Yellow banner with pen and letters

Digital rights in Africa: A brief national overview

Across Africa, the growing uptake of digital technologies has led to calls for adequate legal frameworks to ensure the protection of privacy and personal data. Governments have accelerated the adoption of data protection laws, but differences between such laws create a complex and unharmonised framework. But the challenges the continent faces when it comes to human rights in the digital space are not only related to (the development of) legal frameworks.

Read full report Stronger digital voices from Africa: Building African digital foreign policy and diplomacy.

Africareport_cover_EN.png

Laws and policies: Focus on privacy and data protection

Accelerated digital transformation processes and increasing cross-border trade within and beyond the African continent call for strengthened and harmonised legal frameworks to ensure adequate protection of data and privacy. Civil society organisations, for example, are concerned that a lack of such frameworks encourages extensive data mining and extraction of data for business without consideration for the human rights impacts. 

Some governments share similar concerns: In its National Digital Master Plan, Kenya notes that one data-protection-related concern in need to be addressed is the mining of data by ‘specific multinationals’.

Over the last few years, the drafting and coming into effect of data protection laws has been accelerated across Africa (Figure 31). A few examples include:

  • Algeria: Law on the Protection of Natural Persons in the Processing of Personal Data, 2018
  • Egypt: Personal Data Protection Law, 2020
  • Kenya: Data Protection Act, 2019
  • Namibia: Working on a draft for 2022
  • Nigeria: Nigerian Data Protection Regulation, 2019 
  • Rwanda: Law No. 058/2021 Relating to the Protection of Personal Data and Privacy, 2021
  • South Africa: Protection of Personal Information Act, 2013 

Data protection laws in Kenya, Rwanda, and South Africa share some of the elements of the European Union’s General Data Protection Regulation (GDPR). In particular, they adopt the extraterritorial approach. This means that entities outside of the country that handle citizens’ data are subject to the law. Data protection frameworks of Benin, Cabo Verde, and Uganda also have extraterritorial provisions, and this appears to be the case for Egypt too.1Rich, C. J. (2022, January 11). Africa and the Near East: The region’s privacy landscape facing rapid and dramatic changes. Morrison and Foerster. It is also noteworthy that Kenya, Rwanda, and Zambia are among the countries with certain data localisation requirements.2Rich, C. J. (2022, January 11). Africa and the Near East: The region’s privacy landscape facing rapid and dramatic changes. Morrison and Foerster.

Figure 31. Data protection and privacy legislation (December 2021).3Based on United Nations Conference on Trade and Development [UNCTAD]. (2021). Data protection and privacy legislation worldwide.

Despite these significant and fast-paced developments, some challenges remain. While more African countries are adopting data protection laws, enforcement of the law is a substantial task for the years to come. Where laws exist, there are sometimes significant differences in rules, and so far, only some provisions for mutual recognition of data laws. In addition, there is still no harmonised mechanism being consistently implemented to support human-rights-centric cross-border data flows, an issue that puts African states at risk of exporting their data outside the continent without necessary protections. Kenya acknowledges, for instance, that there are issues with data-sharing agreements concluded with countries: ‘There is a provision for the data being processed, but no enforcement mechanism to ensure that data meant to remain local remains local’ (Digital Master Plan). The African Union Data Policy Framework might help address some of these harmonisation challenges and empower countries to benefit from data-driven economies while ensuring adequate levels of data protection.

One illustrative example of harmonisation challenges relates to the low rate of adoption of the Malabo Convention (see Figure 38 in this cybersecurity section). Some countries acknowledge the shortcoming: Nigeria, for example, notes the importance of adopting the convention in its National Digital Economy Policy and Strategy.  

Objectives related to the protection of human rights appear sporadically in some digital-related policies and strategies adopted at national level by some of the eight focus countries. Kenya’s Digital Master Plan has data protection (and cybersecurity management) as one of its cross-cutting themes. In addition to including several mentions of privacy (e.g. enacting effective legislation on privacy), the National ICT Policy notes that ‘the government will seek to promote the right of the use of social media as an extension of the protection of freedom of expression’. It also highlights a series of commitments the government is making with a view to ensuring that persons with disabilities can benefit from digital products and services. 

Nigeria’s Digital Economy Policy and Strategy acknowledges the need to strengthen the regulatory instruments that govern data protection and privacy. South Africa’s ICT and Digital Economy Master Plan tackles briefly the need to ensure privacy and data protection/security in the context of the digital economy. Namibia’s Overarching ICT Policy notes that to ensure a proper regulation for the ‘interface between technology and rights to privacy’, the collection and protection of data will comply with international standards. 

Cote d’Ivoire highlights, in its National Digital Development Strategy, the need to strengthen the implementation of national legislation on data protection and the plan to develop a strategy on data protection aimed at contributing to a safer cyberspace. The strategy also notes that the country has very little participation in international processes dealing with matters of personal data protection. Senegal’s Digital Senegal Strategy outlines as a priority the updating of legal frameworks on various digital issues, data protection being one of them. 

State of internet freedoms

Beyond issues related to developing and implementing privacy and data protection legislation, there are also challenges across the continent when it comes to broader internet/digital freedoms. This is illustrated by Freedom House’s Freedom on the Net report, which assesses the level of internet freedom by focusing on obstacles to internet access, limits on content (e.g. filtering, blocking, other forms of censorship), and violations of user rights (e.g. legal protections and restrictions on freedom of expression; surveillance and privacy; repercussions for online speech and activities).

For 2022, the report covered 17 African countries; among these, South Africa is the only one ranked as free. Partially free are Kenya, Ghana, Tunisia, Angola, Malawi, Nigeria, Zambia, Gambia, Morocco, Uganda, Libya, and Zimbabwe. Rwanda, Sudan, Ethiopia, and Egypt are ranked as not free (Figure 32).4Freedom House. (2022). Freedom on the Net 2022. Looking at the change in the internet freedom score from 2021 to 2022, we see an improvement for Egypt, Uganda, Kenya, and Zimbabwe, but a decline for several other countries such as Nigeria, Rwanda, and Sudan.5Freedom House. (2022). Change in internet freedom score.

Figure 32. Internet freedom status in Africa.6Based on Freedom House. (2022). Internet freedom status. Figure redrawn.

Consistent with Freedom House’s findings, a Quartz report published in May 2022 indicates that between 2017 and 2022, citizens in almost half of African countries experienced some form of government-imposed internet restrictions (Figure 33).7Ngila, F. (2022, May 13). These are the African countries that censor the internet the most. Quartz Africa. Such restrictions come with economic implications. To illustrate, data collected by Top10VPN indicates that, in 2021 alone, internet shutdowns8Internet restrictions/shutdowns accounted for in the cited reports include complete internet blackouts, social media shutdowns, and severe throttling measures (e.g. speeds are reduced to the extent that they only allow SMS and voice calls only). across 11 African countries affected 171 million users and amounted to an overall cost of US$1.93 billion.9Woodhams, S. & Migliano, S. (2022, January 4). Government internet shutdowns cost $5.5 billion in 2021. Top10VPN.

Figure 33. African countries that have experienced forms of internet shutdowns between 2017 and 2022.10Based on Ngila, F. (2022, May 13). These are the African countries that censor the internet the most. Quartz Africa. Figure redrawn.

Using digital tech for surveillance

The capabilities of states to use digital technology for surveillance are increasing. The AI Global Surveillance (AIGS) Index, produced in 2019 by the Carnegie Endowment for International Peace11Feldstein, S. (2019). The Global Expansion of AI Surveillance. Carnegie Endowment for International Peace. and updated in 2022,12Feldstein, S. (2022). AI & Big Data Global Surveillance Index (2022 updated). Carnegie Endowment for International Peace. gives an overview of the use of AI and big data surveillance tools (including smart city sensors, facial recognition, and smart policing) by state authorities in 179 countries around the world.

Eighteen African countries are included in the 2022 AIGS Index: Algeria, Angola, Botswana, Cameroon, Côte d’Ivoire, Egypt, Ghana, Kenya, Madagascar, Mauritius, Morocco, Namibia, Nigeria, South Africa, Tunisia, Uganda, Zambia, and Zimbabwe. The Index cannot differentiate between legitimate and illegitimate use of AI tools for surveillance by the state. So, the fact that these countries are listed on the AIGS Index does not indicate illegitimate use. Rather, as the author stresses, it shows ‘how new surveillance capabilities are transforming the ability of governments to monitor and track individuals or groups’.13Feldstein, S. (2022). AI & Big Data Global Surveillance Index (2022 updated). Carnegie Endowment for International Peace.

The AIGS Index distinguishes between technology supplied by companies in China, the USA, and other countries. With the exception of Namibia (where a local company is used), the technology is supplied by Chinese companies only (in 14 countries) or Chinese and US/UK companies (in 3 countries).