Privacy and Security Online – sub-Saharan Africa

Key Insights

Introduction

In the current data-driven era, the right to privacy has gained increasing recognition as a fundamental right, both in itself and as an enabler of other rights. This includes enabling the right to freedom of expression, for instance by allowing individuals to share views anonymously in circumstances where they may fear being censured for those views, by allowing whistle-blowers to make protected disclosures, and by enabling members of the media and activists to communicate in a secure manner beyond the reach of unlawful government interception.

The key provision under international law regarding the right to privacy is contained in article 17 of the International Covenant on Civil and Political Rights (ICCPR):

• Sub-article ¹ provides that no one shall be subjected to arbitrary or unlawful interference with his (or her) privacy, family, home or correspondence, nor to unlawful attacks on his (or her) honour and reputation.
• Sub-article ² goes on to provide that everyone has the right to the protection of the law against such interference or attacks.

As technology rapidly evolves so do the considerations for the right to privacy, which has remained high on the international human rights law agenda in recent years. In 2016, the United Nations (UN) General Assembly passed a resolution advocating for the protection of the right to privacy, particularly in the digital realm, urging states to enact measures to prevent violations of this right.¹ In 2018, the United Nations High Commissioner for Human Rights released a report emphasizing the challenges facing privacy in the digital age.² This report outlined key issues such as growing digital footprints, data sharing, and biometric projects lacking adequate safeguards. Additionally, it highlighted concerns about mass surveillance, cybercrimes, and attempts to undermine encryption and anonymity. In 2020, the High Commissioner’s report on the impact of new technologies on human rights in assemblies underscored the importance of secure communications in organizing peaceful protests.³ It cautioned against technology-enabled surveillance, which poses significant risks to human rights during assemblies and contributes to the constriction of civic space in many countries.

In 2021, the UN High Commissioner for Human Rights presented the report on Privacy in the Digital Age, which builds on reports from previous reports but focuses on artificial intelligence (AI) in recognition that “AI systems can facilitate and deepen privacy intrusions”.⁴ Such intrusions could include “entirely new applications as well as features of AI systems that expand, intensify or incentivize interference with the right to privacy, most notably through increased collection and use of personal data.”

The 2022 report on Privacy in the Digital Age focused on the misuse of intrusive hacking tools; the critical role of encryption in safeguarding the right to privacy and other rights; and extensive monitoring of public areas.⁵ The report underscores the potential dangers of establishing pervasive surveillance and control systems, which could jeopardize the cultivation of vibrant and rights-respecting societies. Also 2022, in reaction to the swift and extensive gathering of personal data purportedly aimed at addressing the COVID-19 crisis between 2020 and 2022, the United Nations Special Rapporteur on Privacy published a document detailing the application of principles such as restricting data usage to specific purposes, erasing data, and exhibiting or pre-emptively ensuring accountability in the handling of personal information collected by governmental bodies during the pandemic.⁶

In the African context, the African Charter on Human and Peoples’ Rights (African Charter) does not contain an express provision for the right to privacy. However, it has been argued that the right can – and should – be read into the African Charter through to the right to respect for life and integrity of the person, the right to dignity, and the right to liberty and security of the person.⁷ This argument is based on the approach taken by the African Commission on Human and Peoples’ Rights (African Commission) in Social and Economic Rights Action Centre and Another v Nigeria and the comparative jurisprudence from the Supreme Court of India in Justice KS Puttaswamy (Retd) and Another v Union of India and Others.⁸

It bears mention that other African regional instruments do recognise the right to privacy.⁹

For example, article 10 of the African Charter on the Rights and Welfare of the Child provides that: 


No child shall be subject to arbitrary or unlawful interference with his privacy, family home or correspondence, or to the attacks upon his honour or reputation, provided that parents or legal guardians shall have the right to exercise reasonable supervision over the conduct of their children. The child has the right to the protection of the law against such interference or attacks.

In February 2021, the African Commission on Human and Peoples’ Rights (ACHPR) passed Resolution No. 473, highlighting the imperative to confront the human rights ramifications of AI, robotics, and other emerging technologies in Africa.¹⁰ The resolution underscores apprehension regarding the extensive impact of AI technologies, robotics, and other emerging technologies on human rights, including the right to privacy.

Notably, the long-awaited African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) was enacted in 2023. It recognises in its preamble the commitment of the AU to build an information society and to protect “the privacy of its citizens in their daily or professional lives while guaranteeing the free flow of information”. If further endeavours to establish a comprehensive legal structure for electronic commerce, data protection, and the regulation of cybercrime and cybersecurity across the continent. It mandates member states to adopt domestic legislation in each of these policy domains, aligning with the diverse standards and principles delineated within the convention. At the domestic level, more than 50 African constitutions, inclusive of amendments and recent reviews, include reference to the right to privacy.¹¹ Out of 55 African states, 36 have data protection laws, with 3 states having draft laws.¹²

It is highly likely that fighting for the right to privacy will continue to be a pressing battle as new and more complex digital advancements attempt to erode this fundamental right and all it enables. It is equally likely that the regulation of technology may have implications for the right to privacy – both positive and negative.

Data Protection

Key principles for data protection

Data protection is one of the primary measures through which the right to privacy is given effect. Data protection laws are aimed at protecting and safeguarding the processing of personal information (or personal data).

Although the specific definitions and terms may vary, most data protection laws set out similar basic concepts:

• Personal information or an equivalent term generally refers to any information relating to an identified or identifiable natural person which can be used to identify them, whether directly or indirectly, such as their name, contact details, age, race, gender, sexual orientation, health information, financial information, employment details, political or religious views, or biometric information.
• A data subject is any person to whom this information relates – in other words, a person whose rights are at stake.
• A data controller, which can typically be either a public or private body, is the person or entity responsible for processing the personal information about the data subject.
• Processing usually refers to a wide range of actions that can be performed on personal information including collection, organisation, storage, alteration, retrieval, sending, or deletion, and includes both manual and automated means.
• A data protection authority is a type of independent authority or public body established to monitor and enforce compliance with a data protection framework. This module explores data protection authorities in more detail below under Use of data protection authorities to vindicate the right to privacy.

While there may be differences across jurisdictions, there are also several governing principles that appear in most data protection frameworks. The Personal Data Protection Guidelines for Africa¹³ (Data Protection Guidelines), a joint initiative of the Internet Society (ISOC) and the AU, sets out key data protection principles that appear across most frameworks:¹⁴

• Collection limitation: Personal data must be obtained and processed lawfully, fairly, and, to the extent possible, transparently.
• Data Quality: Personal data must be accurate at the point of collection, and reasonable steps must be taken to ensure its accuracy is maintained over the period of retention.
• Purpose specification: Personal data must be collected only for specified, explicit, and legitimate purposes. Personal data should only be used for such other purposes as are compatible with applicable laws, such as archiving data that is in the public interest, or for scientific research.
• Use limitation: Personal data must not be disclosed, made available, or used for other purposes except with the consent of the individual or where authorised by law.
• Security safeguards: Personal data should be protected by reasonable security safeguards to maintain its integrity and confidentiality.
• Openness: There should be a general policy of openness about developments, practices, and policies with respect to personal data.
• Individual participation: Individuals must have the right to obtain information about their personal data held by others. This data must be provided within a reasonable period of time, in a form that is readily intelligible, and at a cost that is not excessive. Data subjects have the right to challenge their data and to have it amended if it is inaccurate, or erased if that is appropriate.
• Accountability: Those who collect and process personal data must be able to demonstrate their compliance with these principles.

In addition to giving effect to the right to privacy, data protection laws also typically facilitate a right of access to information. Most data protection laws provide for data subjects to request and be given access to the information being held about them by a controller. This mechanism can enable data subjects to determine whether their personal information is being processed in line with applicable data protection laws and whether their rights are being upheld.

Another key principle of data protection frameworks is that personal data should not be transferred to a country that does not ensure an adequate level of protection for the rights and freedoms of data subjects when it comes to the processing of personal information.¹⁵

Data protection frameworks in Africa

A growing number of African states have enacted data protection laws, and more are in the process of doing so. In addition to giving effect to the right to privacy, data protection legislation also has a key role to play in facilitating trade amongst states, as many data protection laws restrict cross-border data transfers in circumstances where the state receiving the information does not provide an adequate level of data protection.

As noted in the Data Protection Guidelines, in considering the relevant data protection framework, it is necessary to understand the African context and the particular characteristics that arise:¹⁸

• Significant cultural and legal diversity across the continent, with different privacy expectations.
• Variations in access to technology and online services among member states.
• Sensitivities regarding ethnicity and profiling of citizens without consent.
• Different levels of capability in areas such as technology and technology-related law and governance.
• Risks arising from high dependency on non-African manufacturers and service providers, including the limited ability of African states to influence the behaviour of external service providers, and the potentially increased risk of data misuse where content and services are solely provided by foreign companies.

According to the Data Protection Guidelines, this context presents unique challenges to the enforcement of local data protection laws that may make such enforcement more difficult.

The Malabo Convention provides useful guidance at the regional level to states looking to implement data protection frameworks at the domestic level. Chapter II of the Malabo Convention sets out the principles relevant to data protection. As set out in article 8¹, the objective of the Convention is for each state party to commit itself to establishing a legal framework “aimed at strengthening fundamental rights and public freedoms, particularly the protection of physical data, and punish any violation of privacy with prejudice to the principle of the free flow of personal data.”

Article 13 of the AU Data Protection Convention¹⁹ sets out the following basic principles governing the processing of personal data:

• Principle 1: Principle of consent and legitimacy of personal data processing.
• Principle 2: Principle of lawfulness and fairness of personal data processing.
• Principle 3: Principle of purpose, relevance and storage of processed personal data.
• Principle 4: Principle of accuracy of personal data.
• Principle 5: Principle of transparency of personal data processing.
• Principle 6: Principle of confidentiality and security of personal data processing.

Articles 16 to 19 of the  Malabo Convention set out the rights of data subjects, namely the right to information; the right of access; the right to object; and the right of rectification or erasure. Articles 20 to 23 go on to set out the obligations of personal data controllers, namely the confidentiality obligations; the security obligations; the storage obligations; and the sustainability obligations.

In respect of cross-border data transfers, article 14⁶(a) provides that: “The data controller shall not transfer personal data to a non-Member State of the African Union unless such a State ensures an adequate level of protection of the privacy, freedoms and fundamental rights of the persons whose data are being or are likely to be processed”. Sub-article (b) goes on to provide that the prohibition does not apply if the data controller has requested authorisation for the transfer from the relevant data protection authority before the data has been transferred.

Extra-territorial application of data protection frameworks in Europe

There are two key European instruments in respect of data protection that have extra-territorial application for African states: Convention 108 and the GDPR.

The Convention for the Protection of Individuals with regard to the Processing of Personal Data²⁰ – commonly referred to as Convention 108 – is an instrument of the Council of Europe (COE). Convention 108 opened for signature in 1981 and was the first legally binding instrument in the data protection field.²¹ The purpose of Convention 108 is to “protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy”.²² Convention 108 provides for the free flow of personal data between state parties to the Convention.

A key feature of Convention 108 is that, in addition to the members of the COE, it also provides that non-European states may accede to it. For example, in the African context, Cape Verde, Mauritius, and Senegal have all acceded to it. This is of relevance for several reasons: it is a recognition of the adequacy of their data protection frameworks; it adds an additional bulwark of protection for persons within those states, and; it can serve to facilitate cross-border data transfers between those African states and Europe. Convention 108 remains open for accession to other African states that meet the necessary requirements.

The second key instrument, the European Union General Data Protection Regulation 2016/679²³ (GDPR), is an effort to harmonise all data protection laws across the European Union and has been applicable to all EU member states since 25 May 2018. As explained in article 1 of the GDPR, its purpose is to lay down rules relating to the protection of natural persons with regard to the processing of personal data, as well as rules relating to the free movement of personal data. In particular, article 1² makes clear that the GDPR is intended to protect “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”.

Chapter II of the GDPR sets out the following principles:

• Article 5: Principles relating to the processing of personal data.
• Article 6: Lawfulness of processing.
• Article 7: Conditions for consent.
• Article 8: Conditions applicable to a child’s consent in relation to information society services.
• Article 9: Processing of special categories of personal data.
• Article 10: Processing of personal data relating to criminal convictions and offences.
• Article 11: Processing which does not require identification.

The conditions for consent bear special emphasis. Importantly, the data controller bears the burden of demonstrating that the data subject has consented to the processing of his or her personal data.²⁴ Where written consent is sought, the GDPR provides that this request for consent “shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language” in order for it to be binding.²⁵ The data subject has the right to withdraw consent at any time, and it is required that it be made as easy to withdraw consent as it is to give consent.²⁶ Added to this, the GDPR provides that when assessing whether consent is freely given, utmost account must be taken of whether the performance of a contract or provision of a service “is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.²⁷

A unique and notable inclusion in the GDPR is that, per Article 3, it seeks to apply extra-territorially, to data controllers that are not established in the EU, regardless of whether the processing takes place in the EU or not.

Failure to comply with the GDPR carries significant penalties, including administrative fines of up to €20 000 or 4% of the transgressor’s total worldwide turnover of the preceding year, whichever is higher.²⁸

Use of data protection authorities to vindicate the right to privacy

Data protection frameworks typically provide for the establishment of a data protection authority (DPA) to oversee and enforce the relevant framework. Such DPAs are typically given a range of powers, including to be notified in the event of a data breach, to adjudicate complaints, and to impose penalties where a data controller is found to be non-compliant with the data protection framework.

In states with established DPAs, this may be an avenue to vindicate the right to privacy. In the event of a data breach or another infringement of the data protection framework, data subjects may be assisted with lodging complaints to the relevant DPA. This quasi-judicial forum can present a relatively quick and cost-effective remedy for the data subject.

In 2023, Tools for Humanity initiated a trial of a fresh cryptocurrency initiative known as Worldcoin.³⁰ This campaign offered individuals a small sum of cryptocurrency in exchange for allowing their biometric data to be gathered. Thousands of people participated in this opportunity, despite having limited information about how their data would be utilised. In May, Kenya’s Office of the Data Protection Commissioner (OPDC) instructed the company to cease processing data, a directive that allegedly went unheeded. It wasn’t until August, when the Ministry of the Interior intervened and ordered the suspension of Worldcoin’s activities in the country due to data protection concerns, that the company finally ceased data collection. Subsequently, the OPDC initiated legal proceedings against Tools for Humanity in the High Court.³¹

Data Retention

Data retention is typically described as “the process through which governments and businesses (especially telecommunication and internet providers) record and store various data (usually related to individuals).”³⁴ As explained by Privacy International:(35)

The practice of data retention involves the gathering and storing of communications data for extended periods for the purpose of future access. Metadata tells the story about your data and answers the who, when, what, and how of a specific communication.

While the specific terms and definitions vary, most legal frameworks on data retention relating to communications provide for two categories of information – the ‘content’ of the communication itself, and information about the communication. This second category, often called communication data or communication metadata, includes a wide range of information which is often deeply revealing, such as the identities or identifiers of those involved, the times and durations of their interactions, locational information, and any technology or services involved. While data retention can be important for criminal investigations, it also gives more power to governments to monitor the public and takes away their rights to online privacy.³⁶ The practice of mandating the retention of communications data raises significant privacy, transparency and security concerns. In turn, this may affect the ways in which people exercise their rights online and poses a risk of leading to self-censorship.

It has been noted that: “Data retention laws are different from country to country, but they ultimately have the same goal: A better grip on the digital world at the expense of privacy and freedom of speech”.³⁷ Privacy International explains that the mass retention of individuals’ communications records, outside the context of any criminal investigation or business purpose, “amounts to the compilation of dossiers on each and every one of us, our friends, family and colleagues”.(38) Privacy International goes on to explain that:

The potential harms associated with data retention and access are significant.  In a context where the gathering and exploitation of data by private companies becomes increasingly privacy intrusive and widespread, data retention poses serious risks to individual privacy and data security.  The data opens the door for governments and third parties to make intimate inferences about individuals, to engage in profiling and to otherwise intrude on people’s private lives.  If the information is not properly protected there is the potential of unauthorised access to troves of information by third parties, including cyber-criminals.

Most data protection frameworks provide that data should only be collected for specified, explicit and legitimate purposes and that such data should, in the ordinary course, be deleted when this is no longer the case. Additionally, data ought not to be kept for longer than it is needed. For example, article 5¹(e) of the GDPR provides that personal data shall be–

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes … subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).

In general, there are two key factors that determine an appropriate data retention period: (i) the purpose for processing the data; and (ii) any legal or regulatory requirements for retaining it. In respect of the latter, various countries have mandatory data retention laws that require telecommunication and internet service providers to retain certain types of data – such as metadata – for stipulated periods of time.

Importantly, there have been at least two significant judgments of the CJEU — Digital Rights Ireland³⁹ and Tele2 Sverige AB⁴⁰ — that have reaffirmed the requirement that all data retention regimes must comply with the principles of legality, necessity and proportionality.⁴¹ Appropriate safeguards are also needed to protect the data that has been retained.

Surveillance

Government-led digital surveillance

Communications surveillance encompasses the monitoring, intercepting, collecting, analysing, retention, or similar actions, of a person’s communications in the past, present, or future.⁴³ Online surveillance has been a central issue for human rights activists for years, but the Snowden revelations about the extent and scope of global mass surveillance brought new urgency and awareness to the issue and sparked a wave of policy change and jurisprudence in many jurisdictions.

Surveillance constitutes an obvious interference with the right to privacy. Further, it also infringes on the right to hold opinions without interference and the right to freedom of expression. With particular reference to the right to hold opinions without interference, surveillance systems, both targeted and mass, may undermine the right to form an opinion, as the fear of unwilling disclosure of online activity, such as search and browsing, can create a chilling effect by deterring a person from accessing information, particularly where such surveillance leads to repressive outcomes. The knowledge, or even the perception, of being surveilled can lead to self-censorship. Accordingly, emerging jurisprudence on communications surveillance has also often paid special attention to media freedom considerations:

• United Kingdom: In Big Brother Watch and Others v. the United Kingdom the Grand Chamber of the ECtHR found inter alia that the UK’s bulk surveillance regime contravened article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms because it did not adequately protect confidential journalistic material from collection and inspection in the course of bulk monitoring of communications data undertaken by UK intelligence agencies.
• South Africa: In amaBhungane Centre for Investigative Journalism NPC and Another v Minister of Justice and Correctional Services and Others (discussed in further detail below), the High Court of South Africa found that the need of journalists and their sources for confidential communications required special protections against surveillance abuses, remarking that:

In a country that is as wracked by corruption in both our public institutions and in our private institutions as ours is, and where the unearthing of wrongdoing is significantly the work of investigative journalists, in an otherwise, seemingly, empty field, it is hypocritical to both laud the press and ignore their special needs to be an effective prop of the democratic process.

• India: In Sharma v Union of India the Supreme Court of India, in ordering an independent inquiry into allegations that the government deployed the Pegasus spyware against various journalists, politicians and dissidents, similarly found that the free press’s democratic function was at stake, and that “such chilling effect on the freedom of speech is an assault on the vital public watchdog role of the press, which may undermine the ability of the press to provide accurate and reliable information.”(44) Although the findings of the Court’s investigation have not been made public, evidence has since come to light of the continued use of the Pegasus software to surveil journalists.(45)

It has been noted that many frameworks create a legal distinction between communications information that is deemed to be ‘content’ and information that is about the communication (communication data or metadata). This second category is often subject to fewer legal and social protections than information deemed to be ‘content’. Yet communication data may give detailed insights into a person’s behaviour, social relationships, private preferences and identity – either when analysed in bulk or in some cases in individual parts.⁴⁶ In addition, the two legal distinctions are arbitrary and ill-suited to many types of communication information in the context of the modern digital age, where certain types of data could fall into either legal category.⁴⁷

General Comment No 16 to the ICCPR provides that “[s]urveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited.”⁵¹ In the digital age, Information and Communications Technologies (ICTs) have enhanced the capacity of governments, corporations and individuals to conduct surveillance, interception, and data collection, and have meant that the effectiveness of conducting such surveillance is no longer limited by scale or duration. Surveillance – both bulk (or mass) collection of data or targeted collection of data – interferes directly with the privacy and security necessary for freedom of opinion and expression. As such, in all its forms surveillance must be considered against the three-part test established in international law to assess the permissibility of a restriction on human rights, namely that the limitation is:

• Provided by law.
• Pursues a legitimate aim.
• Necessary and proportionate to achieving the aim.

In order to meet the condition of legality, many states have taken steps to reform their surveillance laws to allow for the powers required to conduct surveillance activities. For instance, in the judgment of amaBhungane Centre for Investigative Journalism NPC and Another v Minister of Justice and Correctional Services and Others, the Constitutional Court of South Africa upheld a ruling of the High Court that the exercise of bulk surveillance in South Africa was unlawful because of the absence of any empowering legal framework to authorise such surveillance to take place.⁵²

Necessary and proportionate

The Necessary and Proportionate Principles are a set of 13 international principles on the application of human rights to communications surveillance, especially in the context of the ever-advancing mass surveillance capabilities shown by states and private-sector operators in the modern digital era.⁵³ The principles advise among other things that all powers of communications surveillance must be prescribed and regulated by law, be necessary and proportionate and pursue a legitimate aim, and be subject to certain safeguards, including that the powers are subject to a competent judicial authority, and necessary transparency and public oversight measures.

Principle 3 establishes necessity, explaining that surveillance laws, regulations, activities, powers, or authorities must be limited to those which are strictly and demonstrably necessary to achieve a legitimate aim. As such, surveillance should only be conducted when it is the only means of achieving a legitimate aim, or, when there are multiple means, it is the means least likely to infringe upon human rights. The onus of establishing this justification rests on the state. Principle 5 establishes proportionality: surveillance should be regarded as a highly intrusive act, and in order to meet the threshold of proportionality, the state should be required at a minimum to establish the following information to a competent judicial authority prior to conducting any communications surveillance:(54)

• There is a high degree of probability that a serious crime or specific threat to a legitimate aim has been or will be carried out.
• There is a high degree of probability that evidence relevant and material to such a serious crime or specific threat to a legitimate aim would be obtained by accessing the protected information sought.
• Other less invasive techniques have been exhausted or would be futile, such that the technique used is the least invasive option.
• Information accessed will be confined to that which is relevant and material to the serious crime or specific threat to a legitimate aim alleged.
• Any excess information collected will not be retained but instead will be promptly destroyed or returned.
• Information will be accessed only by the specified authority and used only for the purpose and duration for which authorisation was given.
• The surveillance activities requested, and techniques proposed do not undermine the essence of the right to privacy or of fundamental freedoms.

Safeguards and oversight

Privacy International sets out the following ten safeguards that should be implemented for any government hacking or surveillance regime:(55)

• Legality: Government hacking powers must be explicitly prescribed by law and limited to those strictly and demonstrably necessary to achieve a legitimate aim. That law must be accessible to the public and sufficiently clear and precise to enable persons to foresee its application and the extent of the interference. It should be subject to periodic review by means of a participatory legislative process.
• Security and integrity of systems: Prior to carrying out a hacking measure, government authorities must assess the potential risks and damage to the security and integrity of the target system and systems generally, as well as of data on the target system and systems generally, and how those risks and/or damage will be mitigated or corrected. Government authorities must include this assessment in any application in support of a proposed hacking measure. Government authorities must not compel hardware or software manufacturers or service providers to facilitate government hacking, including by compromising the security and integrity of their products and services.
• Necessity and proportionality: Prior to carrying out a hacking measure, government authorities must, at a minimum, establish a high degree of probability that: (i) serious crime or act(s) amounting to a specific, serious threat to national security has been or will be carried out; (ii) the system used by the person suspected of committing the serious crime or act(s) amounting to a specific, serious threat to national security contains evidence relevant and material to the serious crime or act(s) amounting to a specific, serious threat to national security interest alleged; and (iii) evidence relevant and material to the serious crime or act(s) amounting to a specific, serious threat to national security alleged will be obtained by hacking the target system.
• Judicial authorisation: Prior to carrying out a hacking measure, government authorities must make an application, setting forth the necessity and proportionality of the proposed measure to an impartial and independent judicial authority, who shall determine whether to approve such measure and oversee its implementation. The judicial authority must be able to consult persons with technical expertise in the relevant technologies, who may assist the judicial authority in understanding how the proposed measure will affect the target system and systems generally, as well as data on the target system and systems generally. The judicial authority must also be able to consult persons with expertise in privacy and human rights, who may assist the judicial authority in understanding how the proposed measure will interfere with the rights of the target person and other persons.
• Integrity of information: Government authorities must not add, alter or delete data on the target system, except to the extent technically necessary to carry out the authorised hacking measure. They must maintain an independently verifiable audit trail to record their hacking activities, including any necessary additions, alterations or deletions. Where government authorities rely on data obtained through an authorised hacking measure, they must disclose the method, extent and duration of the hacking measure and their audit trail so that the target person can understand the nature of the data obtained and investigate additions, alterations or deletions to information or breaches of the chain of custody, as appropriate.
• Notification: Government authorities must notify the person(s) whose system(s) have been subject to interference pursuant to an authorised hacking measure, regardless of where the person(s) reside, that the authorities have interfered with such system(s). Government authorities must also notify affected software and hardware manufacturers and service providers, with details regarding the method, extent and duration of the hacking measure, including the specific configurations of the target system. Delay in notification is only justified where notification would seriously jeopardise the purpose for which the hacking measure was authorised or there is an imminent risk of danger to human life and authorisation to delay notification is granted by an impartial and independent judicial authority.
• Destruction and return of data: Government authorities must immediately destroy any irrelevant or immaterial data that is obtained pursuant to an authorised hacking measure. That destruction must be recorded in the independently verifiable audit trail of hacking activities. After government authorities have used data obtained through an authorised hacking measure for the purpose for which authorisation was given, they must return this data to the target person and destroy any other copies of the data.
• Oversight and transparency: Government authorities must be transparent about the scope and use of their hacking powers and activities and subject those powers and activities to independent oversight. They should regularly publish, at a minimum, information on the number of applications to authorise hacking approved and rejected; the identity of the applying government authorities; the offences specified in the applications; and the method, extent and duration of authorised hacking measures, including the specific configurations of target systems.
• Extraterritoriality: When conducting an extraterritorial hacking measure, government authorities must always comply with their international legal obligations, including the principles of sovereignty and non-intervention, which express limitations on the exercise of extraterritorial jurisdiction. Government authorities must not use hacking to circumvent other legal mechanisms – such as mutual legal assistance treaties or other consent-based mechanisms – for obtaining data located outside their territory. These mechanisms must be clearly documented, publicly available, and subject to guarantees of procedural and substantive fairness.
• Effective remedy: Persons who have been subject to unlawful government hacking, regardless of where they reside, must have access to an effective remedy.

Covert recordings

There are various domestic laws and international standards that require that individuals be notified of covert recordings, including video surveillance.(58) However, there is no consistent position on this issue. There are two key recent decisions of the Grand Chamber of the ECtHR that are relevant in this regard:(59)

• Antović and Mirković v Montenegro:⁶⁰ This case concerned an invasion of privacy complaint by two professors at the University of Montenegro’s School of Mathematics after video surveillance had been installed in areas where they taught. They stated that they had no effective control over the information collected and that the surveillance had been unlawful. The domestic courts rejected a compensation claim, finding that the question of private life had not been at issue as the auditoriums where the applicants taught were public areas. The ECtHR made the following findings:
  • It held that there had been a violation of article 8 of the European Convention, finding that the camera surveillance had not been in accordance with the law.
  • The ECtHR rejected the government’s argument that the case was inadmissible because no privacy issue had been at stake as the area under surveillance had been a public, working area, noting that it had previously found that private life might include professional activities and considered this to apply to the applicants’ situation. Article 8 of the European Convention was therefore applicable.
  • On the merits of the case, the ECtHR found that the camera surveillance had amounted to an interference with the applicants’ right to privacy and that the evidence showed that the surveillance had violated the provisions of domestic law. According to the ECtHR, the domestic courts had not considered any legal justification for the surveillance because they had decided from the outset that there had been no invasion of privacy.
• Ribalda and Others v Spain:(61) This case concerned covert video surveillance of a group of employees at a supermarket, which led to their dismissal. The applicants complained about the covert video surveillance and about the Spanish courts’ use of the footage to find that their dismissals had been fair. Several applicants who had signed settlement agreements also complained that the agreements had been made under duress owing to the video material and should not have been accepted as evidence that their dismissals had been fair. The Grand Chamber made the following findings:
  • It held that there had been no violation of article 8 of the European Convention in respect of the five applicants. It found in particular that the Spanish courts had carefully balanced the rights of the applicants – who had been suspected of theft by their employer – and those of the employer and thoroughly examined the justification for the video surveillance.
  • A key argument by the applicants was that they had not been given prior notice of the surveillance, despite such a legal requirement, but the ECtHR found that the measure was justified owing to a reasonable suspicion of serious misconduct and to the losses involved, taking account of the extent and the consequences of the measure.
  • The ECtHR concluded that, in the present case, the domestic courts had not exceeded their power of discretion or margin of appreciation in finding that the covert video surveillance was proportionate and legitimate.

In respect of the media, considerations of public interest and the public status of individuals are key in determining whether information should be published. This was affirmed, for instance, in Radio Twist v Slovakia,(62) where the ECtHR had cause to consider the unlawful recording of a telephone call that had been broadcast on the radio. The recording was of a conversation among several senior government officials about the privatisation of an insurance company. The recording had been shared anonymously with the radio station. The ECtHR had particular regard to the context and content of the conversation being clearly political in nature, and the subject matter of the conversation being of general interest.(63) As to whether the recording was illegal, the ECtHR stated that it was not convinced that the mere fact that the recording had been obtained by a third party contrary to the law justified the applicant’s being deprived of its right to freedom of expression.⁶⁴ The ECtHR, therefore, held that the radio station had not violated the rights of the persons who were recorded.

Principle 12(a) of the Global Principles lists the following factors to consider in balancing the rights to freedom of expression and privacy, in situations concerning the publication of personal information:

• The extent to which the publication contributes to a debate of public interest; the degree of notoriety or vulnerability of the person affected;
• The subject covered by the publication and the extent of the private nature of the information at issue;
• The prior conduct of the person concerned;
• The content, form, and consequences of the publication;
• The way in which the information was obtained;
• The intent of the individual or entity disseminating the information at issue, and in particular whether it was malicious; and
• The extent to which the individual whose privacy is at issue is a public figure.(68)

Furthermore, Principle 12 provides that when dealing with the publication of photographs, video footage, or sound recordings, there should be consideration of whether the recording was made voluntarily and with consent. The use of privacy-invasive techniques, such as hidden cameras or undercover reporting, should only be permitted where there is an overriding public interest in the dissemination of the information sought or discovered which could not have been obtained by less invasive means, and where efforts have been made to address or minimise any privacy implications.⁶⁹

Collection of Biometric Data and Facial Recognition

Despite the nascent use of biometrics, including facial recognition technology (FRT), many African states lack sufficient regulatory measures.⁷⁰ Instead, authorities in various instances are moving towards integrating biometric surveillance into SIM card registration systems, a longstanding concern for digital rights advocates. For instance:

• In Malawi, the National Registration and Identification System has been operational since 2017, linking biometric data to voter registration, revenue collection, immigration records, and SIM card registration, as well as banking and financial inclusion programs.⁷¹ This system, criticized for its mass data collection without data protection legislation, enables widespread surveillance.
• Similarly, Tanzania mandates SIM card registration under the Electronic and Postal Communications (SIM Card Registration) Regulations, 2020, requiring verification against the National Identification Authority (NIDA) database.⁷²

Mandatory SIM card registration

Mandatory SIM card registration is a widespread policy that requires real-name registration for online activity.⁷³ Mandatory SIM card registration laws typically require that people link their identity to their SIM card in order to activate it, by providing personal information such as a valid identity document, proof of address or biometrics, when purchasing a SIM card for a mobile device.⁷⁴ As noted by Privacy International, “[p]repaid SIM card use and mandatory SIM card registration laws are especially widespread in African countries: these two factors can allow for a more pervasive system of mass surveillance of people who can access pre-paid SIM cards, as well as exclusion from important civic spaces, social networks, and education and health care for people who cannot.”⁷⁵

Mandatory SIM card registration severely undermines the ability to be anonymous online. It has been explained that: “If almost every mobile device has its SIM card registered to a particular person, and the government can get access to that mobile subscriber information, the people who own and use such devices can be more easily tracked and monitored. Not all people with mobile devices may fall equally under the watchful eye of such surveillance systems: people advocating for change, people who disagree with the government’s policies, religious or ethnic minorities, journalists, and human rights defenders are particularly vulnerable.”⁷⁶

As of 2022, at least 51 countries in Africa had introduced laws or regulations mandating SIM card registration,⁷⁷ with Lesotho and Namibia beginning rollouts in 2022.(78) Among African states, Cabo Verde and Comoros were reported not to be considering SIM registration policies, while the situation in Djibouti was inconclusive.(79)

Facial recognition is a form of biometric system that attracts particular concern for its use in surveillance.(80)Facial recognition technology refers to a wide range of software that can be linked to camera networks; the software analyses live or recorded images and footage of people from a camera network and matches these against images in a pre-existing database in order to identify specific people from the footage.(81) As noted by Privacy International, facial recognition cameras are far more intrusive than regular CCTV: they scan distinct, specific features of your face, such as face shape, to create a detailed map of it – “which means that being captured by these cameras is like being fingerprinted, without your knowledge or consent.”(82)

In this regard, unlike many other biometric systems, facial recognition can be used for general surveillance in combination with public video cameras, and it can be used in a passive way that doesn’t require the knowledge, consent, or participation of the subject.(84) As noted by the American Civil Liberties Union, this creates the risk for the technology to be used for general surveillance of a population that is not suspected of any specific wrongdoing. For example, most motor vehicle agencies have high-quality photographs of large numbers of people, which can be a natural source for facial recognition programmes and could easily be combined with public or private surveillance camera networks to create a comprehensive system of identification and tracking. Law enforcement agencies also regularly use photographs scraped from social media sites as well.

Interpol has noted that computerised facial recognition as a relatively new technology which was introduced by law enforcement agencies around the world in order to identify persons of interest, including criminals, fugitives and missing persons.(85) The Interpol Facial Recognition System contains facial images received from more than 160 countries, and coupled with an automatic biometric software application, the system is capable of identifying or verifying a person comparing and analysing patterns, shapes and proportions of their facial features and contours.⁸⁶ Unlike fingerprints and DNA, which do not change during a person’s life, facial recognition has to take into account different factors, such as ageing, plastic surgery, cosmetics, the effects of drug abuse or smoking, and the pose of the subject.⁸⁷

However, facial recognition technology has also been linked to inaccuracies and biases which raise serious discrimination concerns. A study commissioned by a public agency in the United States found “empirical evidence” that most widely used facial recognition algorithms exhibit “demographic differentials that can worsen their accuracy based on a person’s age, gender, or race.⁸⁸ Some of the specific findings included the following:

• Facial-recognition systems misidentified people of colour more often than white people. Asian and African American people were up to 100 times more likely to be misidentified than white men, depending on the particular algorithm and type of search.
• The faces of African American women were falsely identified more often in the kinds of searches used by police investigators, where an image is compared to thousands or millions of others in hopes of identifying a suspect.
• Women were more likely to be falsely identified than men, and the elderly and children were more likely to be misidentified than those in other age groups.

Privacy International notes that the use of facial recognition technology impacts the exercise of at least the following rights:⁸⁹

• Privacy: According to Privacy International, “[t]he use of facial recognition in public spaces makes a mockery of our privacy rights”. It is a disproportionate crime-fighting technique, as it scans the face of every person who passes by the camera, whether or not they are suspected of any wrongdoing. The biometric data that it collects can be as uniquely identifying as DNA or a fingerprint, and is typically done without consent or knowledge of the data subject.
• Freedom of expression: Being watched and identified in public spaces is likely to lead us to change our behaviour, limiting where we go, what we do and with whom we engage. For example, persons might be unwilling to participate in a particular protest action if facial recognition is being used in the area.
• Equality and non-discrimination: It has been found that facial recognition software is more likely to misidentify women and black people. There are also concerns that the police use facial recognition to target particular communities.

The roll-out of facial recognition technology is often done without any empowering legal framework to authorise it and is arguably a disproportionate limitation on the right to privacy and other associated rights. In this regard, potential litigation to challenge the use of facial recognition technology may seek to show that it does not meet the threshold of the three-part test for a justifiable limitation, even when used for security purposes.

Encryption and Anonymity on the Internet

The interplay between encryption and anonymity

Encryption and anonymity are necessary tools for the full enjoyment of digital rights and enjoy protection by virtue of their critical role in securing the rights to freedom of expression and privacy. As described by the United Nations Special Rapporteur (UNSR) on Freedom of Expression:⁹⁰

Encryption and anonymity, separately or together, create a zone of privacy to protect opinion and belief. For instance, they enable private communications and can shield an opinion from outside scrutiny, particularly important in hostile political, social, religious and legal environments. Where States impose unlawful censorship through filtering and other technologies, the use of encryption and anonymity may empower individuals to circumvent barriers and access information and ideas without the intrusion of authorities. Journalists, researchers, lawyers and civil society rely on encryption and anonymity to shield themselves (and their sources, clients and partners) from surveillance and harassment. The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality. Artists rely on encryption and anonymity to safeguard and protect their right to expression, especially in situations where it is not only the State creating limitations but also society that does not tolerate unconventional opinions or expression.

Encryption and anonymity are especially useful for the development and sharing of opinions online, particularly in circumstances where a person fears that their communications may be subject to interference or attack by state or non-state actors. These are, therefore, specific tools through which individuals may exercise their rights. Accordingly, restrictions on encryption and anonymity must meet the three-part test to justify the restriction.

According to the UNSR on Freedom of Expression, while encryption and anonymity may frustrate law enforcement and counter-terrorism officials and complicate surveillance, state authorities have generally failed to provide appropriate public justification to support any relevant restrictions or to identify situations where the restriction has been necessary to achieve a legitimate goal.⁹¹ The UNSR on Freedom of Expression has therefore called on states to promote strong encryption and anonymity and noted that decryption orders should only be permissible when they result from transparent and publicly accessible laws applied solely on a targeted, case-by-case basis to individuals (not to a mass of people), and subject to a judicial warrant and the protection of due process rights.(92)

Encryption

Encryption refers to a mathematical process of converting messages, information or data into a form unreadable by anyone except the intended recipient, which in doing so protects the confidentiality and integrity of content against third-party access or manipulation.(93) With “public key encryption” – the dominant form of end-to-end security for data in transit – the sender uses the recipient’s public key to encrypt the message and its attachments, and the recipient uses her or his own private key to decrypt them.⁹⁴ It is also possible to encrypt data at rest that is stored on one’s device, such as a laptop or hard drive.⁹⁵

Outright prohibitions on the individual use of encryption technology disproportionately restrict the right to freedom of expression as it deprives all online users in a particular jurisdiction of the right to carve out a safe space for opinion and expression.⁹⁶ Likewise, state regulation of encryption may be tantamount to a ban, for example through requiring licences for encryption use, setting weak technical standards for encryption or controlling the import and export of encryption tools.(97)

It should further be noted that some states have implemented – or proposed implementing – so-called ‘back door access’ in commercially available products, forcing developers to install weaknesses that allow government authorities access to encrypted communications. While the states supporting such measures typically claim that such a framework is necessary to intercept the content of encrypted communications, the UNSR on Freedom of Expression notes that such states have failed to demonstrate that criminal or terrorist use of encryption serves an insuperable barrier to law enforcement objectives.⁹⁸ Creating an intentional mechanism to allow a state to bypass security measures would inevitably undermine the security of all users online, with respect to both state and non-state actors.(99)

Further, there is a key role for encryption to play in data protection. It has been noted that companies can reduce both the probability and the harm of a data breach, and thus reduce the risk of fines in the future if they choose to encrypt any personal data in their possession.(100)

Encryption of personal data has additional benefits for controllers or processors; for example, the loss of a state of the art encrypted mobile storage medium which holds personal data may not necessarily be considered a data breach that must be reported to the DPA.(101) In addition, if there is a data breach, the authorities must positively consider the use of encryption in their decision on whether and what amount a fine is imposed as per article 83²(c) of the GDPR.(102)

In 2018, the DPAs of the EU, represented in the Article 29 Working Party (WP29), published a statement framing strong and efficient encryption as a vital tool for upholding data protection and privacy rights(103) noting three key points:

• Strong encryption ensures a secure, free flow of data between citizens, businesses and governments: The WP29 noted that there is a strong public interest in the implementation of encryption, as it is crucial to ensure a reasonable guarantee that everyday activities – like buying goods online, filing taxes, using banking services, sending or receiving emails or making an appointment with a physician – can be done securely. The WP29 described encryption as “absolutely necessary and irreplaceable for guaranteeing strong confidentiality and integrity when data are transferred across open networks like the Internet or stored in mobile devices like smartphones”. According to the WP29, encryption should ideally always cover the entire communication, from the device of the sender to that of the recipient, commonly referred to as end-to-end-encryption.
• Backdoors and master keys deprive encryption of its utility: The WP29 countered the argument that law enforcement should be able to access the encrypted data of suspected criminals by requiring technology providers to implement ‘back doors’ (i.e. security vulnerabilities deliberately built into a particular software) or ‘master keys’ (i.e. design features to enable the central decryption of all data encrypted with specific software) in encryption software. The WP29 argued that there is significant historical evidence that master keys and backdoors cannot be kept secure and that there is no way for these technological features to be implemented at any scale without significant risks of compromising people’s security. The WP29 also raises concerns that imposing backdoors and master keys on the general population would not be an effective measure against criminals, as criminals would use or adapt to the state-of-the-art encryption to protect their data, which in turn would only harm ‘the honest citizen’ by making their data vulnerable.
• Law enforcement agencies already have legal powers and targeted tools to address the challenge of encryption: According to the WP29, law enforcement agencies can be legally empowered in other ways to obtain access to data otherwise encrypted, including personal data, for investigations in targeted circumstances. While these powers may raise serious privacy concerns in themselves, the WP29 argues that they appear more proportionate and less dangerous than backdoors or master keys.

Based on the above, the WP29 concluded that encryption must remain standardised, strong and efficient, and encryption providers should never be compelled to include master keys and backdoors in their software.

Anonymity

In digital contexts, anonymity can be defined either as acting or communicating without using or presenting one’s name or identity, as acting or communicating in a way that protects the determination of one’s name or identity, or using an invented or assumed name that may not necessarily be associated with one’s legal or customary identity(104) Anonymity may be distinguished from pseudo-anonymity: the former refers to taking no name at all, while the latter refers to taking an assumed name.(105)

Anonymity has been recognised for the important role it plays in safeguarding and advancing privacy, free expression, political accountability, public participation and debate. As explained by the American Civil Liberties Union (ACLU):(106)

The right to remain anonymous is a fundamental component of our right to free speech, and it applies every bit as much in the digital world as it does in the physical one.  In the words of the U.S. Supreme Court in McIntyre v. Ohio Elections Commission, “Anonymity is a shield from the tyranny of the majority.”

Unfortunately, the right to remain anonymous has been under steady attack in the online world. Governments and corporations have attempted to unmask unpopular speakers through subpoenas directed at the websites they visit.

Anonymity is especially critical in repressive environments in which certain types of protected expression are outlawed, and lack of anonymity could lead to criminal charges or other consequences.(107) Attempts to ban anonymous speech have particularly been seen during times of protest as a measure aimed at protestors and activists.(108)

Intermediary liability is again of concern in relation to anonymous users, as some states have moved towards imposing responsibilities on internet service providers (ISPs) and media platforms to regulate online comments by anonymous users. For instance, in Delfi v Estonia, the ECtHR upheld an Estonian law that imposes liability on a media platform for anonymous defamatory statements posted on its site.(109) However, the ECtHR has also upheld that, while there is no absolute guarantee of online anonymity, the right of freedom of expression should be taken into consideration in decisions to revoke anonymity. This informed the ECtHR’s 2021 finding that an Austrian news site should not have been forced to disclose the identity of online commenters who had posted offensive and hateful messages to the platform.(110) In its third-party submissions in that case, Media Defence had previously argued that a court should only order an ISP to disclose user data where:(111)

• An applicant is able to demonstrate to a sufficient degree that a wrongful act has been committed against them, and that the information is sought to enable them to seek redress for that wrongful act;
• The anonymous user has been notified, and has had an opportunity to respond to the application;
• There is no less restrictive means of obtaining the information sought; and
• The applicant’s interest in disclosure has been sufficiently balanced against the rights to freedom of expression and privacy.

Source Protection and the Protection of Journalistic Materials

The confidentiality of journalistic sources is central to journalists’ ability to properly investigate stories, and to the protection of individuals and whistleblowers who provide information to them.(112) Efforts to compel the disclosure of sources have a chilling effect on freedom of speech and media freedom and hinder the free flow of information.(113)

In this regard, General Comment No. 34 to the ICCPR provides that states parties “should recognise and respect that element of the right of freedom of expression that embraces the limited journalistic privilege not to disclose sources.” Furthermore, the Africa Commission on Human and Peoples’ Rights issued the Declaration of Principles on Freedom of Expression in Africa in 2019, which deals with the issue of protection of sources by providing as follows:

Journalists and other media practitioners shall not be required to reveal confidential sources of information or to disclose other material held for journalistic purposes except where disclosure has been ordered by a court after a full and fair public hearing.(114)

The Declaration emphasises that this should only take place where the identity of the source is necessary for the investigation or prosecution of a serious crime, where the information can’t be obtained from elsewhere, and whether the public interest in disclosure outweighs the harm to freedom of expression.

It is important to note that the protection of sources has acquired new significance in the digital age in the context of the right to privacy of communications as surveillance technologies whose development is justified in terms of national security can be used to target journalists and their confidential sources.(115) The Secretary-General of the UN has noted surveillance activities can have a chilling effect on media freedom and makes it more difficult for journalists to communicate with sources and share and develop ideas, which may lead to self-censorship.(116) Similarly, a UN General Assembly resolution on the safety of journalists emphasised that journalists in the digital age are particularly vulnerable to becoming targets of unlawful or arbitrary surveillance, in violation of their rights to privacy and freedom of expression.(117) The resolution further noted that encryption and anonymity tools have become vital to journalists to secure their communications and protect the confidentiality of their sources.

Surveillance activities carried out against journalists run the risk of fundamentally undermining the source protection to which journalists are otherwise entitled. Principle 9 of the Global Principles on the Protection of Freedom of Expression and Privacy provides the following about the protection of sources:

“9.1.     The right to freedom of expression implies that everyone who obtains information from confidential sources with a view to exercising a journalistic activity has, subject to Principles 9.2 (a) and (b), a duty not to disclose the identity of their confidential sources and a right not to be required to do so.

9.2.      States should provide for the protection of the confidentiality of sources in their legislation and ensure that:

(a)          Any restriction on the right to protection of sources complies with the three-part test under international human rights law…;

(b)          The confidentiality of sources should only be lifted in exceptional circumstances and only by a court order, which complies with the requirements of a legitimate aim, necessity, and proportionality.  The same protections should apply to access to journalistic material;

(c)          The right not to disclose the identity of sources and the protection of journalistic material requires that the privacy and security of the communications of anyone engaged in journalistic activity, including access to their communications data and metadata, must be protected.  Circumventions, such as secret surveillance or analysis of communications data not authorised by judicial authorities according to clear and narrow legal rules, must not be used to undermine source confidentiality; and

(d)          Any court order under 9.2 (b) and (c) must only be granted after a fair hearing where sufficient notice has been given to the journalist in question, except in genuine emergencies.”

Further to this, the United Nations Educational, Scientific and Cultural Organization (UNESCO) has set out that a robust and comprehensive source protection framework would encompass the need to:(120)

• Recognise the value to the public interest of source protection, with its legal foundation in the right to freedom of expression (including press freedom), and to privacy. These protections should also be embedded within a country’s constitution and/or national law.
• Recognise that source protection should extend to all acts of journalism and across all platforms, services and mediums (of data storage and publication), and that it includes digital data and meta-data.
• Recognise that source protection does not entail registration or licensing of practitioners of journalism.
• Recognise the potential detrimental impact on public interest journalism, and on society, of source-related information being caught up in bulk data recording, tracking, storage and collection.
• Affirm that State and corporate actors (including third-party intermediaries), who capture journalistic digital data must treat it confidentially (also acknowledging the desirability of the storage and use of such data being consistent with the general right to privacy).
• Shield acts of journalism from targeted surveillance, data retention and handover of material connected to confidential sources.
• Define exceptions to all the above very narrowly, so as to preserve the principle of source protection as the effective norm and standard.
• Define exceptions as needing to conform to a provision of “necessity” and “proportionality” — in other words, when no alternative to disclosure is possible, when there is a greater public interest in disclosure than in protection, and when the terms and extent of disclosure still preserve confidentiality as much as possible.
• Define a transparent and independent judicial process with appeal potential for authorised exceptions, and ensure that law-enforcement agents and judicial actors are educated about the principles involved.
• Criminalise arbitrary, unauthorised and wilful violations of confidentiality of sources by third-party actors.
• Recognise that source protection laws can be strengthened by complementary whistleblower legislation.

UNESCO has further noted that there is a particular gender dimension that arises in respect of source protection in the digital age. Women journalists face additional risks in the course of their work, both on- and offline: in the physical realm, these risks include sexual harassment, physical assault and rape, which may limit their physical mobility; and in the digital sphere, acts of harassment and threats of violence are rampant.(121) Similarly, female sources face increased risks when acting as whistleblowers or confidential informants.(122) As such, women journalists need to be able to rely on secure, non-physical forms of communications with their sources, in particular secure digital communications, to be able to engage with their sources.(123)

Online Harassment

Harassment, threats, and online violence severely restrict the enjoyment that persons have of their rights online, particularly vulnerable, and marginalised groups, including women and members of sexual minorities.

Social media platforms are especially fertile ground for online harassment, but these behaviours occur in a wide range of online venues.(126) For those who experience online harassment directly, these encounters can have profound real-world consequences, ranging from mental or emotional stress to reputational damage or even fear for one’s personal safety. Furthermore, whether one is affected directly or indirectly by it, it can lead to significant self-censorship to avoid incurring such harassment.

While the internet provides a forum for people to seek information about their identities and sexual orientation, and to express themselves on these topics, many people suffer a wide range of attacks in doing so, including attacks on sexuality, exposing personal information, and the manipulation of images that are then used for blackmail and destroying credibility. Furthermore, a common trend amongst children using the internet involves so-called ‘cyberbullying’. Research has shown that online harassment is often focused on personal or physical characteristics, with political views, gender, physical appearance, and race being among the most common.(127) Furthermore, women encounter sexualised forms of online harassment at much higher rates than men.(128)

A particular form of online harassment, typically towards women, is that of the non-consensual publication of a person’s intimate or sexually explicit photographs or videos. This constitutes a gross violation of a person’s privacy, often for the purposes of extortion, blackmail, and/or humiliation. Several recently enacted cybercrime laws in Southern Africa criminalise the non-consensual distribution of private sexual photographs and films – most notably in Botswana and South Africa.(129)

Ongoing harassment and attacks on members of the media have become a particularly worrying trend. As stated in the preamble to the 2011 African Commission Resolution on the Safety of Journalists and Media Practitioners in Africa.(130) freedom of expression, press freedom and access to information can only be enjoyed when journalists and media practitioners are free from intimidation, pressure, and coercion.

Arguably, one of the key challenges is in getting lawmakers and law enforcement officials to recognise the severity of such harassment and threats, and to treat it with the appropriate levels of concern, recognising that the real and persistent harm suffered applies whether the harassment and threats take place online or offline. Two further challenges that arise that are exacerbated in the online sphere relate to the volume of threats that can be received, given the relative ease with which this can be done via social media platforms, for instance; and the concurrent difficulties in identifying perpetrators who are sometimes able to mask their online identities.

This ties in with the issue of anonymity online. This is because one of the particular challenges with online harassment is that perpetrators may mask their identities, making it difficult for law enforcement officials to apprehend them. This, however, should not be seen as a sufficient basis to allow for a blanket ban on anonymity or encryption online. The UNSR on Freedom of Expression has responded to this concern and has stated that:(131)

The “dark” side of encryption and anonymity is a reflection of the fact that wrongdoing offline takes place online as well.  Law enforcement and counter-terrorism officials express concern that terrorists and ordinary criminals use encryption and anonymity to hide their activities, making it difficult for Governments to prevent and conduct investigations into terrorism, the illegal drug trade, organized crime and child pornography, among other government objectives. Harassment and cyberbullying may rely on anonymity as a cowardly mask for discrimination, particularly against members of vulnerable groups. At the same time, however, law enforcement often uses the same tools to ensure their own operational security in undercover operations, while members of vulnerable groups may use the tools to ensure their privacy in the face of harassment. Moreover, Governments have at their disposal a broad set of alternative tools, such as wiretapping, geo-location and tracking, data-mining, traditional physical surveillance and many others, which strengthen contemporary law enforcement and counter-terrorism.

Where journalists allege imminent threats to their safety, courts are empowered to grant interdictory relief in appropriate circumstances and subject to the relevant legal requirements. For instance, in the matter of South African National Editors Forum and Others v Black Land First and Others,(132) the South African high court granted an interdict in favour of the media broadly, in terms of which the respondents were interdicted from “engaging in any of the following acts directed towards the applicants: Intimidation; Harassment; Assaults; Threats; Coming to their homes; or acting in any manner that would constitute an infringement of their personal liberty”, and from “making any threatening or intimidating gestures on social media … that references any violence, harm and threat”.(133)

As stated in the 2016 UN Resolution on the Safety of Journalists, impunity for attacks against journalists constitutes one of the greatest challenges to the safety of journalists and ensuring accountability for crimes committed against journalists is a key element in preventing future attacks.

Principle 20 of the Declaration of Principles on Freedom of Expression in Africa provides that states must guarantee the safety of journalists and take measures to prevent attacks on them, as well as take effective legal steps to investigate and prosecute attacks against journalists. It further calls on states to take specific measures to ensure the safety of female journalists by addressing gender-specific safety concerns, including sexual and gender-based violence, intimidation, and harassment.(134)

General Comment No. 34 provides that an attack on any person because of the exercise of his or her right to freedom of expression, including forms of attack such as arbitrary arrest, torture, threats to life and killing, cannot be justified under article 19 of the ICCPR.(135) It states further that journalists, as well as other persons involved in gathering and analysing information about human rights situations such as lawyers and judges, are frequently subjected to threats, intimidation and attacks because of their activities.(136)

Although it is clear that what is required in the face of online attacks is swift and firm justice, the reality is that many perpetrators commit such with impunity.(137) Impunity perpetuates a cycle of violence: it raises serious concern that such attacks going unpunished sends a public signal that the state and public authorities do not take such attacks seriously.(138)

There is therefore clear guidance under international law that states must take measures to protect persons, including members of the media, against such harassment and attacks. This is so whether the harassment takes place offline or online.

Conclusion

The right to privacy has encountered many new challenges in the digital era. The rapid and widespread adoption of data processing has raised concerns for the protection of personal information, leading to a raft of new data protection laws being passed across the world, and efforts to engender accountability for government and private-sector-led surveillance based on invasive new technologies including facial recognition.

It has also resulted in a need to find the appropriate balance between protecting freedom of expression by enabling anonymity and encryption online while ensuring accountability for crimes committed in the digital sphere. Generally, wholesale prohibitions on anonymity and encryption are seen as disproportionate infringements on the right to freedom of expression, and in recent years international law guidance for states and private actors on these issues has become robust.

These digital rights challenges have particular resonance for journalists who operate online and often bear the brunt of efforts to surveil or intrude in their private communications, including facing high levels of online abuse and harassment. Women journalists are particularly targeted in this regard. It is vital that states take steps to protect journalists in the online sphere and to align their legislative frameworks with the international guidance that exists in order to ensure the protection of freedom of expression in the modern era.