Module 4: Data Privacy and Data Protection
Data protection laws are aimed at protecting and safeguarding the processing of personal information (or personal data). Personal information includes any information relating to an identified or identifiable natural person – i.e. the data subject – by which the data subject can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. A data controller, which can typically be either a public or private body, is any person or entity responsible for processing personal information about the data subject.
Most comprehensive data protection laws make provision for the following principles:(1)
- Personal information must be processed fairly and lawfully and must not be processed unless the stipulated conditions are met.
- Personal information must be obtained for a specified purpose (or purposes) and must not be further processed in any manner incompatible with that purpose.
- Personal data must be adequate, relevant and not excessive in relation to the purpose (or purposes) for which it is processed.
- Personal information must be accurate and, where necessary, kept up to date.
- Personal information must not be kept for longer than is necessary for the purpose of collection.
- Personal information must be processed in accordance with the rights of data subjects provided for under the data protection law.
- Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data must not be transferred to another country that does not ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.
Additionally, most data protection laws establish a regulatory body to monitor and enforce the provisions of the law: this type of regulatory body is often referred to as a data protection authority (DPA).
The United Nations Special Rapporteur on the Right to Privacy in 2022 released a report providing an in-depth analysis of the principles of legality, lawfulness and legitimacy, consent, transparency, purpose, fairness, proportionality, minimisation, quality, responsibility, and security in the context of data protection legislation, which serves as a seminal guide for the development and harmonisation of data protection regulations around the world.(2)
Data protection is one of the primary measures through which the right to privacy is given effect. At least 33 African states have so far enacted data protection laws, and more are in the process of doing so.(3)
In addition to giving effect to the right to privacy, data protection legislation also facilitates trade among states, as many data protection laws restrict cross-border data transfers in circumstances where the state receiving the information does not provide an adequate level of data protection – or framed more positively, data protection laws enable the regulated transfer of personal information across borders where both jurisdictions have put in place adequate data protection laws and procedures.
In relation to the protection of personal information, General Comment No. 16 on article 17 of the ICCPR (General Comment No. 16) provides as follows:(4)
“The gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. Effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant. In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files. If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.”
There are a number of African regional instruments that deal with data protection:
- AU Convention on Cyber Security and Personal Data Protection 2014(5) (the Malabo Convention): This instrument, aimed at a continental level, includes provisions relating to data protection, e-transactions, cybercrimes and cybersecurity. The provisions relating to data protection are contained in Chapter II and contain the conditions for the lawful processing of personal information, as well as the rights afforded to data subjects. Although it has not entered into force as yet, once it is brought into operation it would be a binding legal instrument for data protection in Africa.(6)
- Draft EAC Legal Framework for Cyberlaws 2008(7) (EAC Legal Framework): This instrument covers topics relating to data protection, electronic commerce, data security and consumer protection. It is not intended to be a model law but instead provides guidance and recommendations to states to inform the development of their laws. Data protection is dealt with briefly at paragraph 2.5 of the EAC Legal Framework.
- Supplementary Act on Personal Data Protection within ECOWAS 2010(8) (ECOWAS Supplementary Act): This instrument is designed to be directly transposed into a domestic context among West African states, and provides in detail for the conditions for lawful processing of personal information and the rights of data subjects.
- SADC Data Protection Model Law 2013(9) (SADC Model Law): This instrument is a model law that can be adapted into domestic contexts among Southern African states. It seeks to ensure the harmonisation of information and communications technologies (ICT) policies and recognises that ICT developments impact the protection of personal data, including in government and commercial activities. It also deals with whistleblowing, by providing that the data protection authority must establish rules to govern the whistleblowing system that preserve data protection principles, including the principles of fairness, lawfulness, purpose specification, proportionality, and openness.
In addition to giving effect to the right to privacy, data protection laws also typically facilitate a right of access to information, by providing for data subjects to request, and be given access to, the information being held about them by a controller. This mechanism can enable data subjects to determine whether their personal information is being processed in line with applicable data protection laws and whether their rights are being upheld.
Mapping the state of data protection in Africa
Given the importance of data protection legislation in protecting the right to privacy in the digital age, as well as the rapid progression of legislation and regulation in this area, it can be hard to keep up to date with the state of data protection in Africa. Dataprotection.africa is an open, online resource that aims to provide a detailed analysis of the governance of data protection across the continent, mapping and analysing the legislation in place in all 55 member states of the African Union.