Module 4: Data Privacy and Data Protection
Data protection laws are aimed at protecting and safeguarding the processing of personal information (or personal data). This refers to any information relating to an identified or identifiable natural person — i.e. the data subject — by which the data subject can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. A data controller, which can typically be either a public or private body, refers to the person or entity responsible for processing the personal information about the data subject.
Data protection is one of the primary measures through which the right to privacy is given effect. There have already been a number of African states that have enacted data protection laws, and more that are in the process of doing so.(1)
In addition to giving effect to the right to privacy, data protection legislation also has a key role to play in facilitating trade amongst states, as many data protection laws restrict cross-border data transfers in circumstances where the state receiving the information does not provide an adequate level of data protection.
In relation to data protection of personal information, General Comment No. 16 on article 17 of the ICCPR (General Comment No. 16) provides as follows:(2)
“The gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. Effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant. In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files. If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.”
Most comprehensive data protection laws typically make provision for the following principles:(3)
- Personal information must be processed fairly and lawfully, and must not be processed unless the stipulated conditions are met.
- Personal information must be obtained for a specified purpose (or purposes), and must not be further processed in any manner incompatible with that purpose.
- Personal data must be adequate, relevant and not excessive in relation to the purpose (or purposes) for which it is processed.
- Personal information must be accurate and, where necessary, kept up to date.
- Personal information must not be kept for longer than is necessary for the purpose of collection.
- Personal information must be processed in accordance with the rights of data subjects provided for under the data protection law.
- Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data must not be transferred to another country that does not ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.
There are a number of African regional instruments that deal with data protection:
- AU Convention on Cyber Security and Personal Data Protection 2014(4) (AU Convention or “Malabo Convention”): This instrument, aimed at a continental level, includes provisions relating to data protection, e-transactions, cybercrimes and cybersecurity. The provisions relating to data protection are contained in Chapter II, and contain the conditions for the lawful processing of personal information, as well as the rights afforded to data subjects. Although it has not entered into force as yet, it may potentially in future be a binding legal instrument on data protection in Africa.
- Draft EAC Legal Framework for Cyberlaws 2008(5) (EAC Legal Framework): This instrument covers topics relating to data protection, electronic commerce, data security and consumer protection. It is not intended to be a model law but instead provides guidance and recommendations to states to assist with informing the development of their laws. Data protection is dealt with briefly at paragraph 2.5 of the EAC Legal Framework.
- Supplementary Act on Personal Data Protection within ECOWAS 2010(6) (ECOWAS Supplementary Act): This instrument is designed to be directly transposed into a domestic context, and, in a similar vein to the AU Convention, provides in detail for the conditions for lawful processing of personal information and the rights of data subjects.
- SADC Data Protection Model Law 2013(7) (SADC Model Law): This instrument is a model law that can be utilised in a national context by member states. It seeks to ensure the harmonisations of information and communications technologies (ICT) policies, and recognises that ICT developments impact the rights and protection of personal data, including in government and commercial activities. In addition to setting out the conditions for lawful processing of personal information and the rights of data subjects, it also deals with whistle-blowing, providing that the data protection authority must establish rules giving authorisation for and governing the whistleblowing system which preserve the data protection principles, including the principles of fairness, lawfulness, purpose-specification, proportionality and openness.
In addition to giving effect to the right to privacy, data protection laws also typically facilitate a right of access to information. In this regard, most data protection laws provide for data subjects to request, and be given access to, the information being held about them by a controller. This mechanism can enable data subjects to ascertain whether their personal information is being processed in accordance with the applicable data protection laws, and whether their rights are indeed being upheld.