Convention provides for a specific exemption that applies to the processing of personal data for journalistic, research, artistic or literary purposes. It provides that: “Personal data processing for journalistic purposes or for the purposes of research or artistic or literary expression shall be acceptable where the processing is solely for literary or artistic expression or for the professional exercise of journalistic or research activity, in accordance with the code of conduct of these professions.”

    Article 14(4) goes on to provide that the provisions of the Convention “shall not preclude the application of national legislations with regard to the print media or the audio-visual sector, as well as the provisions of the criminal code which provide for the conditions for exercise of the right of reply, and which prevent, limit, compensate for and, where necessary, repress breaches of privacy and damage to personal reputation.”

    Extra-territorial application of data protection frameworks in Europe

    There are two key European instruments in respect of data protection that have extra-territorial application for African states: Convention 108 and the GDPR.

    The Convention for the Protection of Individuals with regard to the Processing of Personal Data(8) – commonly referred to as Convention 108 – is an instrument of the Council of Europe (COE). Convention 108 opened for signature in 1981 and was the first legally binding instrument in the data protection field.(9) The purpose of Convention 108 is to “protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy”.(10) Convention 108 provides for the free flow of personal data between state parties to the Convention.

    A key feature of Convention 108 is that, in addition to the members of the COE, it also provides that non-European states may accede to it. For example, in the African context, Cape Verde, Mauritius, and Senegal have all acceded to it. This is of relevance for several reasons: it is a recognition of the adequacy of their data protection frameworks; it adds an additional bulwark of protection for persons within those states; and it can serve to facilitate cross-border data transfers between those African states and Europe. Convention 108 remains open for accession to other African states that meet the necessary requirements.

    Modernisation of Convention 108

    In May 2018, the COE published Convention 108+, in an effort to update and modernise Convention 108, which had been opened for signature over 35 years earlier. The modernisation effort gives new consideration to automated processing, cross-border data flows, and the need to strengthen the Convention’s evaluation and follow-up mechanisms.

    The second key instrument, the European Union General Data Protection Regulation 2016/679(11) (GDPR), is an effort to harmonise all data protection laws across the European Union and has been applicable to all EU member states since 25 May 2018. As explained in article 1 of the GDPR, its purpose is to lay down rules relating to the protection of natural persons with regard to the processing of personal data, as well as rules relating to the free movement of personal data. In particular, article 1(2) makes clear that the GDPR is intended to protect “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”.

    Chapter II of the GDPR sets out the following principles:

    • Article 5: Principles relating to the processing of personal data.
    • Article 6: Lawfulness of processing.
    • Article 7: Conditions for consent.
    • Article 8: Conditions applicable to a child’s consent in relation to information society services.
    • Article 9: Processing of special categories of personal data.
    • Article 10: Processing of personal data relating to criminal convictions and offences.
    • Article 11: Processing which does not require identification.

    The conditions for consent bear special emphasis. Importantly, the data controller bears the burden of demonstrating that the data subject has consented to the processing of his or her personal data.(12) Where written consent is sought, the GDPR provides that this request for consent “shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language” in order for it to be binding.(13) The data subject has the right to withdraw consent at any time, and it is required that it be made as easy to withdraw consent as it is to give consent.(14) Added to this, the GDPR provides that when assessing whether consent is freely given, utmost account must be taken of whether the performance of a contract or provision of a service “is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.(15)

    A unique and notable inclusion in the GDPR is that, per Article 3, it seeks to apply extra-territorially, to data controllers that are not established in the EU, regardless of whether the processing takes place in the EU or not.

    Failure to comply with the GDPR carries significant penalties, including administrative fines of up to €20 000 or 4% of the transgressor’s total worldwide turnover of the preceding year, whichever is higher.(16)

    Influence of the GDPR on African Data Privacy Laws

    According to data protection experts, several African countries have implemented data protection laws that bear similarities to the GDPR:(17)

    • In Rwanda, the Protection of Personal Data and Privacy law follows a framework akin to the GDPR.
    • Uganda’s Data Protection and Privacy Act aims to safeguard individual privacy and personal data, drawing inspiration from the GDPR in certain limited aspects.
    • In Mauritius, the Data Privacy Act aligns with international standards, including the GDPR and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. However, certain provisions in the Act differ from those in the GDPR. For instance, it does not include the hefty administrative penalties found in the GDPR, it mandates registration with the Data Protection Office prior to data processing, and it does not provide for automatic transfers to countries that the Data Protection Office has determined offer an adequate level of protection.
    • The Nigerian Data Protection Regulation closely resembles the GDPR in its structure and core principles. Both laws aim to afford data subjects a certain level of protection concerning their personal data, with consistent definitions and principles regarding the processing of personal data.

    Use of data protection authorities to vindicate the right to privacy

    Data protection frameworks typically provide for the establishment of a data protection authority (DPA) to oversee and enforce the relevant framework. Such DPAs are typically given a range of powers, including to be notified in the event of a data breach, to adjudicate complaints, and to impose penalties where a data controller is found to be non-compliant with the data protection framework.

    In states with established DPAs, this may be an avenue to vindicate the right to privacy. In the event of a data breach or another infringement of the data protection framework, data subjects may be assisted with lodging complaints to the relevant DPA. This quasi-judicial forum can present a relatively quick and cost-effective remedy for the data subject.

    In 2023, Tools for Humanity initiated a trial of a new cryptocurrency initiative known as Worldcoin.(18) This campaign offered individuals a small sum of cryptocurrency in exchange for allowing their biometric data to be gathered. Thousands of people participated in this opportunity, despite having limited information about how their data would be utilised. In May, Kenya’s Office of the Data Protection Commissioner (ODPC) instructed the company to cease processing data, a directive that allegedly went unheeded. It wasn’t until August, when the Ministry of the Interior intervened and ordered the suspension of Worldcoin’s activities in the country due to data protection concerns, that the company finally ceased data collection. Subsequently, the ODPC initiated legal proceedings against Tools for Humanity in the High Court.(19)

    Data protection litigation in Africa

    Because many data protection laws, and accompanying authorities, are relatively new in Africa and have often faced implementation challenges, there has been limited data protection litigation on the continent to date. However, cases are beginning to appear from various countries, setting a reassuring precedent for the protection of human rights.

    • In Uganda, the Initiative for Social and Economic Rights, The Unwanted Witness, and the Health Equity and Policy Initiative have taken legal action against the Ugandan Attorney General and the National Identification Registration Authority (NIRA), which is responsible for issuing IDs in Uganda.(20) Ugandan law recognises the concept of ‘amicus curiae’, allowing individuals or organisations not directly involved in a lawsuit to participate by providing the court with pertinent information to aid its decision-making process. In a brief submitted to the court, these organisations requested permission to present information addressing three crucial questions in the ongoing case. These questions pertain to the national digital ID programme’s impact on the right to privacy, freedom of expression, and related economic, social, and cultural rights. The organisations emphasise that any court ruling must consider the human rights implications of the mandatory, yet exclusionary, digital ID system.
    • In Ghana, lawyer Francis Kwarteng Arthur filed a suit challenging the government’s collection of personal data from mobile phone subscribers. In August 2021, the High Court ruled that the National Communications Authority (NCA) had to stop collecting personal information from mobile phone subscribers and ordered the government to delete data already collected within fourteen days of the judgement.(21)
    • In Kenya, a series of successful legal challenges to a new national biometric identity programme known as the Huduma Namba led to the courts ordering delays and conditions to the programme’s rollout.

    More Resources on Data Protection

    Footnotes

    1. ISOC and AU, ‘Personal Data Protection Guidelines for Africa’ (2018) (accessible
    2. Data Protection Principles at pp 9-10.
    3. Information Commissioner’s Office, ‘Data protection principles’ (accessible
    4. Binding Decision 1/2023 on the dispute submitted by the Irish SA on data transfers by Meta Platforms Ireland Limited for its Facebook service (Art. 65 GDPR).
    5. Data Protection Africa, ‘Mapping the progress (and delays) for data protection in Africa’ (2024) (accessible
    6. COE, ‘Convention 108 and protocols: Background’ (accessible at https://www.coe.int/en/web/data-protection/convention108/background).
    7. Article 1 of Convention 108.
    8. Article 7(1) of the GDPR.
    9. Article 7(2) of the GDPR.
    10. Article 7(3) of the GDPR.
    11. Article 7(4) of the GDPR.
    12. Article 83 of the GDPR.
    13. Webb du Preez, ‘How the European Union’s General Data Protection Regulations influenced data privacy law in Africa’ (2022) (accessible
    14. Kenya Ministry of Interior, ‘Statement on Worldcoin’ (2023) (accessible at https://twitter.com/InteriorKE/status/1686709534075629568).
    15. TechCrunch, ‘Worldcoin ignored initial order to stop iris scans in Kenya, records show’ (2023) (accessible at https://techcrunch.com/2023/08/15/worldcoin-in-kenya/?guccounter=1).
    16. Access Now, ‘Privacy first: Ugandan court hears civil society’s human rights warnings on digital identity system’ (2023) (accessible at https://www.accessnow.org/press-release/uganda-digital-identity-system-human-rights-warnings/).
    17. Kwarteng v Ghana Telecommunications Company and Others (2021) (accessible at https://kasapafmonline.com/wp-content/uploads/2021/07/FRANCIS-KWARTENG-ARTHUR-V.-GHANA-TELECOMMUNICATIONS-COMPANY-LTD..pdf).