A Human Rights-Based Approach to Data

As the lives people live in the digital age are increasingly enjoyed online, the role of the internet becomes more pressing for human dignity. In the past, for people to eat, they had to physically go to the shops. In today’s world, you simply order a meal online via applications which take your personal information on registration and refresh your memory when you want to make an order. But how safe is data in the hands of the social media, tech or telecommunications companies? This article looks generally at data protection in Africa. 

From the initial point of registration for getting a sim card or joining an online platform, it is critical to figure out who holds the power of information.  Apart from all the data that is collected by online platforms, in places like Kenya and Zimbabwe mobile money is what sustains economic livelihoods, and telecommunications companies collect large amounts of data from clients who expect that their information is secure. 

Data breaches have been witnessed in countries across the globe. A report on the top 15 biggest data breaches of the 21st century lists platforms like Canva, Equifax, and LinkedIn, all of whom have had data breaches in the past seven years. Complaints have been made against Google and other tech companies. Data breaches happen without the consent of data subjects, and in violation of their privacy.   

While national constitutions prescribe that governments have a duty to protect human rights, business entities have increasingly been part of the threat to privacy. In the absence of domestic laws that secure personal data, violations of privacy remain unchecked.  In some instances, companies have been weaponized by states through disclosure of the troves of information they keep on data subjects. 

But over the past seven years, there has also been steady growth in the development of guidelines for data protection, necessitated by the need to place safeguards on how the private sector utilises the data it collects in a manner that respects human rights. 

South Africa’s Information Regulator, for example, recently called for Facebook to seek consent when making use of information collected from the Whatsapp messaging platform, in a bid to protect the privacy of many users.

The European General Data Protection Regulation (GDPR) came into effect on 25 May 2018 to harmonise data protection laws in Europe. It sets out that protection of the processing of personal data is a fundamental right, echoing article 8(1) of the Charter of Fundamental Rights of the European Union and article 16(1) of the treaty on the functioning of the European Union that everyone has the right to protection of personal data concerning himself or herself.

The GDPR has set the tone for data protection in Africa, given that most private companies collecting data in Africa are affiliated to Europe, hence falling within the ambit of the regulation. The GDPR promotes the need for informed consent when the data subject has their information collected, and private companies who breach privacy run the risk of being fined, which acts as a safeguard. 

While this is progressive, a more substantial remedy would be found in homegrown regional frameworks. With its slow pace in ratifying the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention), Africa is lagging behind.

Though the treaty, which lays a foundation for data protection in Africa, was adopted in June 2014 – before the GDPR – it needs to be ratified by 15 countries before it can come into force; though it has, in the meantime, inspired data protection laws within some African countries.

The common thread between the GDPR and the Malabo Convention is a human-rights-based approach to handling data. Like the GDPR, the Malabo Convention also provides for the punishment of any violations. Basic principles laid out include the principle of consent and legitimacy as well as the principle of transparency of personal data processing. 

Both the GDPR and the Malabo Convention articulate that a data subject has the right to be ‘forgotten’ on a particular platform and to object to the processing of their personal data in certain ways. 

As digital citizenry grows, so too does the risk to privacy and, most pertinently, the need for the protection of personal data. In ensuring adequate data protection in Africa, the following measures must be taken:

• There is a need for responsible data handling that ensures transparency from private companies on how they process data. As laid out in the Responsible Data community’s Responsible Data Principles, just because data can be used in a certain way does not mean it should be. Private companies must be guided by policies that ensure consent is sought for the processing of information collected.
• States that have not ratified the Malabo Convention must do so, to bring it into operation.
• States without data protection laws must enact them and provide deterrent penalties and guidelines to guard against data breaches. 

In Africa, it is critical that data protection is prioritised both by states and by private companies. The Malabo Convention is a comprehensive treaty which needs to be ratified, domesticated and relied upon to regulate the use of personal data by private companies in Africa: a homegrown solution is readily accessible.