In the context of inadequate legal protections for personal data combined with the abuse of existing laws by state agencies or companies, the issue of privacy and online safety is a critical issue to consider in the regional context of sub-Saharan Africa. This factsheet aims to provide a brief overview of the regional and national standards applicable specifically to privacy and online safety, as well as platform and intermediary liability with a special focus on Kenya, Uganda, Nigeria, and Ghana. In general, the countries highlighted seem to have taken a similar approach, as they all utilise the criminal justice system and the civil court processes as avenues for ventilation of privacy and online safety claims. With this approach, it is therefore fair to state that the approaches have been greatly influenced by the demands on States as enshrined in the Malabo Convention.
Data Security and Privacy Laws
At the African Regional Level, the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention)[1] was enacted with the aim of defining the objectives of the information society in Africa and strengthening existing legislations on information and communication technologies of the Member States and the regional economic communities. The Convention sets out the security rules essential for establishing a credible digital space for electronic transactions, personal data protection[2] and combating cybercrime. The Convention furthermore acknowledges the absence of specific rules that protect consumers, intellectual property rights, personal data, and information systems in Africa in general.
In Kenya, the key laws governing data and privacy are Article 31 of the Constitution of Kenya, 2010[3] and the Data Protection Act, 2019[4]. The Data Protection Act was enacted to give effect to Article 31 (c) and (d) of the Constitution of Kenya, to establish the office of the Data Commissioner, to make provision for the regulation of the processing of personal data, as well as to provide for the rights of data subjects and obligations of data controllers and processors and for connected purposes.
In Nigeria, the key laws that regulate data security and privacy in Nigeria are the Nigeria Data Protection Act 2023, the Constitution of the Federal Republic of Nigeria 1999 (as amended)[5], the Child Rights Act 2003[6], the Cybercrimes (Prohibition, Prevention) Act 2015 (“the Cybercrimes Act”)[7], the Freedom of Information Act, 2011[8] and the National Health Act, 2014[9]. These laws guarantee the right and freedom of privacy for all persons.
In Uganda, the Constitution of the Republic of Uganda[10] provides that no person shall be subjected to interference with the privacy of that person’s home, correspondence, communication or other property. The Data Protection and Privacy Act 2019 and the Data Protection and Privacy Regulations 2021 were enacted to particularly regulate the collection, processing, use and disclosure of personal data.
The Constitution[11] provides for the protection of freedom of conscience, expression, movement, religion, assembly and association. Other related laws include the Press and Journalist Act Cap 105, the National Information Technology Authority-Uganda (NITA-U) Act 2009, the Access to Information Act 2005, the Regulation of Interception of Communications Act 2010, the Computer Misuse Act 2011 (as amended), the Registration of Persons Act 2015, the Electronic Transactions Act 2011, the Human Rights (Enforcement) Act 2019 as well as the Uganda Communication and telecommunications Act 2023.
In Ghana, the Data Protection Act, 2012 (Act 843)[12] is the key law that regulates data security and privacy in Ghana. Although Article 18(2) of Ghana’s 1992 Constitution[13] guarantees the right of privacy to the home, property, correspondence or communication, the Constitution does not categorically provide data privacy rights. The Data Protection Act, however, specifically addresses this issue. This Act also establishes a Data Protection Commission[14] that is mandated to among other things investigate complaints, monitor compliance, and enforce provisions of the Data Protection Act.
The Electronic Transactions Act, 2008 (Act 772)[15] contains provisions on takedown notifications,[16] preservation of evidence by service providers,[17] disclosure of electronic content[18] and information,[19] false representation, [20] criminal negligence, [21] and unauthorised access.[22] Also, the Cybersecurity Act 2020 (Act 1038)[23]has provisions prohibiting sexual extortion,[24] non-consensual sharing of intimate images,[25] retention of content/data by service providers,[26] and unlawful access.[27]
Legal Mechanisms for Enforcement of Rights Violations in Context of Privacy and Online Safety
At the African Regional Level, Article 25 of the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention)[28] mandates member state parties to adopt such legislative and/or regulatory measures by considering as substantive criminal offences acts which affect the confidentiality, integrity, availability, and survival of information and communication technology systems, the data they process, and the underlying network infrastructure, as well as effective procedural measures to pursue and prosecute offenders. Article 27 (2) therein further mandates member state parties to adopt such measures they deem necessary in order to establish appropriate institutions to combat cyber-crime, ensure monitoring and a response to incidents and alerts, national, and cross-border coordination of cyber security problems, as well as global cooperation. Article 29 (2) of the Convention further requires member state parties to take necessary legislative and/or regulatory measures to provide for penal criminal consequences for data protection violations and related offences.
In Kenya, the Office of the Data Commissioner is charged with the mandate of overseeing the implementation of the Data Protection Act, to receive and investigate any complaint by any person on infringements of the rights under the Act and promote international cooperation in matters relating to data protection. It also ensures the country’s compliance on data protection obligations under international conventions and agreements, among other functions. In the case of Republic vs Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology & 2 Others[29], the High Court affirmed the jurisdiction of the Data Commissioner to hear and determine complaints of breaches of the Data Protection Act.
The Computer Misuse and Cyber Crimes Act of Kenya creates various offences like identity theft and cyber harassment punishable by a fine of 20 million Kenyan Shillings or to imprisonment for 10 years or both. This provisions was challenged as unconstitutional in the case of Bloggers Association of Kenya (BAKE) vs Attorney General and 3 Others, Petition No. 206 of 2019[30] where the petitioner argued that the section is similar to section 29 of the Kenyan Information and Communication Act which was declared unconstitutional in the case of Geoffrey Andare vs Attorney General and Others and that it criminalizes speech on grounds that have no proximate relationship to the grounds in Article 33 (2) of the Constitution of Kenya. The court held that the petitioner failed to establish that the creation of the offence of cyber harassment was not necessary as no other legal provision existed within the criminal justice system that could adequately cater for that offence. Further, the court held that the creation of the said offence was necessary and justified and the section is concerned with conduct of harassment.[31]
Section 37 creates the offence of wrongful distribution of obscene or intimate images of another person which is punishable by a fine of 200,000 Kenya Shillings or imprisonment for 2 years, or both. The Kenyan court held in the case of Bloggers Association of Kenya (BAKE) vs Attorney General and 3 Others, Petition No. 206 of 2019[32] that Section 37 of the Computer Misuse and Cyber Crimes Act was constitutionally valid. In the case, the definition and lack of clarity around the words ‘obscene’ or ‘intimate’ were discussed. The court held that the offence created under this section was not new as it existed under the Kenyan Penal Code as the distribution of obscene images had always been criminalized conduct. Additionally, the only novel aspect of the section was the use of telecommunication network or other means of transferring data to a computer.[33] The section has been applied in subsequent cases for example in Republic vs Ahmed, Criminal Appeal E010 of 2021 [2022]KEHC 10590 (KLR)[34], where the respondent was convicted of the offence of wrongful distribution of obscene or intimate images whereby he had taken photos of the complainant without her consent and authority.
In the case of Law Society of Kenya vs Bloggers Association of Kenya and 6 Others, Civil Application No 102 of 2020[35], the Kenyan Court of Appeal declined to suspend the implementation of various sections of the Computer Misuse and Cyber Crimes Act including the above-highlighted sections 27, 29 and 37. The appellants argued that there was an imminent threat for bloggers, journalists, and whistle-blowers to be arrested, prosecuted, convicted, and jailed for publishing information including anonymous reports on violations of Covid-19 protocols that had been imposed by the Kenyan Government. The Court dismissed the assertions and held that they were premised on futuristic, presumptuous events which might or might not happen. The said events, according to the court, were prospective anticipatory circumstances rather than immediate.
Other developments on case law in Kenya include court sanction on publication of images by journalists for instance in the case of Kamande vs Nation Media Group (Constitutional Petition E004 of 2021[36]. In this case, the High Court ruled on a petition in which the Petitioner claimed a breach of her right to privacy, among other rights, as a result of the publication of her images in various newspaper publications by the Respondent without her consent. The Court ruled in favour of the Petitioner and found that the Petitioner’s right to privacy under Article 31 and Sections 26 and 29 of the Data Protection Act had been breached.
There is currently no case law on online safety for journalists or judgements on the right to privacy for journalists. Currently, the case of Abraham Meareg and Others vs Meta Platforms Inc, and Others, Nairobi High Court Petition No. E541 of 2022, is pending, in which the petitioners seek various declarations and compensation, alleging that Meta, through its platforms and the algorithms used therein, contributed to the loss of lives, displacement of families, vilification of individuals, and destruction of communities as a result of inciteful content posted in the platforms arising from the Tigrayan conflict in Ethiopia.
In Nigeria, a journalist who has been the victim of online identity theft or impersonation can seek redress under the Nigerian civil and criminal justice system in Nigeria. Section 484 of the Criminal Code Act Cap C.38 LFN 2004 (the “Criminal Code”) criminalises impersonation generally and provides that any person who, with intent to defraud any person, falsely impersonates another person living or dead, is guilty of an offence and liable to imprisonment for three years. If the offender impersonates a person who is entitled by will or by law to any specific property and commits the offence in order to obtain such property or possession thereof, he is liable to imprisonment for fourteen years.
In addition, section 22 of the Cybercrimes Act deals with online identity theft or impersonation, including fraudulent or dishonest use of another person’s electronic signature, password or other unique identification feature, or the fraudulent impersonation of another entity or person living or dead with intent to benefit oneself or another person.
A victim of doxing can seek redress under Nigerian the civil and criminal court system. Section 24 (2) (a) (i) of the Cybercrimes Act describes and criminalises various kinds of cyberstalking and makes it an offence liable to imprisonment for a term of 10 years and/or a minimum fine of N25,000,000.00.
With regards to defamation, Section 375 of the Criminal Code of Nigeria criminalises and imposes penalties for defamation in Nigeria. Furthermore, section 376 of the Criminal Code provides that a person who publishes, or threatens to publish, offers to abstain from publishing, or offers to prevent the publication of defamatory matter with intent to extort is liable to imprisonment for seven years.
Section 26 of the Cybercrimes Act criminalises the dissemination of material to the public, through a computer system or network, which denies, approves or justifies acts constituting crimes against persons based on gender. It provides that a person who engages in such conduct shall be liable on conviction to imprisonment for a term not exceeding 5 years or a fine not exceeding N10,000,000.00 or both such fine and imprisonment.
A journalist who has suffered harm or offences arising from or related to a breach of privacy or confidence can seek redress within the civil and criminal court system. The journalist also has the option of reporting a breach of one’s privacy rights to the Nigeria Data Protection Commission (NDPC) for redress. The NDPC will investigate and make the compliance or enforcement order against such person as it deems appropriate. Among the remedies include:
(i) In the case of a Data Controller or Data Processor of Major Importance dealing with more than 10,000 Data Subjects – a monetary fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of N10,000,000.00 (ten million Naira), whichever is greater.
(ii) In the case of a Data Controller or Data Processor not of Major Importance Where a Data Controller deals with less than 10,000 Data Subjects – a fine of 21% of the Annual Gross Revenue of the preceding year or the sum of N2,000,000.00 (two million Naira), whichever is greater.
In addition, the rights to privacy and dignity of the human person are guaranteed as fundamental rights in the Constitution of the Federal Republic of Nigeria 1999 (as amended) and a journalist who suffers a breach of one’s fundamental right to privacy can approach a court of competent jurisdiction to seek relief in accordance with the Fundamental Rights (Enforcement Procedure) Rules 2009 which lays down the procedure for the determination of claims involving the breach of fundamental human rights.
In Uganda, offences against the media and the press can be redressed through the courts under Article 50 and 137 of the Constitution of Uganda. One can also seek redress from the Uganda media council which is mandated to mediate disputes between the public and the media as well as the State and the media.[37] It also lodges complaints to the National Information Technology Authority of Uganda under section 31 of the Data Protection and Privacy Act 2019.
Cases that have been litigated in the context of privacy and media freedom among others issues, include the case of Charles Onyango Obbo & Andrew Mujuni Mwenda v Attorney General Constitutional Appeal No.2 of 2002.[38] In this case, the Court observed that the enjoyment or limitation of the right to freedom of speech and expression and freedom of the press should not go beyond what is acceptable and demonstrably justifiable in a free and democratic society.
In the case of Uganda v Lomoe Nakoupuet Criminal Case No. 109 of 2016,[39] the Court invoked Article 5(a) of the Convention on the Elimination of all forms of Discrimination Against Women (CEDAW). This imposes a duty upon government to modify customs and eliminate stereotypes that promote discrimination against women.
In Andrew Karamagi and Another vs Attorney General[40] the Court held that freedom of expression is a fundamental right protected under the Constitution of the Republic of Uganda.
In regard to provisions for protection against online offences, see:
- Articles 21, 24, 29, 50, 137 (1) and (3) of the 1995 Uganda Constitution as amended.
- Sections 1(1), (2), 3, 4, and 6 of the Human Rights (Enforcement Act) 2019.
- Section 3 of the Human Rights (Enforcement) Act 2019.[41]
- Section 5 of the Regulation of Interception of Communications Act 2010.
- Section 31 of the Electronic Transactions Act 2011.
- Section 31 of the Data Protection and Privacy Act 2019.
- Regulations 41 of the Data Protection and Privacy Regulations 2021.
- Part (ii) of the Judicature (Fundamental and Other Human Rights and Freedoms) (Enforcement Procedure) Rules 2019.
In Ghana, depending on the particular circumstances, a victim of online harm may seek either judicial or administrative remedies. Judicial remedies involve pursuing reliefs through the ordinary courts. Here, the victim can either file a civil claim, or enlist the appropriate authorities (usually the police) to initiate criminal proceedings against the offender. Pursuing administrative remedies involve seeking the intervention of an administrative body that has jurisdiction over the matter, such as the Data Protection Commission, or the Cyber Security Authority.
A person intending to commence a civil action in court must first have a cause of action which may emanate either from common law (for example defamation), or from statute (for example compensation for failure to comply with the Data Protection Act).[42] Success in a civil action may end in the payment of damages for the harm or injury suffered, and in deserving cases, the court may grant an injunction against the defendant to restrain them from engaging further in the prohibited activity. Civil actions can be initiated against private individuals, corporate bodies, and the state.[43]
Victims of online harm may also pursue criminal prosecution and in some instances, victims have the option to seek remedies under administrative law. In the context of online privacy and security, the Data Protection Commission has the authority under the Data Protection Act to investigate and take remedial action on matters concerning data privacy and security.[44] The Cyber Security Authority is also mandated to regulate cyber security activities in Ghana.[45] One may seek the assistance of these entities by lodging a complaint through their official channels.
Depending on the damage, a victim has the right to apply for compensation or an interim injunction in court as part of a civil action. An action for defamation can be used, for example, to remedy damage to a person’s reputation on the Internet.[46] The tort of passing off is applicable, for instance, where a person falsely misrepresents themselves as a known journalist or their associate, and acts in a manner that causes harm to the goodwill or reputation of that journalist. An action for breach of confidence may lie where a person to whom confidential information has been given, discloses or uses that information without authorisation. An action for breach of privacy may also be initiated where there has been a breach of the privacy of a person’s property, correspondence or communication.[47] It is also possible to make a claim for compensation under section 43 of the Data Protection Act, against a platform, where a breach of its obligations causes a person damages or distress. These civil reliefs may be applied to remedy malicious conduct online.
Other criminal provisions that may be applied to remedy errant conduct online include: online identity theft and impersonation are contrary to provisions on stealing[48] and personation;[49] doxing may be prosecuted based on provisions that prohibit the disclosure of personal data,[50] the sale of personal data,[51] the disclosure of communication,[52] and the disclosure of personal information;[53] and provisions also exist for sexual extortion, [54] non-consensual sharing of intimate images,[55] and threats to distribute prohibited intimate image or visual recording.[56]
Beyond the judiciary, there are also administrative mechanisms. For example, victims have the right to ask the Data Protection Commission to make an assessment as to whether the processing of data is in compliance with the Data Protection Act. If the Commission finds that this is not the case, it is authorised to issue an Information Notice (a notice informing the recipient of a breach of the law), and a notice to cease the breach.[57] Non-compliance with the Information Notice is a criminal offence punishable by a fine or imprisonment.[58] The Data Protection Commission is also empowered to issue Enforcement Notices against offending platforms that are in breach of the Act.[59] Non-compliance with the Enforcement Notice is a criminal offence punishable by a fine or imprisonment.[60] Again, the Data Protection Commission has the power to order the rectification, blocking, erasure or destruction of a victim’s personal data if it is inaccurate.[61] It is thus open to a victim to invoke the powers of the Commission.
In summary, the criminal justice system appears to be the common route in addressing privacy and online issues, with the countries have criminalized most of this conduct. The trend also emphasizes the availability of civil remedies, whereby damages and compensation can be awarded alongside injunctions and declaratory orders.
Read or download the full factsheet here:
Disclaimer
This factsheet was designed by Arnold Ochieng Oginga and contributing law firms in collaboration with the TrustLaw. Media Defence assumes no responsibility or liability for any errors or omissions in the context of this site.
Authors and Contributing Law Firms
Arnold Ochieng Oginga
BNM Advocates, Uganda lead by Brendah N. Mpanga
Udo Udoma & Belo-Osagie Advocates, Nigeria lead by Itorobong Udom and Ozofu Ogiemudia
Renaissance Law Chambers, Ghana lead by Ismael Andani Abdulai
TrustLaw
TrustLaw is the Thomson Reuters Foundation’s global pro bono legal service. They connect high-impact NGOs and social enterprises working to create social and environmental change together with law firms and corporate legal teams, to provide them with free legal assistance.
[1] The African Union Convention on Cyber Security and Personal Data Protection available at https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf.
[2] Article 8 of the Convention outlines the objectives of the Convention with respect to personal data to include each state committing itself to establishing a legal framework aimed at strengthening fundamental rights and public freedoms, particularly the protection of physical data, and punish any violations of privacy without prejudice to the principle of free flow of personal data.
[3] Article 31 of the Constitution of Kenya, 2010 provides that every person has the right to privacy, which includes the right not to have –
- Their person, home or property searched;
- Their possession seized;
- Information relating to their family or private affairs unnecessarily required or revealed; or
- The privacy of their communication infringed. Available at http://kenyalaw.org/lex/actview.xql?actid=Const2010.
[4] Data Protection Act, 2019 available at http://kenyalaw.org:8181/exist/kenyalex/actview.xql?actid=No.%2024%20of%202019#:~:text=to%20provide%20data%20subjects%20with,in%20accordance%20with%20this%20Act.&text=not%20established%20or%20ordinarily%20resident,data%20subjects%20located%20in%20Kenya.
[5] https://uubo.org/wp-content/uploads/2023/06/Constitution-of-the-Federal-Republic-of-Nigeria-upto-4th-Alterations.pdf).
[6] 5568201f4.pdf (refworld.org).
[7] CyberCrime_ProhibitionPreventionetc_Act_2015.pdf (lawpadi.com).
[8] Freedom of Information Act (cbn.gov.ng).
[10] Article 27 of the Constitution of the Republic of Uganda, 1995.
[11] Ibid. Article 29.
[12] Available at https://www.dataprotection.org.gh/media/attachments/2021/11/05/data-protection-act-2012-act-843.pdf
[13]Available at https://www.constituteproject.org/constitution/Ghana_1996.pdf
[14] Website of Ghana’s Data Protection Commission https://www.dataprotection.org.gh/
[15] Available at https://eoco.gov.gh/wp-content/uploads/2019/07/Electronic_Transactions_Act_no_772_2008.pdf
[16] Section 94 Electronic Transactions Act, 2008 (Act 772)
[17] Section 100 Electronic Transactions Act, 2008 (Act 772)
[18] Section 101 Electronic Transactions Act, 2008 (Act 772)
[19] Section 102 Electronic Transactions Act, 2008 (Act 772)
[20] Section 109 Electronic Transactions Act, 2008 (Act 772)
[21] Section 117 Electronic Transactions Act, 2008 (Act 772)
[22] Section 124 Electronic Transactions Act, 2008 (Act 772)
[23] Available at https://csa.gov.gh/resources/cybersecurity_Act_2020(Act_1038).pdf
[24] Section 66 Cyber security Act, 2020 (Act 1038)
[25] Sections 67 and 68 Cybersecurity Act, 2020 (Act 1038)
[26] Section 77 Cybersecurity Act, 2020 (Act 1038)
[27] Section 94 Cybersecurity Act, 2020 (Act 1038)
[28] The African Union Convention on Cyber Security and Personal Data Protection available at https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf.
[29] Republic vs Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology & 2 Others; (Judicial Review Application E1138 Of 2020) [2021] Kehc 122 (KLR) (Judicial Review) (14 October 2021) (Judgment), available at http://kenyalaw.org/caselaw/cases/view/220495/.
[30] Bloggers Association of Kenya (BAKE) vs Attorney General and 3 Others, Petition No. 206 of 2019, available at http://kenyalaw.org/caselaw/cases/view/191276/.
[31] Ibid para 74.
[32] Bloggers Association of Kenya (BAKE) vs Attorney General and 3 Others, Petition No. 206 of 2019, available at http://kenyalaw.org/caselaw/cases/view/191276/.
[33] Ibid. para 86.
[34] Republic vs Ahmed, Criminal Appeal E010 of 2021 [2022]KEHC 10590 (KLR), available at http://kenyalaw.org/caselaw/cases/view/236511.
[35] Law Society of Kenya vs Bloggers Association of Kenya and 6 Others, Civil Application No 102 of 2020, available at http://kenyalaw.org/caselaw/cases/view/199748/.
[36]Kamande v Nation Media Group (Constitutional Petition E004 of 2021) [2022] KEHC 16017 (KLR) 1 DEC; 2022) available at http://kenyalaw.org/caselaw/cases/view/247105/.
[37] Press and Journalist Act – ULII section 9.
[38] Charles Onyango Obbo and Anor v Attorney General (Constitutional Appeal No. 2 of 2002) [2004] UGSC 81 (10 February 2004) – ULII.
[39] Uganda v Nakoupuet (Criminal Case 109 of 2016) [2019] UGHCCRD 14 (25 January 2019) – ULII.
[40] Karamagi and Another v Attorney General (Constitutional Petition No. 5 of 2016) [2023] UGCC 2 (10 January 2023) – ULII ( assessed 3rd of June 2023 at 12:51).
[41] Human Rights (Enforcement) Act, 2019 – ULII.
[42] Section 43 Data Protection Act, 2012 (Act 843)
[43] Article 293 1992 Constitution of the Republic of Ghana
[44] Section 3 Data Protection Act, 2012 (Act 843)
[45] Section 4 Cybersecurity Act, 2020 (Act 1038)
[46] Ace Anan Ankomah v Kevin Ekow Baidoo Taylor & Loud Silence Media Suit no GJ/1692/2019
[47] Article 18(2) Constitution of the Republic of Ghana
[48] Relevant provisions: Section 124 Criminal Offences Act, 1960 (Act 29); Sections 107, 123 and 108 Electronic Transactions Act, 2008 (Act 772)
[49] Relevant provisions: Section 134 Criminal Offences Act, 1960 (Act 29); Sections 109 and 123 Electronic Transactions Act, 2008 (Act 772)
[50] Section 88 Data Protection Act, 2012 (Act 843)
[51] Section 89 Data Protection Act, 2012 (Act 843)
[52] Section 79(a) Electronic Communications Act of Ghana, 2008 (Act 775)
[53] Section 79(b) Electronic Communications Act of Ghana, 2008 (Act 775)
[54] Section 66 Cybersecurity Act, 2020 (Act 1038)
[55] Section 67 Cybersecurity Act, 2020 (Act 1038)
[56] Section 68 Cybersecurity Act, 2020 (Act 1038)
[57] Section 77 Data Protection Act, 2012 (Act 843)
[58] Section 80(1) Data Protection Act, 2012 (Act 843)
[59] Section 75 Data Protection Act, 2012 (Act 843)
[60] Section 80(1) Data Protection Act, 2012 (Act 843)
[61] Section 44(1) Data Protection Act, 2012 (Act 843)