RESOURCE HUB
DONATE
GET HELP

Data Privacy and Data Protection – sub-Saharan Africa

  • The right to privacy and data protection is a growing concern due to increasing data flows and the resulting need for the protection of personal information.

  • In the African context, there are multiple instruments which govern data protection, notably the AU Convention on Cyber Security and Personal Data Protection (Malabo Convention).

  • Importantly, states should ensure that their domestic legislation provides for the lawful processing of personal information and that they keep step with data protection developments.

  • Allied with data protection are the concepts of the ‘right to be forgotten,’ encryption, and government-led surveillance.

  • Communications surveillance has special risks for freedom of expression in journalistic contexts due to the potential disclosure of confidential sources and the risk of a chilling effect on media freedom.

Introduction

The right to privacy and the concomitant requirement to protect personal information has become increasingly relevant in the information age. As access to the internet has expanded and many parts of public and private life have become increasingly digitised, there has been a sharp increase in online information-sharing and data collection, with the associated risk that this information can be accessed and abused by hostile actors. At the same time, legislative developments have failed to keep pace and adequately protect personal information. However, in recent years, the passing of data protection legislation by many African states, as well as the development of guidelines and instruments by regional and continental bodies, have provided some protections to remedy and vindicate the privacy rights of African peoples.

This module focuses on the right to privacy in the digital age in Africa by evaluating the state of data protection, the related concepts of the ‘right to be forgotten’ and encryption assesses the growing risks of government and commercial surveillance as well as the emerging challenges of the use of artificial intelligence (AI) to perpetrate privacy violations, and sets out emerging principles and safeguards in this rapidly advancing digital environment.

The Right to Privacy

Around the world, there is an increasing recognition that the right to privacy is vital both in itself and due to its role in facilitating the right to freedom of expression. For instance, the right to privacy allows individuals to share views anonymously in circumstances where they may face repression or discrimination for those views; it also allows whistle-blowers to make protected disclosures and enables journalists and activists to communicate securely beyond the reach of unlawful government interception. It is also an inherent part of the right to dignity.

The right to privacy is contained in Article 17 of the International Covenant on Civil and Political Rights (ICCPR), which provides:

1 No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

2 Everyone has the right to the protection of the law against such interference or attacks.

Although the right to privacy is not explicitly contained in the African Charter on Human and Peoples’ Rights (African Charter), article 9 of the Charter does encode protections for the right to receive information and express opinions:

1 Every individual shall have the right to receive information. Every individual shall have the right to express and disseminate his opinions within the law.

These, in addition to the African Charter’s protections for freedom against discrimination, liberty and security, freedom of assembly, health, and others, have prompted the argument that the implicit right to privacy should be ‘read into’ the African Charter as an inalienable component of those other rights.1

‘Reading in’ the right to privacy: the example of India

While his approach has not been ested in relation o he African Charter, it would follow he approach of he Supreme Court of India in its 2017 ruling hat he right o privacy is protected as an intrinsic part of he right o life and personal liberty, and as part of he fundamental freedoms guaranteed by Part III of he Constitution of India.2   As such, although he Constitution of India does not expressly contain a right o privacy, he right can nevertheless be read when considered in he context of he other rights and freedoms hat are constitutionally guaranteed.

The right to privacy of children is, however, explicitly contained in other regional and continental instruments. For example, article 10 of the African Charter on the Rights and Welfare of the Child (ACRWC) provides that:

No child shall be subject to arbitrary or unlawful interference with his privacy, family home or correspondence, or to the attacks upon his honour or reputation, provided that parents or legal guardians shall have the right to exercise reasonable supervision over the conduct of their children. The child has the right to the protection of the law against such interference or attacks.

The revised 2019 Declaration of Principles on Freedom of Expression and Access to Information in Africa, adopted by the African Commission on Human and Peoples’ Rights (ACHPR), also explicitly acknowledges the right to privacy and calls on states to provide extensive protections for privacy and personal information.3 Moreover, all but one African state guarantees this right under their domestic constitutions.4

As with the right to freedom of expression, a limitation of the right to privacy must comply with the three-part test for a justifiable limitation. According to the South African Constitutional Court:5

A very high level of protection is given to the individual’s intimate personal sphere of life and the maintenance of its basic preconditions and there is a final untouchable sphere of human freedom that is beyond interference from any public authority. So much so that, in regard to this most intimate core of privacy, no justifiable limitation thereof can take place. But this most intimate core is narrowly construed. This inviolable core is left behind once an individual enters into relationships with persons outside this closest intimate sphere; the individual’s activities then acquire a social dimension and the right of privacy in this context becomes subject to limitation.

Set out in the following pages, we consider specific aspects of the right to privacy and the impact of the internet on the enjoyment of this right.

Data Protection

Data protection is one of the primary ways through which the right to privacy is given effect. At least 36 African states have so far enacted data protection laws, and more are in the process of doing so.6 In addition to giving effect to the right to privacy, data protection legislation also facilitates trade among states, as many data protection laws restrict cross-border data transfers in circumstances where the state receiving the information does not provide an adequate level of data protection. Framed more positively, data protection laws enable the regulated transfer of personal information across borders where both jurisdictions have put in place adequate data protection laws and procedures to protect data subjects’ rights.

Key data protection principles

Data protection laws are aimed at protecting and safeguarding the processing of personal information (also sometimes called personal data). Personal information is typically defined as any information relating to an identified or identifiable natural person — i.e. the data subject — by which the data subject can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, or social identity. A data controller, also sometimes called the responsible party, can typically be either a public or private body and is the person or entity responsible for processing personal information about the data subject.

Key data protection principles

Most comprehensive data protection laws in Africa make provision for a core set of principles which can be summarised as follows:7
  • Personal information must be processed fairly and lawfully and must not be processed unless he stipulated conditions are met.
  • Personal information must be obtained for a specified purpose (or purposes) and must not be further processed in any manner incompatible with hat purpose.
  • Personal data must be adequate, relevant, and not excessive in relation o he purpose (or purposes) for which it was collected.
  • Personal information must be accurate and, where necessary, kept up o date.
  • Personal information must not be kept for longer han is necessary for he purpose.
  • Personal information must be processed in accordance with he rights of data subjects provided for under he data protection law.
  • The data controller must ake appropriate echnical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage o, personal data.
  • Personal data must not be ransferred o another country hat does not ensure an adequate level of protection for he rights and freedoms of data subjects.

In addition, most data protection laws establish a regulatory body to monitor and enforce the provisions of the law: this type of regulatory body is often referred to as a data protection authority (DPA).

International law standards

The United Nations Special Rapporteur (UNSR) on the Right to Privacy released a report in 2022 providing an in-depth analysis of the principles of legality, lawfulness and legitimacy, consent, transparency, purpose, fairness, proportionality, minimisation, quality, responsibility, and security in the context of data protection legislation, which serves as a seminal guide for the development and harmonisation of data protection regulations around the world.8

In relation to the protection of personal information, General Comment No. 16 on Article 17 of the ICCPR (General Comment No. 16) provides as follows:9

The gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. Effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant. In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files. If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.

In 2023, in response to the rapid and widespread collection of personal information ostensibly to combat the COVID-19 pandemic from 2020-2022, the UNSR on Privacy released a report elaborating on the implementation of the principles of purpose limitation, deletion of data and demonstrated or proactive accountability in the processing of personal data collected by public entities in the context of the pandemic.10

Regional law standards

There are several African regional instruments that deal with data protection:

  • The African Union (AU) Convention on Cyber Security and Personal Data Protection 201411 (the Malabo Convention): This instrument, aimed at a continental level, includes provisions relating to data protection, e-transactions, cybercrimes and cybersecurity. The provisions relating to data protection are contained in Chapter II and contain the conditions for the lawful processing of personal information, as well as the rights afforded to data subjects. After finally receiving ratification from the required 15th state, the Malabo Convention came into force in 2023.12

  • EAC Legal Framework for Cyberlaws 200813 (EAC Legal Framework): This instrument covers topics relating to data protection, electronic commerce, data security and consumer protection. It is not intended to be a model law but instead provides guidance and recommendations to states to inform the development of their laws. Data protection is dealt with briefly in paragraph 2.5 of the EAC Legal Framework, as part of Phase I which was adopted by the EAC Council of Ministers in 2010.14

  • Supplementary Act on Personal Data Protection within ECOWAS 201015 (ECOWAS Supplementary Act): This instrument is designed to be directly transposed into a domestic context among West African states and provides in detail the conditions for the lawful processing of personal information and the rights of data subjects. Importantly, it is also legally binding on ECOWAS States. ECOWAS also adopted the Directive on Fighting Cyber Crime in 2011 in an effort to harmonise member states’ cybercrime legislation.

  • SADC Data Protection Model Law 201316 (SADC Model Law): This is a model law that can be adapted into domestic contexts among southern African states. It seeks to ensure the harmonisation of information and communications technologies (ICT) policies and recognises that ICT developments impact the protection of personal data, including in government and commercial activities. It also deals with whistle-blowing, by providing that the data protection authority must establish rules to govern the whistleblowing system that preserve data protection principles, including the principles of fairness, lawfulness, purpose specification, proportionality, and openness.

In addition to giving effect to the right to privacy, data protection laws also often further facilitate a right of access to information, by providing for data subjects to request, and be given access to, the information being held about them by a controller. This mechanism can enable data subjects to determine whether their personal information is being processed in line with applicable data protection laws and whether their rights are being upheld.

Mapping the state of data protection in Africa

Given he importance of data protection legislation in protecting he right o privacy in he digital age, as well as he rapid progression of legislation and regulation in his area, it can be hard o keep up o date with he state of data protection in Africa.   Data Protection Africa is an open, online resource hat aims o provide a detailed analysis of he gove ance of data protection across he continent, mapping and analysing he legislation in place in all 55 member states of he African Union. As of February 2024, it notes hat 36 out of he 55 AU-recognised states have passed data protection legislation, with hree draft bills also being under consideration.

Emerging challenges to data protection

As more states across the continent have passed data protection legislation, so too have the risks and challenges of regulating and protecting privacy in the digital age become more complex. Many states, particularly those in West Africa, passed their laws some time ago,17 raising concerns that they may no longer be suited to the challenges of the modern age. In South Africa, for example, the Protection of Personal Information Act was passed in 2013 but only came into effect in July 2020 with a further grace period given for full compliance. This has raised concerns among critics that the Act already requires amendments to stay up to date with new issues such as AI.18

In addition, the enforcement challenges of these many new data protection laws have become increasingly apparent. For example, research has found that 14 countries’ laws provide for the data protection authority to be established within or to receive instructions from another public body, such as a government ministry, raising questions about regulatory independence.19 11 countries were found not to have adequate protections in place to prevent the undue removal of members of the Authority for political or other reasons.20

Enforcement challenges: example from Kenya

Many data protection authorities across he content have struggled o meaningfully hold accountable violators of data protection legislation, particularly powerful multinational corporations.   For example, in 2023, Tools for Humanity piloted a new cryptocurrency campaign called Worldcoin hat paid people a small sum of money in he cryptocurrency o have heir biometric data collected, resulting in housands aking up he opportunity,21 with very little information about how he data would be used. In May, Kenya’s Office of he Data Protection Commissioner (OPDC) ordered he company o halt processing,22 an order which was reportedly ignored. The company finally stopped data collection only when, in August, he Ministry of he Interior ordered he suspension of Worldcoin’s operations in he country, citing data protection conce s.23 The OPDC subsequently launched litigation against Tools for Humanity in he High Court.24   This demonstrates he challenges data protection authorities face in holding hese powerful inte ational companies o account.

Another barrier to the advancement of data protection on the continent is the limited scope of data protection laws, with many containing extensive national security or private sector exemptions that undermine their efficacy. In this regard, it is also important to note the track record on the continent of national security justifications being abused.

The Right to be Forgotten

The ‘right to be forgotten’25 — which can also be described as ‘the right to erasure’ or ‘the right to be de-listed’ — entails the right of a data subject to request that commercial search engines or other websites that gather or publish personal information remove links to the personal information relating to the subject on request. The issue is highly contextual and often fraught because it usually involves a complicated balancing of public and individual interests. The right to be forgotten progresses from the right of data subjects contained in many data protection laws that personal information held about a person should be erased in circumstances in which it is inadequate, irrelevant, no longer relevant, or excessive in relation to purposes for which it was collected. However, in some cases, there may be a valid justification for keeping the information in the public domain because it is in the public interest.

Establishing the right to be forgotten in the EU

The right o be forgotten was established in a 2014 ruling of he Court of Justice of he European Union (CJEU) in he case of Google Spain v Gonzalez.26   Mr Gonzalez, a Spanish national, lodged a complaint in 2010 with he Spanish information regulator. The cause of Mr Gonzalez’s complaint was hat any search for his name on Google’s search engine prominently displayed old news articles about debt proceedings against him. Mr Gonzalez requested hat he personal data relating o him, which was over a decade old, be removed or concealed because he proceedings had been fully resolved and he reference o him was now irrelevant.   The CJEU upheld he claim, relying on he European Union data protection law in effect at he ime. The CJEU noted hat he very display of personal information on a search results page constitutes he processing of he information27 and hat here was no reason why a search engine should not be subject o he obligations and guarantees laid out under he law.28   Further, it was noted hat he processing of personal information carried out by a search engine can significantly affect he fundamental rights o privacy and he protection of personal data when a search is carried out of a person’s name, as it enables any inte et user o establish a profile of he person.29   According o he CJEU, he effect of he interference “is heightened aking into account he important role played by he inte et and search engines in mode society, which render he information contained in such a list of results ubiquitous.”30   With regard o de-listing, he CJEU held hat he removal of links from he list of results could, depending on he information at issue, have effects on he legitimate interests of inte et users seeking access o hat information.31   This would require a fair balance o be struck between hose interests and he data subject’s fundamental rights, aking into account he nature of he information, its sensitivity o he data subject’s private life, and he interest of he public in having hat information, which may vary according o he role played by he data subject in public life.32   The CJEU went on o hold hat a data subject is permitted o request hat information about hem be removed from search results where, having regard o all he circumstances, he information appears o be inadequate, irrelevant or no longer relevant, or excessive in relation o purposes of he processing carried out by he operator of he search engine.33   In such circumstances, he information and links conce ed in he list of results must be erased.34   Since hen, he jurisprudence on he right o be forgotten has developed significantly, particularly in he EU. See he European Court of Human Rights’ Guide o he Case Law on Data Protection for some examples of he nuances hat have since been developed.

A growing body of jurisprudence

The right to be forgotten has also been recognised in domestic contexts, although not as yet in sub-Saharan Africa. However, it has been recognised in South America in, for example, the State Court of Appeals of São Paulo, Brazil.35

Of relevance to the media, the Supreme Court of Chile, in 2019, made an order requiring several digital media outlets to update the information they had published about a person involved in a criminal case in order to achieve a balance between the right to information that was in the public interest and the right to honour.36

Non-consensual dissemination of intimate images (NCII)

A growing body of case law is also beginning to recognise the right to be forgotten in cases of the non-consensual sharing of intimate images (NCII), such as X v. Union of India and X v. YouTube, both in the High Court of Delhi in India.

Litigating NCII in Kenya

In 2016, he High Court of Kenya determined a case, Roshanara Ebrahim v Ashleys Kenya Limited & 3 others (2016), involving he non-consensual distribution of he petitioner’s nude photographs by an ex-boyfriend, resulting in her dethronement as Miss World Kenya 2015.37   The Court held hat Ebrahim had a legitimate expectation of privacy, hat she did not waive her right o protection of privacy by aking nude photographs, and did not consent o heir dissemination o hird parties, and as such, her right o privacy under Article 31 of he Constitution of Kenya had been violated. It further ordered he ex-boyfriend o pay damages and directed he organisers of he Miss World Kenya not o publish he nude photographs in heir possession.   The case provides valuable insights into he ‘reasonable expectation of privacy,’ whether images are obtained in an intrusive manner, and whether he presence of illegalities may invalidate a right o privacy claim.38

Limits on the right to be forgotten

As jurisprudence around the world has developed, lines have begun to be drawn identifying the limits of the right to be forgotten. In 2017, the CJEU declined to uphold a request to erase, anonymise, or block any data linking the plaintiff to the liquidation of his company contained in the companies register in the case of Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v Salvatore Manni.(39) The CJEU held that in light of the range of possible legitimate uses for data in company registers and the different limitation periods applicable to such records, it was impossible to identify a suitable maximum retention period. Accordingly, the CJEU declined to find that there is a general right to be forgotten from public company registers.

Furthermore, other jurisdictions have refused to uphold a right to be forgotten against search engines:

  • In Brazil, for example, it was held that search engines cannot be compelled to remove search results relating to a specific term or expression.40

  • Similarly, the Supreme Court of Japan declined to enforce the right to be forgotten against Google, finding that deletion “can be allowed only when the value of privacy protection significantly outweighs that of information disclosure”.41

According to the Global Principles of Freedom of Expression and Privacy (Global Principles),42 the right — to the extent that it is recognised in a particular jurisdiction — should be limited to the right of individuals under data protection law to request search engines to delist inaccurate or out-of-date search results produced on the basis of a search for their name43 and should be limited in scope to the domain name corresponding to the country where the right is recognised and the individual has established substantial damage.44

It states further that de-listing requests should be subject to ultimate adjudication by a court or independent adjudicatory body with relevant expertise in freedom of expression and data protection law.45

Encryption and Anonymity on the Internet

Encryption refers to a mathematical process of converting messages, information or data into a form unreadable by anyone except the intended recipient, and in doing so protecting the confidentiality and integrity of content against third-party access or manipulation.46 With “public key encryption” — the dominant form of end-to-end security for data in transit — the sender uses the recipient’s public key to encrypt the message and its attachments, and the recipient uses her or his own private key to decrypt them.47 It is also possible to encrypt data at rest that is stored on one’s device, such as a laptop or hard drive.48

Anonymity can be defined either as acting or communicating without using or presenting one’s name or identity, as acting or communicating in a way that protects the determination of one’s name or identity or as using an invented or assumed name that may not necessarily be associated with one’s legal or customary identity.49 Anonymity may be distinguished from pseudo‑anonymity: the former refers to taking no name at all, while the latter refers to taking an assumed name.50

Importance of freedom of expression

Encryption and anonymity are necessary tools for the full enjoyment of digital rights and deserve protection by virtue of the critical role that they play in securing the rights to freedom of expression and privacy. As described by the UNSR on FreeEX:51

Encryption and anonymity, separately or together, create a zone of privacy to protect opinion and belief. For instance, they enable private communications and can shield an opinion from outside scrutiny, particularly important in hostile political, social, religious and legal environments. Where States impose unlawful censorship through filtering and other technologies, the use of encryption and anonymity may empower individuals to circumvent barriers and access information and ideas without the intrusion of authorities. Journalists, researchers, lawyers and civil society rely on encryption and anonymity to shield themselves (and their sources, clients and partners) from surveillance and harassment. The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality. Artists rely on encryption and anonymity to safeguard and protect their right to expression, especially in situations where it is not only the State creating limitations but also a society that does not tolerate unconventional opinions or expression.

Encryption and anonymity are especially useful for the development and sharing of opinions online, particularly in circumstances where a person fears that their communications may be subject to interference or attack by state or non-state actors. These are therefore specific technologies through which individuals may exercise their rights, and are particularly important for journalists communicating online to be protected from surveillance and to maintain the confidentiality of journalistic sources. Accordingly, under international human rights law, restrictions on encryption and anonymity must meet the three-part test to justify the restriction.

Balancing security with freedom of expression

According to the UNSR on FreeEX, while encryption and anonymity may have the potential to frustrate law enforcement and counter-terrorism officials and complicate surveillance, state authorities have generally failed to provide appropriate public safety justifications to support any restrictions or to identify situations where the restriction has been necessary to achieve a legitimate goal.52 Outright prohibitions on the individual use of encryption technology disproportionately restrict the right to freedom of expression as they deprive all online users in a particular jurisdiction of the right to carve out a space for opinion and expression, without any particular claim of the use of encryption being for unlawful ends.53

Likewise, state regulation of encryption may be tantamount to a ban, for example, through requiring licences for encryption use, setting weak technical standards for encryption, or controlling the import and export of encryption tools.54

The use of encryption and anonymity by journalists

In he 2015 case of Federal Prosecutor v Soleyana Shimeles Gebremariam and others (Zone 9 Bloggers) in Ethiopia, in which nine bloggers were charged with planning, preparing, conspiring, and inciting o execute errorism, it is notable hat he prosecutor in he case cited he bloggers’ use of encryption ools o protect he confidentiality of heir data as evidence hat hey were undertaking covert acts against he gove ment. Ultimately, all charges were either dropped or he defendants were acquitted due o a lack of evidence.55   Since 2015, awareness and understanding of he use of encryption ools has advanced, and it is, in most cases, no longer seen as an inherent indication of having something o hide. However, jou alists continue o face many challenges in using fully secure and protected encryption and anonymity ools in practice, with constant hreats from law enforcement agencies seeking ‘back doors’ into such ools.   Regardless, he principle of he confidentiality of jou alistic sources is well established in case law, including in Africa. In he 2023 case of Mazetti Management Services. amaBhungane Centre for Investigative Jou alism in South Africa he High Court set aside an interim injunction ordering a media organisation o retu documents in its possession and confirmed hat he confidentiality of sources is a key and important feature of investigative jou alism.56   An amicus curiae in he case made submissions on he importance of he confidentiality of jou alistic sources as set out in inte ational human rights law.

The UNSR on FreeEX has, therefore, called on states to promote strong encryption and anonymity, and noted that decryption orders should only be permissible when they result from transparent and publicly accessible laws applied solely on a targeted, case-by-case basis to individuals (not to a mass of people), and subject to a judicial warrant and the protection of due process rights.57

The 2019 ACHPR Declaration of Principles on Freedom of Expression and Access to Information likewise provides that states should not adopt laws or other measures prohibiting or weakening encryption, including backdoors or key escrows unless such measures are justifiable and compatible with international human rights law and standards.58

Despite this clear mandate, many countries in sub-Saharan Africa continue to regulate or limit the use of encryption. For example, some require the registration and licensing of encryption service providers or have laws that compel service providers to hand over secret codes to state authorities.59 According to the Global Partners Digital World Map of Encryption, at least 27 countries in Africa have laws and policies enabling widespread restrictions on the use of encryption tools.60

A new form of surveillance: SIM card registration

In virtually all African countries, here is mandatory SIM card registration, during which a horde of identifying data is collected.61 While he surge in cybercrimes prompted SIM registration, he data requirements for registration are huge yet he data protection practices are poor with no specific data protection laws. Even in countries with data protection laws, implementation is often poor and many laws fall short of established human rights standards. Moreover, he rends in data collection seem o be changing with several countries increasingly pegging service delivery o data which is collected and stored in various databases. Of itself, SIM registration in effect eradicates he ability of mobile phone users o communicate anonymously and facilitates mass surveillance, making racking and monitoring of all users easier for law enforcement and security agencies.   Another conce relates o he growing preference for African gove ments o implement data localisation regulations which mandate hat personal data be stored within he country. While ostensibly his is o ensure he protection of personal information, it may also enable easier access o data for decryption and surveillance.

Government & Corporate Surveillance

Communications surveillance encompasses the monitoring, intercepting, collecting, analysing, retention, or similar actions, of a person’s communications in the past, present, or future.62 This relates to both the content of communications and communication metadata – which is information about a communication, such as the identities of the parties, the time or duration or location of the communication, and technical services used. It has been noted that even communication metadata can give detailed insights into an individual’s behaviour, social relationships, private preferences and identity. Taken as a whole, it may allow very precise conclusions to be drawn concerning the private life of the person.63

In recent years, the use of sophisticated surveillance technology on mobile phones has gained increasing prominence amidst concerns about its extensive abuse to monitor political opponents and activists.

The Pegasus scandal

In 2021, news broke hat at least 180 jou alists as well as political leaders had been argeted for surveillance by Pegasus spyware, a system hat can be remotely installed on a smartphone enabling complete control over he device.64 The news attracted widespread condemnation, including, for example, he Supreme Court of India in 2021 ordered an independent inquiry into allegations hat he gove ment deployed he Pegasus spyware against various jou alists, politicians, and dissidents because of he deeply chilling effects its use could have on freedom of expression.65   Although he findings of he Court’s investigation have not been made public, evidence has since come o light of he continued use of he Pegasus software o surveil jou alists.66 In 2019, Meta launched litigation against he NSO Group, he maker of Pegasus software, claiming hat it was responsible for a series of cyber-attacks which violated American law.67   The litigation is as of 2024 still ongoing. In February 2024, NSO Group was ordered o hand over its code for Pegasus and other spyware products, as well as information conce ing he full functionality of he relevant spyware.68   African activists and jou alists were among some of he argets identified in he Pegasus scandal, as were powerful politicians and state officials revealed o be users of he ools. In 2024, Reporters without Borders found spyware races on he phones of wo Togolese jou alists while hey were on rial for defamation against a gove ment minister.69

International law position

General Comment No. 16 provides that “[s]urveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited.”70 Surveillance — both bulk (or mass) collection of data71 or targeted collection of data — interferes directly with the privacy and security necessary for freedom of opinion and expression, and must be considered against the three-part test to assess the permissibility of the restriction.

In the digital age, ICTs have enhanced the capacity of governments, corporations, and individuals to conduct surveillance, interception and data collection, and have meant that the effectiveness of conducting such surveillance is no longer limited by scale or duration.

In Africa, some countries have even passed legislation enabling digital surveillance of targeted groups; for example, the United Nations Special Rapporteur on Privacy has noted with concern the Anti-Cybercrime Law enacted in Egypt in 2018 which reportedly enables surveillance of the LGBTQI community.72

In a resolution adopted by the UN General Assembly (UNGA) on the right to privacy in the digital age, the UNGA emphasised that unlawful or arbitrary surveillance and/or interception of communications, as well as the unlawful or arbitrary collection of personal data, are highly intrusive acts, violate the right to privacy, can interfere with the right to freedom of expression, and may contradict the tenets of a democratic society, including when undertaken on a mass scale.73 It noted further that surveillance of digital communications must be consistent with international human rights obligations and must be conducted on the basis of a legal framework, which must be publicly accessible, clear, precise, comprehensive and non-discriminatory.

In order to meet the condition of legality, many states have taken steps to reform their surveillance laws to allow for the powers required to conduct surveillance activities. According to the Necessary and Proportionate Principles, a civil society initiative to document the principles that apply to any limitation on freedom of expression, communications surveillance should be regarded as a highly intrusive act, and in order to meet the threshold of proportionality, the state should be required at a minimum to establish the following information to a competent judicial authority prior to conducting any communications surveillance:74

  • There is a high degree of probability that a serious crime or specific threat to a legitimate aim has been or will be carried out.

  • There is a high degree of probability that evidence relevant and material to such a serious crime or specific threat to a legitimate aim would be obtained by accessing the protected information sought.

  • Other less invasive techniques have been exhausted or would be futile, such that the technique used is the least invasive option.

  • Information accessed will be confined to that which is relevant and material to the serious crime or specific threat to a legitimate aim alleged.

  • Any excess information collected will not be retained but instead will be promptly destroyed or returned.

  • Information will be accessed only by the specified authority and used only for the purpose and duration for which authorisation was given.

  • The surveillance activities requested, and techniques proposed do not undermine the essence of the right to privacy or of fundamental freedoms.

The importance of independent oversight and subject notification

In addition o he principles discussed above, he groundbreaking case of amaBhungane Centre for Investigative Jou alism v Minister of Justice and Correctional Services emphasised wo additional principles hat are critical o ensuring legitimate and rights-respecting argeted surveillance. First, he Constitutional Court of South Africa emphasised he need for a clear and independent process for appointing he designated judge o oversee requests for surveillance by law enforcement. Second, it highlighted hat he law should accommodate he notification of subjects of surveillance hat hey have been surveilled after he fact and when such notification will no longer hreaten he investigation.   It is notable hat he Court reflected on he need for enhanced protections for lawyers and jou alists as a result of he importance of confidentiality in hese professions, and hat legislation should herefore provide additional safeguards in such cases.

Surveillance constitutes an obvious interference with the right to privacy. Further, it also constitutes an interference with the right to hold opinions without interference and the right to freedom of expression. With particular reference to the right to hold opinions without interference, surveillance systems, both targeted and mass, may undermine the right to form an opinion, as the fear of unwilling disclosure of online activity, such as search and browsing, likely deters individuals from accessing information, particularly where such surveillance leads to repressive outcomes.75

As emphasised in the amaBhungane case, the interference with the right to freedom of expression is particularly apparent in the context of journalists who may be placed under surveillance as a result of their journalistic activities. The disclosure or surveillance of journalistic sources can have negative consequences for the right to freedom of expression due to a breach of an individual’s confidentiality in their communications.76

This is the same for cases concerning the disclosure of anonymous user data. Once confidentiality is undermined, it cannot be restored. It is therefore of utmost importance that measures that undermine confidentiality are not taken arbitrarily.

The importance of source protection has been well-established. For example, in Bosasa Operation (Pty) Ltd v Basson and Another, the South Africa High Court held that journalists are not required to reveal their sources, subject to certain exceptions.77 The court stated in this regard that:

If indeed freedom of the press is fundamental and sine qua non for democracy, it is essential that in carrying out this public duty for the public good, the identity of their sources should not be revealed, particularly, when the information so revealed, would not have been publicly known. This essential and critical role of the media, which is more pronounced in our nascent democracy, founded on openness, where corruption has become cancerous, needs to be fostered rather than denuded.

Surveillance activities carried out against journalists have the risk of fundamentally undermining the source protection to which journalists are otherwise entitled.

Jurisprudence on journalism and the right to privacy

The linkages between journalistic freedoms and the right to privacy are a common theme in emerging litigation and jurisprudence against unlawful or abusive surveillance. For example:

  • In two cases both dealing with the planned roll-out by the Communications Authority of Kenya of a system to provide it with access to mobile service subscribers’ data, the High Court of Kenya held that the system was “a threat to subscribers’ privacy,” that there were fewer restriction measures to implement the Authority’s goals of identifying illicit devices, and that the system was unlawful, unreasonable, and disproportionate.78

  • In ordering the independent inquiry into allegations that the government deployed the Pegasus spyware against various journalists, politicians and dissidents, the Supreme Court of India found that the free press’s democratic function was at stake, and that “such chilling effect on the freedom of speech is an assault on the vital public watchdog role of the press, which may undermine the ability of the press to provide accurate and reliable information.”79

  • The European Court of Human Rights (ECtHR) found some aspects of the United Kingdom’s mass surveillance regime to be in violation of the right to privacy and the right to freedom of expression under the European Convention on Human Rights, holding that although bulk interception regimes are not in themselves incompatible with those rights, the lack of independent oversight and the fact that the regime’s use was not limited to combatting “serious crime” and did not sufficiently protect journalists’ confidential communication resulted in it constituting a violation.80

Privacy & Artificial Intelligence

The privacy risks of AI

As the sophistication and usage of artificial intelligence (AI) has increased rapidly in recent years, concerns about both the use of personal information in the development of such tools as well as the ability of such tools to implement privacy violations have become more prominent. In particular, the launch of the public ChatGPT, alongside similar models, has raised alarm bells on several fronts.

  • First, because such systems rely on vast quantities of information to train their algorithms and continuously improve performance, particularly information scraped from the internet, critics have highlighted that even publicly-available information, such as posts on social media, was never posted with the intent, and hence consent, of the data subjects for its usage by large-language models.

  • Second, the collection and storage of such large quantities of information, including personal information, raise concerns about storage security and the implications if such data were to be accessed by unauthorised parties through hacking or other security breaches. Facial recognition technology, which also often relies on sophisticated algorithms to process large quantities of data, is increasingly in use across the continent by governments ostensibly for law enforcement and security purposes, but they also have the potential to be used for real-time, intrusive tracking and surveillance that risks several human rights including the rights to privacy, freedom of movement, and freedom of association.

  • Third, AI tools such as these are able to rapidly generate images and content about a person based on its training data that may have little correlation to the truth, raising concerns about mis- and disinformation and the portrayal of personal information in the online ecosystem. AI’s ability to rapidly analyse and make sense of large quantities of data can lead to the ability to infer personal information about a person that they never provided themselves, beyond the scope of consent requirements set out in data protection laws.

Developing international standards

As a result of these risks, AI has recently garnered increased attention from international and regional human rights bodies seeking to provide guidance and standards to protect the affected rights and ensure the responsible development of these new technologies. For example:

  • In 2021 the UN Special Rapporteur on the Right to Privacy published a report on AI and privacy and children’s privacy that provides guidance on data protection standards for AI at the domestic level as well as calls on states and companies to develop AI solutions ethically and responsibly within a human rights framework.81

  • Also in 2021, the UN High Commissioner for Human Rights released a report on the right to privacy in the digital age that analysed how the widespread use of AI affects the right to privacy and other fundamental rights, noting that issued a set of recommendations for states and businesses to design and implement rights safeguards.82 The report notes that AI systems “[incentivise] widespread data collection, storage, and processing,” contrary to the principle of data minimisation, and highlights concerns in the sectors of law enforcement, public services, employment, and online information management systems.

  • Building on this, in 2023 the new Special Rapporteur submitted her report to the United Nations General Assembly (UNGA) that highlighted the need for transparency and explainability in the use of AI in order for data subjects to be able to exercise their rights over the use of their personal information in such systems.83

Notably, the African Union Commission on Human and Peoples’ Rights (ACHPR) has also taken steps to interrogate the risks of AI by passing Resolution ACHPR/Res. 473 (EXT.OS/ XXXI) 2021: on the need to undertake a Study on human and peoples’ rights and artificial intelligence (AI), robotics and other new and emerging technologies in Africa in 2021.84 In it, the ACHPR—

  • acknowledges the myriad risks for human rights not limited to privacy;

  • calls on states to put in place mechanisms to ensure the rights-respecting development and use of such technologies in Africa, including by working towards a comprehensive legal and ethical governance framework for AI; and

  • commits to undertake a study to develop guidelines on AI.

The study officially began in June 2023.85

Conclusion

As more of the world moves online and increasingly sophisticated new tools for processing personal information become more widely available, data protection is becoming ever more necessary. In the African context, some headway has been made in the passing of 36 data protection laws as well as the coming into force of the Malabo Convention in 2023.86 However, with the growth and increasing sophistication of technologies and practices related to data harvesting and profiling, legislators are some way behind in fully protecting and promoting data privacy and data protection. As we move forward, digital rights activists have a significant role to play in ensuring that states keep step with data protection developments and enact legislative frameworks that fully protect and promote people’s rights to privacy.

References

  1. Ayalew, ‘Untrodden Paths Towards the Right to Privacy in the Digital Era under African Human Rights Law’ 12 International Data Privacy Law 1 (2022) (accessible at https://ssrn.com/abstract=3993942).
  2. Justice K.S. Puttaswamy and Another v Union of India and Others, Petition No. 494/2012 (2017) (accessible at http://supremecourtofindia.nic.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf).
  3. ACHRP, ‘Declaration of Principles on Freedom of Expression and Access to Information in Africa 2019’ (2019) (accessible at https://achpr.au.int/en/node/902) at Principles 40-42.
  4. ALT Advisory, ‘Data Protection Africa,’ (accessible at https://dataprotection.africa/).
  5. NM and Others v Smith and Others, [2007] ZACC 6 (accessible at https://www.saflii.org/za/cases/ZACC/2007/6.html) at para 33, citing with approval Bernstein and Others v Bester NO and Others, [1996] ZACC 2 (accessible at https://www.saflii.org/za/cases/ZACC/1996/2.html) at para 77.
  6. See https://dataprotection.africa/ for more information.
  7. Information Commissioner’s Office, ‘A guide to the data protection principles’ (accessible at https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/).
  8. UNSR on Privacy, ‘Promotion and protection of human rights: human rights questions, including alternative approaches for improving the effective enjoyment of human rights and fundamental freedoms’ (2022) (accessible at https://documents.un.org/doc/undoc/gen/n22/594/48/pdf/n2259448.pdf?token=u1h0GXrW9xSVX7VFHW&fe=true).
  9. UNHCHR, ‘CCPR General Comment No. 16: Article 17 (Right to Privacy)’ (1988) (accessible at https://www.refworld.org/legal/general/hrc/1988/en/27539) at para 10.
  10. UNSR on Privacy, ‘A/HRC/52/37: Implementation of the principles of purpose limitation, deletion of data and demonstrated or proactive accountability in the processing of personal data collected by public entities in the context of the COVID-19 pandemic – Report of the Special Rapporteur on the right to privacy’ (2023) (accessible at https://www.ohchr.org/en/documents/thematic-reports/ahrc5237-implementation-principles-purpose-limitation-deletion-data-and).
  11. AU, ‘African Union Convention on Cyber Security and Personal Data Protection’ (2014 ) (accessible at https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf).
  12. ALT Advisory, ‘Africa: AU’s Malabo Convention set to enter force after nine years’ (2023) (accessible at https://altadvisory.africa/2023/05/19/malabo-convention-set-to-enter-force/).
  13. EAC, ‘EAC Legal Framework for Cyberlaws’ (20228) (accessible at http://repository.eac.int:8080/bitstream/handle/11671/1815/EAC Framework for Cyberlaws.pdf?sequence=1&isAllowed=y).
  14. UNCTAD, ‘Harmonizing Cyberlaws and Regulations: The experience of the East African Community’ (2012) (accessible at https://au.int/sites/default/files/newsevents/workingdocuments/27223-wd-harmonizing_cyberlaws_regulations_the_experience_of_eac1.pdf).
  15. ECOWAS, ‘Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWS’ (2010) (accessible at http://www.statewatch.org/news/2013/mar/ecowas-dp-act.pdf).
  16. HIPSSA, ‘Data Protection: SADC Model Law’ (2013) (accessible at https://www.itu.int/en/ITU-D/Projects/ITU-EC-ACP/HIPSSA/Documents/FINAL DOCUMENTS/FINAL DOCS ENGLISH/sadc_model_law_data_protection.pdf).
  17. Data Protection Africa, ‘Standing Alone: The Independence of African Data Protection Authorities’ (2024) (accessible at https://dataprotection.africa/standing-alone-the-independence-of-african-data-protection-authorities/).
  18. IT Web, ‘POPIA principles must align with AI governance, say experts,’ (2023) (accessible at https://www.itweb.co.za/article/popia-principles-must-align-with-ai-governance-say-experts/RgeVDvPRrn8MKJN3).
  19. See above n 17.
  20. Id.
  21. Njenga, Schmitz, ‘Worldcoin: Thousands flock KICC to have eyeballs scanned for Ksh.7k’ (2023) (accessible at https://www.citizen.digital/news/worlcoin-thousands-flock-kicc-to-have-eyeballs-scanned-for-ksh7k-n32464 3).
  22. TechCrunch, ‘Worldcoin ignored initial order to stop iris scans in Kenya, records show’ (2023) (accessible at https://techcrunch.com/2023/08/15/worldcoin-in-kenya/?guccounter=1).
  23. Kenya Ministry of Interior, ‘Statement on Worldcoin’ (2023) (accessible at https://twitter.com/InteriorKE/status/1686709534075629568).
  24. See above n 22.
  25. For more on this topic see Media Defence ‘Training Manual on Digital Rights and Freedom of expression Online: Litigating digital rights and online freedom of expression in East, West and Southern Africa’ (accessible at https://www.mediadefence.org/wp-content/uploads/2020/06/MLDI-Training-Manual-on-Digital-Rights-and-Freedom-of-Expression-Online.pdf).
  26. Google Spain SL and Another v Agencia Española de Protección de Datos (AEPD) and Another, Case No. C-131/12, (2014) (accessible at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62012CJ0131).
  27. Id at para 57.
  28. Id at para 58.
  29. Id at para 80.
  30. Id.
  31. Id at para 81.
  32. Id.
  33. Id at para 94.
  34. Id at para 94.
  35. De Queiroz v. Google Brasil Internet Ltd. Case No. 0004144-77.2015.8.26.0297 (2016) (accessible at https://globalfreedomofexpression.columbia.edu/cases/de-queiroz-v-google-brasil-internet-ltda/).
  36. Surgeon v. Court of Appeals of Santiago, Case No. Rol No. 1279-2019 (2019) (accessible at https://globalfreedomofexpression.columbia.edu/cases/surgeon-v-court-of-appeals-of-santiago/).
  37. Roshanara Ebrahim v Ashleys Kenya Limited & 3 others [2016] eKLR (accessible at http://kenyalaw.org/caselaw/cases/view/129282/).
  38. For further information on the use of the ‘tort of invasion of privacy,’ the public disclosure of embarrassing facts, breaches of the torts of breach of confidence and intentional infliction of mental distress, see: Jane Doe 464533 v. D. (N.) (accessible at https://globalfreedomofexpression.columbia.edu/cases/jane-doe-464533-v-d-n/); see also: Equality Project ‘Technologically-Facilitated Violence: Non-Consensual Distribution of Intimate Images Case Law’ (2019) (accessible at http://www.equalityproject.ca/wp-content/uploads/2019/01/TFVAW-Non-Consensual-Distribution-of-Intimate-Images-6-March-2018.pdf).
  39. Case No. C-385-15, (2017) (accessible at https://curia.europa.eu/juris/document/document.jsf?text=&docid=188750&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=446798).
  40. Ministra Nancy Andrighi v Google Brasil Internet Ltd and Others, 2011/0307909-6, (2012) (accessible at https://www.internetlab.org.br/wp-content/uploads/2017/02/STJ-REsp-1316921.pdf).
  41. The Japan Times, ‘Top court rejects ‘right to be forgotten’ demand’ (2017) (accessible at https://www.japantimes.co.jp/news/2017/02/01/national/crime-legal/top-court-rejects-right-forgotten-demand/#.WqZQXehubIV).
  42. Article19 ‘The Global Principles’ (accessible at https://www.article19.org/data/files/medialibrary/38657/Expression-and-Privacy-Principles-1.pdf). The Global Principles were developed by civil society, led by ARTICLE19, in cooperation with high-level experts from around the world.
  43. Id at Principle 18(1).
  44. Id at Principle 18(4).
  45. Id at Principle 18(2).
  46. Report of the UNSR on Freedom of Expression, ‘Report on anonymity, encryption and the human rights framework’, A/HRC/29/32, (2015) (accessible at http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx) at para 7. For further discussion and resources, see UCI Law International Justice Clinic, ‘Selected references: Unofficial companion report to Report of the Special Rapporteur (A/HRC/29/32) on encryption, anonymity and freedom of expression’ (accessible at http://www.ohchr.org/Documents/Issues/Opinion/Communications/States/Selected_References_SR_Report.pdf).
  47. Id.
  48. Id.
  49. Electronic Frontier Foundation, ‘Anonymity and encryption’ (2015) (accessible at https://www.ohchr.org/Documents/Issues/Opinion/Communications/EFF.pdf) at p 3.
  50. Id.
  51. See above UNSR Report on Anonymity and Encryption n 47 at para 12.
  52. Id at para 36.
  53. Id at para 40.
  54. Id at para 41.
  55. Federal Prosecutor v. Soleyana Shimeles Gebremariam and others (Zone 9 Bloggers) (2015) (accessible at https://globalfreedomofexpression.columbia.edu/cases/federal-prosecutor-v-soleyana-shimeles-gebremariam-and-others-zone-9-bloggers/).
  56. Mazetti Management Services v. amaBhungane Centre for Investigative Journalism (2023) (accessible at https://globalfreedomofexpression.columbia.edu/cases/mazetti-management-services-v-amabhungane-centre-for-investigative-journalism/).
  57. Report of the UNSR on Freedom of Expression, ‘Report on anonymity, encryption and the human rights framework’, A/HRC/29/32, (2015) (accessible at http://www.ohchr.org/Documents/Issues/Opinion/Communications/States/Selected_References_SR_Report.pdf) at paras 59-60.
  58. See Principle 40, accessible at https://achpr.au.int/en/node/902.
  59. CIPESA, ‘How African Governments Undermine the Use of Encryption’ (2021) (accessible at https://cipesa.org/wp-content/files/briefs/How_Africa_Government_Undermine_the_Use_of_Encryption_2021.pdf).
  60. Global Partners Digital, ‘World Map of Encryption’ (accessible at https://www.gp-digital.org/world-map-of-encryption/).
  61. CIPESA, ‘How African Governments Undermine the Use of Encryption’ (2021) (accessible at https://cipesa.org/wp-content/files/briefs/How_Africa_Government_Undermine_the_Use_of_Encryption_2021.pdf)
  62. Article19 et al, ‘Necessary and proportionate: International principles on the application of human rights to communications surveillance’ (2014) (accessible at https://necessaryandproportionate.org/files/2016/03/04/en_principles_2014.pdf) at p 4.
  63. For more on this topic see Media Defence ‘Training Manual on Digital Rights and Freedom of expression Online: Litigating digital rights and online freedom of expression in East, West and Southern Africa’ (accessible at https://www.mediadefence.org/wp-content/uploads/2020/06/MLDI-Training-Manual-on-Digital-Rights-and-Freedom-of-Expression-Online.pdf).
  64. Forbidden Stories, ‘Journalists Under Surveillance’ (2021) (accessible at https://forbiddenstories.org/pegasus-journalists-under-surveillance/).
  65. Sharma v Union of India and Others, Writ Petition (CRL.) No. 314 (2021) (accessible at https://main.sci.gov.in/supremecourt/2021/16884/16884_2021_1_1501_30827_Judgement_27-Oct-2021.pdf).
  66. Amnesty International, ‘India: Damning new forensic investigation reveals repeated use of Pegasus spyware to target high-profile journalists’ (2023) (accessible at https://www.amnesty.org/en/latest/news/2023/12/india-damning-new-forensic-investigation-reveals-repeated-use-of-pegasus-spyware-to-target-high-profile-journalists/).
  67. Nick Hopkins and Stephanie Kirchgaessner, ‘WhatsApp sues Israeli firm, accursing it of hacking activists’ phones’ The Guardian (2019) (accessible at https://www.theguardian.com/technology/2019/oct/29/whatsapp-sues-israeli-firm-accusing-it-of-hacking-activists-phones).
  68. Stephanie Kirchgaessner, ‘Court orders maker of Pegasus spyware to hand over code to Whatsapp’ The Guardian (2024) (accessible at https://www.theguardian.com/technology/2024/feb/29/pegasus-surveillance-code-whatsapp-meta-lawsuit-nso-group).
  69. RSF, ‘In first for Togo, RSF identifies spyware on phones of two Togolese journalists’ (2024) (accessible at https://rsf.org/en/first-togo-rsf-identifies-spyware-phones-two-togolese-journalists).
  70. See above n 9 at para 8.
  71. Revelations be whistle-blowers, such as Edward Snowden, have revealed that the National Security Agency in the USA and the General Communications Headquarters in the United Kingdom had developed technologies allowing access to much global internet traffic, calling records in the United States, individuals’ electronic address books and huge volumes of other digital communications content. These technologies are deployed through a transnational network comprising strategic intelligence relationships between governments and other role-players. This is referred to as bulk or mass surveillance. See above n 47 at para 4.
  72. UNSR on Privacy, ‘Report prepared pursuant to Human Rights Council resolutions 28/16 and 37/2’ (20190 (accessible at https://documents.un.org/doc/undoc/gen/g19/307/40/pdf/g1930740.pdf?token=Llio29GStCcXeab4uk&fe=true) at p 14.
  73. UNGA, ‘Resolution on the right to privacy in the digital age’ A/C.3/71/L.39/Rev.1, (2016) (accessible at http://www.un.org/ga/search/view_doc.asp?symbol=A/C.3/71/L.39/Rev.1).
  74. See above n 65 at Principle 5.
  75. See above n 47 at para 21.
  76. For more, see Big Brother Watch v United Kingdom in the ECtHR (2018) (accessible at https://globalfreedomofexpression.columbia.edu/cases/big-brother-watch-v-united-kingdom/)) and amaBhungane Centre for Investigative Journalism v Minister of Justice in South Africa (2019) (accessible at http://www.saflii.org/za/cases/ZAGPPHC/2019/384.html).
  77. [2012] ZAGPJHC 71, (2012) (accessible at http://www.saflii.org/za/cases/ZAGPJHC/2012/71.html).
  78. Kenya Human Rights Commission v. Communications Authority of Kenya (2018) (accessible at https://globalfreedomofexpression.columbia.edu/cases/kenya-human-rights-commission-v-communications-authority-kenya/) and Okoiti v. Communications Authority of Kenya (2018) (accessible at https://globalfreedomofexpression.columbia.edu/cases/okoiti-v-communications-authority-kenya/).
  79. Writ Petition (Crl.) No. 314 of 2021, (2021) (accessible at https://main.sci.gov.in/supremecourt/2021/16884/16884_2021_1_1501_30827_Judgement_27-Oct-2021.pdf).
  80. Big Brother Watch v. The United Kingdom (Big Brother I) App nos. 58170/13, 62322/14 and 24960/15 (2018) (accessible at https://globalfreedomofexpression.columbia.edu/cases/big-brother-watch-v-united-kingdom/).
  81. UNSR on Privacy ‘Artificial intelligence and privacy, and children’s privacy’ (2021) (accessible at https://undocs.org/Home/Mobile?FinalSymbol=A/HRC/46/37&Language=E&DeviceType=Desktop&LangRequested=False).
  82. Report of the UN High Commissioner for Human Rights ‘The right to privacy in the digital age ‘(2021) (accessible at https://www.undocs.org/Home/Mobile?FinalSymbol=A/HRC/48/31&Language=E&DeviceType=Desktop&LangRequested=False).
  83. UNSR on Privacy ‘Right to privacy,’ (2023) (accessible at https://undocs.org/Home/Mobile?FinalSymbol=A/78/310&Language=E&DeviceType=Desktop&LangRequested=False).
  84. ACHR, ‘Resolution on the need to undertake a Study on huma and peoples’ rights and artificial intelligence (AI), robotics and other new and emerging technologies in Africa’ ACHR/Res. 473 (EXT.OS/XXXI) (2021) (accessible at https://achpr.au.int/en/adopted-resolutions/473-resolution-need-undertake-study-human-and-peoples-rights-and-art).
  85. ACHPR, ‘PRESS RELEASE: Inception Workshop and Experts’ Consultation on the Study on human and peoples’ rights and artificial intelligence (AI), robotics and other new and emerging technologies in Africa, 08 – 09 June 2023 Nairobi, Kenya’ (2023) (accessible at https://achpr.au.int/en/news/press-releases/2023-06-08/inception-workshop-and-experts-consultation-artificial-intelligence).
  86. See https://dataprotection.africa/ for more information.

Table of Contents

Related Resources

MENA

ماژول‌های آموزشی درباره‌ی دادخواهی مربوط به آزادی بیان و حقوق دیجیتال

واحد آموزشی ۱: اصول اساسی حقوق بین‌الملل و آزادی بیان واحد آموزشی ۲: مقدمه‌ای بر حقوق دیجیتال واحد آموزشی ۳: دسترسی به اینترنت واحد آموزشی ۴: حریم خصوصی داده‌ها و حفاظت از داده‌ها واحد آموزشی ۵: افترا واحد آموزشی ۶:

Read more

MENA

وحدات تعليمية حول التقاضي بشأن حرية التعبير والحقوق الرقمية

الوحدة التعليمية 1: المبادئ األساسية للقانون الدولي وحرية التعبير الوحدة التعليمية 2: مقدمة في الحقوق الرقمية الوحدة التعليمية 3: الوصول إلى اإلنترنت الوحدة التعليمية 4: خصوصية البيانات وحماية البيانات الوحدة التعليمية 5: التشهير الوحدة التعليمية 6: خطاب الكراهية الوحدة التعليمية

Read more

Latin America

Privacidad y Protección de datos y vigilancia – Latinoamérica

Privacidad y Protección de datos y vigilancia Introducción El derecho a la privacidad y el requisito concomitante de proteger la información personal ha atraído una atención significativa en la era de la información. Si bien en Internet el intercambio de

Read more
Resource Hub
Donate