UNESCO’s research published in 2022 found that 73% of women experienced online violence. It is documented that women journalists are often threatened with issues such as doxing, which in turn impacts their ability to exercise their freedom of expression.[1] For the purpose of this factsheet, platform liability denotes the mechanisms by which various states hold persons and online platform owners to account where there have been instances of misuse and abuse of online platforms. Such misuse may take various forms including, but not limited to, cyber bullying, doxing and identity theft. This factsheet aims to provide a brief overview of the regional and national standards applicable specifically to web platform liability and accountability, using the examples of Kenya, Uganda, Nigeria, and Ghana.

In Kenya, online platforms are registered as either Data Controllers[2] or Data Processors[3]. Under section 43 of the Data Protection Act[4], the law imposes a duty on all registered data controllers and data processors to notify the Data Commissioner where personal data[5] has been accessed or acquired by an unauthorised person and there is a real risk of harm to a data subject whose personal data has been subjected to the unauthorised access. The notification is to be made without delay, within seventy-two hours of becoming aware of such breach, and the breach is equally to be communicated to the affected data subject in writing within a reasonably practical period of time.

In Nigeria, Section 37 of the 1999 Constitution of the Federal Republic of Nigeria guarantees and protects the privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications. Platforms have the legal duty to remove posts or content that are harmful or a result of a breach of privacy. Failure of the platform to remove the harmful content may lead to an action for Fundamental Rights enforcement in court.

Paragraph 12 of the Nigerian Communications Commission’s Guidelines for the Provision of Internet Services requires platforms to establish a procedure for receiving and promptly responding to content-related complaints, including any notice to withdraw or disable access to identified content issued by the Commission or other legal authority.

To prevent data breaches and address online harm to online users, Section 39 of the Nigeria Data Protection Act requires data controllers to implement appropriate technical and organisational measures to ensure the security, integrity, and confidentiality of personal data in their possession, including protection against accidental or unlawful destruction, loss, misuse, alteration, and unauthorized disclosure or access. These measures include pseudonymization or de-identification of personal data, encryption of personal data, or periodic assessment of risks. The Act requires data controllers to report the breach to the Nigeria Data Protection Commission (“NDPC”) within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals.

In Ghana, there is no general legal requirement for platforms to monitor content. According to Section 95(1) of the Electronic Transactions Act, 2008, intermediaries are not required to monitor user-generated content to ascertain whether such content amounts to a crime or will incur civil liability. This provision does not apply, however, where the intermediary has an obligation to monitor content because of a directive given by a court or competent state agency[6] or an obligation arising out of a contract.[7] Thus, unless the platform in question has an existing legal obligation to monitor content, which has not been fulfilled, it is not mandated to monitor content.

Web platforms however have an obligation to respond promptly to harm that comes to their notice. A platform will not be held liable for harmful content it hosts as long as:

(1) the platform does not actually know that a third party’s rights are being infringed;[8]

(2) the infringing nature of the content is not apparent or cannot be reasonably inferred;[9]

(3) the platform acts expeditiously to remove the content when it receives a take-down notification;[10] and

(4) the platform has provided an address, or an agent, to receive notifications of infringement.[11]

A platform that complies with these requirements will not be held liable for any harmful content it hosts.

Web platforms also have an obligation to remove links to infringing content. They are also required to notify victims and the Data Protection Commission of any data or security breaches.[12] This notification must be made as soon as is reasonably practical,[13] and immediate steps must be taken to restore the integrity of the system.[14]

Legal Mechanisms to Pursue Legal Recourse against a Platform that does not Remove Offensive Content in Response to a Request for Removal

At the African regional level, Article 29 (4) of the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention)[15] obligates state parties to take necessary legislative and/or regulatory measures to ensure that digital evidence in criminal cases is admissible to establish offences under national criminal law. This is provided that such evidence has been presented during proceedings and discussed before the judge, that the person from whom it originates can be duly identified, and that it has been made out and retained in a manner capable of assuring its legality. In addition, Article 31 (3) requires State Parties to take the necessary legislative measures to ensure that in cases where the data contained in a computer system or in a medium on which computerised data may be stored in the territory of a State Party are useful for establishing the truth, the court seised may conduct a search to access all or part of the computer system through another computer system if the said data are accessible from or available to the original system. It also provides that State Parties shall require a service provider, within its technical capabilities, to collect and record data using technical facilities available in its territory or in the territory of a Contracting State or to provide assistance and support to the competent authorities in the collection and recording of the said electronic data.

In Kenya, Section 27 of the Computer Misuse and Cyber Crimes Act[16] grants any person the right to apply to court for an order compelling a service provider, i.e. a web platform, to provide all subscriber data in its possession for the purpose of identifying a person whose conduct is complained of. Furthermore, other mechanisms exist under Sections 47 and 51 of the Computer Misuse and Cyber Crimes Act under the investigative powers of the police and authorities, which include the remedy to apply to the court for an order for search and seizure, preservation, and supply of any data stored in any computer system or data storage medium or by means of a computer system that may be relevant in the prosecution of offences relating to computer usage and cyber-crimes.

In Nigeria, a victim may institute a civil action in court against the platform seeking redress and specific reliefs, including but not limited to an injunction to take down the offensive content, and an order for damages or injunction against publication. The victims may request the web platform to provide proof of the content they were targeted with. This can be done by making an application for discovery to the Court for an order directing the platform to disclose on oath the documents in its possession. Failure to make the discovery when ordered by the Court in Nigeria amounts to contempt of Court, and the defaulting person may be liable to committal.

Section 46 (5) of the NDPA provides that where any material to which an investigation relates consists of information stored in any document, record, minutes, mechanical or electronic device, the NDPC may require the person named to produce such material or give access to the NDPC to conduct an inspection.

In Ghana, an individual may initiate a civil action in court seeking damages, and an order of injunction to remove the offending content or pursue criminal proceedings. The Cyber Security Authority can seek a court order authorising service providers to remove offensive content.[17] If the platform fails to comply, it is liable to pay an administrative penalty.[18] If non-compliance continues for more than one month, the platform can be fined, and its directors may be imprisoned.[19]

Law enforcement authorities can request platforms to preserve records and other evidence in their possession, pending the issue of a court order.[20] Platforms are however not obliged to continue preserving the evidence if a court order is not procured within 14 days of the written request.[21] They can also seek an order requiring platforms to disclose content that is in transit, held, maintained or has been in electronic storage;[22] or that relates to the user of a platform.[23] An aggrieved subscriber or customer of the platform can apply to a court to vacate any order obtained by law enforcement agents,[24] and if successful, any evidence obtained solely on the basis of the order is inadmissible as evidence in court or administrative proceedings.[25]

A court is authorised to summon any person to testify or to present evidence in its custody.[26] Anyone who fails to comply with the summons commits an offence punishable by a fine or imprisonment.[27] However, a party to civil proceedings[28] or a person being prosecuted under criminal law[29] cannot be compelled to testify or produce evidence.

The legal ‘Right to be Forgotten’ primarily denotes the right to have one’s data and information deleted and removed. The circumstances for the exercise of this right may vary depending on the context and the applicable law, for instance where a law demands the publication of a list of sexual offenders while a convicted sexual offender may want their details deleted from that particular list.

At the African regional level, Article 13 of the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention)[30] provides for the principle of purpose, relevance, and storage of processed personal data, to the effect that data shall be kept for no longer than it is necessary for the purposes for which the data were collected or further processed. Principle 4 states that the data collected must be accurate and, where necessary, kept up to date, and every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified. Article 19 elaborates on the foregoing principles by providing for the right of rectification or erasure to the effect that any natural person may demand that the data controller rectify, complete, update, block, or erase, as the case may be, the personal data concerning oneself where such data are inaccurate, incomplete, equivocal, or out of date, or whose collection, use, disclosure, or storage are prohibited.

In Kenya, there is no express law that provides for the ‘Right to be Forgotten’. The laws focus on the deletion and erasure of records or misleading information. Article 35 of the Constitution of Kenya, 2010[31] provides for this right. Additionally, Section 34 (1) of the Data Protection Act imposes restrictions on the processing of personal data, at the request of a data subject, while Section 40 provides for the right of rectification and erasure. It stipulates that a data subject may request a data controller or data processor to rectify without undue delay personal data in its possession or under its control that is inaccurate, outdated, incomplete, or misleading; or to erase or destroy without undue delay personal data that the data controller or data processor is no longer authorised to retain, or that is irrelevant, excessive or obtained unlawfully.

In Nigeria, Section 34 (1) (c) of the NDPA provides that a data subject has the right to request a data controller to delete the data subject’s personal data that is inaccurate, out-of-date, incomplete or misleading. The Act also provides that data subjects have a right to request data controllers to erase any personal data of the data subject without undue delay. Under section 34(2), data controllers shall erase personal data without undue delay where: personal data is no longer necessary in relation to the purposes for which it was collected or processed; and the data controller has no other lawful basis to retain personal data.

In Uganda, the law does not define expressly what amounts to a legal right to be forgotten. However, the Data Privacy and Protection Act 2019[32] provides that a data subject may, at any time by notice in writing to a data controller or data processor, require the data controller or data processor to stop processing personal data which causes or is likely to cause unwarranted substantial damage or distress to the data subject. It further provides[33] that a data subject may, in writing, request a data controller to correct, destroy or delete a record of personal data concerning the data subject which are in the controller’s possession or control and which are inaccurate, irrelevant, excessive, outdated, incomplete, misleading or unlawfully obtained, or the processing or further processing of which is incompatible with the purpose for which the personal data were collected.

In Ghana, although there is no specific reference to a ‘right to be forgotten,’ under the Data Protection Act, a person can request a platform to delete their personal data if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.[34] They can also request a record of such personal data to be deleted if the platform no longer has the authorisation to retain it.[35] The statute does not specify the form in which the request must be made; it should thus be possible to do this by way of a written demand letter. Upon receiving the request, the platform is required to either comply with the request, or to provide credible evidence to support keeping the data.[36] It is also required to notify the person of the actions taken as a result of the request.[37] Where it complies with the request, the platform must notify persons to whom the data has been disclosed of its deletion.[38] Where the parties are unable to agree on the request for removal, the data subject has the right to request the platform to attach to the record an indication that a request for the data to be deleted has been made, but not complied with.[39] The Data Protection Commission is empowered to order a platform to comply with its request, if it is satisfied that the request is justified.[40] Thus, to the extent that search engines and directories hold the personal data of individuals, it is possible to use these provisions to request the removal of personal data.

What legal provisions can be applied to intermediaries and platforms with regard to data sharing and user accountability?

At the African regional level, Article 14 (6) of the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention)[41] outlines specific principles for the processing of sensitive data to include a prohibition on sharing and transfer of personal data to a non-member state of the African Union unless such a State ensures an adequate level of protection of the privacy, freedoms, and fundamental rights of persons whose data are being or are likely to be processed. Furthermore, under the Convention, such sharing and transfer to a third country must be done after the approval and authorization for such transfer from the national data protection authority.

In Kenya, Section 48 of the Data Protection Act permits the sharing and transfer of personal data to another country where –

  1. The data controller or data processor has given proof to the Data Commissioner on the appropriate safeguards with respect to the security and protection of the personal data.
  2. The data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of personal data, and the appropriate safeguards including jurisdictions with commensurate data protection laws;

In general, pursuant to section 49 of the Data Protection Act of Kenya, the processing of sensitive personal data out of Kenya is to be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards.

In Nigeria, Section 29 of the Cybercrimes Prevention Act 2015 provides that any person or organisation who, as a computer-based service provider and/or vendor, fraudulently and by virtue of his position as a service provider, forges consumer security codes used illegally to gain financial or material advantage or to offer the consumer less value for his services is guilty of an offence and liable to a fine of N5,000,000.00 (five million Naira) and forfeiture of the equivalent of the monetary value of the loss suffered by the customer. On the other hand, Section 44 of the Nigeria Data Protection Act empowers the Nigeria Data Protection Commission (“NDPC”) to investigate all complaints made by data subjects. The NDPC may issue warnings and cease and desist orders in the course of such investigations. It is also authorised to issue enforcement orders against data controllers or processors that violate the data protection rights of users of its platforms upon completion of its investigations.

In Uganda, Section 23 of the Data Privacy and Protection Act 2019 provides that where a data collector, processor or controller believes that personal data of a data subject has been accessed or acquired by an unauthorized person, the data collector, processor or controller shall immediately notify the National Information Technology Authority of the unauthorized access or acquisition and the remedial action.[42] The Data Protection and Privacy Act 2019 further provides that a data subject who believes that a data collector, data processor or data controller is infringing upon their rights or is in violation of the Data Protection Act may make a complaint to the National Information Technology Authority in writing.[43]

Disclaimer

This factsheet was designed by Arnold Ochieng Oginga and contributing law firms in collaboration with TrustLaw. Media Defence assumes no responsibility or liability for any errors or omissions in the context of this site.

Authors and Contributing Law Firms

Arnold Ochieng Oginga

BNM Advocates, Uganda led by Brendah N. Mpanga

Udo Udoma & Belo-Osagie Advocates, Nigeria led by Itorobong Udom and Ozofu Ogiemudia

Renaissance Law Chambers, Ghana led by Ismael Andani Abdulai

TrustLaw

TrustLaw is the Thomson Reuters Foundation’s global pro bono legal service. They connect high-impact NGOs and social enterprises working to create social and environmental change together with law firms and corporate legal teams, to provide them with free legal assistance.


[1] Julie Posetti, Nermine Aboulez, Kalina Bontcheva, Jackie Harrison, and Silvio Waisbord, ‘Online Violence Against Women Journalists: A Global Snapshot of Incidence and Impacts’, United Nations Educational, Scientific, and Cultural Organization, 2020, available at http://www.unesdoc.unesco.org/ark:/48223/PF0000375136 (accessed 23 January 2024).

[2] Section 2 of the Data Protection Act of Kenya defines a data controller as ‘a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing personal data’.

[3] Section 2 of the Data Protection Act of Kenya defines a data processor as ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller’.

[4] Data Protection Act, 2019 available at http://kenyalaw.org:8181/exist/kenyalex/actview.xql?actid=No.%2024%20of%202019#:~:text=to%20provide%20data%20subjects%20with,in%20accordance%20with%20this%20Act.&text=not%20established%20or%20ordinarily%20resident,data%20subjects%20located%20in%20Kenya.

[5] Section 2 of the Data Protection Act of Kenya defines personal data as ‘any information relating to an identified or identifiable natural person’.

[6] Section 95(2)(a) Electronic Transactions Act, 2008 (Act 772)

[7] Section 95(2)(b) Electronic Transactions Act, 2008 (Act 772)

[8] Section 92(1)(a) Electronic Transactions Act, 2008 (Act 772)

[9] Section 92(1)(b) Electronic Transactions Act, 2008 (Act 772)

[10] Section 92(1)(c) Electronic Transactions Act, 2008 (Act 772)

[11] Section 92(2) Electronic Transactions Act, 2008 (Act 772)

[12] Section 31(1) Data Protection Act, 2012 (Act 843)

[13] Section 31(2) Data Protection Act, 2012 (Act 843)

[14] Section 31(3) Data Protection Act, 2012 (Act 843)

[15] The African Union Convention on Cyber Security and Personal Data Protection available at https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf

[16] Computer Misuse and Cyber Crimes Act, No. 5 of 2018 available at http://kenyalaw.org/kl/fileadmin/pdfdownloads/Acts/ComputerMisuseandCybercrimesActNo5of2018.pdf

[17] Section 87(1) Cybersecurity Act, 2020 (Act 1038)

[18] Section 87(3) Cybersecurity Act, 2020 (Act 1038)

[19] Section 87(5) Cybersecurity Act, 2020 (Act 1038)  

[20] Section 100(1) Electronic Transactions Act, 2008 (Act 772)

[21] Section 100(2) Electronic Transactions Act, 2008 (Act 772)

[22] Section 101(1) Electronic Transactions Act, 2008 (Act 772)

[23] Section 102(2)(b) Electronic Transactions Act, 2008 (Act 772)

[24] Section 105 Electronic Transactions Act, 2008 (Act 772)

[25] Section 106 Electronic Transactions Act, 2008 (Act 772)

[26] Section 58 Courts Act, 1993 (Act 459)

[27] Section 61(1) Courts Act, 1993 (Act 459)

[28] John Dramani Mahama v Electoral Commission and Nana Addo Dankwa Akufo-Addo Suit No J1/5/ 2021

[29] Article 19(10) Constitution of the Republic of Ghana

[30] The African Union Convention on Cyber Security and Personal Data Protection available at https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf

[31] Constitution of Kenya, 2010 available at http://kenyalaw.org/lex/actview.xql?actid=Const2010

[32] Section 25 of the Data Privacy and Protection Act

[33] Sections 29 and 36

[34] Section 33(1)(a) Data Protection Act, 2012 (Act 843)

[35] Section 33(1)(b) Data Protection Act, 2012 (Act 843)

[36] Section 33(2) Data Protection Act, 2012 (Act 843)

[37] Section 33(5) Data Protection Act, 2012 (Act 843)

[38] Section 33(4) Data Protection Act, 2012 (Act 843)

[39] Section 33(3) Data Protection Act, 2012 (Act 843)

[40] Section 39(3) Data Protection Act, 2012 (Act 843)

[41] The African Union Convention on Cyber Security and Personal Data Protection available at https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf

[42] Regulation 33.

[43] Section 31.