Alex B. Makulilo, Editor
African Data Privacy Laws
Law, Governance and Technology Series
Volume 33
Series editors
Pompeu Casanovas
Institute of Law and Technology, UAB
Bellaterra, Barcelona
Spain
Giovanni Sartor
University of Bologna (Faculty of Law -CIRSFID) and European University
Institute of Florence
Bologna
Italy
The Law-Governance and Technology Series is intended to attract manuscripts
arising from an interdisciplinary approach in law, artificial intelligence and
information technologies. The idea is to bridge the gap between research in IT law
and IT applications for lawyers developing a unifying techno-legal perspective. The
series will welcome proposals that have a fairly specific focus on problems or
projects that will lead to innovative research charting the course for new
interdisciplinary developments in law, legal theory, and law and society research as
well as in computer technologies, artificial intelligence and cognitive sciences. In
broad strokes, manuscripts for this series may be mainly located in the fields of the
Internet law (data protection, intellectual property, Internet rights, etc.), Computational
models of the legal contents and legal reasoning, Legal Information Retrieval,
Electronic Data Discovery, Collaborative Tools (e.g. Online Dispute Resolution
platforms), Metadata and XML Technologies (for Semantic Web Services),
Technologies in Courtrooms and Judicial Offices (E-Court), Technologies for
Governments and Administrations (E-Government), Legal Multimedia, and Legal
Electronic Institutions (Multi-Agent Systems and Artificial Societies).
Part I Overview
1 The Context of Data Privacy in Africa
Alex B. Makulilo
Editor
Contributors
About the Editor and Contributors
regimes. She is also a lecturer at the Faculty of Law, Open University of Tanzania.
She has taught for 9 years. Boshe is also a practising advocate of the High Court of
Tanzania and a member of the Tanganyika Law Society (TLS) and Tanzania Women
Lawyers Association (TAWLA). She received her LL.M. in 2010, specialising in
ICT law. Her main career focus is on the privacy and data protection law, doing
research and teaching. In the subject of privacy and data protection, Boshe has published
several articles in the local and international peer-reviewed journals. Her publications
include critical analysis of selected reformed frameworks in Africa and
comparative textual analysis of the East African Data Protection Bill and Draft Bills
as well as general comments on data protection practices in Africa. She has also
published book reviews and other scholarly comments on ICT and privacy law.
Apart from her Ph.D., she is currently working on a collaborative book on African
subregional regulation of privacy and data protection.
Alex B. Makulilo
Abstract This chapter maps data privacy systems in Africa by providing insights
into the nature of the privacy concept in the African society generally, law reforms in
the continent and enforcement. The chapter is organised in six sections. The first
section provides an overview of the development of data privacy regulation as a
result of the rise of new technologies. The second provides the context of the African
society: its political history and culture. This section lays the foundation for Sect.
1.3 which deals with the notion of privacy in an African cultural context. Section 1.4
gives an overview of the international data privacy policies and their influence in the
development of privacy policies in Africa. The general state of national privacy laws
is presented in Sect. 1.5. Section 1.6 concludes the chapter.
1.1 Introduction
Privacy concerns have been with us at least since the ancient Greek civilisation.1
However, those concerns have gained new importance in modern societies following the
rise of the computer and development of information and communications technologies.
Big Data, the Cloud and the Internet of Things have recently fuelled these concerns
for privacy due to the size and amount of data that can be collected, the speed with
which such collection can be made, increased storage capacities for data especially in
the Cloud, increased possibilities of manipulation of our personal data as well as the
ease with which personal information can be shared across space and social media.
Since the 1950s and 1960s, when the computer was invented, to date, privacy has
been regarded as a preserve of Western societies partly because outside the Western
hemisphere there has been little or no preoccupation in the privacy field. Yet threats
to privacy do not restrict themselves only to the West, but as the technology is
spreading to almost every corner of the globe, so are the threats.2 The fundamental
1 See e.g., Arendt (1958), pp. 152–168.
2 Hongladarom (2016), p. 9.
A.B. Makulilo (*)
Faculty of Law, University of Bremen, Bremen, Germany
e-mail: alex.makulilo@uni-bremen.de
question which has always been asked by many commentators in the field of data
privacy law is how non-Western cultures deal with the issue of privacy in
terms of its conceptualisation as well as legal regulation. As rightly pointed out by
Nwauche, the right to privacy in Nigeria (which is also the case for the rest of
Africa) has not received adequate protection or elaboration in its definition,
philosophical basis or the key issues in the concept of privacy.3 The question posed
above is also relevant particularly considering the fact that although demands for
privacy have always been there even in primitive societies as Alan Westin maintains,4
privacy has always been culturally bound, and the level of its quest varies from one
culture to the other.5 These variations are due to a number of factors including the
economy, social factors, political factors as well as the level of use of technology by
individuals and institutions in a particular society.
This chapter maps data privacy systems in Africa by providing insights into the
nature of privacy concept in the African society generally, law reforms in the continent
and practices. The chapter is organised in six sections. The first section provides
an overview of the development of data privacy regulation as a result of the
rise of new technologies. The second provides the context of the African society: its
political history and culture. This section lays down foundation for Sect. 1.3 which
deals with the notion of privacy in an African cultural context. Section 1.4 gives an
overview of the international data privacy policies and their influence in the development
of privacy policies in Africa. The general state of national privacy laws is
presented in Sect. 1.5. Section 1.6 concludes the chapter.
Africa is the world’s second largest continent in terms of size and population after
Asia. Its total area covers about 11,677,239 square miles. Africa is made up of 54
independent states. As of June 2016, the population estimates of Africa were around
1.213 billion.6 The average growth rate of this population is approximately 2.25
per annum.7 However its settlement pattern is such that more Africans are still living
in rural areas than in urban centers. Only 39.8 % of the population is urban.8 It is
estimated that 60 % of African people will be living in cities by 2050.9 More than
14 African countries are expected to be at least 80 % urbanized by 2050.10 Although
3 Nwauche (2007), Vol. 1, No. 1, pp. 62–90, at p. 66.
4 Westin (1967).
5 Bezanson (1992), Vol. 80, No. 5, pp. 1133–1175, at p. 1137.
6 World meters http://www.worldometers.info/world-population/africa-population/ accessed 02.06.2016.
7 Ibid.
8 Ibid.
9 African Business (2011), Issue No. 381, pp. 17–24, at p. 18.
10 Ibid.
the reasons for this growth are a mixture of factors, the rural to urban migration
plays a significant role. Lack of employment, access to services and perceived
opportunities of cities are widely considered to encourage people to migrate from
rural areas to cities.11
Politically, African states, especially those found south of the Sahara, have a presidential
system of government. Under this system, the president is both the head of
the state and head of government. Politics in Africa is mainly based on a liberal multi-party
political system although not without constraints such as lack of impartial
electoral bodies as well as free and fair elections; strict controls on rights to demonstrate
and assemble; lack of truly independent judiciary; good governance; adherence
to rule of law; freedom of access of information; etc.12 Yet the current political
system can largely be explained in the context of European external influence which
started in the fifteenth century through the well-known slave trade13 rather than
internal dynamics.
The abolition of slave trade in the nineteenth century did not leave a vacuum. It
immediately saw the colonization of the African continent by European powers,
notably the British, Germans, French, Portuguese, Italians and Belgians. The colonization
process was preceded by the Berlin Conference of 1884–1885 which partitioned
Africa. The establishment of the colonial state and its instruments that
immediately came after the Berlin Conference had far reaching impacts on indigenous
forms of governance. Chief among them was the destruction of indigenous
tribal leadership. Whenever the latter was tolerated to stay intact, strategies to integrate
it into the colonial system were made. This is because the colonial rule had its
target goals, namely production of raw materials for industries located in Europe,
mobilization of labour force for the plantations and mines and creation of a market to
consume manufactured goods from Europe. Concomitantly, allowing the indigenous
tribal rule to exist side-by-side with the colonial rule without any subjugation into
the latter would have defeated the very objectives of colonialism. It was not therefore
by accident that Lord Lugard, for example, introduced on behalf of the British
colonial administration in Africa the so called ‘indirect rule’, i.e. colonial rule
through the disguise of tribal rulers, while, slightly differently, the French used the local chiefs
and rulers as their agents.14
11 Ibid, p. 19.
12 For detailed discussion of the efficacy or otherwise of the current political system in Africa see generally Makulilo (2008); Gentili (2005).
13 Historians generally agree that Africa came into first contacts with Europe in the fifteenth century through Atlantic slave trade also known as ‘Triangular Slave Trade’ because of its behavioural pattern starting from Africa where slaves were sourced, proceeding to America where such slaves had to offer intensive labour force in mines and plantations owned by Europeans, then to Europe where farm and mineral products from America were finally shipped for industrial processing; and from Europe back to Africa where manufactured goods were dumped into Africa as market.
14 For details about the British ‘Indirect Rule’ see e.g. Crowder (1964), Vol. 34, No. 3, pp. 197–205.
15 See e.g., Andrew (2004), Vol. 4, No. 2, pp. 143–166; Sinjela (1998), Vol. 23, No. 60, pp. 23–29, at p. 23.
16 See e.g., Prempeh (2007), Vol. 5, pp. 469–506, at p. 474; Wing (1992), Vol. 11, No. 2, pp. 295–380, at p. 308.
17 Paul (1988), Vol. 7, No. 1, pp. 1–34, at p. 14.
18 Sinjela (n 15).
19 Ibid.
20 The Editors of the Spark (1965), p. 39.
21 The collapse of Soviet power led to the withdrawal of military support to a variety of Soviet client states such as Angola. Moreover the end of Cold War reduced the geographical significance of Africa in Western eyes, because there was no longer any communist enemy to confront. Thus, western economic support for repressive anti-communist regimes lessened as well, see Wing (n16), p. 309.
Fund (IMF), World Bank (WB) and European donor communities in their efforts to
reform the devastated economies. By the 1980s the latter imposed on Africa ‘structural
adjustment programs’ commonly known as SAPs. As part of the conditions to access
reliefs under SAPs, African states were required to liberalize their political systems
by allowing multi-party political system, democratic elections, exercise of individual
rights, good governance, rule of law, accountability, etc. In short, SAPs practically
required African states to return to most of the features of their independence
constitutions. To achieve this, African states quickly adopted either completely new
constitutions or just amended the existing ones by incorporating the liberal constitutional
principles. SAPs widened the space under which internal dynamics (poor
living standards, legitimacy crisis, etc.) would operate to mount internal pressure on
the African regimes to adopt changes.
As pointed out, Africa’s adoption of liberal constitutions on independence and in
the 1980s had been pre-conditioned by foreign pressures. As a result, and in practical
terms, such constitutions have been derailed by many African leaders. This, to some
extent, explains why the executive in Africa is still very strong and not fully accountable
to the people. It also explains the current election problems; lack of respect for
the rule of law; interference with the judiciary; weak legislatures; weak opposition
parties; problems of transparency and respect for human rights generally and basic
rights and freedom of individuals. Notwithstanding, the liberal constitutions have
had progressive gains in improving the political systems and life in Africa. For
example, courts have so far produced a corpus of important rulings protecting civil
and political liberties and limiting governmental powers.22 At least there are now
regular elections after every 4–5 years in many African countries. These elections
are reinforced by the rise of a new era of presidential term limits.23 There is also the
ascendance of fearless and strong private media and civil societies.24 In some countries
such as South Africa and Mauritius governments are largely made accountable
to the electorates through legislatures. Moreover some countries are moving towards
the fourth generation of constitution making (after the independence constitutions;
military/single party constitutions 1960s–1980s and liberal constitutions
1980s–1990s) with the view of increasingly curbing the executive powers and making
the legislatures and judiciary discharge efficiently their traditional roles. This is
the case with Kenya which only adopted its new constitution in 2010. Other countries
such as Tanzania are currently undertaking constitutional review for purposes
of overhauling the existing constitution enacted in 1977 but which has been amended
from time to time. Zimbabwe has similarly adopted a new constitution in 2013.25
Economically Africa has evolved through pre-colonial, colonial, post-independent/neo
colonial and now global economies. In pre-colonial times Africa’s
economy was largely subsistence. Small scale agriculture and livestock keeping
were the permanent feature. Family was the main unit of labour force. Pastoralism
22 Prempeh (n16), p. 502.
23 Ibid, p. 487.
24 Ibid, pp. 488–489.
25 Constitution of Zimbabwe Amendment (No. 20) Act, 2013.
was practiced in arid and semi-arid areas. The Maasai of the East African Valley and
grassland plateau, the Fulani of Western Sudan, the Khoi Khoi of the Cape Region
in South Africa, the Herero of Namibia, the Tswana of Botswana, the Galla and the
Somali of the semi-desert regions of the Horn of Africa provide typical examples of
pastoralist societies in Africa.26 Mining, industry and trade were present but limited.
Technology was low and the iron technology which was invented in the first millennium
A.D was used to make working tools in some societies only.27 Starting from
the fifteenth century the African pre-colonial economies became incorporated into
the world capitalist economy through the mercantile capitalism which saw the
beginning of the Atlantic Slave Trade, then colonialism, neo-colonialism and now
globalization.28
Despite the above incorporation, which might have positively transformed Africa,
that has not been the case. The external links affected Africa adversely. Africa’s
economy is still characterized as pre-industrial or simply agrarian with little export
trade. The national per capita income is relatively very low.29 Agriculture forms the
largest sector of its economy but it faces many challenges due to lack of technology,
viable industries, drought conditions, capital and research. Together Africa
accounts for less than 2 % of the global trade.30 The industrial and mineral sectors
as well as tourism have yet to be fully realized although the continent is rich in these
natural resources.
In the period following independence the state in African countries was in total
control of the economy. The private sector was very weak. However, with SAPs, which
came about in the 1980s, strict terms were imposed on African states by the IMF, World
Bank and Africa’s lenders and creditors of the last resort, as a condition for providing
interim relief, to liberalize and deregulate their economies and structure their
public administrations; privatize the loss-making state enterprises, remove price
controls and subsidies for the social services, and trim bloated public payrolls.31 The
economic liberalization has resulted in significant growth of the private sector in
present day Africa. It has also changed the pattern of ownership. The latter in turn
has led to the individual ownership of property.
Technologically Africa has come a long way. Walter Rodney asserts that in the
fifteenth century when Africa first came in contact with Europe, the latter’s technological
development was not superior to that of Africa and the rest of the world
generally.32 Yet he notes that there were certain specific features that were highly
26 Tanzania Institute of Education (2002), pp. 16–17.
27 Ibid, p. 18.
28 See e.g., Henriot, http://sedosmission.org/old/eng/global.html accessed 08.06.2016; Olutayo and Omobawale (2007), Vol. 32, No. 2, pp. 97–112, at pp. 100–106.
29 See e.g., World Bank (2014), http://databank.worldbank.org/data/download/GNIPC.pdf accessed 08.06.2016.
30 Arieff et al. (2010), p. 8, http://www.fas.org/sgp/crs/row/R40778.pdf accessed 08.06.2016.
31 Prempeh (n16), p. 483.
32 Rodney (1972), p. 103.
advantageous to Europe such as shipping industry and (to a lesser extent) guns.33
According to this historian Africa had strength in the cloth industry and irrigation
technology (e.g. North Africa particularly Egypt).34 However, through the Atlantic
slave trade, which saw the decline of Africa’s skilled labour force, and colonialism,
Africa lost its technological grip. Under colonialism Africa remained the exporter
of raw materials as well as importer of manufactured goods from Europe. This
explains why, for example, the African cotton cloth industry declined as a result of
competition from imported manufactured cotton cloth which was cheap and of
high quality.35 Accordingly this remarkable reversal is tied to technological advance
in Europe and to stagnation of technology in Africa owing to the very trade with
Europe.36 Yet while Europe has its share in Africa’s ‘technological arrest’,
African nationalist elites after independence fueled the regression. This is mainly
because immediately after independence most African countries, purporting to completely
detach from European influence and with a view to stimulating industrialization
in the newly independent states, banned imports from Europe.37 While it was thought
this could have boosted local technological development and industries, the same
failed to produce such effect. Instead such protectionist policies greatly constrained
Africa’s ability to participate in international trade.38 As a result technologically the
continent has remained backward compared to the rest of the world, particularly
Europe and America. However two caveats need to be made. First, when a society
for whatever reason finds itself technologically trailing behind others, it catches up
not so much by independent inventions but by borrowing.39 Japan is widely cited as
an example of a country which effectively borrowed technology from Europe and
became capitalist.40 Yet this could not happen in Africa despite centuries of contact
with Europe because of the nature of the relationship between the two continents
which operated in disfavor of the former.41 The second caveat, partly linked to the
first, is that technology transfer should be distinguished from transplantation.
Whereas in the former case the demand for European technology would have come
from inside Africa with the willingness of both sides,42 the latter involves the imposition
of such technology from Europe to Africa. As a result customization of such
technology to suit the local needs has been difficult. Undoubtedly this second caveat
has contributed to Africa’s resistance to embracing imported technology.
However Africa’s technological breakthrough in the formal sense started with
the lifting of protectionist policies in 1980s–1990s following SAPs. Through trade
33 Ibid.
34 Ibid, pp. 41 and 103.
35 Ibid, pp. 103–104.
36 Ibid, p. 104.
37 Martin (2001), pp. 1–35, at p. 8.
38 Ibid.
39 Rodney (n32), p. 106.
40 Ibid.
41 Ibid.
42 Ibid.
43 See e.g., Molla (2000), Vol. 9, No. 3 & 4, pp. 205–221.
44 International Telecommunication Union (2009), http://www.itu.int/dms_pub/itu-d/opb/ind/D-IND-RPM.AF-2009-PDF-E.pdf accessed 08.06.2016.
45 Ibid.
46 Ibid.
47 Ibid.
48 Ibid.
49 See e.g. Alemna and Sam (2006) Vol. 22, No. 4, pp. 236–241; Fuchs and Horak (2008), Vol. 25, No. 2, pp. 99–116.
50 See e.g., Kasusse (2005), Vol. 37, No. 3, pp. 147–158, at p. 157; Gebremichael and Jackson (2006), Vol. 23, No. 2, pp. 267–280, at p. 272.
51 See e.g., Ezedike (2005), Vol. 8, No. 1, pp. 59–64, at p. 61.
52 Ubuntu has been defined differently by scholars. However to put it in simple terms, the concept Ubuntu refers to African philosophy which emphasises collectivist human relationship and assistance in everyday life. In Ubuntu, an individual is subjected under communal considerations. The concept is well developed in South African scholarship though it has its reflection in other African societies.
53 Olinger et al. (2007), Vol. 39, No. 1, pp. 31–43, at pp. 34–35.
expression: ‘I am because we are, and since we are therefore I am’.54 Yet although
Ubuntu philosophy has its roots in South Africa it has been popularized as
representing the African worldview.55 Some scholars have regarded it only as the
most recent manifestation of the notion of an African humanism, similar to earlier
notions such as Pan-Africanism, Ujamaa (i.e. the special type of socialism in
Tanzania) or negritude56 especially after the collapse of the latter. They have therefore
dismissed Ubuntu as a post-colonial ‘Utopia’ invention and/or a ‘prophetic’
illusion crafted by the African political elites in the age of globalization.57
The dominant discourse by African and non-African scholars claims that Africans
have only been collectivists. Yet individualism and an individualistic life style could/can
still be identified in pre-colonial African societies and the subsequent periods.
This point is well articulated by Professor Olufemi Taiwo who posits:
Africans and non-Africans alike believe that African societies are essentially communalistic
and are fundamentally reluctant to pollute these waters with an introduction of the bad
philosophy of individualism. This is a misplaced identification. It ignores the fact that what
needs to be accounted for when we investigate social forms are what type of individualism
can be found in various societies, what indigenous nodes of individualist transformations
are there to be isolated, and how those nodes were affected by colonialism. What is at issue
is not whether there were forms of individualism in any but the most primitive societies but
what kind of individualism there is and what role it plays in social ordering. In addition a
blanket condemnation of individualism reinforces a reluctance to identify its presence in
African societies, past and present. I abjure such a blanket condemnation. While this is not
the place to consider the many sides of individualism, I must insist that its introduction into
African societies by the apostles of modernity and its evolution in indigenous societies following
upon their own internal dynamics deserve serious scholarly attention that does not
preclude condemnation of its deleterious consequences if there have been such.58
Taiwo and Ezedike’s views are reiterated by Kigongo. The latter holds that in
African traditional society social cohesion was dominant over individuality; unlike
54 Mbiti (1969), p. 144.
55 See e.g., McDonald (2010), Vol. 37, No. 124, pp. 139–152, at pp. 141–142.
56 See e.g., McAllister (2009), Vol. 6, No. 1, pp. 1–10, at p. 2.
57 Nabudere (2008), pp. 1–20, at p. 1, http://www.grandslacs.net/doc/3621.pdf accessed 08.06.2016.
58 Taiwo (2010), p. 85.
59 Ezedike (n51).
60 Kigongo (1992), pp. 59–68, at p. 59.
61 Gyekye (1988), pp. 31–32.
62 Senghor (1966), Vol. 16, No. 1, pp. 1–18.
63 Achebe (1966), pp. 123–125.
64 Wa Thiong’o (2007).
65 Okigbo (1956), Vol. 305, pp. 125–133, at pp. 132–133.
66 Ntibagirirwa (2001), pp. 65–81, at p. 65.
67 Ibid, p. 70.
In the Nigerian context Omobowale observes that since the incorporation of the
Nigerian economy into the world capitalist system, the indigenous social structure
has been fundamentally restructured with the youth being immensely immersed in
Western cultures.71 Empirical studies carried out in different parts of Africa confirm
the above observations. Suffice it here to mention four of them.
The first study, Individualism versus Community in Africa? The Case of
Botswana,72 was carried out in Botswana to answer the following question: How is
it possible that two deeply-rooted values in some African societies – the people’s
sense of individualism and their sense of community – have persisted through time
when they seem to work against each other?73 This study was carried out in the
context of collective and private government-sponsored farming projects in rural
areas. The study found that it is not that the African value of individualism undermines
the chances of success for government-sponsored group efforts, or that the
African value of community hampers the successful operation of government-initiated
efforts to promote private enterprises.74 Rather what works against these
endeavors in many rural areas is that they involve taking risks, when the cultural
context in which they are meant to operate, both at the individual and societal levels,
has been profoundly averse to taking such risks.75
68 Ibid, p. 65.
69 Ibid, p. 74.
70 See, Kimani (1998), p. 1; see also, Edwards and Whiting (eds) (2004); Sindima (1990), Vol. 21, No. 2, pp. 190–209.
71 Omobowale (2006), Vol. 16, No. 2, pp. 85–95, at pp. 85 and 90.
72 Roe (1988), Vol. 26, No. 2, pp. 347–350.
73 Ibid, p. 347.
74 Ibid, p. 349.
75 Ibid.
The second study was carried out in Kenya: Individualism versus Collectivism:
A Comparison of Kenyan and American Self-Concepts.76 This study involved two
levels of comparison of self-concepts in relation to culture. The first level was a
comparison between Kenya and America in which case it was found that conceptions
of the self among the pastoral nomads in Kenya are more collective and less individualized
than Western or American self-concepts.77 This first level confirmed the
researchers’ hypothesis as it was expected. The second level of comparison involved
the various groups and communities within Kenya. As compared to Kenyans living
in rural areas especially the Maasai, the study found that factors of urbanization,
development, modernization and Western education influenced the self-concepts of
Kenyans living in Nairobi (the capital city of Kenya) and resulted in a decreased
level of collectivism.78
The third empirical study was carried out in Swaziland under the title: The
Indigenous Rights of Personality with Particular Reference to the Swazi in the
Kingdom of Swaziland.79 This research found among other things that the rural areas
of Swaziland have never remained static.80 Instead, considerable pressure has been
exerted on traditional Swazi structures by large agri-business, medical and educational
missionaries leading to modernization and transformation of traditional rural
populations.81 More specifically, industrialization and urbanization with the accompanying
labour migration have eroded the ties of kinship with the result that women
alone have been obliged to rear families, with modern Swazi households lacking the
establishing influence of a patriarchal head.82 Accordingly the foundation and social
cohesion upon which the family and kinship ties were based had collapsed.
The fourth study illustrating the diminishing value of collectivism in Africa was
carried out in Malawi.83 This study is interesting as it specifically investigated the
existence of Ubuntu in Malawi’s political system. It was found by this study that the
dictatorial regime of the then President Kamuzu Banda, associated with massive corruption,
violation of individuals’ rights, embezzlement of public resources, torture,
political killings, mysterious deaths, etc., denied the regime any Ubuntu
standards.84
Under globalization African culture of collectivism has to a large extent given
way to Western individualism. Maduagwu argues that the present-day extreme individualism
of the West, the outcome of centuries of laissez-faire capitalism, is being
transmitted across the world as the final stage of world civilization to which all
76 Thomas and Schoeneman (1997), Vol. 19, No. 2, pp. 261–273.
77 Ibid, p. 269.
78 Ibid.
79 Ferraro (1980), p. 3.
80 Ibid.
81 Ibid.
82 Ibid.
83 Tambulasi and Kayuni (2005), Vol. 14, No. 2, pp. 147–161.
84 Ibid, p. 149.
85 Maduagwu (2000), pp. 213–224, at p. 216.
86 Ibid, pp. 213–214.
87 Thomas and Schoeneman (n76), at p. 269; see also, Newell (2008), Vol. 44, No. 1, pp. 15–27.
88 See e.g., Kimani (n70); Ferraro (n79).
89 Lassiter (2000), Vol. 3, No. 3, pp. 1–21, at p. 5.
90 Kamwangamalu (1999), Vol. 13, No. 2, pp. 24–41, at p. 27.
colonies after independence. It is for these reasons that data privacy commentators have
held that even though African countries shortly after independence partly or fully
adopted the legal system of their former colonial powers which was based on the
individual, in practice, the dominance of the collective spirit probably even exceeds
the boundaries set by that legal system.91 This view, when considered in the context
of the notion of privacy, simply means that legal documents surrounding the regulation
of privacy in Africa developed in isolation from pre-existing societal values.
However societies are never static. The strong social bonding that held African
societies in collectives in the last century is disintegrating due to the globalisation
process. In the urban areas and large cities, societal bonding has fallen apart, so that
individuals no longer rely on inter-dependence. In rural areas in Africa, where
there are still some forms of collectivism, changes are also occurring due to the
diminishing rural–urban divide. Modern technologies, which are part
and parcel of globalisation, have played and continue to play a significant role in
the transformation of African societies. However despite their benefits such technologies
have raised concerns for privacy in a number of ways. Thus the emerging privacy
policies and regulations are now very crucial in Africa.
Despite the emerging data privacy policies on the continent, there is as yet no philosophical conception of the term privacy in the African context. African scholarship has struggled in vain to conceptualise privacy in the African cultural context. Bakibinga has made a fruitless call that ‘privacy has to be defined in a way that is acceptable to the Ugandan society given the emphasis on communalism versus individual rights.’92 She recommends that one way to start seeking such a definition would be to commission studies to obtain perceptions of privacy within Ugandan society.93 However, Bakibinga recognises that although in Africa the community comes first, privacy will still be an important concern as the information technology revolution advances.94
The only attempt made so far to define privacy in Africa, though reference to an individual remains as central as in Western culture, is that of Professor Neethling. His theory states that ‘privacy is an individual condition of life characterised by exclusion from publicity. This condition includes all those personal facts which the person himself at the relevant time determines to be excluded from the knowledge of outsiders and in respect of which he evidences a will for privacy.’95 Neethling’s definition of privacy does not depart from a class of definitions known as information control theory, propounded by Westin. It is also close to another class of definitions known as non-interference theory, demonstrated by the ‘right to be let alone’ in the seminal article of Samuel Warren and Louis Brandeis.96 Critically viewed
91 Gutwirth (2002), pp. 24–25.
92 Bakibinga (2004), pp. 1–13, at p. 12.
93 Ibid, p. 13.
94 EPIC Alert (2005) Vol. 11, No. 24, http://www.epic.org/alert/EPIC_Alert_11.24.html accessed 28.02.2016.
95 Neethling (2005), Vol. 122, No. 1, pp. 18–28, at p. 19.
96 Warren and Brandeis (1890), Vol. 4, No. 5, pp. 193–195.
97 Roos (2003), pp. 554–560.
98 [1996] 3 SA 262 (A) 271.
99 See e.g., De Hert and Schreuders (2001). See also, Bygrave (2001), Vol. 24, No. 1, pp. 277–283.
100 See, e.g., Bygrave (1998), Vol. 6, No. 3, pp. 247–284, at pp. 283–284; see also, Ulyashyna (2006); De Hert and Gutwirth (2009), pp. 344.
101 Bygrave (2014), p. 1.
102 Ibid.
Political Rights 1966 (ICCPR). Other international human rights instruments that
specifically recognize privacy as a right include Article 14 of the United Nations
Convention on Migrant Workers 1990, and Article 16 of the United Nations
Convention on Protection of the Child 1989.
Privacy protection in the international human rights agreements provides the normative basis for data protection laws. The earliest formal international instruments which lay down frameworks for data privacy protection are the Organization for Economic Cooperation and Development’s Guidelines Governing the Protection of Privacy 1980 (i.e. the OECD Privacy Guidelines) and the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data 1981 of the Council of Europe. The rules within these two documents form the core of the data protection laws of many countries. The key privacy principles incorporated in these instruments require that personal data must be obtained fairly and lawfully; used only for the original specified purpose; adequate, relevant and not excessive to purpose; accurate and up to date; and destroyed after its purpose is completed. They also require establishment of a supervisory authority to enforce the data protection principles. It is important to note that Convention 108 of the Council of Europe concerning the protection of personal data is open to accession by non-European countries. So far from Africa, Mauritius and Senegal have acceded to the Council of Europe Convention 108 on data protection and its Additional Protocol. Similarly, Morocco, Tunisia and Cape Verde have been invited by the Council of Europe to accede to these instruments.
In the 1990s two new important privacy policies were adopted. These were the United Nations Guidelines for the Regulation of Computerized Personal Data Files 1990 and the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (i.e. EU Directive 95/46/EC). The Data Protection Directive sets a benchmark for national law which harmonizes law throughout the European Union.103 Of all the privacy policies mentioned, the EU Data Protection Directive is the most influential in the privacy law reforms in non-EU countries. Its influence is exerted by its Article 25, which imposes an obligation on EU member States to ensure that personal information relating to European citizens is covered by law when it is exported to, and processed in, countries outside Europe. This requirement has resulted in growing pressure outside Europe for the passage of privacy laws.104 Those countries which refuse to adopt meaningful privacy law may find themselves unable to conduct certain types of information flows with Europe, particularly if they involve sensitive data.105 As far as the African countries are concerned, in most cases securing better chances for off-shoring business from Europe is a major reason why African countries have adopted or plan to adopt comprehensive data protection laws.
103 The EU has recently adopted the General Data Protection Regulation (GDPR) 2016 to replace the EU Directive. The GDPR will come into operation on 25 May 2018.
104 Global Internet Liberty Campaign, Privacy and Human Rights: An International Survey of Privacy Laws and Practice, http://gilc.org/privacy/survey/intro.html accessed 27.02.2016.
105 Ibid.
At the regional level, the African Union (AU) adopted on 27 June 2014 the AU Convention on Cybersecurity and Personal Data Protection 2014. This Convention covers three main issues: electronic transactions, personal data protection and cybercrimes. The part that covers data protection, i.e. Chapter II (Articles 8–23) of the Cybersecurity Convention, is similar to the EU Directive 95/46/EC. However, this Convention has not yet come into force. It is noteworthy that the AU Cybersecurity Convention was preceded by other initiatives to protect privacy in Africa. These include the Supplementary Act A/SA.1/01/10 on Personal Data Protection for the Economic Community of West African States (ECOWAS) as well as the Data Protection Model Law 2012 for the Southern African Development Community (SADC). It is also important to mention the EAC Legal Framework for Cyber Laws 2008 (Phase I) adopted in 2010 for the East African Community (EAC) states. In contrast to the ECOWAS Act and SADC Model Law, the EAC Frameworks are only recommendations for the member states to adopt data privacy legislation in compliance with the international data privacy standards. Another data privacy policy initiative that preceded the AU Cybersecurity Convention is the Francophone Binding Corporate Rules (BCR) 2013 on cross-border transfer of personal data among French speaking countries (including French speaking countries in Africa). The Francophone BCR is at least one of the old lines of colonial influence in the data privacy reform in Africa. Bygrave has noted similar efforts by the French Data Protection Authority (with its French acronym CNIL) to provide technical expertise and perhaps financial support to cultivate data privacy in the former French colonies of north-west Africa.106 There are also traces of Portuguese inspiration for the laws enacted in former Portuguese colonies (Angola, Cape Verde)107 and recently such influences are notable in the third former Portuguese colony of Mozambique.
Moreover, the so-called old lines of colonial influence are accentuated by the existence of the two major legal systems in Africa, namely the common law and civil law legal systems, which are Western in origin. These systems, which were introduced by the French and British during colonial rule in Africa, create fertile ground for the adaptability of European law. For example, in many former British colonies in Africa, common law, doctrines of equity and statutes of general application in the United Kingdom are still the sources of municipal law.108 It is noteworthy that the attitude of viewing the civil and common law legal systems as colonial has diminished significantly as more customisation continues to take place.
To sum up this section, three points can be made. First, so far the EU Directive 95/46/EC is the most influential privacy policy in privacy reform in Africa. It influenced individual countries in Africa to adopt comprehensive data protection legislation and subsequently the regional and sub-regional data privacy policies and codes
Bygrave (n 102), p. 106.
107
Ibid.
108
See e.g., Tanzanian Judicature and Application of Laws Act, Cap.358 R.E 2002, s. 2 (3).
Data privacy laws are not indigenous to any African nation. They originated from Western nations. In Africa privacy is protected in most national constitutions. However, being framed as a broad right, it has not been well enforced. There is little case law based on the constitutional right to privacy on the continent. In the former Portuguese colonies in Africa (Angola, Cape Verde and Mozambique) privacy is, over and above this, protected in constitutions as habeas data, similar to the protection offered to individuals in many Latin American countries. Habeas data provides individuals with the possibility of a legal action for access to public databases for the purpose, as necessary, of updating, correcting, removing, or reserving information about the individual concerned. So far there is little case law developed around the habeas data provision and it is not clearly known how this right is exercised in practice.
Apart from constitutions, privacy is protected in sectoral legislation as well as in general law such as civil codes. Most often the protection in such legislation is focused on principles of secrecy and confidentiality. It was not until the 2000s that comprehensive data protection laws started to develop in Africa. Cape Verde, a former Portuguese colony, was the first nation in Africa to adopt comprehensive data privacy legislation. As of now in Africa there are 18 countries out of 54 which have implemented omnibus data protection legislation. These include Angola, Benin, Burkina Faso, Cape Verde, Gabon, Ghana, Ivory Coast, Lesotho, Mali, Madagascar, Mauritius, Morocco, Sao Thome and Principe, Senegal, Seychelles, South Africa, and Tunisia. It is important to note that Zimbabwe has data protection legislation which covers only the public sector. Despite the adoption of data privacy legislation in Africa, in many instances such laws have yet to be properly enforced. This is because in some countries data protection commissions have not yet been appointed or the law is not yet in force. Even where the commissioner has been appointed, enforcement has sometimes been problematic.
109 Makulilo (2013), Vol. 3, No. 1, pp. 42–50.
1.6 Conclusion
References
Achebe C (1966), Things Fall Apart, East African Educational Publishers, Nairobi/Kampala/Dar
es Salaam, 1966.
African Business (2011), Urbanisation for Better or for Worse, Issue No. 381, pp. 17–24.
Alemna AA and Sam J (2006), Critical Issues in Information and Communication Technologies
for Rural Development in Ghana, Information Development, 22(4):236–241.
Andrew H (2004), The “Westminster Model” Constitution Overseas: Transplantation, Adaptation
and Development in Commonwealth States, Oxford University Commonwealth Law Journal,
4(2): 43–166.
Arendt H (1958) The Human Condition, 2nd ed., Chicago: The University of Chicago Press.
Arieff A et al. (2010), The Global Economic Crisis: Impact on Sub-Saharan Africa and Global
Policy Responses, CRS Report for Congress, 2010.
Bakibinga E M (2004), Managing Electronic Privacy in the Telecommunications Sub-Sector: The
Ugandan Perspective.
Bezanson R (1992) The Right to Privacy Revisited: Privacy, News and Social Change 1890–1990,
80(5): 1133–1175.
Bygrave L A (1998) Data Protection Pursuant to the Right in Human Rights Treaties, International
Journal of Law and Information Technology, 6(3):247–284.
Bygrave L A (2001) The Place of Privacy in Data Protection Law, University of New South Wales
Law Journal, 24(1): 277–283.
Bygrave L A (2014) Data Privacy Law: An International Perspective, Oxford University Press,
UK.
Crowder M (1964), Indirect Rule-French and British Style, Africa: Journal of the International
African Institute, 34(3): 197–205.
De Hert P and Gutwirth S (2009) Data Protection in the Case Law of Strasbourg and Luxemburg:
Constitutionalism in Action in Gutwirth S et al (eds), Reinventing Data Protection?, Springer.
De Hert P and Schreuders E (2001) The Relevance of Convention 108, Proceedings of the Council
of Europe Conference on Data Protection, Warsaw, 19–20.
Edwards CP and Whiting BB (eds) (2004), NGECHA: A Kenyan Village in a Time of Rapid
Social Change, University of Nebraska Press, Lincoln/London.
EPIC Alert (2005) EPIC Hosts Privacy and Public Voice Conference in Africa, 23 December 2005,
Vol. 11, No. 24, http://www.epic.org/alert/EPIC_Alert_11.24.html.
Ezedike EU (2005), Individualism and Community Consciousness in Contemporary Africa: A
Complementary Reflection, Sophia: An African Journal of Philosophy, 8(1):59–64.
Ferraro G (1980), Rural and Urban Population in Swaziland: Some Sociological Considerations,
National Symposium on Population and Development, Mbabane, Swaziland.
Fuchs C and Horak E (2008), Africa and the Digital Divide, Telematics and Informatics, 25(2):99–116.
Gebremichael MD and Jackson JW (2006), Bridging the gap in Sub-Saharan Africa: A holistic
look at information poverty and the region’s digital divide, Government Information Quarterly
23(2): 267–280.
Gentili AM (2005), Party, Party Systems and Democratisation in Sub-Saharan Africa, Paper
Presentation at the Sixth Global Forum on Reinventing Government, Seoul, Republic of Korea.
Gutwirth S (2002) Privacy and the Information Age. Lanham/Boulder/New York/Oxford, Rowman
& Littlefield Publ.
Gyekye K (1988), The Unexamined Life: Philosophy and the African Experience, Ghana
University Press, Accra.
Hongladarom S (2016) A Buddhist Theory of Privacy, Springer, Singapore.
International Telecommunication Union (2009), The Information Society Statistical Profiles
2009:Africa, http://www.itu.int/dms_pub/itu-d/opb/ind/D-IND-RPM.AF-2009-PDF-E.pdf.
Kamwangamalu M N (1999) Ubuntu in South Africa: a Sociolinguistic Perspective to a Pan-African Concept, Critical Arts: South–north Cultural and Media Studies, 13(2): 24–41.
Kasusse M (2005), Bridging the Digital Divide in Sub-Saharan Africa: The Rural Challenge in
Uganda, The International Information & Library Review, 37(3):147–158.
Kigongo JK (1992), The Concept of Individuality and Social Cohesion: A Perversion of Two
African Cultural Realities in Dalfovo A.T et al (eds) (1992), The Foundations of Social Life:
Uganda Philosophical Studies, I, The Council for Research in Values and Philosophy,
Washington, 1992, pp. 59–68.
Kimani P (1998), When the family becomes a burden, Daily Nations, Weekender Magazine.
Lassiter E J (2000) African Culture and Personality: Bad Social Science, Effective Social Activism,
or a Call to reinvent Ethnology? African Studies Quarterly 3(3):1–21
Maduagwu M.O (2000), Globalization and Its Challenges to National Culture and Values: A
Perspective from Sub-Saharan Africa, in Köchler H (ed) (2000), Globality versus Democracy?
The Changing Nature of International Relations in the Era of Globalization, Jamahir Society
for Culture and Philosophy, Vienna, pp. 213–224.
Makulilo A B (2013) Data Protection Regimes in Africa: too far from European ‘adequacy’ standard? Journal of International Data Privacy Law, 3(1): 42–50.
Makulilo AB (2008), Tanzania: A De Facto One Party State?, VDM Verlag Dr. Müller
Aktiengesellschaft & Co. KG, Germany.
Martin W (2001), Trade Policies, Developing Countries and Globalisation, Development Research
Group, World Bank.
Mbiti J (1969), African Religions and Philosophy, Heinemann, London.
McAllister P (2009), Ubuntu-Beyond Belief in South Africa’, Sites: New Series, 6(1):1–10.
McDonald DA (2010), Ubuntu Bashing: The Marketisation of “African Values” in South Africa,
Review of African Political Economy, 37(124):139–152.
Molla A (2000), Downloading or Uploading? The Information Economy and Africa’s Current
Status, Information Technology for Development, 9(3&4):205–221.
Nabudere DW (2008), Ubuntu Philosophy: Memory and Reconciliation, http://www.grandslacs.net/doc/3621.pdf.
Neethling J (2005) The Concept of Privacy in South African Law, The South African Law Journal,
122(1):18–28.
Newell S (2008), Corresponding with the City: Self-help Literature in Urban West Africa, Journal
of Postcolonial Writing, 44(1):15–27.
Ntibagirirwa S (2001), A Wrong Way: From Being to Having in the African Value System in
Giddy, P (ed) (2001), Protest and Engagement: Philosophy after Apartheid at an Historically
Black South African University, South African Philosophical Studies, II, The Council for
Research in Values and Philosophy, Washington, pp. 65–81.
Nwauche E S (2007) The Right to Privacy in Nigeria, Review of Nigerian Law and Practice, 1(1):
62–90.
Okigbo P (1956), Social Consequences of Economic Development in West Africa, The Annals of
the American Academy of Political and Social Science, 305(1):125–133.
Olinger HN et al (2007), Western privacy and/or Ubuntu? Some Critical Comments on the influences in the Forthcoming Data Privacy Bill in South Africa, The International Information & Library Review, 39(1): 31–43.
Olutayo AO and Omobawale AO (2007) Capitalism, Globalisation and the Underdevelopment
Process in Africa: History in Perpetuity, African Development, 32(2):97–112.
Omobowale AO (2006), The Youth and the Family in Transition in Nigeria, Review of Sociology,
16(2):85–95.
Paul JCN (1988), Developing Constitutional Orders in Sub-Saharan Africa: An Unofficial Report,
Third World Legal Studies, 7(1): 1–34.
Prempeh HK (2007), Africa’s “Constitutionalism Revival”: False start or new dawn?, International
Journal of Constitutional Law, 5:469–506.
Rodney W (1972), How Europe Underdeveloped Africa, East African Educational Publishers,
Nairobi/Kampala/Dar es Salaam, 1972.
Roe EM (1988), Individualism versus Community in Africa? The Case of Botswana, The Journal
of African Modern Studies, 26(2):347–350.
Roos A (2003) The Law of Data (Privacy) Protection: A Comparative and Theoretical Study, LL.D
Thesis, UNISA.
Senghor L (1966), ‘Negritude’ in Optima, 16(1):1–18.
Sindima H (1990), Liberalism and African Culture, Journal of Black Studies, 21(2):190–209.
Sinjela M (1998), Constitutionalism in Africa: Emerging Trends, The Review, Special Issue,
23(60):23–29.
Taiwo O (2010), Colonialism Pre-empted Modernity in Africa, Indiana University Press, U.S.A.
Tambulasi R and Kayuni H (2005), Can African Feet Divorce Western Shoes? The Case of
“Ubuntu” and Democratic Good Governance in Malawi, Nordic Journal of African Studies,
14(2):147–161.
Tanzania Institute of Education (2002), Africa from Stone Age to the Nineteenth Century, NPC-KIUTA, Dar es Salaam.
The Editors of the Spark (1965), Some Essential Features of Nkurumaism, International Publishers,
New York.
Thomas VM and Schoeneman TJ (1997), Individualism versus Collectivism: A Comparison of
Kenyan and American Self-Concepts, Basic and Applied Social Psychology, 19(2):261–273.
Ulyashyna L (2006) Does case law developed by the European Court of human Rights pursuant to
ECHR Article 8 add anything substantial to the rules and principles found in ordinary data
protection principle?, A Tutorial Paper presented at the Norwegian Centre for Computers and
Law (NRCCL).
Wa Thiong’o N (2007), The River Between, East African Educational Publishers Ltd, Nairobi/
Kampala/Dar es Salaam.
Warren S D and Brandeis L S (1890) The Right to Privacy, Harvard Law Review, 4(5):193–195.
Westin A F (1967) Privacy and Freedom, Atheneum Books, New York.
Wing AK (1992), Communitarianism vs. Individualism: Constitutionalism in Namibia and South
Africa, Wisconsin International Law Journal, 11(2):295–380.
World Bank (2014), Gross National Income per Capita 2010, Atlas Method and PPP, http://databank.worldbank.org/data/download/GNIPC.pdf.
Part II
National Data Privacy Laws
Chapter 2
Data Protection in North Africa: Tunisia and Morocco
Alex B. Makulilo
Abstract Tunisia and Morocco are among the North African Arabic and Islamic states. The two countries have data privacy systems that are largely inspired by the European data protection standards. Both of them have recently been invited by the Council of Europe to accede to its Convention 108 concerning the protection of personal data and its Additional Protocol. Prior to that, in the 1990s, the European Union signed Association Agreements (AAs) with Tunisia and Morocco for trading relations. The AAs have Annexes of fundamental principles of data protection. This chapter provides an overview of the Tunisian and Moroccan data protection systems and how such systems developed in a region rich in Arabic and Islamic cultures.
2.1 Introduction
• Is the new law an alien rule system quasi-imposed from without, or is it merely a re-alignment of existing privacy values in a particular society with a ‘Western’ form of expression of such values in data protection terms appropriate to societies aspiring to be successful players in the Information Age?
Most of the above questions remain relevant to date, especially considering the fact that international transfer of personal data is rapidly growing. While this chapter does not specifically intend to provide answers to the above four questions, it will use them as frameworks for discussion. Three caveats must however be noted here. First, significant developments have taken place since the 2007 special issue Vol. 16, No. 2 above was published. The Arab Spring in 2011 resulted in constitutional reforms in Tunisia and Morocco. The ever-increasing state surveillance in these two countries has largely raised privacy concerns among individuals and hence a call for more data privacy reforms and accountability of the state. Second, the special issue only covered the Tunisian system of data protection. However, the coverage of issues in the Tunisian article in the special issue is quite different from the present chapter. Third, the special issue did not cover Morocco. For that reason, it will be interesting to consider similar questions in the context of Morocco.
2.2 Tunisia
During the world economic crises of the 1970s, Tunisia was pushed by the World Bank and donor countries towards implementing a capitalist system. Through capitalism, Tunisia made progress economically but with little democratic reform. Since Tunisia’s democratic reforms did not accompany the economic progress, it was labelled an authoritarian regime due to its tendency to suppress opposition and censor news. The Tunisian legal system is heavily influenced by French civil law, while the Law of Personal Status is based on Islamic law. The Law of Personal Status is applied to all Tunisians regardless of their religion. However, Sharia courts were abolished in 1956. The Constitution of Tunisia is the supreme law of the Tunisian Republic.
In 2011 Tunisia went through a political transition. This transition was ignited on 17 December 2010, when a street vendor set himself on fire to protest against poverty, injustice and repression by the ruling regime. Following his death, massive public demonstrations, famously known as the Jasmine Revolution, broke out, forcing Ben Ali to flee to Saudi Arabia on 14 January 2011. The Tunisian Jasmine Revolution inspired popular uprisings throughout the Arab World, culminating in the Arab Spring that swept across North Africa and the Middle East. On 15 January 2011, in line with the 1959 Constitution, the speaker of the Parliament Fouad Mebazza became interim President of the Republic. On 23 October 2011, Tunisia held a free election for the National Constituent Assembly (NCA). The newly elected assembly was charged with the work of drafting a new constitution that would be followed by legislative and presidential elections. The elections were conducted relatively peacefully, with only a few minor violations considering the strong turnout, attesting to a strong democratic impulse. The Islamic movement Ennahda/Al Nahda (Renaissance) won 37 % of the popular vote and became the strongest political force in the new National Assembly. On 12 December 2011, the NCA elected former dissident Moncef Marzouki as interim president until a new Constitution was adopted and new presidential elections were held. The Tunisian Constitution was adopted on 26 January 2014. Following this, parliamentary elections were held on 26 October 2014. A presidential election was held on 23 November 2014, a month after the parliamentary election. It was the first free and fair presidential election since the country gained independence in 1956, as well as the first regular presidential election after the Tunisian Revolution of 2011 and the adoption of the Constitution in January 2014. Since no candidate won a majority during the first round of voting, a second round between incumbent Moncef Marzouki and Nidaa Tounes candidate Beji Caid Essebsi took place on 21 December 2014 and saw Essebsi win the election.
Agreement with the European Union. The significance of this Treaty is to remove certain tariffs and create a free trade area. By 2008 Tunisia was the first Mediterranean country to enter in a free trade area with EU. The EU is Tunisia’s first trading partner, currently accounting for 72.5 % of Tunisian imports and 75 % of Tunisian exports.1 Moreover it is one of the EU’s most established trading partners in the Mediterranean region and ranks as the EU’s 30th largest trading partner.2 The current agenda of EU-Tunisia relations is spelled out in an Action Plan under the European Neighbourhood Policy. Tunisia and the EU are therefore bound by the legally binding treaty in the form of an Association agreement.
The Jasmine Revolution, the local name for the Arab Spring in Tunisia that saw the ousting of the former Tunisian President El Abidine Ben Ali, was compounded by massive state surveillance of the people, particularly protestors who organized through social media (Twitter and Facebook), raising concerns for privacy. It is important to note that even prior to the Jasmine Revolution, internet censorship and control had been commonplace in Tunisia. It was not until the last days of the Jasmine Revolution in January 2011 that the Tunisian government shut down the censorship regime, raising numerous questions about Internet censorship in Tunisia.3 However, even after the Jasmine Revolution, Internet censorship still exists, raising fears of the Big Brother, which goes by the fictional name of Ammar 404 in Tunisia after the ‘Error 404’ message shown for a blocked website.4
The Tunisian data protection system is highly inspired by EU data protection governance. The starting point is the EU-Tunisia Association Agreement (AA). The Annex to the Protocol, which is part of the AA, sets out the fundamental principles of data protection which must be adhered to by the parties in implementing it. These principles are a replica of the data protection principles found in the EU Directive 95/46/EC. The key data protection principles in the Annex include fair and lawful processing; purpose specification; relevancy; accuracy; data retention; sensitivity and security. Similarly, the Annex provides for a regime of rights of the data subject such as access, rectification, and erasure. However, the fundamental principles of data protection in the Annex do not apply to data processing in the context of national security, public order or a State’s financial interests or criminal law enforcement; protection of the data subjects or the rights and freedoms of others; and personal data used for statistical purposes or scientific research.
1 Country Facts: Tunisia-Economy http://country-facts.com/en/countries/africa/tunisia/9640-tunisia-economy.html accessed 22.02.2016.
2 Ibid.
3 Wagner (2012), Vol. 36, No. 6, pp. 484–492 at p. 484.
4 Silver (2011), http://www.bloomberg.com/news/articles/2011-12-12/tunisia-after-revolt-can-alter-e-mails-with-big-brother-software accessed 22.02.2016.
The second influence over the Tunisian data protection system comes from the Council of Europe. Last year Tunisia made a request to the Council of Europe to accede to the Convention 108 of the Council of Europe concerning the protection of personal data. The request was granted in December 2015 by the Council of Ministers of the Council of Europe, who invited Tunisia to accede to the Convention and its Additional Protocol. The third influence on the Tunisian data protection system comes from the EU Directive 95/46/EC on the protection of personal data, which restricts movement of personal data to third countries unless they provide adequate protection of personal data. This restriction at least indirectly put pressure on Tunisia to adopt comprehensive data protection legislation in order to attract foreign investment from the EU. It is also important to note that Tunisia is a party to the International Covenant on Civil and Political Rights (ICCPR) 1966, whose Article 17 protects the right to privacy. In this case Tunisia has an obligation to enact privacy legislation emanating from this Treaty. In Africa, Tunisia is a member of the African Union (AU). The latter adopted the AU Convention on Cyber Security and Personal Data Protection 2014, which is not yet in force. This AU Treaty requires the AU countries that are parties to it to implement data protection legislation in their countries.
The Constitution of Tunisia is the supreme law. The Constitution is superior even to the international agreements which are approved and ratified by the Assembly of the Representatives of the People. Article 24 of the Constitution expressly guarantees the right to privacy, the inviolability of the home, and the confidentiality of correspondence, communications, and personal information. There are also scattered provisions of privacy relevance in sectoral and statutory laws. These pieces of legislation are beyond the scope of this chapter because they do not spell out the basic principles of data protection.
Act No. 2004–63 of 27 July 2004 (the DP Act) is the comprehensive piece of legislation for the protection of personal data in Tunisia. This Act was implemented by two Decrees: the Decree No. 2007-3004 of 27 November 2007 on the conditions and processing of notification and authorization for the processing of personal data and the Decree No. 2007-3003 of 27 November 2007 on the functioning of the national authority for the protection of personal data: l’Instance Nationale de Protection des Données à Caractère Personnel (INPDP).
Scope The Act applies to any automatic processing and non-automatic processing
of personal data performed by natural or legal persons. However this Act has a
major derogatory regime for processing of personal data by public authorities. This
means that processing of personal data carried out by public persons is generally
excluded.
Similarly, the Tunisian Act does not have any provision with respect to its territorial scope. As a consequence, the Act governs the conditions under which processing of personal data takes place on Tunisian territory. Moreover, section 22 of the Act provides that any person wishing to process personal data must meet the following conditions: to have Tunisian nationality; to have a residence in Tunisia; and to have a blank criminal record. According to this provision, a foreign person or legal entity can be neither a controller nor a processor of personal data in Tunisia, nor an employee or agent of a controller or processor of such data, without violating the Act.5 At the same time, even a Tunisian citizen who does not have his/her residence in Tunisia shall not be able to be involved in the processing of personal data performed in Tunisia, either as a controller, a processor or an agent.6
5 CRID (2010a), Analysis of the Adequacy of Protection of Personal Data Provided in Tunisia, p. 32.
6 Ibid, p. 33.
Direct Marketing The Data Protection Act prohibits the use of personal data for
advertising or marketing without express prior consent.
Data Subject’s Rights A data subject has the right to access, object and rectify
personal data held by a data controller.
Data Protection Authority The 2004 Act creates a national authority for the
protection of personal data (INPDP). The INPDP has the traditional function of any data
protection authority. Generally its main function is to enforce the DP Act. The
Tunisian INPDP has been criticized as being weak, powerless and subject to
government interference.7
International Transfer of Personal Data The Act prohibits the transfer of personal
data to third parties without prior consent. Moreover it prohibits the transfer of
personal data outside Tunisia that may have national security impact, unless the
country to which data is being transferred has adequate protection for the data.
On 22 December 2010 the EU through its consultant (CRID) released its final report
on the analysis of the adequacy of protection of personal data provided in Tunisia.
The overall outcome of this assessment was that the Tunisian regime regarding the
protection of personal data was to be considered inadequate.8 This conclusion was
based on a number of shortcomings in the Tunisian data protection system including
the limited territorial scope of the Data Protection Act 2004; an extensive
derogatory regime; a highly restrictive regime for international onward transfer of
personal data; and the lack of a regime with regard to automatic individual decision
making.
However in July 2015 Tunisia filed its application to the Council of Europe for
accession to the Convention 108 of the Council of Europe concerning the protection
of personal data. In December 2015 the Council of Ministers of the Council of
Europe invited Tunisia to accede to the Convention for the Protection of Individuals
with regard to Automatic Processing of Personal Data (ETS No. 108) and to its
Additional Protocol (ETS No. 181). This invitation is open for a period of five years
from the date of its adoption. This means that Tunisia should accede to the
Convention and amend its 2004 legislation to meet the Convention standards.
7 Afef (2015), http://igmena.org/Shaping-fair-and-reasonable-privacy-and-data-protection-laws-in-Tunisia accessed 21.02.2016.
8 CRID (n5), p. 123.
2.2.6 Conclusion
An overview of the above discussion shows that the Tunisian data protection system
is highly influenced by the European data protection standards. This influence first
comes out from the EU-Tunisian Association Agreement signed in 1995 as part of
the Euro-Mediterranean Partnership. Also, the EU influence of data privacy over
Tunisia comes from the EU Directive 95/46/EC on the protection of personal data
and most recently from the Council of Europe Convention 108 for the protection of
individuals with regard to automatic processing of personal data. In the latter case,
the Council of Europe has invited Tunisia to accede to the CoE Convention 108 and
its Protocol. Despite this influence a specific study is required to establish
empirically to what extent the Islamic and Arabic culture fares well within the
European privacy standards.
2.3 Morocco
the administration is involved while the judicial system handles criminal matters,
and civil and commercial matters between private parties.
Demands for political reforms in Morocco followed in the course of prodemocracy
protests that swept the Arab world starting from Tunisia. On 20 February 2011,
the Moroccan Movement was staged. Thousands of Moroccans across the country
took part in antigovernment protests. The protesters called for a genuine
constitutional monarchy, the disbanding of parliament, as well as the dismissal of
Prime Minister Abbas El-Fassi. In response, the Moroccan King made superficial
constitutional reforms which fell far short of the demands of protesters.
The EU-Moroccan relations are now expressly stated in the Preamble of the
Moroccan Constitution 2011, which is an integral part of the Constitution itself. By
this provision clearly Morocco reaffirms and commits itself to intensify relations of
cooperation and partnership with neighboring Euro-Mediterranean countries.
The Moroccan relations with EU are largely trade based. Such relations are built
on the Euro-Mediterranean Partnership (Euromed), formerly known as the Barcelona
Process. The latter was launched in 1995. The Union for the Mediterranean
promotes economic integration and democratic reform across 16 neighbours to the
EU’s south in North Africa and the Middle East including Morocco. Based on the
economic partnership initiatives, in 1998 the EU remained Morocco’s largest
trading partner accounting for more than half of all trade.9 It is noteworthy that
in 1996 Morocco signed a trade accord with EU (the Association Agreement) which came
into effect in March 2000. This accord provides the current framework for
EU-Morocco trade relations and a Free Trade Area (FTA). It created a fertile ground
for EU investments in Morocco. Currently EU is Morocco’s first trading partner
with total trade amounting to approximately euro 29.25 billion.10
To further reinforce the trading relations, in 2008 EU granted Morocco an
advanced status. The idea behind this is to increase close cooperation with EU on
matters such as democratic reforms, economic modernization and migration issues.11 In
implementing the objectives of the Moroccan advanced status, in March 2013
negotiations for a Deep and Comprehensive Free Trade Agreement (DCFTA) between
the EU and Morocco were launched. DCFTA seeks to strengthen the trade relations
between EU and Morocco by putting in place a comprehensive trade agreement,
thereby expanding the scope and domain of all previous agreements. The DCFTA,
among other things, will gradually integrate the Moroccan economy into the EU
9 European Commission, Countries and Regions: Trade, http://ec.europa.eu/trade/policy/countries-and-regions/countries/morocco/ accessed 24.01.2016.
10 Ibid.
11 For a critical appraisal, see Martín (2009), Vol. 14, No. 2, pp. 239–245. See also, Brach (2006), https://giga.hamburg/en/system/files/publications/wp36_brach.pdf accessed 24.01.2016.
There is a close link between the Arab Spring and state surveillance in Morocco, on
the one hand, and social attitude to privacy, on the other. Although state surveillance
had been there before, its magnitude intensified during and possibly after the Arab
Spring. In 2015, Privacy International (PI), a UK-based charity dedicated to
fighting for the right to privacy around the world, released its most incriminating
surveillance report on Morocco.12 According to this report, the Moroccan state
made heavy investment in spying on its citizens’ activities and squashing dissent,
which prevented the spread of a ‘Moroccan Spring’ ignited by the February 20th
Movement. The latter movement, which took place in 2011, was characterised by a
series of protests demanding democracy and more accountability from the government.
The Movement was largely organized through social media, particularly on Twitter and
Facebook. By 2011, the Moroccan government had already invested €2 million in a
surveillance system named Eagle, which allows the government to perform censorship
and mass monitoring of internet traffic, with a technique referred to as Deep Packet
Inspection.13 The PI reports that surveillance by the Moroccan government and other
state agencies has increased considerably since the Arab Spring, and ramped up
further since the February 20th Movement.14 Phone tapping and privacy violations on
the internet have made the Moroccan citizens more concerned and cautious about their
privacy.
The Moroccan data protection system is highly influenced by the EU data protection
frameworks due to its trading relations with Europe. Several trading agreements
and initiatives with EU oblige Morocco to put in place a sound system of data
protection. Although Morocco is a party to the International Covenant on Civil and
Political Rights (ICCPR) 1966 whose Article 17 protects the right to privacy, there
seems to be little obligation to enact privacy legislation emanating from this Treaty.
Also significant to note, Morocco is not a member of the African Union (AU); as
such, the AU Convention on Cyber Security and Personal Data Protection 2014 will
have little or no impact on the Moroccan data protection system when it becomes
operational. The AU Treaty requires the AU countries parties to it to implement data
protection legislation in their countries.
12 Privacy International (2015), https://www.privacyinternational.org/sites/default/files/Their%20Eyes%20on%20Me%20-%20English_0.pdf accessed 20.01.2016.
13 Ibid, p. 9.
14 Ibid.
It is noteworthy that at a national level Morocco gives to duly ratified
international conventions primacy over its domestic laws (Preamble to the Moroccan
Constitution), and therefore transposes automatically the relevant provisions of the
international privacy law to its national legislation. In Morocco the preamble is an
integral part of the Constitution. Moreover Article 24 of the Moroccan Constitution
2011 expressly guarantees the right to privacy. Specifically the Constitution states
that every person has the right to the protection of his private life. The domicile is
also inviolable. This provision also prohibits searches generally except where it is
provided by the law. Private communications are secret. Only justice can authorize,
under the conditions and following the procedure provided by the law, the access to
their content, their total or partial divulgation.
Law 09/08 on the protection of individuals with regard to the processing of personal
data, which is the main Moroccan data protection law,15 was passed by the Moroccan
Parliament in December 2008. It was promulgated by Dahir No. 1-09-15 and was
published in the Official Gazette of 5 March 2009. However it gave data controllers
a transition period until 5 November 2012 to bring their operations in line with the
data protection Act. The data protection authority, the National Commission for the
Control and the Protection of Personal Data (CNDP), was established on 30 August
2010.
The history of data protection law reform in Morocco is partly linked to three
catalysts. First is the desire by Morocco to safeguard its outsourcing industry. A
study conducted in 2008 by the Moroccan Ministry of Economy pointed out that the
low volume of relocation of banking and insurance services to Morocco was partly
due to a lack of a system of protection of personal data transferred to the Kingdom,
and recommended the adoption of legislation on this subject, which followed in
2009.16 The second factor is that the Moroccan Law 09/08 on the protection of
personal data was adopted as part of regulatory convergence recorded in the
Euro-Mediterranean Partnership. As early as 1996 Morocco and EU signed the Association
Agreement which took effect in March 2000. This trade agreement specifies in its
Annex to Protocol 5 fundamental principles applicable to data protection which
contracting parties have to observe and take into account in their trade dealings. The
Annex has the data protection principles that are based on the EU Directive
95/46/EC. It provides that personal data undergoing computer processing must be obtained
and processed fairly and lawfully; kept for explicit and legitimate purposes and not
further used in a way incompatible with those purposes; appropriate, relevant and
not excessive in relation to the purposes for which they are collected; accurate and,
where necessary, kept up to date; kept in a form which permits identification of the
person concerned for no longer than is necessary for the procedure for which the
data were collected. With regard to sensitive personal data, the Annex states that
personal data revealing racial origin, political or religious opinions or other beliefs,
and data concerning a person’s health or sex life, may not undergo computer
processing except where suitable safeguards are provided by national law. Appropriate
security measures are also required to ensure that personal data recorded in
computer filing systems are protected against unlawful destruction or accidental loss
and against unauthorised alteration, disclosure or access.
15 Loi n° 09–08 Relative à la Protection des Personnes Physiques à l’égard du Traitement des Données à Caractère Personnel 2009.
16 Ministère de l’Economie et des Finances, Délocalisation des activités de services au Maroc, Etat des lieux et opportunités, Juillet 2008, p. 15, http://www.finances.gov.ma/depf/publications/en_catalogue/etudes/2008/delocalisation.pdf last accessed 25.01.2016.
The Annex provides the rights of persons whose personal data is the subject of
processing. Such rights include access, rectification, and erasure. Similarly the Annex
contains the usual exceptions for application of data privacy laws. Accordingly data
processing for purposes of national security, public order or a State’s financial
interests, or to prevent criminal offences; protection of the data subjects or the
rights and freedoms of others; and personal data used for statistical purposes or
scientific research are exempted.
Moreover, the EU-Morocco Action Plan (2013–2017) has made for a more targeted
implementation of the instruments provided for in the Association Agreement
and supported Morocco’s objective of bringing its economic and social structures
more into line with those of the Union.17 The Action Plan requires the Kingdom of
Morocco to gradually accede to the relevant Council of Europe conventions on the
protection of fundamental rights that are open to the participation of non-members
of the Council of Europe in accordance with the Council’s accession procedures,
including the Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data.18 The objective to accede the Moroccan data protection
law system to EU has been specifically implemented through the Twinning
Light project which is part of the Action Plan for Morocco for the implementation
of the ‘Advanced Status’. The global objective of the Twinning Light Project
‘Improving the protection of the rights to privacy and personal data in Morocco’ is
to improve the protection of private life in Morocco and the personal data
protection.19 However the project’s specific objective is to strengthen the institutional,
17 Joint Proposal for a COUNCIL DECISION on the Union position within the Association Council set up by the Euro-Mediterranean Agreement establishing an association between the European Communities and their Member States, of the one part, and the Kingdom of Morocco, of the other part, with regard to the adoption of a recommendation on the implementation of the EU-Morocco Action Plan implementing the advanced status (2013–2017)/* JOIN/2013/06 final - 2013/0107 (NLE)*/.
18 Ibid, para 2.8.
19 The ‘ACHIEVING ADVANCED STATUS’ Program (Programme: ‘Réussir le Statut Avancé’) Project no. ENPI/2011/022, 778, http://www.sida.se/globalassets/abstract-twinning-project-cndp.
General Principles of Data Processing The general principles for processing
personal data in the Moroccan data protection law are closely similar to those in the
European Directive 95/46/EC. The Act provides that personal data must be: processed
lawfully and faithfully; collected for defined, explicit and legitimate purposes, and
not be further used in a manner incompatible with the purpose stated; adequate,
pertinent and non-excessive; accurate and, if required, updated; and kept for a term
proportionate with the purpose for which they are collected. In addition, the Law
provides that the data processor must implement technical and organizational
measures so as to ensure the confidentiality and security of the personal data processed.
Direct marketing, including through automated call, email or use of the contact
information of a person who has not expressed consent, is prohibited.
Rights of Data Subjects The Moroccan data protection legislation provides for the
data subject’s rights, including the rights to access and modification of personal
data and the right to oppose processing, generally and specifically with respect to
unsolicited marketing.
Jersey, Isle of Man, Israel, New Zealand, United States-Safe Harbour Agreement,
Eastern Republic of Uruguay).22
In assessing adequacy, the CNDP takes into account the privacy regulatory
framework, safety measures, processing specifications, and the nature, origin and
destination of the personal data to be processed. The CNDP may authorize data
transfers to countries which do not provide for an adequate level of protection of
personal data where it is necessary: for the safeguarding of the data subject’s life; for
the protection of public interest; where there exists a bilateral or multilateral
agreement between Morocco and the recipient’s country; where the specific authorization
of the CNDP has been provided when the processing provides a sufficient level of
protection, for instance in consideration of contractual provisions or internal rules
applicable to the processing.
The Data Protection Authority The CNDP is composed of: a president designated
by the Moroccan King; six members also designated by the King following the
suggestions of the Prime Minister, and the presidents of the chamber of representatives,
and of the chamber of counselors. They are appointed for 5 years, and the
appointment can be renewed once. The CNDP has all conventional functions of a
data privacy authority including receiving all complaints from any data subject. The
CNDP, in contrast to other data protection authorities, is not empowered to impose
financial sanctions directly onto the data controllers. It can, however, cancel any
authorization granted, or suspend any processing which, although declared to its
services, would in its implementation be in violation of the Regulation. Sanctions
can only be imposed by Moroccan courts.
An attempt by the Moroccan state to accredit its data privacy system to the European
Union has not been successful. In 2010 the EU commissioned a consultant to
evaluate the Moroccan data protection system to see whether it meets the adequacy
standard of the EU Directive 95/46/EC. The consultant refused to conclude that Morocco
meets the adequacy standard because of the insufficiency of practice of the data
privacy legislation.23 However a theoretical analysis of the Moroccan data
protection legislation revealed a number of shortcomings.24 First and foremost, the data
concerning sex life are not considered as sensitive, though the definition of
‘sensitive data’ follows closely the European one.25 This is explained by the Muslim
character of the Moroccan State.26 However, it is surprising that the Legislator has
recognised ‘philosophical and religious beliefs’ as sensitive data, while the processing
of this type of data is occurring regularly in a variety of situations in Morocco.27
Although the principle of transparency in the Moroccan data protection legislation
is held to be compliant with the European Union Article 29 Data Protection Working
Party (WP) Opinion 12, adequacy issues have been raised with respect to exceptions
to the disclosure requirement of processing in the context of ‘open networks’. The
adequacy of international transfer of personal data is similarly at issue. The reason
is that it always requires the approval of the data protection commissioner. This is
irrespective of whether the foreign country provides an adequate level of protection
of personal data.
22 Ihrai (2014), http://www.phaedra-project.eu/wp-content/uploads/Maurice-Phaedra.pdf accessed 25.01.2016.
23 CRID (2010b).
24 For a critical appraisal, see Makulilo (2013), Vol. 3, No. 1, pp. 42–50.
25 Gayrel (2012) No. 115, pp. 18–20, at p. 20.
In 2012 the Moroccan state by letter to the Secretary General of the Council of
Europe, expressed interest in accession to the CoE Convention 108. This request
was assessed by the Consultative Committee of the Council which concluded that
there was ‘overall conformity of the Moroccan legislation with the principles of
Convention 108, with the exception of the scope of application of the protection and
the definition of special categories of data.’ On the basis of this Opinion, on 30
January 2013, the Committee of Ministers issued an invitation to the Moroccan
government to accede to Convention 108. Indeed, this is the second non-European
accession invitation after Uruguay, which has now acceded to the Convention 108.
Morocco is in the process of formalising accession. On 6 June 2013 Morocco
adopted a bill approving the Council of Europe’s (CoE) Convention 108 for the
Protection of Individuals with regard to Automatic Processing of Personal Data.
The main advantage that Morocco will have in acceding to the Convention 108 is
that it will be able to exchange personal data with CoE members, some of which are
also EU member states.
2.3.6 Conclusion
Despite the Moroccan Islamic and Arabic culture, there is significant influence from
the European principles of privacy in Morocco. This influence first comes out from
the EU-Moroccan Association Agreement signed in 1996 as part of the
Euro-Mediterranean Partnership, but which took effect in 2000. Also, the EU influence of
data privacy over Morocco comes from the EU Directive 95/46/EC on the protection
of personal data and most recently from the Council of Europe Convention 108
for the protection of individuals with regard to automatic processing of personal
data. In the latter case, the Council of Europe has invited Morocco to accede to the
CoE Convention 108 and its Protocol. Up to now the CNDP has attained 5 years
since it was established. This is sufficient time for a specific study to be carried
out to establish empirically to what extent the Islamic and Arabic culture fares well
within the European privacy standards.
26 Ibid.
27 Ibid.
References
Brach J (2006) Ten Years after: Achievements and Challenges of the Euro-Mediterranean
Economic and Financial Partnership, GIGA WP 36, GIGA Research Unit: German Institute for
Middle East Studies
Bygrave L A (2010) Privacy and Data Protection in an International Perspective, Scandinavian
Studies in Law 56:165–200
Bygrave L A (2014) Data Privacy Law: An International Perspective, Oxford UK
Gayrel C (2012) Data Protection in the Arab Spring: Tunisia and Morocco, Privacy Laws &
Business International Report 115:18–20
Makulilo AB (2013) Data Protection Regimes in Africa: too far from European ‘adequacy’ stan-
dard? International Data Privacy Law 3(1):42–50
Martín IN (2009) EU–Morocco Relations: How Advanced is the ‘Advanced Status?’
Mediterranean Politics 14(2):239–245
Wagner B (2012) Push-button-autocracy in Tunisia: Analysing the role of Internet infrastructure,
institutions and international markets in creating a Tunisian censorship regime,
Telecommunications Policy 36 (6): 484–492
Documents
Afef A (2015) Shaping fair and reasonable privacy and data protection laws in Tunisia, Internet
Governance Capacity Building Program (IGCBP),
http://igmena.org/Shaping-fair-and-reasonable-privacy-and-data-protection-laws-in-Tunisia
Country Facts (2016) Tunisia-Economy,
http://country-facts.com/en/countries/africa/tunisia/9640-tunisia-economy.html
CRID (2010a) Analysis of the Adequacy of Protection of Personal Data Provided in Tunisia
CRID (2010b) Analyse du Niveau d’Adequation du Systeme de Protection des Donnees dans le
Royaume du Maroc
European Commission (2016) Countries and Regions: Trade,
http://ec.europa.eu/trade/policy/countries-and-regions/countries/morocco/
Ihrai S (2014) International cooperation on the protection of personal data: Moroccan practice,
Phaedra Maurice, http://www.phaedra-project.eu/wp-content/uploads/Maurice-Phaedra.pdf
Joint Proposal for a COUNCIL DECISION on the Union position within the Association Council
set up by the Euro-Mediterranean Agreement establishing an association between the European
Communities and their Member States, of the one part, and the Kingdom of Morocco, of the
other part, with regard to the adoption of a recommendation on the implementation of the
EU-Morocco Action Plan implementing the advanced status (2013–2017)/* JOIN/2013/06
final – 2013/0107 (NLE) */
Ministère de l’Economie et des Finances (2008) Délocalisation des activités de services
au Maroc, Etat des lieux et opportunités,
http://www.finances.gov.ma/depf/publications/en_catalogue/etudes/2008/delocalisation.pdf
Privacy International (2015) Their Eyes on Me: Stories of Surveillance in Morocco,
https://www.privacyinternational.org/sites/default/files/Their%20Eyes%20on%20Me%20-%20English_0.pdf
Silver V (2011) Post-Revolt Tunisia Can Alter E-Mail With “Big Brother” Software,
http://www.bloomberg.com/news/articles/2011-12-12/tunisia-after-revolt-can-alter-e-mails-with-big-brother-software
The ‘ACHIEVING ADVANCED STATUS’ Program (Programme: ‘Réussir le Statut Avancé’)
Project no. ENPI/2011/022, 778,
http://www.sida.se/globalassets/abstract-twinning-project-cndp.pdf
Chapter 3
Information Privacy in Nigeria
Abstract The right to privacy as well as the right to respect for the dignity of the
person are provided for in the current Nigerian Constitution, and there are decided
cases that show how the Nigerian courts have interpreted and enforced them. It is
true that no specific legislation exists that defines the contours of the constitutional
right to privacy or demarcates its dimensions but there are statutory provisions in
some federal laws that highlight information privacy, even though these provisions
are often ancillary to the main objectives of these statutes and have limited
application. This chapter, therefore, undertakes a critical analysis of the development and
current legal reforms in respect of personal information protection in Nigeria. The
result indicates that information privacy is not well developed in the Nigerian legal
system despite the existence of the above mentioned constitutional rights. This is
reflected in the judicial, socio-cultural, political, technological and economic
contexts in which informational privacy discussions take place. However, some key
legislative developments are occurring – some bills are before the Parliament and
international treaties are being signed. It is hoped that these will lead to a stronger
data protection framework in Nigeria sooner rather than later.
3.1 Introduction
laws made by federal parliament on items in the concurrent list apply to the Federal
Capital Territory and to federal institutions. Only when the state legislature passes
similar law will the subject have an effect on the state. For instance, assuming that an
item for personal data protection is in the concurrent list, if the federal government
passes a data protection act, it will not have an effect in the states. Only states that have
passed similar data protection law will regulate such matters within their territory.1
The Nigerian legal system is generally based on the English common law and
legal tradition due to its colonial ties with Britain, although upon gaining indepen-
dence, only the common law of England, the doctrines of equity and the statutes of
general application which were in force in England as at 1st January 1900 are appli-
cable in so far as local jurisdiction and circumstances permit.2 However, there are
multiple sources of Nigerian law – the Constitution, legislation passed by the fed-
eral and state Parliaments, Received English law,3 judicial precedents, international
law,4 customary law and sharia law.5 The Constitution which is the grundnorm,
among other things, provides for the fundamental human rights of Nigerian citizens.
These include the right to privacy6 and the right to respect for the dignity of the
person.7 Currently, there is no specific privacy legislation that concretises these con-
stitutional rights, but as indicated above, the effect of Nigeria’s colonial history is
that common law principles including that of privacy are applicable in Nigeria, even
in the absence of specific privacy legislation. But as will be discussed below, decided
1
No item could be found in either the exclusive or the concurrent legislative list with any of the
keywords: human rights, privacy, data protection, personal data and information privacy. However,
the combined reading of Items 60, 67 and 68 of the exclusive legislative list, as well as sections 17
and 45 of the Constitution suggest that it is the federal parliament that has the power to make a
privacy law. In contrast, Germany which operates a federal system of government like Nigeria has
a federal Data Protection Act and sixteen data protection laws for the states.
2
See, Interpretation Act, Cap I23, Laws of the Federation of Nigeria (LFN) 2004. No item could
be found in either the exclusive or the concurrent legislative list with any of the keywords: human
rights, privacy, data protection, personal data and information privacy. However, the combined
reading of Items 60, 67 and 68 of the exclusive legislative list, as well as sections 17 and 45 of the
Constitution suggest that it is the federal parliament that has the power to make a privacy law. In
contrast, Germany which operates a federal system of government like Nigeria has a federal Data
Protection Act and sixteen data protection laws for the states.
3
This consists of (1) the received English Law comprising of the following: the common law, the
doctrine of equity, statutes of general application in force in England on January 1, 1900, Statutes
and subsidiary legislation on specified matters, and (2) English law (statutes) made before 1st
October, 1960 and extending to Nigeria which are not yet repealed.
4
Nigeria is a dualist state, only international treaties that have been domesticated have local appli-
cation, but that does not relieve Nigeria of its international obligation arising from signed treaties
as set out in the Vienna Conventions on laws of Treaties. The Nigerian Constitution has clear
provisions in section 12 of the Constitution as per method of ratification of treaties.
5
See generally, Obilade, The Nigerian Legal System (1979).
6
Constitution of the Federal Republic of Nigeria 1999, s 37. This chapter will not focus on all aspects
of privacy, but will only deal with the aspect that protects personal information of the data subject.
7
Constitution of the Federal Republic of Nigeria 1999, s 34. The right to dignity of the person is
very important in privacy discussions. In some jurisdictions such as Germany, the right to free
development of one’s personality and the right to human dignity have been used to explain and
expand the right to privacy to include “the right to informational self-determination”. See BVerfGE
65, 1 – Census Cases; Killian, ‘Germany’ (2010).
3 Information Privacy in Nigeria 47
cases on privacy right in Nigeria have not shown this relationship. International law
could also create privacy rules in Nigeria. For instance, the ECOWAS Supplementary
Act A/SA.1/01/10 on Personal Data Protection 2010, which Nigeria signed, imposes
certain obligations on the Nigerian State, and it remains to be seen how these will be
transposed into domestic rules that are enforceable in the national legal system.
From a broader perspective, privacy as a legal term is not defined in the Nigerian
Constitution. It is common knowledge, however, that privacy as a concept has more
than one interpretation, and often means different things in different contexts. In
addition, each individual or group is entitled to different expectations of what constitutes
an invasion of privacy. As such, a good number of definitions of the concept
exist. Clarke (2000)8 for example, sees privacy as “the interest that individuals have
in sustaining a ‘personal space’, free from interference by other people and organisations”,
and further suggests that this interest has at least three dimensions: privacy
of the person9; privacy of personal behaviour10 and information privacy.11
Other authors suggest a different definition and dimension.12 But irrespective of
these conceptual differences, this chapter will focus on information privacy in
Nigeria, that is, the aspect of the law that regulates how personal information is collected,
processed, accessed, shared and stored by others.13 Personal information
refers to any information relating to an identifiable person, that is, one who can be
identified, directly or indirectly, in particular by reference to an identification number
or to one or more factors specific to his or her physical, physiological, mental,
economic, cultural or social identity.14
Information privacy is not well developed in the Nigerian legal system despite
the fact that the Nigerian Constitution provides for a right to privacy and a right to
respect for the dignity of the person. This state of affairs may be understood from
the judicial, socio-cultural, political, technological and economic contexts in which
(information) privacy discussions take place in the country. While there are cases
showing judicial attitudes toward violation of bodily privacy and invasion of private
homes,15 there seems to be no authority on information privacy or personal data
8
Clarke, ‘Beyond the OECD Guidelines: Privacy Protection for the 21st Century’ (2000).
9
This is concerned with the integrity of the individual’s body.
10
This relates to all aspects of behaviour, especially to sensitive matters, such as sexual preferences
and habits, political activities and religious practices, both in private and in public places.
11
This is the interest that individuals have in controlling, or at least significantly influencing, the
handling of data about themselves. Clarke merged privacy of personal communication and privacy
of personal data together in his updated version of the article. Later in 2013, he added another
dimension, the privacy of personal experience. See <http://www.rogerclarke.com/DV/Intro.html>
accessed 8 October 2016.
12
DeCew, ‘Privacy’ The Stanford Encyclopedia of Philosophy (2015).
13
The words “data protection” and “information privacy” are used interchangeably and they are
intended to mean the same thing for the purposes of this chapter.
14
See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on
the protection of individuals with regard to the processing of personal data and on the free
movement of such data.
15
See: Ransome-Kuti v Att-Gen of the Federation & Ors (1985) 16 NSCC (Pt. 1) 879; Cletus Madu
v Neboh & Anor (2002) 2 CHR 67; Aliyu Ibrahim v Commissioner of Police (F.C.T Command)
(2007) LPELR-CA/A/115/05.
48 I.S. Nwankwo
protection that would help to concretise this aspect of the constitutional right. The
simple reason may be that no such cases have been brought to court, or that elements
of information privacy in the cases are deemphasized or not even alluded to
during proceedings due to the lack of understanding of its contours in litigation.
In the socio-cultural sphere, traditional Nigerian societies were more concerned
with social cohesion than individual seclusion, and this meant to an extent
that issues of individual privacy rarely existed.16 However, in modern times as will be
shown below, a few instances of public agitations against informational privacy
threats or violations have been recorded. This lukewarm attitude to information privacy
is also witnessed in the political arena, where events that could have generated
political debates went unnoticed. It is not surprising then that there is no specific
information privacy legislation in Nigeria; indeed, a bill to achieve this has been in
the Parliament since 2010, but is yet to be passed into law.17
From a technological perspective, the general attitude to and understanding of
information privacy in Nigeria also remain poor. With reference to the early days of
computers in Nigeria, Kusamotu (2007) attributes this poor attitude to the low level
of personal computer (PC) penetration and data processing that occurs only within
a small segment of the population.18 But in spite of the increase in the number of
PCs, smartphones and tablets nowadays, attitudes to privacy seem not to have
changed. Perhaps due to the lack of an overarching regulatory framework19 for the
management and processing of personal data by government and private organisations,
the economic activities of those who exploit and use personal data for their
daily business have thrived. At best, only some form of self-regulation by organisations
such as banks, website owners, online commercial firms, etc., exists. However,
the enforcement of such self-imposed obligations has been ineffective.
On the other side though, some organisations are concerned about the economic
risk of an uncertain regulatory framework in the country, as this could affect their systems
when radical legislation comes into force.20 This has led to various calls for the
enactment of balanced information society legislation such as data protection law,
16
Allotey, Data Protection and Transborder Data Flows: Implications for Nigeria’s Integration
into the Global Network Economy (2014).
17
See Data Protection Bill 2010, (HB 276, HB 45).
18
Kusamotu, ‘Privacy Law and Technology in Nigeria: The Legal Framework will not Meet the
Test of Adequacy as Mandated by Article 25 of European Union Directive 95/46’ (2007). See also
Azeez, ‘Boosting Computer Penetration in Nigeria’ National Mirror (2013).
19
Obutte, ‘ICT Laws in Nigeria: Planning and Regulating a Societal Journey into the Future’
(2014).
20
Recently, the NCC slammed a fine of about 5.3 million dollars on MTN for violating the
Registration of Telephone Subscribers Regulation 2011. This came as a surprise to many as such
fines have never been imposed before in Nigeria. See BBC, ‘Nigeria Telecom Giant MTN Fined a
Record $5.2bn’ (2015).
electronic commerce law, cyber security law, etc., to protect businesses and to provide
clear rules on how to run information society services in the country.21
As earlier indicated, only a few instances of public agitation against informational
privacy threats or violations have been recorded in recent times by the media. In
2003, some politicians opposed the national identity card scheme on the ground that
the scheme would be used to cross-check other population records such as the voters
roll, and therefore could lead to the marginalization of a section of the population.22
The year 2010 and beyond saw similar opposition across the country as a result of
the compulsory registration of mobile phone SIM cards as demanded by the Nigerian
Communication Commission (NCC) following the issuance of the Registration of
Telephone Subscribers Regulation.23 Opponents of the registration exercise argue
that it will lead to surveillance and grave violations of information privacy, more so,
as the country is yet to enact a comprehensive data protection law. Although the
NCC went ahead with the scheme, the impact of the opposition to it led to an amendment
of the regulation to include a concrete pronouncement on privacy protection.24
Similar agitations have also followed the move by the National Identity
Management Commission (NIMC) to use a private firm in capturing data for the
national identity database and NIMC’s partnership with Visa Card and Master Card
so that the identity card could be used for payment purposes.25 Recently, the Central
Bank of Nigeria (CBN) issued a policy directive requiring that a single identifier
Bank Verification Number (BVN) be given to every bank customer in Nigeria.26 The
scheme will involve obtaining biometric information from every bank customer so
that fragmented bank details of individuals (in different banks) will be linked up in
the BVN database.27 This exercise prima facie raises important information privacy
and data security issues. Moreover, commentators have asked why biometric
information already in the NIMC database should be duplicated. It is in fact being alleged
that the CBN and the NIMC are at loggerheads over who should control the BVN
database.28 Against this background, one NGO, the Paradigm Initiative Nigeria
(PIN) has petitioned the CBN governor to suspend the scheme until a legal
framework for data protection is put in place in Nigeria,29 and this seems to have
been ignored.
On the individual level, there seems to be little motivation to pursue redress of
information privacy violation through the courts. Public reactions when such incidents
happen are always mixed: ranging from those who blame the victim to those
21
Nwokpoku, ‘E-Commerce - Nigerians Decry Dearth of Legislations’ (2015); Olangunju,
‘National e-ID card: Data Protection for Nigerians Must be Top Priority’ (2014).
22
BBC, ‘Protests over Nigerian ID scheme’ (2004).
23
Nwankwo, ‘Nigeria’s SIM Card Registration Regulations 2010: The Implications of Unguarded
Personal Data Collection’ (2010).
24
Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations
2011.
25
Olangunju (n 21).
26
http://www.bvn.com.ng/BVN_FAQ.pdf
27
Onalaja, ‘The Problem with Nigeria’s Bank Verification Number Exercise in 14 Tweets’ (2015).
28
Ibid.
29
PIN Admin, ‘PIN writes CBN, Calls for Suspension of Bank Verification Number (BVN)
Exercise’ (2015).
who believe that seeking judicial redress will worsen the matter. A good instance
was the publication of nude pictures of Anita Hogan, a celebrity in the Nigerian
movie industry, by the PM News.30 Amidst the public reactions, ordinarily, one
would have expected that such a popular incident would result in litigation, not only
because the pictures were illegally obtained,31 but also because the PM News had
violated the Code of Ethics for Nigerian Journalists.32 Such a violation by a news
medium, if not judicially addressed, might encourage others to do the same. But this
was not the case as the victim decided to forgive those who perpetrated the act and
not to pursue any legal remedy against them.33
It is admitted though that there have been some remarkable efforts at reforming
information privacy law in Nigeria such as the publication of the National IT Policy
in 2001 and the submission of various bills to the Parliament that address data protection
and information security wholly or partially. These include: the Data
Protection Bill 201034; the Electronic Transaction (Establishment) Bill 201335;
Cyber Security and Data Protection Agency (Establishment, etc.) 2008,36 among
others.37 Recently, the Cybercrime Act 2015 was signed into law which should
assist in information privacy protection.38
There are also regional and sub-regional treaties on the subject of information
privacy that Nigeria has participated in drafting. Within the West African sub-region
for instance, Nigeria participated in the adoption and has indeed signed the
ECOWAS Supplementary Act on Personal Data Protection in 2010,39 which by virtue
of its Article 48 is an integral part of the ECOWAS Treaty. Nigeria also participated
in the adoption of the African Union Convention on Cybersecurity and
Personal Data Protection in 2014.40 The Convention will require accession by fifteen
states before coming into force, and so far, only eight African Union member
states have ratified it, excluding Nigeria. It has to be stressed however that Nigeria
operates a dualist system where international treaties do not apply locally until they
are domesticated by the Nigerian Parliament as prescribed by section 12 of the
Nigerian Constitution.
The above efforts are commendable and in the right direction, although they
come too slowly, and in some instances, uncoordinated or inadequate. For instance,
a cybercrime bill that was submitted to the Parliament in 2005 saw a version of it
30
‘Nude Photographs: Anita Breaks Silence’ (2006).
31
The victim alleged that the pictures were obtained from her laptop which she sent for repairs.
32
Code of Ethics for Nigerian Journalists 1998.
33
(nn) ‘Interview: I’ve Forgiven the Man who Published My Nude Pictures –Anita Hogan’ (2012).
34
HB 276, HB 45.
35
SB 248.
36
HB 154.
37
It should be noted that while this chapter was in progress, these Bills which were introduced in
the last legislative assembly (the 7th Assembly) lapsed. Unless they are reintroduced in the 8th
Assembly in accordance with the standing orders of either the Senate or the House of
Representatives, they are not presumed to be before the Parliament.
38
Cybercrime (Prohibition, Prevention, etc) Act 2015.
39
ECOWAS Supplementary Act A/SA. 1/01/10 on Personal Data Protection 2010.
40
EX.CL/846(XXV).
passed into law after 10 years.41 Furthermore, the Data Protection Bill 2010, as will
be discussed further below, appears to have been submitted in haste, and has been
criticized for its substandard quality when compared with similar legislation.42
Recent statistics have shown a sustained growth in the Nigerian ICT sector.43
Although PC penetration has not been remarkably high, most Nigerians now access
the Internet through their mobile phones.44 The second quarter 2014 ranking of
Internet usage places Nigeria first in Africa, recording slightly above 70 million
users and representing about 23.6 per cent of all African users.45 This trend is also
evident in the rapid evolution of platforms for online shopping, online banking,
e-learning and e-government in the country. There has equally been a consolidation
of Internet service providers with about 100 of them in 2015.46
Historically, as noted earlier, traditional Nigerian and indeed, African societies
did not emphasize individual privacy in the Western-style sense, and this arguably
has played a significant role in shaping the privacy discussions in the present society.
The communal culture of the various ethnic groups in Nigeria largely meant
that a greater emphasis has been laid on social cohesion than individuality.47 In such
circumstances, it seems that potential conflict with the common good of the community
is always coercively kept in check by the authority of the elders.48 Preference
is thus given to communal protection over individual privacy protection, unlike
Western-style privacy that seeks to set boundaries between the individual and other
members of the community. Little or no discussion could be found in the Nigerian
or African setting where agitation for such individual seclusion has been forcefully
canvassed. This may largely account for the omission of a right to privacy in the
African Charter on Human and Peoples’ Rights.49
One other possible reason for the present limited discussion on informational
privacy issues in Nigeria may be the rapid manner in which ICT development and
41
See the Computer Security and Critical Information Infrastructure Protection Bill 2005, SB 254,
and the Cybercrime Act 2015.
42
Makulilo, ‘Nigeria’s Data Protection Bill: Too Many Surprises’ (2012).
43
Ogundeji AO, ‘Tech, Telecom Contribute 10 Percent of Nigeria’s GDP, ICT Minister Says’; (nn)
‘ICT Sector at 53: Tremendous Growth, Poor Services’ (2013).
44
Matinde, ‘Africa: Tech Trends for 2015’ (2014).
45
<http://www.internetworldstats.com/stats1.htm> accessed 20 January 2015.
46
Budde, ‘Nigeria – Broadband Market and Digital Economy – Insights and Statistics’ (2015).
47
Allotey (n 16), 147–156.
48
Ibid.
49
For detailed discussion on African culture and privacy, see Makulilo, ‘Privacy and Data Protection
in Africa: A State of the Art’ (2012); Makulilo, ‘Myth and Reality of Harmonisation of Data
Privacy Policies in Africa’ (2015).
influx have occurred in both Nigeria and all over Africa. Perhaps, the overwhelming
nature of the applications of ICT devices and infrastructure during the early stages
of their arrival made it seem unimportant to start any meaningful discussion as to
whether the preconditions for their use have been put in place, or as to how to
respond to their repercussions in case things go wrong as seen in the European history
for instance.
It is admitted that Europeans may have some historical, philosophical and technological
reasons for their stance on privacy, but the privacy issues we face today
are more or less the same globally, especially with rapid innovations in the ICT
sector. Unlike the debate that surfaced in the Western World when the earliest uses
of computers in public administration emerged (amidst fear that such technology
could increase government surveillance), African states merely imported ready-made
computers without opposition, and in some cases without public awareness of
the transformations occasioned by such devices. The results of those Western
debates, for instance, led to the first national data protection law in Sweden in 1973,
followed swiftly by other neighbouring states such as Germany in 1977; France,
Denmark and Austria in 1978.50
For example, when full body scanners were installed in Nigerian airports,51 literally
no one considered the privacy implications of such technologies while the same
policy saw serious debate and even litigation in some Western countries.52 Similarly,
in order to forestall the privacy risks of using RFID tags, the European Commission
issued a recommendation that a privacy impact assessment must be carried out by
certain organisations using such technology before they are deployed.53 This shows
how seriously privacy concerns are taken in such societies.
The above remarks do not mean that it is only in the Nigerian traditional society
that the concept of privacy is unknown,54 or that Nigerians do not value their privacy,
or have not realized that information privacy is now threatened more than ever
by technological advances such as cloud computing, massive databases of mobile
phone users, digitized national identity record, etc. On the contrary, Nigerians rather
seem uncertain of what to do to control how information about them is processed by
others, especially in the absence of a legal framework that clearly defines roles and
responsibilities, and prescribes penalties for violation. This is where the legislative
bridge that would have transitioned information privacy to the modern Nigerian
society seems to be lacking.
50
See Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United
States (1992).
51
Starr, ‘U.S. Paid for Full-Body Scanners at Nigeria’s Four International Airports in 2007’ (2010).
52
Electronic Privacy Information Center, ‘Whole Body Imaging Technology and Body Scanners
(“Backscatter” X-Ray and Millimeter Wave Screening)’ (nd).
53
European Commission, Commission Recommendation on the Implementation of Privacy and
Data Protection Principles in Applications Supported by Radiofrequency Identification (2009/387/EC).
54
The Chinese traditional society for example, also lacked the concept of privacy, but some local
challenges arising from abuses in e-commerce and marketing have necessitated the evolution of
information privacy framework in China today. See Treacy, ‘Expert Comment’, Privacy and Data
Protection (2014).
A good number of public institutions in Nigeria collect, process and store personal
data in the course of executing their functions. Unfortunately, legislation
establishing these institutions did not make adequate provisions for information
privacy protection, thereby increasing the vulnerability of these data. This is one of
the factors that led the U.S. Chamber of Commerce to score Nigeria 9.81 out of 30
points in its 2015 International IP Index, placing the country 25th out of the 30
assessed.55 The lack of regulatory terms for data protection of clinical data submitted
for market registration application to agencies such as the National Agency for
Food and Drug Administration and Control (NAFDAC) was cited as contributing to
this low rating.
Other examples could be cited: the National Population Act 1989 tasks the
National Population Commission to “establish and maintain a machinery for continuous
and universal registration of births and deaths, throughout the Federation”,56
but no provision is made on how to protect this database. The National Identity
Management Commission Act (NIMC) 2007 which created a national database for
identification purposes provides that: full name; other names by which the person is
or has been known; date of birth; place of birth; gender; the address of the individual’s
principal place of residence in Nigeria; and the address of every other place in
Nigeria where the individual has a place of residence may be recorded in a registered
individual’s entry in the database.57 Again, data protection principles were not
enshrined in the legislation and no concrete provision is made for information privacy
and data security, except to make it an offence to unlawfully disclose or access
personal information in the national database. Other legislation dealing with the
processing of personal data such as the Immigration Act 1990, the Federal Road
Safety Commission Act 2007, the Independent National Electoral Commission Act
2010, the Insurance Act 2003, etc., also lack information privacy and data security
frameworks.
The financial sector is worthy of mention here, where personal data is constantly
processed by banks and other financial institutions under very weak, or even no,
concrete information privacy law to protect customers. At least, the Central Bank
of Nigeria Act and the Banking and Other Financial Institutions Act (BOFIA) do
not have provisions in this regard. With the introduction of cashless transactions and
online services including e-commerce, e-banking, etc., more personal data are likely
to be processed and stored by financial and other institutions, and in the absence of
information society laws, the potential risks of data breach and cyber criminality are
significantly heightened.58
Apart from the federal laws, a number of state laws also require citizens to pro-
vide personal data such as in land registration or for tax purposes without concrete
55
GIPC, Unlimited Potential (2015).
56
National Population Act 1989, s 6.
57
See the 2nd schedule to the NIMC Act 2007.
58
It is noteworthy that the CBN recently published a draft Consumer Protection Framework
(Version 3.0) in July 2015 which includes Protection of Consumer Assets and Privacy as one of the
nine consumer protection principles. The draft framework among other things, provides that personal
information of customers of financial operators shall be kept in confidence, and imposes a
duty of care on the operators to safeguard such data.
data protection provisions. This lack of a comprehensive data protection law both at
the federal and state level means that little or no informational privacy is guaranteed
to the data subjects despite their constitutional right to privacy.
Although the current state of information privacy is thus fairly gloomy, there are
however prospects that, with the rapid increase in online transactions, agitations by
consumers about the misuse of their personal data in marketing and e-commerce
contexts will catalyze a legal reform.59 This is for example seen in the proposed
Electronic Transaction (Establishment) Bill 2013, and the clamour from local businesses
with an online presence for a legal framework that would boost their global
competitiveness in the area of data processing.60 As new cloud data centres are
springing up in Nigeria,61 one may also expect pressure to mount on the government
to introduce serious data protection reform.
The Nigerian Constitution provides for the protection of privacy in general as follows:
“The privacy of citizens, their homes, correspondence, telephone conversations
and telegraphic communications is hereby guaranteed and protected.”62
However, as noted earlier, the Constitution does not define the term privacy, and
neither the Constitution nor any other statute provides for the manner in which this
privacy of citizens is to be guaranteed, leaving that aspect open. Thus, as Nwauche
(2007) suggests, this could lead to a number of possible interpretations.63 One
such interpretation could be that the Constitution provides a general right to
vacy of citizens as well as the specific context in which it is applicable – limiting it
to activities related to their homes, correspondence, telephone conversations and
telegraphic communications.64 If this interpretation is correct, it may well be that the
privacy provision of the Constitution is more limited than previously thought. For
instance, if in the context of religious activities, personal information is unlawfully
processed, could the data subject successfully bring a claim for the enforcement of
his or her right as such activity is not covered under section 37 of the Constitution?
So far, no judicial pronouncement has been made to interpret this aspect of the privacy
right.
59
Nwokpoku ‘E-commerce: Nigerians Decry Dearth of Legislations’ (2015).
60
Adepetun ‘ICT to Witness Huge Growth in Nigeria, Two Others in 2015’ (December 2014).
61
‘West Africa Sees Launch of Largest Data Center’ (2015).
62
See Constitution of the Federal Republic of Nigeria 1999, s 37.
63
Nwauche, ‘The Right to Privacy in Nigeria’ (2007).
64
Ibid.
Apart from the issue of scope, another possible interpretation of the above provision
could be that it is so broad as to cover all aspects of privacy. In this respect, the
use of the phrase “privacy of citizens” could imply every aspect or dimension of
privacy irrespective of whether they are enumerated in section 37 or not. This could
be gleaned from the Supreme Court ruling in Medical and Dental Practitioners
Disciplinary Tribunal v Okonkwo where the court observed that:
The patient’s constitutional right to object to medical treatment or, particularly, as in this
case, to blood transfusion on religious grounds is founded on fundamental rights protected
by the 1979 Constitution as follows: (i) right to privacy: section 34; (ii) right to freedom of
thought, conscience and religion: section 35. All these are preserved in section 37 and 38 of
the 1999 Constitution respectively. The right to privacy implies a right to protect one’s
thought, conscience or religious belief and practice from coercive and unjustified intrusion;
and, one’s body from unauthorised invasion.65
This shows that the court is willing to locate any aspect of privacy within this
omnibus provision as seen in other jurisdictions. As such, the enumerations in section
37 could simply represent a non-exhaustive example of dimensions of privacy.
For example, the activities relating to “correspondence, telephone conversations
and telegraphic communications” as listed in section 37 could be seen as non-exhaustive
examples of informational privacy. The mention of activities in “[citizens’]
homes” is capable also of covering many scenarios – bodily or behavioural
privacy, intrusion against seclusion or solitude and information privacy. This interpretation
seems more plausible in view of the fact that no high-level instruments
including the European Convention on Human Rights have defined privacy.66
Perhaps, this is to allow the concept to be applied in a flexible way by the courts in
consideration of social changes.
The above notwithstanding, a critical look at the wording of section 37 indicates
that it has various limitations. First, the right to privacy as provided in this section
appears to be applicable only to Nigerian citizens.67 Although Kusamotu (2007)
argues that non-Nigerians could invoke the provisions of the African Charter on
Human and Peoples’ Rights, which discountenances discrimination, to claim their
privacy right, it is debatable to what extent such international law could override the
Nigerian Constitution.68 It is our view that the Constitutional provision is too restrictive
in its wording, at least politically; excluding resident foreigners from benefiting
from the right to privacy in Nigeria may be indicative of a lack of adequate protection
of personal data.69 In particular, it may be contrasted with the more accommodating
approach adopted in the EU Data Protection Directive, which stresses that:
65
(2002) AHRLR 159 (NgSC 2001). Italics are mine for emphasis.
66
European Convention of Human Rights, art 8.
67
Kusamotu (n 18) 154; Allotey (n 16), 170.
68
Kusamotu (n 18) 154.
69
Article 10 of the German Basic Law provides “The privacy of correspondence, posts and
telecommunications shall be inviolable.” It does not limit it to German citizens only.
“data processing systems are designed to serve man; […] they must, whatever the
nationality or residence of natural persons, respect their fundamental rights and
freedoms, in particular, the right to privacy”.70
Even though no judicial pronouncement is found on the scope of privacy right in
the Constitution vis-à-vis its application to foreign residents, applying the black letter
of section 37 may have a number of implications. First, it will be difficult for
foreign nationals in Nigeria to seek judicial redress for a breach of privacy in spite
of the fact that they are required to disclose their personal information under the
NIMC Act for example.71 Second, it will be difficult to attract foreign investment in
the data processing industry in Nigeria such as enterprises hosting large cloud data
centres. European data controllers, for example, may not be willing to use Nigerian
data processors in the absence of other safeguards, as section 37 of the Constitution
will fall short of the adequacy protection envisaged by the EU Data Protection
Directive.72
Another important factor to consider regarding the constitutional provision on
privacy is that the right is not absolute; it could be limited by any other law – federal
or state, “in the interest of defence, public safety, public order, public morality or
public health; or for the purpose of protecting the rights and freedom of other persons”
if such law “is reasonably justifiable in a democratic society”.73 It is not surprising
to see such a limitation in other jurisdictions.
Besides the above limitations, the cost of enforcing human rights in Nigeria is
too high for the ordinary citizens since only the High Courts have jurisdiction to
hear such cases.74
It is surprising that despite the constitutional guarantee of the right to privacy and a
plethora of public institutions that require individuals to provide their personal
information, no statutory law has been specifically enacted to give effect to this right
and enumerate its application to information privacy. However, despite this lack of
an overarching statutory enactment, some federal laws have attempted to reflect
data protection principles albeit incoherently as will be shown below.
70 Data Protection Directive, Recital 2.
71 National Identity Management Commission Act 2007, s 16.
72 Kusamotu (n 18).
73 See Constitution of the Federal Republic of Nigeria 1999, s 45.
74 Constitution of the Federal Republic of Nigeria 1999, s 46.
75 Federal Republic of Nigeria Official Gazette No. 84, Vol. 74 10 July 2007.
76 Ibid, s 35.
addressed to all NCC licensees and any other provider of communication services
in Nigeria.77 More importantly, there has not been any robust mechanism deployed
by the NCC to enforce this regulation. It merely serves as a platform for self-regulation
which has not produced any significant result as telecommunications
consumers have been lamenting about data abuse and other violations by their service
providers.78
The second important regulation by the NCC that refers to section 37 of the
Constitution is the Registration of Telephone Subscribers Regulation 2011.79 One of
the rationales for this Regulation according to the Commission is “to assist security
agencies in resolving crimes and by extension to enhance the security of the state”.80
The initial version of the Regulation was opposed by many commentators for lacking
privacy safeguards, and following such agitations it was amended to include the
following data protection principles: data subjects’ rights of access and rectification,
principles of confidentiality, data retention, data security and access restriction.81
However, as the main purpose of the regulation is to curb crime, personal information
of subscribers could be transferred to public security agencies for law enforcement
purposes.
One condition for such transfer is that prior written request, which shall include
the purpose of access, must have been received by the NCC from an official of the
relevant security agency who is not below the rank of an Assistant Commissioner of
Police or a coordinate rank in any other security agency. Furthermore, international
transfer of the SIM registration data is forbidden, and there are penal sanctions for
licensees who violate the provisions of the Regulation. It was recently revealed that
the NCC slammed MTN with a fine of 5.2 billion US dollars for non-compliance
with a deadline set by the NCC to disconnect all non-registered SIM cards.82
It has to be stressed however that the objective of this Regulation has turned out
to be futile because there is no evidence to show that the spate of crime and insecurity
in Nigeria has significantly decreased after the exercise.83 Rather, Nigeria has
witnessed incessant instances of alleged detonation of explosive devices using communication
equipment such as mobile phones, as well as many unsolved kidnapping
cases where telecommunications were used in perpetrating the act. It is yet to be
seen whether this recent enforcement move will change the tides in terms of compliance
and due protection of privacy rights in Nigeria.
77 See Part I Regulation 3 of the Consumer Code of Practice Regulation 2007.
78 Amzat, ‘Nigerian Telecoms Firms Frustrate Subscribers’ (2015); Okwuke, ‘Protecting Subscribers in Nigerian Telecoms Space’ (2015).
79 Federal Republic of Nigeria Official Gazette No. 101, Vol. 98, 7th November 2011.
80 NCC, ‘SIM Registration’.
81 Registration of Telephone Subscribers Regulation 2011, s 9(1).
82 BBC, (n 20).
83 Nwankwo (n 23).
84 Nigerian National Policy for Information Technology 2001.
85 Ibid.
86 NITDA Guidelines on Data Protection 2013. Note that the Electronic Transaction (Establishment) Bill 2013 also tasks the Agency to develop such guidelines. See section 25 of the Bill.
87 Ibid, s 1.
88 Ibid, s 3.
89 Ibid, s 4.
90 NITDA Guidelines for Nigerian Content Development in Information and Communications Technology (ICT) 2013.
91 Ibid, part 12.
92 Ibid, part 14.
93 Ibid, part 13.
94 Ibid, part 11.
95 NIALS, Abridged Report Identifying Gaps in Data Privacy and Security in the Adoption of Cloud Services in Nigeria (2014).
96 Freedom of Information Act 2011, s. 14 (1).
97 Ibid, s 14 (2) and (3).
also does not provide guidelines on how to balance the public interest against the
privacy of the individual data subject in the exceptional cases allowed by the Act.
As mentioned earlier, Nigeria inherited the common law system as a result of its
colonial ties with the United Kingdom. As such, decisions of English courts continue
to enjoy strong persuasive authority in Nigerian courts after independence.
However, while the English common law has advanced in a number of areas including
information privacy, Nigerian common law has not developed a coherent privacy
jurisprudence. As a result, scanty judicial pronouncements could be found in
this area of law.
Before delving into the Nigerian situation as it is now, it is noteworthy that historically,
English common law has no overarching recognition of a right to privacy
or tort of privacy. Only limited protection of certain aspects of informational privacy
98 Allotey (n 16).
99 Ibid, 158–161.
100 The Nigerian Postal Services Act, ss 28 and 29.
101 Evidence Act 2011, s 182 (3), 187.
102 Ibid, s 192.
was offered through the doctrine of breach of confidence, a variety of torts linked to
intentional infliction of harm to the person, and administrative law principles relating
to the appropriate use of police powers.103 The doctrine of breach of confidence
is however subject to the following requirements:
(i) the information must have the necessary quality of confidence about it,
(ii) the information must have been imparted in circumstances importing an obligation of
confidence,
(iii) there must be an unauthorised use or disclosure of that information to the detriment of
the party communicating it.104
With the introduction of the Human Rights Act in the UK in 1998 which incorporated
the European Convention on Human Rights (ECHR) into English law, the
doctrine of breach of confidence has expanded significantly. For example, article
8(1) of the ECHR provides for the right to respect for private and family life, and by
virtue of section 6 of the Human Rights Act 1998, English courts are required when
developing the common law to give effect to the rights in the Convention.105 This
is reflected in the relaxation of some of the conditions for maintaining a case for
breach of confidence. The courts have ruled, for instance, that there is no need to
show a pre-existing relationship of confidence in a claim for violation of the right to
privacy where private information is involved.106 Similarly, publication of private
material has been ruled to represent a detriment in itself, thereby extending breach
of confidence to private information irrespective of whether it is confidential or
not.107 Besides the Human Rights Act, the UK also has the Data Protection Act 1998
which implements the EU Data Protection Directive. Evidently, the situation in the
UK has substantially changed from the narrow traditional common law protection
of information privacy to a more expanded statutory protection.
Having stated the above, the pertinent question is how then has the Nigerian legal
system developed the common law doctrine of privacy, and specifically, information
privacy? Evidence from decided cases indicates that judicial pronouncements on
privacy such as bodily privacy, the privacy of the citizen’s home and human dignity
were based on the fundamental rights provisions of the Constitution.108 However,
some comments of a Lagos State High Court judge in Jimmy S. Olaghere v Portland
Paints and Production Nig Ltd and 2 others109 point in the direction of common
law protection of privacy. The claimant alleged that a picture of his personal and
family house was used to advertise the defendant’s brand of paint on a calendar
103 Markesinis et al, ‘Concerns and Ideas About the Developing English Law of Privacy (and how knowledge of foreign law might be of help)’ (2004).
104 Coco v AN Clark (Engineers) Ltd [1969] RPC 41, 47.
105 Markesinis, (n 103).
106 Ibid.
107 Ibid.
108 See: Ransome-Kuti v Att-Gen of the Federation & Ors (1985) 16 NSCC (Pt. 1) 879; Cletus Madu v Neboh & Anor (2002) 2 CHR 67; Jimmy S. Olaghere v Portland Paints and Production Nig Ltd and 2 others [2013] All FWLR (Part 661) 1593; INEC & 3 others v Action Congress and 3 others, and Muritala H. Nyako v Action Congress and 7 others [2009] 2 NWLR (Part 1126) 425.
109 [2013] All FWLR (Part 661) 1593.
without his consent. In deciding the case, the judge first considered the constitutional
right of privacy and stated:
There is no doubt that the constitutional right of the claimant has been invaded contrary to
section 37 of the Constitution […] The applicant has a right to be protected against intrusion
to his personal life and that of his family […] The claimant (sic) did not have the
consent to the use of the photograph of his house, the use of the photograph on Sandtex
Calendar cannot but be a breach of his privacy […].110
Surprisingly, the judge went further to state that the four branches of Prosser’s
classification of American torts of privacy,111 were violated, but did not elaborate on
how this common law applied. She stated:
[…] I do agree with the claimant’s counsel that the publicity has placed the claimant in false
light [, there was] intrusion upon the claimant’s seclusion or solitude, appropriation of the
claimant’s name or likeness and public disclosure of private facts about the claimant.112
It has to be stressed however, that in none of the above cases did the court consider
the common law doctrine of privacy. Although Nwauche (2007) opines “that
a comprehensive protection of information privacy can be achieved through a tort of
110 Ibid, 1614.
111 Prosser, ‘Privacy’ (1960). The judge cited page 65 of Nwauche’s article which discussed Prosser’s work.
112 [2013] All FWLR (Part 661) 1593, 1615.
113 [2009] 2 NWLR (Part 1126) 425, 618.
114 [2007] LPELR-CA/A/115/05.
115 Ibid, 38.
privacy that protects against intrusion as well as disclosure [….]”,116 such a view
arguably fails to grasp the uniqueness of information privacy when compared with
other aspects of privacy. Nwauche tends thus to see a breach of confidence as covering
every aspect of (informational) privacy as that was the context under which his
argument was based. However, although confidentiality is a concept that is related
to privacy, it is different from information privacy or personal data protection as
construed by the OECD guidelines and the European Data Protection Directive for
example. An obligation of confidence is generally owed by the recipient of information
to the provider of the information while information privacy concerns the right
of the subject of the information no matter who provided and who received the
information.117 Confidentiality is about controlling the disclosure of information,
while information privacy obligations are wider, encompassing in addition, processing,
collection, quality, security and disposal.118 The set of rules and principles
which accompany the collection and processing of personal data are clearly distinct
from what is protected by the torts of trespass or common law breach of confidence
as envisaged by Nwauche.
Evidently, apart from the facts in Olaghere’s case, it is difficult to analyse the
application of common law protection of information privacy in the Nigerian legal
system. It is not clear to what extent the Nigerian courts will be willing to expand the
English jurisprudence relating to breach of confidence to overcome the hurdles of
the common law requirements as stated above, or whether the courts will adopt the
American torts of privacy as seen in Olaghere. Contrary to Nwauche’s claim, supported
to an extent by Adeniyi (2014), who equally claims that the option of the
tort of negligence arguably provides a ray of hope for individual enforcement of
personal data protection in Nigeria,119 Allotey (2014) believes that it is still debatable
“whether the extension of the law of breach of confidence to protect information
privacy will fit the peculiar circumstances of the Nigerian environment”.120 He suggests:
“Rather than adopt the remedy of breach of confidence to address information
privacy issues, it is better to develop a proper statutory framework for the protection
of information privacy”.121 This is a pragmatic approach in our view, and such will
give Nigeria the opportunity of harnessing legal developments in other parts of the
world when creating its own privacy legislation.
116 Nwauche (n 63), 83.
117 Office of the Victorian Privacy Commissioner, Guidelines to the Information Privacy Principles (2011).
118 Ibid.
119 Adeniyi, ‘The Need for Data Protection Law in Nigeria’ (2014).
120 Allotey (n 16), 169.
121 Ibid, p. 170.
One of the objectives of the National IT Policy is to implement legal reforms by way
of developing data protection legislation in Nigeria. However, it took about 9 years
after its publication before the first data protection bill was submitted to the
Parliament.122 It should equally be noted that apart from the data protection bill of
2010, there are other bills before the Parliament that consider information privacy
protection or information security in part. Of all these bills, the Data Protection Bill
2010 and the Electronic Transaction (Establishment) Bill 2013 remain outstanding
and will be evaluated below.123
A Cybercrime Act has also recently been signed into law by the president in
2015.124 Although the Act partly purports to promote privacy right among its objectives,
no provision is included specifically addressing information privacy or elucidating
data protection principles.125 As such, it does not merit a review here, except
to say that it will assist in developing the Nigerian information society in the long
run.
The Data Protection Bill 2010 is the first bill that wholly focuses on data protection
in Nigeria.127 It appears to have passed the second reading and is currently before
the Committee on Interior.128 The bill originated from the House of Representatives
and was sponsored by Hon. Yakubu Dogara. It has only 11 sections,129 and has been
criticized for being too weak and substandard when compared with similar legislation
in Africa and beyond.130 A simple look at the bill will immediately bring out its
defects.
122 HB 476.
123 It seems however, that there was a proposal for a data protection bill which never made it to the Parliament that was the subject of a publication by the Article 19.org. See: ‘Nigeria: Personal Information and Data Protection Bill’ (2013).
124 Cybercrime (Prohibition, Prevention, etc) Act 2015.
125 See the long title to the Act and its section 1.
126 This Bill was introduced in the 7th legislative Assembly which just ended on the 29th May 2015 while this Chapter was in progress. According to the National Assembly Standing Orders it has lapsed and unless it is reintroduced in the present 8th Assembly, it is not deemed to be before the parliament.
127 This bill is cited as HB. 276, but appears to have another bill number in 2011 as HB. 45.
128 <http://www.placng.org/new/house-bills-charts.php?page=21> accessed 22 January 2015.
129 It was erroneously indicated that the bill has 12 sections on the cover page.
130 Makulilo (n 42).
The Scope of Application It is not clear what the scope of application of the bill
is: whether it covers both public and private entities. It is also not mentioned in the
bill whether it exempts data processing for public order and national security, as
well as processing by individuals for purely personal or household activities, which
is common in similar legislation. However, one thing that could be deduced from
the bill is that it only covers natural persons as data subjects.
Conditions for Data Processing One other fundamental flaw in the bill is its failure
to provide conditions for lawful processing of data. Such conditions would create
certainty as to how to process sensitive data as well as make room for exemptions
such as the use of data for research purposes. At face value, it is also not certain
to what extent consent is a condition for personal data processing in the bill.
Definitions Section 10 of the bill contains the definition of terms used therein.
However, a number of terms in the bill are either not defined, poorly defined or
defined but not mentioned in the main sections. For example, the term “sensitive
data” is defined but not seen in any part of the main text. Some of the definitions
seen in the bill, such as: ‘obtaining’ or ‘recording’, ‘using’ or ‘disclosing’, appear
meaningless. See the following definitions for example: “obtaining or recording, in
relation to personal data, includes obtaining or recording the information to be contained
in the data” and “using or disclosing, in relation to personal data, includes
using or disclosing the information contained in the data”.131
Furthermore, the bill neither mentions nor defines a “data processor”. Only a
data controller is addressed which is rather unfortunate because globally in the data
processing industry, heavy reliance is placed on the use of data processors. Not
defining who they are in the bill makes it lopsided and difficult to apply in practical
scenarios.
Data Protection Authority The bill fails to establish any data protection authority
to oversee its enforcement. Rather, it envisages a situation where an aggrieved data
subject will always approach the courts to seek redress. This may be a very costly
exercise in Nigeria and will potentially create a big challenge for the courts in terms
of adjudicating over every minor issue that could have been solved otherwise
through the administrative powers of a data protection authority.132
Data Protection Officers No provision is made for the controller to appoint a data
protection officer who would be responsible for compliance with the provisions of
the bill within the controller’s organisation.
131 Makulilo (n 42).
132 Data Protection Bill 2010, s 2 (10), 4 (2).
Data Controller – Processor Relationship As already noted, while the bill recognises
and defines a data controller, no such recognition exists for a data processor.
This seems to be a departure from the norms seen in similar legislation. Moreover,
the current trend is towards regulating the relationship between the data controller
and processor and making them both accountable to the data subjects and the regulatory
authorities, as seen in the draft Ugandan Data Protection Bill,133 and the proposed
EU Data Protection Regulation.134 Thus under the current EU Data Protection
Directive, data controllers are required to only engage data processors who provide
sufficient guarantees in respect of the technical security measures and organizational
measures governing the processing to be carried out, and must ensure compliance
with those measures.135 Furthermore, such relationship must be governed by a
contract or legal act binding the processor to the controller and stipulating in
particular, that the processor shall act only on instructions from the controller.
Therefore, it is our opinion that the bill should be amended to reflect this current
trend in data controller-processor relationship.
Rights of the Data Subjects The following rights were given to the data subjects
under the bill:
(i) Right of access to data;
(ii) Right to prevent processing likely to cause damage or distress;
(iii) Right to prevent processing for purposes of direct marketing;
(iv) Rights in relation to automated decision taking;
(v) Compensation for contravention of requirements stated in the bill;
(vi) Right to rectification, blocking, erasure and destruction of data.
These are the common rights of the data subject seen in similar legislation and
evoke no controversy, except to reiterate that there is a need for a data protection
authority that will aid the data subjects in enforcing these rights.
133 Ugandan Data Protection and Privacy Bill 2014.
134 Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) COM (2012) 11 final.
135 Data Protection Directive 95/46/EC, art 17.
Data Security The bill provides that appropriate technical and organisational
measures shall be taken by the data controller against unauthorised or unlawful
processing of personal data and against accidental loss or its destruction or damage.136
However, no specific interpretation or provision has been made to establish
what is meant by ‘appropriate technical and organizational measures’. This would
be relevant since, at the moment, no data security legislation exists in the
country.
Offences Under the Bill Section 8 of the bill makes it an offence for a person to
knowingly or recklessly, without the consent of the data controller, obtain or disclose
personal data; or procure the disclosure of such data to another person. A
person who offers to sell personal data is also guilty of an offence under certain
circumstances. There are, however, a number of defences in the bill which undermine
the strength of this part. One such defence is where the alleged offender acted
in the reasonable belief that he or she would have had the consent of the data controller
if the data controller had known of the obtaining. Such a defence is arguably
too broad and many offenders would tend to rely on it. Furthermore, the elements of
the offence created under section 9 of the bill (prohibition of requirement as to production
of certain records) appear very ambiguous. It is rare to see such offence in
similar data protection legislation.
In spite of these offences, Makulilo (2012b) has rightly suggested that the bill
will not fulfil the adequacy standard of the EU Data Protection Directive.137 In view
of the many defects seen in the bill, a reasonable conclusion would be that it was
drafted without sufficient expert consultation and as such, represents a lost
opportunity in harnessing experience that already exists in this area of law.138 This
may also explain why the bill has been in the Parliament for 5 years without any
concrete progress. One may even assume that it has died a natural death, or that the
Electronic Transaction Bill 2013 was submitted to correct some of its defects. In
any case, we recommend that the bill receives a total overhaul in terms of its structure
and content.
136 Data Protection Bill 2010, s 1(3).
137 Makulilo (n 42).
138 It appears that nobody listened to Nwauche’s advice when he suggested that “the undeveloped nature of privacy protection in Nigeria may be a blessing in disguise as it could enable the synthesis of the content of the protection by reaching out to other legal traditions and legal systems in order to ensure that privacy receives adequate protection”. Nwauche (n 63) 68.
This bill originated from the Senate and was sponsored by Senator Bassey Edet
Otu.140 It was submitted in 2013 and passed through the first reading in February
2013.141 The bill has the objectives of providing a legal and regulatory framework
for: conducting transactions using electronic or related media; the protection of the
rights of consumers and other parties in electronic transactions and services; and the
protection of personal data and facilitation of electronic commerce in Nigeria.142
Although it only partially considers data protection, it seems richer in content and
more coherent in structure than the Data Protection Bill 2010, and appears to be
modeled after the EU Data Protection Directive.
The Scope of Application The bill applies to personal data processed wholly or
partly by automated means, as well as data which form part of a filing system that
is not processed by automated means. Data processed in the course of activities
concerning public safety, defence, national security, law enforcement, intelligence,
criminal justice and data processed in the course of personal or domestic activities
are excluded from the bill.143 Parties can also exclude the application of this bill by
express agreement.144 Its scope is also limited to data in electronic media, which
means that paper-based systems are not covered by the bill.
Conditions for Processing Data The bill also provides conditions under which
personal data processing will be lawful. These include: where the data subject has
given consent; where data is processed for the performance of a contract; for compliance
with any legal obligation to which the data holder is subject; in order to
protect the vital interest of the data subject; and for public interest and good
governance.145
139 This Bill was introduced in the 7th legislative Assembly which just ended on the 29th May 2015 while this Chapter was in progress, and was not concluded. According to the National Assembly Standing Orders it has lapsed and unless it is reintroduced in the present 8th Assembly, it is not deemed to be before the parliament.
140 There is a similar bill before the House of Representatives which does not include provisions for data protection. See Electronic Transaction Bill 2011, HB 03.
141 <http://www.placng.org/new/senate-bills-charts.php?page=5> accessed 25 January 2015.
142 Electronic Transaction (Establishment) Bill 2013, s 1.
143 Ibid, s 17.
144 Ibid, s 5.
145 Ibid, s 18.
accuracy principle; retention principle. In addition, the issue of rights of the data
subjects and international data transfer are addressed.
Sensitive Data Special provision is made for the processing of sensitive data, that
is personal data revealing racial or ethnic origin, political opinion, religious or philosophical
beliefs, trade union membership and data concerning health or sexual
orientation. In essence, processing of such data is prohibited unless certain conditions
as stipulated under section 19 of the bill are met. There are exemptions to this
rule such as where the processing is required for the purposes of preventive medicine,
medical diagnosis, healthcare or treatment services, and where the data is processed
by health professionals who are subject to professional secrecy. However, no
consideration is given for research in the exemptions as seen in similar legislation.
Rights of the Data Subjects The following rights were given to the data
subjects:
(i) Right to information about personal data processed;
(ii) Right to prevent processing for purposes of direct marketing;
(iii) Rights to compensation for contravention of requirements stated in the bill.
However, it is not clear why other essential rights such as the right to rectification,
erasure, or knowledge of the logic involved in any automatic processing of data
were omitted.
International Data Transfer Similar to the Data Protection Bill 2010, this bill
forbids the international transfer of data unless the recipient country ensures an
adequate level of personal data protection. Again, however, no criteria for assessing
this adequacy level are provided in the bill, and it is difficult to ascertain who will
make this assessment and how it will be made.
Data Security Section 23 of the bill is dedicated to data security and is modelled
after the EU Data Protection Directive. It places an obligation on the data controller
to implement appropriate technical and organizational measures and to exercise reasonable
care to protect personal data against accidental or unlawful destruction or
accidental loss and against unauthorized alteration, processing, disclosure or access,
in particular where the processing involves the transmission of data over a network,
and against all other unlawful forms of processing. The criteria for assessing these
measures include the state of the art and the costs of implementing such security
measure in relation to the risks posed by the processing and the nature of the data to
be protected.
access to personal data, shall not process such data except on instructions from the
holder unless he is required to do so by law.”146 It goes on to state that the data holder
must only use a processor who provides sufficient guarantees in respect of data
security and must ensure compliance with that requirement.147
Regulatory Authority The bill does not establish any regulatory authority for the
enforcement of its provisions, rather, it provides that the NITDA may in consultation
with any appropriate regulatory body, develop rules and guidelines for data
protection in Nigeria.148
In general, the Electronic Transaction Bill 2013 in our view contains a more
comprehensive provision of information privacy than the Data Protection Bill 2010,
in spite of lacking some elements such as the establishment of a regulatory body. We
believe it is better structured and contains the essential rules also seen in similar
legislation.
As mentioned earlier, Nigeria has actively participated in the negotiation and drafting
of two instruments on the subject of data protection. The first is the ECOWAS
Supplementary Act A/SA. 1/01/10 on Personal Data Protection in 2010. The
Supplementary Act is meant to provide a harmonized legal framework for data protection
within the West African sub-region, and to fill the legal vacuum in the
national laws of the member states. It requires member states to enact legislation to
regulate the collection, processing, transmission, storage and use of personal data
within each member state. This will at the same time facilitate the free movement of
personal data within the community. Nigeria has signed the Supplementary Act
which requires that upon publication in the official journal of the community and
official gazette of each member state it becomes enforceable. There is no evidence
that Nigeria has published the Supplementary Act in its official gazette. However, it
has to be pointed out that by making the Supplementary Act an integral part of the
ECOWAS Treaty, there is an obligation on ECOWAS member states to implement
it, and sanctions could be meted out against any state that fails to do so.
The second important development in Africa to which Nigeria contributed is the
adoption of the African Union Convention on Cybersecurity and Personal Data
Protection in 2014. The inclusion of personal data protection in chapter II of the
Convention means that state parties who accede to and ratify the Convention are
committed to establishing a legal framework for data protection. This will include
146 Ibid, s 22.
147 Ibid, s 20.
148 Ibid, s 25.
3.7 Conclusion
Acknowledgment The author wishes to immensely thank and acknowledge the assistance rendered
by the following persons in completing this Chapter: Marc Stauch, Nikolaus Forgó, Mbonu
Ifegwu, Charles Obutte, Chukwunyere Izuogu and Cosmas Emeziem.
References
Allotey A (2014) Data Protection and Transborder Data Flows: Implications for Nigeria’s
Integration into the Global Network Economy, Thesis submitted in accordance with the
requirements for the degree of Doctor of Laws University of South Africa
Obilade, AO (1979) The Nigerian Legal System, Sweet and Maxwell, London
Obutte, P (2014) ‘ICT Laws in Nigeria: Planning and Regulating a Societal Journey into the
Future’, Potchefstroom Electronic Law Journal, PER/PELJ 419, 439. Available from:
<http://www.ajol.info/index.php/pelj/article/view/103251> [22 November 2014]
Bennett, C (1992) Regulating Privacy Data Protection and Public Policy in Europe and the United
States, United States Cornell University Press
149
< http://www.au.int/en/sites/default/files/treaties/29560-sl-african_union_convention_on_
cyber_security_and_personal_data_protection.pdf>.
3 Information Privacy in Nigeria 73
Clerke R (2000) Beyond the OECD Guidelines: Privacy Protection for the 21st Century < http://
www.rogerclarke.com/DV/PP21C.html>
Clerke R (2013) Introduction to Dataveillance and Information Privacy, and Definitions of Terms,
<http://www.rogerclarke.com/DV/Intro.html>
Kusamotu A (2007) Privacy law and technology in Nigeria: the legal framework will not meet the
test of adequacy as mandated by article 25 of European Union directive 95/46, Information &
Communications Technology Law, Vol. 16, Issue 2
Killian, W (2010) ‘Germany’ in Rule, J and Greenleaf, G (eds) Global Privacy Protection, Edward
Elgar Publishing, UK
Makulilo A (2012) ‘Nigeria’s Data Protection Bill: Too Many Surprises’, Privacy Law and
Business International Report
Makulilo, A (2012) ‘Privacy and Data Protection in Africa: A State of the Art’, International Data
Privacy Law Vol. 2, No. 3, 163–178
Makulilo, A (2015) ‘Myth and Reality of Harmonisation of Data Privacy Policies in Africa’,
Computer Law & Security Review Vol. 31, No. 1, 78–89
Markesinis et al, (2004) ‘Concerns and Ideas about the Developing English Law of Privacy (and
how knowledge of foreign law might be of help)’, The American Journal of Comparative Law
Vol. 52, No. 1, 133–208
Nwauche, ES (2007) ‘The Right to Privacy in Nigeria’, CALS Review of Nigerian Law and
Practice, Vol. 1(1)
Prosser, WL (1960) ‘Privacy’, California Law Review, 48 Cal. L. Rev. 383
Treacy, B (2014) ‘Expert Comment’ Privacy and Data Protection, vol. 15 Issue 8
Case Law
Documents
Azeez K (2013) Boosting Computer Penetration in Nigeria, National Mirror 14 February <http://
nationalmirroronline.net/new/boosting-computer-penetration-in-nigeria/>
BBC (2004) Protests over Nigerian ID Scheme, BBC 20 April, <http://news.bbc.co.uk/2/hi/
africa/3641907.stm>
BBC (2015) Nigeria Telecom Giant MTN Fined a Record $5.2bn’, BBC 26 October < http://www.
bbc.com/news/business-34638595>
74 I.S. Nwankwo
Adepetun A (2014) ICT to Witness Huge Growth in Nigeria, Two Others in 2015, The Guardian,
24 December. Available from:< http://allafrica.com/stories/201412240234.html>
Amzat A (2015) Nigerian Telecoms Firms Frustrate Subscribers, Institute of Ware and Peace
Reporting, <https://iwpr.net/global-voices/nigerian-telecoms-firms-frustrate-subscribers>
Adeniyi A S (2014) The Need for Data Protection Law in Nigeria<https://adeadeniyi.wordpress.
com/2012/07/18/the-need-for-data-protection-law-in-nigeria-2/>
Article 19 (2013) Nigeria: Personal Information and Data Protection Bill <https://www.article19.
org/resources.php/resource/3683/en/nigeria:-personal-information-and-data-protection-bill>
Budde (2015) Nigeria – Broadband Market and Digital Economy – Insights and Statistics, <http://
www.budde.com.au/Research/Nigeria-Broadband-Market-and-Digital-Economy-Insights-
and-Statistics.html>
DeCew J (2015) Privacy, The Stanford Encyclopedia of Philosophy <http://plato.stanford.edu/
entries/privacy/>
GIPC (2015) Unlimited Potential, U.S Chamber of Commerce. Available from: <http://www.the-
globalipcenter.com/wp-content/uploads/2015/07/GIPC-Index-TPP.pdf> [20 October 2015]
Electronic Privacy Information Center, (nd), ‘Whole Body Imaging Technology and Body
Scanners (“Backscatter” X-Ray and Millimeter Wave Screening)’ < https://epic.org/privacy/
airtravel/backscatter/> [12 December 2014]
Kenyanito, EP (2015) ‘Emerging threats in cybersecurity and data protection legislation in African
Union countries’, Access, 13 February. Available from: <https://www.accessnow.org/
blog/2015/02/13/emerging-threats-in-cybersecurity-data-legislation-in-africa-union> [12
March 2015].
Matinde, V (2014) ‘Africa: Tech Trends for 2015’, IDG Connect, 8 December. Available from:
<http://www.idgconnect.com/abstract/9229/africa-tech-trends-2015> [25 February 2015]
Nwokpoku, J (2015) ‘E-Commerce – Nigerians Decry Dearth of Legislations’, Vanguard 9
January. Available from: <http://www.vanguardngr.
com/2015/01/e-commerce-nigerians-decry-dearth-legislations/> [13 February 2015].
Nwankwo, IS (2010) ‘Nigeria’s SIM card registration regulations 2010: the implications of
unguarded personal data collection’, International Legal Strategists Group. Available
from:<https://www.facebook.com/notes/international-legal-strategists-group/part-i-nigerias-
sim-card-registration-regulations-2010-the-implications-of-ungua/10150095718055827> [11
December 2014]
Nwankwo, NB (2012) ‘Interview: I’ve forgiven the man who published my nude pictures –Anita
Hogan’, 247 Nigeria News, 22 June. Available from: <http://247nigerianewsupdate.co/
interview-ive-forgiven-the-man-who-published-my-nude-pictures-anita-hogan/> [25 October
2015]
Nigerian National Policy for Information Technology. Available from: <http://portal.unesco.org/
en/files/3107/1023717285nigeriaitpolicy.pdf/nigeriaitpolicy.pdf> [12 December 2014]
NCC, ‘SIM Registration’. Available from: <http://ncc.gov.ng/index.php?option=com_content&vi
ew=article&id=122&Itemid=113> [22 February 2015]
Olangunju, T (2014) ‘National e-ID card: data protection for Nigerians must be top priority’, Your
Commonwealth 19 September. Available from: <http://www.yourcommonwealth.org/social-
development/democracy-participation/data-protection-for-nigerians-must-be-first-priority/>
[17 February 2015].
Ogundeji AO (nd), ‘Tech, telecom contribute 10 percent of Nigeria’s GDP, ICT minister says’,
<http://www.pcworld.com/article/2860252/tech-telecom-contribute-10-percent-of-nigerias-
gdp-ict-minister-says.html> [11 November 2015].
Onalaja, G (2015) ‘The problem with Nigeria’s Bank Verification Number exercise in 14 tweets’,
Techcabal 2 July. Available from: <http://techcabal.com/2015/07/02/the-problem-with-
nigerias-bank-verification-number-exercise-in-14-tweets/> [22 October 2015].
3 Information Privacy in Nigeria 75
Websites
Krissiamba Moumouni Ouiminga
The context of information privacy raises the question of the historical and political
circumstances that led to the birth, recognition and evolution of those attributes
of the human person that constitute personal data.
More accurately, to discuss the context of personal information is to reflect on the
elements that determined the legal consecration of personal data protection in
Burkina Faso. There, the context of personal data can be examined on two grounds:
a social and historical ground on the one hand (Sect. 4.1.1) and a legal and
political ground on the other hand (Sect. 4.1.2).
The social and historical context of privacy reveals the elements which historically
led the officials of Burkina Faso to become conscious of the new realities represented
by the problem of information privacy and to develop awareness of the necessity to
establish a peaceful framework of social interaction between citizens concerning the
use of Information and Communications Technology (ICT). This problem of information
privacy emerged when ICT was used as a strategic instrument for the development of
economic and social activities and good governance. As a matter of fact, with the
technological revolution that characterized the beginning of the information society
in Burkina Faso (twenty-first century), many private and public agencies were
established with Big data and many files containing important quantities of private
information, from the least important to the most sensitive. Moreover, in view of the
discrimination and other prejudice that may come from the overuse and the different
manipulations of personal data, it has become necessary to regulate those
manipulations. There were also real risks of infringing individuals’ rights and
freedoms in the processing of personal data. So it has become necessary to regulate
the processing of personal information by adopting legal instruments.
The political and legal context of information privacy refers to the political factors
that were decisive for the adoption of the right to personal data protection in
Burkina Faso through the law (‘Loi N°010-2004/AN’) relating to personal data
protection that was passed on 20 April 2004. In addition, the social and historical
considerations which contributed to the appearance of the right to personal data
protection in Burkina Faso are also important. With regard to this context, two
aspects can be pointed out. The first is the political and legal context which came after the
4 Data Protection Law in Burkina Faso 79
The Declaration of Bamako was signed on 3 November 2000 by the Ministers and
Heads of Delegations and Governments of the French-speaking countries, during a
summit in Bamako (Mali) in the framework of the International Symposium on the
assessment of democratic practices, human rights and freedoms in the French-speaking
area. Many resolutions were taken, including the promotion of an internal
democratic culture and the inclusive respect of human rights. With regard to
clause 23 of the Declaration, the participants formally agreed on:
[T]he creation, generalization and reinforcement of the national consulting and
non-consulting boards for the promotion of the human rights, and the advocacy of the
actions of the defenders of human rights as well as the creation of national bodies
devoted to human rights in the home administrations; …1
Burkina Faso abided by this promise, which represents the most determinant element
for the adoption of the data protection law in the country.
1 See Declaration of Bamako clause 23, p. 6.
2 Ibid, clause 39.
3 See Declaration of Ouagadougou clause 51, p. 7.
is responsible for the implementation of the data protection law that was passed in
April 2004. Therefore, both Declarations were decisive actions for the adoption of
the data protection law in Burkina Faso.
However, the next question, which is examined in the following lines, relates to
citizens’ perceptions of information privacy, i.e. their attitudes or reflexes with
regard to the situation of personal data and privacy.
Citizens’ social attitude to privacy is a crucial issue. It touches upon the perceptions
and reactions of citizens regarding data privacy. It also focuses on their attachment
to the elements of privacy; it therefore refers to their level of knowledge of the
concept of personal data protection and privacy. In order to better appreciate the
social attitude related to privacy and personal data in Burkina Faso, it is necessary
to find out whether individuals are concerned with the context of the real world (with
the traditional conception of privacy) on the one hand, or are oriented toward
cyberspace, where one can notice an evolution in the conception of privacy, on the
other hand.
In many African cultures in general, and the cultural traditions of Burkina Faso in
particular, the importance of individuals depends on their community or their society:
they belong to their family or communities. Hence, the perpetuation of the community
is closely linked with the protection of the individuals who compose it; this
protection covers physical integrity as well as moral integrity: their dignity and
privacy, etc. This approach indeed contributed to the preservation of social cohesion.
The traditional philosophy underlying the protection of privacy and personal data in
Burkina Faso originates from “secrecy”. Information privacy belonged to the domain
of “secrecy”, i.e. it had to be shared among those who were concerned by this
secrecy. In this regard, only a few confidants (relatives, parents, etc.) could share
the same secret. The protection of the secret name of a person is a good example of
secrecy. Besides, the use of private information was not a systematic practice in
the traditional context of Burkina Faso. It was not systematically used except during
some cultural or ritual gatherings.
In general, individuals in Burkina Faso present social attitudes which respect privacy
and personal data in the context of the physical world as opposed to the virtual
world. Some evolution can be noticed in individuals’ social attitude concerning
privacy in the virtual world. This evolution can be explained by the use of ICT by
individuals in their daily lives. Thanks to electronic devices, it is possible to
collect, save, communicate and disseminate an important quantity of private
information without people’s awareness or consent. The opening of the country to
digital technologies has altered the social attitudes of many people, especially
most youngsters.
Another possible explanation for the evolution of the social attitude is ignorance of
the risks inherent in the technologies and of the multiple potentialities that can be
found in the use of private information. This ignorance is due to the absence or
insufficiency of the sensitization and information that should be provided about the
drawbacks of technologies (about the Internet in particular). This can explain the
tendency today of personal data protection authorities, such as that of Burkina Faso,
to focus on digital education, especially for young people.
Youngsters’ Attitudes in the Processing of Data For youngsters, manipulating and
using the elements of privacy or personal data have become very common practices.
They are not eager to respect privacy and personal data when using the Internet or
their smart phones. Their young age partly explains such indelicate behavior. However,
even if some of the youngsters have heard of the dangers in the use of personal data
or the elements of privacy on the Internet, their attitudes are not always respectful
of the measures for the protection of privacy in the virtual context.
The careless social attitudes of youngsters can be understood by reference to the
theory of the privacy paradox. This theory shows the paradox existing between the
practices, i.e. the daily dissemination of one’s privacy4 and the desire, i.e. the will
to protect one’s privacy. In other words, it is the contradiction between their
suspicion and real apprehension in the face of existing threats in the use of
personal data on the one hand, and their desire to expose themselves through the
voluntary revelation of information which could be harmful to their privacy on the
other hand.
Furthermore, the real privacy paradox might lie not in these youngsters disseminating
their personal data although they fear the consequences of their actions, but in their
refusal to protect their privacy even though they are aware of the bad consequences.
This illustrates the social attitudes of many pupils and young students in general in
Burkina Faso.5
4 On the Internet particularly (and especially through the social networks).
5 An impression that was generated during the campaigns of education on the technologies
initiated by the CCSL since Jan. 2014.
The Parents or Adults’ Social Attitudes Adults or parents who are less skilled in the
use of technologies (Internet, smartphones) generally develop protective attitudes
when they are aware of the risks that exist in the use of technologies with regard to
privacy. The theory of the privacy paradox is less obvious in this social category of
people in Burkina Faso.
A privacy protection reflex obviously exists in this category, depending on the
degree of maturity which is generally found in parents, even though they often do not
master the use of Internet technologies, as opposed to their children who have a keen
interest in technologies. Adults are much more mature and scared of the invasion of
privacy by the Internet, whereas youngsters are less scared, as can be noticed through
their social attitudes.
In Burkina Faso, the legal and regulatory system of privacy protection or juridical
protection system includes the comprehensive national, regional and international
regulations. These regulations are either general or specific. However, no matter
their character (general or specific), in reality, they are included in the international
or regional conventions of human rights signed by Burkina Faso, then in the laws
passed by the National Assembly and finally in the implementing regulations.
These are, overall, the essential grounds of protection of personal data and
privacy in Burkina Faso.
4.3.1 Protection of Privacy in the General Law in Burkina Faso
These instruments include conventions and treaties referring to privacy and personal
data protection signed by Burkina Faso. There are general and specific instruments.
General Instruments
Specific Instruments
6 Universal Declaration of Human Rights (UDHR) signed by the General Assembly of the United
Nations on 10 Dec. 1948 in Paris (France) and ratified by Burkina Faso. The right to privacy is
provided by article 12 and the protection of personal data is taken into account as well.
7 The human being’s moral integrity implies the respect of his privacy, his reputation and honor.
8 The first one is the protocol related to the African Charter for people and human rights, referring
to the creation of an African Court for people and human rights signed in Ouagadougou in June
1998. The second one is the protocol for the African Charter for people and human rights, referring
to women’s rights signed in Maputo in July 2003. It also prohibits female genital mutilation.
Whether written or not, the Constitution is generally the first instrument which
protects individuals’ freedom and basic rights, including the rights to privacy and
the confidentiality of correspondence10. Accordingly, it is the essential document for
the legal organization of democratic nations. It has supreme value over all national
instruments and it represents the source of law for all of them.11
In Burkina Faso, it is the constitution which was voted on 2 June 1991 and
promulgated by ‘Kiti N° AN- VIII-330/FP/PRES du 11 juin 1991’ that is the first
reference instrument regarding individuals’ freedom and fundamental rights. The
right to privacy is stated in article 6 as ‘the residence, the home, the privacy and the
family, the confidentiality of the correspondence are inviolable. Their limitations
must be clearly provided by the law’. This constitutional provision is the first source
of the protection of privacy as well as personal information in Burkina Faso. This
constitution is now (October 2016) under revision.
Burkina Faso is among the first countries in sub-Sahara Africa to adopt a specific
legal act for the protection of personal data. The Act is ‘Loi N°010-2004/AN du 20
April 2004 portant protection des données à caractère personnel’. This law protects
personal data against any form of use which could affect individuals’ rights,
including privacy, in Burkina Faso. There is currently a draft revision of Law
010-2004/AN of 20 April and new draft implementing decrees which have not yet been
adopted.
In terms of article 2 of this law, personal data refers to any information which
permits, in any way, directly or indirectly, the identification of an individual.
Accordingly, some personal data can constitute elements of privacy or at least fall
within the definition of privacy.
9 Convention for the protection of individuals with regard to automated personal data treatment or
Convention 108. It was signed in January 1981 by the European Council in Strasbourg, France. It
is the only specific legal instrument regarding the universal protection of personal data because all
the nations which are not members of the European Council can adhere to it.
10 Case of Burkina Faso with Article 6 of the Constitution of 2 June 1991.
11 Delpere 1987, p. 3.
The 30–31 October 2014 popular uprising, which is considered the expression of the
people’s aspiration for more freedom, justice and respect of ethics and democratic
principles, prompted the CCCL to lobby for the consecration of data protection in the
Constitution. This decision aims at the extension and consolidation of freedom and
fundamental rights in Burkina Faso.
In order to enforce Loi N°010-2004/AN du 20 April 2004, it was necessary to
adopt some statutory instruments. This is the reason why as far back as 2007 the
national authorities took the decision to enact some orders and later on some rules
in order to specify and facilitate the implementation of the data protection
legislation.
These instruments include ‘decret N°2007-283/PRES/PM/MPDH’ on the organization and
functioning of the Commission for Computing and Civil Liberties (CCCL), enforced on
19 November 2007, and ‘Arrêté N°2008-001/CIL’ on the internal regulation of the
Commission for Computer and Civil Liberties (CCCL), which was passed on 22 May 2008.
These statutory instruments have made it possible to set up the CCCL, which
contributes to the effective protection of the personal data and privacy of
individuals. The implementation of these instruments has allowed Burkina Faso to
become the first French-speaking country in sub-Sahara Africa with a functional data
protection authority, as far back as December 2007.
After almost 10 years of functioning, it has become necessary, in view of the many
serious legal flaws that have been noticed in the implementation of ‘Loi
N°010-2004/AN du 20 April 2004’, to revise the law itself and its statutory
instruments in order to complete and enrich them. Revising these texts would not only
solve, inter alia, the problem of institutional anchoring, but also define accurately:
–– the conditions for exercising the CCCL’s powers of control and verification;
–– the conditions for the exercise of the CCCL’s sanctioning powers, etc.
In addition, the preparation of many other instruments has been planned, especially
for the modification of the status of the CCCL on the one hand and the status of the
workers on the other hand. More means are required in order to help the commission
fulfill its mission independently.
Organization of the law It includes essentially the provisions on the preliminary
formalities before processing personal data, the rights of persons, the obligations of
personal data processing managers and the guiding principles. Specifically:
–– Title I of the Act defines technical terms, the fundamental principles of personal
data processing and the delimitation of the scope of application of the law.
–– Title II deals with the implementation of the law, in particular the conditions for
the collection and use of personal data, the declaration procedures and the
derogations from the main principles.
–– Title III concerns the protection or control authority, i.e. the CCCL: its creation,
composition, organization and missions.
–– Title IV defines the constituent elements of violations of Act No. 010-2004/AN and
the applicable sanctions.
–– Title V rules, on a transitional basis, on the procedure applicable to files
existing before the adoption of Act No. 010-2004/AN.
Data protection principles The data protection legislation contains the following data
protection principles, which are also found in the Convention of the African
Union and the ECOWAS Additional Act. These principles are:
–– The principle of consent and legitimacy: a data controller has an obligation,
unless otherwise provided by law,12 not only to inform the data subject but also to
require his or her consent. Thus, processing of personal data is considered
legitimate if the data subject has consented to the processing.
–– The principle of purpose13: this principle postulates that the processing of
personal data must have a specific purpose; also, personal data can only be
collected and processed for a specific and legitimate purpose.
–– The principle of proportionality and relevance: according to this principle,
personal data to be processed must only be relevant and necessary in light of the
purpose and objectives of the processing.14
–– The principle of lawfulness and fairness: a controller of personal data has the
obligation to collect and process data in a fair, lawful and non-fraudulent manner.15
–– The principle of respect of the personal data retention period: personal data cannot
be stored indefinitely in computer files or on paper. A precise retention period
should be determined in advance depending on the purpose of each file or processing.16
–– The principle of security and confidentiality: all persons responsible for
processing personal data must not only ensure the security of data or files to
prevent their destruction or alteration, but also prevent unauthorized access to
personal data contained in a file or intended to form part of the files.17
–– The principle of respect for preliminary formalities: unless an exception or
exemption is provided by law, every data controller shall, prior to effective
implementation and depending on the nature of the personal data processing, notify
the CCCL, ask its opinion or obtain its approval, etc.18
–– Prohibition except for a derogation provided by the law: it is prohibited to collect
and use personal data relating to ethnic origin, political, philosophical or
religious opinion, union membership or health status without the express consent of
the person involved.19
12 See article 5 of Loi n° 010- 2004/AN portant protection des données à caractère personnel.
13 See article 14 of Loi n° 010- 2004/AN portant protection des données à caractère personnel.
14 Ibid.
15 See article 12 op. cit.
16 See article 14 op. cit.
17 See article 15 op. cit.
18 Cf. Articles 18, 19, 24 and 41 of Loi n° 010-2004/AN portant protection des données à caractère
personnel.
Commission for Computer and Civil Liberties The Commission for Computer and
Civil Liberties (CCCL) is the monitoring or regulatory authority for personal data
protection in Burkina Faso. It was established on December 7, 2007 with the
swearing in of the Commissioners and is in charge of the implementation of ‘Loi
N°010-2004/AN’, i.e. the personal data protection Act.
The Commission for Computer and Civil Liberties is an independent administrative
authority (Article 27 of the Law) because it receives no instructions from any state
authority in the exercise of its powers, except that it accounts for the execution of
its activities through its annual public report. Thus, ministers, public authorities
and managers of public or private companies responsible for various groups cannot
resist its action for any reason whatsoever (article 38) as part of its data
protection missions. The CCCL enjoys autonomy of management and financial resources
to fulfill its mission. Its finances come from the state budget. It cannot receive
funding from an individual, an organization or a foreign state unless that is through
the cooperation of Burkina Faso structures (articles 35 and 36 of the Act).
The Commission is a pluralist organization. It includes different representatives
from society. There are nine members of the CCCL, from public institutions, human
rights associations and computer science professionals. These members are
appointed by decree of the Council of Ministers as follows: one magistrate, member
of the state council, elected by his peers in a general assembly; one magistrate,
member of the Supreme Court of Appeal, elected by his peers in a general assembly; two
members of parliament appointed by the Speaker of the National Assembly; two
personalities appointed by the national associations of human rights; two
personalities appointed by the computer science professionals; and one personality
appointed by the President of the Republic with regard to his competence. The tenure
of members of the Commission is five years, renewable once.
The President of the Republic appoints, from among the members of the
Commission for Computing and Civil Liberties, the President of the Commission,
who is assisted by a Vice-President elected by the members of the Commission.
With the exception of the President, members of the Commission do not serve on a
permanent basis. However, they are all irremovable during their term of office
and enjoy total immunity for opinions expressed in the course of or in connection
with the performance of their duties (article 33). Their tenure can only be
terminated in the event of serious misconduct, resignation or incapacity noted by the
Commission itself, in the manner determined. If, while in office, the president or a
member of the Commission ceases to hold office, his replacement must be in
accordance with Articles 27 and 29 of the Act. The tenure of a successor so appointed
shall be limited to the remaining period (article 31).
The Commission presents each year to the President of the Republic, the
President of the National Assembly and the President of the Constitutional Council,
a report monitoring the performance of its mission. This report is made public
(article 45).
19 See article 20 of Loi n° 010-2004/AN portant protection des données à caractère personnel.
Enforcement The CCCL, whose main function is to enforce the implementation of
‘Loi N°010-2004/AN’, has been operational since January 2008. A strategy for the
implementation of the law has been set up; it includes the development of
information and communication by means of instruments appropriate to the target
public, as well as some information and monitoring functions, and some research and
surveys on personal data protection and privacy have been undertaken. In addition,
the implementation of this law has consisted of the examination of the files that the
CCCL has received, including those relating to transfers. So far, the CCCL has
specifically done the following in discharge of its mandate:
–– in 2008,20 the CCCL had audiences with some political and administrative
personalities (Prime Minister’s Office, other departments and institutions) and
presented to them the functions and authority of the Commission in order to bring
them to their knowledge;
–– met or held interviews with associations working in the field of personal data and
with the mainstream media established in Burkina in order to establish working
partnerships;
–– carried out, in March 2009, a national census of the files or processing operated
by public or private bodies in Burkina so as to make an inventory;
–– created the web site of the CCCL in 2010,21 and made awareness and information
TV movies on some topics related to personal data and privacy;
–– from 2014 to now, education campaigns have been carried out by the CCCL regarding
the digital world for youngsters in order to sensitize them to personal data
protection during the use of social networks and smart phones.
Moreover, the CCCL has conducted research and survey with focus on informa-
tion and verification22 in many organizations such as state offices, telephone compa-
nies, banks, hotels, guest houses, recruiting agencies and caretaker agencies, etc. It
has similarly done so with regard to verification of conditions of access, security of
computer systems in Internet cafes and other centers of community Internet access
in Burkina Faso. This was done from 3 to 14 May 2010.23 CCCL had also carried
out survey on the impact of social networks and mobile phone devices on the per-
sonal data protection and privacy of the youngsters in November and December
20 See 2008 annual public report.
21 See w.w.w.cil.bf.
22 See Infra III. C. Other procedural and enforcement mechanisms.
23 This study resulted in a bill setting up the conditions and modalities for opening and operating
cyber centers and the other community centers with the Internet connection in Burkina Faso;
another bill establishing the taxes referring to the operation of cyber centers and community
centers with the Internet and a bill charter for the use of Internet in the cyber centers and the other
community centers in Burkina Faso exist.
4 Data Protection Law in Burkina Faso 89
2011.24 A similar assessment was done in 2013 with regard to the use of
surveillance cameras.25 At the same time, some complaints were received and
examined by the Commission regarding victims of the violation of privacy information.
The next actions planned by the CCCL include the organization of information
seminars, public conferences and sensitization workshops on the law on personal data
protection, civil rights, and the obligations of institutions that process personal data.
The intended audiences include the areas of secondary and higher education, justice,
media, banking, insurance and finance, security and defense, public administration,
cybercafés and other centers of community access to the Internet; young people,
students and pupils, municipalities, decentralized communities, etc.26
International Data Transfers. One of the main problems which calls for particular
attention in the world in general and Africa in particular is the question of the transfer
of personal data. With the development of ICT and the necessity for companies
to merge their resources for better competition, it is obvious that transfers of
personal data from one firm to another in the same conglomerate are more and more
frequent. But these firms are sometimes established in many different countries,
with different legislations. This is what is happening especially in banking and
financial institutions, insurance companies and mobile phone companies, etc.
The African Union Convention on Cyber Security and Personal Data, the
ECOWAS Supplementary Act referring to the protection of personal data and ‘Loi
N°010-2004/AN’ i.e. the personal data protection law of Burkina Faso do not give
the definition of transfer. It is particularly in the practical guides of the National
Commission for Computing and Civil Liberties of France for personal data transfer
that a broad definition of personal data transfer can be found.27 So, a data transfer
means any communication, copy or forwarding of data from one medium to another,
no matter the type of medium, insofar as these data will be used in the host country.
In Burkina Faso, the personal data transfer is governed by article 24 of the data
protection law that has been referred to above and article 36 of the Supplementary
Act of the Economic Community of the West African States.28 There is also the
RCF-F device mentioned, that Burkina adopted in November 2013.
Two cases in connection with data transfer have already been referred to the
Commission for Computing and Civil Liberties. But in reality, no one can tell if
other cases of transfer did not take place in this country. This explains why the
verification and control functions must be emphasized. It appears this situation has been
well understood by the members of the Commission. They organized a regional
24 The expected results of this research were the adoption of a strategy and new instruments for
more adapted and efficient training, sensitization and information of the youngsters.
25 See CCSL 2013 public report p. 25 & all.
26 See CCSL annual public reports 2009, 2010, 2011, 2012, 2013, 2014.
27 Guide: ‘Transfer of personal data to countries which are not member of European Union’ and
‘Transfer of personal data to 3rd countries of E.U.’
28 The additional Act of the ECOWAS referring to the protection of personal data is part of the law
applicable in Burkina Faso.
90 K.M. Ouiminga
seminar on the Binding Corporate Rules (BCR) in the French speaking countries
(BCR-F).29 This seminar was held from 30 to 31 July 2015 in Ouagadougou, in
order to carry out sensitization in the firms and multinationals. On the one hand,
the participants were informed of their obligation to respect the personal data
protection law regarding data transfer. On the other hand, the seminar aimed at
facilitating the work of firms and multinationals by encouraging them to use the
BCR-F, which offer more flexibility and speed in compliance with the law.30
Actually, data transfer in Burkina Faso is allowed by the CCCL according to two
criteria: legal and contractual. Through the legal criterion, it is possible to assess
whether the host country has personal data protection legislation or whether its
legal system provides adequate protection. With the contractual criterion, in the
absence of data protection legislation, the two companies (the sender and the
receiver) abide by a contract for the transfer of personal data in accordance with the
protection legislation.
BCR-F, an Alternative for Business Groups. The BCR of the French Speaking
Association of the data protection authorities are an alternative to this contractual
criterion because they are included in the system of appreciation of the CCCL31 for
the prohibition or allowance of personal data transfer out of the territory of
Burkina Faso. BCR-F allow a group of companies established in one or more
French-speaking countries to ensure a level of protection of personal data when
transferring and further processing such data between companies in the group,
regardless of their location. In other words, BCR-F provide rules which offer
multinationals in the Francophone world flexibility and facilitate the transfer of
personal data within them, while respecting personal data protection standards.
Indeed, for states which have no legislation on personal data protection, and for
multinationals whose subsidiaries or partners are established in several countries
that do not necessarily have a law on the subject, an alternative was devised to allow
them to perform data transfers among themselves easily and legally. But first, it is
necessary that these companies have voluntarily adopted the BCR-F through a
procedure that involves at least one authority of personal data protection in the
Francophone world. Once adopted, the BCR-F become binding on these companies.
Other Procedural and Enforcement Mechanisms. For the enforcement of the
provisions of ‘Loi N°010-2004/AN’, many procedural and enforcement mechanisms
exist; they all try to ensure effective protection of rights and freedoms of individuals
with regard to processing of personal information. The procedural mechanisms
include preliminary formalities before any processing. Now, how do these
procedures and mechanisms function?
29 BCR-F objectives are to provide the same level of protection of the transferred data in the
conglomerate and to level the practices related to personal data protection in the conglomerate.
30 BCR-F are used by firms of multinationals for personal data transfer out of Burkina Faso.
31 BCR-F are adopted by CCCL as part of the French Speaking countries.
Other sources of privacy law existing in Burkina Faso independently from ‘Loi
N°010-2004/AN’ and its comprehensive statutory instruments include common
law, civil law and the penal code. Failure to comply with these regulations will
result in prosecution.
32 Legal mechanism to sanction (penal or civil).
Common Law. Concerning the common law on the citizens’ social status
in Burkina Faso, especially their private life, personal data and the protection of
their confidentiality, it is possible to refer to the provisions of the Persons and Family
Code on the one hand and those of the penal code on the other hand, since they include
nonspecific legal rules that are applicable to any circumstances related to the
protection of privacy or even personal data. The Family Code was adopted by
‘Zatu33 AN VII 13 du 16 novembre 1989 portant institution et application d’un code
des personnes et de la famille au Burkina Faso’. Article 34 specifically prescribes
that ‘A person who has got a name can claim compensation of prejudice caused on
him by the wrong use of this name’. This regulation could be applicable by
extension to nominative data and, moreover, it may be used to provide legal protection
to personal data.
Penal Code The penal code in Burkina Faso was adopted in 1996 by ‘Loi N°043/96/
ADP du 13 Novembre 1996 portant code penal’. It provides in article 371 that:
An individual, who voluntarily violates the intimacy of a third person’s private
life, may be punished for imprisonment for a term of between 2 months to 1 year in
prison or fined to 50 000 to 1 000 000 Francs. However he may be sentenced to
either sanction for:
1. listening, recording or broadcasting by the means of any device the words uttered
by any person in privacy without their consent.
2. fixing or broadcasting the pictures by the means of any device of any person in
their privacy without their consent…
The regulation of this penal code stands as a common rule and could be used in
any case, whenever there is a violation of privacy or personal data. The complexity
inherent in privacy protection could be an explanation for the diversity of the
statutory instruments.
Regional Economic Communities (RECs) are integration areas which have been
established in consideration of territorial proximity criteria (e.g. within a regional
block: north, south, east, west, center of the Africa Region) or belonging to the same
community, in order to facilitate the economic growth by the means of mutual actions
of the respective resources of the states concerned. In Africa, there are many RECs.
33 It was the name given to the law at that time.
4.4.1 Envisaged Common Markets and the Movement of Information
The question of the common market, the movement of information and the necessity to
protect personal data is an urgent problem that concerns all the RECs in Europe,42
Asia,43 and Africa44 as well. It is crucial to find a solution to this problem
because the legal protection of all personal data has a very important market value that
is increasing more and more. Also, all RECs in general want to promote
economic integration in every sector of economic activity, especially industry,
transport, telecommunication, energy, agriculture, natural resources and commerce.
They are eager to address monetary and financial issues and social and cultural
problems; however, personal data are at the core of all economic activities. So they
represent a decisive stake for the economic development of these RECs, mainly
in the context of the digital economy.
In the specific case of the West African sub-region (WAMEU precisely), however,
the issue is one of balancing, comprehensively and harmoniously,
economic imperatives (common market and flow of information) and legal
protection (effective legal protection of personal data) so as to continue the holistic
dynamics of their construction and consolidation. Why? Because WAMEU, as an
independent economic community, has not yet adopted a specific legal text on the protection
of personal data in the context of the common market and the flow of information.
34 Community of Sahel-Saharan States.
35 Common Market for Eastern and Southern Africa.
36 East African Community.
37 Economic Community of Central African States.
38 Economic Community of West African States.
39 Intergovernmental Development Authority.
40 Southern African Development Community.
41 Arab Maghreb Union.
42 In the framework of European Union (EU), Council of Europe (CE) or Organization for
Economic Co-operation and Development (OECD).
43 In the framework of Economic Cooperation of Asia and Pacific.
44 In the framework of EAC, ECCAS, ECOWAS and SADC.
However, each of its individual member states has a normative frame of reference
for the protection of personal data through the ECOWAS Supplementary Act.
ECOWAS
WAMEU
The West African Monetary and Economic Union (WAMEU) is a West African
organization. Its principal mission is to achieve the economic integration of the
member states. It aims at the reinforcement of competitiveness in economic
activities in the framework of an open and competitive common market and in a
harmonized and rational legal environment. This organization succeeded the West
African Monetary Union (WAMU) which was established in 1961. WAMEU was
established in Dakar, Senegal on 10 June 1994. Its head office is in Ouagadougou,
Burkina Faso. There are eight member states, which also belong to
ECOWAS. Consequently the ECOWAS Supplementary Act A/SA.1/01/10 referring
to personal data protection in the WAMEU area is applicable in each of these states,
individually.
45 By the ECOWAS treaty of 1975 revised on July 1993.
46 Article 47 line 2 and 48 of additional Act.
Independently of this point, other initiatives have been carried out within
WAMEU whose objective is to regulate data movement in the framework of the
WAMEU Unique Visa. Indeed, with a view to setting up a unique visa in
WAMEU, a comprehensive research study47 on the harmonization of the conditions of
entry and stay and of the mode of control at the frontiers was financed. It also concerns
the feasibility of creating a national database and setting up a community
information system on visas and the movement of people in the WAMEU
area.
A sub-regional workshop was held in Ouagadougou from 21 to 25 November
2011 by WAMEU in order to validate the research documents. The participants
were representatives of the data protection authorities from Benin, Burkina Faso
and Senegal. It emerged from this meeting that the effective implementation of
the Unique Visa in WAMEU will involve the processing of personal data and
consequently it would be compulsory to design a specific legal protection instrument in
this area. This project is still running. Therefore, the question concerning the
transposition of the REC data protection policies is important.
47 The study was done by Cabinet CIVLPOL Conseil in July 2011. It includes 3 aspects:
– 1 document in 1 volume on the overview of the national systems of visa management
– 1 document in 2 volumes on the organization of the management of the WAMEU Unique Visa.
A workshop was organized in Ouagadougou from 21 to 25 November 2011 in order to validate
these documents.
4.5 Conclusion
This reflection on personal data in general, and particularly its protection in Burkina
Faso, explains the problem of preserving fundamental human rights and
freedoms in the use of personal data. An analysis of the questions raised reveals
interdependence among compliance with the data protection law, economic development, and
the consolidation of peace and democracy. It must then be mentioned that the
effective protection of personal data contributes to economic development. However,
it must be carried out with regard to fundamental rights, including the right to
privacy. An attempt to find a solution to the problem of protection of personal data also
requires a comprehensive approach (between the regions49 and the
RECs) to some harmonized community mechanisms, with a view to reaching,
in the near future, a universal, binding system for the protection of personal data. For
this, it must be inclusive, including cooperation between States, harmonization of legal
systems and the effective implementation of protection mechanisms.
48 Article 47 line 2 and 48 of the additional Act.
49 Africa, America, Asia, Europe, etc.
References
F. Delpere, ‘Droit Constitutionel’ T.I Les Données Constitutionelles (2e edn, Larcier 1987) 3
OUIMINGA (MK), “Practical uses of Facebook in the social network that expose personal data
and privacy violations: case of public universities of Ouagadougou”, master thesis II Science
Research Information and Communication, of the Pan-African Institute for Studies and
Research on Media, Information and Communication (IPERMIC) of the University of
Ouagadougou (Burkina Faso), 2015, 128 p
OUIMINGA (MK), “International obligations of states with regard to data protection: ECOWAS
Case” Master Professional II memory of the right of the African cyberspace, Gaston Berger
University of Saint-Louis (Sénégal), 2013a, p 80
OUIMINGA (MK), “The identification of the individual in the era of ICT” research report Master
Professional II of the African cyberspace law, University Gaston Berger of Saint-Louis, 2013b,
27 p.
“Tradition and protection of privacy in Burkina Faso”, paper presented April 2, 2009 in
Bobo-Dioulasso by Professor Albert OUEDRAOGO, University of Ouagadougou, p. 5 to 10.
Documents
Resolution A/RES/68/167 of the United Nations General Assembly on the “Right to Privacy in the
Digital Age”, adopted December 18, 2013
The United Nations Guidelines for the regulation of computerized personal data files, adopted
December 14, 1990 by Resolution 45/95 of the General Assembly of the United Nations
Universal Declaration of Human Rights of December 10, 1948
International Covenant on Civil and Political Rights of December 16, 1966
The Bamako Declaration of 3 November 2000 adopted by Ministers and Heads of Delegation of
states and governments of countries using French as a common meeting in Bamako (Mali) in
the International Symposium on the Practices of Democracy, rights and freedoms in the
Francophone world.
The Ouagadougou Declaration of 27 November 2004 at the Xth Conference of Heads of State and
Government of countries using French as a common, held in Ouagadougou on 26 and 27
November 2004 under the theme: The Francophonie, a space for solidarity sustainability
African Union Convention on Cyber security and personal data protection of 27 June 2014
African Charter on Human and Peoples’ Rights of 27 June 1981
The Protocol to the African Charter on Human and Peoples’ Rights establishing an African Court
on Human Rights and Peoples, adopted in Ouagadougou in June 1998
The Protocol to the African Charter on Human and Peoples’ Rights on the Rights of Women,
adopted in Maputo in July 2003. It also prohibits female genital mutilation
Additional Act A/SA.1/01/10 on the protection of personal data in the space of ECOWAS of 16
February 2010
Volume I of the inventory of national visas management systems
Volume II on the WAEMU single visa management system
Comprehensive study on the creation of WAEMU visa
Constitution of 2 June 1991
Penal Code of 13 November 1996
Code of Persons and Family
Law No. 010-2004/AN of 20 April 2004 on the protection of personal data
Decree No. 2007-283/PRES/PM/MPDH on the organization and functioning of the Commission
for Computing and Civil Liberties (CCCL) of 18 May 2007
Caroline B. Ncube
Abstract This chapter discusses Zimbabwe’s data protection regime within the
context of historical and current socio-economic and political conditions. It also
considers societal expectations which place a premium on the protection of personal
information as a core human right. This context explains societal concerns about the
vulnerability of personal information due to surveillance and monitoring by law
enforcement and national security organs. In addition, criminal activity, largely for
commercial gain, also compromises personal information. Therefore, the societal
context is one of mistrust of data processing, compounded by actual experiences of
the compromise of data. This perceived and experienced vulnerability is exacerbated
by the fact that there is a general lack of knowledge about existing legal protection
of privacy. The legislative framework does little to assuage this vulnerability because
it is currently inadequate.
The chapter sketches Zimbabwe’s data protection regime, which has extensive
constitutional provision for the protection of privacy but currently lacks a
comprehensive data protection statute. There are several pieces of legislation that regulate
some aspects of privacy. The most notable of these is legislation that regulates data
processing by public bodies. However, this current provision of protection for data
falls short of international and regionally established data protection principles.
Consequently, work has been done towards enacting a comprehensive data
protection statute that is informed by the SADC Model Law on Data Protection.
Whilst the focus of this chapter is the legislative privacy framework, it is important
to contextualize this with the national societal environment, particularly that
pertaining to democracy, rule of law and human rights. In particular, privacy is
implicated in surveillance that often accompanies censorship. These aspects have
been the subject of much scholarly, and other, commentary over the last decade.1
Therefore only a summary, inclusive of colonial history, will be presented here.
Pre-colonial Zimbabwe was a thriving multi-ethnic community.2 Zimbabwe was
colonised in the last decade of the nineteenth century by Cecil John Rhodes’ British
South Africa Company (BSAC) and was named Southern Rhodesia after him.3 The
BSAC then administered the colony until 1922 when the settler minority assumed
governance. Such governance was meted out in a racially discriminatory manner,
beginning with the enactment of the Land Apportionment Act, 1930.4 The colony
was self-governing and the settlers constituted a government which ruled with
minimal oversight from Britain. For a decade (1953–1963) the country was part of the
Central African Federation (CAF) with Northern Rhodesia (Zambia) and Nyasaland
(Malawi).5 The dissolution of the CAF in 1963 was soon followed by the attainment
of independence by Zambia and Malawi.6 Thereafter, the sitting government of
Southern Rhodesia, under the leadership of Ian Smith, made a unilateral declaration
of independence by which it sought to completely divest itself of any residual
British oversight.7 Due to the continued discriminatory stance of this government,
national liberation movements intensified their efforts to seek independence for
Zimbabwe, which was attained on 18 April 1980 following elections held earlier
that year. Prior to this election, the Lancaster House Agreement8 was concluded in
December 1979, following a constitutional conference that had begun in September
of that year.9 The inaugural constitution (known as the Lancaster House Constitution)
was appended to the agreement as Annexure C. Several political parties contested
the 1980 elections, including the most prominent, the Zimbabwe African National
Union Patriotic Front (ZANU PF) led by Robert G Mugabe and the Zimbabwe
African People’s Union (ZAPU) led by Joshua M Nkomo. ZANU PF won the
elections and Mugabe took up the position of Prime Minister whilst the Rev Canaan
Banana was the President, a then-ceremonial position.
The national social, economic and political terrains as well as the constitutional,
legislative and judicial context have shifted considerably since 1980. These shifts
have been comprehensively canvassed by other scholars.10 They include a period of
internal national strife which saw the deaths of innumerable people of minority
1 Ncube and Gray 2015, Zimbabwe Human Rights Forum 2013–2014, Zimbabwe Human Rights
NGO Forum 2014.
2 Mazarire 2008, p. 1.
3 Ndlovu-Gatsheni 2009, p. 46.
4 Jennings 1935; Phimister 1988.
5 Mlambo 2014, p. 119.
6 Ibid.
7 Mlambo 2014, p. 151.
8 Lancaster House Agreement, 21 December 1979, available at
http://www.zimlii.org/files/Zimbabwe_1_Lancaster_House_Agreement_0.pdf
9 Kagoro 2004, p. 237.
10 Raftopoulous and Savage 2004, Raftopoulos and Mlambo 2008.
5 Data Protection in Zimbabwe 101
ethnicity in the Southern regions of the country.11 This turmoil ended with the
creation of a government of national unity between ZANU-PF and ZAPU paired with
constitutional reform in 1987. Consequent to such reform Mugabe became President
and Simon Muzenda (ZANU PF) and Nkomo (ZAPU) were appointed as
Vice-Presidents. The office of the Prime Minister was abolished and the Presidency was
bestowed with substantive powers. Economically, the country had to endure
economic structural adjustment programmes and had mixed fortunes.12 In the 1990s,
land reform became a major trigger point with growing calls for the government to
equitably distribute arable land.13 Party politics was invigorated by the formation of
the Movement for Democratic Change (MDC) in 1999.
After 3 years of negotiation and drafting, a national referendum rejected a
proposed new constitution in February 2000.14 The following 8 years (2000–2008)
have been dubbed ‘crisis years’ due to the manifold socio-economic and political
difficulties which plagued the country.15 During this period the country embarked
on its fast track land reform programme, which included violence and
intimidation.16 Elections held in this period were marred by violence and contestation and
eventually a Global Political Agreement (GPA) was reached between competing
political parties.17 Consequent to the GPA, a new constitutional reform process was
launched and a new constitution was adopted on 22 May 2013 with its Declaration
of Rights immediately coming into effect.18 The rest of the constitution came into
force at a later date. Also as agreed under the GPA elections were held on 31 July
2013, upon which the GPA terminated.19 The elections were declared won by ZANU
PF and Mugabe retained the Presidency.
From a privacy-focused perspective, the last two decades in Zimbabwe have seen
several major events and developments in the political sphere, which are outlined
above, that have impacted the enjoyment of the right to privacy. The political
upheaval has motivated surveillance, which has compromised privacy. In addition,
national security concerns have also led to monitoring and surveillance of
individuals or entities perceived to be a possible threat to the state. Further, privacy is
sometimes invaded by persons with criminal intent. Fortunately the recent constitutional
reform process has resulted in more comprehensive protection of privacy, which
needs to be translated into the legislative framework. The current constitutional
provisions pertaining to the right to privacy are sketched at Sect. 5.3 below.
11 (Eppel 2004, Catholic Commission for Justice and Peace (CCJP) and the Legal Resources
Foundation (LRF) 1997).
12 Muzondidya 2008.
13 Bowyer-Bower and Stoneman 2000.
14 Kagoro 2004.
15 Mlambo 2014, p. 231, Coltart 2008.
16 Chitsike 2003.
17 Mokhawa 2013.
18 Zimbabwe Human Rights Forum 2013, p. 2.
19 Ibid.
102 C.B. Ncube
Zimbabwe has high levels of internet access and usage by government, business
and individual users20 which means substantial amounts of personal data are
processed daily. In such a context, information privacy assumes paramount
significance. There is also an accompanying strain on the related infrastructure, which led
to the government’s attempt to legislate the use of a single international gateway by
commercial service providers via the Telecommunications (International
Termination Rates) Statutory Instrument 70 of March 2006. This move raised
privacy and other concerns because it was feared that it would be easy for the state to
intercept communications if the infrastructure was configured in this way.
Consequently, in 2006 private telecommunications service providers, Econet and
Telecel, obtained a High Court order which suspended the statutory instrument.
Zimbabwe’s information privacy framework is provided for in the Access to
Information and Protection of Privacy Act, Chapter 10:27 of 2007 (AIPPA) which
came into force in 2002, and applies only to public bodies. It is also now embedded
in the country’s constitution21 which acquired force of law in 2013. There have been
calls for the repeal of AIPPA because it is perceived to be a hindrance to press and
media freedom.22 Indeed, the government itself had indicated that amendment or
repeal of the statute was on its agenda.23 It has been reported that draft data
protection legislation has been prepared.24 However, the draft is not yet publicly
available.
Any new or amended data protection legislation would have to be informed by
the country’s Constitution. In the interests of promoting international trade, it would
also aspire to meeting the European Union (EU) adequacy standards.25 In addition,
there have been various continental, sub-regional and national developments
pertaining to data privacy which Zimbabwe has to take cognizance of. These are
outlined in part 4.
It has been argued that privacy is not a primary concern for Africans as evidenced
by the African Charter of Human and People’s Rights’ (Banjul Charter’s) lack of an
express reference to privacy rights.26 However, some empirical evidence supports
20 The ITU’s Measuring the Information Society Report (2014) 86 ranked Zimbabwe 8th in Africa
and 121 globally in its ICT Development Index for 2013. On trends across Africa generally see
Borena et al. 2015, p. 3490.
21 Constitution of Zimbabwe Amendment (No.20) Act, 2013.
22 African Network of Constitutional Lawyers (ANCL), 2012, p. 23; Mashiri 2011.
23 Government of Zimbabwe Government Work Programme (GWP) 2010.
24 The Insiderzim.com, 2015; Maisiri and Hikwa 2013, p. 13.
25 Articles 25–26, Directive 95/46/EC. For a discussion of assessments of African attempts to meet
this standard see Makulilo 2013, p. 42.
26 Ibid, p. 78.
the view that internet users in Zimbabwe are concerned about their privacy,
particularly when they use internet cafes.27 Privacy was found to be compromised after
a person had used an internet café and in particular, more spam was received,
indicating that one’s email address had been harvested during the internet café visit.28
The proprietors of the internet cafes were not well acquainted with the national
privacy regulatory framework, nor were they knowledgeable about monitoring and
other oversight exercised by Internet Service Providers.29 The internet café owners
implemented some technological and software based protection measures to protect
their equipment and their clients’ information privacy.30 In addition, some physical
measures such as obscuring computer screens were used to protect their clients’
privacy.31 However, they did not engage in any privacy education or awareness
raising campaigns for their clients, restricting themselves to the provision of
technical or practical advice only.32 In summary, this study found that both internet
café patrons and proprietors were not adequately knowledgeable about privacy and
its protection.
A more recent survey of Zimbabweans was undertaken to gauge perceptions of
privacy in the country.33 The survey’s key findings included the following:
• A significant majority of the polled population values privacy and is of the view
that it is a core human right34;
• Survey participants shared a significant amount of personal, health and financial
information with family and friends, banks and financial institutions,
government and websites35;
• Participants had varying levels of trust in the capabilities of these information
recipients to keep the information securely, with the least trust being placed in
government36;
• Less than half of the survey respondents were aware that privacy is protected by
the constitution, however 65% were aware of legislative provisions pertaining to
privacy37;
• 65% of the respondents were of the view that it is justifiable for government and
Internet Service Providers to monitor their internet usage, even if it compromised
their privacy, in order to curb and detect unlawful activities.38
27 Maisiri and Hikwa 2013, pp. 12–13.
28 Ibid p. 9.
29 Ibid.
30 Ibid, p. 9–11.
31 Ibid, p. 11.
32 Ibid.
33 Zimbabwe Human Rights NGO Forum 2014.
34 Ibid, p. 7.
35 Ibid, p. 9.
36 Ibid, p. 10.
37 Ibid, p. 24.
38 Ibid, p. 25.
Based on these findings, the authors of the report recommended that the legislative
framework ought to be aligned to the constitutional protection for privacy, penalties
and other sanctions for privacy violations should be provided for and that
awareness campaigns ought to be undertaken to educate the public about their
privacy rights.39
In summary, it would be reasonable to conclude that privacy is an important
concern in Zimbabwe but that data subjects and those who process personal
information are uncertain of the full extent of the constitutional protection of
privacy. In addition, the national legislative framework is somewhat lacking and
there are generally held perceptions of the vulnerability of personal information.40
The previous Constitution of Zimbabwe did not have any provisions pertaining to
the protection of privacy.41 Certain provisions protected some aspects of privacy,
namely protection against arbitrary search or entry in section 17, protection against
deprivation of property in section 16 and the sanctity of personal correspondence in
section 20.42 To this end, section 20(1) of the Constitution provided that:
Except with his own consent or by way of parental discipline, no person shall be hindered
in the enjoyment of his freedom of expression, that is to say, freedom to hold opinions and
to receive and impart ideas and information without interference, and freedom from
interference with his correspondence. [emphasis added]
However, as mentioned above, the current Constitution provides for the right to
privacy as follows in section 57:
Every person has the right to privacy, which includes the right not to have—
(a) their home, premises or property entered without their permission;
(b) their person, home, premises or property searched;
(c) their possessions seized;
(d) the privacy of their communications infringed; or
(e) their health condition disclosed.
This section incorporates the provisions in sections 16, 17 and 20 of the old
Constitution. The substantive differences between Zimbabwe’s old and new
constitutional provisions are:
39 Ibid, p. 32.
40 Maisiri and Hikwa 2013, pp. 12–13.
41 Ncube 2004, pp. 1, 3.
42 Ibid, p. 9.
1. the addition of paragraphs (a) and (e) which expressly mention a person’s right
not to have their home, premises or property entered without their consent and
the disclosure of their health condition without their consent; and
2. the substitution of ‘correspondence’ with ‘communication’ in paragraph (d).
This may be indicative of a broadening of the scope of protection from written
communication (i.e. correspondence) to all types of communication including
oral and digital forms.
There is as yet no reported case law on the interpretation of the new Zimbabwean
constitutional provisions. However, as they so closely mirror South African
provisions, it is likely that Zimbabwean courts will be persuaded by South African
case law. Section 14 of South Africa’s Constitution provides:
Everyone has the right to privacy, which includes the right not to have –
(a) their person or home searched;
(b) their property searched;
(c) their possessions seized; or
(d) the privacy of their communications infringed.
The Zimbabwean constitutional provisions differ from their South African
counterpart in their express mention of a person’s right not to have their home,
premises or property entered without their consent and the disclosure of their
health condition without their consent. However, South Africa’s section 14(a)–(b)
constraints on the search of a person’s home or property, of necessity, include
constraints on the requisite entry to those premises. In addition, other South
African legislation such as the Criminal Procedure Act 51 of 1977 regulates the
entry of premises.43 The disclosure of a person’s health condition is also covered
in other South African legislative provisions.44 Therefore the substantive legal
position in both countries is the same.
There are corollary provisions that are relevant to the protection of privacy in
section 61(5) of the current Zimbabwean Constitution, which provides that:
Freedom of expression and freedom of the media do not include—
(a) incitement to violence;
(b) advocacy of hatred or hate speech;
(c) malicious injury to a person’s reputation or dignity; or
(d) malicious or unwarranted breach of a person’s right to privacy. [emphasis added]
43 For a discussion see Basdeo, 2009, pp. 307–331.
44 Section 32 of the Protection of Personal Information Act protects health information.
45 Limpitlaw 2013, p. 618.
There are various statutes in Zimbabwe that have a bearing on data protection.
These include: the Courts and Adjudicating Authorities (Publicity Restrictions) Act
Chapter 7:04, Census and Statistics Act Chapter 10:05, Banking Act Chapter 24:20,
National Registration Act Chapter 10:17, Interception of Communications Act
Chapter 11:20 and AIPPA.46 Of these, only AIPPA contains provisions that
approximate comprehensive data protection standards. However, its applicability is
limited to public bodies, therefore the processing of personal information by
private or commercial entities and individuals is unregulated.
As mentioned above, AIPPA regulates privacy and has raised considerable
concerns about expression and freedom of the media.47 This chapter’s focus is those
aspects of AIPPA that pertain to the protection of privacy. AIPPA applies to all
records in the custody or under the control of public bodies in Zimbabwe.48
However, the First Schedule lists exclusions, which range from personal notes,
communications or draft decisions of a person who is acting in a judicial or
quasi-judicial capacity to records containing teaching materials or research
information of employees of a post-secondary educational body.
Of relevance to this chapter, AIPPA provides for the collection, protection and
retention of personal information by public bodies in sections 29–35 and for the use
and disclosure of personal information by public bodies in sections 36–37.
It also provides for other aspects, which will not be discussed in this chapter,
which include:
1. Access to records and information held by public bodies (sections 5–13);
2. Protected information (sections 14–25);
3. Information pertaining to third parties (sections 26–28);
4. The Media and Information Commission (sections 38–42); and
5. Appeals to administrative court and other general matters (sections 90A–93).
46 Svotwa 2013a.
47 Ncube, p. 13.
48 Section 4(1) AIPPA.
The current Constitution has carried this provision forward and section 192
provides:
The law to be administered by the courts of Zimbabwe is the law that was in force on the
effective date, as subsequently modified.
There are several express references to English and Roman-Dutch law such as
sections 177(1)(a), 178(1)(a) and 179(1)(a) which require that Constitutional Court,
Supreme Court and High Court judges respectively have knowledge and experience
in Roman-Dutch or English common law.49
The common law of Zimbabwe derives from the common law of South Africa.
And under the common law every person has personality rights such as the rights to
physical integrity, freedom, reputation, dignity, and privacy.50
Under common law, to succeed, a plaintiff needs to prove the following51:
(i) An invasion of his privacy in the form of disclosure or revelation of his
personal information;
(ii) Wrongfulness, which is determined using the criterion of reasonableness or the
norm of boni mores; and
(iii) Intention (animus iniuriandi).
In the case of a constitutional invasion of privacy the applicant must prove that
invasive law or conduct has infringed his right to privacy in the Constitution52; and
such infringement is not justifiable in terms of section 36 of the Constitution.
Defences to the common law action are categorised into two main groups. The
first category are defences which exclude wrongfulness such as consent, necessity,
private defence, impossibility, public interest and performance in a statutory or
official capacity. The second category of defences exclude intent such as jest,
mistake, insanity or intoxication. The generally accepted main remedies for common
law invasions of privacy are53:
(i) The actio iniuriarum (recovery of sentimental damages or satisfaction
(solatium) for injured feelings). The amount of compensation is in the discretion
of the court and is assessed on what is fair and reasonable54;
(ii) The actio legis Aquiliae (damages where the plaintiff has suffered actual
monetary loss as a result of the violation of privacy);
(iii) The interdict where a person is confronted with a threatening or continuing
infringement of his or her right55; and
(iv) Retraction and apology.56
49 Dube 2014, pp. 13–14.
50 Neethling 1998 at 64, 103, 137, 157, 233, 265.
51 Ncube, p. 11.
52 Ncube, p. 11.
53 Ibid.
54 Jansen van Vuuren and others NNO v Kruger 1993 (4) SA 842 at 857–858.
55 Rhodesian Printing and Publishing Co Ltd v Duggan and others 1975 (1) SA 590 (Rhodesian Appellate Court).
56 Mineworkers Investment Co (Pty) Ltd v Modibane 2002 (6) SA 512 (W).
5.4.2 Collection
Section 29 provides that a public body may only collect personal information if the
following conditions are satisfied:
(a) The collection of that information is expressly authorized in terms of an
enactment;
(b) The information is to be collected for the purposes of national security, public
order and law enforcement; or
(c) The information is to be collected for the purposes of public health; or
(d) The information relates directly to and is necessary for an operating programme,
function or activity of the public body;
(e) The information will be used to formulate public policy.
Section 30(1) provides that personal information must always be collected
directly from the person to whom it relates unless another method of collection is
authorised by that person, the Media Commission (Commission), another enactment
or is being collected in relation to specific enumerated purposes. These purposes
are:
(i) determining the suitability for granting an honour or award, including an
honorary degree, scholarship, prize or bursary; or
(ii) proceedings before a court or judicial or quasi-judicial tribunal; or
(iii) collecting a debt or fine or making a payment; or
(iv) law enforcement.
The public body collecting personal information must inform a person from
whom it intends to collect personal information of the purpose for which the
personal information is being collected and the legal authority for collecting it,57
except where the information relates to law enforcement and/or the Commission
exempts it from making such notification.58 Such exemptions may be granted if the
notification would result in the collection of inaccurate information, or defeat the
purpose of, or prejudice the use for which, the information is to be collected.
5.4.3 Accuracy
5.4.4 Security
Section 33 requires the head of a public body which has personal information
in its custody or under its control to take reasonable steps to ensure that the
information is secure. To this end, the head must ensure that there is adequate
security and there is no unauthorised access, collection, use, disclosure or disposal
of such personal information.
57 Section 30(2).
58 Section 30(3).
59 Section 32(1).
60 Section 32(2).
61 Section 32(3).
access to it.62 A public body may only use personal information for the purpose for
which that information was obtained or compiled or for a use consistent with that
purpose or if the person to whom the information relates has consented to such
use.63
The National Archives, or the archives of a public body, ‘may disclose personal
information to a third party for the purpose of historical research or any other lawful
purpose if such disclosure would not result in an unreasonable invasion of personal
privacy in terms of the Act or the information being released pertains to a person
who has been deceased for thirty or more years’.64
5.5 Commentary
AIPPA’s provisions meet some, but not all, of the Southern African Development
Community (SADC) Model Law’s data protection principles, as tabulated below:
62 Section 34.
63 Section 36.
64 Section 37.
Articles 15–17 – sensitive information; Article 18 – data pertaining to litigation; Article 19 – children’s personal data | AIPPA does not contain any equivalent provisions.
Article 21 – information to be provided to the data subject when data is being collected directly from him. | AIPPA does not expressly provide for this but it would be implied in the requirement to inform the data subject of the reason/purpose of the collection of information in section 29.
Article 22 – information to be provided to the data subject when data is being collected directly from third parties. | AIPPA does not contain equivalent provisions.
Article 24 – security | Section 33 of AIPPA meets this standard although it is not as detailed in its provisions as the model law.
Article 25 – notification of security breaches | AIPPA does not have an equivalent provision.
Articles 26–29 – automated processing | AIPPA does not have any equivalent provisions.
Article 30 – accountability | AIPPA does not have an equivalent provision.
Article 31 – access; Article 32 – rectification, deletion, temporary limitation of access | There are no express provisions pertaining to access. Section 31(1) which gives a data subject the right to request a correction presupposes access to the data for purposes of making a determination of inaccuracy. There are no provisions pertaining to deletion and temporary limitation of access.
From the above, it is clear that AIPPA’s provisions fall short of the SADC Model
Law’s standards. It would thus not be adequate to simply extend its coverage to
private or commercial entities.
5.6 An Overview of the Implementation of Data Protection Legislation
As noted above, Zimbabwe does not yet have comprehensive data protection laws.
AIPPA only regulates public bodies. However, since the adoption of the 2013
Constitution, which expressly protects privacy, there is an urgent need to enact
legislation that comprehensively provides for the protection of personal information.
The International Telecommunication Union (ITU)’s Harmonisation of the ICT
Policies in Sub-Saharan Africa (HIPSSA) Project’s work on cybersecurity which
led to the drafting and adoption of the SADC Model Law on Data Protection also
included in-country technical assistance.65 With respect to Zimbabwe, two mission
65 ITU ‘HIPSSA Project’ (ITU; n.d).
visits were conducted in March 2013 and July 2013.66 The second mission
encompassed the following:
Training on data protection law67;
National assessment on data protection68; and
Zimbabwe Data Protection Bill.69
From the above, it would appear that the data protection legislation will be a
transposition of the SADC Model Law. As stated in the introduction, the draft bill
has not been published by the state and there is no indication of when such draft
legislation may be expected. However, from the training presentation on data
protection law, it appears that the draft legislation will:
1. Create a Data Protection Authority of Zimbabwe (DPAZ) which will be
independent of the state.
2. Create the office of the Data Protection Commissioner.
3. Create certain offences relating to the unlawful processing of data and stipulate
relevant penalties.
The bill also has to provide for the data protection principles as set out in the
Model Law. It would also be prudent to extend the bill’s applicability to data
processed by public bodies and to excise the privacy provisions from AIPPA.
There have been attempts to remedy the alleged breach of the right of privacy by
the Zimbabwean government at the African Commission on Human and Peoples’
Rights. A case in point is Chinhamo v Zimbabwe,70 in which the complainant alleged
that the Zimbabwe Republic Police (ZRP) had violated his right to privacy by
deleting certain files from his laptop and stealing some hard copy reports from his
offices.71 However, the substance of these claims was not adjudicated upon by the
Commission because it found that it did not have jurisdiction as the complainant
had failed to exhaust domestic remedies. Indeed, even if the Commission had found
jurisdiction, it may have proven difficult to resolve the violation of privacy claim as
the Banjul Charter does not expressly provide for privacy rights.
66 Ibid.
67 Svotwa 2013b.
68 Ibid.
69 Chetty 2013.
70 Chinhamo v Zimbabwe Admissibility, Comm no 307/2005, 42nd Ordinary Session, 23rd Activity Report (2007), (2007) AHRLR 96 (ACHPR 2007).
71 para 6.
African Union Convention on Cyber Security and Personal Data Protection 2014.
This convention has not yet entered into force as the requisite 15 ratifications have
not been achieved. On an individual state level, South Africa has enacted the
Protection of Personal Information Act (POPI) which follows the EU’s data
protection model and contains a similar adequacy standard in its section 76. POPI
has not yet fully entered into force, but when it does it will offer added impetus to
other African states to aspire to the same model in order to promote
intra-continental trade with South Africa.
SADC’s model law has some commonalities with other Regional Economic
Communities (RECs’) model laws and the AU Convention.72 As noted above,
neither the SADC Model Law nor the AU Convention has been transposed into
Zimbabwean law. However, all indications are that the SADC Model Law will soon
be domesticated. If that eventuates, Zimbabwe would adopt the model law’s
approach to transborder flows of data.
The SADC Model Law has two formulations. Article 43 regulates trans-border
flows of data between SADC member states that have transposed the model law.
Articles 44 and 45 regulate transborder flows from a SADC member state that has
transposed the model law to a non-SADC member state or a SADC member state
that has not transposed the model law. In such instances data shall only be
transferred if ‘an adequate level of protection is ensured’ in the destination territory.
The way in which Zimbabwe chooses to transpose these provisions is up to the
legislature. One way is to simply utilize the model law’s formulation, with any
necessary adjustments. Another way is to adopt another SADC member state’s
formulation. For instance, the South African formulation is as follows:
72 Transfers of personal information outside Republic
(1) A responsible party in the Republic may not transfer personal information about a data
subject to a third party who is in a foreign country unless-
(a) the third party who is the recipient of the information is subject to a law,
binding corporate rules or binding agreement which provide an adequate
level of protection that-
(i) effectively upholds principles for reasonable processing of the
information that are substantially similar to the conditions for the lawful
processing of personal information relating to a data subject who is a
natural person and, where applicable, a juristic person; and
(ii) includes provisions, that are substantially similar to this section,
relating to the further transfer of personal information from the
recipient to third parties who are in a foreign country;
(b) the data subject consents to the transfer;
(c) the transfer is necessary for the performance of a contract between the
data subject and the responsible party, or for the implementation of
pre-contractual measures taken in response to the data subject’s request;
72 Greenleaf and Georges 2014; Makulilo 2015.
5.8 Conclusion
Zimbabwe’s socio-economic and political history has provided the backdrop for
societal concerns about the vulnerability of personal information. Surveillance and
monitoring motivated by political imperatives, law enforcement initiatives and
national security concerns have resulted in a society that perceives its privacy to be
compromised. This is exacerbated by actual experiences of the invasion of privacy,
for example after visiting an internet café. Consequently, there are high levels of
mistrust of data processors by data subjects. Such feelings of vulnerability are
intensified by a lack of knowledge about existing legal protection of privacy.
The above overview of Zimbabwe’s data protection regime shows that it is
currently lacking in significant respects, chief among which is that the country is
yet to enact a comprehensive data protection statute. Its current provision of
protection for data processed by public bodies falls short of international and
regionally established data protection principles. However, all indications are that
Zimbabwe will soon transpose the SADC Model Law, which would improve the
regulatory framework considerably.
Ronald Kakungulu-Mayambala
Abstract This chapter deals with privacy and data protection in Uganda. The
chapter provides a useful overview of the discourse and enactment of data protection
law in Uganda. It offers a detailed and comprehensive overview of privacy law
reforms in Uganda including the adoption of the European model of governance.
Part I of the chapter gives a general introduction to privacy and data protection.
Part II, on the context of information privacy, analyses a wide range of issues from
the history, political, economic and technological advancements in Uganda. This is
all the more so since privacy issues are contextual. Part III provides a more detailed
analysis of matters such as perception of privacy, the relevance of knowledge of
privacy law by the public and the authorities and the issue of drafting. Part IV of
the chapter critiques the Ugandan data privacy bill mainly based on the OECD data
privacy framework. Lastly, the chapter gives concluding remarks and recommendations.
6.1 Introduction
This chapter deals with information privacy, the social attitudes to privacy and the
legal and regulatory systems of protection of privacy in Uganda ranging from the
Constitution, the right to habeas data, the statutory laws and the common law
position on this right. Uganda does not have a comprehensive data protection
legislation. However, the country is now in the process of enacting a comprehensive
law on data protection and privacy in the country. To this end, the Data Protection
and Privacy Bill 2015 has been prepared.1 In a nutshell, this chapter discusses the
data protection principles, the data protection regulator, and the international
transfer of personal data. All this discussion is done in light of the comparative
influences and interpretation of the data protection legislation especially that of the
United
1 The draft Bill used in the text is that published by the Office of First Parliamentary Counsel [FPC] on 19th February 2015.
R. Kakungulu-Mayambala (*)
Makerere University School of Law, Kampala, Uganda
e-mail: rkakungulu@law.mak.ac.ug
Kingdom (UK) and the European Union (EU). The chapter also deals with the
procedural and enforcement mechanisms, the Regional Economic Communities
(RECs), in the context of Uganda, the East African Community (EAC) and its
Additional Protocols and data protection. Envisaged common markets such as the
Protocol for the EAC Common Market and the movement of information, the
transposition of REC data protection policies are all analyzed.
Information privacy remains a relatively new area in Uganda. The courts of law
have however traditionally resorted to the use of common law principles in the
absence of a comprehensive legislation on data protection and privacy in Uganda. It
is for this reason that Uganda still lags behind in relation to the legal regulation and
framework of collection, use, and disclosure of personal information, even when the
country has taken major strides in the areas of national census, voter registration,
mandatory Subscriber Identification Modules (SIM) card registration, and the
National Identity (ID) card registration.
As Privacy International notes:
Privacy enables us to create barriers and manage boundaries to protect ourselves from in
our lives. Privacy helps us limit who has access to our bodies, places and things, as well as
our communications and our information. It's the right to know that your personal
communications, medical records, metadata and bank details are secure, but it is also about
ensuring that they are under your control. Privacy is essential to human dignity and
autonomy in all societies. Privacy is at the cross-section of technology and human rights.
The right to privacy is a qualified fundamental human right – meaning that if someone
wants to take it away from you, they need to have a damn good reason for doing so.3
However, issues such as the history, political, economic and technological
advancements also greatly impact on the context of information privacy in Uganda,
especially since privacy issues are contextual. A thorough discussion of the history,
political, economic and technological advancements in Uganda goes a long way in
giving a comprehensive foundation for the subsequent discussion in respect of the
social attitudes to privacy in Uganda, and the legal and regulatory systems of
protection of privacy.
Whereas technological advancement in Uganda remains a key factor in issues of
privacy, Privacy International cautions thus:
Technologies are enabling new forms of empowerment and interaction as we integrate them
into our lives. They may also enable powerful institutions to amass our personal
information. The threat of terrorism is giving governments across the world carte blanche
to ramp up state surveillance. Industry is voracious in its appetite to profile us, predict
what we will do, and profit from our data. We believe that technological developments
should strengthen, rather than undermine, the right to a private life, and that everyone’s
privacy must be carefully safeguarded, regardless of nationality, gender, race or ethnicity,
personal or economic status.4
Political and religious differences also persist and have had a tremendous impact
on the social attitudes to privacy in Uganda. Those citizens who are supportive of
the political establishment are always shy to point out the excesses of the ruling
class in respect of perceived violations of the right to privacy in the country.
Similarly, the religious groups such as the church and the mosques whose voices are
always raised through their leaders tend to toe the strict and usually conservative
line when it comes to privacy issues.
The influence of politics and religion on privacy issues in Uganda as a factor can
also be attributed to historical reasons as best noted by Frans Viljoen, “the initial
‘cultural’ focus on the ‘black race’ of Africa had to be adapted if the ‘political’
dimension of pan-Africanism were to include Arab North Africa”.5 The Arab
North Africa, also otherwise known as the Maghreb, has traditionally been aligned to
the Arab world of the Middle East and has preferred to be referred to as such than
as Africans.6 The increasing radicalization of the Islam religion, and the emergence
of terror groups such as the al Qaeda and Al-Shabaab have launched disastrous
attacks on not only the west but also African countries such as Kenya, Tanzania and
Uganda.7 Khalid al-Fawwaz was accused of four counts of conspiring to kill
Americans in the 1998 twin bomb attacks on the US Embassies in Kenya (Nairobi)
and Tanzania (Dar es Salaam).8 A New York Federal Court subsequently convicted
Khalid on all the four counts.9 The result was massive arrests by the Government of
Uganda done mainly on Moslem Somali nationals living in Uganda. Again, this is
in line with the social attitude that Islam is associated with terrorism in Uganda and
the world over.10 Equally important is the view held by Makulilo who argues “at the
same time respect for privacy is lacking. Laws and conducts of the Government (of
Uganda) and private companies and individuals are in most cases falling outside the
protection offered by the Constitution.”11
4 Ibid.
5 Viljoen 2012, p. 154.
6 Mamdani and Survivors 2009.
7 A terrorist group, which later claimed to be the Al-Shabaab, launched two deadly terrorist attacks on Kampala City on July 11, 2010 killing over 50 football fans who were watching the final of the 2010 World Cup.
8 Kelley 2015, p. 14.
9 Ibid.
10 Mamdani 2004.
11 Makulilo 2015, p. 5.
The social attitudes to privacy in Uganda are not helped any further by the State
itself as noted by Kakungulu-Mayambala, thus “the country continues to enforce a
colonial-era public interest law on morality that permits the government to interfere
with the private lives of its citizens. Such laws give the government a pretext to
invade people’s private lives and deny them essential human rights and to live in
peace and harmony. A close look at the enjoyment of this right [to privacy] over the
last twelve years reveals several issues of concern.”12 The best illustration of such
laws includes the Penal Code Act, Cap. 120 and the Anti-Pornography Act, 2014.
The Privacy context in Uganda is quite fuzzy. What seems clear however, is the
fact that much of the privacy law that exists is mainly intended for regime survival.
This view is supported in part by Privacy International, which states:
State authorities have proactively cultivated the popular perception that surveillance is
systematic, centralised and technically sophisticated. This is not the case; not yet, at least.
The attributes that have made Uganda’s human intelligence network strong and allowed
it to infiltrate opposition and other circles considered threatening to the Government are
poorly suited to conducting communications surveillance on a large and automated scale.13
State surveillance has increased in Uganda thereby blurring the privacy and data
protection line.14 Whereas the Government of Uganda has vehemently denied
carrying out covert surveillance on its political opponents15 it is an open secret and
widely perceived view across Uganda that the State practices covert surveillance on
its citizens especially on the political opposition.16 Amidst the government of
Uganda’s claim to sue the BBC for the Privacy International report on its security
situations,17 all the above, comes on the backdrop of:
the fact that in 2010, President Museveni signed into law, the Regulation of Interception of
Communications Act, giving powers to security officials to listen into private
communication if they (security officials) suspect the communication is in aid of criminal
activity. But security agencies must seek a court order to intercept communication.18
12 See generally, Mayambala 2009, p. 19.
13 Privacy International Report 2015, p. 37.
14 Serunjogi 2015, pp. 1, 4.
15 Wesonga and Kafeero 2015, p. 4, and Kiwawulo and Masaba 2015, p. 3.
16 See generally, The Observer, October 15–16, 2015.
17 Etukuri 2015, pp. 1, 4.
18 Ibid, p. 4.
19 Sunday Monitor, October 18, 2015, p. 3.
20 The Observer, October 19–21, 2015.
Uganda’s human rights record in bad light and this is well captured in the report
thus:
Along with more heavy-handed tactics, the use of surveillance technology has chilled free
speech and legitimate expressions of political dissent. Covert, extrajudicial surveillance
projects like those documented in this report have contributed towards making Uganda a
less open and democratic country in the name of national security. This situation is unlikely
to improve any time soon, particularly with the eventual addition of the centralised
communications monitoring centre under the intelligence services’ control. Until and unless
this is addressed, claims that Uganda is a burgeoning democracy ring hollow.21
The above scenario presents a rather sad social attitude to privacy in Uganda. Owing to the rather massive violation of other human rights in Uganda, the Ugandan public has resorted to cynicism and indifference when it comes to the right to privacy. The right to privacy in Uganda is not only taken in a laissez-faire manner but is also seen largely as an elitist right. The few groups that seem to advocate for this right are mainly the Non-Governmental Organizations (NGOs) that are donor funded. This also aids in alienating the right further, as it is now seen as a mainly western-influence right.
The contextual extent of privacy and data protection has been analysed above.
Privacy issues are contextual.22 However, the perception of privacy remains varied
in Uganda, with the State deeply interested in violating this right in the name of
national security.
Privacy and how it is understood and perceived may vary from society to society
and individual to individual. Indeed, the Americans and Europeans perceive privacy
differently. This is not only unique to Americans and Europeans; even Africans may
perceive privacy differently, depending on social, cultural and economic standing.
Solove and Schwartz best capture the differences between American and European
perspectives of privacy, thus:
U.S. and foreign privacy regimes differ in some respects. Consider the standard description
of privacy legislation in Europe as “omnibus” and privacy law in the United States as “sec-
toral.” In Europe, one statute typically regulates the processing of personal information in
public and private sectors alike. In the absence of more specific legislation, the general
information privacy law in Europe sets terms for the processing, storage, and transfer of
personal information. In the United States, in contrast, a series of narrower laws focus on
specific sectors of the economy or certain technologies.23
21 Privacy International Report, supra, note 13.
22 Hughes 2014, p. 267.
23 Ibid, p. 996.
122 R. Kakungulu-Mayambala
The way a given community perceives privacy goes a long way in determining how consciously that particular society will respond to alleged violations of the right to privacy, let alone recognize or fight for its protection and promotion. This is especially the case in light of the fact that a discussion of privacy issues is contextual. The perception of privacy in Uganda is largely based on history and on political, economic and technological advancements. Religion too plays a lead role. Religious groups, mainly Christians and Muslims, form a solid majority in Uganda and the thinking of most Ugandans is largely influenced by either their religious background or culture.28 Invariably, the ordinary Ugandan’s perception of privacy is clouded with both religious and cultural connotations.29 Islam too offers a clear-cut line of co-existence and brotherliness among the faithful, to mutual respect for one another including the respect for the rights of each individual. “Indeed Islam enjoins us to guard our honour and privacy, and that of others as basic right.”30 The traditional African belief and the African traditionalists in Uganda in general perceive human rights including the right to privacy or privacy generally “as those legitimate enjoyments of the individual that are consistent with the dignity of the community. The avoidance of shame for the community is a dominant impulsion.”31 Thus, by and large, perception of privacy in Uganda is greatly influenced by one’s religious belief(s); namely Christianity, Islam or African (oral) tradition.
24 Ibid, pp. 998–999.
25 See generally, Makubuya 1974.
26 See generally, Mayambala 2009.
27 Makubuya, supra.
28 Huripec 2014, p. 12.
29 Ibid, p. 21.
30 Ibid, p. 31.
6.3.2 The Relevance of Knowledge of Privacy Law by the Public and the Authorities and the Issue of Drafting
As discussed above, knowledge of privacy law in Uganda remains scanty not only among ordinary citizens but also among the elite. The dismal knowledge of privacy law by the public and the authorities presents a conundrum that is not only untenable in respect of protection and promotion of the right to privacy but is also cumbersome to the authorities. In a way, such a situation presents fertile ground for the public not to demand recognition and enforcement of the right to privacy in the country, whereas the authorities remain unaccountable. In the end, no tangible laws have been enacted to foster privacy in the country except for a single Constitutional Article 27. The major tangible goal and step in the right direction remains the yet to be passed Data Protection and Privacy Bill, 2015, which was approved by the Cabinet (Executive) in August 2015 and now awaits tabling before the national legislative assembly – Parliament.
Even when the Data Protection and Privacy Bill is finally passed into an Act of Parliament, knowledge of privacy law in the country may still remain scanty unless corrective steps are boldly taken to entrench a deeper understanding of this right among ordinary people. The broadly understood rights remain the obvious ones of right to life and property that are as well anchored in both religion32 and politics. The relevance of knowledge of privacy law by the public and the authorities and the issue of drafting would be the hallmark to understanding this right in Uganda, unfortunately, the country’s history of military and political tyranny.33 Knowledge of the few existing privacy laws also remains scanty. Even when the current government, which has been in power since 1986, aims high in trying to restore democratic rule and good governance,34 the country still remains at a crawling stage when it comes to issues of privacy.
Power belongs to the people in Uganda and indeed all forms of governance can
only emanate from the power of the people.35 As Niringiye notes, in good political
governance, “laws are to be enacted by appropriate institutions according to the
31 Ibid, p. 39.
32 The Biblical Ten Commandments include thou shalt not “kill or steal”.
33 See generally, Mamdani 1983.
34 Museveni 1997, p. 187.
35 Article 1 of the Constitution.
In a nutshell, the Ugandan privacy and data protection malaise is more than merely knowledge of privacy law by the public and the authorities or a good draftsman; it surely goes beyond that to involve a sitting government which is hell-bent on regime survival and suppressing human rights.
The Constitution of the Republic of Uganda firmly protects the right to privacy.
Article 27 provides as follows:
36 Niringiye 2014, p. 38.
37 Article 79.
38 Niringiye, supra, note 36.
39 See generally, Kabumba 2010, pp. 83–107.
40 Ibid, p. 84.
41 Oluka, supra, note 20.
42 Ibid, quoting the UK-based Organization.
Once again, the above state of affairs, as referred to by Mayambala, is but a critical reflection of the social attitudes to privacy in Uganda, viz: a right largely treated with cynicism and taken to be an elitist right or a “western-influence” kind of right, at least in the eyes of the ordinary Ugandan. This is further compounded by the fact that under Article 44 of the Constitution, the right to privacy is not absolute and is actually among the derogable rights in Uganda.44 Thus, “any limitations of the enjoyment of the right to privacy may be placed on this right in what is acceptable and demonstrably justifiable in a free and democratic society, or what is provided in the Constitution.”45 The test as given in Article 43(2)(c) of the Constitution was interpreted in the case of Charles Onyango Obbo & Anor v. Uganda46 in which the Canadian case of R. v. Oakes47 was cited with approval as “the yardstick is that the limitation must be acceptable and demonstrably justifiable in a free and democratic society. This is what I have referred to as ‘the limitation upon limitation.’”48 A delicate balance therefore needs to be struck between the enjoyment of the right to privacy in Uganda and any limitations that may be placed on such a right.49
Article 27 of the Constitution has covered data protection and privacy issues in
Uganda. Save for the several laws which have been passed by the Parliament of the
Republic of Uganda, all of which are aimed at placing limitations on the enjoyment
of the right to privacy in Uganda, no detailed law has been passed to tackle the ques-
tion of data protection in Uganda. Currently, Uganda has no specific privacy or data
protection legislation to give effect or to operationalize the constitutional provision.
Only the Data Protection and Privacy Bill, 2015 seeks to fill that lacuna. Thus, to
date, Uganda does not have a comprehensive law on data protection and only relies
43 Mayambala 2010, p. 5.
44 Daily Monitor, Thursday, November 20, 2014, p. 14.
45 See Article 43 of the Constitution.
46 Const. App. No. 1 of 2000 [unreported].
47 [1986] 1 S.C.R. 103.
48 See judgment of Mulenga J.S.C. in Obbo’s case.
49 See generally, Ojambo 2008.
50 Makulilo 2015, p. 6.
51 Cap. 13, LoU.
52 See also Article 132(4) of the Constitution.
53 Mayambala 2010, p. 6.
54 Makulilo 2015, p. 5.
As Makulilo notes, “there is little case law by Ugandan courts that interpret Article 27 of the Constitution.”54 The three landmark cases by the High Court of Uganda are worthy of mention here. In the case of Victor Juliet Mukasa & Yvonne Oyo v. Attorney General,55 where 206 agents of the State broke into the residence of the plaintiffs in search of evidence of suspected lesbianism, the applicants sued for unlawful confiscation of their property [CDs], correspondence and trespass to their home. Stella Arach-Amoko, J. held thus:
In respect of the 1st applicant, the evidence on record shows that the police did not handle her documents properly. They gave the LC1 Chairman unlimited access to the said documents even after he had handed them over to police, and detained the said documents overnight without entry in their books in accordance with the laid down procedures. She is accordingly awarded 3 million shillings for violation of her right to property contrary to article 27(2) of the Constitution.56
Another very important case from the High Court of Uganda in respect of the right to privacy is that of Kasha Jacqueline, Pepe Onziema & David Kato v. Giles Muhame and the Rolling Stone Publication Ltd,58 in which the 2nd defendant, which was a weekly tabloid newspaper published in Uganda with the sole purpose of fighting homosexuality, published the identities and contacts of people based on their real and perceived sexual orientation, with the plaintiffs being the first victims of such publication. The applicants sued the defendants alleging a violation of their right to privacy and also sought an injunction against the defendants to stop the publication of the identities of persons and homes of the applicants, arguing that the said publication was not only a violation of their right to privacy but also a threat to their personal security in light of the homophobia which the Ugandan society holds against gays and lesbians. This homophobia was taken to high levels when, in December 2013, the Parliament of the Republic of Uganda overwhelmingly passed the Anti-Homosexuality Bill as a “Christmas gift” to Ugandans. President Museveni assented to the Bill in February 2014, effectively turning it into an Act of Parliament. The Act was subsequently nullified in the constitutional petition of Prof. J. Oloka-Onyango & Others v. the Attorney General,59 on a technicality, that the impugned law had been passed without the required quorum. The petitioners also alleged that the Act was a violation of the right to property and privacy of alleged homosexuals and lesbians in Uganda. However, the court did not go to the merits of the petition and merely upheld the petition on a technicality.
55 Misc. Cause No. 247 of 2006, High Court of Uganda in Kampala, (2008) AHRLR 248 (UGHC 2008).
56 See H. Nsamba (2009), ‘Government to pay suspected lesbians sh13m,’ The New Vision.
57 Makulilo (2015), ‘Ugandan Privacy Bill: a cosmetic tokenism?’ Unpublished paper (on file with the author), p. 6.
58 Misc. Cause No. 163 of 2010, High Court of Uganda in Kampala (Unreported).
59 Constitutional Petition No. 08 of 2014.
Makulilo notes:
The High Court held that with regard to the right to privacy of the person and home, under
Article 27 of the Constitution, it has no doubt, again using the objective test, that the expo-
sure, of the identities of the persons and homes of the applicants for the purpose of fighting
gays and the activities of gays, as can easily be seen from the general outlook of the
impugned publication, threatens the rights of the applicants to privacy of the person and
their homes. The Court emphasized that the applicant were entitled to enjoy their right to
privacy in Uganda and banned the publication of the Rolling Stone.60
The one and only Ugandan case on data protection came as a surprise, albeit a blessing. In 2010, the Parliament of the Republic of Uganda passed the Regulation of Interception of Communications [RICA] Act and in 2011, the Regulation of Interception of Communications Regulations, S.I, No. 2011 were also enacted by the Minister responsible for Security as required under the RICA. Section 9(2) of the RICA requires all telecommunication service providers to ensure that existing subscribers register their SIM cards within a period of six months from the commencement of the Act. Regulation 7 of S.I No. 42 of 2011 sought to operationalize Section 9(2) of the RICA, much as the RICA itself seeks to operationalize Sections 18 and 19 of the Anti-Terrorism Act, 2002 of Uganda. In line with the requirements under the RICA, the Uganda Communications Commission (UCC), established by the UCC Act of 2013 with the sole mandate of regulating the broadcasting and telecommunications industry of Uganda, threatened to switch off, or to direct all service providers to switch off, the users of unregistered SIM cards on 31st/08/2013. Based on this threat, and fearing to register their information or data with private and mainly foreign telecommunication service providers in Uganda in the absence of a comprehensive law on data protection and privacy in Uganda, two NGOs, namely the Human Rights Network for Journalists Uganda Limited (HRNJUL) and the Legal Brains Trust (LBT), brought a public interest case on behalf of all the unregistered SIM card users in Uganda.
Thus, in a case by the name Human Rights Network for Journalists Uganda Limited & Legal Brains Trust (LBT) v. Uganda Communications Commission (UCC) & Attorney General,61 the applicants sought an injunction to restrain the defendants from effecting their [defendants’] threat of switching off unregistered SIM card users. The applicants also complained about the fact that the telephone service providers may use the information [data] collected from subscribers for purposes other than those for which the registration was conducted [security and identification of subscribers].62 However, the High Court declined to grant an injunction against the defendants. In so doing, and in a strange turn of events, the High Court missed out on the opportunity to clarify Uganda’s law in respect of the rights of the data subject, data processor, data controller and data collector. It was indeed a missed opportunity.
60 Makulilo 2015, p. 6.
61 Misc. App. No. 81 of 2013 Arising out of Misc. Cause No. 219 of 2013 (the main suit is yet to be determined).
62 This claim by the applicants is misconceived since under Section 18 of the Computer Misuse Act, 2011, any person or organization who collects information or data from another person is required to use the information or data only for the purpose for which the data was collected and
This section of the paper deals with data protection principles, the data regulator,
international transfer of personal data and the relevance of comparative influences
and interpretation of data protection legislation.
Data Protection
Uganda does not have comprehensive data protection legislation yet. What can be relied upon is mere piecemeal legislation touching on privacy and generally interpreted to cover even cases of data protection, since the main aim of data protection is to ensure the protection of the privacy of the individual. Article 27 of the Constitution has been used to protect privacy (including data) in Uganda, albeit with some major challenges, as can be seen in the case of Human Rights Network for Journalists Uganda Limited & Legal Brains Trust (LBT) v. Uganda Communications Commission (UCC) & Attorney General (supra).
However, the government of Uganda has now introduced a comprehensive law to
deal with this subject viz: The Data Protection and Privacy Bill, 2015 (hereinafter
referred to as the “DPP” Bill) which awaits approval by Cabinet and introduction to
Parliament. A discussion of the draft Bill is therefore necessary and will follow
later.
Data Protection Principles
It is imperative to first list what has come to be classified as the eight (8) basic principles of data protection, which are worth noting and which almost every data protection law must have as core minimum standards to abide by. The analysis on the Uganda Data Privacy Bill (DPP Bill) follows the standard of the OECD and it is based on this standard that the author is analyzing the Bill.
The definition of ‘personal data’ as given above in the OECD Guidelines has been amplified by the “DPP” Bill, which in Clause 2 on Interpretation defines ‘personal data’ to mean:
Information about a person from which the person can be identified that is recorded in any form and includes—
(a) data that relates to the nationality, age or marital status of the person;
(b) data that relates to the educational level, or occupation of the person or data that relates to a financial transaction in which the person has been involved;
(c) an identification number, symbol or other particulars assigned to the person; and
(d) identity data;
(e) other information which is in the possession of, or is likely to come into possession of the data controller, and includes an expression of opinion about the individual.
62 (continued) in case of need of any further use of the information or data, express permission must be sought from the person from whom the information or data was got.
Although non-binding, the OECD Guidelines have had a tremendous impact on the development and enactment of data protection laws not only among members of the OECD but the world over. Indeed, the Guidelines have been a trailblazer for not only the OECD members but also non-members, Uganda inclusive, as seen in the DPP Bill.
Owing to the great influence that the OECD Guidelines have had on the development of data protection across the world, the Guidelines are set out in detail below.
Solove and Schwartz observe that the OECD Privacy Guidelines establish eight principles regarding processing of personal data:
1. Collection Limitation Principle. There should be limits to the collection of per-
sonal data and any such data should be obtained by lawful and fair means and,
where appropriate, with the knowledge or consent of the data subject.
2. Data Quality Principle. Personal data should be relevant to the purposes for
which they are to be used, and, to the extent necessary for those purposes, should
be accurate, complete and kept up-to-date.
3. Purpose Specification Principle. The purposes for which personal data are col-
lected should be specified not later than at the time of data collection and the
subsequent use limited to the fulfillment of those purposes or such others as are
not incompatible with those purposes and as are specified on each occasion of
change of purpose.
4. Use Limitation Principle. Personal data should not be disclosed, made available
or otherwise used for purposes other than those specified in accordance with [the
purpose specification] except: a) with the consent of the data subject; or b) by the
authority of law.
5. Security Safeguards Principle. Personal data should be protected by reasonable
security safeguards against such risks as loss or unauthorized access, destruc-
tion, use, modification or disclosure of data.
6. Openness Principle. There should be a general policy of openness about devel-
opments, practices and policies with respect to personal data. Means should be
readily available of establishing the existence and nature of personal data, and
the main purposes of their use, as well as the identity and usual residence of the
data controller.
7. Individual Participation Principle. An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him (i) within a reasonable time; (ii) at a charge, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.
8. Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above….63
Principle One of the OECD Guidelines on collection limitation has been cap-
tured in Clause 3(1)(a) of the DPP Bill. The clause deals with the usual sections on
collection limitation such as transparency, and has security safeguards to the data
collected.
In order to further strengthen and ensure the quality of the data or information
collected Clause 11 of the DPP Bill states that “a person who collects or processes
personal data shall ensure that the data is complete, accurate, up-to-date and not
misleading having regard to the purpose for its collection or processing.”
Purpose specification has been dealt with in Clauses 8 and 13 of the DPP Bill. In
particular, Clause 8 states that “a person who collects personal data shall collect the
data for a lawful purpose which is specific, explicitly defined and is related to the
functions or activity of the person or public body.” Clause 3(2) then enjoins the
Authority – NITA, to ensure “that every data collector, data controller, data proces-
sor or any other person collecting or processing data complies with the principles of
data protection and this Act.” Not only does the principle of purpose specification
seek to ensure that the data is collected for a lawful purpose but it also seeks to
ensure that the data is put to or used for the purpose for which it was sought. Indeed,
putting the data to another purpose without the prior informed consent of the data
subject is prohibited in Clause 13.
On use limitation, the Bill deals with this issue in Clause 8. Similarly, Clause
13(1) of the DPP Bill states that “where a person holds personal data collected in
connection with a specific purpose, further processing of the personal data shall be
only for that specific purpose.” The use limitation principle underscores the princi-
ple of Clause 3(1)(b) on “collecting and processing data fairly and lawfully.”
The Bill also underscores security safeguards, through Clauses 3(1)(g), 15 and 16 of the DPP Bill. Clause 3(1)(g) states that a data collector shall “observe security safeguards in respect of the data.” Even when the data controller seeks to process personal data outside Uganda, he or she shall ensure that the security safeguards in respect of the data are secured.64 Clause 16(1) obliges a data controller to “secure the integrity of personal data in the possession or control of a person by adopting appropriate, reasonable, technical and organizational measures to prevent loss, damage, or unauthorized destruction and unlawful access to or unauthorized processing of the personal data.” Equally, “a data controller shall observe generally accepted information security practices and procedures, and specific industry or professional rules and regulations.”65
63 Solove and Schwartz 2009, pp. 997–998.
64 Clause 15 of the DPP Bill.
Key to data protection in any country is the principle of openness which is some-
what dealt with in the DPP Bill, albeit in a vague manner. Though not specifically
referred to as such in the Bill, the openness principle is covered in Clauses 3(1)(b)
(c), 5, 10 and 14. The data controller should “(b) collect and process data fairly and
lawfully; and ‘(c) collect, process, use or hold adequate, relevant and not excessive
or unnecessary personal data’”.66 To strengthen the openness principle further, “a
person shall not collect or process personal data which relates to the religious or
philosophical beliefs, political opinion, or sexual life of an individual.”67 Clause 5 of
the DPP Bill is intended to secure the privacy of the individual and to avoid dis-
crimination based on any of the grounds listed in sub-clause 1. Clause 10 of the Bill
also obliges a “data controller or data processor to process only the necessary or
relevant personal data and nothing in excess of that”. The minimality principle,
which is treated as an independent principle in both the Bill and other jurisdictions
is also useful in promoting openness in data protection since only data that is neces-
sary shall be processed. In the same vein, “a person who collects personal data shall
not retain the personal data for a period longer than is necessary to achieve the
purpose for which the data is collected and processed unless the retention of the data
is required or authorized by law” or for any other purposes as is authorized under
the Bill.68
In a bid to secure and entrench democratic principles in the Bill, individual participation has been covered adequately in the DPP Bill. At its core, this principle seeks to ensure that data controllers and users are obliged to observe transparency and the participation of data subjects in processing personal data.69 According to Makulilo, who has offered an analysis of the DPP Bill, the principle of individual participation “entails a number of things: obtaining consent prior to processing of personal information (sec 4); collection of data directly from a data subject (sec 7); right to object [to] processing (sec 4(3), 20, 21); right to access personal information (sec 19); right to demand rectification, blocking, erasure and destruction of personal data (sec 24).”70 It can therefore be ascertained that the Bill offers great protection of the principle of individual participation, in line with the widely accepted OECD Guidelines.
Lastly, another key principle is that of accountability, which has been well articulated above and more specifically in Clause 3(1)(a). However, it should be observed that the attainment of the principle of accountability is largely dependent on other principles, such as the principles of transparency and data subject participation.
65 Ibid, Clause 16(3).
66 Ibid, Clause 3(1)(b)(c).
67 Ibid, Clause 5(1).
68 Ibid, Clause 14(1).
69 Ibid, Clause 3(1)(e).
70 Makulilo 2015, p. 8.
Alongside the above principles, the DPP Bill offers extra protection in a number
of contexts including:
To give a data subject the right to require a data controller to stop processing data for pur-
poses of direct marketing (sec 21(1)). The term ‘direct marketing’ includes any communi-
cation by whatever means of any advertising or marketing material, which is directed at an
individual (sec 21(5)). Likewise, the Bill gives a data subject the right to require a data
controller to stop making decisions taken by or on her behalf which significantly affects the
data subject as it is based solely on the processing of personal data by automatic means (sec
22).71
Most data protection legislation the world over has a regulator, sometimes in the form of an authority, which is usually independent in the performance of its duties. Uganda’s DPP Bill is no exception. Clause 25 of the Bill bestows upon the National Information Technology Authority – Uganda (NITA-U) the power to keep and maintain a Data Protection Register. This is clearly in line with the functions of NITA-U viz: “‘co-ordinate, supervise and monitor the utilization of information technology in the public and private sectors’; and ‘to create and manage the national databank, its inputs and outputs.’”72 NITA-U is also required to ensure “access to register by any member of the public.”73 As the regulator, NITA-U is meant to play a leading role in matters touching on data protection in Uganda, such as receiving and hearing complaints of data subjects, and it is therefore imperative to examine the objects, powers, and functions of NITA-U and the extent to which the regulator is able to carry out the mandate which has been bestowed upon it by the DPP Bill.
Clauses 20(4), 21(4), 22(5) of the DPP Bill. NITA-U has been empowered to
ensure access to personal information once a request has been made by a data sub-
ject to a data controller.74 The data subject also has a right to “prevent the processing
of personal data, by the data controller or processor in writing, and in the event of
non-compliance, the Authority, if satisfied that the request by the data subject is
justified, may direct the data controller to comply.”75 The Bill also empowers the
data subject to “prevent processing of personal data for direct marketing”76 and
“‘direct marketing’ has been stated to include the communication by whatever
71 Ibid, p. 9.
72 See Section 5(c)(e) of the National Information Technology Authority, Uganda Act, Act No. 4 of 2009.
73 Clause 26 of the Bill.
74 Clause 20(4) of the Bill.
75 Clause 21(4) of the Bill.
76 Clause 22(1) of the Bill.
Apart from listing the objects, functions and powers of the Authority, the NITA, Uganda Act does not expressly provide for the independence of the regulator as is required and has been stated in most international data privacy Conventions, and to that extent it can be said that NITA-U is not fully independent of the Government of Uganda or the Minister for Technology. It would have been better if the DPP Bill had gone ahead to create an independent regulator for data protection in Uganda other than NITA-U or, in the absence of that, to give NITA-U such independence under the DPP Bill in respect of data privacy protection in the country. In clause 25 of the DPP Bill, NITA-U is a [data] regulator, processor and enforcer at the same time, which not only presents a conflict of interest on its part but is a recipe for disaster.
77 Clause 22(5) of the Bill.
78 Clause 23(1) of the Bill.
79 Clause 23(4) of the Bill.
80 Clause 24(1) of the Bill.
81 Clause 27 of the Bill.
82 Clause 28 of the Bill.
83 Clause 29(1) of the Bill.
84 Makulilo 2015, p. 8.
Not only does NITA-U face a litany of shortcomings as a regulator in the DPP Bill, but it also has the weakest enforcement provisions. Makulilo has again highlighted the weaknesses in these provisions in the Bill thus:
There are no complaints resolving mechanisms in the Bill. In the three situations where the Authority is empowered to issue an order for compliance to data controllers, there is no right to the aggrieved data controller who wish to challenge the order by way of appeal. The Bill provides for civil remedies where a data subject suffers damage or distress in the event that data controller contravenes the law (23(1)). There is neither limit set for the maximum damages nor guidance on how to assess them. The Bill is also silent as to forum where a data subject will pursue his claim for compensation. Will this be the Authority itself or court of law? There is no any indication to the response of this question from the Bill. The right of appeal for the aggrieved party is also not provided [for] in the Bill. The data controller may raise the defence of reasonable care against claims for compensation (sec 23(2)). Similarly, the Bill creates offenses for unlawful obtaining and disclosure of personal data, whose conviction is fine not exceeding 120 currency points or imprisonment for a period not exceeding five years or both (sec 27). It is also an offense to sale personal data (sec 28). The punishment of which is the same as in the unlawful disclosure of personal data. There is also an administrative penalty sort of where the Authority may direct the data controller to punish the fact of the compromise to the integrity or confidentiality of the personal data (sec 18(7)).85
Alongside the complaints on enforcement raised by Makulilo above lie the penalties for unlawful obtaining and disclosure of personal data (clause 30) and sale of personal data (clause 31); corporations that commit offences under clauses 30 and 31 shall also be liable. The weaknesses that are apparent in the Bill, as given above by Makulilo, can also be rectified through the Regulations. Under the Bill, “the Minister for Technology is given power to make regulations by a statutory instrument for (b) administrative or procedural matter which is necessary to give effect to this Act; (c) retention period of personal data; or (d) matter which is necessary and expedient to give effect to this Act.”86 Similarly, “the Minister is given power to amend the Schedule by a statutory instrument with the approval of Cabinet.”87 It is therefore possible that, using clauses 33 and 34 of the Bill, the Minister can effectively address some of the loopholes of the Act.
One of the key highlights in terms of assessing the adequacy and appropriateness of
a data protection law is the guarantees that such legislation seeks to offer in relation
to international transfer of personal data. Such transfer is not only regional, but can
85
Ibid, p. 12.
86
Clause 33 of the Bill.
87
Clause 34 of the Bill.
It can therefore be said that Clause 15 of the Bill offers a bare minimum of protection for personal data processed outside Uganda. However, the above clause is not adequate on all fronts in respect of international transfer of personal data, especially when analyzed through the lens of the standards that have been set in international legislation on this subject. Makulilo argues thus:
In contrast to the sixteen (16) African countries which have so far adopted data privacy legislations (i.e., Cape Verde, Seychelles, Burkina Faso, Mauritius, Tunisia, Senegal, Morocco, Benin, Angola, Gabon, Ghana, Mali, Ivory Coast, Lesotho, South Africa and Madagascar), the Ugandan Data Protection and Privacy Bill does not provide any regime of cross-border transfer of personal data. It means that personal data of Ugandans can be transferred to Uganda from countries whose laws have no such restrictions to transfer of personal [data] abroad. As one of the reasons for the proposed privacy Bill in Uganda is to improve the business outsourcing sector (BPO), this is unlikely to be achieved. This is due to the fact that significant investments in such business come from foreign companies particularly the ones in Europe. The EU Directive restricts transfer of personal data to third countries, which do not have adequate level of protection of personal data (Article 25). Lack of a regime of cross-border transfer of personal data alone, is enough to render loopholes in the Ugandan law to the extent that it may act as a safe haven for onward transfer of personal data by controllers who escape stringent regulations in their home countries. Definitely [the] EU will limit transfer [of] personal data of its citizens to Uganda.88
The above criticism of the Bill by Makulilo is true in part and false in another. If Clause 15 of the Bill is implemented even in its current form, it will be able to curb and address some of the fears being raised by Makulilo. For, under Clause 15, “any processor or data controller shall ensure that the country in which the data is processed has adequate measures in place for the protection of the personal data, which are at least equivalent to the protection provided by this Act [Uganda].” Thus, in a way, the Bill seeks to guarantee the international data export and extraterritoriality issues that arise in relation to data. Again Makulilo argues:
The privacy Bill does not propose any rule for this. It is safe to argue that the privacy Bill
will only apply to controllers established in Uganda. The Bill does not cater for a controller
who is not domiciled or having principal place of business in Uganda but uses automated or
not automated equipment located in Uganda. This provision is too restrictive and will as
well affect the business-outsourcing sector.89
The Bill may need re-writing to capture some of the key concerns such as extraterritorial and cross-border protection of personal data. The Bill offers protection in
88
Makulilo (2015), ‘Ugandan Privacy Bill: a cosmetic tokenism?’ Unpublished paper (on file with the author), pp. 10–11.
89
Ibid.
Clauses 22 and 23 to curtail “any data controller who wants to use personal data for
direct marketing”90 (be it in Uganda or abroad) and “a data subject may by notice in
writing to a data controller require the data controller to ensure that any decision
taken by or on behalf of the data controller which significantly affects that data
subject is not based solely on the processing by automatic means of personal data in
respect of that data subject.”91
The United Nations has called upon member states to pass laws which “respect
the right to privacy and personal data in relation to the Human Rights Committee,
general comment No. 16 on article 17 of the International Covenant on Civil and
Political Rights, para. 10.”92 Frank La Rue noted that:
…the protection of personal data represents a special form of respect for the right to privacy. States parties are required by article 17(2) to regulate, through clearly articulated laws, the recording, processing, use and conveyance of automated personal data and to protect those affected against misuse by State organs as well as private parties. In addition to prohibiting data processing for purposes that are incompatible with the Covenant, data protection laws must establish rights to information, correction and, if need be, deletion of data and provide effective supervisory measures. Moreover, as stated in the Human Rights Committee’s general comment on the right to privacy, “in order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files.93
In a way, therefore, the United Nations has set the standard, as recently as 2011, by which it calls upon all its members to protect personal data as a form of respect for the right to privacy, including developing comprehensive guidelines and rules on not only automated data files but also cross-border and international transfer of personal data.
Uganda has never had a comprehensive data protection law. As Makulilo notes, “the last two decades have witnessed privacy law reform in Africa. Yet there is no privacy legislation in any of the countries in the East African Community (EAC) comprising of Kenya, Uganda, Tanzania, Rwanda and Burundi. At the moment, Kenya and Tanzania have draft data privacy bills. Recently, Uganda has issued a draft privacy bill following suit to Kenya and Tanzania.”94 However, the comparative influences on the development of data privacy protection law in Uganda can be said to come mainly from the African Union, the OECD, the EU Directive and the EAC.
90
Clause 22(1) of the Bill.
91
Clause 23(1) of the Bill.
92
Frank La Rue, ‘Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression,’ Human Rights Council, 17th Session, Agenda Item 3, 2011, p. 16.
93
Ibid, para. 58.
94
Makulilo 2015, 1.
In order to effectively achieve data protection and privacy, the DPP Bill should espouse universally accepted procedural and enforcement mechanisms.95 The procedural and enforcement mechanisms should guarantee the right to privacy akin to those which have been developed to ensure the enjoyment of rights in the fight against terrorism.96 Comprehensive guidelines also need to be developed, mostly by subsidiary law, to deal with issues of public interest and national security in relation to data protection and privacy.97 This is particularly important as Nowak notes: “in the fight against organized crime and terrorism, modern police and intelligence agencies are using information and surveillance technology, including racial profiling, that potentially affects numerous innocent citizens and constitutes far-reaching interference with the right to privacy and data protection.”98 The application of international data privacy rules has to be harmonized with Uganda’s national laws.99
95
See generally Solove 2008.
96
See generally Foster 2011.
97
See generally Dycus et al. 2007.
98
Nowak 2003, p. 346.
99
See generally Reidenberg 2000.
100
Under Article 3 of the EAC Treaty, the EAC has five (5) Partner States, i.e., the Republic of
Uganda, the Republic of Kenya and the United Republic of Tanzania. The Republics of Rwanda
and Burundi have also since joined the Community.
101
Article 6(d) of the EAC Treaty.
6.5.1 Envisaged Common Markets and the Movement of Information
The “Common Market Protocol (CMP) became operational in 2010 and negotiations are under way to achieve a Monetary Union and Political Federation by the year 2015.”102 The EAC region has a population of nearly 150 million people with a Common Market. Thus, the movement of both people (labour) and goods and the corresponding information is massive. Some strides have been made in the area as noted by Makulilo:
Uganda acceded to the International Covenant on Civil and Political Rights (ICCPR) 1966
on 21 June 1995. She is also a part to its optional Protocols. The ICCPR protects the right
to privacy (Art 17). Likewise, Uganda is a party to the Convention on the Rights of the
Child (CRC) 1990 and its optional Protocols. The CRC offers to children protection of
privacy (Art 16). Similarly, Uganda is a member of the East African Community (EAC). In
2010 the EAC adopted the EAC Legal Framework for Cyber Law (Phase I). Although not
a model law, it recommended to the best practices. Uganda is also a member of the African
Union (AU). On 27 June 2014, the AU adopted the African Union Convention on Cyber
Security and Personal Data Protection 2014. The Convention provides for principles of data
protection and oversight institution hence filling the gap left in the African Charter on
Human and Peoples’ Rights 1981 as far as protection of privacy is concerned. However, it
is not yet in force and Uganda will only be bound by this Convention upon ratification.103
The recently adopted African Union Convention on Cyber Security and Personal Data Protection is a landmark model law, which can guide its members on cyber security and personal data protection. The AU Convention mirrors similar legislation such as the OECD model law, the UK Data Protection Act, 1998, and the EU Directive. Indeed, the AU Convention is like a response to the observations of UN Special Rapporteur Frank La Rue, who observed [in 2011] thus:
…there is insufficient or inadequate data protection laws in many States stipulating who is allowed to access personal data, what it can be used for, how it should be stored, and for how long. The necessity of adopting clear laws to protect personal data is further increased in the current information age, where large volumes of personal data are collected and stored by intermediaries, and there is a worrying trend of States obliging or pressuring these private actors to hand over information of their users. Moreover, with the increasing use of cloud-computing services, where information is stored on servers distributed in different geographical locations, ensuring that third parties also adhere to strict data protection guarantees is paramount.104
102
Gastorn et al. 2011, p. 1.
103
Makulilo, supra, p. 5.
104
Frank La Rue, supra, p. 15, para. 56.
At the regional level, apart from the EAC Treaty, which obliges Partner States to observe the principles of good governance and human rights, the EAC has also adopted the EAC Legal Framework for Cyber Law (Phase I), which can be quite informative on the processes and procedures for EAC Partner States to follow in order to come up with meaningful REC data protection policies. The Data Protection principles of the EU and the UK have greatly influenced the development of data protection legislation in Uganda.105 Data protection remains key in securing the privacy of the individual since such data may be very sensitive.106 However, whereas the Data Protection Act 1998 of the UK gives conditions for processing ‘sensitive’ data, the DPP Bill of Uganda does not have similar or corresponding provisions.107 Even with this shortcoming, the DPP Bill still fulfills the key objectives of data protection law, viz: “those who process information concerning individuals are subject to a regulatory framework within which they can process personal data lawfully, [and secondly] as individuals we all have rights under data protection law.”108
6.6 Conclusion
Uganda needs to pass a comprehensive data protection law that not only reflects the generally accepted international standards,109 but also takes care of the Ugandan and African values to data protection and privacy.110 Even with the present-day challenges of terrorism,111 increasing organized crime and political instability,112 Uganda needs to remain steadfast in its pursuit of human rights.113 The law should not be used to victimize or violate rights of any group in Uganda and beyond.114 The core values and principles of data protection and privacy should be well observed in the law. Above all, Uganda’s Data Protection and Privacy Bill should be revised so as to align it more with human rights.115 The tensions that come with balancing the civil
105
Bainbridge 2005, p. 61.
106
Reed 2007, p. 402.
107
Bainbridge 2008.
108
Bainbridge 2008, p. 498.
109
Charlesworth 2000.
110
See generally, Murphy (ed) 2009.
111
See generally, Goold 2007.
112
Goold and Neyland (eds) 2009.
113
Kobusingye 2010.
114
See generally Fox et al. 2006.
115
See generally Alfredsson and Eide (eds) 1999; Steiner et al 2007; Lillich et al. 2006.
liberties, human rights and national security alongside data protection and privacy
also need to be addressed very carefully.116
References
Books
116
Hicks 2005; Galison and Minow 2005; Roth 2005.
Steiner HJ, Alston P & Goodman R, International Human Rights in Context: Law, Politics, Morals
(OUP 2007)
Solove DJ, Understanding Privacy (Harvard University Press 2008)
Solove DJ & Schwartz, Information Privacy Law (Aspen Publishers 2009)
Viljoen F, International Human Rights Law in Africa (OUP 2012)
Wilson, RA (ed), Human Rights in the ‘War on Terror’ (CUP 2005)
Articles
Kakungulu-Mayambala R, Data Protection and National Security: analyzing the Right to Privacy
in Correspondence and Communication in Uganda, HURIPEC Working Paper No. 25, 2009.
Kakungulu-Mayambala R, Examining the Nexus Between ICTs and Human Rights in Uganda: A
Survey of Key Issues, East African Journal of Peace & Human Rights, Vol. 16, Issue 1, 2010
Khiddu-Makubuya E, The Concept of Human Rights in Traditional Africa, Makerere Law Journal,
Vol. 1, No. 1, 1974
Makulilo A, Ugandan Privacy Bill: a cosmetic tokenism, Unpublished paper (on file with the
author 2015)
Reidenberg JR, Resolving Conflicting International Data Privacy Rules in Cyberspace, Stanford Law Review, Vol. 52, 2000
Reports
La Rue F, Report of the Special Rapporteur on the promotion and protection of the right to freedom
of opinion and expression, Human Rights Council 2011
Privacy International Report, For God and My President: State Surveillance in Uganda, October
2015
Newspapers
Kelly JK, US Court finds Suspect guilty of Nairobi blast, The East African, February 28 – March
6, 2015
Nyakahuman PM, Conflict between Right to Privacy and the Law, Daily Monitor, Thursday,
November 20, 2014
Nsamba H, Government to pay suspected lesbians sh13m, The New Vision, 2009
Mukiibi Serunjogi E, How Government Taps Opposition Leaders’ Phone Calls, Saturday Monitor,
2015
Chapter 7
Towards Data Protection Law in Ethiopia
Alebachew Birhanu Enyew
7.1 Introduction
transposed into national law for its full enforcement. Accordingly, many countries across the world have developed national data protection legislation.
While Ethiopia has ratified major human rights documents, and has incorporated the right to privacy in its constitution, it has not yet promulgated a comprehensive data protection law. Due to the absence of a data protection law, the country is forced to rely on the existing laws. In the existing legal framework, one can find scattered and terse privacy-protective legal provisions. However, the existing laws are inadequate to cope with the challenges of information technology-borne privacy concerns. Taking the inadequacy of the law into account, the country prepared a draft data protection law in 2009, although it has not yet been promulgated or entered into force. This chapter is therefore designed to explore privacy-protective legal provisions in the legal system of the country, and to discuss briefly the content of the draft Ethiopian data protection law.
This chapter consists of five sections. The first section gives some contextual information about information technologies in Ethiopia and the respective policies. The second section discusses the attitude of the Ethiopian society towards the value of privacy. It examines whether privacy exists as a societal value. The third section embarks on the privacy related legal provisions found in different pieces of legislation of the country. It tries to reveal what the existing laws lack to govern the collection and processing of personal data. The fourth section pertains to the reasons why the country needs a robust and comprehensive data protection law. In the final section, a conclusion will be drawn.
National constitutions of countries and various human rights instruments have recognized the right to privacy as a fundamental right. Regardless of its recognition under different legal documents, the right to privacy has been increasingly threatened owing to technological advancements, which have yielded a range of systems such as distributed networking, the World Wide Web, mobile devices, video, audio, and biometric surveillance, global positioning, ubiquitous computing, social networks, sensor networks, databases of compiled information, data mining etc.1 In short, information and communication technology (ICT) has become a major threat to this fundamental right, as ICT enables “pervasive surveillance, massive databases, and lightning-speed distribution of information across the globe”.2
The advancement of ICT and its global nature have enhanced the flow of information across the world.3 ICT has resulted in a wide and uncontrolled flow of personal information. Personal information can be collected and processed easily through the use of sophisticated means and implemented in various ways. Collecting and processing personal information can endanger the right to privacy as long as the manner of collecting and processing personal information is not regulated. Hence,
1
Nissenbaum 2010, p. 1.
2
Ibid.
3
Banisar 2000, p. 18.
the flow of information has to be carefully regulated from a privacy and personal information protection perspective.
Following the radical transformations of ICT, European countries and the USA, notably, began to promulgate pieces of legislation to protect personal information in the 1970s.4 On the other hand, countries like Ethiopia have tried to regulate privacy concerns by virtue of already existing law, without having a specific law. Undoubtedly, the legal response of countries can be contingent upon their level of information and communication technology development. In this respect, and relative to where the rest of the world has reached in terms of ICTs, many African countries have lagged behind in making use of the global digital wave.5 Thus, this digital divide between Africa and the rest of the world has partly played a role in delaying legislative measures in the field in Africa. This being so, many African countries are yet to enact legislation to govern cyber-related activities in general. Ethiopia is not an exception to this.
There is a low level of ICT development in Ethiopia. This can be discerned from the absence of appropriate legal and regulatory frameworks, limitations in telecommunications infrastructure, a low level of internet services penetration, lack of organized data and information resources, poor accessibility to the available data, lack of skilled human resources, and an under-developed private sector.6 Studies indicate that Ethiopia is among the countries with the lowest internet penetration and use.7 Although ICT is still in its infancy in Ethiopia, it has recently developed rapidly. Indeed, the development of ICT has outpaced the legislative and regulatory environment. In 2002 Ethiopia introduced the first National ICT Policy, which made the development of information and communication technology one of the government’s strategic priorities as an industry and as an enabler of socio-economic transformation. In 2009, the government replaced the 2002 National ICT Policy with a more comprehensive policy.
The 2009 National ICT Policy gears its strategic focus towards six major areas: ICT infrastructure, human resource development, ICT legal systems and security, ICT for government administration and services, ICT industry and private sector development, and research and technology transfer.8 The strategic focus areas of this document include, among other things, the legal system and regulatory environment. The 2009 ICT policy recognizes that the current legal framework is insufficient for coping with the challenges of the fast-developing national and global ICT sectors. The ICT policy further outlines the legislative instruments that are needed to govern cyber-related activities, such as data protection laws, cybercrime laws, and intellectual property laws. However, only telecom fraud proclamation and national payment services proclamations have so far been enacted to implement the
4
Michael 1994, p. 32.
5
Assefa 2010, p. 7.
6
The FDRE National Information and Communication Technology Policy and Strategy (Addis
Ababa 2009) 1 (The National ICT Policy).
7
Yilma 2014, p. 30. See Freedom House 2011, p. 133.
8
The National ICT Policy (n 6) 5.
Studies have revealed that the desire for some level of privacy stretches back even to primitive societies.10 Psychological and anthropological evidence suggests that human beings have a fundamental need for privacy.11 The need for privacy appears to be a common feature of all human beings. However, regardless of a panhuman desire for privacy, the degree of demand for privacy may vary from culture to culture. Culture guides the attitudes and behavior of human beings. Thus, the ways that people create, safeguard and enhance their respective privacy, in the main, differ from one culture to another depending on various factors.12
In this regard, one can compare Western attitudes to the value of private life with African attitudes to the value of private life (the worth of persons as individuals in general). The need for privacy appears to be higher in the Western countries, which have espoused liberal ideals, than in African countries. Indeed, some African scholars claim that African societies have given priority to a communal way of life where “a person is not regarded as an isolated and abstract individual, but an integral member of a community.”13 There is no doubt that the diverse cultures of Africa significantly identify group influence over the individual. This means that Africa is a low-individualist society. Low individualist/collectivist societies have
9
Human Rights Watch 2014, p. 1.
10
Westin 1967, p. 8.
11
Neethling et al. 2005, p. 29.
12
Bygrave 2010, p. 174.
13
Kiwanuka 1988, p. 80.
a greater acceptance of intrusion on the private life of the individual than the Western liberal democracies.14 The strong association of privacy with the Western idea of liberalism can be discerned from the development of legal regimes for privacy protection.15 Whilst the Western countries have enacted advanced data protection laws, many African countries are yet to pass legal regimes for privacy protection.16
Like any other society, Ethiopian society has exhibited a desire for privacy since ancient times. At the same time, being an African country, Ethiopia tends to pursue the communal way of life. Yet many writers have claimed that secrecy has been rooted in the Ethiopian traditions since antiquity. In this regard one commentator/blogger has highlighted the following:
Ethiopians are notoriously secretive and distrustful, the great Polish journalist Rysard
Kapuscinski in his classic work ‘The Emperor’, regarding the reign of the last Ethiopian
Emperor, Haile Selasie and his inner circle, states ‘the Ethiopians are deeply distrustful and
found it hard to believe in the sincerity of my intentions,’ elsewhere he goes further claiming
that Ethiopians are the most ‘secretive people on Earth.’ Having lived in Addis Ababa and
worked with Ethiopians for a number of years, my experience certainly bears out Kapuscinski’s
comments reinforced by René Lefort, author of ‘Ethiopia: An Heretical Revolution?’ when he
states ‘given the history of Ethiopia, where secrecy is a cardinal virtue’.17
Based on his personal experience and the works of two authors, the blogger maintained that secrecy is deep-rooted in the culture of Ethiopian society. Akin to the above quotation, Donald Levine, who studied Ethiopia from a sociological perspective, indicated that the Amhara (the second largest ethnic group in Ethiopia) assume that it is improper to reveal oneself fully, or to disclose one’s secrets to anyone but a very close friend; and that in fact rarely happens.18 Image and social status are of great importance within Ethiopian society. One does not thus make disclosures about oneself that may affect her/his image or jeopardize her/his social status. The secretive tendency of the Ethiopian people is also manifested in their proverbs.19 In sum, the demand for some level of privacy can be observed in Ethiopian society.
Nonetheless, there exists little opportunity for physical and spatial solitude in Ethiopia due to different factors. These factors can be expressed in terms of economic, social and political factors.20 Economic capacity defines the degree of individuals’ liberty and privacy. In the words of Franklin D. Roosevelt, “true individual freedom cannot exist without economic security and independence.”21 Also Sen, in his seminal work ‘Development as Freedom’, claimed that growth of individuals’
14
Bellman et al. 2004, p. 315.
15
Bygrave (n 12), p. 176.
16
Ibid.
17
Peebles 2012.
18
Tibebu 1995.
19
There are many proverbs which demonstrate the secretive tendency of Ethiopian society: ለጥረሰ ፍንጭት ሰዉ ሚሰጥር አታጫዉተዉ (Do not share your secret with someone who can easily let it go), ነገርን በጉያ ስንቅህን በአህያ (Keep your private matters to yourself).
20
Yilma 2015, p. 2.
21
Alston 1990.
income can serve as a means of expanding the freedoms that can be enjoyed by members of a society.22 Economically, Ethiopia remains one of the poorest countries in Africa irrespective of its recent encouraging signs of robust economic growth. It is a country with nearly 85 % of its population living in rural areas and living on rain-fed subsistence farming using obsolete technical know-how. According to the World Bank Report, one-third of Ethiopians live below the poverty line.23 Economic inability can thus affect the extent of privacy that Ethiopians seek to create and safeguard in their private life.
As a result of economic deprivation, many households in urban areas of Ethiopia live crowded together in small compounds where residents have no option other than to notice almost every aspect of others’ lives.24 In addition to a compound, residents in slum areas share means of survival and shelters, which results in little space for privacy.25 Thus, social factors can limit the space for private life.
Politically, Ethiopians have been one of the most enduring peoples associated with authoritarian regimes. Until recently, the conception of Ethiopia has been shaped by stories of war, famine and dictatorship.26 The defunct successive dictatorial regimes sidestepped the respect of human rights, including the right to privacy, for years. Following the demise of the military dictatorial regime, the current government has taken several measures such as ratifying human rights instruments, incorporating human rights norms into the national legal system, and establishing national human rights institutions in order to ensure the protection and promotion of human rights in the country. However, regardless of the normative and institutional transformations, the human rights record of the Ethiopian government remains poor, marked by severe restrictions on human rights including the right to privacy.27 In this respect, Human Rights Watch reported that the Ethiopian government has used abusive digital surveillance to “target journalists and opposition groups to silence independent voices.”28 The political realm has therefore left little space for privacy.
As described earlier, Ethiopia does not have a comprehensive data protection law that governs collection, storage, processing, and/or dissemination of personal data. However, this should not be construed to mean that the national legal system is devoid of
22
Amartya Sen 2000, p. 3.
23
The World Bank Group 2015, p. xv.
24
Yilma, (n 20), p. 2.
25
Ibid.
26
Adejumobi 2007, p. 1.
27
Human Rights Watch (n 9), p. 1.
28
Ibid.
pertinent provisions for privacy protection. In fact, one may find some privacy-protective provisions in different pieces of legislation ranging from the Constitution of the Federal Democratic Republic of Ethiopia (the FDRE Constitution) to subsidiary laws. Nonetheless, these privacy-related provisions can be described as scattered and terse. In this section, discussions on the FDRE Constitution and other relevant ordinary laws will be made.
FDRE Constitution
The current government of Ethiopia toppled and superseded the Dergue regime, which had been marked by egregious human rights abuses. Four years later, the FDRE Constitution was promulgated as a reaction to the past state-sponsored atrocities.29 The FDRE Constitution consists of a comprehensive bill of rights including civil, political, economic, social and cultural rights as well as the right to development and environmental rights. Nearly one third of the Constitution is dedicated to dealing with human rights.30
Besides, the FDRE Constitution stipulates that any international agreements
including human rights treaties ratified by Ethiopia are “an integral part of the law
of the land”.31 It means that once the country ratifies a certain international agreement,
the ratified agreement is deemed to be part and parcel of the law of the land.
Ethiopia has ratified the major human rights documents including the two covenants.
This being so, the provisions of the International Covenant on Civil and
Political Rights (ICCPR) have formed part of the domestic legal system of Ethiopia.
Concomitantly, the FDRE Constitution lays down that the human rights provisions
of the Constitution should be construed in conformity with international human
rights standards. If any of the human rights provisions requires interpretation as a
result of vagueness or ambiguity, it should be interpreted in line with human rights
standards.
Furthermore, the FDRE Constitution recognizes the right to privacy as a fundamental
human right. Article 26 of the FDRE Constitution describes the right to
privacy in the following terms:
1) Everyone has the right to privacy. This right shall include the right not to be subjected to
searches of his home, person or property, or the seizure of any property under his personal
possession. 2) Everyone has the right to inviolability of his notes and correspondence
including postal letters, and communications made by means of telephone, telecommunications
and electronic devices. 3) Public officials shall respect and protect these rights. No
restrictions may be placed on the enjoyment of such rights except in compelling circumstances
and in accordance with specific laws whose purposes shall be the safeguarding of
national security or public peace, the prevention of crimes or the protection of health, public
morality or the rights and freedoms of others.
29 Proclamation No.1/1995, The Constitution of the Federal Democratic Republic of Ethiopia
(Federal Negarit Gazeta 1995).
30 Ibid, Chapter three (Articles 13–44) deals with democratic and human rights.
31 Ibid, Article 9(4).
Article 26 of the Constitution starts with the recognition of the right to privacy in
general terms. Sub-articles 1 and 2 of Article 26 further lay down different aspects
of privacy, which are described in terms of protection of one’s person, home, property,
and correspondence and communication.32 In principle, one should not interfere
with the privacy of individuals, including one’s person, home, property, correspondence
and communication. At this point it is good to note that the list of protected
interests (different spheres of privacy) is not exhaustive. Therefore, although the
Constitution is silent on whether or not family falls within the ambit of protected interests,
the right to privacy should be construed broadly to include non-interference with
one’s family.
The first limb of Article 26(3) requires public officials not just to refrain
from interfering with individual privacy, but also to prevent persons or entities
from endangering the right. The second limb of the same sub-article deals
with permissible limitations to the right to privacy. The FDRE Constitution does
not enshrine the right to privacy in absolute terms. In fact, the right can be limited for
the sake of other competing interests. However, limitation of the right for the benefit
of others and general welfare may not always be justifiable.33 Article 26(3) of the
FDRE Constitution makes clear that limitations to the right are only permissible
upon the fulfillment of certain cumulative requirements: (1) there must be a purpose
for the limitation, (2) there must be compelling circumstances, and (3) the limitation must
be made in accordance with specific laws. These three criteria are important to
strike a balance between the constitutional right to privacy and other competing
interests. Thus, the right to privacy can only be lawfully limited upon the satisfaction of
the three criteria together.
In relation to the first criterion, Article 26(3) of the FDRE Constitution enumerates
six competing interests (purposes), namely national security, public peace, the
prevention of crimes, the protection of health, public morality, and the rights and
freedoms of others. National security is an amorphous concept at the core of which
lies the survival of the state, whereas public safety, the prevention of crime, the
protection of health, and public morality reflect society’s interest from different
angles.34 With regard to the second criterion, the Constitution simply makes the existence
of ‘compelling circumstances’ another requirement to limit the right to
privacy, without determining what constitutes compelling circumstances.
Conspicuously, it is hard to determine what constitutes ‘compelling circumstances’
in the abstract. Yet, one can say that the prevailing circumstances should appear
compelling to a reasonable degree to interfere with the right to privacy.35 Besides, it
is important that the extent of the limitation to the right should not go beyond
what is required by the compelling circumstances.
In connection with the third criterion, the Constitution provides that limitation
must be made in accordance with specific laws which are promulgated to safeguard
the six purposes mentioned in the first criterion: national security or public peace,
the prevention of crimes or the protection of health, public morality or the rights and
freedoms of others. In such situations, pressing social needs may override the right
to privacy.
32 Yilma and Birhanu 2013, p. 116.
33 Messele 2002, p. 13.
34 Nahum 1997, p. 124.
35 Yilma and Birhanu (n 32), p. 118.
In sum, Article 26 of the FDRE Constitution makes clear that the right to privacy can
be lawfully limited whenever the three criteria are met cumulatively. In all other
cases, interference with any of the protected interests constitutes an encroachment
on the constitutional right.
Other Laws
As pointed out earlier, Ethiopia adopted the major human rights documents including
those treaties that enshrine privacy as a fundamental right.36 The FDRE
Constitution equally recognizes the right to privacy. In addition to human rights
treaties adopted by Ethiopia and the FDRE Constitution, one can find privacy-protective
provisions in various subsidiary laws of the country. In this section, we try to
highlight privacy-protective provisions of some subsidiary laws, namely the Civil
Code, the Criminal Procedure Code, and the Freedom of Mass Media and Access to
Information Proclamation (Freedom of Information Proclamation).
The 1960 Civil Code of Ethiopia contains some provisions for the protection of privacy.
For instance, regarding pictures, it stipulates that the photograph or the image
of a person should not be exhibited in a public place, nor reproduced, nor offered for
sale without the consent of such person.37 Consent is a requirement to display or disclose
one’s image. However, the consent of a person concerned may not be sought
where the production of his image is required for justice, scientific or cultural interests,
or public interests.38 Similarly, in respect of correspondence, the Civil Code
provides that “the addressee of a confidential letter may not divulge its contents
without the consent of the author.”39 In both cases, consent is very important. The
Civil Code entitles the person concerned to control the reproduction of his image or
the disclosure of the contents of his letter. From this, one can safely infer the two
basic principles of data processing (data subject’s participation and disclosure limitation)
which are also enshrined in the European Union (EU) Data Protection Directive
and the Organization for Economic Cooperation and Development (OECD)
Privacy Guidelines.40
36 The Universal Declaration of Human Rights (1948), Article 12; the International Covenant on
Civil and Political Rights (1966), Article 17; and the Convention on the Rights of the Child (1989),
Article 16.
37 Extraordinary Issue No. 2/1960, The Civil Code Proclamation of the Empire of Ethiopia (Negarit
Gazeta 1960), Article 27.
38 Ibid, Article 28.
39 Ibid, Article 31(1).
40 Directive 95/46/EC and OECD Guidelines on the Protection of Privacy and Transborder flows of
Personal Data (1980).
41 The Civil Code (n 37), Article 13.
42 Ibid Articles 2053 and 2054.
43 Proclamation No. 185/1961, Criminal Procedure Code of Ethiopia (Negarit Gazeta 1961).
44 Article 32 of the Criminal Procedure Code of Ethiopia under the umbrella of ‘Searches and
seizures’ reads: “Any investigating police officer or member of the police may make searches or
seizures in accordance with the provisions which follow: (1) No arrested person shall be searched
except where it is reasonably suspected that he has about his person any articles which may be
material as evidence in respect of the offence with which he is accused or is suspected to have
committed. A search shall be made by a person of the same sex as the arrested person. (2) No
premises may be searched unless the police officer or member of the police is in possession of a
search warrant … where: (a) an offender is followed in hot pursuit and enters premises or disposes
of articles the subject matter of an offence in premises; (b) information is given to an investigating
police officer or member of the police that there is reasonable cause for suspecting that articles
which may be material as evidence in respect of an offence,… are concealed or lodged in any place
and he has good grounds for believing that by reason of the delay in obtaining a search warrant
such articles are likely to be removed.”
45 Ibid.
46 Proclamation No.590/2008, Freedom of Mass Media and Access to Information (Federal Negarit
Gazeta 2008), Articles 12(1) and 15.
47 Ibid, Article 16(1).
48 Ibid, Article 2(18).
49 Birhanu 2009, p. 42.
50 Draft Ethiopian Data Protection Act (Version 1.1, 7 May 2009).
In its definitional part, the draft data protection law defines the key
terms, including personal data. Under Article 1(E) of the draft data protection
law, personal data is defined as:
data which relate to a living individual who can be identified: i) from those data, or ii) from
those data and other information which is in the possession of, or is likely to come into the
possession of, the data controller, and includes any expression of opinion about the individual
and any indication of the intentions of the data controller or any other person in
respect of the individual.
This definition is broad enough to include any data that relate to an identifiable living
individual. Any data can be considered personal data so long as we are able to
link the data to an identifiable individual. The definition is silent on whether data related to an
identified individual can be viewed as personal data. However, one can still argue
that if data related to an identifiable person (who can be identified through the use
of one or a combination of such data) is treated as personal data, data about an
identified person must be personal data for even stronger reason. In this regard, the EU
Data Protection Directive has made it clear by saying that personal data means any
information related to an identified or identifiable individual.51
With a view to according protection to personal data, the draft data protection law
contains eight governing principles. These principles are fair and lawful processing,
minimality in the amount of data processed (data adequacy and relevancy), purpose
specification, duration of data storage, data quality and accuracy, data security, data
subject participation and control, and adequate protection for data transmitted outside
Ethiopia.52 Any data controller that processes personal data must comply with
these data protection principles. However, the draft data protection law qualifies this
rule with a long list of instances in which personal data can be processed without
observing the data protection principles. For example, personal data processed for
prevention/detection of crime, apprehension/prosecution of offenders, assessment
or collection of tax, regulatory activity, journalistic purposes, artistic activity, etc.
are exempt from the data protection principles.53 Unlike the draft Ethiopian data
protection law, the EU Data Protection Directive has made only a few exemptions
from data protection principles, i.e. national security, journalistic activity, and purely
personal/domestic activity.54 Thus, the long list of exemptions in the draft Ethiopian
data protection law is worrisome unless it is well considered before promulgation.
Like the OECD Guidelines55 and the EU Data Protection Directive, the draft
Ethiopian data protection law embodies provisions for trans-border data flows – the
flow of information outside Ethiopia. The draft data protection law introduces an
EU-kind of requirement for transfer of personal data outside Ethiopia, i.e. ensuring
an adequate level of protection before transfer. It stipulates that personal data may not
be transmitted to another country unless that country ensures an adequate level of protection
for the rights and freedoms of data subjects, or the data subject has consented
in relation to the processing of personal data by the use of a prescribed form
of contract to govern the transfer of the data.56 In fact, the requirement of adequate data
protection for trans-border data flow is made one of the governing principles
of the draft data protection law.
51 Directive 95/46/EC (n 40), Article 2(a).
52 Draft Ethiopian Data Protection Act (n 50), Article 4 and Schedule 1.
53 Ibid, Articles 27–38.
54 Directive 95/46/EC (n 40), Articles 3(2) and 9.
55 The privacy guidelines of OECD represent a consensus position of countries from North America,
Europe, and East Asia as to the basic structure of privacy law. The OECD guidelines 15–18 regulate
trans-border data flows among member states, but the guidelines are silent about the flow of
data outside member states. The guidelines set out eight key principles for the protection of personal
data which have shaped national privacy laws around the globe.
Furthermore, the draft data protection law entrusts the power of data protection
regulation to an already existing federal government organ: the Information
Network Security Agency (INSA).57 In its enabling legislation, INSA is mandated
to formulate national policies, laws and standards to ensure the security of information
and computer-based key infrastructure and to oversee their enforcement.58 In line with
these broad mandates, the draft data protection law makes INSA a data protection
regulator. As data protection regulator, INSA mandatorily registers all personal data
processing entities, save those entities that only do simple processing, and for
domestic use.59 Thus, a data controller which is not included in INSA’s register
cannot process personal data.
In sum, the draft Ethiopian data protection law is intended to fill the deficiencies
of the existing legal framework in relation to privacy protection. While the draft
Ethiopian data protection law was prepared six years ago, and the quest for a comprehensive
data protection law is imperative, it remains a draft
law. If promulgated, it will serve as the main piece of legislation that governs the
protection of personal data in the country.
56 The Draft Ethiopian Data Protection Law (n 50), Schedule 1.
57 Ibid, Articles 6, and 16–26.
58 Proclamation No. 808/2013, Article 6.
59 Ibid, Article 16.
60 ICCPR (n 36), Article 2(1).
with the privacy of individuals, but also take some positive measures, including enacting
a robust personal data protection law, to give effect to the right.
Second, the power of the Ethiopian government has increasingly expanded in
terms of personal data collection, storage and processing in spheres where government
services are provided, in particular in relation to tax collection, immigration,
national identity cards and universities.61 Besides, the Ethiopian government has
increasingly acquired the most advanced surveillance technologies for law enforcement
purposes.62 In the face of these facts, the promulgation of a comprehensive
personal data protection law is decisive to regulate the collection of personal data and the uses of
surveillance technologies.
The third reason pertains to the promotion of electronic commerce. The global
economy has increasingly become dependent upon information technology which
has enabled a growth of international communication and commerce.63 Commerce
now requires the transfer of huge quantities of personal data, largely relating to
employees and customers.64 Thus, personal data increasingly flows across the borders
of different nations around the world. Nonetheless, trans-border flow of personal
data raises privacy concerns. In addressing these concerns, the EU Data
Protection Directive contains rules for trans-border data flows – the flow of information
between different countries.
The EU Data Protection Directive regulates the transfer of data across national
borders in two ways: letting information flow freely within the community, and
imposing the requirement of an adequate level of protection for transfer of data outside
Europe.65 The EU makes the flow of information within the community free by
increasing the level of harmonization, and puts pressure on other countries to adopt
legislation satisfying adequate protection. This means that personal data may only
be transferred to a third country if that country provides an adequate level of protection.
In view of this, the Ethiopian government should enact a comprehensive data
protection law to deal with the European countries in terms of e-commerce, international
trade and investment.
The fourth reason has to do with the recent regional developments in relation to
online activities. The African Union (AU) adopted a Convention on Cyber Security
and Personal Data Protection.66 The Convention covers three major areas of cyber
law: cybercrime, personal data protection and electronic commerce. Importantly,
the Convention requires member states to pass laws protecting data security and
notifying users of risks to their data, and of data transfers to third parties.67 As a
member of the AU, Ethiopia is expected to ratify the Convention anytime soon.
In line with this regional development, the need to adopt data protection law in
Ethiopia is quite clear.
61 Yilma (n 20), p. 7.
62 Ibid 7–8.
63 Solove and Rotenberg 2003, p. 735.
64 Bender and Ponemon 2006, p. 154.
65 Directive 95/46/EC (n 40), Articles 1(1), 25 and 26.
66 African Union, African Union Convention on Cyber Security and Personal Data Protection 2014.
67 Ibid, Articles 18 and 29.
7.6 Conclusion
References
Alebachew Birhanu (2009), Regulatory Legal Regime on the Protection of Privacy and Personal
Information in Ethiopia, Master thesis at University of Oslo.
Aman Assefa (2010), Information and Communication Technology in Ethiopia: Challenges and
Prospects from an A2k Perspective, unpublished.
Amartya Sen (2000), Development as Freedom, New York.
A Westin (1967), Privacy and Freedom, Atheneum Books.
Daniel J. Solove and Marc Rotenberg (2003), Information Privacy Law, Aspen Publishers,
New York.
David Banisar (2000), Privacy and Human Rights, Washington, DC.
David Bender and Larry Ponemon (2006), Binding Corporate Rules for Cross-Border Data
Transfer, 3 Rutgers Journal of Law and Urban Policy No.2.
Fasil Nahum (1997), Constitution for a Nation of Nations: the Ethiopian Prospect, Red Sea Press.
Graham Peebles (2012), The Meles Mystery: Has Anyone Seen Ethiopia’s Prime Minister Zenawi.
Helen Nissenbaum (2010), Privacy in Context: Technology, Policy, and The Integrity of Social
Life, Stanford University Press.
Human Rights Watch (2014), They Know Everything We Do: Telecom and Internet Surveillance
in Ethiopia, Report.
J Neethling et al. (2005), Neethling’s Law of Personality, Butterworth Durban.
James Michael (1994), Privacy and Human Rights: an International and Comparative Study, with
Special Reference to Developments in Information Technology, Dartmouth UNESCO
Publishing.
Kinfe Michael Yilma and Alebachew Birhanu (2013), Safeguards of the Right to Privacy in
Ethiopia: A Critique of Laws and Practices, 26 JEL.
Kinfe Michael Yilma (2015), Data privacy law and practice in Ethiopia, International Data Privacy
Law.
Kinfe Michael Yilma (2014), Developments in Cybercrime Law and Practice in Ethiopia, Elsevier
Ltd, 30 Computer Law and Security Review.
LA Bygrave (2010), Privacy and Data Protection in an International Perspective, Stockholm
Institute for Scandinavian Law.
P Alston (1990), U.S. Ratification of the Covenant on Economic, Social and Cultural Rights: The
Need for an Entirely New Strategy, 84 AJIL.
R Kiwanuka (1988), The Meaning of ‘People’ in the African Charter of Human and Peoples’
Rights, 82 AJIL.
S Bellman and others (2004), International Differences in Information Privacy Concerns: A Global
Survey of Consumers, Columbia Business School, 20 Information Society No.5.
Saheed A. Adejumobi (2007), The History of Ethiopia, Greenwood Press.
Teshale Tibebu (1995), The making of Modern Ethiopia: 1896–1974, The Red Sea Press 1995.
Documents
Report of the Office of United Nation High Commissioner for Human Rights on ‘the right to privacy
in the digital age’ (2014), A/HR/C/27/37.
The World Bank Group (2015), Ethiopia: Poverty Assessment, Report No.AUS6744.
Freedom House (2011), Freedom on the Net 2011: Ethiopia.
African Union Convention on Cyber Security and Personal Data Protection (2014).
Directive 95/46/EC of the European Parliament and of the Council (1995), the Protection of
Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such
Data.
Draft Ethiopian Data Protection Act (2009), Version 1.1, 7.
Extraordinary Issue No. 2/1960, The Civil Code Proclamation of the Empire of Ethiopia, Negarit
Gazeta.
OECD Guidelines on the Protection of Privacy and Transborder flows of Personal Data (1980).
Proclamation No. 185/1961, Criminal Procedure Code of Ethiopia (Negarit Gazeta 1961).
Proclamation No.590/2008, Freedom of Mass Media and Access to Information, Federal
Negarit Gazeta.
Patricia Boshe
Abstract The right to protection of personal data is derived from the individual right
to privacy. Tanzania has had a difficult history in protection of the right to privacy;
from evading its inclusion in the Bill of Rights after her independence to unsuccessful
enactment of the right to privacy and data protection in the draft Freedom of Information
Bill in 2006. In 2013, Tanzania decided to reform her framework for the protection of
personal data and individual privacy. This chapter explores the background to the protection
of privacy in Tanzania and the recent reforms. The chapter also takes a look at
social attitudes to privacy and the legal framework that supports individual claims
to, and protection of, one’s privacy in Tanzania. This overview provides the background
from which the present Draft Personal Data Protection Bill emanates. This is followed
by a textual analysis of the Draft Bill, which describes the weaknesses of the Draft
Bill, from simply omitting one condition for processing to adding a condition to the
Commissioner’s duties that is not usually found in data protection codes.
8.1 Introduction
Tanzania is peculiar when it comes to law reforms and legislation, being a United
Republic of two formerly sovereign States, namely the Republic of Tanganyika and
the People’s Republic of Zanzibar. Tanganyika got her independence on 9th
December 1961 and became a Republic in 1962. Zanzibar got her independence on
10th December 1963 and the People’s Republic was established after the revolution
of Zanzibar of 12th January 1964. The union of the two states took place soon after
the revolution of Zanzibar in 1964 and formed one state, the United Republic of
Tanzania. The union State has two governments, the United Republic government
and the Revolutionary government of Zanzibar. The union did not extinguish the sovereignty
of Zanzibar, because unlike Tanganyika, Zanzibar retained its own
Constitution. The Constitution of the Revolutionary government of Zanzibar
provides for non-union matters.1 This means the United Republic of Tanzania has
two organs of government, both with judicial, legislative and supervisory powers.2
The Union government and its organs have power over the whole territory in all
union matters, while the judiciary of the Revolutionary government of Zanzibar and
the House of Representative have power limited to non-union matters in and for
Zanzibar, with its Constitution of the Revolutionary government of Zanzibar of
1985. However, laws passed by the union parliament cannot apply to Zanzibar without
an express provision on that behalf3 or unless the law relates to union affairs
and only in compliance with the provisions of the union Constitution.4,5 Therefore
Zanzibar has her own laws passed by the House of Representative in Zanzibar.
P. Boshe (*)
Faculty of Law, Passau University, Passau, Germany
e-mail: boshe01@uni-passau.de
In 2013 Tanzania introduced a Draft Privacy and Data Protection Bill. This was
the beginning of reforms in the sphere of data protection legal regulation. The chapter
highlights the reform process and the forces behind the reform in Tanzania. The
current Draft Bill and its status up to the time of preparing this work are also discussed.
The discussion focuses on the data protection standards established
and the Bill's compliance with international best practice. The existence of other legislation
that protects privacy in specific sectors based on the peculiar nature of the sector
concerned is acknowledged. However, this chapter limits its focus to the provisions
of the Draft Personal Data Protection Bill.
Data protection laws regulate practices that are risky or pose potential risk to the
security of personal data and hence personal privacy. Usually, data protection laws
provide guidelines, conditions or rules that inform individuals or institutions
of proper ways of handling personal data to avoid interference with personal privacy.
The rules prevent risks inherent in the processing of personal data, such as
processing of wrong, misleading or inaccurate data, access to or use of personal
data without authorization, and processing of personal data for unauthorized purposes.
Individual attitudes to privacy are determined by different reasons; and no
matter how good the law or legal framework is, personal privacy and data security
remain in the hands of the individual and the legal culture in a specific area.
1 See Maina, C.P and Othman, H. 2006, p. 2.
2 These powers are provided by the Constitution of United Republic of Tanzania under article 4(1) (2)
and articles of Union between United Republic of Tanzania and People’s Republic of Zanzibar
of 1964 article 111 (a).
3 Nchalla, B. M in Mbondenyi, M. K and Ojiende, T., (eds) 2013, p. 15.
4 Articles 64(4) (a) 6 and (5) Constitution of United Republic of Tanzania, 1977 (as amended);
Article 132 (1) (2) Constitution of Zanzibar Revolutionary Government, 1984 (as amended).
5 Union Constitution is the Acts of Union- The treaty which united Tanganyika and Zanzibar. This
treaty was translated into domestic laws in Tanganyika the enacted law is the Union of Tanganyika
and Zanzibar Act of 1964 (Act 22 of 1964) and for Zanzibar is the Union of Zanzibar and
Tanganyika Law 1964. The two laws constitute Constitution of the Union.
8 Data Privacy Law Reforms in Tanzania 163
Quite often individuals complain about the security of their data and breaches of
their privacy by media and telecommunication operators; but the overall
attitude of most Tanzanians displays prudence in neither data security nor personal
privacy. The society, especially the young generation, displays ignorance, specifically
on social media. The volume, range and nature of personal data posted on
social media indicate a lack of individual assessment of the implications of their
actions for their privacy and the security of their data and those of others.
In a survey study conducted in Tanzania on University students’ attitude towards
e-Security, Matti Tedre and Bukaza Chachage discovered that students and staff
members often share their passwords with other students and staff members, and
often lend their virtual identities to each other.6 In this survey, the researchers discovered
that users do not really understand the essence, the very idea of a password.
For instance, one of the interviewees said, ‘[I] feel like password can be given to
anybody. It is cultural’.7 To insist that a password is not really a ‘big deal’, another
interviewee said, ‘like when you go to a Bank, and you are in this ATM queue – like
a very long queue – and somebody comes, sees you very close to the ATM machine,
then he can come and give you the card and the password … it is a cultural thing:
people do not feel one could do something bad with another person’s password’.8
Apart from risks based on individual attitudes, the government and private institutions’
administrative actions create risks to personal privacy. With the considerable
use of ICTs and wireless technology, security risks to personal data and privacy
heighten. Technology has enabled the government to track, profile and surveil
citizens. For instance, in 2009 the Tanzania Communication Regulatory Authority
(TCRA) issued a directive demanding registration of all pre-paid SIM Cards.9 In
2010, the government enacted the Electronic and Postal Communications Act (EPOCA)
establishing the Central Equipment and Identification Register (CEIR) and the mandatory
SIM registration requirement, giving the 2009 directive legal effect.10 Prior
to the directive, subscribers could conduct their communication activities anonymously.
As explained by Kelly and Minges, ‘Africa mobile telephony is largely
pre-paid as such one could access to services anonymously without the need to
submit their credit records, fixed address or any kind of personal information’.11
However, with this directive, every SIM registration becomes a personal identifier.
In turn it enables, for example, the government to trace geographical locations and
monitor subscribers’ communications through a mobile phone. It can also be used
by businesses to send unwarranted location-based promotions and advertisements
through SMS and phone calls, which can be intrusive. SIM registration has led to
wide communication surveillance, and processing of personal data for purposes
unknown and uncommunicated to data subjects, including storing communication
details on behalf of the police and security agencies.12
6 Tedre, M and Chachage, B. 2008.
7 Ibid.
8 Ibid.
9 See TCRA, 2013A; TCRA, 2013B; also on The Guardian, 2010, pp. 1–2; and The Citizen, 2010,
p. 2.
10 The justification offered for the obligation to register SIM is the suppression and detention of
criminal activities, including transborder crimes such as terrorism and regulating inflammatory and
hate speech being spread through SMS. The government says that the SIM registration will also
enable identification of consumers for purposes of value added services, enhance national security
and enable operators to promote the ‘know your customer’. See The Guardian (October 17, 2010);
Mwachang’a, D.; IPP Media (21 February 2013); Makulilo, A.B, Vol No. 17 No. 2, p. 48; and
Hemeson, C. J.
11 Kelly, T and Minges, M., (eds) 2012 Cited in Donovan, K. and Martin, A.
Furthermore, with the SIM registration, identity theft has become common in
Tanzania. Criminals hack and ‘steal’ personal information stored in operators’
databases and use the information for criminal activities implicating data subjects. The
common crimes include blocking the user of communication services for a limited
time and using the services at the data subject’s expense, or using the data subject’s
credentials and phone number to fraudulently collect money in the data subject’s name
or on their behalf. This has raised a lot of questions regarding SIM registration and
personal privacy and data security in Tanzania.13
Yet, the re-establishment of the East African Community (EAC) calls for sharing
of SIM registration databases between member States.14 This is happening when
there is neither a legal nor a regulatory mechanism to regulate personal privacy and
data security between and within member States. At the domestic level, none of the five
members has a comprehensive framework for data protection. Kenya has a bill;
Tanzania, Rwanda and Uganda have draft bills; and Burundi has none.
In 2014 the UK-based Vodafone (with a subsidiary in Tanzania) reported having
received the highest number of phone (both data and voice) interception requests from
the government of Tanzania.15 According to the report, in 2013, Tanzania alone
reported 98,785 interception contents of voice and data communications. There are
also reports on the existence of wiretapping devices connected directly to providers’
networks to facilitate listening to and recording of live conversations and, in certain
cases, tracking the whereabouts of subscribers.16
There are laws in Tanzania allowing for surveillance and interception of
communication in certain incidents. Interception is mainly allowed to preserve national
security and public safety. In this context, the Constitution, under article 30 (2),
permits interception and surveillance of communication to prevent persons or
activities that potentially threaten national security or public safety, even if it means
infringing fundamental rights and freedoms guaranteed by the same Constitution.
This Constitutional provision forms a foundation of other laws that allow for
surveillance, monitoring and interception of communications in events that suggest a
threat to national security or public safety. The laws include the National Security
12 Donovan, K. and Martin, A, supra note 11.
13 Makulilo, supra, note 10, p. 12; see also Boshe, P., Vol. 20 No. 3, 2014.
14 Sato, N. 2013.
15 Vodafone Law Enforcement Disclosure Report 2014.
16 Business Times, Friday, 27 June 2014, ‘Phone interception: Tanzania to Land in Court?’, by
Mnaku Mbani.
17 Cap 47 [RE:2002].
18 Cap 19 of 2002.
19 See also section 42 of the Prevention of Terrorism Act.
20 Cap 15 of 1996.
21 Section 98(2) and 99 EPOCA.
22 EPOCA (Telecommunications Traffic monitoring System) Regulation 2013.
law enforcement officer receiving the disclosure; or use such information to the
extent that such use is necessary for the proper performance of official duties’.23
Requests to surveil, intercept or tap personal communications under the
above laws create a legal obligation for telecommunication providers or network
operators. It follows, therefore, that a refusal by an operator or communication provider
to surveil, intercept or install an intercepting device on the operator’s network amounts
to interference with investigation and a threat to national security. Indeed, section
152 (3) (b) (c) of EPOCA and section 22 of the Cyber Crimes Act provide for imprisonment
or a fine for a person who intentionally and without lawful cause refuses to assist or
fails to permit an interception order.
The Cyber Crimes Act further establishes a regime for communication, monitoring
and surveillance. Part II (sections 4–10) enacts offences such as illegal interception
through technical means, data transmission, damaging computer systems and
computer data, or interfering with personal usage of computer data. This includes
activating, installing or downloading a program that is designed to mutilate,
remove or modify data. The law has also introduced a new offence, ‘data espionage’;
this is when a person, intentionally and without lawful cause, obtains
computer data protected against unauthorized access. Furthermore, the Act penalizes
any ‘service provider who receives an order related to a criminal investigation
which requires confidentiality and intentionally without lawful cause discloses
anything that relates to that order’.24 The law also prevents service providers from
monitoring or surveilling the data they transmit, even when seeking facts or circumstances
indicating unlawful activities.25
Although in the above context the laws allow for surveillance, interception, and
tapping of communication, there are government surveillance and interception
activities which are questionable. They are questionable because it is difficult to
place them squarely in any of the above legal categories for surveillance and
interception of communication. The manner and means used seem to fall outside the
described legal contexts. For instance, the cloning of websites to control contents;26
at least five cases of website blocking and interference have been reported.27 The
government also installs sophisticated devices to censor and control contents in
social media sites.28 Furthermore, the 2015 Cyber Crimes Act came with several
public announcements warning the public of TCRA’s new mandate to monitor and
filter communication contents in pursuit of cyber criminals and pornographic contents
sent or shared through social media such as WhatsApp, Facebook and others.
23 Section 121 (b) (i) (ii) EPOCA.
24 Section 21.
25 Section 38 (1) CCA.
26 Allen, K.
27 APC and Hivos.
28 Nalwoga, L., 2014, p. 243.
29 The Executive Agencies Act Cap 245 of 2010.
30 World Bank. 2002.
31 Mbote, K. 2013.
United Republic of Tanganyika and Zanzibar of 1964.32 This was the third
Constitution of Tanganyika and the first Constitution of United Republic of
Tanzania. In 1975 the Interim Constitution was amended.33 The amendment
introduced a single party political system (with party supremacy). This necessitated a
merger of two ruling parties (TANU in Tanganyika and ASP in Zanzibar) to form a
single party. The merger gave rise to a new party, Chama Cha Mapinduzi (CCM) in
1977. In the same year, Tanzania adopted its fifth and permanent Constitution,
namely the Constitution of United Republic of Tanzania of 1977.34
The 1977 Constitution included the Bill of Rights, but in the preamble.
Normally, under the common law tradition which Tanzania follows, preambles
have no legal force; hence no one could enforce any right enshrined in the preamble.35
The inclusion was a response to mounting criticism by the international society of
Tanzania’s failure in her obligations under the UNHRC. Jennifer Widner36 explains
that the inclusion of the Bill of Rights was a way for Tanzania to illustrate her
commitment to human rights since she used the umbrella of human rights to achieve her
political goals such as the ‘use of human rights language to galvanize international
opinion against Idi Amin of Uganda (to help expel his forces from Tanzania). Widner
continues that the Constitutional amendments proposed in 1982 had heightened fears
about Zanzibar’s autonomy, where leaders emphasized that prior to unification;
citizens had been protected by a Bill of Rights’. Yet it is a fact that Tanzania was
involved in the development of the African Charter on Human and Peoples’ Rights; as such, it
was absolutely necessary for her to portray her commitment to individual rights.
In 1984 the Constitution was amended for the fifth time.37 The Fifth Amendment
gave the Bill of Rights force of law by introducing a new part 3 containing
Fundamental Rights and Individual Duties. Sadly, the implementation of the Bill of
Rights was suspended for 3 years, as Christof Heyns puts it, ‘to allow the
government put its house in order, repealing or amending laws which were likely to
conflict with the Bills of Rights’.38 In March 1988 the Bill of Rights became operational,
with the right to privacy among the guaranteed and protected rights. The same Bill of
Rights was adopted in the Constitution of Revolutionary Government of Zanzibar in
1985. The right to privacy is provided under article 16 (1) (2) of the United Republic
of Tanzania Constitution. The Revolutionary Government of Zanzibar Constitution
provides for the right to privacy in pari materia under its article 15 (1) (2) of the
United Republic of Tanzania Constitution.
The Constitutional right to privacy is not absolute and its implementation
depends on other pieces of legislation to provide for the substance of the right and
32 This was through Act no. 43 of 1964.
33 Amendment was done through Interim Constitution of Tanzania (amendment) Act of 1975.
34 This is the current Constitution although several amendments have been made to it since its
adoption to accommodate socio-political and economic changes.
35 Heyns. C. 1999, p. 284.
36 Widner, J., 2005.
37 This was through Act No. 15 of 1984.
38 Heyns. C., supra note 35, p. 282.
Precisely 10 years after the inclusion of the Bill of Rights into the Constitution,
the government enacted a law to enforce the rights. The Basic Rights and Duties
Enforcement Act,40 enacted in 1994, provides for mechanisms and procedure to
enforce the Bill of Rights. Section 1 (2) of this Act provides for the scope of
application, stating: ‘this law applies to mainland Tanzania and Zanzibar in all suits relating
to enforcement of Constitutional basic rights, duties and related matters’.41 The Act
is basically a procedural law setting rules on composition of the judges, the majority
rule in decision making,42 the mode of instituting a complaint43 and the proper forum
for redress.44
Surprisingly, the Act introduces a provision limiting the power of the High Court
to enforce the Bill of Rights. The provision states, ‘where the Court is satisfied that
individual rights have been infringed by an action or law it should not pronounce
such an act or law as being unconstitutional or invalid rather it should allow the
Respondent or specific authority to rectify the infringement. If a law is in conflict
with the Bill of Rights the Court should not declare such law as being invalid or
unconstitutional. Such law will remain valid until the parliament amends or repeals
it’.45 The provision itself goes against the Constitution, as article 65 (4) of the
Constitution empowers the High Court to declare any law unconstitutional or void.
Interestingly, the Constitution was then amended, introducing article 30(5),
in pari materia with section 13(2) of the Act. The article requires the High Court not to
39 See Article 16 (2) and 15 (2) of the Constitution of United Republic of Tanzania and Constitution
of Revolutionary government of Zanzibar respectively.
40 Act No. 33 of 1995.
41 Parallel to this provision, the Constitution of Revolutionary Government of Zanzibar provides,
under article 25A, procedure for enforcement of the basic rights and duties in Zanzibar.
42 Section 10.
43 Section 5.
44 Section 4.
45 Section 13(2).
declare any act or law void or unconstitutional even when its determination is to that
effect. Instead the court is required to afford the infringing organ an opportunity to
rectify the infringement. Luckily, the judiciary resisted and declared the provision
an obstacle in pursuit of individual rights and freedom.46 In 2000, as a result of
the judicial stance, it was declared that through article 65(4) of the Constitution, the
judiciary has the final say on matters of determining rights and duties according to law
and justice; however, article 30 (5) was not deleted from the Constitution.
No substantive law on the rights and basic duties (or right to privacy) has ever
been enacted to provide context or substance of the rights. As a result most people
end up airing their grievances, anger, dissatisfaction and concerns in blog
discussions and other interactive social media. A few resort to newspapers.47
The Constitutional right to privacy is further limited by article 30 of the Constitution.
This section allows enactment of any other law in violation of the Bill of Rights in
the interest of the general public (such as public safety, to maintain public morality,
in the process of rural or urban planning or exploration of other interests), in
execution of a Judgment or Court order, or in protecting the reputation, rights and freedom of others.
Also, the Constitutional right to privacy is not to be exercised in interference with
rights and freedoms of other people.
In 2002 the government of Tanzania once again amended her Constitution, for the
13th time. Through this amendment, the Constitution established the Commission
for Human Rights and Good Governance. The Commission was established as the
national focal point for the promotion and protection of human rights, duties and
good governance. According to section 3 the Commission has a mandate in both
Tanzania mainland and Zanzibar.48 Regrettably, the Commission brought no changes
on the right to privacy as with the other rights.49 Even in her submissions to the
United Nations General Assembly, Tanzania’s report did not include the right to
46 In 1998 the Court of Appeal of Tanzania stated that section 13 (2) of the Basic Rights and Duties
Enforcement Act seeks to circumscribe the powers of the High Court in dealing with issues of
fundamental rights and duties. The Court departed from section 13 (2), despite its duty to give effect
to plain words. The Court opined that it would be meaningless for the Courts to refrain from
declaring laws or actions that go against human rights as void or unconstitutional. Further,
enforcing this provision is a contravention of article 107A (2) (b) of the Constitution of United
Republic of Tanzania. See also Adam Mwaibabila v. The Republic, High Court of Tanzania at Dar
es Salaam, Miscellaneous Criminal Case No. 1 of 1997, unreported; see also A.G v. Christopher
Mtikila [1995] T.L.R 3.
47 One such instance was featured in Arusha Times with the headline ‘SIM card registration now
viewed as spying move’. The Citizen also published a complaint letter from a reader titled, ‘Airtel
are bothering me with unwanted text msgs’. The reader, being annoyed by promotional text msgs,
said the telecom company is invading his privacy, urging the company to provide an ‘opt in/opt-out’
choice to avoid annoying their customers (More on m-marketing article)…. Other publications on
concerns over privacy breaches include ‘the Big Brother is Watching You’ in Daily news of 12th
February 2009.
48 Section 3.
49 In the National Report on Tanzania Human Rights Institutions submitted to the Human Rights
Council for Universal Periodic Review, the Commission is shown to have dealt mainly with
maladministration issues than personal rights. [see UNGA., Reports of 2011].
privacy among the key national priorities, initiatives and commitments she undertook
to improve.50 More surprising is the fact that the UN summary of
recommendations on Tanzania’s report did not show any concern about the report’s omission of the
right to privacy. This is despite the fact that the UN Recommendation report
contains a section titled ‘Right to privacy, marriage and family life’, which makes no
mention of the right, in either the situational analysis or the recommendations for
improvement.51
This indicates, as Makulilo asserts, ‘privacy is less prominent a public issue in
Tanzania’.52 He agrees, however, that there is a growing concern over privacy which
is reflected in isolated cases, citing an example of the debates that emerged
during the introduction of compulsory SIM card registration in 2009. Perhaps Makulilo’s
assertion reflects the outcome of the first ever case to reach the court. This was
in 2004. It was a case where a local newspaper used images of a young lady, namely
Siah Nyange. Miss Nyange participated in the Miss Tanzania beauty pageant. The
newspaper used her images for commercial advertisement without her knowledge
or consent. Miss Nyange instituted a civil suit for violation of her right to privacy.53
Many had hoped that the court would, for the first time, lay down some basic principles or
guidelines underlying the protection of privacy in Tanzania. Unfortunately, the court
did not adjudicate the case to its finality, as the newspaper company requested to
settle the matter out of court and ended up compensating Miss Nyange.
The Media Council of Tanzania is so far the only forum which went a step further
in asserting the right to privacy. This was in the conciliation case of Mkami Kasege and
Ismail Msengi v. Risasi.54 In this matter, the complainant approached the Council
claiming violation of her right to privacy and damage to reputation caused by a false
and malevolent publication by a local newspaper, namely, Risasi. The Newspaper
50 UNGA, National Report Submitted in accordance with para 15(a) of the Annex to the Human
Rights Council Resolution 5/1- United Republic of Tanzania, Geneva, 3–14 October 2011, p. 5.
51 UNGA, Summary Prepared by the Office of the High Commission for Human Rights in
accordance with paragraph 15 (c) of the annex to Human Rights Council Resolution 5/1, Geneva, 3–14,
2011.
52 Makulilo, A. B. 2012, p. 534.
53 Siah Dominic Nyange v. Mwananchi Communications Ltd, Civil Case No. 155 of 2005, the
Resident Magistrate Court of Dar es Salaam at Kisutu (unreported).
54 Conciliation Case No. 1 of 2005, 1997–2007, MCT 111. The Resident Magistrate Court of Dar
es Salaam at Kisutu (unreported): A complainant instituted a claim against Risasi newspaper for
publishing her semi-nude photographs. The article concerned alleged that the complainant was
involved in an adulterous act against her husband. The complainant, who is a University lecturer,
was concerned about the photographs which were published as being invasive of her privacy and
damaging to her reputation. The Council’s conclusion was that the allegations were false and in
violation of privacy and the code of ethics for media professionals. The Council explained further that,
even for public figures, it is only acceptable to intrude into one’s privacy when it is absolutely
necessary for public interest. The Council then ordered the editor of the newspaper to retract the story,
apologize to the complainants and pay the costs of the case incurred by the complainants. Sadly,
the Council’s decision and orders were ignored. Perhaps because the Council is only a voluntary,
self-regulatory body without powers to issue legally binding decisions. It has only reconciliatory
powers.
published an article saying the complainant was involved in extra-marital affairs and
had been caught red-handed. This article was followed by another publication by
the same newspaper claiming the complainant tried to commit suicide out of shame.
The publications were accompanied by semi-nude photos of the complainant, which
devastated the complainant and which she considered to be in violation of her
personal privacy. The Council summoned both parties for the hearing but the
representatives from the Media Company did not attend. This forced the Council to continue
ex parte with the Complainant. The Council decided in favor of the complainant
based on the Code of Ethics for Media Professionals. The newspaper was found in
breach of the complainant’s privacy. The Council ordered the newspaper to issue an
apology to the complainant, retract the story and pay the costs incurred by the
complainant. Sadly, the Media Council of Tanzania, being a voluntary, self-regulatory
body, can only reconcile parties; it has no powers to issue a binding legal decision.
Hence the Media Company ignored the order and the matter ended with no
reparation to the Complainant.
Motivations for the Reforms
The National ICT Policy suggests reforms in the present legal framework for
privacy and data protection, cyber-crimes, e-commerce and e-contracts.55 This is the
first plea for legal and regulatory reforms in the area of privacy and data protection.
The policy explains the importance of ICTs for economic development. The
policy also cautions of the weakness of the legal framework for the protection of
personal data, privacy and e-consumers, and for prosecuting cyber-crimes in the virtual world.
Tanzania made an assessment of her laws and their adequacy in the era of
information systems. On privacy and data protection it was resolved that the existing laws,
including the Records and Archives Management Act,56 which provides the legal
framework within which records and archives should be managed, needed to be
reviewed, taking into account electronic record issues as well as access to
information and data protection.57 In essence there was a need for a law to secure personal
data and activities in cyberspace so as to allow electronic transactions to achieve
economic growth.
At the regional level, Tanzania is a member of the East African Community
(EAC) and the South African Development Community (SADC). In 2006 the
Council of Ministers of the EAC launched an eGovernment programme. The
programme discussed strategies for legal reforms to facilitate secure online transaction.
The Council suggested reforms of the Regional and national legal framework to
55 URT, 2003; Paragraph 3.5.
56 Act No. 3 of 2002.
57 URT, Proposal for Enacting Cyber Laws in Tanzania, Dar es salaam, January 2013, p. 3.
ensure security in online transactions and interactions. This is part of the East
African Development Strategy (2011/12–2015/16). One of the key drivers in the
realization of the EAC regional integration agenda is, among others, creation of a strong
legal framework to realize the full potential of regional eTransactions. The Council
created the EAC Task Force in 2008 to implement Council resolutions. The Task Force
developed two instruments on the Legal Framework for Cyber Crimes, phase I and II, in
2008 and 2010 respectively. Phase I suggested legal reforms on eTransaction,
Cyber-Crimes, Consumer Protections, Data Protection and Privacy. Phase II
suggested legal reforms on Intellectual Property Rights, Competition, Taxation.
On privacy and data protection, recommendation 19 of the Phase I instrument
states:
‘The Task Force recognized the critical importance of data protection and privacy and
recommends that further work needs to be carried out on this issue, to ensure that (a) the privacy
of citizens is not eroded through the Internet; (b) that legislation providing for access to
official information is appropriately taken into account; (c) the institutional implications of
such reforms and (d) to take into account fully international best practice in the area’.
Unlike the other Regional instruments, the EAC Frameworks do not provide any
framework or model law for member states to draw inspiration from. They merely
give recommendations for member states to reform their legal frameworks based
on international best practice. On other legal topics, the Framework has attached, as
annexes, some models as examples of best practice. However, for unexplained
reasons, on privacy and data protection, the Framework neither suggested nor
attached a sample model considered as international best practice. On the other
hand, SADC adopted the SADC Model Law on Data Protection. The main objective of
the model is harmonization of the data protection laws of member states. The Model
Law adopts a comprehensive framework for data protection, similar to that of the
EU Directive.
In 2013 Tanzania embarked on the legal reform process with the aim of
transposing the SADC Model law into a domestic law. Besides the drive from the National
ICT Policy and Regional recommendations to reform, Tanzania received support
from HIPSSA.58 Through the HIPSSA project and with financial, technical and
expert support from ITU and the European Commission and European Union,59
Tanzania produced her first comprehensive data protection law. The law was drafted
within the six identified areas that needed legal reforms; these include computer
security against unauthorized access or modification, data protection, guidelines for
processing personal data, legal recognition of eTransactions and eCommerce, a
framework for legal obligations for online suppliers and protection of online consumers,
and retention of electronic records.60
Prudence dictates a little explanation on the route taken in drafting the Draft
Personal Data Protection Bill. In Tanzania, all legal reforms are vested under the
58 The Support for the Harmonisation of the ICT Policies in Sub-Saharan Africa project.
59 ITU., 2013.
60 Ministry of Communications, Science and Technology, 2013.
Before looking at the present Draft data protection Bills drafted with the support
of HIPSSA, it is important to provide a little overview of the unsuccessful attempt to
legislate data protection through the Freedom of Information Act Bill of 2006. This
Bill stated its objectives to be (a) to make provision for the right to access to
information, (b) promotion and protection of individual privacy, (c) protection of
reputation, (d) protection of journalists and their confidential sources of information, (e)
protection of minors, and (f) regulation and promotion of broadcasting.
The framework for the protection of personal data was created under Part VII-X
of the Bill. The framework established by the Bill exempted private institutions
from its application; it confined its application to public bodies only. This is
surprising and conflicted with the main objective of the Bill, which stated the scope of the Bill
to extend to both private and public bodies.63
In substance, the Bill contained some obvious omissions in effecting protection
of personal data and privacy. The Bill did not provide for necessary working
definitions such as ‘data’, ‘personal data’, ‘data subject’, ‘data controller’ and ‘data
processor’, ‘filing system’, ‘processing’, ‘consent’, ‘security measures’ or ‘third party’.
In the context of data protection, the Bill only defined ‘commissioner’ as privacy
61 Section 4 Act no. 11 of 1980 [RE:2002].
62 The selected stakeholders include the President’s Office – Planning Commission, the Ministry
of Constitutional Affairs and Justice, the Ministry of Finance-Mainland, the Ministry of Finance
Zanzibar, the Ministry of Science and Technology, the Ministry of Communication and
Transportation, the Ministry of East African Community Cooperation, the Tanzania Bankers
Associations (TBA), Commercial Banks, Mobile Network Operators (Vodacom, Airtel, Tigo,
Zantel), Savings and Credit Cooperatives Union League of Tanzania (SCULLT), Tanzania
Association of Micro Finance Institutions (TAMFI), The Fair Competition Commission (FCC),
Tanzania Consumer Advocacy Society, Tanzania Revenue Authority (TRA), Tanzania
Communication Regulatory Authority (TCRA), and the Financial Intelligence Unit. See the
Ministry of Communications, Science and Technology Report, supra note 60.
63 Section 2 (1) (3).
64 See section 4.
65 Section 82.
66 Section 79 (2) (a) (b).
67 Section 79 (1)(2).
68 Section 82 required a public authority to process data only when such data is complete,
accurate, up to date, relevant and not misleading.
69 Section 85 (a) required a public authority to impose reasonable security measures against loss,
unauthorized access, use, modification, disclosure or misuse.
70 Section 87 (1) allowing the data subject to access/inspect personal data and request correction or
updating of data to suit the purpose for which the data is held.
71 Section 86.
72 Section 81 (3).
has no power to issue sanctions for infringement; instead section 100 requires him
to provide the chief executive officer of the public authority in breach with a report
on findings and recommendations, requesting him to report back to the
commissioner on any action taken or proposed to be taken to implement the
recommendation. In case the complainant is not satisfied by the proposed rectification, or
by the rectification or the promptness in rectification made by the respondent on the
complained breach, s/he can channel the dissatisfaction by seeking judicial review.73
The commissioner is also required to promote the right to privacy in cooperation and
in consultation with other bodies concerned with privacy, undertake research
activities into, and monitor development of, data protection systems and control any
adverse effect of such development on the privacy of individuals. The commissioner is
protected against civil and criminal proceedings for anything done, reported or said
in good faith in performance of his duties as the commissioner.74 The
commissioner is required to report his activities to the parliament on an annual basis.75
Although the privacy commissioner’s functions are limited to part VIII of the Bill,
there is an overlap of functions between the data protection commissioner and the
Media Standards Board in enforcement of the Bill.76 It is not clear how this aspect
was expected to be harmonised in practice.
The commissioner’s independence was expressly provided for in the Bill only in
section 88 (1), which provided for establishment of an independent office of the
privacy commissioner; no other provisions guaranteeing the commissioner’s
independence existed. In the same line, the Bill did not state from which source the
commissioner was to be remunerated or from which funds the office of the commissioner
was to be run. The Bill was not passed into law; not because of the weakness of the
privacy framework but because journalists criticised it as being too curtailing of
freedom of information.
Through the HIPSSA project, Tanzania drew up its first comprehensive data protection law. The first
draft was the ‘Draft Privacy and Data Protection Bill 2013’. The Bill was reviewed
between local experts and the ITU expert and, after several consultations and
amendments of the draft, it was agreed that the Bill should be renamed ‘Draft Personal
Data Protection Bill’. This was in 2014; and this is the current Draft for Personal
Data Protection Bill 2014, which transposes the SADC Model Law. The 2014 Bill is
the same in substance as the 2013 Draft Bill except for the provisions relating to
whistleblowing and trans-border data flow. The changes made to the former Draft
Bill were made to reflect the three regimes of which Tanzania is a member: the East
73 Section 100 (4).
74 Section 105.
75 Section 102.
76 See further section 58 on the functions of the Media Standards Board.
African Community (EAC), SADC, and the African Union (on the cyber law
framework).77
Purpose and Scope. The draft Protection of Personal Data proposes a
comprehensive framework for data protection in Tanzania. The Bill applies to Tanzania
mainland only (Zanzibar excluded). The Revolutionary Government of Zanzibar is yet to
embark on data protection reforms. The aim of the Bill is to secure personal data
for purposes of protecting the right to privacy of individuals with respect to their data.
The Bill has seven parts, including the preliminary provisions, conditions for lawful
processing, data protection commissioner, data protection register and data
protection bureau, investigation and complaints, miscellaneous provisions and
trans-border data flow, and three schedules.
The Bill applies to processing of personal data in both public and private sectors
whether or not the processing is by automated means. It does not matter whether the
processing is performed wholly or partly by automated means.78 It is not very clear
whether the Bill applies to juristic persons, as the definition of personal data is too
general. Personal data is defined as ‘data about an identifiable person that is
recorded in any form’.79 The use of the term ‘identifiable person’80 makes it difficult
to ascertain whether it extends to juristic persons or even dead persons. The
definition of data subject does not offer much assistance either; it refers to a data subject as
‘an individual who is subject of the processing of personal data and who is identified
or an identifiable person’.81 The Bill applies to data notwithstanding format or
media, and whether printed, taped, filmed, by electronic means or otherwise.
According to the Bill, data can be in the form of a map, diagram, photograph, film,
microfilm, videotape, sound recording or machine readable record.
Conditions for Lawful Processing The Bill categorises data processing into two;
processing of personal data in general and processing of sensitive personal data. The
Bill lays down the usual principles/conditions for lawful processing of personal data
and restricts processing of sensitive personal data. It also provides for exceptional
circumstances where sensitive data can be processed. The condition for processing
of personal data includes lawfulness,82 transparency, use limitation,83 purpose
77 Ministry of Communications, Science and Technology, supra note 60, p. 9.
78 Section 5 (4).
79 Section 4.
80 Section 4 defines identifiable person as follows: ‘“identifiable person” is an individual who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity. To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used either by the controller or by any other person to identify the said person’.
81 Section 4.
82 Section 6.
83 Section 9.
The conditions for processing apply to every processing action a person takes on personal data. Apart from these conditions, the Bill does not set any other administrative condition prior to processing of personal data, such as giving notice to the data commissioner. However, it contains a notorious omission. The Bill neglects the role of consent in processing personal data. Under the Bill, as long as the above-mentioned conditions are adhered to, a data controller can process personal data without the data subject’s consent. The data controller is only required to inform the data subject of the purpose of collection, of the fact that collection of data is for authorised purposes or purposes authorised by law, and of the intended recipients.89 Despite consent being the central determinant of legality of processing activities in international codes and practices, the Tanzanian Bill fails to acknowledge its relevance in the protection of personal data. The only time the data subject’s consent is required in the Bill is when a data controller wants to process data for purposes beyond the initially communicated purposes.90 This omission exists notwithstanding the fact that the Bill is basically modelled after the SADC Model, which drew inspiration from the EU Directive on data protection, insisting on the importance of data subject consent as the main condition for lawful processing of personal data.91
The Bill prohibits processing of sensitive data.92 Sensitive data can only be processed when it is necessary to undertake a legal obligation (for instance under employment laws or in promotion of human rights), when the data subject has given consent to the processing, or when such data has been made public by the data subject.93
84 Sections 10 and 11.
85 Section 8.
86 Sections 7 and 14.
87 Sections 12 and 13.
88 Section 15.
89 Section 7 (2) (a) (b) (c).
90 Section 9.
91 Article 7 of the Directive states, ‘Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent….’. Again Recital 30 to the Directive states, ‘Whereas, in order to be lawful, the processing of personal data must in addition be carried out with the consent of the data subject….’
92 Section 4 of the Draft Bill categorises sensitive data into two categories. The first category includes genetic data, data related to children, data related to offences, criminal sentences or security measure, biometric data as well as, if they are processed for what they reveal, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender and data concerning health or sex life. The second category comprises any personal data otherwise considered by Tanzanian law as presenting a major risk to the rights and interests of the data subject, in particular unlawful or arbitrary discrimination.
93 Section 16 (2).
However, depending on the nature and extent of sensitivity of the data, the
commissioner may still prohibit the processing of such sensitive data regardless of
the consent to process given by the data subject.
Exempted Activities The Bill lists activities exempted from its application. These include activities in preservation of national security, public safety, crime prevention, investigation and prosecution, in an instance of violation of a code of conduct in the case of the legal profession, and for literary and journalistic expression and journalism.94 However, the Minister is empowered to add activities to the list through a regulation, but only activities performed by public bodies. Surprisingly and contrary to the usual practice, the Bill has not exempted individual processing of data for purely personal, family or domestic purposes. This means activities such as creating a phone book in a mobile phone, keeping a diary containing references to friends, partners and workmates, or domestic grocery lists are subject to the law. This means that the data protection commissioner is involved in issues arising in private processing of personal data for one’s own personal, family or domestic purposes.
Direct Marketing and Advertisement The Bill prohibits processing for purposes of direct marketing. This includes mobile marketing, usually done by telecom companies to advertise their products and promotions, by emails or other electronic means.96 A data controller is prohibited from using personal data to advertise or promote his business or from transferring it to a third party for that purpose. The only instance in which personal data can be used for marketing purposes is when the data subject has consented to their data being used or shared with others for promoting business or commercial advertising. In such an instance the data subject must be informed of the identity of the data controller and given all necessary information on the product to allow him/her to make an informed decision.
Although the Bill does not establish a concrete regime for processing for the purpose of direct marketing, apart from a mere prohibition, other laws and regulations erect such a regime to supplement the Bill. The Consumer Protection Regulation 2011 made under the Electronic and Postal Communications Act of 2010 provides for that regime. The Regulation requires the collection of personal data for direct marketing to adhere to the usual data protection principles.97 In addition, the data controller must identify himself to the data subject and give a breakdown of the total cost of the product or services that is the subject of communication.98 The essence is to allow the data subject to decide whether to opt in or opt out. Together with the Consumer Regulation is the Electronic Transaction and Electronic Contract Bill 2014, which obliges service providers to establish opt-in and opt-out registers to allow consumer choice. The ETECB fills the gap left by the Regulation and the Personal Data Protection Bill, as both have failed to impose a requirement for establishing opt-in and opt-out facilities for this purpose.
94 Section 17.
95 See section 4 (1) (2) and schedule II.
96 Section 3 (1) and Schedule I.
Rights and Duties The Bill provides for data subjects’ rights and data controllers’ duties in the implementation of the Bill. The data controller has a duty of, and is accountable for, adherence to and enforcement of the data protection principles.99 S/he is also accountable for the integrity and strict rules of confidentiality on personal data. This duty extends to third parties processing personal data for or on behalf of the data controller and whoever has knowledge of processing of such personal data.100 On the other hand, data subjects have the right to access their information held. This right gives data subjects a further right to inspect the data and (if desired) request correction or amendment of inaccurate, misleading or false data and erasure of irrelevant data. Data subjects have the right to know the identity of the data controller and any third party to whom data may be transferred. A data subject has a right to object to processing of their personal data altogether on legitimate grounds.101 In relation to the right to erasure and amendment of personal data, the Bill has introduced an unusual clause which requires data controllers, when making amendments of personal data upon request by data subjects, not to delete the record of the document as it existed prior to the amendment.102 The intention of this clause is unclear; however, it derogates from the overall essence of the data subject’s right to participate in protection of his/her data and privacy. What then is the aim of allowing a data subject to rectify or delete irrelevant or misleading data if such data remains in the hands of a third party? The Bill is silent on the treatment of the retained data and places no obligation on the controller to inform the data subject of the fact that a copy of the deleted data remains in the controller’s database. The reason for allowing the data subject’s access and amendment or erasure becomes redundant. Furthermore, looking at the definition of processing under the Bill, processing includes storage. It follows then that when a data controller deletes data (upon the data subject’s request) but retains the ‘deleted’ data, s/he is in breach of the data subject’s privacy. Bygrave puts this in clearer terms, saying that contravention of one’s right to privacy occurs when ‘the data in question reveal details about the data subject’s personality (eg, his/her preferences), are processed without the latter’s knowledge or consent, and the processing potentially casts the data subject in a negative light or could result in a restriction of the data subject’s freedom of choice. These principles would seem to apply regardless of whether the information is processed automatically or manually’.103 Legality in processing personal information is centred on the subject’s knowledge of the existence of his information in the data controller’s database and consent to the processing of his/her information for a certain purpose. In this case there is neither knowledge nor consent of the data subject to retain the data.104 This section not only obliterates the security of personal data provided within the Bill itself, it also interferes with a sphere of a person’s life in which he or she can freely choose his or her identity.
97 Regulation 6 (2).
98 Regulation 7 (4).
99 Section 15.
100 Section 45.
101 Section 14 (1) (2) and Schedule II.
102 Section 14 (3).
The Data Protection Commissioner The Bill establishes the office of the data protection commissioner as an independent body to oversee the implementation of the Bill.105 Section 21 (2) of the Bill insists on the commissioner’s independence from the influence of instructions of any other public or private entity. The commissioner is further protected from criminal and civil prosecution for anything done in good faith and in the course of the exercise/performance of his duties as a commissioner. His duties can be categorised into four major clusters. The first cluster is monitoring compliance with the law; the second is promoting public awareness of the law and monitoring developments affecting data protection. This includes looking into and acting upon matters, laws, regulations, procedures and activities affecting or which may potentially affect protection of personal data and privacy rights. In the same cluster, the Commissioner receives and examines proposed legislation which may affect data protection and individual privacy, and considers for approval drafts, models and codes of conduct set by data controllers for the protection of data and personal privacy. Under this cluster, the commissioner must follow up any development which may affect protection of personal data through research, monitoring developments in technology and counteracting any adverse effects on the protection of personal data.
The third cluster comprises the duty to cooperate and consult with data protection authorities from other countries. The duty aims at harmonising and resolving cross-border disputes pertaining to data protection. This aspect also requires the commissioner to participate in regional and/or international cooperation or negotiations on matters of data protection impacting Tanzania. The fourth cluster is the Commissioner’s power to investigate and resolve disputes. In this regard, the commissioner is empowered to receive and investigate complaints brought to his attention by a complainant or a third party on behalf of the complainant about an alleged violation of the Bill.106 The fact that a complaint can be brought by a third party is positive in the sense that it allows not only for individual claims but also for the possibility of class litigation. In resolving disputes the Bill empowers the Commissioner to summon any of the parties for interrogation or submission of evidence. The Commissioner can also enter the premises of a data controller and interrogate any person therein. The commissioner can issue/pronounce administrative sanctions in case of violation of the Bill.107
103 Bygrave, L. A., Vol. 6, No. 3, 1998, p. 253.
104 Boshe, P., supra note 13, p. 4.
105 Section 20.
106 See sections 21 (1) (b) and 36 (1) (2).
In discharge of these duties, the commissioner is required to prepare an annual report for the Parliament on activities undertaken by the commission in the specific year. The commissioner can also be prompted by the Minister to produce reports from time to time. The Minister is empowered to demand reports on specific functions by the Commissioner or his office. The Commissioner is also to consult and advise the Minister on matters affecting individual privacy, and suggest solutions, including where there is a need for taking legislative, administrative or any other action to remedy the situation. This includes the desirability of accepting any international instrument on that behalf.
Register of Data Controllers and Data Bureau The Bill does not have the requirement of ‘notice of process’ from the data controller or the filing of annual summaries of all personal data processing as proposed by the EU Directive.108 Instead, the Bill requires the Commissioner to maintain a register of data controllers and of persons maintaining a data bureau and any persons providing services concerning personal data. The essence of this requirement is to keep a record of all persons processing personal data, a description of the data held, the purpose(s) of collection and processes (as notified to the data subject), sources of collection and a description of intended direct and indirect transfers of data to countries outside Tanzania other than countries notified to the data subject.109 The establishment of this register means that unregistered persons cannot process personal data as data controllers or provide data bureau services in Tanzania.
International Data Transfer The Bill has established a regime for international data transfer similar to the one found under articles 25 and 26 of the European Data Protection Directive 95/46/EC. According to section 4 of the Bill, international data transfer ‘refers to any international, cross border flows of personal data by means of electronic transmission’. International data transfer has been limited to data transferred by electronic means. The general rule under section 54 allows transfer of data to countries with an adequate data protection framework. However, this rule places an additional duty on the data recipient to establish that the data is necessary for performance of a task carried out in the public interest or pursuant to the lawful functions of the data controller, or that the transfer is necessary and there is no reason to assume that the data subject’s legitimate interests might be prejudiced. The Bill states further that the necessity of transfer is to be determined by the data controller,110 who shall also make sure that the recipient processes such data only for the purposes for which they were transferred.111
107 Sections 41, 21 (1) (p).
108 Articles 18–19 EU Directive.
109 Section 30 (3).
110 Section 54 (3).
So far the Bill does not provide for the rules on authorisation for and governing the whistleblowing system. However, once the Bill is in force, the Commissioner is obliged to establish such rules under section 51 (1) of the Bill. The whistle-blowing system will, if properly devised, allow persons to unearth institutional malpractices and act as a safety net against adverse acts which may not be easily detected by the public or the commissioner in a desire to protect the public interest.
111 Section 54 (5).
112 Section 55 (2).
113 Section 55 (5).
At this stage it is not clear how the Commissioner is going to address the challenges surrounding whistleblowing in relation to data protection. The Article 29 Working Party issued a non-binding Opinion 1/2006114 on the application of whistle-blowing schemes in the field of accounting, internal accounting controls, audit matters, fight against bribery, banking and financial crime. In the opinion, the Working Party insists that any whistle-blowing scheme must be subjected to data protection principles. The schemes must adhere to the duties of data collectors and data subjects. In this case, the wrongdoer (data subject) should have the same rights in relation to processing of personal data for the whistle-blowing arrangement to be lawful. Such rights include the right to object to the processing of personal data on legitimate grounds.
Dispute Resolution System The Bill establishes a dispute resolution system with the Commissioner in the first order. The commissioner is given power to resolve disputes arising out of alleged breaches of the Bill. In this endeavour, the Commissioner can receive complaints and investigate alleged breaches,115 and summon parties for interrogation or presentation of evidence.116 The Commissioner can also enter any premises to satisfy him/herself of security requirements and compliance. Pursuant to these powers the Commissioner can pronounce administrative sanctions and collect fines from the sanctions pronounced against breach.117
8.4 Conclusion
114 00195/06/EN Working Paper 117.
115 Sections 21 (1), 36 (1).
116 Section 39 (1).
117 Section 29 (2).
118 Section 52 (2).
119 Section 53 the Protection of Personal Data Bill 2014.
120 Greenleaf, G., Vol. 2, No. 2 2012.
Protection Act draws inspiration from the SADC Model Law and the EU Directive, both of which emphasise the central role of the data subject’s consent to legitimise processing activities. At this point, I hesitate to call the omission in the draft Bill an oversight. First, this draft involved the ITU expert in the drafting process. Second, the government employed local ‘data protection experts’. Hence, it is difficult to simply accept that both local and international experts failed to notice the omission. But third is the trend in the making of this law; the very first time Tanzania attempted to establish a Privacy and Data Protection legal framework, through the draft Freedom of Information Bill in 2006, the requirement of consent was also neglected. For these reasons I tend to believe the omission is intentional. However, I still lack the knowledge of the reasons for such omission. The Bill, for reasons beyond my apprehension, attempts to blindfold its subjects. I once again fail to understand the essence of an obligation imposed on data controllers not to delete the original form of personal data upon an erasure request by the data subject. It makes no sense to give an opportunity to the data subject to amend or request erasure when such erasure is an illusion; a ‘make believe’ to the data subject. It is recommended that the government should review the draft Bill before it is passed into law; unless the overall objective of the law is not to protect personal data, this law is as good as there being no legal protection of personal data. The draft Bill is a mere conjure to the people, the Regional and International community.
References
Boshe, P., ‘M-marketing and Consumers’ Right of Privacy: the Tanzanian Perspective’, C.T.L.R.,
No. 3, vol. 20, 2014 pp. 67–71
Greenleaf, G., ‘The influence of European Data Privacy Standards Outside Europe: Implication for Globalisation of Convention 108’, International Data Privacy Law, Vol. 2, No. 2, 2012
Heyns, C (1999), Human Rights Law in Africa, Kluwer Law International, the Hague/London/
New York
Maina, C.P and Othman, H., Zanzibar and the Union Question, Zanzibar Legal Services Centre, 2006.
Makulilo, A.B., ‘Registration of SIM cards in Tanzania: a Critical Evaluation of the Electronic and Postal Communications Act 2010’, Computer and Telecommunications Law Review, Vol. 17, No. 2, pp. 43–54, 2011.
Makulilo, A.B., Protection of Personal Data in sub-Saharan Africa, PhD thesis at Universität
Bremen: Rechtswissenschaften, 2012.
Nchalla, B. M., ‘Tanzania’s Experience with Constitutionalism, Constitutional-making and
Constitutional Reforms’ in Mbondenyi, M. K and Ojiende, T., (eds) Constitutionalism and
Democratic Governance in Africa: Contemporary Perspectives from Sub-Saharan Africa,
Pretoria University Law Press, South Africa, 2013.
Internet Materials
Allen, K., ‘African Jitters over Blogs and Social Media’, BBC News available at www.bbc.co.uk/news/world-africa-13786143#story_continues_1; accessed on 10.08.2015.
APC and Hivos, ‘Global Information Society Watch 2014: Communications Surveillance in the Digital Age’ available at GISWatch.org; accessed on 08.12.2015.
Business Times, Friday, 27 June 2014, ‘Phone interception: Tanzania to Land in Court?’, by Mnaku Mbani; available online at http://www.businesstimes.co.tz/index.php?option=com_content&view=article&id=3588:phone-interceptions-tanzania-to-land-in-court&catid=1:latest-news&Itemid=57; accessed on 09.09.2015.
Hemeson, C. J., “Directive on Consumer Data for SIM Card Registration in the Telecommunications Sector: an African Perspective”, 8 January 2012, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1982033; accessed on 14.12.2015.
IPP Media., 21 February 2013, “Unregistered SIM cards in use–survey,” by Mwachang’a, D., available at http://www.ippmedia.com/frontend/index.php?l=51483; accessed 10.04.2014.
IWACU News, ‘ID cards to replace passports in EAC’ by Diane Uwimana, Tuesday, December 15, 2015, available online at http://www.iwacu-burundi.org/blogs/english/id-cards-to-replace-passports-in-eac/ accessed on 14.12.2015.
Izougu, C. E., “Data protection and other implications in the ongoing SIM card registration process” 29 April 2010, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1597665; accessed on 14.12.2015.
Kelly, T and Minges, M., (eds), 2012 Information and Communication for Development: Maximizing Mobile. Washington, D.C.: World Bank. Cited in Donovan, K. and Martin, A., ‘The Rise of African SIM Registration: The Emerging Dynamics of Regulatory Change’, February 2014. Available at: http://firstmonday.org/ojs/index.php/fm/article/view/4351/3820; accessed on 14.12.2015.
Mbote, K., “Kenya’s Automated Population Registry (IPRS) Unmasked,” HumanIPO 1st February 2013, available at http://www.humanipo.com/news/3685/FEATURE-Kenyas-automated-populationregistry-IPRS-unmasked/; accessed on 12.12.2015.
Nalwoga, L., Jamming the News: Taking the Struggle Online, article available online at https://giswatch.org/sites/default/files/gisw_-_tanzania.pdf; accessed on 14.12.2015.
Sato, N., “East African Countries to Share Data on SIM Card Registration,” Human IPO, 18 December 2013, available at http://www.humanipo.com/news/38368/east-african-countries-to-share-data-onsim-card-registration/; accessed on 15.12.2015.
Tanzania Communication Regulatory Authority, “Press Release: SIM Card Registration”, at http://www.tcra.go.tz/headlines/SimRegPublicNoticeEn.pdf accessed 09.10.2013.
Tanzania Communication Regulatory Authority, “Public Notice: SIM Card Registration”, at http://www.tcra.go.tz/headlines/simcardRegEng.pdf accessed 09.10.2013.
Tedre, M and Chachage, B., University Students’ Attitudes Towards e-Security Issues: A Survey Study in Tumaini University, available at https://www.researchgate.net/profile/Bukaza_Chachage/publications accessed 11.12.2015
The Arusha Times., 7–13 November 2009, ‘Tanzania: SIM-Card Registration Now Viewed as Spying Move’, http://www.arushatimes.co.tz/2009/44/front_page_3.htm; accessed on 12.03.2014.
The Guardian, October 17, 2010, at http://www.ippmedia.com/frontend/index.php?l=22119 accessed 15.08.2015
Vodafone Law Enforcement Disclosure report 2014 available at https://www.vodafone.com/content/dam/sustainability/2014/pdf/operating-responsibly/vodafone_law_enforcement_disclosure_report.pdf; accessed on 08.10.2015.
Widner, J., “Constitution Writing & Conflict Resolution: Data & Summaries,” Princeton University, first posted August 2005, available at https://www.princeton.edu/~pcwcr/reports/tanzania1984.html; accessed on 17.06.2015.
Documents
Anneliese Roos
Abstract The right to privacy is protected in South African common law and in the Constitution. Case law has interpreted the scope of this right and has enforced privacy rights for both individuals and juristic persons. After a lengthy legislative process, South Africa is poised to implement the Protection of Personal Information Act, an omnibus data protection act which complies with the European standards for data protection.
9.1 Introduction
9.1.1 History
South Africa is situated at the most southern tip of Africa. It is bounded by the
Atlantic Ocean on the western side and the Indian Ocean on the eastern side. The
country shares common boundaries with Namibia, Botswana, Zimbabwe,
Mozambique and Swaziland. Lesotho is landlocked by South African territory in
the south-east. The Prince Edward and Marion islands, about 1920 km south-east of
Cape Town, also form part of South Africa.1
Modern humans have lived in South Africa for more than 100,000 years. The written history of the country began with the arrival of Portuguese and Dutch seafarers in the fifteenth century. When they arrived at the southern point of Africa they encountered the Khoisan people. Other long-term residents of South Africa were the Bantu-speaking people, who by the thirteenth century had migrated into the north-eastern regions from the north.2
1 South African Yearbook 2014/5 “Land and its people” available at http://www.gcis.gov.za/content/resourcecentre/sa-info/yearbook2014–15 [15 December 2015].
2 South African Yearbook 2014/5 “Land and its people” available at http://www.gcis.gov.za/content/resourcecentre/sa-info/yearbook2014–15 [15 December 2015].
A. Roos (*)
Department of Private Law, University of South Africa (Unisa),
Pretoria, South Africa
e-mail: roosa1@unisa.ac.za
South Africa is a multi-cultural country. The Dutch were the first Europeans to form a settlement at the Cape of Good Hope in 1652. They were employees of the Dutch East India Company, which needed a halfway station for its ships on the Eastern trade route. Because of wars and religious persecution in Europe, European settlers also arrived from Germany and France.3 After the Cape Colony was annexed by the British in 1759 and again in 1806,4 several thousand British settlers moved to South Africa. Several other population groups came to South Africa from areas that included the Dutch East Indies and India, some of them initially as slaves or indentured labour. After diamonds and gold were discovered in South Africa in the late 1800s, an even wider variety of immigrants arrived.
From the 1700s white pioneers began to move into the interior of South Africa. During the 1830s and 1840s a large number of Boere (Dutch/Afrikaans for “farmers”) moved inland in what became known as the Great Trek. The Trek led to the establishment of several Boer Republics (such as the Natalia Republic, the Orange Free State and the Transvaal). While this movement of Europeans into the interior of the country was taking place, conflict and warfare arose between them and the indigenous people (such as the Zulus, Xhosas and Sothos). The 1800s also saw the military expansion of the Zulu kingdom in which many other tribes were displaced, the so-called difacane/mfecane.
War arose between the Boer Republics and the British. The British also fought wars against African kingdoms (such as the Xhosa and Zulu kingdoms). By 1900 the British had defeated the Boer Republics and the African kingdoms and imposed British rule. South Africa was unified in 1910 as the Union of South Africa. The Government of the Union recognised only the rights of white people.5 In 1948 the National Party came to power and from then onwards a policy of racial segregation (apartheid) was officially adopted. In 1961 South Africa became the Republic of South Africa. In that year, the ANC (which had been established in 1912) formed a military wing to wage an armed struggle against apartheid.6 The apartheid regime came to an end in 1993 with the adoption of the Interim Constitution.
3 South African History Online “The first large group of French Huguenots arrive at the Cape” http://www.sahistory.org.za/article/1600s and http://www.sahistory.org.za/dated-event/first-large-group-french-huguenots-arrive-cape-0 [30 January 2016].
4 SouthAfrica.info “A short history of South Africa” available at http://www.southafrica.info/about/history/history.htm#.VnlLK_l94gs [15 December 2015].
5 African National Congress “A brief history of the African National Congress” available at http://www.anc.org; SouthAfrica.info “South African history: gold and the war” available at http://www.southafrica.info/about/history/521105.htm#.VozSKfl94gs; SouthAfrica.info “South African history: Union and the ANC” available at http://www.southafrica.info/about/history/521106.htm#.VozSg_l94gs [15 December 2015].
6 South African History Online “Liberation struggle” available at http://www.sahistory.org.za/liberation-struggle-south-africa/genesis-armed-struggle-1960-1966 [15 December 2015].
9 Data Protection Law in South Africa 191
With the adoption of the Interim Constitution7 in 1993, South Africa became a constitutional democracy with a three-tier system of government (national, provincial and local) and an independent judiciary. The final Constitution was adopted in 1996.8 South Africa’s Constitution is considered one of the most progressive in the world. It enjoys high acclaim internationally.9 It contains a Bill of Rights10 that gives prominence to Human Rights. The Constitution is the supreme law of the land.11
South Africa has a hybrid or mixed legal system, formed by the blending of a civil law system (Roman-Dutch law inherited from the Dutch), a common law system (inherited from the British), and a customary law system (African customary law, which has many variations depending on the tribal origin).12 The common law is supplemented by statute law. In terms of the Constitution,13 the courts may consult foreign law when interpreting the Bill of Rights.
9.1.3 Demographics
By 2014 the population of South Africa was estimated to have reached 54 million,
of which 80 % are Black.14 About 30 % of the population are aged below 15 years
and approximately 8.4 % are 60 years or older. More than 60 % live in urban areas.
South Africa has 11 official languages, namely Afrikaans, English, isiNdebele,
isiXhosa, isiZulu, Sesotho sa Leboa, Sesotho, Setswana, siSwati, Tshivenda and
Xitsonga. Zulu is the mother tongue of the highest number of South Africans (about
22 %), followed by isiXhosa (16 %) and Afrikaans (13.5 %). English is the fifth
most spoken home language (9.6 %), but is the language spoken in public and com-
mercial life. Many other unofficial languages (African, European and Asian) are
also spoken.
7
Constitution of the Republic of South Africa Act 200 of 1993.
8
Constitution of the Republic of South Africa, 1996. (It was adopted as Act 108 of 1996, but no Act
number is to be associated with the Constitution – see Citation of Constitutional Laws Act 5 of
2005 s 1.)
9
South African Government “The Constitution” available at http://www.gov.za/constitution [15
December 2015].
10
In Ch 2.
11
S 2 of the Constitution of the Republic of South Africa, 1996.
12
Wikipedia “Law of South Africa” available at https://en.wikipedia.org/wiki/Law_of_South_
Africa [15 December 2015].
13
S 39.
14
Statistics South Africa “Mid-Year Population Estimates, 2014” Table 8 available at http://www.
statssa.gov.za/publications/P0302/P03022014.pdf [15 December 2015].
192 A. Roos
South Africa is divided into nine provinces, of which Gauteng is the most populous
and the biggest contributor to South Africa’s gross domestic product.15 The
other provinces are KwaZulu-Natal, Limpopo, North West, Mpumalanga, the Free
State, the Northern Cape, the Western Cape and the Eastern Cape.
South Africa is classified as an emerging market and developing economy.16
According to data gathered in 2013, almost 41 % of South African households had
at least one member who either used the Internet at home or had access to it else-
where. However, in reality only 10 % of households had Internet access at home.
About 30 % of people who used the Internet did so at work (16 %), school/univer-
sity (5.1 %) or at an Internet cafe (9.6 %).17
Mobile phone use in South Africa has increased from 17 % of adults in 2000 to
76 % in 2010. Twenty-nine million South Africans use mobile phones. Six million
use computers. Less than five million South Africans use landline phones.18
The use of social media in South Africa is growing rapidly. The most popular
social networking site is Facebook (11.8 million users). Almost 75 % of users access
Facebook on a mobile device.19
15
South African Yearbook 2014/5 “Land and its people” available at http://www.gcis.gov.za/content/resourcecentre/sa-info/yearbook2014-15 [15 December 2015].
16
United Nations Development Programme “Human development report 2014” Tables 1 and 2
available at http://hdr.undp.org/en/content/table-1-human-development-index-and-its-compo-
nents, and http://hdr.undp.org/en/content/table-2-human-development-index-trends-1980-2013,
15 Sept. 2015 [15 December 2015].
17
Statistics South Africa “General household survey 2013” (2014) available at http://beta2.statssa.
gov.za/publications/P0318/P03182013.pdf [15 December 2015].
18
SouthAfrica.info “South Africa’s telecommunications” available at http://www.southafrica.info/
business/economy/infrastructure/telecoms.htm#.Vnl9_l94gs#ixzz3v4Kiwr4E [15 December
2015].
19
World Wide Worx “Social media landscape 2015” available at http://www.worldwideworx.com/
wp-content/uploads/2014/11/Exec-Summary-Social-Media-2015.pdf [15 December 2015].
20
See Makulilo AB “Privacy and data protection in Africa: A state of the art” 2012 (vol 2 no 3)
International Data Privacy Law 163 171 and authority cited there.
21
See Olinger HN, Britz JJ and Olivier MS “Western privacy and/or Ubuntu? Some critical com-
ments on the influences in the forthcoming data privacy bill in South Africa” 2007 (vol 39 no 1)
International Information & Library Review 34.
However, since 1994 the convictions of the community have been informed by
constitutional values. The values on which the South African Constitution is
founded include human dignity, equality and promotion of human rights and free-
doms. These values coincide with some key values of ubuntu such as “human dig-
nity itself, respect, inclusivity, compassion, concern for others, honesty and
conformity”.25 Privacy forms part of the broader concept of human dignity, and
should in my opinion therefore not be seen as an antithesis to the values of ubuntu.
In S v Makwanyane26 (which held that the death penalty is unconstitutional) the
court held that ubuntu itself is a basic constitutional value to be used when interpret-
ing the Constitution.27 In The Citizen 1978 (Pty) Ltd v McBride28 ubuntu was applied
in a defamation case. The court stated that29
22
Mbigi L and Maree J Ubuntu: The Spirit of African Transformation Management (1995) 1–7.
23
Mokgoro JY “Ubuntu and the law in South-Africa” 1998 (vol 1 nr 1) Potchefstroom Electronic
Law Journal (PELJ) 3.
24
Olinger HN, Britz JJ and Olivier MS “Western privacy and/or Ubuntu? Some critical comments
on the influences in the forthcoming data privacy bill in South Africa” 2007 (vol 39 no 1)
International Information & Library Review 34.
25
Mokgoro J Y “Ubuntu and the law in South-Africa” 1998 (vol 1 no 1) Potchefstroom Electronic
Law Journal (PER) 7.
26
1995 (3) SA 391 (CC). Other case law interpreting ubuntu includes S v Mandela 2001 (1) SACR
156 (C); Crossley v National Commissioner of the South African Police Services [2004] 3 All SA
436 (T); Du Plooy v Minister of Correctional Services 2004 3 All SA 613 (T); Port Elizabeth
Municipality v Various Occupiers 2005 (1) SA 217 (CC); Dikoko v Mokhatla 2006 (6) SA 235
(CC); S v Maluleke 2008 1 SACR 49 (T); S v Sibiya 2010 1 SACR 284 (GNP); The Citizen 1978
(Pty) Ltd v McBride 2011 (4) SA 191 (CC). Van Vuren v Minister of Correctional Services 2012 1
SACR 103 (CC).
27
See further Himonga C, Taylor M and Pope A “Reflections on judicial views of ubuntu” 2013
(vol 16 no 5) Potchefstroom Electronic Law Journal 370.
28
2011 (4) SA 191 (CC) para [217]–[218].
29
See para [217]–[218].
Botho or ubuntu is the embodiment of a set of values and moral principles which informed
the peaceful co-existence of the African people in this country who espoused ubuntu based
on, among other things, mutual respect. … A forgiving and generous spirit, the readiness to
embrace and apply restorative justice, as well as a courteous interaction with others, were
instilled even in the young ones in the ordinary course of daily discourse. … Ubuntu gives
expression to, among others, a biblical injunction that one should do unto others as he or she
would have them do unto him or her.
9.2.1 Introduction
30
[2015] ZACC 18 at 21.
31
2007 (5) SA 323 (CC) at paras 28–29.
32
IT Web Business “Consumers still worried about privacy” available at http://www.itweb.co.za/
index.php?option=com_content&view=article&id=80414 [15 December 2015].
33
In SA law, the right to identity is also identified as a personality right that may be infringed
because of the processing of incorrect personal data (see discussion below). Identity is not recog-
nised eo nomine in the Bill of Rights but, like the right to a good name (fama) which is also not
mentioned explicitly, it can be considered to be protected under the right to dignity, which is men-
tioned explicitly in section 10. The concept of human dignity in the Constitution can therefore be
compared with the wide dignitas concept of common law (see below).
9.2.2 Constitution
The right to privacy has been protected as a fundamental right in South African law
since 1994, with the commencement of the Interim Constitution.34 The final
Constitution35 also protects privacy as a fundamental right by proclaiming the fol-
lowing in section 14:
Everyone has the right to privacy, which includes the right not to have –
(a) their person or home searched;
(b) their property searched;
(c) their possessions seized;
(d) the privacy of their communications infringed.
The instances of privacy enumerated in section 14 relate to the “informational”
aspects of the right to privacy.36 In Mistry v Interim Medical and Dental Council of
South Africa37 the Constitutional Court held a number of factors to be important in
considering whether a violation of the informational aspect of the right to privacy
has taken place. These were the manner in which the information was obtained (in
an intrusive manner or not); the nature of the information (was it about intimate
aspects of the person’s life or not); the purpose for which the information was ini-
tially collected (was the information involved initially provided for a purpose other
than the one for which it was subsequently used); and the manner and nature of the
dissemination of the information (was the information communicated to the press or
the general public or to persons from whom the applicant could reasonably expect
that such private information would be withheld, or was it only disseminated to a
person who had statutory responsibilities and who was subject to the requirements
of confidentiality).
The Constitutional Court has characterised the constitutional right to privacy as
lying along a continuum. A high level of protection is afforded to a person’s inti-
mate personal sphere. The further a person moves away from the most intimate core
of privacy, the less protection it receives.38 According to the Court, wherever a per-
son has the ability to decide what he or she wishes to disclose to the public and the
expectation that such a decision will be respected is reasonable, the right to privacy
34
S 13 of Act 200 of 1993.
35
The Constitution of the Republic of South Africa, 1996.
36
The courts have, however, also extended the constitutional right to privacy to “substantive” pri-
vacy rights. These are rights which enable persons to make decisions about their family, home and
sex life. See, for example, De Reuck v Director of Public Prosecutions, Witwatersrand Local
Division 2004 (1) SA 406 (CC); Bernstein v Bester NO 1996 (2) SA 751 (CC).
37
1998 (4) SA 1127 (CC) 1145. Also see Roos A “Data privacy law” 363–487 in Van der Merwe
D, Roos A, Pistorius T, Eiselen GTS and Nel SS Information and Communications Technology
Law (2016) 417.
38
Bernstein v Bester NO 1996 (2) SA 751 (CC).
will come into play.39 In other words, it extends to those aspects of a person’s life
regarding which the person has a legitimate expectation of privacy. A person has a
strong expectation of privacy in relation to his or her home and family life and inti-
mate relationships, but in communal relationships and activities such as business
and social interaction his or her expectation of privacy is reduced and becomes more
attenuated.
The fact that the right to privacy is protected as a fundamental (human) right
implies that the legislature and the executive of the State may not pass any law or
take any action which infringes or unreasonably limits the right.40 Fundamental
rights may only be limited by means of a law of general application, provided that
the limitation is reasonable and justifiable in an open and democratic society.41
Neethling argues convincingly that the entrenchment of the right to privacy in the
Constitution places an obligation on the legislature to enact legislation that will
protect the privacy of personal information.42
The right to privacy, like the other rights in the Bill of Rights, has to be balanced
against other fundamental rights.43 Furthermore, fundamental rights apply against
both the State and individuals (in other words, they apply both vertically and
horizontally).44 The Constitution extends the right to privacy to both individuals and
juristic persons.45 This is also the position in the law of delict (common law).46
39
Investigating Directorate: Serious Economic Offences v Hyundai Motor Distributors (Pty) Ltd:
In re Hyundai Motor Distributors (Pty) Ltd v Smit NO 2001 (1) SA 545 (CC) para 16.
40
Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 17.
41
S 36 of the Constitution of the Republic of South Africa, 1996. Examples of laws of general
application that limit the right to privacy are the Promotion of Access to Information Act 2 of 2000
and the Regulation of Interception of Communications and Provision of Communication-Related
Information Act 25 of 2002.
42
Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 271–272.
43
Such as the public’s right to be informed and right to freedom of expression. See eg Khumalo v
Holomisa 2002 (5) SA 401 (CC) at [41]–[44] (referring to the balance that needs to be struck
between dignity and freedom of expression).
44
S 8(1) of the Constitution of the Republic of South Africa, 1996.
45
S 8(4) of the Constitution of the Republic of South Africa, 1996.
46
See below.
47
Also see Burchell J The legal protection of privacy in South Africa: A Transplantable hybrid
2009 (vol 13.1) Electronic Journal of Comparative Law available at http://www.ejcl.org/131/
art131-2.pdf [15 December 2015].
individual.48 Different personality interests have been identified, such as the body,
physical liberty, good name, dignity, feelings, privacy and identity.49 These person-
ality interests are refinements of the broader triad of the Roman law, namely corpus
(physical integrity), fama (good name) and dignitas (a collective term for all person-
ality aspects apart from fama and corpus).
The infringement of a personality interest is considered to be an iniuria for which
non-patrimonial loss may be recovered by instituting the actio iniuriarum.50 The
requirements for the actio iniuriarum are that a personality interest must intention-
ally51 have been infringed in a wrongful manner. Wrongfulness is established by
judging the conduct in question in the light of the boni mores. Conduct that is con-
sidered to be unreasonable by the standard of the boni mores is wrongful. The
infringement of a subjective right, such as the right to privacy, is considered unrea-
sonable and therefore wrongful.52 Under the actio iniuriarum, conduct that infringes
a personality interest gives rise to two presumptions: a presumption that the publica-
tion was done wrongfully and a presumption that it was done with intent. The defen-
dant has to rebut these presumptions.53 The presumption of wrongfulness can be
rebutted by proving that a ground of justification, such as private defence, necessity,
provocation, consent to injury and exercise of a statutory right or official authority,
48
Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 12. Personality
rights are characterised by the fact that they cannot be transferred to others, cannot be inherited, are
incapable of being relinquished, cannot be attached and that they come into existence with the birth
and are terminated by the death of a human being (or in the case of a juristic person, when such
person comes into existence or ceases to exist) – Neethling J, Potgieter JM and Visser PJ Neethling’s
Law of Personality 2 ed (2005) 13.
49
Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 25–38.
50
The Roman law concerning liability for injury to personality has been adopted in South Africa –
see Neethling J, Potgieter JM and Visser PJ Law of Delict 7 ed (2015) 12.
51
As a general rule, negligence on the part of the defendant is insufficient for liability (see eg NM
v Smith 2007 (5) SA 250 (CC) para [48].) However, the application of the common law must be
informed by the precepts of the Constitution – NM v Smith 2007 (5) SA 250 (CC) para [28]. South
African law initially held the owner, editor, publisher and printer of a newspaper strictly liable for
the publication of defamatory content. After the adoption of the Constitution and the recognition
of the freedom of expression of the press and other media as a fundamental right, the court in
National Media Ltd v Bogoshi 1998 (4) SA 1196 (SCA) held that the democratic imperative of the
free flow of information, and the role played by the mass media in this respect, is not served by
imposing strict liability on the mass media. The court was also not prepared to reinstate the com-
mon-law position of liability based on intent or animus iniuriandi, because it would then be too
easy for the mass media to rely on the absence of consciousness of wrongfulness. Instead, the court
held that the mass publication of defamatory statements raises a presumption of negligence.
Considerations of policy, practice and fairness inter partes require that the onus be placed on the
defendant to rebut this presumption.
52
Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 42.
53
See, eg, Jansen van Vuuren v Kruger 1993 (4) SA 842 (A) 849; Herselman v Botha 1994 (1) SA
28 (A) 35; SAUK v O’Malley 1977 (3) SA 394 (A) 401–402; Naylor v Jansen; Jansen v Naylor
2006 (3) SA 546 (SCA) 551 para [7]. Loubser M, Midgley R, Mukheibir A, Niesing L and Perumal
D The Law of Delict in South Africa 2 ed (2012) 335.
was present.54 The presumption of intent can be rebutted by proving that the publication
was done mistakenly.55
Patrimonial loss that flows from the wrongful, intentional or negligent infringe-
ment of a personality interest can be claimed with the actio legis Aquiliae; an inter-
dict is also available to avert an impending interference with a personality interest,
or to prevent the continuation of a wrongful infringement.56
The processing of personal information endangers two personality interests,
namely privacy and identity.57 Privacy and identity are considered to be part of the
dignitas concept.58 Privacy is infringed when true personal information is processed,
whereas identity is infringed when the personal information that is processed is
untrue or false.59
Privacy is defined by Neethling60 as “an individual condition of life characterised
by exclusion from publicity. This condition includes all those personal facts which
the person himself [or herself] at the relevant time determines to be excluded from
the knowledge of outsiders and in respect of which he [or she] evidences a will for
privacy”.61 The right to privacy extends protection to personal facts or information
which the relevant person has decided to exclude from the knowledge of outsiders.
Privacy is therefore infringed when such facts become known to outsiders, either by
means of an act of intrusion by a third party into the private sphere, or by a disclosure
54
See Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 56.
55
See Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 163.
56
Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 254.
57
See Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005)
270–271.
58
Bernstein v Bester NO 1996 (2) SA 751 (CC) 789; Jansen van Vuuren v Kruger 1993 (4) SA 842
(A) 849; NM v Smith 2007 (5) SA 250 (CC) para [48]. See also Loubser M, Midgley R, Mukheibir
A, Niesing L and Perumal D The Law of Delict in South Africa 2 ed (2012) 56.
59
See Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 30
270–271.
60
Prof Johann Neethling is the leading authority on privacy and data protection in South Africa. He
wrote his LLD thesis on the right to privacy (Neethling J Die Reg op Privaatheid Unisa (1976)) and
he was the project leader of the SA Law Reform Commission’s Committee (SALRC Privacy and
Data Protection Project 124 (2001)) that did the research on which the Protection of Personal
Information Act 4 of 2013 is based.
61
Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 36. This defi-
nition has been accepted by the South African courts – see eg National Media Ltd v Jooste 1996
(3) SA 262 (A) 271; Universiteit van Pretoria v Tommie Meyer Films (Edms) Bpk 1977 (4) SA 376
(T) 384; Bernstein v Bester NO 1996 (2) SA 751 (CC) 789; Swanepoel v Minister van Veiligheid
en Sekuriteit 1999 (4) SA 549 (T) 553.
of private facts by a third party in a situation where the third party is acquainted with
the facts but not authorised to disclose them to outsiders.62, 63
Identity refers to characteristics of an individual which make him or her unique
and thus distinguish him or her from other persons. Identity is infringed when these
characteristics are used in a way that is misleading and is not in accordance with the
true personality image of the individual64; or “when aspects associated with a per-
son’s particular image are used outside the sphere or scope of that image”.65
Privacy and identity are both recognised in case law. O’Keefe v Argus Printing &
Publishing Co Ltd66 established in 1954 that a right to privacy is recognised in South
African common law.67 Identity was recognised as an independent personality right
for the first time in Universiteit van Pretoria v Tommie Meyer Films (Edms) Bpk68
and more recently by the Supreme Court of Appeal in Grutter v Lombard.69
South African common law also extends certain personality rights to juristic
persons, namely a right to a good name, a right to privacy and a right to identity.70
62
See Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 30
270–71; Loubser M, Midgley R, Mukheibir A, Niesing L and Perumal D The Law of Delict in
South Africa 2 ed (2012) 326. This is similar to the American privacy torts of “intrusion upon the
plaintiff’s seclusion or solitude, or into his or her private affairs” and “public disclosure of embar-
rassing private facts about the plaintiff” – See Prosser WL Privacy 1960 (48) California Law
Review 383.
63
A person may decide that personal information may be disclosed to a specific person only or to
a defined group of persons, without relinquishing the right to decide to exclude other persons from
being acquainted with this information – see inter alia National Media Ltd v Jooste 1996 (3) SA
262 (A) 271–272; NM v Smith 2007 (5) SA 250 (CC) 262–263.
64
See Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 36 271.
In other words, a false image is created by the use of the information. This is similar to the
American privacy torts of “publicity which places the plaintiff into a false light in the public eye”
and “appropriation for the defendant’s advantage of the plaintiff’s name or likeness” – see
Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 37.
65
Loubser M, Midgley R, Mukheibir A, Niesing L and Perumal D The Law of Delict in South
Africa 2 ed (2012) 58, 335.
66
1954 (3) SA 244 (C).
67
Other cases in which the right to privacy was recognised and protected include Kidson v SA
Associated Newspapers Ltd 1957 (3) SA 461 (W); National Media Ltd v Jooste 1996 (3) SA 262
(A) 271; Jooste v National Media Ltd 1994 (2) SA 634 (C); Universiteit van Pretoria v Tommie
Meyer Films (Edms) Bpk 1977 (4) SA 376 (T); Bernstein v Bester NO 1996 (2) SA 751 (CC);
Jansen van Vuuren v Kruger 1993 (4) SA 842 (A); Swanepoel v Minister van Veiligheid en
Sekuriteit 1999 (4) SA 549 (T).
68
1977 (4) SA 376 (T) 386.
69
2007 (4) SA 89 (SCA). See also Wells v Atoll Media (Pty) Ltd [2010] 4 All SA 548 (WCC) paras
[48]–[49].
70
This is in line with the Constitution – see Investigating Directorate: Serious Economic Offences
v Hyundai Motor Distributors (Pty) Ltd: In re Hyundai Motor Distributors (Pty) Ltd v Smit NO
2001 (1) SA 545 (CC) para 17; Dhlomo v Natal Newspapers (Pty) Ltd 1989 (1) SA 945 (A);
Financial Mail (Pty) Ltd v Sage Holdings Ltd 1993 (2) SA 451 (A); Janit v Motor Industry Fund
Administrators (Pty) Ltd 1995 (4) SA 293 (A). Juristic persons do not have personality rights that
involve the feelings of a person (such as dignity) or the body of a person (physical integrity) –
Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 71.
South Africa adopted an omnibus data protection Act, the Protection of Personal
Information Act (POPI Act) in 2013.73 Only a few of the provisions of the Act have
come into force so far. There are certain sectoral laws that contain some data protec-
tion provisions, but none of them can be considered adequate from a data protection
perspective.74 These laws are the Promotion of Access to Information Act (PAIA),75
the Electronic Communications and Transactions Act (ECTA),76 the National Credit
Act77 and the Consumer Protection Act.78 The POPI Act will be discussed in more
detail below.
71
Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 281.
72
Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 278.
73
Act 4 of 2013.
74
See Roos A “Data protection: Explaining the international backdrop and evaluating the current
South African position” 2007 (124) South African Law Journal 400 for a detailed discussion of
these acts and their limitations. Also see Roos A “Data privacy law” 313–397 in Van der Merwe D,
Roos A, Pistorius T and Eiselen S Information and Communications Technology Law (2008)
358–367.
75
Act 2 of 2000. An aspect of this Act that is relevant for present purposes is that it gives individuals
access to records containing personal information about them in both the private and the public
sectors – ss 11 and 50.
76
Act 25 of 2002. In terms of ss 50 and 51 of this Act, data controllers that electronically collect personal
information may voluntarily subscribe to certain principles in the ECT Act which are
intended to protect a person’s privacy. The data subject and the data controller must first reach an
agreement in terms of which the data controller will adhere to these principles, before the princi-
ples become applicable to the transaction. The rights and obligations of the parties in respect of a
breach of the principles are governed by the terms of the agreement between them.
77
Act 34 of 2005. The Act provides that a person who receives, compiles, retains or reports confidential
information pertaining to a consumer or prospective consumer must protect the confidentiality
of that information. The Act prescribes how this must be done – see s 68. Credit bureaux have
certain duties in respect of consumer credit information (s 70), and the Act also provides for a
right to access credit information and challenge its correctness (s 72).
78
Act 68 of 2008. S 11 of this Act protects consumers’ right to privacy with regard to direct
marketing.
The South African Law Reform Commission (SALRC) started its investigation into
privacy and data protection in 2001, with the appointment of a project committee to
consider privacy and data protection legislation. The impetus for the investigation
was a report in 2000 by the Ad Hoc Joint Committee on the Open Democracy Bill.79
The Open Democracy Bill was the forerunner of the Promotion of Access to
Information (PAI) Act. However, the Open Democracy Bill (ODB) contained not
only provisions regulating access to information, but also provisions regulating data
privacy or data protection.80 These provisions were omitted from the PAI Act. One
of the reasons for this omission was that the Joint Committee felt that if the PAI Act
were to regulate certain aspects of the right to privacy, such as the correction of and
control over personal information, it would be dealing with the constitutional right
to privacy in “an ad hoc and undesirable manner”.81 The Joint Committee was also
of the opinion that South Africa should enact separate privacy legislation, following
the international trend. The Joint Committee therefore requested the Minister for
Justice and Constitutional Development to introduce privacy and data protection
legislation, “after thorough research on the matter, as soon as reasonably possible”.82
The Minister requested the SALRC to include such an investigation in its
programme.83
79
Ad Hoc Joint Committee of South African Parliament Report of the Ad Hoc Joint Committee on
the Open Democracy Bill [B67–98] (24 January 2000).
80
Before the ODB was published, a Draft Bill was published for comments (GG 18381 of 18-10-
1997). The Draft Bill was based on policy proposals made by the Task Group on Open Democracy.
A recommendation of the Task Group was that an Open Democracy Act should have more than one
function, including a freedom of information component, a privacy component, an open meetings
component and a component protecting whistleblowers (see Williams D “Access to Information in
the New South Africa” 1997 (Aug) De Rebus 563 565; Roos A “Data Protection Provisions in the
Open Democracy Bill, 1997” 1998 THRHR 497). The open meetings component was subsequently
deleted and the Bill itself was further scaled down – only the access to information component
remained in the PAI Act. The whistleblowers chapter of the ODB became the Protected Disclosures
Act 26 of 2000. See further White J “Open Democracy: Has the window of opportunity closed?”
1998 South African Journal of Human Rights 65; Currie I and Klaaren J The Promotion of Access
to Information Act Commentary (2002) 2 et seq (para 1.2).
81
Ad Hoc Joint Committee of South African Parliament Report of the Ad Hoc Joint Committee on
the Open Democracy Bill [B67–98] (24 January 2000) 17.
82
Ad Hoc Joint Committee of South African Parliament Report of the Ad Hoc Joint Committee on
the Open Democracy Bill [B67–98] (24 January 2000) 17. See also Roos A “Data Protection for
South Africa: Expectations Created by the Open Democracy Bill, 1988” in The Constitutional
Right of Access to Information (Report of a seminar held on 4 September 2000 at St George’s
Hotel, Rietvlei Dam, Pretoria) Konrad Adenauer Stiftung Seminar Report no 5 (2001) 43 and
Klaaren J, Currie I and Smith A “Analysing Foreign Access to Information Legislation from a
South African Viewpoint” 29–40 in The Constitutional Right of Access to Information (above) 31.
83
SA Law Reform Commission (SALRC) Privacy and Data Protection Project 124 Discussion
Paper 109 (2005) para 1.1.
84
Draft Bill s 1(1).
85
OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data
Paris (23 September 1980).
86
Convention for the Protection of Individuals with regard to Automatic Processing of Personal
Data No 108/1981, Strasbourg (28 January 1981).
87
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement
of Such Data 1995 Official Journal L 281/31.
88
See SALRC Privacy and Data Protection Project 124 Discussion Paper 109 (2005) ch 8.
89
Bill 9 of 2009.
90
The Portfolio Committee on Justice and Constitutional Development debated the Bill and made
amendments to it. In this process, notice was taken of new developments in the EU approach to
data protection. Also see Stein P “South Africa’s EU-style data protection law” 2012 (10) Without
Prejudice 48; Milo D and Palmer G “South Africa – New comprehensive data privacy law passed”
Linklaters 31 January 2014 available at
http://www.linklaters.com/Insights/Publication1403Newsletter/TMT-News-31-January-2014/Pages/SouthAfrica-New-comprehensive-data-privacy-law-passed.aspx;
Luck R “POPI – Is South Africa keeping up with international trends” 2014
(May) De Rebus 45 also available at
http://reference.sabinet.co.za/webx/access/electronic_journals/derebus/derebus_n541_a26.pdf
[15 December 2015].
91
Act 4 of 2013.
92
In terms of Government Gazette 37544 of 11 April 2014 the following sections came into force:
s 1 (definitions); Part A of Chapter 5 (establishment of Information Regulator); s 112 (grants the
Minister the authority to adopt regulations); and s 113 (procedures for making regulations). It was
reported that the final step to be taken before the full implementation of POPI was appointing a
Regulator for which five nominees were called for. The deadline was August 2015, but it was not
met. In November 2015 parliament called for a workshop to be held on the Act, thus delaying the
implementation of the Act – see Financial Mail FM Fox “Regulation: personal data in limbo” 28
January 2016 available at
http://www.financialmail.co.za/fmfox/2016/01/28/regulation-personal-data-in-limbo
[30 January 2016].
has been established and regulations have been issued. Once the Act is in force, data
controllers will have 1 year in which to comply with the provisions of the Act.93
The Act is a voluminous piece of legislation and it is impossible to discuss every
provision in detail. Therefore only the most important aspects will be highlighted.
Since the Act has not yet been fully implemented, there is no case law interpreting
the Act.
Parliament enacted the POPI Act to fulfil its constitutional obligation to protect the
right to privacy, which right includes a right to be protected against the unlawful
collection, retention, dissemination and use of personal information. The Act promotes
the protection of personal information when processed by public and private
bodies in harmony with international standards.94
The POPI Act applies generally to any processing activity95 involving personal
information of a data subject that was entered into a record, where the processing is
done by either a South African data controller (responsible party) or by a non-South
African data controller using equipment in South Africa.96
93
S 114(1).
94
Act 4 of 2013 Preamble. The Act contains a purpose clause (s 2), explaining the purpose of the
Act in detail:
2. The purpose of this Act is to—
(a) give effect to the constitutional right to privacy, by safeguarding personal information when
processed by a responsible party, subject to justifiable limitations that are aimed at—
(i) balancing the right to privacy against other rights, particularly the right of access to
information; and
(ii) protecting important interests, including the free flow of information within the Republic and
across international borders;
(b) regulate the manner in which personal information may be processed, by establishing
conditions, in harmony with international standards, that prescribe the minimum threshold
requirements for the lawful processing of personal information;
(c) provide persons with rights and remedies to protect their personal information from processing
that is not in accordance with this Act; and
(d) establish voluntary and compulsory measures, including the establishment of an Information
Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this
Act.
95
The processing could be done either manually or automatically, but if it is done manually the Act
will only be applicable if the record forms part of a filing system or is intended to form part
thereof – see s 3(1)(a).
96
S 3(1). If those means are only used to forward information through South Africa the Act is not
applicable to the processing.
The definitions97 given to key terms, such as “data subject”, “responsible party” (i.e.
the data controller),98 “personal information” and “processing” are fairly similar to
the definitions used in the EU Data Protection Directive.99
A “data subject” means the person to whom the personal information relates, and
a “responsible party” means a public or private body or any other person who, alone
or in conjunction with others, determines the purpose of and means for processing
personal information.
“Personal information” is defined as meaning information relating to an identifiable,
living, natural person and, where applicable, an identifiable, existing juristic
person. A list of examples is provided.100 This is not an exhaustive list and any
information that may be considered to relate to a person, such as Internet Protocol
(IP) addresses, cookie identifiers or genetic information, should also be considered
“personal information”. It should be noted that juristic persons can also be data
subjects (contrary to the position in the EU Directive101 and most other international
instruments).
“Processing” means any operation or activity or any set of operations, whether or
not by automatic means, concerning personal information. The Act gives a list of
examples of activities that are included in this definition.102
Another key term is “record”, since only information that is entered into a record
comes under the purview of the POPI Act. A “record” is any recorded information,
regardless of form or medium, in the possession or under the control of a responsible
97
The definitions are in s 1.
98
The term “responsible party” was borrowed from the Dutch data protection law (Wet Bescherming
Persoonsgegevens of 2000).
99
Directive 95/46/EC a 2.
100
Personal information includes (a) information relating to the race, gender, sex, pregnancy,
marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental
health, well-being, disability, religion, conscience, belief, culture, language and birth of the
person; (b) information relating to the education or the medical, financial, criminal or employment
history of the person; (c) any identifying number, symbol, e-mail address, physical address,
telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person; (e) the personal opinions, views or preferences of the
person; (f) correspondence sent by the person that is implicitly or explicitly of a private or
confidential nature or further correspondence that would reveal the contents of the original
correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the
person if it appears with other personal information relating to the person or if the disclosure of the
name itself would reveal information about the person.
101
Directive 95/46/EC a 2.
102
Processing includes (a) the collection, receipt, recording, organisation, collation, storage,
updating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of
transmission, distribution or making available in any other form; or (c) merging, linking, as well as
restriction, degradation, erasure or destruction of information.
party, whether or not it was created by a responsible party, and regardless of when it
came into existence. Here, again, examples of records are given.103
Certain information is completely exempted from the POPI Act. Most of these
exemptions are fairly similar to those found in the EU Directive.104 First of all,
personal information that has been made anonymous by removing identifiable aspects
(“de-identified”105) to such an extent that it cannot be related again to a particular
person is not protected by the Act.106 The processing of personal information in the
course of a purely personal or household activity is excluded.107 Where personal
information is processed solely for journalistic, literary or artistic expression, such
processing is also excluded. The exclusion is only valid to the extent that such
exclusion is necessary to reconcile, as a matter of public interest, the right to privacy
with the right to freedom of expression.108
Also excluded from the Act are processing by or on behalf of a public body if the
processing involves national security, defence or public safety, or if the purpose of
the processing is the prevention and detection of unlawful activities, combating
money laundering activities, investigating offences, prosecution of offenders or the
execution of sentences or security measures.109 Processing of personal information
by the Cabinet and its committees and the Executive Council of a province is
excluded from the scope of the Act110; as is processing of personal information by a
court relating to its judicial functions.111
The Regulator to be established in terms of the Act may exempt processing activities
that are in breach of the conditions of the Act from its provisions, if the processing
103
A record includes writing on any material; information produced, recorded or stored by means
of any tape-recorder, computer equipment, whether hardware or software or both, or other device,
and any material subsequently derived from information so produced, recorded or stored; a label,
marking or other writing that identifies or describes anything of which it forms part, or to which it
is attached by any means; a book, map, plan, graph or drawing; a photograph, film, negative, tape
or other device in which one or more visual images are embodied so as to be capable, with or
without the aid of equipment of some kind, of being reproduced.
104
See Dir 95/46/EC a 3(2), a 9.
105
The Act defines “de-identify” in s 1 as meaning, in relation to personal information of a data
subject, to delete information that identifies the data subject, or that can be used or manipulated by
a reasonably foreseeable method to identify the data subject, or that can be linked by a reasonably
foreseeable method to other information that identifies the data subject.
106
S 6(1)(b).
107
S 6(1)(a).
108
S 7.
109
S 6(1)(c).
110
S 6(1)(d).
111
S 6(1)(e).
is in a public interest that clearly outweighs the interference with the privacy of the
data subject, or if the processing involves a clear benefit to the data subject or a third
party. The exemption may be made subject to reasonable conditions.112
9.3.5 Conditions for Lawful Processing of Personal Information
POPI lists eight conditions that must be complied with before personal information
in general can be processed lawfully.113 These conditions are similar to the data
protection principles found in international data protection documents such as the
OECD Guidelines, the Council of Europe Convention and the EU Directive. POPI
provides heightened protection for sensitive personal information, referred to as
“special” personal information, and the personal information of children.
Processing in General
The eight conditions for lawful processing are accountability, processing limitation,
purpose specification, further processing limitation, information quality, openness,
security safeguards and data subject participation.
Accountability
In terms of this condition the responsible party must ensure compliance with all the
conditions in the Act set for the processing of personal information, as well as with
the measures giving effect to these conditions. Compliance must be ensured at the
initial stage when the purpose and means of the processing are determined, as well
as during the processing itself.114 The Act makes provision for the appointment of
information officers and deputy information officers. The head of a public body or
a private body is designated as the information officer of that body.115 The powers
and duties of the information officer may be delegated to the deputy information
officers appointed by the body involved.116 The deputy information officers will
perform the day-to-day work relating to the protection of personal information in an
112
S 37. In terms of s 38 the processing of personal information for the purpose of protecting
members of the public against, for example, dishonesty, malpractice and maladministration by persons
in the financial sector may also be exempted from some of the conditions for lawful processing.
113
See s 4(1) and Ch 3.
114
S 8.
115
S 1. “Information officer” is defined with reference to the definition of information officers in
the Promotion of Access to Information (PAI) Act. The same person who in terms of the PAI Act
is acting as the information officer of an entity will also be the information officer in terms of the
POPI Act.
116
S 56.
organisation. Nevertheless, accountability rests with the “responsible party” (i.e. the
information officer designated by the Act), and not the deputy information officer.
Processing Limitation
This condition emphasises that in order for the processing of personal information
to be lawful, there should be limits to the reasons why personal information is
processed, the type of information that is processed and the subjects from whom it is
collected. The condition includes the following requirements: lawfulness of
processing; minimality; consent, justification and objection; collection directly from
data subject.
Lawfulness of processing: Processing should always be done lawfully – that is, in
accordance with the law and in a reasonable manner that does not infringe the
privacy of the data subject.117
Minimality: Personal information may only be processed when, given the purpose
for which it is collected or subsequently processed, it is adequate, relevant and not
excessive.118
117
S 9.
118
S 10.
119
S 11(1)(a) of the Act.
120
S 1.
121
S 11(2)(a).
122
S 11(2)(b).
123
S 11(1)(b) of the Act.
124
S 11(1)(c).
125
S 11(1)(d).
126
S 11(1)(f).
127
S 11(1)(e).
The data subject has a right to object to the processing of personal information if
the processing takes place to protect a legitimate interest of the data subject, to
comply with a public law duty or to uphold a legitimate interest of the responsible party
or of a third party. The objection must be on reasonable grounds relating to the data
subject’s particular situation. Processing may not be objected to if it takes place in
terms of legislation.128
The data subject may also object to the processing of personal information for
purposes of direct marketing. This does not include direct marketing by means of
unsolicited electronic communications (spam).129 The sending of unsolicited
electronic communications is in general prohibited, unless certain specific conditions
are present.130
Purpose Specification
This condition requires that a specific, lawful purpose that relates to the function of
the responsible party must be established before any personal information is
collected.133 Data subjects must be informed of the purpose when the personal
information is collected134 and the information may not be retained for a period longer than
is required for this purpose.135 Records may be kept for longer periods for statistical,
historical or research purposes, provided that appropriate safeguards have been
established.136
128
S 11(3)(a).
129
S 11(3)(b).
130
This form of direct marketing is regulated in detail in section 69 of the Act.
131
S 12(1) of the Act.
132
S 12(2).
133
S 13.
134
S 13(2).
135
S 14(1). The steps that must be taken to inform the data subject are explained under the openness
principle.
136
S 14(2). Several other situations where data may be kept for longer periods are listed in
s 14(1)(a)–(d).
This condition provides that information may not be further processed in a manner
that is incompatible with the original purpose.137 Compatibility is determined by
referring to the relationship between the original purpose and the purpose of the
intended further processing, the nature of the information, the consequences that the
further processing will have for the data subject, the manner in which the
information has been collected, and any contractual rights and obligations between the
parties.138
A purpose will not be considered incompatible if the data subject has consented
to the further processing, if the information is publicly available, if the processing is
necessary to prevent a serious threat to public health and safety or the life or health
of the data subject or another individual, or if the information is used for research or
statistical purposes.139
Information Quality
The fourth condition requires the responsible party to take reasonably practicable
steps, given the purpose for which personal information is collected or subsequently
processed, to ensure that the personal information is complete, up to date, accurate
and not misleading. There are no exceptions to this principle.140
Openness
This condition requires the responsible party to maintain information manuals of its
processing operations141 and to give certain information to the data subject when
personal information is collected.142 Registration with an authority is not required.
The data subject must be informed that personal information is being collected
and the source from which it is collected (if it is not collected directly from the data
subject), the purpose of its collection, the name and address of the responsible party,
whether it is mandatory or not to give the information, the consequences of failure
to provide the information, whether the collection is in terms of a particular law,
137
S 15(1).
138
S 15(2).
139
S 15(3).
140
S 16.
141
S 17. The manuals that must be maintained are the same as those required in terms of the PAI
Act. These manuals must contain “in sufficient detail to facilitate a request for access to a record
of the body, a description of the subjects on which the body holds records and the categories of
records held on each subject” – see PAI Act s 4(1)(d) (public bodies) and s 51(1)(e) (private
bodies).
142
S 18.
whether the responsible party intends to transfer the information to a third country
or international organisation, and any other relevant information which is
“necessary” for the data subject to know in order to make the processing in respect of that
particular data subject reasonable in his or her circumstances.143
The data subject need not be informed that personal information is being
collected if the data subject has consented to this; if the data subject’s interests would
not be prejudiced; if the purpose of the collection would be impeded; if it is not, in
the particular circumstances, reasonably practicable to inform the data subject; if it
is necessary to withhold the information to protect certain public interests, to
comply with an obligation imposed by law or to enforce legislation concerning the
collection of revenue; for the conduct of proceedings before any court or tribunal
(being proceedings that have been commenced or are reasonably contemplated); in
the interests of national security; if the information is used for historical, statistical
or research purposes; or if the information has been de-identified.144
Security Safeguards
The obligation of the responsible party to ensure the safety and security of personal
information under his or her control is spelled out in this condition. The responsible
party must implement technical and organisational measures that are reasonable and
appropriate to secure not only the integrity of the personal information, but also its
confidentiality. The responsible party must protect the personal information against
risks such as loss or destruction thereof and against unlawful access to or processing
of personal information.145 Specific measures that the responsible party must take
include identifying risks, establishing and maintaining appropriate safeguards,
regularly verifying the implementation of the safeguards, and updating the safeguards
as necessary.146 In deciding what “appropriate” safeguards are, the responsible party
must follow the standard considered acceptable in the specific sector.147
If a processor has been appointed to process the information on behalf of the
responsible party, then the processor may not process the information without the
proper authorisation of the responsible party. The responsible party and the
processor must conclude a written contract stipulating the manner in which the processing
will be done as well as the obligation on the processor to implement security
measures.148 The processor is also under a duty of confidentiality in respect of the
personal information.149
143
This may, for example, include the names of the recipients of the information, the nature of the
information and the data subject’s rights in terms of the Act.
144
S 18(4).
145
S 19(1).
146
S 19(2).
147
S 19(3).
148
S 21(1).
149
S 20.
This condition gives data subjects the right to access their information and a right to
request a correction of inaccurate information.154
Access to Personal Information
The right to access personal information gives data subjects three entitlements,
namely to obtain confirmation of whether or not the responsible party holds
personal information about them, to have the content of recorded information given or
communicated to them,155 and to be advised that they are entitled to request the
correction of incorrect personal information.156 The manner of access is regulated
by the PAI Act.157 The responsible party may or must refuse to disclose the
information on the same grounds on which access to information may or must be refused in
terms of PAIA.158
150
S 21. This section contains detailed provisions in this regard.
151
S 22(5).
152
S 22(4).
153
S 22(6).
154
The right to object to certain processing activities forms part of the data subject participation
principle in many other data protection laws, but in POPI it forms part of the processing limitation
principle already discussed above.
155
S 23(1)(a) and (b).
156
S 23(2).
157
S 25. See PAIA ss 18 and 53.
158
POPI Act s 23(4)(a). See PAIA Ch 4 of Part 2 and Ch 4 of Part 3.
159
S 24(1).
160
S 24(2).
The data subject must be informed by the responsible party of any correction
made or of whether a statement has been attached.161 Third parties to whom the
incorrect or misleading information has been disclosed must also be informed of the
steps taken, if it is reasonably practicable to do so.162
161
S 24(4).
162
S 24(3).
163
S 26.
164
S 34 of the Act.
165
In the case of the personal information of a child, a person competent to consent to any action
or decision being taken in respect of any matter concerning a child, should consent – S 35(1)(a)
read with s 1 (definition of “competent person”).
166
S 27(1) and S 35(1).
167
S 27(2) and (3) and S 35(2) and (3).
There are processing activities that carry an inherently higher risk for the individual
rights and freedoms of data subjects, such as using unique identifiers to link
information of data subjects from various sources and create profiles on them, using
personal information for direct marketing by means of unsolicited electronic
communications, and making automated decisions about data subjects. The POPI Act
contains special provisions for these types of processing.
In certain instances, for example when personal information on a data subject from
different sources will be linked by means of a unique identifier for another purpose
than the one the identifier was collected for, the responsible party must apply for
authorisation from the Regulator prior to doing so.172 Other occasions when prior
authorisation is required are when information on the data subject’s criminal
behaviour or unlawful or objectionable conduct is processed on behalf of third parties173;
when information is processed for the purpose of credit reporting174; or when
special personal information or personal information of children is transferred to third
countries without adequate levels of protection for the processing of personal
information.175 If the responsible party fails to notify the Regulator of processing that is
subject to prior notification, such party is guilty of an offence.176
168
S 28.
169
S 29.
170
S 32.
171
For more detail, see ss 28–33 of the Act.
172
S 57(1)(a).
173
S 57(1)(b).
174
S 57(1)(c).
175
S 57(1)(d).
176
S 107(b).
Directories
Data subjects must be informed about the fact that their personal information is
included in a publicly available directory and also be informed about the purpose of
such a directory.181 The data subject must also have a reasonable opportunity to
object to his or her information being included in the directory, or to request
verification, confirmation or withdrawal of the information if the subscriber has not
initially refused such use.182 Special provisions are made for existing printed directories
and directories concerning telephony services.183
177
S 69(1).
178
S 69(2).
179
S 69(3).
180
S 69(4).
181
S 70(1).
182
S 70(2).
183
S 70(3) and (4).
POPI prohibits the “profiling” of data subjects for purposes of making automated
decisions about them based on such profiles. According to the Act, a data subject
may not be subjected to a decision to which legal consequences are attached, or
which substantially affects the data subject, where this decision has been taken
solely on the basis of the automated processing of personal information intended to
provide a profile of certain aspects of the data subject’s personality or personal
habits, such as the data subject’s performance at work, creditworthiness, reliability,
location, health, personal preferences or conduct.184
In other words, a data subject may not be subjected to an automated decision
based on a personality profile of that data subject. Two exceptions are provided for:
Automated decision making is allowed for purposes of concluding a contract,
provided the request of the data subject in terms of the contract has been met, or
appropriate measures have been taken to protect the data subject’s lawful interests185; or
the decision is governed by a code of conduct in which appropriate measures are
laid down for protecting the lawful interests of data subjects.186
POPI makes provision for the Regulator to issue codes of conduct for specific
industries, professions or classes of information. The purpose of a code of conduct
is to translate legislative provisions into practical application in the specific
information sector involved.
The Regulator may take the initiative in issuing a code of conduct, but may do so
only after consultation with the stakeholders involved. Representative bodies may
also apply to the Regulator for the issuing of a code of conduct for their industry.187
The code must incorporate all the conditions for lawful processing and must
prescribe how the conditions must be adhered to in the particular sector for which
the code is to be issued.188 The code must also specify appropriate measures to
protect the interests of data subjects if information matching programmes are used, or
if automated decision making is employed. A code of conduct must provide for the
review of the code by the Regulator and for the expiry of the code.189
184
S 71(1).
185
S 71(2)(a).
186
S 71(2)(b).
187
S 61(1).
188
S 60(2).
189
S 60(4).
The POPI Act contains provisions dealing with transborder information flows.190 In
terms of these provisions, responsible parties may only transfer personal
information about data subjects to third parties in foreign countries if certain grounds for the
transfer are present. First of all, the transfer may take place if the recipient of the
information is subject to a law, binding corporate rules191 or binding agreement
which effectively upholds principles for reasonable processing that are substantially
similar to the conditions for lawful processing as found in the Act. It must include
provisions relating to the further transfer of information from the recipient to third
parties in foreign countries which are substantially similar to the provisions of the
Act.192 In other words, personal information may only be sent across South African
borders if the information will be subject to adequate data privacy protection rules
in the foreign country.
Personal information may also be transferred outside South Africa’s borders if
the data subject consents to the transfer; or the transfer is necessary for the
performance of a contract between the data subject and the responsible party, or for the
implementation of pre-contractual measures taken in response to the data subject’s
request; or the transfer is necessary for the conclusion or performance of a contract
concluded in the interest of the data subject between the responsible party and a
third party; or the transfer is for the benefit of the data subject, and it is not
reasonably practicable to obtain the consent of the data subject to that transfer and if it
were reasonably practicable to obtain such consent, the data subject would be likely
to give it.193
These provisions in POPI are necessary in order to comply with Article 25 of the
European Union’s 1995 Data Protection Directive,194 which prohibits Member
States of the European Union from allowing the transfer of personal information to
third countries without an adequate level of data protection. According to the EU
Working Party on Data Protection, in order for a data protection act to be considered
adequate, “the further transfers of the personal data from the destination third
country to another third country should be permitted only where the second third country
also affords an adequate level of protection. The only exceptions permitted should
be in line with Article 26 of the directive”.195 The reason for this prohibition is, of
course, to prevent the circumvention of data protection laws in EU countries by data
190
Ch 9.
191
Binding corporate rules are defined in the POPI Act s 72(2)(a) as meaning “personal
information processing policies, within a group of undertakings, which are adhered to by a responsible
party or operator within that group of undertakings when transferring personal information to a
responsible party or operator within that same group of undertakings in a foreign country”.
192
S 72(1)(a).
193
S 72(1)(b)–(e).
194
Directive 95/46/EC.
195
EU Working Party on the Protection of Individuals with regard to the Processing of Personal
Data “Working Document: Preliminary views on the use of contractual provisions in the context of
transfers of personal data to third countries” WP 4 (22 April 1998).
9.3.8 Supervision
Regulator
The Act contains extensive provisions on the powers, duties and functions of the
Regulator. Its functions include educating the relevant parties about the conditions
for lawful processing and the objects thereof; monitoring and enforcing compliance
with the Act; consulting with interested parties; handling complaints; conducting
research and reporting to parliament on new developments relating to the protection
of personal information; issuing, amending or revoking codes of conduct and
considering the determinations by adjudicators under codes of conduct; facilitating
cross-border cooperation in the enforcement of privacy laws; in general, doing
anything related to or helpful to the performance of its functions; and exercising the
powers conferred upon it by the Act in matters relating to access to information as
provided for by the PAI Act.200
The Regulator must, in the performance of its functions and the exercise of its
powers, give fair consideration and attention to certain matters, namely: the conditions for
196
S 39.
197
S 41. On 7 September 2016 Parliament recommended the appointment of Pansy Tlakula as
chairperson of the Information Regulator. Parliament also nominated the four other members
required. These nominations must be approved by the President.
198
S 47.
199
S 52.
200
See s 40.
218 A. Roos
the lawful processing of personal information; the protection of all human rights and
social interests that compete with privacy, such as the desirability of a free flow of
information and the recognition of the legitimate interests of public and private bodies
in achieving their objectives in an efficient way; international obligations accepted by
South Africa; and any developing general international guidelines relevant to the
better protection of individual privacy.201
Information Officer
The information officers of public and private bodies must assist the Regulator. The
head of a private or public body is designated as the information officer.202 The same
person who acts as the information officer of an entity in terms of the PAI Act will
also be the information officer in terms of the POPI Act. The responsibilities of such
an officer include the encouragement of compliance by the body with the conditions
for processing, dealing with requests made to the body pursuant to the Act, helping
the Regulator with its investigations of the body, and otherwise ensuring
compliance by the body with the provisions of the Act.203 These officers must be registered
with the Regulator by the responsible party.204 Deputy information officers may be
appointed and the powers and duties of the information officer may be delegated to
these deputy information officers.205
9.3.9 Enforcement
The provisions of the Act are enforced by the Regulator or by private parties who
institute civil actions.
Enforcement by the Regulator
Under the Act, a person can either lay a complaint about an infringement206 or ask
for an assessment (audit) of processing activities.207 The Regulator may also launch
an investigation on its own initiative.208
201
S 44(1). S 44(2) prescribes what matters the Regulator must have regard to in performing its
functions with regard to information matching programmes.
202
S 1.
203
S 55(1).
204
S 55(2).
205
S 56.
206
S 74.
207
S 89.
208
S 76(3).
Any person may lay a complaint with the Regulator regarding interference with
the protection of personal information of a data subject.209 The Act lists specific
actions that are considered to constitute interference with the protection of personal
information. These include a breach of the conditions for lawful processing;
non-compliance with the requirement that notification must be given to the Regulator
and the data subject of a security compromise; non-compliance with the duty of
confidentiality imposed on persons working for the Regulator; non-compliance with
the provisions for direct marketing by means of unsolicited electronic
communications; non-compliance with the provisions regarding directories; non-compliance
with the provisions regarding automated decision making; non-compliance with the
provisions regarding transfers of personal information outside South Africa; and
lastly, a breach of the provisions of a code of conduct.210
After receiving the complaint, the Regulator can take certain actions, such as to
conduct a pre-investigation,211 act as conciliator between the parties,212 conduct a
proper investigation,213 refer the complaint to an Enforcement Committee,214 refer
the complaint to another regulatory body if the complaint relates to a matter that
falls within the jurisdiction of that body,215 or settle the complaint.216 The Regulator
may also decide to take no action.217 Should it decide to investigate the proceedings,
the Regulator may summon persons to give evidence or produce records, administer
oaths, and receive evidence.218 If required, the Regulator may also request that a
warrant be issued enabling the Regulator to enter premises, carry out inspections,
seize anything covered by the warrant and have private interviews with persons on
the premises.219
Complaints could reach the Regulator via a process followed in terms of a code
of conduct.220
Instead of examining a complaint, the Regulator could assess (audit) the
processing activities. The Regulator could then issue a report requiring the responsible
party to take specific steps to implement any recommendations. Such a report is
equivalent to an enforcement notice.221
The Regulator may serve an information notice on a responsible party in order to
supply the Regulator with information needed to either evaluate a complaint that
209
S 74.
210
S 73.
211
S 79.
212
S 76(1)(b).
213
S 76(1)(d).
214
S 79.
215
S 78(1).
216
S 76(1)(b).
217
S 80.
218
S 81.
219
S 82.
220
S 63.
221
S 89.
interference with the personal information of a data subject has taken place, or to
make a proper assessment.222
After completing an investigation into a complaint, the Regulator may decide to
refer the matter to the Enforcement Committee, which then makes
recommendations to the Regulator on what action to take. After considering the result of the
investigation by the Enforcement Committee the Regulator may serve the
responsible party with an enforcement notice if the Regulator is of the opinion that there
has been an interference with the personal information as stated in the complaint.
The enforcement notice will direct the responsible party to stop processing
information or to take certain steps, or to refrain from taking certain steps.223
A responsible party has a right of appeal against an information notice or an
enforcement notice.224
Any person who obstructs the Regulator in performing its functions or who fails
to comply with an information notice or an enforcement notice is guilty of an
offence.225 The Regulator may also impose administrative fines on responsible
parties who have committed an offence, instead of instituting a criminal
prosecution.226
Compliance with POPI is also ensured by granting data subjects a civil action
against responsible parties for breach of any of the provisions of the Act.227 POPI
creates strict statutory liability for the responsible party, in that the data subject need
not prove intent or negligence on the part of the responsible party. The defences
normally available to a defendant who is held strictly liable are available to the
responsible party, namely vis major, consent of the plaintiff and fault on the part of
the plaintiff. It is also a defence that compliance was not reasonably practicable in
the circumstances, or that the Regulator has granted an exemption in terms of
section 37.228 The Regulator may also institute an action on behalf of the data subject if
the latter requests it.229 The data subject is entitled to claim compensation for
patrimonial and non-patrimonial damages suffered as a result of the responsible party’s
non-compliance with the Act. Aggravated damages may also be claimed.230
222
S 90.
223
S 92.
224
S 97(1).
225
S 100 and s 103.
226
S 109. Criminal sanctions and administrative fines will be discussed below.
227
S 99(1).
228
S 99(2).
229
S 99(1).
230
S 99(3).
Offences and Penalties
POPI creates several offences for which a person can be fined or imprisoned.
Judging from the penalties imposed, some offences are considered more serious
than others. A person convicted of a “serious” offence is liable to a fine or to
imprisonment for a maximum period of 10 years, or to both a fine and imprisonment.231
For less serious offences, the maximum term of imprisonment is 1 year.232
Serious offences include the hindering, obstruction or unlawful influencing of
the Regulator, or someone acting on its behalf, in the performance of its duties and
functions233; the failure by a responsible party to comply with an enforcement
notice234; a witness knowingly giving false evidence235; and an unlawful act by
either a responsible party or a third party in connection with an account number.236
Less serious offences include the failure by a responsible party to notify the
Regulator of processing that is subject to prior notification237; a breach of the duty
of confidentiality imposed on persons acting on behalf of the Regulator238; any
person intentionally obstructing the execution of a warrant or, without a reasonable
excuse, failing to give assistance to a person executing a warrant239; a responsible
party knowingly or recklessly making a false statement when served with an
information notice240; and an unlawful act by a witness.241 A magistrate’s court has
jurisdiction to impose these penalties.242
Administrative Fines
The Regulator may decide to offer the offending party the option of paying an
administrative fine, rather than instituting criminal proceedings. This is done by
serving an infringement notice on the offending party.243 A failure to comply with
the notice within the time allowed will result in the administrative fine becoming
231
S 107(a).
232
S 107(b).
233
S 100.
234
S 103(1).
235
S 104(2).
236
S 105 (responsible party) and s 106 (third party). An account number is any unique number
assigned to a data subject.
237
S 59.
238
S 54 and s 101.
239
S 102.
240
S 103(2).
241
S 104(1).
242
S 108.
243
S 109(1).
9.3.11 Evaluation of the Protection of Personal Information Act
The Act sets out to establish mechanisms or procedures in harmony with
international prescripts to protect the privacy of personal information. It is important that
the data privacy law adopted by South Africa should be regarded by the European
Union and other third countries as providing “adequate” data privacy in order to
secure South Africa’s participation in international trade.
In my opinion the POPI Act provides adequate protection to personal
information. It includes all the basic content principles as spelled out by the Working Party
on data protection,246 it provides for additional safeguards in the case of sensitive
data and automatic processing activities and it allows for a data subject to opt out of
direct marketing. Its procedural or enforcement mechanisms will also ensure that
the main objectives of a data protection system are met. These are (a) to deliver a
good level of compliance with the rules, (b) to provide support and help to
individual data subjects in the exercise of their rights, and (c) to provide appropriate redress
to the injured party where rules are not complied with.247
The African Union’s Convention on Cyber Security and Personal Data Protection248
was adopted in 2014 following South Africa’s adoption of the Protection of Personal
Information Act in 2013. The Convention had no obvious influence on the POPI
Act, although the Convention’s section on “Personal Data Protection” was clearly
244
S 109(5).
245
S 109(2)(c).
246
EU Working Party on the Protection of Individuals with regard to the Processing of Personal
Data “Working Document: Preliminary views on the use of contractual provisions in the context of
transfers of personal data to third countries” WP 4 (22 April 1998). These principles are purpose
limitation, data quality and proportionality, transparency, security, right of access,
rectification and opposition, restrictions on onward transfer to third countries.
247
EU Working Party on the Protection of Individuals with regard to the Processing of Personal
Data “Working Document: Preliminary views on the use of contractual provisions in the context of
transfers of personal data to third countries” WP 4 (22 April 1998).
248
EX.CL/846(XXV). The text of the Convention is available at https://ccdcoe.org/sites/default/
files/…/AU-270614-CSConvention.pdf.
9.5 Conclusion
South Africa is on the brink of implementing an omnibus data protection act. In the
run-up to the implementation of the Act, South African businesses have been
working hard on complying with its provisions. In view of the delay in its adoption, those
businesses that were lagging behind should have time to catch up. It is assumed that
the delay is being caused by the fact that the legislature wants to implement new
developments in the field of data protection, which will be introduced by the EU
Data Protection Regulation.
South African businesses should be ready to implement the Act in the South
African context, but the Act can be expected to have an influence on trade between
South Africa and countries in Africa that do not have data protection laws in place.
Individual transactions will have to be evaluated to make sure that the personal
information involved is protected as required by the Act.
Burchell J The legal protection of privacy in South Africa: A Transplantable hybrid 2009 (vol 13.1)
Electronic Journal of Comparative Law at <http://www.ejcl.org/131/art131-2.pdf>
Currie I and Klaaren J The Promotion of Access to Information Act Commentary (2002)
249
Greenleaf and Georges “The African Union’s data privacy Convention: A major step toward
global consistency?” (2014) Privacy Laws & Business International Report 18.
250
See http://www.itu.int/en/ITU-D/Projects/ITU-EC-ACP/HIPSSA/Pages/default.aspx [17 July
2015]. See further Greenleaf and Georges “African regional privacy instruments: Their effects on
harmonization” 2014 Privacy Laws and Business International Report 19–21.
Greenleaf G and Georges M “The African Union’s data privacy Convention: A major step toward
global consistency?” (2014) Privacy Laws & Business International Report 18
Greenleaf G and Georges M “African regional privacy instruments: Their effects on
harmonization” 2014 Privacy Laws and Business International Report 19–21
Himonga C, Taylor M and Pope A “Reflections on judicial views of ubuntu” 2013 (vol 16 no 5)
Potchefstroom Electronic Law Journal 370
Klaaren J, Currie I and Smith A “Analysing Foreign Access to Information Legislation from a
South African viewpoint” 29–40 in The Constitutional Right of Access to Information (Report
of a seminar held on 4 September 2000 at St George’s Hotel, Rietvlei Dam, Pretoria) Konrad
Adenauer Stiftung Seminar Report no 5 (2001)
Loubser M, Midgley R, Mukheibir A, Niesing L and Perumal D The Law of Delict in South Africa
Oxford University Press Southern Africa Cape Town 2 ed (2012)
Luck R “POPI - Is South Africa keeping up with international trends” 2014 (May) De Rebus 45
Makulilo AB “Privacy and data protection in Africa: A state of the art” 2012 (vol 2 no 3)
International Data Privacy Law 163
Mbigi L and Maree J Ubuntu: The Spirit of African Transformation Management (1995)
Mokgoro J Y “Ubuntu and the law in South-Africa” 1998 (vol 1 no 1) Potchefstroom Electronic
Law Journal 2
Neethling Die Reg op Privaatheid LLD thesis Unisa (1976)
Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality LexisNexis Durban 2d ed
(2005)
Olinger HN, Britz JJ and Olivier MS “Western privacy and/or Ubuntu? Some critical comments on
the influences in the forthcoming data privacy bill in South Africa” 2007 (vol 39 no 1)
International Information & Library Review 34
Prosser WL Privacy 1960 (48) California Law Review 383
Roos “Data privacy law” 363–487 in Van der Merwe D, Roos A, Pistorius T, Eiselen GTS and Nel
SS Information and Communications Technology Law LexisNexis Durban (2016)
Roos A “Data protection: Explaining the international backdrop and evaluating the current South
African position” 2007 (124) South African Law Journal 400
Roos A “Data Protection for South Africa: Expectations Created by the Open Democracy Bill,
1988” in The Constitutional Right of Access to Information (Report of a seminar held on 4
September 2000 at St George’s Hotel, Rietvlei Dam, Pretoria) Konrad Adenauer Stiftung
Seminar Report no 5 (2001)
Roos A “Data Protection Provisions in the Open Democracy Bill, 1997” 1998 THRHR 497
Stein P “South Africa’s EU-style data protection law” 2012 (10) Without Prejudice 48
White J “Open Democracy: Has the window of opportunity closed?” 1998 South African Journal
of Human Rights 65
Williams D “Access to Information in the New South Africa” 1997 (Aug) De Rebus 563
Acts
International Documents
Council of Europe Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data No 108/1981, Strasbourg (28 January 1981)
European Union Directive 95/46/EC of the European Parliament and of the Council of 24 October
1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the
Free Movement of Such Data 1995 Official Journal L 281/31
OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data
Paris (23 September 1980)
Reports
Ad Hoc Joint Committee of South African Parliament Report of the Ad Hoc Joint Committee on the
Open Democracy Bill [B67-98] (24 January 2000)
SA Law Reform Commission (SALRC) Privacy and Data Protection Project 124 Discussion
Paper 109 (2005)
European Union Working Party on the Protection of Individuals with regard to the Processing of
Personal Data “Working Document: Preliminary views on the use of contractual provisions in
the context of transfers of personal data to third countries” WP 4 (22 April 1998)
Case law
Internet Sources
African National Congress “A brief history of the African National Congress” available at http://
www.anc.org; SouthAfrica.info “South African history: gold and the war” available at http://
www.southafrica.info/about/history/521105.htm#.VozSKfl94gs [15 December 2015]
Financial Mail FM Fox “Regulation: personal data in limbo” 28 January 2016 available at http://
www.financialmail.co.za/fmfox/2016/01/28/regulation-personal-data-in-limbo [30 January
2016]
IT Web Business “Consumers still worried about privacy” available at http://www.itweb.co.za/
index.php?option=com_content&view=article&id=80414 [15 December 2015]
Milo D and Palmer G “South Africa- New comprehensive data privacy law passed” Linklaters 31
January 2014 available at http://www.linklaters.com/Insights/Publication1403Newsletter/
TMT-News-31-January-2014/Pages/SouthAfrica-New-comprehensive-data-privacy-law-
passed.aspx [15 December 2015]
South African Government “The Constitution” available at http://www.gov.za/constitution [15
December 2015]
South African History Online “Liberation struggle” available at http://www.sahistory.org.za/
liberation-struggle-south-africa/genesis-armed-struggle-1960-1966 [15 December 2015]
South African History Online “The first large group of French Huguenots arrive at the Cape”
http://www.sahistory.org.za/article/1600s and http://www.sahistory.org.za/dated-event/first-
large-group-french-huguenots-arrive-cape-0 [30 January 2016]
South African Yearbook 2014/5 “Land and its people” available at http://www.gcis.gov.za/content/
resourcecentre/sa-info/yearbook2014-15 [15 December 2015]
SouthAfrica.info “A short history of South Africa” available at http://www.southafrica.info/about/
history/history.htm#.VnlLK_l94gs [15 December 2015]
SouthAfrica.info “South Africa’s telecommunications” available at http://www.southafrica.info/
business/economy/infrastructure/telecoms.htm#.Vnl9_l94gs#ixzz3v4Kiwr4E [15 December
2015]
SouthAfrica.info “South African history: Union and the ANC” available at
http://www.southafrica.info/about/history/521106.htm#.VozSg_l94gs [15 December 2015]
Statistics South Africa “General household survey 2013” (2014) available at http://beta2.statssa.
gov.za/publications/P0318/P03182013.pdf [15 December 2015]
Statistics South Africa “Mid-Year Population Estimates, 2014” Table 8 available at http://www.
statssa.gov.za/publications/P0302/P03022014.pdf [15 December 2015]
United Nations Development Programme “Human development report 2014” Tables 1 and 2
available at http://hdr.undp.org/en/content/table-1-human-development-index-and-its-components,
and http://hdr.undp.org/en/content/table-2-human-development-index-trends-1980-2013, 15
Sept. 2015 [15 December 2015]
Wikipedia “Law of South Africa” available at https://en.wikipedia.org/wiki/Law_of_South_Africa
[15 December 2015]
World Wide Worx “Social media landscape 2015” available at http://www.worldwideworx.com/
wp-content/uploads/2014/11/Exec-Summary-Social-Media-2015.pdf [15 December 2015]
Chapter 10
The Right to Privacy and Data Protection in Ghana
Dominic N. Dagbanja
Abstract The right to privacy forms part of fundamental human rights and freedoms
under most national constitutions or legislation. The law of privacy protects
individuals from intrusions and invasions upon their person, correspondences and
communications, home and property. Privacy law ensures that the autonomy, name and dignity
of human beings are protected. This chapter explores the nature of privacy and data
protection law in Africa with particular reference to Ghana. In broad terms, it reviews
and interprets the constitutional provision on privacy and analyses the social and
cultural attitudes towards privacy in Ghana. It argues that privacy is an
individual-socio-cultural construction. Privacy being a relational, social concept can only be understood
within the social and cultural context. The rest of the chapter is devoted to reviewing
and interpreting the legal principles of personal data protection in Ghana. The Data
Protection Act which was enacted in 2012 provides a statutory basis for the
realisation of the constitutional right to privacy in Ghana. The principles of personal data
protection under this legislation are outlined and interpreted. The Data Protection Act
is a very important piece of legislation towards the substantive protection of the
constitutional right of privacy of correspondence and communication. The actual
realisation of its objects depends on its implementation, which requires the collective and
collaborative efforts of all: the Data Protection Commission and other state
institutions, the private sector that uses personal data, data subjects and the general public.
10.1 Introduction
The primary legislation on the protection of personal data and information privacy
in Ghana is the Data Protection Act 2012 (Act 843) (DPA for short). The long title
of the DPA states that it is intended “to establish a Data Protection Commission, to
protect the privacy of the individual and personal data by regulating the processing
of personal information, to provide the process to obtain, hold, use or disclose
personal information and for related matters.” This title suggests that the law is
primarily aimed at individuals, the protection of their privacy and personal data.
Thus the DPA is concerned with regulating “the process to obtain, hold, use or
disclose personal information”. This suggests that the law seeks to establish a
mechanism for how personal information can be used and managed.
It has been argued that laws regulating personal data use, handling and
management are influenced by globalisation, technological advancements and the need to
protect the individual against the business community that uses personal data.
Samuel Warren and Louis Brandeis rightly argued as far back as 1890 that “[r]ecent
inventions and business methods call attention to the next step which must be taken
for the protection of the person, and for securing to the individual … the right to be
let alone.”1 Sandra Milberg and fellow authors argue, for example, that:2
Information technology developments – coupled with the increasing value of information
to decision makers – are causing a rising tide of concern about personal information privacy
management practices. As such concerns continue to grow, businesses’ ability to use
personal information may be threatened, and decision makers will have to make trade-offs
between the efficient, effective operation of businesses and the protection of personal
information privacy.
This issue becomes even more complex given that interest in the globalization of
information systems (IS) has emerged as organizations enter increasingly competitive
international markets.
1
Warren and Brandeis (1890–1891) p. 196. They stated that:
The intensity and complexity of life, attendant upon advancing civilization, have rendered
necessary some retreat from the world, and man, under the refining influence of culture, has become
more sensitive to publicity, so that solitude and privacy have become more essential to the
individual; but modern enterprise and invention have, through invasions upon his privacy, subjected
him to mental pain and distress, far greater than could be inflicted by mere bodily injury.
2
Milberg et al. 1995, pp. 65–66. See also Makulilo 2015a, b, p. 79; Long and Quek 2002, p. 326,
stating that “States are discovering that their economic interest in maintaining minimal barriers to
trade and information movement could threaten national norms and domestic institutions
protecting personal privacy.”
3
Milberg et al. (n. 2), p. 66.
law is the Constitution of the Republic of Ghana 1992. The chapter also establishes
that the DPA was made in response to the emerging technological advancements
which can easily lead to privacy violations. In all, it can safely be said that the DPA
was enacted based on the realisation that people’s personal data are used by
governmental and private sector and non-governmental institutions and that in the absence
of a legal regime to protect individual data, privacy rights could be violated.
The law of information privacy in Ghana has been very much influenced by the
constitutional right to privacy as guaranteed in Article 18 of the Constitution. It also
appears to have been influenced by advancements in technology with its
concomitant implications for individual privacy violations.4 In that sense, the law of
information privacy protection is very much individual-centric. In a speech delivered at
the launch of the Data Protection Commission of Ghana (DPC) on 18 November
2014, the Minister of Communications, Edward Boamah, stated the values
underlying the enactment of the DPA in the following terms:5
On 15th February 2014, a newspaper in Ghana had this headline – Level 100 student
commits suicide over poor exam results. The news reported suicide by a 24-year-old first-year
student of the University of Education, Winneba (UEW) who was pursuing a degree. There
was no reason assigned for his action, but according to the sources, it may have been due to
his name being published on the notice board as having failed in three subjects. Campus
Sex Tape Leaked; Ghanaian Girl Commits Suicide After Sex Tape Leaks. These are some
of the many headlines on violations of privacy that have made news … lately.
The development of an enabling legal and regulatory environment is imperative in this
era of information age. Today, computers, web applications, mobile applications, software,
etc – all seek to promote efficient services, higher productivity and greater convenience by
reducing the gap in both space and time to bring the world closer. Indeed the relevance and
utility of Information Technology in our modern day lives cannot be underestimated.
Unfortunately, the information and communication technologies are also being misused by
anti-social elements in aid and furtherance of their illegal and nefarious activities,
In line with this the Ministry of Communications has been particularly instrumental in
the passage of key legislations [sic] to improve competition and transparency in the ICT
sector, the Data Protection Act, 2012 (Act 843) being one of such. The Data Protection Act
guarantees specific rights and obligations to the processing of one’s information in order to
protect the sacred precincts of personal life and dignity in the information age – that is …
PRIVACY.
The Act gives meaning to Article 18(2) of the 1992 Constitution. The underlying notion
behind the codification of data protection is the ever growing need to process personal data
today. Every Ghanaian has the right to the privacy of his or her communications and such
right must be guaranteed in the processing of his or her personal data irrespective of the
medium used.
4
Kang 1998.
5
Boamah 2014.
Given the strong linkage between issues relating to personal data and privacy, the
potential for personal data to be used in ways that can violate one’s right to privacy therefore
informed Government to develop this Act.
From this speech, it is very clear that the individual was very much at the centre
of the passage of the DPA. The goal was to give further backing to the legal right to
privacy as guaranteed by the Constitution of Ghana because the Government of
Ghana realised that personal information could be used in a manner that is
detrimental to the individual and the Ghanaian society at large. According to the Acting
Chief Executive Officer of the DPC, “the barrage [of] privacy invasions of citizens
in [Ghana] especially through the use of information technology, have led to
discrimination, personal harassments, damage to professional reputations, financial
losses and in some extreme cases death.”6 Mary Culnan and Pamela Armstrong
point out that individuals are less likely to perceive information collection and
management procedures as privacy-invasive and intrusive if the information is collected in
the context of an existing relationship, if the individuals have the ability to control
the use of the information, the information is collected or used for a lawful
transaction and the information will be used to draw reliable and valid inferences about the
individuals.7 So recognition of individual concerns regarding information privacy
and society-wide implications of privacy violations in Ghana must have informed
the enactment of the DPA.
However, Eric Agyei-Bekoe says that since Ghana is a collectivist society,
“people are likely to have low value of privacy concern.”8 He posits that there appears to
be “a link between low privacy concern and absence of privacy and data protection
legislation” and that the absence of privacy and data protection law in Ghana until
recently “may be attributed to the low privacy concern of the country.”9 For
Agyei-Bekoe, “if there was not any level of discontent (in terms of privacy concerns)
among the Ghanaian people yet the government passed the 2012 DPA law then it
was for economic reasons. The motive could well have been to satisfy the EU
Directive that prohibits trans-border flows of personal data without adequate
protection. It allows EU companies to setup customer service call centres or to outsource
personal data to Ghana for processing.”10 Alex Makulilo also argues that “a
powerful driver of the development of privacy law among developing countries is the
desire to engage in global e-Commerce and the recognition of trust as being a
fundamental component of the new economy.”11
From the accounts available in Ghana it can be argued that the DPA must have
been enacted to protect individual right to privacy although it may also have been
influenced by Ghana’s international economic relations. As Agyei-Bekoe suggests,
6
Acting Chief Executive Officer, above note 5 at 2.
7
Culnan and Armstrong 1999, p. 106. See also Smith et al. 1996.
8
Bekoe 2013, p. 189.
9
Ibid.
10
Ibid.
11
Makulilo, (n. 2), p. 79.
“before the Data Protection Act was enacted there have been existing cyber laws but
none of them deals with privacy and data protection issues. This means that before
the passing of the law there were no privacy regulations to deal with any privacy
violations.”12 The enactment of the DPA fills that vacuum in personal data protec-
tion in Ghana. The enactment of the Data Protection strengthens the position of the
right to privacy under the Constitution of Ghana because in the absence of such a
law, there existed no substantive and procedural basis to determine privacy of com-
munications and how the right could be protected. It should be stated though that the
right to privacy is broader than protection of personal information alone. The DPA
does have a narrower focus to the extent that it focuses on individual and personal
data. Other aspects of the right to privacy, including privacy of home and property,
would have to continue to be protected under the Constitution and other legislation
and the common law which forms part of the laws of Ghana.
Privacy concerns personal space and autonomy in relation to the self, information,
matters and issues that an individual or a group does not want others to see, know,
deal or interfere with or use in a manner that the person or group does not agree to.
It is about protecting the individual or group image, name and dignity. The very
concept of privacy itself suggests that it is a relational or social concept in the sense
that its use always relates to others; it is not a right that an individual can claim
in isolation from others. In this sense, the nature and content of the right of privacy
is shaped and defined by the cultural context even though it may be an individual
right. It is recognised in every culture but exactly what the individual can claim as
private can be shaped by the cultural backdrop. Privacy is an individual-socio-
cultural construction then. It is individual in the sense that there are certain matters
concerning the individual that they, as unique and independent, will never want
others to know because they want to protect their names and dignity and they do not
want to be shamed by those matters getting known to or improperly interfered with
by others. Privacy is socio-cultural in the sense that some matters individuals hold
as private are established by the social and cultural context. For example, dressing
is about privacy but it is a socio-cultural construction. Some individuals might want
to choose to walk naked in the streets but the society says that human beings must
cover up certain parts of their bodies when they are in a public place. Even covering
up by dressing is expressed differently in different cultures. In some cultures the
occasion or place does not matter: whether in church, on a beach, in other public
places or in their private home, people dress the same. In other cultures, such as in
Ghana and Africa generally, the dress code is defined by the occasion and the place.
Covering up gives human beings some measure of privacy and dignity of their bod-
ies and personhood and not just meeting an expression of individual privacy or
12 Ibid p. 165.
autonomy alone. In that sense it can hardly be argued that privacy is rooted in some
cultures and less or not rooted at all in other cultures. As I argued previously:13
privacy, a universal natural right, is culturally defined and shaped. While privacy is a natural
right – and a cultural universal in the sense that it is recognised in all cultures – the scope
and content of privacy is very much contextual since the particular desires and expressions
of privacy are dictated by the culture in a given society. Put it differently, the nature and
significance, and therefore, the content and scope of privacy depend on the cultural
context.
Ghana, like other African countries, is collective, reinforced by the descent sys-
tem which categorizes individuals into lineages, families, and clans.15 In a collective
culture such as Ghana, “collective interests generally take precedence over
self-interests although people from collective cultures also have self-interests that
are important and protected.”16 The Ghanaian family is the basic unit and foundation
Underscoring social and cultural differences in the expression
13 Dagbanja 2014, pp. 40–41. But see Makulilo (n. 2), p. 78 arguing that “[p]rivacy is a value that has its roots in the Western world.”
14 University of Cape Coast v Anthony [1977] 2 GLR 21 at 42–43.
15 Nukunya 2003, p. 19.
16 Davies and Dagbanja 2009, p. 310.
of the society and the individual within that society. The family represents the indi-
vidual and the individual represents the family. What affects the family affects the
individual and what affects the individual affects the family.17 As Max Assimeng
rightly and beautifully put it, “as human beings we are born into a family, brought
up in a family, continue to live, think, and act in a family, and will die as members
of a family”.18 This emphasises the group-oriented, collective nature of the social
organisation of African societies such as Ghana.19 Thus if members of the family
“are impugned through insults, abusive language or words injurious to reputation …
the essence of the family’s identity and its place within society are placed in
question.”20 It goes without saying that the privacy of an individual in Ghana is not
just a matter that concerns the individual, it also concerns the family of which the
individual is a member. Thus laws that seek to protect the privacy of the individual
in the Ghanaian context may indirectly be promoting and protecting the family. In
his study on privacy, data protection and e-government, Agyei-Bekoe found the
project participants generally lacked “awareness and understanding of privacy and
data protection issues.”21 He also found “low privacy concerns among them, which
are influenced by the national culture, specifically collectivist cultural society.”22
Eric Agyei-Bekoe has not established a threshold for determining “low privacy con-
cerns” and whether such determination is to be done comparatively between differ-
ent geographic regions and cultures or within the national or regional context. Given
the differences in the socio-cultural value for and expression of what amounts to
privacy, if a particular socio-cultural expression of privacy is to be respected, then
the question of low privacy concerns does not arise outside of the socio-cultural
perception and expression of privacy within the particular society. In other words,
since different cultures express privacy concerns differently, no universalist contin-
uum or standard can be established based on the cultural values of one particular
culture. The issue of low or high level of privacy concerns should be looked at in
terms of national and if possible regional contexts within which there is more likely
to be a sharing of values on privacy.
The conclusion drawn from the foregoing in this section is that the social and
cultural context is very important for the people’s understanding of privacy and data
protection issues because cultural values have a significant and positive effect on privacy
concerns across countries.23 It can be hypothesised in light of the preceding
analysis that the more the society is group-oriented, the less pronounced are concerns
with regard to privacy in comparison with more individual-oriented societies.
However, that does not mean that standards in the individual-oriented society
regarding privacy should become the basis for determining the level of privacy
17 Ibid at 309.
18 Assimeng 1999, p. 75.
19 Dagbanja 2015, p. 422.
20 Davies and Dagbanja, note 15 at 309.
21 Agyei-Bekoe, above note 8 at 159.
22 Ibid.
23 Bellman et al. 2004, p. 315. See also Hofstede 1980, 1991; and Milberg et al. 2000.
concerns in the group-oriented society. The value systems in the two societies are
different and one cannot be a standard for the other although there can be cross-
cultural learning.
Privacy and data protection are important in a group-focused society given the
intricate link between the group and individual interests on privacy issues. The inva-
sion of individual privacy can implicate the whole family. In Republic v. Tommy
Thompson Books Ltd it was stated in relation to insults and verbal abuse in Ghana that:24
[r]ecent events in certain parts of this country prove that our society is presently one in
which expressions and allegations against persons, whether oral or written, can have far-
reaching consequences (both as a result of the public acting upon the allegations or the
accused person seeking to defend himself), including breach of the peace, mob action, mass
hysteria and even loss of lives. Allegations made against persons, whatever be their station
in life, still have the potential power to cause immediate effect.
The Constitution guarantees the right to privacy in Ghana and subjects that right to
the need to protect the rights of others in society and to other larger societal interests
including the need for a free media for effective dissemination of information in a
free and democratic society. This generally defines the contours of the right to pri-
vacy in Ghana. The Constitution provides that:25
No person shall be subjected to interference with the privacy of his home, property, corre-
spondence or communication except in accordance with law and as may be necessary in a
24 Republic v Tommy Thompson Books Ltd [1997–1998] 1 GLR 611 at 644.
25 Constitution art. 18(1) and (2). As far back as 1970 before the current Constitution of Ghana,
1992 came into force, some judges were calling for the need for recognition and protection of the
right to privacy in Ghana. Other judges were more hesitant and called for the need for studies that
would allow for the development of principles on the right to privacy that would be in consonance
with the Ghanaian culture and ways of life. A case in point is University of Cape Coast v. Anthony
[1977] 2 GLR 21. The photograph of the plaintiff, a married woman, was taken at a function of a
benevolent society at the request of the society by arrangement with The Catholic Standard, a
religious newspaper and with the consent of the plaintiff. The photograph was published in the
newspaper. Subsequently, the University of Cape Coast published copies of the plaintiff’s photograph
in the form of postcards. The postcards were then exhibited and sold at their bookshop. The
plaintiff alleged that she had been libelled by the publication of the postcards and sued for damages.
No case of invasion of privacy was pleaded but on appeal the plaintiff sought to make a claim
to invasion of her privacy. It was held, allowing the appeal, that the publication of a person’s photograph
even for sale without his consent was not libel per se and was not libellous in the circumstances
of this case. On the right to privacy, it was held, obiter, that the court was precluded by a
long line of respectable authorities from granting any relief to the plaintiff for the alleged invasion
of her privacy. The court noted that the plaintiff gave her full blessing for the picture to be published
in a newspaper with world-wide circulation; the defendant did not extract her picture from her
private family album. Therefore, she could not make a claim to invasion of her right to privacy.
free and democratic society for public safety or the economic well-being of the country, for
the protection of health or morals, for the prevention of disorder or crime or for the protec-
tion of the rights or freedoms of others.
This is the only direct provision on the right to privacy in Ghana under the
Constitution. From Article 18 of the Constitution, the right to privacy in Ghana is
very broad and includes privacy in relation to one’s “home,” “property” and “cor-
respondence” or “communication.” It is in this sense that this chapter argues that the
DPA is of limited scope in the sense that it focuses on information privacy.
Interference with the right to privacy in Ghana in accordance with this constitutional
provision is justified as may be provided by (1) law; (2) as may be necessary
in a free and democratic society; and (3) where such interference is for public safety
or the economic well-being of the country, for the protection of health or morals, for
the prevention of disorder or crime or for the protection of the rights or freedoms of
others. The use of the word “interference,” in the Constitution meaning “meddling,”
“intrusion,” “prying,” “nosiness,” “obstruction” or “hindrance,” is of particular sig-
nificance to note. The Constitution seeks to prohibit “interference” which has the
various enumerated connotations. This kind of approach is consistent with the defi-
nition of the right to privacy as ‘the right to be alone’26 or “right of seclusion from
the public.”27
The use of the phrase “as may be necessary in a free and democratic society” is
also significant to note. The phrase implies that Ghana is a free and democratic
society. It also equally implies that there are other free and democratic societies
apart from Ghana. What this in effect means is that interference with the right to
privacy is “necessary” not only as may be judged in the Ghanaian context, but also
as may be judged in the context of any other free and democratic society. The phrase
suggests that there are certain values enshrined in free and democratic societies and
that those values are necessary in defining the scope of the rights to privacy in
Ghana. Impliedly, it will be difficult for a plaintiff in Ghana to make a claim to pri-
vacy merely on Ghanaian cultural values and norms alone.
A contrary argument to the foregoing is that not all values in other free and
democratic societies may be cherished in Ghana. Thus interference with the right to
privacy in one free and democratic society may not be necessary in Ghana. And to
that extent not all forms of interference with the right to privacy that may be necessary
in other free and democratic societies on the basis of the values in those societies
may be necessary to justify interference with the right to privacy in Ghana. In
the end, whether what is necessary for or justifies interference with the right
to privacy in other societies is applicable in Ghana will depend on the circumstances
of each case. This chapter subscribes to the latter interpretation.
Given the group-focused rather than individual-focused nature of the Ghanaian
society, it is not likely that what will justify interference with the right to privacy in
individual-oriented societies will in all cases apply to the Ghanaian context. Indeed,
26 Warren and Brandeis, above note 1.
27 University of Cape Coast v Anthony, (n.26) p. 421.
it is likely that in Ghana complaints about interference with the rights to privacy
would have more to do with governmental, media and other institutional interfer-
ences rather than interferences from fellow private citizens in their individual or
group character. This is because Ghanaians live in groups: families, clans and lin-
eages and in other social groups and aggregates. The conception of the right to privacy
in Ghana would therefore be different from that in individually-focused societies.
Therefore, the invasion of the right to privacy within the family context is more
likely to be tolerated than when the right is invaded through other means such as the
media and groups outside the family. Indeed, Richard Epstein acknowledges even in
the case of the United States that “in cases where individuals trespass or eavesdrop
merely for their own titillation, it becomes very difficult to assert any public interest
in their conduct. The matter becomes much more vexed when the acquired informa-
tion is then published to the world at large.”28
The Constitution protects privacy of “home,” “property,” “correspondence,” or
“communication”. Literally, these are the spheres or zones, or contexts within which
the right to privacy may be asserted or claimed in Ghana. A claim to privacy must
be situated within any of these contexts. If this is the case, it may limit the scope of
the right to privacy outside of these contexts. The content of the right to privacy of
home, property, correspondence or communication, as it is, will depend on the cir-
cumstances of each case. However, there are other substantive rights under the
Constitution which if respected and upheld will promote the substantive right to
privacy in Ghana, including freedom of speech and expression, freedom of thought,
conscience and belief, information, freedom of movement,29 personal liberty30 and
respect for human dignity.31
The Constitution not only deals with the substantive right to privacy, it also indi-
cates the nature of remedies that may be granted for breach of privacy rights. The
enforcement of fundamental human rights, including the right to privacy, is within
the jurisdiction of the High Court.32 In exercising its jurisdiction, the High Court has
the power to give directions or orders or writs including writs or orders in the nature
of habeas corpus, certiorari, mandamus and prohibition, whichever is appropriate,
for the purposes of enforcing or securing fundamental human rights and freedoms.33
There is a right of appeal from the decision of the High Court to the Court of Appeal
with a further right of appeal to the Supreme Court in respect of privacy and other
human rights disputes.34
The Constitution specifies the laws of Ghana to include the “common law”,35
which comprises “the rules of law generally known as the common law, the rules
28 Epstein 2000, p. 15.
29 Constitution art 21(1).
30 Ibid art. 14.
31 Ibid art. 15.
32 Ibid art 33(1).
33 Ibid art. 33(2).
34 Ibid art. 33(3).
35 Ibid art. 11(1)(e).
generally known as the doctrines of equity and the rules of customary law including
those determined by the Superior Court of Judicature”.36 The “rules generally
known as the common law” are basically the judge-made law of the English legal
system.37 Ghana was colonised by Britain, so British decisions on issues unaffected
by Ghanaian statutes or case law may be cited as persuasive authority. Therefore,
the scope of the remedy for breach of the right to privacy in Ghana includes both
those remedies as specifically decided under common law of England and those
remedies specifically decided by the superior courts of Ghana. Generally, the rem-
edies for breach or threatened breach of the right to privacy include damages and
injunctions.38 It follows that damages or injunction may be secured for breach or
threatened breach of the right to privacy in Ghana and damages may be assessed by
following common law principles as the Constitution does not address this matter.
The existence of the constitutional regime for the protection of the right to privacy
in Ghana does not preclude the development or application of the rules of law gen-
erally known as the common law regime in Ghana. Indeed, the Constitution pro-
vides that the rights, duties, declarations and guarantees relating to the fundamental
human rights and freedoms it specifically recognises or establishes (including the
right to privacy) do not exclude other rights or remedies it has not specifically stated
but which are considered to be inherent in a democracy and intended to secure the
freedom and dignity of man.39 The common law regime for privacy protection thus
provides advantages which the Constitution does not offer by providing for both the
substantive right and the remedies for breach. The common law regime, therefore,
complements the constitutional protection of privacy in Ghana.
Scope and Definitions
Some scholars have identified four areas of privacy: privacy of a person, behaviour
privacy, communication privacy, and data privacy.40 Data protection is an aspect
of the legal regime for the protection of the right to privacy in Ghana. The DPA
establishes the DPC. The object of the DPC is to “protect the privacy of the indi-
vidual and personal data by regulating the processing of personal information, and
36 Ibid art. 11(2).
37 Williams 1982, p. 25.
38 Relevant English case law includes Wainwright v Home Office (Respondents) [2003] UKHL 53;
[2003] 3 WLR 1137; His Royal Highness the Prince of Wales v Associated Newspapers Ltd [2006]
EWHC 11 (Ch); Douglas v Hello! Ltd [2005] EWCA Civ 595; Kaye v Robertson [1991] FSR 62;
Mosley v News Group Newspapers [2008] EWHC 1777 (QB); Campbell v Mirror Group
Newspapers Ltd [2004] UKHL 22.
39 Constitution art. 33(5).
40 Pavlou 2011, p. 978. See also Clarke 1999; and Solove 2006.
The functions of the DPC, which is responsible for the implementation of the
DPA, are spelt out in section 3. The DPA requires the DPC to implement and monitor
compliance with the law, to investigate any complaint and keep and maintain a
data protection register.
The DPA is intended to ensure that all who process personal data take into consideration
the individual’s right to the privacy of their information and communications.
Accordingly, a data controller or processor must follow eight basic principles for
processing personal information. According to section 96 of the DPA, “Data
Protection Principles” (DPP) are the principles set out in sections 17–26 of the
DPA. The principles listed in section 17 of the DPA are: accountability, lawfulness
of processing, specification of purpose, compatibility of further processing with purpose
of collection, quality of information, openness, data security safeguards, and
data subject participation. It is quite difficult to fit the content of sections 18–26
into these categories, which suggests that Parliament may not have given conscious
41 Data Protection Act s 2.
42 Ibid s 45.
43 Data Protection Commission.
44 Data Protection Act s 18.
45 Ibid s 19.
duty; or is necessary to pursue the legitimate interest of the data controller or a third
party to whom the data is supplied. These requirements seem to effectively mini-
mise the effect of the requirement for consent by a data subject before data can be
processed. However, a data subject may object to the processing of personal data.
Where such objection is made, the person who processes the personal data shall
stop the processing of the personal data. The provision falls short of stating what happens
after the person has stopped processing the data. Perhaps the right of objection
to the processing of personal data brings an end to the processing of the data without
further question.
The DSPP is also reflected in section 21 of the DPA which requires direct collec-
tion of personal data from the data subject. However, personal data may be collected
indirectly where the data is contained in a public record, the data subject has delib-
erately made the data public or consented to the collection of the information from
another source. Personal data may also be collected indirectly if the collection of the
data from another source is not likely to prejudice a legitimate interest of the data
subject. Also if the collection of the data from another source is: necessary in con-
nection with an offence or breach of law, for the enforcement of a law which imposes
a pecuniary penalty or which concerns revenue collection, for the conduct of pro-
ceedings before any court or tribunal, for the protection of national security or for
the protection of the interests of a responsible or third party to whom the informa-
tion is supplied, then indirect collection of the data is permitted. Again, indirect
collection of personal data is permitted if direct collection would prejudice a lawful
purpose for the collection or direct collection is not reasonably practicable. A data
controller must take the necessary steps to ensure that the data subject is aware of
the purpose for the collection of the data.46 Participation is met by the requirements
of consent, objection and direct giving of the data by the data subject. Participation
of the data subject may also be met by the subject exercising the right to correct
personal data under section 33 of the DPA. However, this section has not been specified
in section 96 as one of the data protection principles.
The Data Security Safeguards Principle (DSSP) is reflected in provisions dealing
with maintenance and retention of records. For example, section 24 of the DPA says
personal data shall be retained only for the period necessary to achieve the purpose
for which the data was collected and processed. Retention of data for such period is
justified if it is required or authorised by law, is reasonably necessary for a lawful
purpose related to a function or activity, is required by virtue of a contract between
the parties to the contract or if the data subject consents to the retention of the
record. The limitation on the period of retention of records of personal data does not
apply if such records are retained for historical, statistical or research purposes.
Where data is retained for any of these purposes, it must be adequately protected
against access or use for unauthorised purposes. Where a record of the personal data
is made to make a decision about a data subject, the record is to be retained for a
period required or prescribed by law or a code of conduct for a period which will
afford the data subject an opportunity to request access to the record. At the expiry
46 Ibid s 23.
Under section 75 of the DPA, the DPC has the authority to serve a data controller
with an enforcement notice if the DPC is satisfied that a data controller has contra-
vened or is contravening any of the DPP. The notice may require a data controller to
take or refrain from taking the steps specified within the time stated in the notice or
from processing any personal data. Notice is to be served if a contravention has
caused or is likely to cause damage or distress to any person. The notice may also
require the data controller to rectify, block, erase or destroy data containing an
expression of opinion based on inaccurate data. The DPC may in exceptional cir-
cumstances order that notice apply immediately. Section 80 of the DPA says a per-
son who fails to comply with an enforcement notice commits an offence and is
liable on summary conviction to a fine, a term of imprisonment of not more than 1
year or to both the fine and imprisonment. Knowingly or recklessly making false
statements in a material respect is also an offence which may lead to a fine, a term
of imprisonment of not more than 1 year or to both the fine and the imprisonment.
Other offences that can attract a fine, a term of imprisonment of not more than 2
years or both are purchasing personal data or information contained in the personal
data of another person; improperly disclosing personal data or information con-
tained in the personal data of another person; and disclosing or causing to be dis-
closed to another person information contained in personal data.47 If an offence is
committed under the DPA for which no penalty is specified, the penalty or liability
is summary conviction to a fine of not more than 5000 penalty units or a term of
imprisonment of not more than 10 years or to both the fine and imprisonment.48 It is
not clear how these penalties or terms of imprisonment relate to the harm that may
have been caused to the data subject arising from breach of the DPA.
The DPC has a complaint investigative function under section 3 of the DPA. Thus
an individual who believes that his personal data is being handled illegally may
47 Ibid s 88.
48 Ibid s 95.
complain to the DPC. It is also possible for an individual to institute legal proceed-
ings in court under Article 33(1) of the Constitution. This provision entitles persons
who allege that the provisions of the Constitution on fundamental human rights,
including the right to privacy, have been or are likely to be contravened to apply to the
High Court for redress. Section 39 of the DPA also empowers an individual by
notice in writing to require a data controller “to cease or not begin processing for a
specified purpose or in a specified manner, personal data which causes or is likely
to cause unwarranted damage or distress to the individual.” If the DPC is satisfied
that the complainant is justified, it may order the data controller to comply with the
notice. This section gives the individual the right to prevent the processing of per-
sonal data. Section 40 of the DPA likewise entitles a data subject by notice in writ-
ing to require a data controller not to process personal data for the purposes of direct
marketing. If an individual suffers damage or distress because a data controller has
contravened the DPA, section 43 entitles the individual to compensation from the data
controller for the damage or distress. According to section 90(2) of the DPA, a per-
son who suffers damage which arises from the supply of inaccurate or incomplete
information by a credit bureau about the person is entitled in addition to the reme-
dies under the DPA to further remedies under the Credit Reporting Act 2007 (Act
726).
There are currently about 16 African countries that have data protection laws and
other countries are working on coming out with theirs.49 On 27 June 2014, the
African Union adopted the African Union Convention on Cybersecurity and
Personal Data Protection.50 The Economic Community of West African States
(ECOWAS), of which Ghana is a member country, also developed a framework of data
privacy law on 16 April 2010.51 There does not exist in the DPA of Ghana any specific
provision on international transfer of data and applicable legislation might govern
the transfer of such data. The absence of such specific provision can defeat the purpose
of the DPA to protect personal data. According to section 87 of the DPA, the DPC
“shall perform the data protection functions that are necessary to give effect to any
international obligations of the Republic.” The concept of “any international obliga-
tions” is very broad and can lead to a subordination of personal data protection
under the DPA to any international obligation that domestic personal data protection
principle may come into conflict with. The DPC was admitted into the membership
49 For essays on personal data protection in Africa see Makulilo 2012, 2015a, b; Makulilo, (n. 2);
Makulilo 2013a, b.
50 EX.CL/846(XXV), online: <https://ccdcoe.org/sites/default/files/documents/AU-270614-CSConvention.pdf>
51 Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS, (n. 2), pp. 82–83
for a fuller analysis of this legal framework.
10.6 Conclusion
The DPA was passed in 2012. The DPA was enacted to protect the privacy of the
individual and personal data. The DPA regulates the manner of collection and pro-
cessing of personal information. The law provides for how to obtain, hold, use or
disclose personal information.53 It establishes the DPC and provides for penalties
for non-compliance with the DPP.
To ensure that Ghanaians exercise their rights under the DPA there is the need for
people to know that the DPA exists and what their rights are under it. Under section
86 of the DPA the DPC “is responsible for the conduct of public education and
awareness campaigns to the public on the rights of data subjects and the obligations
of data controllers.” The DPC has to perform this duty so that the public becomes
aware of their rights. In fact, the Acting Chief Executive Officer of the DPC has said
that “the successful implementation of the DPA will not be achieved without the
adequate education of all stakeholders” and that the DPC would “be embarking on
a national campaign from January 2015.”54
The law serves as an important basis for the realisation of the constitutional right
to privacy in Ghana. There are important substantive provisions in the DPA that
establish standards for the protection of personal data but which fall outside those
provisions specifically stated as DPP. Further legislation or amendments will be
clearer and easier to use if all provisions dealing with a particular data protection
principle are grouped under that principle. Also the DPA empowers the data subject
to deal with data controllers without requiring the data subject to give notice to
the DPC at the moment of giving notice to the data controller. Since the DPC may
come in to act on behalf of the individual, it is important that relevant notices and
documents are served on the DPC at the moment the data subject is making a claim
against the data controller. If individuals can commence their claims without having
to do so through the DPC or even give it notice, then the DPC might be rendered
ineffectual.
The DPA is a very important piece of legislation towards the substantive protec-
tion of the constitutional right of privacy of correspondence and communication in
Ghana. The actual realisation of its objects depends on its implementation which
52
Address by the Ag. Executive Director of the Commission at the Launch of the Data Protection
Act, 18 November 2012.
53
Ibid at 1.
54
Acting Chief Executive Officer (n. 5) p. 6.
10 The Right to Privacy and Data Protection in Ghana 247
requires the collective and collaborative efforts of the DPC and other state institu-
tions, the private sector that uses personal data and the general public.
References
Assimeng, Max. Social Structure of Ghana: A Study in Persistence and Change, 2nd edn, Ghana
Publishing Corporation, 1999.
D J Solove, “A Taxonomy of Privacy” 154(3) University of Pennsylvania Law Review 477–564,
2006.
Dominic N Dagbanja, “Customary Tort Law in Sub-Saharan Africa” in Mauro Bussani and
Anthony J. Sebok (eds) Comparative Tort Law: Global Perspectives (Edward Elgar Publishing,
2015) 412–440 at 422
Dominic N Dagbanja, Privacy in Context: The Right to Privacy, and Freedom and Independence of
the Media under the Constitution of Ghana, 22(1) African Journal of International and
Comparative Law 40–62, 2014.
Eric Agyei-Bekoe, Empirical Investigation of the Role of Privacy and Data Protection in the
Implementation of Electronic Government in Ghana, A Doctoral Thesis Submitted in Partial
Fulfilment of the Award of Doctor of Philosophy Faculty of Technology, Centre for Computing
and Social Responsibility De Montfort University September 2013.
G. K. Nukunya, Tradition and Change in Ghana: An Introduction to Sociology, 2nd edn, University
of Ghana Press, 2003.
Geert Hofstede, Culture’s Consequences: International Differences in Work-related Values, Sage,
1980.
Geert Hofstede, Cultures and Organizations: Software of the Mind, McGraw-Hill, 1991.
Glanville Williams, Learning the Law, Stevens & Sons, 1982.
H J Smith, J S Milberg, and J S Burke (1996) 20(2) “Information Privacy: Measuring Individuals’
Concerns about Organizational Practices,” MIS Quarterly 167–196.
Jerry Kang, “Information Privacy in Cyberspace Transactions” (1998) 50(4) Stanford Law Review
1193–1294
Julie Davies and Dominic N Dagbanja, “The Role and Future of Customary Tort Law in Ghana: A
Cross-Cultural Perspective” (2009) 26(2) Arizona Journal of International & Comparative
Law 303–332.
Makulilo, Alex B., “Privacy and Data Protection in Africa: A State of the Art” (2012) 2(3)
International Data Privacy Law 163–178
Makulilo, Alex B., “Data Protection Regimes in Africa: too far from the European ‘adequacy’
Standard?” (2013a) 3(1) International Data Privacy Law 42–50
Makulilo, Alex B., “‘One size fits all’: Does Europe impose its Data Protection Regime on Africa?”
(2013b) 7 Datenschutz und Datensicherheit 447–451
Makulilo, Alex B., “Myth and Reality of Harmonisation of Data Privacy Policies in Africa”
(2015a) 31 Computer Law and Security Review 78–89
Makulilo, Alex B., “Privacy in mobile money: Central Banks in Africa and their Regulatory
Limits” (2015b) 23 International Journal of Law and Information Technology 372–391
Mary J Culnan and Pamela K. Armstrong, “Information Privacy Concerns, Procedural Fairness,
and Impersonal Trust: An Empirical Investigation” (1999) 10(1) Organisation Science
104–115
McQuoid-Mason, The Law of Privacy in South Africa (Juta, 1978: 1–2)
Paul A. Pavlou, State of the Information Privacy Literature: Where Are We Now and Where Should
We Go? (2011) MIS Quarterly 977–988
R Clarke, “Internet Privacy Concerns Confirm the Case for Intervention” (1999) 42(2)
Communications of the ACM 60–67
Richard A. Epstein, Deconstructing Privacy: And Putting it Back Again in E Frankel Paul, F D
Miller, J and J Paul (eds), The Right to Privacy (Cambridge University Press, 2000) 15.
Samuel D. Warren and Louis D. Brandeis, The Right to Privacy (1890–91) 4(5) Harvard Law
Review 193.
Sandra J Milberg, H. Jeff Smith and Sandra J Burke, “Information Privacy: Corporate Management
and National Regulation” (2000) 11(1) Organization Science 35–57.
Sandra J Milberg, Sandra J Burke, H. Jeff Smith, and Ernest A. Kallman, “Values, Personal
Information Privacy and Regulatory Approaches” (1995) 38(12) Communications of the ACM
65–74
Steven Bellman, Eric J Johnson, Stephen J Kobrin and Gerald L Lohse, “International Differences
in Information Privacy Concerns: A Global Survey of Consumers” (2004) The Information
Society 313–324.
William J. Long and Marc Pang Quek, “Personal Data Privacy Protection in an Age of Globalization:
The US–EU Safe Harbor Compromise” (2002) 9(3) Journal of European Public Policy
325–344
Documents
Address by the Ag. Executive Director Of The Commission at the Launch Of the Data Protection
Act, 2012 (Act 843) (Data Protection Commission, 18 November 2012), online:
http://dataprotection.org.gh/sites/default/files/Speech%20of%20the%20Executive%20Director%20at%20the%20launch%20of%20the%20Data%20Protection%20Act.pdf
Data Protection Commission, Data Protection Principles, online:
http://www.dataprotection.org.gh/data-protection-principles
Edward O Boamah, Speech Delivered By Dr. Edward K. Omane Boamah, Minister for
Communications at The Launch Of The Data Protection Commission On 18th November 2014
at The International Conference Centre (Data Protection Commission), online:
http://dataprotection.org.gh/sites/default/files/Final%20Speech%20of%20the%20Hon.%20Minister%20of%20Communications%20at%20the%20launch%20of%20the%20Data%20Protection%20Act.pdf.
Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS, online:
http://www.statewatch.org/news/2013/mar/ecowas-dp-act.pdf.
Chapter 11
Data Protection in Cape Verde: An Analysis
of the State of the Art
João Luís Traça and Pedro Marques Gaspar
Abstract Five hundred and seventy kilometers off the Western coast of Africa, we
find the Republic of Cape Verde, an archipelago composed of 10 volcanic islands.
Interestingly enough, compared to other larger former Portuguese colonies in Africa,
the country has quite a sophisticated legal system. For this reason, it comes as no
surprise that the country has implemented a general framework for data protection
and privacy matters.
At first glance, data protection can be found in the Cape Verdean Constitution,
the fundamental law of this country. Moreover, and borrowing (to some extent) from
the European Data Protection regime, the country has put into place a Data Protection
Law, a statute that seeks to guarantee and to protect the fundamental rights of data
subjects, from a privacy standpoint. In fact, the role that the legislator has been
playing (namely, by setting down the powers of the Cape Verdean Data
Protection Agency) reflects the increasingly important part that privacy has
been playing in the country.
The present chapter seeks to provide readers with a general overview of the
country’s legal regime and to be a first approach for whoever wishes to investigate
this matter in further depth.
J.L. Traça
Av. Engenheiro Duarte Pacheco, Partner at Miranda & Associados, Lisboa, Portugal
e-mail: joao.traca@mirandalawfirm.com
P.M. Gaspar (*)
Av. Engenheiro Duarte Pacheco, Associate at Miranda & Associados, Lisboa, Portugal
e-mail: pedro.gaspar@mirandalawfirm.com
11.1 Introduction
In order to provide an adequate response to the fast-paced global reality, the Cape
Verdean legislator has put into place a data protection legal framework comprising
provisions at both a constitutional level and a legislative level, the latter being
divided between Law No. 133/V/2001, of 22 January 2001 (hereinafter referred
to as “Data Protection Act”) and Law No. 132/V/2001, of 22 January 2001, which
aims at regulating privacy in the telecommunications regime.
This paper outlines the most relevant rules and provisions encompassed in this
regime and attempts to provide some context as to their effects and applicability.
Moreover, given the novelty of the subject in both case law and legal doctrine, we
will mainly base our comments on the relevant provisions of the abovementioned
statutes, while keeping in touch with the latest updates on data protection
in Cape Verde.
By putting into place a legal regime specifically aimed at regulating data protection
matters, the Cape Verdean legislator has taken the first steps towards a privacy-aware
legal regime. Such concern can equally be seen in the fact that more recent
steps have been taken to better define the powers of the Cape Verdean
Data Protection Agency (we refer in particular to Law No. 42/VIII/2013, of 17
September 2013).
The foregoing notwithstanding, it is important to underline that Cape Verde is
still rather new to data protection matters and citizens are not yet fully aware of the
full scope of their own sense of privacy. Although it is unarguable that Cape Verdean
citizens comprehend the basis of their own privacy rights, the authors believe that
the establishment and operation of the Cape Verdean Data Protection Agency will
have a significant impact in putting into place and promoting an adequate
awareness of data protection-related matters that will fully grasp the extent to which
data subject rights can be enforced and protected.
From the outset, we find three separate provisions regulating citizens’ personal data
as well as privacy in the Constitution (i.e. Constitutional Law No. 1/VII/2010). For
the purpose of clarity, we will address each of the referred to articles by itself,
following the order by which they are laid down in the Constitution, although this
order does not set any sort of hierarchy between such provisions.
The first rule that must be underlined in connection to our subject is set down in
Article 44. This Article establishes a general rule that aims at guaranteeing the pro-
tection (and maxime privacy) of all citizens’ correspondence and telecommunica-
tions. Notwithstanding, it is stated in Article 44 that whenever a valid judicial order
is in place, public authorities may be entitled to restrict the said principle thus gain-
ing access to private correspondence and telecommunications.
Unfortunately, the relevant provision provides very little additional guidance for
what exactly constitutes the above mentioned restriction. As such, due to the lack of
any case law or other type of precedent on this matter, it is not possible to clearly
draw a line in what exactly are the powers (and limits) that public authorities have
(and must respect) whenever this constitutional provision is enforced.
Immediately after Article 44, the Constitution encompasses a rather intricate provi-
sion (Article 45) regarding the rules on the use of information technology systems
and data protection.
As an initial comment on this matter, Article 45 (1) expressly grants citizens the
right to access, to correct and to update any data processed by information technol-
ogy means. Furthermore, citizens are entitled to know the purposes for which their
data is being processed, according to the law.
Article 45 also addresses the issue of what is usually known as sensitive data
(although not specifically using the expression “sensitive data”) by setting down a
general prohibition to use information technology means to process any data relat-
ing to a person’s philosophical, ideological or political convictions; political party
or union affiliation; religious faith or private life. The said prohibition is only over-
come if (i) the data subject’s consent is expressly obtained; (ii) there is a legal rule
specifically granting the said authorization to process, provided that non-
discrimination guarantees are in place; or (iii) the data is processed for statistical
purposes in a non-identifiable way.
Practically speaking, while including these requirements to process sensitive
data directly in the Constitution text, Cape Verde is taking an important (and very
singular) approach to data protection matters, placing it on the level of many other
countries with more mature and sophisticated privacy regimes.
Article 45 also creates additional limitations to protect Cape Verdean citizens.
Namely, except where provided by law, public entities are not entitled to access
any and all files, electronic records or data bases containing personal data. The said
prohibition is also applicable to the transfer of information from one service or
Habeas Data
To this point, we have been addressing more general provisions on the matter of
privacy. Nonetheless, Cape Verde has enacted, by means of Law No. 133/V/2001,
of 22 January 2001 (as recently amended by Law No. 41/VIII/2013) the legal frame-
work for data protection matters.
As previously stated, much like the European legal framework, Law 133/V/2001
(the “Data Protection Law”) covers all types of processing of personal data relating
to identified or identifiable natural persons (including their collection, registration,
storage, consultation, use or transmission to others) by entities established in Cape
Verde or that collect or transmit personal data through any means located in Cape
Verde.
In order to fully gather the limits and the scope of the law, there are several defi-
nitions laid down that must be emphasized. Firstly, personal data is defined as any
1
By way of example, the Angolan Constitution sets down the right of habeas data for its citizens
in Article 69.
2
The literal translation of habeas data being “we command you have the data”.
In order for the data processing to be lawful, the Cape Verdean legislator sets down
several principles by which any and all data controllers must abide. Namely, personal
data must be processed with respect to the principle of good faith.
Furthermore, the collection of data must be conducted for specified, explicit and
legitimate purposes, which set the limits that must be respected in any processing
operations.
That brings us to another principle which is that the data must be collected only
for relevant and non-excessive purposes. It is however hard to grasp what these limi-
tations exactly are as the Cape Verdean Data Protection Agency – although already
regulated – is yet to be established and operating. This topic will be addressed at a
later stage of this paper.
For the sake of completeness, principles such as the requirement that data be kept in a form which
permits identification of their subjects for no longer than is necessary for the
purposes for which they were collected or for which they are further processed must
also be duly noted as they show a particular concern of the legislator to ensure that
data is not overly (or unduly) used. This is also clear in the Data Protection Act
where it is provided that a data controller must implement technical and organizational
measures so as to ensure confidentiality and security of personal data processed.
Such obligations must also be contractually enforced by the data controller
on the data processor.
Law No. 42/VIII/2013, of 17 September 2013 sets down the powers, organization
and functioning of the Cape Verdean Data Protection Agency. Under this statute, the
persons leading the Agency should be three well-known personalities, appointed
for 6 years and elected by the National Assembly by a majority of three thirds of
the National Assembly members attending the election session. The majority
must however be higher than the absolute majority of the Members of the National
Assembly.
The Cape Verdean Data Protection Agency is empowered, among other things, to oversee
all data protection operations subject to the DPL and to create new guidelines
on matters that it deems relevant. The implementation of the said guidelines is specifically
aimed at overcoming any shortcomings or detailing any practical aspect that
the Data Protection Act did not anticipate at the time it was drafted. On a more
practical note and taking into account the wording of the Data Protection Act, it is
important to underline that guidelines will play a fundamental role in implementing
an adequate and current data protection legal framework.
Regulatory Compliance
The Data Protection Act sets down that international transfer of personal data is
only permitted insofar as the country to which personal data is transferred is considered
to have an adequate level of protection regarding personal data processing
matters.
While the matter of assessing a level of protection can be easy to solve in EU
countries, this matter is more difficult to solve in Cape Verde. A foreign country’s
Sanctions for Non-compliance
In order to ensure that the Data Protection Act would be duly complied with, the
Cape Verdean legislator sets down sanctions of various kinds for non-compliance
with the said statute.
Firstly, any party who has suffered pecuniary or non-pecuniary losses as a result
of any inappropriate use of personal data is entitled to bring a civil action against the
relevant data controller.
Moreover, in situations such as (i) a failure to notify or to obtain authorization
from the Data Protection Agency for data processing operations; (ii) the provision
of false information in administrative procedures; (iii) the misuse or unlawful
processing of data; or (iv) a failure by the data controller to comply with a request to stop
processing personal data, criminal sanctions may be put into place. In effect, the
said offences are punishable with a term of imprisonment of up to 2 years or a
fine.
Finally, the legislator also sets down several additional sanctions that can be
imposed in addition to either of the abovementioned situations, such as (i) the
temporary/permanent prohibition to process personal data; and (ii) public announcement
of a decision setting a sanction to a data controller.
In addition to the Data Protection Act, Law No. 134/V/2001, of 22 January 2001 is
another important part of the legislative framework that should be considered from
a data protection standpoint. This statute aims at regulating data processing
11.4 Comparative Influences and Interpretation of the Data
Protection Legislation
11.5 Conclusion
All things considered, it is clear that Cape Verde is increasingly attempting to estab-
lish a suitable data protection regime that is able to offer an adequate protection to
data subjects. It is also very likely that, once the Cape Verdean Data Protection
Agency is fully operational, the country will fall under the scope of “adequate level
of data protection” for the purposes of EU regulators and international data transfers.
This may be important for the development of certain industries in the country,
such as call centers. Still, until the regulator is fully operational, it is impossible
for one to completely and unquestionably evaluate how privacy-related matters will
evolve in the future.
Chapter 12
Protection of Personal Data in Senegal
Patricia Boshe
Abstract Personal data has always been at risk of loss, damage, theft, fraud, unauthorized
access and unauthorized dissemination, all of which threaten personal privacy.
However, with increased technological innovation and the use of ICTs, data
becomes even more vulnerable as it involves automatic processing of data.
Furthermore, technology allows storage of high volumes of data and increases the possibilities
of interception, data matching, sharing, mining, and profiling. With the introduction
of eTransactions, personal data can allow unscrupulous individuals to steal personal identities
or use traffic data or cookies as personal footprints to track and mine personal data
(such as credit card details) and use it fraudulently for personal gain. In 2008 Senegal
enacted several laws regulating and securing individual activities online and punishing
cyber-criminals. This chapter looks at one of the laws enacted in 2008, the Data
Protection Law. The chapter canvasses the regulatory framework established by this
law and, through textual analysis of the law, determines the contextual sufficiency of
this law in the protection of personal data and privacy. The analysis also focuses
on the social-political context of Senegal. This is because, for any law to be successfully
implemented, the social-political environment must favor its application.
12.1 Introduction
P. Boshe (*)
Faculty of Law, Passau University, Passau, Germany
e-mail: boshe01@uni-passau.de
1958.1 In the late 1990s, with increased power outrage and protests for social jus-
tice, Senegal was labelled an autocratic government within Africa and at interna-
tional level.2
The Constitution of Senegal contains provisions that protect and guarantee fun-
damental rights and individual freedoms. However, in practice, the state of human
rights is affected by the Muslim brotherhood and their religious leaders; the
Marabouts. The Marabouts exert authority in legitimizing government in power.
The Marabouts act as intermediaries on policies and government actions and mobi-
lize electorate activities hence possess considerable influence on the government.
They are, in turn an essential portion of social and political stability in Senegal.
Pitifully, the interests of the Marabouts are not always and not necessarily in har-
mony with human rights standards or advocates for human rights.3
In 2001 Senegal introduced a new Constitution retaining the semi-parliamentary
system (with dual executive: head of state and the head of government) although the
president is, borrowing Abdon Khadre’s words, ‘the first and the last resort of all the
institutions. He is the unquestionable head of the executive and he supplants all the
other powers. The President controls all the institutions and even independent
administrative bodies.....the president outweighs all the institutions. He dominates
the legislature, overshadows the judiciary, and does not spare any sector of the
nation’s life’.4 The author’s conclusions are based on the powers of the president as
provided by the Constitution under articles 38, 42–52.
The 2001 Constitution made changes to the judicial system; it removed the
Supreme Court and introduced, in its place, the Supreme Court of Appeal, the
Council of States, the Constitutional Council and the Accountability Court; the sys-
tem which resembles the French system. Of more relevance in the present context is
the Constitutional Council. The Constitutional Council was created as an instru-
ment for the protection of citizens’ rights and freedom. The Constitutional Council
is argued to have been created in order to re-adjust the country’s situation to meet
international obligations and democratization of Senegal (among other things).5
On the right to privacy, Articles 13 and 16 of the Constitution provide for the
right to privacy; both physical and information privacy. The two articles are the
foundation of the 2008 Data Protection Law.6 With this overview, the chapter con-
siders the surveillance context in Senegal, and how the legal framework established
by the 2008 law addresses the emerging concerns brought by technology to the
security of personal data and personal privacy. In doing so, the chapter provides
an overview of the regulatory framework established under the 2008 Data Protection
Law for the protection of personal data and personal privacy.
1
See Villalón, L.A., p. 33.
2
Adjolohoun, H.S.
3
Schoepffer, K.
4
Diagne, K. A.
5
Baldé 2010.
6
Act No. 2008–12.
7
Corbion, A.P.
8
See Bakibinga, E., pp. 2–3; Bygrave 2004, pp. 319–348; Bygrave 2010, pp.165–200; Gutwirth
2002, p. 24 and Makulilo 2012, p. 9.
9
In decision 2006–001 ART/DG/DRJ/DT/D.Rég of 5th December 2006.
10
David 2007 cited in Donovan and Martin 2014, p. 21.
11
Le Pays of September 2011, Le Pays of November 2011.
12
Le Pays of November 2011.
13
BizTech.
14
Law 2011–01 of 24 February 2011.
15
Section 2 of the Telecommunications Code.
16
Diop 2014, pp. 214–216.
17
In acknowledging the scope of video surveillance, the Data Protection Commissioner was neces-
sitated to issue regulation on video surveillance on the 8th January 2016. Deliberation N°2015-
00186/CDP du 8 Janvier 2016 de la Commission de Protection des Donnees Personnelles Portant
sur les Conditions de Mise en Place d’un Systeme de Videosurveillance.
tapping in the gist of public security. A report says, in 2004 the Directorate of State
Security acquired highly sophisticated and effective equipment for wiretapping. It is
not known whether the equipment is in use; although Sentel, the telecommunication
operator in Senegal when approached, refused to install the tapping device to its
networks.18 In 2011, the US Department of State reported that communication surveillance
by the government in Senegal is a normal practice.19 Surveillance is also a
common practice in restaurants, hotels, night clubs, shops as well as the walls in
residential areas. Surveillance activities as reported by GISWatch give no attention
to right of privacy or the need to alert the public that they are being watched. To the
contrary, they report, ‘secrecy is at the core of surveillance… this is why it is a direct
threat to our fundamental rights’.20
Massive amounts of unconsented21 data are collected at the airport. This is done through the filling
in of mandatory cards by passengers. The cards require personal travel information
such as name, age, sex, reason for the visit, arrival and exit dates, residence and
flight information. This information is thereafter shared with the police. Biometric
information is also taken from the passengers. This information in electronic form
is collected by a private security company in charge of airport security and surveillance.
Again, passengers are not informed of the use of the submitted information, its
custodian and the transfers involved, and have neither access to nor the right to rectify their
data once submitted.22 Senegal has, in the last 5 years, witnessed increased introduction
and use of electronic IDs (Biometric ID cards, visa cards) and digital records
(digital electoral lists) it once submitted.23
The 2015 Commission Quarterly opinion24 acknowledged the increased reporting
of processing activities, which include CCTV systems, badges, personal databases,
customers, patients, input and output registers. The Opinion also states that the
Commissioner received a lot of privacy violation complaints, including violation of
the secrecy of private communications in the workplace, online photograph publication
without data subjects’ consent, and direct marketing without compliance with the
legal requirements.
18
Ecoutes telephoniques: Le nouveau materiel des Renseignements generaux boude a Sentel,
available at www.orisis.sn/Ecoutes-telephoniques-Le nouveau.html accessed on 12/11/2015.
19
Privacy International and Jonction 2013, p. 13.
20
GISWatch 2015, p. 13.
21
The meaning of consent is attributed to the meaning provided by the EU Directive on data protec-
tion which is a freely given specific and informed indication of data subject’s approval for his/her
data to be processed for a certain purpose. Article 2(h) of the Directive.
22
See report by The Privacy International, supra note 19.
23
Ibid.
24
La Commission de Protection des Données Personnelles, Avis trimestriel N°03-2015.
Senegal has had only two Constitutions (with several amendments) since its inde-
pendence in 1960. The independent Constitution had under article 10 and 13 the
right to privacy as: Article 10,
Le secret de la correspondance, des communications postales télégraphiques et télépho-
niques est inviolable. Il ne peut être ordonné de restriction à cette inviolabilité qu’en appli-
cation de la loi.
Translated as: The secrecy of correspondence [and] of postal, telegraphic, telephonic and
electronic communications[,] is inviolable. Restriction of this inviolability, may only be
ordered in application of the law.
In 2001 the new Constitution maintained the right to privacy as in the 1963
Constitution word for word. The only change is that the right to privacy is now provided
under articles 13 and 16 instead of 10 and 13 respectively. The right to privacy
in the Senegalese Constitution (along with other rights and freedoms in the Constitution)
is argued to have been highly influenced by the French Civil Rights Code of 1883.25
The right to privacy, as provided in the Constitution, also reflects other international
Covenants and Conventions to which Senegal has acceded, including articles 12 and 17
of the Universal Declaration of Human Rights and the Convention on Civil and
Political Rights respectively.
It is prudent to note here that, in Senegal, international law takes precedence over
domestic law. Hence with respect to the right to privacy, Senegal would resort to
provisions in the international Covenants and/or Conventions she has acceded to
25
Getz 2004.
and approved in case they are in conflict with domestic laws. This is according to
article 98 of the Constitution which states:
Les traités ou accords régulièrement ratifiés ou approuvés ont, dès leur publication, une
autorité supérieure à celle des lois, sous réserve, pour chaque accord ou traité, de son
application par l’autre partie.
Translated as: Treaties or agreements duly ratified or approved shall, upon publication, have an
authority superior to that of laws, subject, for each agreement or treaty, to its application
by the other party.
Senegal enacted a comprehensive data protection law in 2008. The main aim of the
law is to stop breaches of privacy that may be occasioned through the collection, processing,
transmission and use of personal data. The law stipulates that the essence of this law
is to ensure that the processing of personal data and ICT do not affect fundamental rights
and freedoms of natural persons, including the right to private life. Its overall object
is the promotion of the fundamental right to privacy in light of the principles of proportionality.27
This law applies to processing of data in both the public and private sectors but
applies only to personal data of natural persons, whether processed by automated
means or by manual means.28
26
Kanté 2005, p.157 in Madior 2009, p.79.
27
Section 1.
28
Section 2.
Scope of Application
Section 2 (4) of the law states that this law is applicable whenever any processing of
personal data is done by a controller, whether or not established in Senegal, as long as
the means of processing is located in the territory. It also applies to any place where
Senegalese law applies. The law does not apply to the processing of data by means located
in Senegal if the processing is solely for the purpose of mere transit. However, in this
case the law requires the controller to designate a representative established in
Senegal.
The law sets out conditions for determining the circumstances in which personal data may
be lawfully processed. It divides personal data processing into two categories:
the processing of personal data in general (common categories of data) and the
processing of sensitive data. The conditions provided for general processing of personal
data are the same as the ones found in international data protection codes such
as the OECD, Convention 108 and the EU Directive. Over and above these known conditions,
the law also puts an obligation upon data controllers to report and seek the
Commissioner’s authorization before any processing activity can take place. The
Commissioner’s approval signifies that the processing satisfies the legal
requirements.29 However, to simplify processing activities, section 19 allows the
Commissioner to issue Regulations on standards of processing that exempt controllers
from the reporting obligation, but only for the general processing of personal data which
is not likely to invade personal privacy.
Section 34 of the law states that the conditions for lawful processing set forth
are to ensure that processing is done lawfully, fairly and not fraudulently. Although the
law contains the eight conventional conditions for processing, it emphasizes the
requirement of the data subject’s consent as a condition to legalize processing activities.
Consent is therefore the central condition for the processing of personal data.30 Consent,
as a legal requirement, can only be waived if the processing is for the purpose of
complying with a legal obligation to which the controller is subject; or when it is
necessary for the public interest; or for the execution of a contract or pre-contractual
measures to which the data subject is a party; or for the protection of the data subject’s
fundamental rights and freedoms.
The other conditions include purpose specification and limitation (sect. 35),
which requires the processing of personal data to be compatible with the purpose for
which it was collected. The condition also requires that data should not be kept for
a period longer than necessary for the purpose for which it was collected. Section 36
provides for data accuracy/quality, whereby data controllers are to ensure that processed
data is accurate and, where necessary, kept up to date. To adhere to this condition
29 Section 18.
30 Section 33.
12 Protection of Personal Data in Senegal 267
the data controller must also take all necessary measures to ensure that data which is
inaccurate or incomplete with regard to the purpose of collection is erased. This condition
is complemented by another condition which allows for the data subject’s participation
in the process to ensure the integrity of his/her data.31 Section 37 provides for
data transparency, whereby the data subject of an intended process should be allowed
access to his/her data. Upon access, the data subject has a right to request amendment,
deletion or update, and even to stop the processing activities on legitimate grounds.
At the same time, the data controller has an obligation to ensure the safety of
personal data. The law sets conditions for security safeguards and confidentiality. The
two conditions are to ensure that personal data is protected by reasonable security
safeguards against loss, destruction, unauthorized access and use, modification or
disclosure. In the same vein, the controller is bound by the rules of confidentiality. The
law insists that data controllers should be more prudent about the confidentiality of
personal data when the processing involves networks.32
In the category of sensitive data,33 the law sets, as a general rule, a prohibition on
the processing of sensitive data.34 Sensitive data can only be processed if such data is
public data, or if there is written consent from the data subject to the processing, or to
safeguard the vital interest of the data subject or of another person if the person concerned
is unable, physically or legally, to give consent, or if processing is necessary for
public interest and rights to justice. Other instances are when processing is necessary
in the performance of a contract or pre-contractual measures to which the data subject
is a party, or necessary for compliance with a legal obligation to which the data controller
is subject, or carried out in the context of a legitimate business, organization or
non-profit organization of which the data subject is a member. The law provides for
additional conditions on personal data relating to criminal conviction and national
security measures. For such data, processing can only be done by a Court, Public
authorities, or Corporations acting within their legal powers; and by judicial officers
strictly for activities entrusted to them by law.
Commissioner Authorization
Over and above the general conditions on the processing of personal data, personal
health data requires the Commissioner’s authorization before it is processed. In addition,
such data can only be processed if/when the data subject has given consent or when
31 Section 62, 64, and 69.
32 Section 38 and 70.
33 For purpose of this law, sensitive data is defined under section 4 to include any personal data
concerning opinions or religious activities, philosophical, political, union, sexual life or racial, to
health, to social measures, prosecution, criminal or administrative sanctions; and Data on the
personal health including any information relating to the physical and mental state of a data subject as
well as any data concerning the hereditary characteristics of an individual or group of related
individuals.
34 Section 40.
such data has been made public by the data subject, or when it is necessary to protect
the vital interest of the data subject, or for activities sanctioned by law. Furthermore, any
processing of data concerning personal health must be done under the supervision of a
health care professional who is subject to professional secrecy. Additionally,
access to medical records can only be given to the patient himself or to a designated
physician. If the patient is dead, access can be granted to his non-separated
spouse, children, and parents.
Genetic and biometric data, data on health research, data on personal identity
numbers or other general identifiers, historical, statistical, and scientific data, and
data of notable public interest also require the Commissioner’s authorization to
process.35 In the above-mentioned categories of data, a data controller is obliged to seek
the Commissioner’s authorization, giving detailed information on his identity and
location (address) as well as the purpose of processing, the interconnection and linking of
data involved, the recipient(s) and the security measures taken against potential privacy
breaches.36 In cases where the controller is not established in Senegal, the Commissioner
requires information on a duly authorized representative in Senegal. The data
controller must also inform the Commissioner if there are sub-contracts involved in the
process and of the shelf life of the processed data.
In all processing activities that need Commissioner’s authorization, the law tasks
the Commissioner to issue the authorization within 2 months of application. If
authorization is not issued within 2 months, the concerned data controller is allowed
to proceed with the processing activities as the authorization is deemed favorable
upon expiration of 2 months if no communication against the application is made by
the Commissioner.
Interconnection of files is allowed when it involves data controllers who are running
public services in the public interest, or when implemented by the State to support the
administration of remote services within a framework of e-government.37 On the
other hand, interconnection of databases may only be implemented to achieve statutory
objectives or the legitimate interests of data controllers. In this case, a warrant to
process will only be granted if the processing cannot lead to discrimination or to
infringement of the rights, freedoms and safeguards of the data subjects concerned. However,
the interconnection must take into account the principles of data relevance.38
Before interconnection is made, an application must be lodged with the Commissioner
prior to the processing. The application must provide information on the nature of the
interconnection; illustrate the purpose of the interconnection which makes it necessary;
the duration of the interconnection and the measures taken to ensure protection and
35 Section 20.
36 Section 22.
37 Section 53.
38 Section 54.
39 Section 55.
40 Section 16.
41 Section 5 and 16.
42 Section 19, 26 and 32.
43 Section 16 (8).
also to conduct audits and maintain a register on data processing activities including
publishing of authorizations granted.
Exempted Activities
Certain activities are exempted from the application of this law. These include the
processing of personal data solely for personal and household activities,
as long as such processing is not intended for systematic communication or
dissemination to third parties or for broadcasting. The law does not apply to personal
data in temporary copies made for technical activities in the transmission or provision
of access to a digital network to allow the data subject access to quality services. The law
also does not apply to processing for the sole purpose of record keeping in a register
sanctioned by laws or Regulations, or to data processed by charitable non-profit
organizations and religious, philosophical, political or trade union organizations relating
to a member and for the purposes of the organization, as long as the data is not disclosed
to a third party.
Furthermore, journalistic, research, artistic and literary expressions are also
exempted from the application of this law. However, in this respect, the exemption
applies only when such activities are conducted as professional activities in compliance
with professional rules and codes of ethics.44 Although these activities are
exempted by this law, the law is clear that it does not preclude the application of
provisions of other laws relating to the press, broadcasting or the penal code which provide
for codes of conduct or penalize offences against privacy and individual
reputation.45
Automatic processing is prohibited when such processing deals with decision making
bearing legal effect on a person. If the processing evaluates personality or certain
aspects of personality, or defines a person’s profile, such evaluation is not to be used
to make decisions regarding a person, either in a court of law or in any institution,
public or private.46 However, when processing is done by the State in accordance
with the laws and regulations, the processing can take place with the approval of the
Commissioner.47 The law names the types of activities for which automated processing
is allowed with the Commissioner’s approval to include matters of national security,
defense and matters relating to criminal investigation, detention, and execution of
criminal sentences. Others are matters of wages, pensions, taxes and other
liquidations.
44 Section 45.
45 Section 46.
46 Section 48.
47 Section 21.
The law prohibits a data controller from carrying out direct marketing by any
means or form of communication unless the data subject has given prior consent to
receiving such promotions and advertisements.48
Transfer of personal data to a third country is allowed only when the third country
provides sufficient legal protection of the privacy, freedoms and fundamental rights of
individuals with regard to the processing of personal data.49 In implementing this provision,
the law considers any country which is not Senegal to be a third country,50 including the
countries within ECOWAS, of which Senegal is a member. In exceptional circumstances,
trans-border transfer can be made if the Commissioner is notified of the
third country. This can happen when the data controller requests such a transfer of
personal data.51 The law explains that the notification requirement is to allow the
Commissioner to be satisfied with the sufficiency of the security measures provided for
personal data by the third country before s/he can issue authorization for the processing.
The assessment by the Commission of the sufficiency of security in a third country
focuses on the required security measures provided by Senegalese law, the nature of
the data, the purpose(s) of processing, and the duration, origin and destination of the
personal data subject to the processing activities.
Transfer of personal data by way of exemption is also possible when the data subject has
expressly consented to the transfer, or for the protection of the data subject’s life, to
safeguard the public interest, in the exercise or defense of a legal claim, and in the
execution of a contract between the data controller and the data subject.52
Rights and Duties
Data controllers are accountable for adherence to and enforcement of the data protection
principles. A data controller is accountable for the integrity of personal data and for the
strict rules of confidentiality on it. This duty extends to third parties processing personal
data for or on behalf of the data controller and to whoever has knowledge of the processing
of such personal data. On the other hand, data subjects have the right to access the
information held about them. This right gives data subjects a further right to inspect the
data and (if desired) request correction or amendment of inaccurate, misleading, outdated or
false data and erasure of irrelevant data. Data subjects have the right to know the
identity of the data controller and any third party to whom data may be transferred
48 Section 47.
49 Section 49.
50 Section 4 (12).
51 Section 52.
52 Section 50.
to. Data subjects may also object to the processing of their personal data altogether on
legitimate grounds.53
The law explains that data subjects’ rights extend to the users of electronic networks
when the controller’s access to personal data is by way of transmission. It does
not matter whether the personal data is stored in the terminal connection equipment or in a
register of the same terminal connection equipment. An exception to this duty is made
when access to personal data stored in the user’s terminal equipment is for the sole
purpose of allowing or facilitating electronic communications, or when access is necessary
for the provision of communication at the express request of the user.
The data controller is further required to provide the electronic communication user
with a means of opposing/refusing access if one wishes to do so. Section 58 imposes
a duty on data controllers to inform data subjects of their rights relating to their data,
during or soon after the collection.54 Data subjects’ rights do not, as per section 60,
extend to personal data used on behalf of the State in the interest of State security and
defense, and for purposes of prevention, investigation, detention, prosecution and
execution of criminal sentences/convictions.55
Whenever there is a violation of this law, a complaint can be lodged directly with
the Commission. However, according to section 25 of the Data Protection Law, the
Commissioner’s power to resolve disputes is subject to prior notification to the
prosecutor.56 Upon such notification the Commissioner can enter premises, search for
and seize documents (evidence), summon evidence, and access computer programmes
and/or databases. Investigations under the Data Protection Law are conducted
according to the provisions of the Code of Criminal Procedure. In doing so, the
Commissioner is allowed to hire an expert to assist with the investigation.57
In executing his/her powers to resolve disputes under this law, the Commissioner
can issue a warning to controllers in breach or issue a formal notice to stop the breach
within a specified period.58 Where the controller in breach fails or refuses to
abide by the warning or formal notice, the Commissioner can conduct adversarial
proceedings and issue sanctions, to wit, temporary withdrawal of authorization for
53 Section 58, 62, 68 and 69.
54 Section 61 – Law no. 2008–2012 on Protection of Personal Data.
55 Section 60 – Law no. 2008–2012 on Protection of Personal Data. In this respect an inquiry by
inquiry committee must be made to satisfy data subject of whether or not such data falls within this
category before access is denied.
56 Law no. 2008–2012 on Protection of Personal Data.
57 Section 27.
58 Section 29.
12.4 Conclusion
The chapter began with a caution that human rights implementation in Senegal may
be affected by the Marabouts. Indeed, the constitutional right to privacy may have
been so affected; however, the overall political stance and evolution in Senegal, plus
the judicial architecture, play a big role in the implementation of human rights.
Up to 2013, there was no judicial decision on the right to privacy from the
Constitutional Council. On the contrary, the CC had a flood of decisions and cases on
electoral rights. The 2008 legal reforms, which led to the enactment of the Data
Protection Law (among other ICT-related legislation), put Senegal among the few
African countries dedicated to protecting and preserving individual privacy and personal
data. Although the implementation of the 2008 data protection legislation started in
2014, it can be confidently asserted that Senegal is one of the few African countries
that have a firm regime that implements the data protection law head-on. The
Senegalese Commission has an informative website, with relevant information for
the protection of personal data. It contains information about the Commissioner’s
activities (including quarterly reports and sensitization programmes), documents
clarifying citizens’ rights and procedures, and online forms to lodge complaints. The
Commissioner is transparent; for instance, the activities of the Commissioner are
routinely posted on the website as they occur, as are the quarterly reports. One can
also find breach notifications on the website and decisions made against violators
of the law. Through the website, the Commissioner informs the public about awareness
programs and has an educational platform where rights and duties are explained
in a language understood by the majority of citizens, French.
59 Article 30 (1).
60 Article 30 (2).
61 Article 31.
62 Article 32.
The content of the law takes into account the basic principles found in international
codes. The law has only 28 pages but provides substantially the necessary safeguards
and conditions for the protection and preservation of personal data and privacy.
The law comes with its implementing Regulation No. 12 of 2008, which provides
further guidance and procedural mechanisms for the Commissioner to properly
implement the Law. Furthermore, article 19 of the Constitution designates the
judiciary as the guardian of the rights and freedoms set out in the Constitution and in the
legislation.
References
Online Materials
Adjolohoun, H.S., ‘Visiting the Senegalese Legal System and Legal Research: A Human Rights
Perspective’, Published online March/April 2009; available at
http://www.nyulawglobal.org/globalex/SENEGAL.htm accessed on 09.11.2015.
Bakibinga, E.M., ‘Managing Electronic Privacy in the Telecommunications Sub-sector: The
Uganda Perspective’, Africa Electronic Privacy and Public Voice Symposium 2004, available
at http://thepublicvoice.org/events/capetown04/bakibinga.doc accessed on 20.05.2014.
Baldé, V. S., ‘Juge et Constitutionnel Démocratique Transition: Etude de cas en Afrique
Subsaharienne Francophone’, 2010; available at
www.juridicas.unam.mx/wccl/ponencias/16/279.pdf accessed on 20.08.2014.
BizTech Africa, ‘Senegal moves to protect citizens’ personal data’ by Issa Sikiti da Silva, available
at http://www.biztechafrica.com/article/senegal-moves-protect-citizens-personal-data/9049/#.VnBGkfl97IU
accessed on 20.11.2015.
Case Law
Alex B. Makulilo
Abstract This chapter offers an overview of the data privacy discourse in the
Indian Ocean islands of Mauritius, Seychelles and Madagascar. Motivated by the
need to attract foreign investment, the three islands adopted comprehensive data
protection laws based on the European model of governance. First and foremost, the
context of privacy in these islands is laid down. The chapter then proceeds to discuss
privacy attitudes and frameworks of privacy regulation. Enforcement against data privacy
breaches is also dealt with, especially in Mauritius, where the data protection authority
is established and has been operational for many years, unlike Seychelles,
whose data privacy law is not yet in force since it was adopted in 2003, and
Madagascar, whose data privacy legislation only came into force in July 2015.
13.1 Mauritius
The Republic of Mauritius consists of the island of Mauritius and three other smaller
islands: Rodrigues, Cargados Carajos and Agalega. Mauritius lies east of
Madagascar (an island to the south-east of Africa), in the Indian Ocean. It occupies
a total area of 2040 sq km. As at 1 July 2015, the population of Mauritius stood at
1,262,879. This population consists of descendants of original immigrants from
India, Europe, Madagascar, Africa and China.
Mauritius attained her political independence from the British on 12 March
1968. Yet she continued to be under Her Majesty the Queen of England as head of
State until 12 March 1992, when she became a Republic. Historically the island has
been subject to a number of colonization attempts by Arabs, Portuguese and Dutch.
However, it was actually the French and British who colonised Mauritius and whose
legacy is more pronounced. Although French activities in Mauritius commenced
in 1715, it was not until 1767 that French governance started. French
domination in Mauritius ended in 1810 following their defeat by the British in the
Napoleonic War. The British took control of Mauritius until 1968.
Politically, Mauritius is a multi-party system and constitutional parliamentary
democracy. The president is the head of state while the prime minister is the head of
government. The Constitution is the supreme law in Mauritius and if any other law
is inconsistent with it, that law is void to the extent of the inconsistency.1 Mauritius is
the only African country which is characterised as a full democracy, equating it with
most developed countries in Europe.2
The Mauritian legal system is influenced by the British adversarial system of
litigation and precedent. The Constitution establishes the Supreme Court of Mauritius
at the top of the judicial hierarchy and vests it with unlimited jurisdiction in both
criminal and civil matters.3 However, under Art 81 of the Constitution of Mauritius
all appeals from the Supreme Court lie to the Privy Council in Great Britain.
Below the Supreme Court there are subordinate courts: the District Courts,
Intermediate and Industrial Courts. These are vested with limited jurisdiction in
criminal and civil matters. It is also important to note that the influence of French
law, particularly the Civil Code, is also present in the Mauritian legal system. This
gives Mauritius a hybrid legal system with the influence of both British
and French law. In general terms, Mauritian private law is based on the French
Code Civil while public and commercial law are based on English law.
The Mauritian economy has undergone remarkable transformations since
independence. It is now characterised as an upper-middle economy.4 From 2000
Mauritius began to invest in information and communication technologies
(ICTs). Today ICT is the third pillar of the Mauritian economy after tourism and the
financial sector.5 To ensure that the ICT sector grows rapidly and produces the desired
results, the Mauritian legislature passed the Information and Communication
Technologies Act 2001. Similarly, in 2007 Mauritius adopted its first National
Information and Communications Technology (ICT) Policy 2007.
1 The Constitution of Mauritius 1968, Art 2.
2 See e.g. The Economist Intelligence Unit’s Index of Democracy 2011.
3 The Constitution of Mauritius 1968, Art 76.
4 Metz (ed.) 1994.
5 Krishna et al. 2012, pp.161–168.
13 Data Protection of the Indian Ocean Islands: Mauritius, Seychelles, Madagascar 279
A study conducted in the context of the adoption of Internet banking in the island
indicated that although banks have security arrangements such as network and data
access controls, user authentication, transaction verification, virus protection, privacy
policies and detection of possible intrusions (which include penetration testing
and intrusion detection), customers still raised concerns about possible risks from Internet
banking.6 Another study which has privacy relevance in Mauritius was carried out
in the context of e-governance. The project title is ‘Are Mauritians ready for
e-Government Services?’7 This study found that Mauritians have low trust in terms
of privacy, data protection, information security and cybercrime. According to the
project researcher, the low rate of trust Mauritians have in ICT should consequently
inspire policymakers to show their firm commitment to investigating e-justice and
cyber-crime issues.8
A less obvious yet relevant study, as far as social attitudes to privacy in Mauritius
are concerned, was conducted in the context of the use of public Internet kiosks in
Mauritius.9 The study sought to investigate the determinants affecting individuals’
intention and behaviour to use public Internet kiosks. The study concluded that
subjective norm significantly affects individuals’ intention to use ICT. This subjective
normativity is attributable to the fact that Mauritian culture is largely collective.
Partly this explains why the E-Register System has not raised privacy concerns. The
E-Register System is a system whereby alerts via automatically generated SMS are
sent to a parent’s mobile phone if his child is absent from or late at school.10 The system
has been introduced in order to curb unjustified absenteeism of students in Mauritian
public and private secondary schools, which is becoming a major problem. The
E-Register System also provides a database of the details of schools, students and
parents. Despite the massive collection of personal information in computerised
databases, there have been no public concerns over privacy as a result of the introduction
of the E-Register System. Yet cultural factors, particularly strong family ties, have
sometimes been regarded as having little or no influence in determining Mauritians’
privacy concerns. At least in Mauritius such claims have been considered as ‘outdated
concerns’ as risks posed by modern technologies are no longer confined to a
particular society.11 Nevertheless, there are still problems in absorbing the culture of
data protection.
Similarly the debate over the adoption of the Mauritian DNA Identification Act
presents yet another context of concern for privacy in Mauritius.12 The debate rested
on both privacy and ethical issues. First, the adoption of the Act resulted in heated
debate between the government and the opposition party over retention of DNA
6 Khan and Emmambokus 2011, pp.53–58, at p.56.
7 Shalini 2009, pp.536–539.
8 Ibid, p.537.
9 Pee et al. 2010, pp.15–38.
10 Speech of Honourable Tassarajen Pillay Chedumbrum, 9th February 2011.
11 Author’s interview with Mrs. Drudeisha Madhub, Mauritian Data Protection Commissioner, on
4/07/2011.
12 See e.g. Maurer 2010, pp.53–62, at p.55.
280 A.B. Makulilo
samples once the case is over. Second, the debate raged over who should carry out
analyses of DNA samples. Was this to be done by private, independent or
government laboratories? The government argued that DNA samples should be
collected and kept for future crime cases, as is the case in Denmark or in Great
Britain. On the other hand, the opposition argued that collecting and keeping
DNA samples might transform the society from an innocent one into a society of
convicts.
There is also fear, particularly among politicians, of interception of private
communication (i.e. telephone tapping). This fear is well demonstrated by the Mauritius
parliamentary debates of 13 April 2004.13 Some questions were
central to the debates: whether telephone tapping was resorted to in Mauritius and, if
so, how many persons’ telephones had been tapped; and, importantly, whether
tapping included politicians, parliamentarians or non-parliamentarians, journalists
and representatives of religion.
A similar source of fear came from the use of anonymity within the current sale
of pre-paid SIM cards in Mauritius. This fear transpired in the course of the
parliamentary debates of 27 April 2004.14 During these debates important questions were
discussed about the existence of any control on the use of SMS and the measures taken or
proposed to be taken to ensure that there was no abusive use of such SMS.
It is also important to point out that social attitudes to privacy in Mauritius are
also affected by a lack of awareness of risks to privacy among data controllers and
members of the public. This is partly due to the fact that there was little or no public
consultation on the Data Protection Act 2004 during its legislative process. The
European Union consultant who evaluated the Mauritian data protection system in
view of EU accreditation noted that ‘there does not seem to be wide awareness of
the importance of Data Protection and Privacy in Mauritius, either among the public
or private sector, or even within the Prime Minister’s Office (PMO) itself. Only a
few entities, mainly those involved in the ICT and Business Offshoring sectors have
an appreciation of the functions and responsibilities. Most other persons and entities
seem to see the DPO as a registration rather than regulatory authority.’15 Similarly,
the efforts of the Commissioner to educate data controllers and members of the
public are not yet fully realised. In the first annual report to the Parliament the
Commissioner noted ‘continued lack of awareness amongst data controllers and
data processors of their data protection obligations’ and ‘continued lack of awareness
on the part of the members of the general public (who, as a result, give away
their personal information too easily, do not ask why personal information is needed
or fail to ‘tick the box’ to say they do not want to be contacted)’ as among the nine
threats to data protection in Mauritius.16
13 Mauritius National Assembly, Debate No. 5 of 2004.
14 Mauritius National Assembly, Debate No. 7 of 2004.
15 Mauritius Confidential report, 2011, pp. 3 & 75.
16 Mauritius Data Protection Office, 2009–2010, p.42.
This part outlines privacy protections under aspects of Mauritian law of general
application: constitutional and treaty protections; sectoral laws as well as civil law.
It also considers the comprehensive data protection legislation and its
enforcement.
Constitutional Protections
International Obligations
The Information and Communication Technologies Act 2001. This is one of the
most important pieces of legislation regulating the protection of personal data prior
to the enactment of the comprehensive data protection legislation. This Act incorporated
the regime of data protection law in section 33 and the Fourth Schedule. The
latter detailed the data protection principles, somewhat similar to the First Schedule
of the Data Protection Act 2004. However, the entire regime of data protection in the
ICT Act 2001 was repealed under section 64(2) of the Data Protection Act 2004.
Currently the ICT Act regulates matters of interception of communication under
section 32(3), based on limited provisions on confidentiality.
The Code Civil Mauricien. The Code is based on the French Civil Code. The latter
was extended to Mauritius under the title Code Napoléon by decree of Decaen,
Capitaine-General, on 21 April 1808. The Code Napoléon underwent substantial
reforms, mainly in the field of family law and the law of persons, during British
rule in the island and in the 1970s and 80s after independence. The interaction between
the two systems makes the civil and common law systems in Mauritius complementary.
Thus protection of confidentiality and privacy is less prominent in the Code.
Nonetheless, article 22 of the Civil Code states that everyone has the right to respect
for his private life. Apart from compensation for damage suffered and seizure,
courts may make any other order to prevent or stop an invasion of privacy.
The Prevention of Terrorism Act 2002. Section 25 of this Act gives exorbitant powers
to the responsible minister to give directions to communication service providers
to tape any correspondence between people and organisations. However, the
Act does not provide safeguards against abuse of such powers.
The Data Protection Act 2004 (DPA) is the principal data privacy legislation in
Mauritius. The Act was passed by the Mauritian Parliament on 1 June 2004. It was
immediately assented to by Sir Anerood Jugnauth, the President of Mauritius on 17
June 2004. However the Act was proclaimed in three phases. The first proclamation
related to the following sections: 1; 2; 4; 5(b),(c),(e),(g),(h),(i),(j); and 6. These
provisions were brought into force on 27 December 2004 through Proclamation No. 45
of 2004. These sections are about the short title of the Act, interpretation, and
establishment of the data protection office. Through Proclamation No. 45 of 2004
Mauritius became the earliest African country to establish the office of the Data
Protection Commissioner and make it operational. The second set of proclamation
was made through Proclamation No. 5 of 2009. The latter brought the rest of the
provisions of the Act in force as from 16 February 2009. However the proclamation
did not concern the Commissioner’s powers of entry and search under section 17 of
the Act.
Until now the DPA has been amended twice. The first amendment was passed on
15 April 2009 through section 2 of the Additional Stimulus Package (Miscellaneous
Provisions) Act 2009. This provision, among others, amended section 17 of the
Data Protection Act 2004 on Commissioner’s powers of entry and search. The same
section repealed the contentious section 21 of the Data Protection Act 2004 on the
Prime Minister’s powers to give the Data Protection Commissioner direction in the
discharge of his duties. The Stimulus Package Act was assented to on 16 April 2009
and proclaimed on 22 May 2009 through Proclamation No. 11 of 2009. Accordingly
section 17 of the DPA is currently in force, making the third and final phase of
proclamation of the Act.
The second amendment of the Data Protection Act was passed on 22 July 2009
through section 10 of the Finance (Miscellaneous Provisions) Act 2009. This Act
was assented to on 30 July 2009. However, while section 49 of the Finance
(Miscellaneous Provisions) Act declared different commencement dates for various
provisions, it did not do so with respect to section 10, which amends various
provisions of the Data Protection Act 2004.
The Data Protection Act’s amendments were necessitated by various reasons. They
were to meet the need for Mauritius to be potentially recognised by the European
Union as a third country with an adequate level of protection and thus attract more
investment, mainly in the ITES/BPO (i.e. Information Technology Enabled Service/
Business Process Outsourcing) sectors of the Mauritian economy.
Scope and Application
The Data Protection Act applies to both automatic and manual processing of personal
data held by public and private bodies.17 Territorially, the DPA has a broad scope. It
applies to a data controller who is established in Mauritius and processes personal
data in the context of that establishment.18 If a controller is not established in
Mauritius but uses equipment in the Island for processing data, such a controller is
subject to the application of the DPA.19 In that case he or she has an obligation to
nominate a representative who resides in Mauritius to carry out his or her data
processing activities through an office in Mauritius.20 But if such controller uses
equipment for the purpose of transit through Mauritius, the Act does not apply to
him/her.21
17 Data Protection Act, Sections 3 & 54.
18 Data Protection Act 2004, Section 3 (3), (a).
19 Data Protection Act 2004, Section 3 (3), (b).
20 Data Protection Act 2004, Section 3 (4).
284 A.B. Makulilo
However the DPA contains an extensive exemption regime in Part VII (ss 45–54).
The matters exempted are national security (s 45); crime and taxation (s 46);
health and social work (s 47); regulatory activities (s 48); journalism, literature and
art (s 49); research, history and statistics (s 50); information available to the public
under an enactment (s 51); disclosure required by law or in connection with legal
proceedings (s 52); legal professional privilege (s 53); and domestic purposes (s 54).
Data Protection Principles
The basic principles of data processing in the Data Protection Act 2004 are provided
in the First Schedule of the Act. There are eight data protection principles in the
Schedule similar to the ones in the European Directive 95/46/EC.
The first data protection principle states that personal data shall be processed
fairly and lawfully. ‘Fairness’ and ‘lawfulness’ are not defined in the Data Protection
Act. However Rule 1 of the Practical Guide issued by the Data Protection
Commissioner relates the notion of fair processing to conditions stipulated in
sections 24 and 25 of the DPA. Most of these conditions are about consent of the data
subject before processing begins. ‘Lawfulness’ is linked generally to processing in
compliance with the Act.
Purpose specification is the second principle in the Act. It states that personal
data shall be obtained only for any specified and lawful purpose, and shall not be
further processed in any manner incompatible with that purpose. According to Rule
2 of the Practical Guide the purpose specification principle prohibits collection of
information about people routinely and indiscriminately, without having a sound,
clear and legitimate purpose for so doing. Data controllers can only process personal
information against the purpose for which they registered in the entry of the public
register. Rule 4 of the Practical Guide lays down the test for ‘compatibility’. This
is whether use and disclosure of data conforms to the expectation of the data subject
who supplied the information.
The third data protection principle is about minimality. It provides that personal
data shall be adequate, relevant and not excessive in relation to the purpose for
which they are processed. Rule 7 of the Practical Guide elaborates the third principle
to mean that the data controller should only collect and keep information that
enables him or her to achieve the purpose for which information is collected and no
more. The controller is prohibited from collecting and keeping information ‘just in
case’ a use can be found for such personal data in the future. Moreover, controllers
are prohibited from asking intrusive or personal questions, if the information obtained
in this way has no bearing on the specified purpose for which he or she holds
personal data.
The fourth principle is information quality. According to the Act personal data
shall be accurate and, where necessary, kept up to date. Rule 6 of the Practical
Guide provides that a data controller, after being informed as to the inaccuracy
of personal data by a data subject, must rectify, block, erase or destroy data as
appropriate. This obligation extends to the third party. If the data controller fails to
rectify, block, erase or destroy inaccurate personal data, a data subject may apply to
the Commissioner to have such data rectified, blocked, erased or destroyed. Rule 6
provides further that this requirement (i.e. keeping data accurate and up-to-date) has
an additional importance in that it may result in liability of a data controller to an
individual for damages if the former fails to observe the duty of care provision in the
Act applying to the handling of personal data.
21 Data Protection Act 2004, Section 3 (3), (b).
The fifth data protection principle provides that personal data processed for any
purpose shall not be kept longer than is necessary for the purpose or those purposes.
Rule 8 of the Practical Guide provides that this requirement places a responsibility
on data controllers to be clear about the length of time for which the data will be
kept and the reason why the information is being retained. If there is no good reason
for retaining personal information, then that information should be routinely deleted.
Moreover, if the data controller would like to retain information about customers to
help provide better service to them in future, he or she must obtain the customers’
consent in advance.
The sixth principle is that personal data shall be processed in accordance with the
rights of the data subjects provided under the Act. Rule 10 of the Practical Guide
repeats essentially the requirements and exceptions provided in Part VI of the
DPA. Moreover this principle places an obligation on the data controller to explain
to the data subject the logic used in any automated decision making process where
it significantly affects the individual and the decision is solely based on the
automated process.
The seventh principle states that appropriate security and organisational measures
shall be taken against unauthorised or unlawful processing of personal data
and against accidental loss or destruction of, or damage to, personal data.
International transfer of personal data constitutes the eighth principle of data
protection. It provides that personal data shall not be transferred to another country,
unless that country ensures an adequate level of protection of the rights of data
subjects in relation to the processing of personal data. Rule 9 of the Practical Guide
interprets the eighth principle together with section 31 of the Act as setting out two
criteria for transfer of personal data to a foreign country: that the foreign country in
question ensures an adequate level of data protection and also the transfer is
authorised in writing by the Commissioner.
Apart from the eight data protection principles, the DPA has special principles
with regard to processing personal data in specific contexts. These include
sensitivity; direct marketing; and data matching.
Section 25 of the DPA regulates processing of sensitive personal data, which
include personal information consisting of information as to the racial or ethnic
origin; political opinion or adherence; religious belief or other belief of a similar
nature; membership of a trade union; physical or mental health; sexual preferences
or practices; the commission or alleged commission of an offence; or any proceedings
for an offence committed or alleged to have been committed by him, or the
disposal of such proceedings or the sentence of any court in such proceedings. The
DPA restricts processing of sensitive personal data unless the data subject has either
given his express consent to the processing of the personal data or made the data
public. This restriction does not apply where processing is necessary for purposes
of exercising or performing any right or obligation which is conferred or imposed
by law on the data controller in connection with his employment; in order to protect
the vital interests of the data subject or another person where consent cannot be
given by or on behalf of the data subject, or the data controller cannot reasonably be
expected to obtain the consent of the data subject; in order to protect the vital
interests of another person, in case where consent by or on behalf of the data subject
has been unreasonably withheld; for the performance of a contract to which the data
subject is a party; in order to take steps required by the data subject prior to entering
into a contract; or for compliance with a legal obligation to which the data controller
is subject.
Section 30 of the Act governs processing of personal data in the context of direct
marketing. Generally, this provision does not prohibit direct marketing, and neither
does Rule 12 of the Practical Guide on direct marketing. Section 30(1) of the DPA only
states, ‘a person may, at any time, by notice in writing, request a data controller (a)
to stop; or (b) not to begin, the processing of personal data in respect of which he is
a data subject, for purposes of direct marketing.’ Once the data controller receives
such notice he is obliged under section 30(2) to act within a period of 28 days by
either erasing the data, if such data were kept only for purposes of direct marketing;
or, where the data were kept for direct marketing and other purposes, stopping the
processing of the data for direct marketing.
According to the Commissioner, the application of the data protection law in
direct marketing varies depending on the medium through which the marketing is
delivered.22 There is marketing by post, phone, fax and e-mail. Postal marketing
is the traditional and oldest form of marketing for mail received through a person’s
letter box. To be considered direct marketing, a mail must be addressed to a named
person and must be promoting a product or service. In the Commissioner’s view an
unaddressed mail put into a letter box or mail addressed to the ‘occupant’, ‘the
resident’ or ‘the householder’ does not necessarily involve the use of personal data and
consequently data protection legislation may not apply.23 While the DPA is silent
about consent for purposes of direct marketing, Rule 12 of the Practical Guide
provides two main forms of consent with regard to postal marketing. These are ‘opt in’
or ‘opt out’ consent. The former is a box which invites a person to indicate if he or
she would like to receive such material. Unless he demonstrates ‘active consent’ by
ticking the box, his or her personal data cannot be used for direct marketing
purposes. However failure by the person to tick the box may be taken as an indication
of his ‘passive consent’ to receive the direct marketing material.
22 Mauritius Data Protection Office, ‘A Practical Guide for Data Controllers & Data
Processors-Volume 1’-Rule 12.
23 Ibid.
Also significant, Rule 12 of the Practical Guide provides that a person intending
to use personal data for direct marketing purposes should offer a cost free opt-out
facility. This requirement applies across all other forms of communications. Other
important rules of postal direct marketing include the following: a controller is
prohibited from using personal information obtained in the past for a different purpose
for direct marketing; a person cannot sell a list of personal data for direct marketing
unless he or she obtains the consent of all the individuals affected; consent from
children should be obtained through their parents or guardians; and ordinarily a
controller is not allowed to direct market at people referred by his or her existing
customers.
Direct marketing by phone calls and faxes is prohibited unless the controller
obtains prior consent from the individuals concerned. However, in the case of direct
marketing by e-mail, the controller must obtain an individual’s consent or have
obtained that information in the course of a sale to him or her of a service or
product; the controller disclosed his or her identity, the purpose of collecting
personal data; the persons or categories of persons to whom such personal data may be
disclosed and any other information which is necessary so that processing may be
fair; also the direct marketing the controller is sending is in respect of his or her
similar products and services only; the controller had given a simple cost-free means
of refusing the use of an individual’s contact details for direct marketing and such
individual did not object and he or she was given similar options subsequently still
he or she could not refuse.
Data matching is generally prohibited under section 32 of the DPA. However it
is permissible where a data subject has given his consent; the Commissioner has
consented to the procedure being carried out and such procedure is carried out in
accordance with conditions imposed by the Commissioner; or data matching is
required or permitted under any other enactment. Rule 13 of the Practical Guide
clearly provides that any data matching that is likely to adversely affect the data
subject must be carried out only after the data subject and Commissioner have
consented.
Data Protection Commission
The DPA establishes the Data Protection Commission (DPC) in section 4(1).
Structurally the DPC is a department in the Prime Minister’s Office. It is composed of
the Commissioner as its head and other public officers. A Commissioner must be a
barrister with experience of legal practice of at least 5 years. The DPA does not
mention who appoints the Commissioner. However according to the information
available on the DPC Website a Commissioner is appointed by the Public Service
Commission. Moreover, the Data Protection Act does not state the length of tenure of
the Commissioner and his re-appointment. The DPA does not mention the number of
other public officers in the DPC. Neither does it list their respective positions or
qualifications, let alone their remunerations. However such officers are under direct
administrative control of the Commissioner.
The independence of the DPC raises many questions. In theory the general view
is that the Commission is independent. This follows the repeal of the controversial
section 21 of the Data Protection Act 2004 by Act No. 1 of 2009 (the Stimulus
Package Act 2009). Previously section 21 of the DPA gave the Prime Minister
unlimited powers to interfere with the duties and functions of the Commissioner.
Gayrel argues that the repeal of section 21 of the Data Protection Act 2004 shows
the will of the Mauritian legislature to provide an unambiguous independence to the
Commissioner.24 However, it is not enough that independence is spelt out in the letter
of the law; what matters is how in practice the data protection authority functions to
discharge its obligations. Thus the Commissioner in Mauritius, at least in theory, is
independent due to amendment of section 21 of the DPA which guaranteed
independence. Yet at present the Commissioner is materially and institutionally
dependent on the Prime Minister’s Office (PMO). In fact the Commissioner has to seek
approval from the PMO for all disbursements and expenses, which is highly unusual for
a Commission, even more so for one that is purportedly independent.25 Similarly the
guidelines drafted by the Commissioner, the drafting of which is also one of the
functions of the Commissioner, are vetted by the PMO before printing.26 This impinges
upon the DPC’s independence. Thus the claim by the Commissioner that she is
independent merely by virtue of the amendment of section 21 of the DPA and submitting
an annual report to the National Assembly as required by the law27 is not consistent
with the actual practice of how her office functions. Such practice clearly reveals that
the Commissioner is not independent.
Section 5 of the Data Protection Act vests the Commissioner with a wide range
of functions typical of any data protection authority. The Commissioner has to
ensure data controllers comply with the DPA. He may issue or approve codes of
practice and guidelines for the purposes of the Act. The Commissioner may
investigate any complaint or information which gives rise to a suspicion that an offence
under the Act may have been, is being or is about to be committed. He may take any
measure to educate the general public on the provisions of the DPA. The
Commissioner is also required under section 55 of the DPA to prepare and submit
to the National Assembly an annual report of the Commission’s activities.
The DPA vests the Commissioner with various powers. Generally, the Commissioner
has powers to do anything for the purpose of carrying out his functions as long as it
appears to him to be requisite, advantageous or convenient for discharging such
functions. Specifically he may serve an enforcement notice (section 12 of DPA). He
may carry out security checks (section 14); periodic audits of the systems of data
controllers or processors to ensure compliance with the data protection principles
(section 15); and request assistance for purposes of gathering information or proper
conduct of investigation (section 16). Also, to better enable the Commissioner to
discharge his duties, the Data Protection Act vests in him under section 17 powers
of entry and search of any premises. The Commissioner may also refer a matter to the
police for investigation and possible prosecution.
24 Gayrel 2011, pp.20–22, at p.21.
25 Mauritius Confidential report, 2011, p. 87.
26 Ibid.
27 Madhub, D, ‘The pioneering journey of the Data Protection Commission of Mauritius’,
International Data Privacy Law, 2013, Vol. 3, No. 4, pp.239–243, at p.240.
Codes of Practice and Guidelines
The Commissioner has issued various codes of practice and guidelines including a
Practical Guide for Data Controllers & Data Processors-Volume 1; Data Protection-Your
Rights-Volume 3; Guidelines for Handling Privacy Breaches-Volume 4; Guidelines to
regulate the Processing of Personal Data by Video Surveillance Systems-Volume 5;
Guidelines on Privacy Impact Assessments-Volume 6; Practical Notes on Data Sharing
Good Practices for the Public and Private Sector-Volume 9; and Code of Practice issued
by the Data Protection Commissioner for CCTV Systems operated by the Mauritius Police
Force.
The above codes of good practice and guidelines either supply details to the main
provisions of the DPA or offer a simplified version of the provisions of the Act.
Sometimes both aims manifest in the texts of these codes and guidelines at the same
time. In some of the codes of good practice and guidelines, the Commissioner has
supplied conditions for processing which appear somewhat in conflict with the
provisions of the DPA. For example, the general condition of data processing in the
DPA is the data subject’s consent. However the Act does not define what an ‘express
consent’ is. It defines ‘consent’ in section 2 as any freely given specific and informed
indication of the wishes of the data subject by which he signifies his agreement to
personal data relating to him being processed. In ‘A Practical Guide for Data
Controllers & Data Processors-Volume 1’ the Commissioner has taken the view that
‘express consent’ is consent given explicitly, either orally or in writing. Despite the
clear requirement of ‘express consent’ in section 24(1) of DPA, the Commissioner
has significantly lowered ‘express consent’ to ‘passive consent’ in the direct
marketing context and is prepared to accept it as compliance with the law. The latter
means that the data subject does not ‘tick a box’ in order to ‘opt out’.
DPC Complaint Resolution
The Commissioner completed 20 complaints in 2011–2015, but of those only 18 resulted
in formal findings of contravention of the DPA (approximately 90%). The remaining 2
complaints (10%) were set aside for lack of incriminating evidence. During the course
of the complaint investigation most complaints are either not proceeded with or
transferred to police for further investigation and consideration of prosecution.
Virtually all complaints in which the Data Protection Commissioner makes formal
findings of contravention of the DPA are transferred to the police because under the
Data Protection Act, the Commissioner has very limited powers. In summary, the
Commissioner cannot initiate prosecution himself, or issue administrative fines, or
provide compensation to complainants. All that he can do is to order controllers to
comply with the provisions of the DPA, usually by issuing enforcement notices,
recommend prosecution if they do not do so, and assist complainants to pursue their
compensation claims in court. Of the 18 cases where contraventions were found, 6
resulted in remedial actions taken by the data controllers to remedy the
contraventions and 10 cases were referred to the police for prosecution (but no details
are given). The remaining 2 cases were set aside although contraventions were found,
on account of the defence of ignorance of law. It is interesting to note that of the 18
complaint cases in which contraventions were found, only 1 decision was appealed to
the ICT Appeal Tribunal.
13.2 Seychelles
Seychelles, an archipelago in the Indian Ocean situated about 1600 km off the east
coast of Africa, is the second-smallest country in Africa with a population of 90,000
people by 2014 and an area of 455 sq km. It consists of 115 islands uninhabited until
fairly recent times. Seychelles has a long history of being under foreign occupation.
The Island first appeared on European maps at the beginning of the sixteenth century
after Portuguese explorers sighted the islands during voyages to India.
Subsequently the Island was visited by the French who settled there. The British
came later to Seychelles and since then possession of the islands alternated between
France and Britain several times during the French Revolution and the Napoleonic
wars. Finally France ceded Seychelles to Britain in 1814 in the Treaty of Paris.
However Britain administered Seychelles as a dependency of Mauritius. On June
29, 1976 Britain granted Seychelles complete independence, and the Republic of
Seychelles became a sovereign nation.
In 1977, a coup d’état led to the formation of a new government. This was followed
in 1979 by the institutionalisation of the one-party state system, based on
socialist ideology. A new constitution was adopted in 1979 which provided for a
strong executive headed by the president. It was not until 1993 that multi-party
democracy was restored in Seychelles after the adoption of a new Constitution.
The Seychelles has a presidential system of government based on the doctrine of
separation of powers between the Judiciary, Executive and Legislature.
The Constitution is the supreme law in Seychelles. Any law which conflicts with the
Constitution is invalid to the extent of such inconsistency. The Seychellois legal
system is based on English common law, with influences of the Napoleonic Code
(e.g., in tort and contract matters). The three-tiered judicial system consists of
magistrates’ courts, the Supreme Court and the Court of Appeal. The Court of Appeal
hears appeals from the Supreme Court in both civil and criminal cases. The Supreme
Court has jurisdiction of first instance as well as acting as an appeals court from the
magistrates’ courts. Criminal cases are heard in magistrates’ courts or the Supreme
Court depending on the seriousness of the charge.
In 2010 there were allegations that the Government of Seychelles under James Alix
Michel hired a number of Irish army officers who took leave of absence to work in
Seychelles for the Communist leadership in exchange for lucrative contracts. These
army officers worked for the Government, to spy on political opponents. They also
conducted internal surveillance on opponents of the ruling Communist party in
Seychelles. The little town of Victoria has been wired with cameras and State House
has been dotted with the same surveillance style equipment by contracted
personnel.
28 Seychellois Constitution, Article 20(2)(a).
29 Seychellois Constitution, Article 20(2)(b).
or that authority or body corporate.30 The right to privacy may similarly be limited
in cases of enforcing the judgment or order of a court in any civil proceedings, the
search of any person or property by order of a court or the entry upon any premises
by such order.
Seychelles is a dualistic state. Hence an international treaty takes effect at
municipal level after it has been incorporated by an Act of parliament.31 However in
interpreting the Bill of Rights in the Seychellois Constitution, courts are required to
maintain consistency with international obligations of Seychelles relating to human
rights and freedoms.32 The most relevant international treaty to which Seychelles is
a party is the International Covenant on Civil and Political Rights 1966 (ICCPR),
Article 17 of which requires privacy protection by law. Since Seychelles is a
signatory to the First Optional Protocol of the ICCPR, its citizens can lodge complaints
with the UN Human Rights Committee.33 Likewise a Seychellois court must take
into account the ICCPR while interpreting the Bill of Rights.
Seychelles is also a party to the Southern African Development Community
(SADC), a sub-regional economic group in southern Africa. In 2012 SADC
adopted the Data Protection Model Law as a soft law for its members to use in
enacting data privacy legislation. Up to this point the Data Protection Act 2003 in
Seychelles has not been aligned to the model law.
The African Union (AU), of which Seychelles is a member, has recently adopted
the African Union Convention on Cyber Security and Personal Data Protection
2014. This treaty requires the AU countries parties to it to implement data
protection legislation in their countries. This treaty requires 15 signatures to come
into force. However the status of signatories and ratifications is unknown. Only once
Seychelles accedes to this treaty will it assume its obligations.
The Civil Code has a few clauses relevant to privacy protection. Article 9(1)
provides that subject to the provisions of any law, persons shall be entitled to
protection of the court with regard to their rights to privacy and confidential
information. However it is a defence to a civil action arising from an act, which has
led, in fact, to the invasion of the privacy of a person or to the breach of confidential
information to which he was entitled, that the act was performed as part of a
legitimate investigation of allegations of behaviour against the public interest.34
30 Seychellois Constitution, Article 20(2)(c).
31 Seychellois Constitution, Article 64(4).
32 Seychellois Constitution, Article 48.
33 First Optional Protocol to the International Covenant on Civil and Political Rights, Article 1.
34 Civil Code, Article 9(2).
In 2012 the Seychellois Penal Code was amended to introduce several offences
which are relevant to privacy protection.35 One of such provisions states that a
person who observes or visually records another person, in circumstances where a
person would expect to be afforded privacy – without the other person’s consent;
and when the other person is – in a private place; or engaging in a private act; and
the observation or visual recording is made for the purpose of observing or visually
recording a private act, commits an offence and is liable on conviction to
imprisonment for a term of 20 years.36 The Penal Code also criminalises the conduct of
a person who observes or visually records another person’s private parts, in
circumstances where a person would expect to be afforded privacy in relation to his or
her private parts – without the other person’s consent; and when the observation or
visual recording is made for the purpose of observing or visually recording the other
person’s private parts.37 The punishment for this offence is imprisonment for a term of
20 years.38 Likewise, a person who possesses a prohibited visual recording of
another person having reason to believe it to be a prohibited visual recording,
without the other person’s consent, commits an offence and is liable on conviction to
imprisonment for a term of 20 years.39 Another offence which is relevant to privacy
concerns the distribution of a prohibited visual recording of another person. The
Penal Code states that a person who distributes a prohibited visual recording of
another person having reason to believe it to be a prohibited visual recording,
without the other person’s consent, commits an offence and is liable on conviction to
imprisonment for a term of 20 years.40
However, a person is not criminally responsible for an offence against sections
157A, 157B, 157C or 157D if – the person is, at the time of the offence, a law
enforcement officer acting in the course of the person’s duties; and such conduct is
reasonable in the circumstances for the performance of the duties.41
In 1997 the Criminal Procedure Code was amended. This amendment was introduced to the Criminal Procedure Code through sections 30A-30E to enable the collection and analysis of both intimate samples (a sample of blood, semen or other tissue fluid, urine or pubic hair; a dental impression; a swab taken from a person’s body orifice other than the mouth) and non-intimate samples (a sample of hair, other
35 Penal Code (Amendment) Act, 2012.
36 Penal Code, Section 157A.
37 Penal Code, Section 157B.
38 Penal Code, Section 157B.
39 Penal Code, Section 157C.
40 Penal Code, Section 157D.
41 Penal Code, Section 157F.
294 A.B. Makulilo
than pubic hair; a sample taken from a nail or from under a nail; a swab taken from any part of a person’s body including the mouth but not from any other body orifice; saliva; finger-print, palm print, footprint or the impression of any part of a person’s body; the measurement of a person or any part of the body of a person) from a person for the purpose of crime detection.
As the samples to be collected constitute sensitive personal data, the Criminal Procedure Code (Amendment) Act 1997 provides specific requirements to safeguard the individual’s privacy: “the decisions to take samples from persons are authorised by relatively senior officers and written records of those decisions are kept; the person whose consent is being sought is informed of the right to refuse to give a sample; the person from whom the sample is to be taken is notified as to why the sample is required, whether authorisation has been obtained or a court order has been given for the taking of the sample; where a court order is being sought, sufficient information about the applicant, the suspect, the reason for requesting the order and the type of sample required must be given to allow the court to make an informed decision” (Objects and reasons).
42 Prevention of Terrorism Act, Section 25(1).
43 Prevention of Terrorism Act, Section 25(2).
44 Prevention of Terrorism Act, Section 25(3)(a).
45 Prevention of Terrorism Act, Section 25(3)(b).
13.2.4 Protection of Privacy Through Comprehensive Privacy Law
Seychelles enacted its data protection legislation in 2003. The Data Protection
Act 2003 is based upon the UK Data Protection Act 1984 which was repealed and
replaced by the UK Data Protection Act 1998 following the adoption of the EU
Directive on Data Protection 95/46/EC. The Seychellois Data Protection Act is not
yet in force.
Scope of the Data Protection Act. The Seychellois Data Protection Act applies to data recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose.46 In other words, the Act applies only to digital data and excludes data held in a manual filing system. It also applies to any natural person involved in personal information processing. Both public and private sectors are covered, subject to specific exceptions.
As far as territorial scope is concerned, the Data Protection Act does not apply to
a data user or computer bureau outside Seychelles.47 However, it applies where,
although data is wholly processed outside, it is used or is intended to be used in
Seychelles.48 Moreover the Act does not apply to personal data processing for
national security, crime, taxation, health and social work, payrolls and accounts,
domestic or other limited purposes, and examination marks.49
Terminologies. The definition of ‘personal data’ is a conventional one, referring to information which relates to a living individual who can be identified from that information.50 A ‘data user’, known as a ‘data controller’ in other jurisdictions, is defined as a person who determines the purposes for which and the manner in which personal data are to be processed.51 Similar to the UK Data Protection Act 1984 (now repealed), the Seychellois Data Protection Act uses the term ‘computer bureau’ in the same way as ‘data processor’. Section 2(11) of the Data Protection Act defines a ‘computer bureau’ as an agent of other persons who processes personal data. Most of the other terminologies are defined in a conventional way.
The Data Protection Principles. The DPA has eight data protection principles in Part I of the Schedule whose interpretation is given in Part II of the Schedule. The seven principles apply to personal data held by data users and the eighth principle
46 Data Protection Act, Section 2(5).
47 Data Protection Act, Section 45(1).
48 Data Protection Act, Section 45(5).
49 Data Protection Act, Sections 33–42.
50 Data Protection Act, Section 2(7).
51 Data Protection Act, Section 2(10).
applies both to such data and to personal data in respect of which services are provided by persons carrying on computer bureaux.52 The eight principles are:
Data Protection Commissioner. The privacy Act creates a data protection authority in Seychelles with the role of keeping and maintaining a data protection register (sec 8). This appears to be the only major function of the Commissioner in relation to the implementation of the Act. The Commissioner has power to issue an enforcement
52 Data Protection Act, Section 3(2).
53 Data Protection Act, Section 3(3).
54 Data Protection Act, Section 16(1).
55 Data Protection Act, Section 16(7).
notice to ensure compliance by data users (sec 14). He also has powers of entry and search (sec 20). However, he may not impose any administrative fines or any sanction upon contravention of the Act by data users or computer bureaux. Similarly, there are no mechanisms to resolve complaints in the Act. Individuals who are aggrieved by data users must claim compensation in courts. Similarly, any offence committed under the Act must be prosecuted in courts.
The independence of the data protection authority is also questionable. The data
protection authority receives its moneys from the consolidated fund (sec 6). This is
important to ensure independence of the authority. However the tenure of the
Commissioner is not secured. He is appointed by the President and he can be
removed by him at any time (sec 4).
The preceding discussion demonstrates that Seychelles has a weak and obscure regime of privacy law. Its data privacy law is based upon the repealed UK Data Protection Act 1984. It is difficult to illustrate the real operation of most of the data protection principles in the Act, because this law is not yet in force and there are no available examples of their application. Moreover, the mechanisms for data export and enforcement of the law are very weak. Protection of privacy outside the Data Protection Act is also not strong. Until the Data Protection Act is amended in line with international best practices and brought into force, privacy will be subject to violations by data users.
13.3 Madagascar
status. The country gained full independence from France in 1960 in the wake of
decolonization.
Since independence Madagascar has transitioned through four republics with corresponding revisions to its constitution. The First Republic (1960–72), under the leadership of French-appointed President Philibert Tsiranana, was characterized by continued economic and cultural dependence upon France. This state of affairs provoked resentment and sparked the rotaka, popular movements among farmers and students that ultimately ushered in the socialist Second Republic under Admiral Didier Ratsiraka (1975–1992). The Second Republic is distinguished by economic isolationism and political alliances with pro-Soviet states. The socialist-Marxist policies spelled the political and economic path of the country. The world economic crisis of the 1970s did not spare Madagascar. The crisis forced the country to reform its policies and adopt the free market policies imposed by the International Monetary Fund, World Bank and various bilateral donors in exchange for their bailout of the nation’s broken economy. Ratsiraka became unpopular with these new policies and he was ousted in 1991. The way to the Third Republic (1992–2010) under the leadership of Albert Zafy was paved. The new Madagascar constitution established a multi-party democracy and a separation of powers that placed significant control in the hands of the National Assembly. It also emphasized human rights, social and political freedoms, and free trade. Zafy was impeached in 1996, and an interim president, Norbert Ratsirahonana, was appointed for 3 months prior to the next presidential election. Ratsiraka was then voted back into power on a platform of decentralization and economic reforms for a second term which lasted from 1996 to 2001. Opposition leader and then-mayor of Antananarivo, Andry Rajoelina, led a movement in early 2009 in which Ravalomanana was pushed from power in an unconstitutional process widely condemned as a coup d’état. In March 2009, Rajoelina was declared by the Supreme Court as the President of the High Transitional Authority, an interim governing body responsible for moving the country toward presidential elections. In 2010, a new constitution was adopted by referendum, establishing a Fourth Republic, which sustained the democratic, multi-party structure established in the previous constitution.
56 Madagascar Constitution, Article 13.
57 Madagascar Constitution, Article 13.
58 AFAPDP, 2015.
59 Thomas Brookes, 2015.
60 Madagascar was published in the Journal Officiel n° 3630 of 20 July 2015.
second pillar is the regime of the rights of data subject. These are provided in Chap.
4. The independent data protection authority called Malagasy Commission for
Information and Freedoms (CMIL) is provided for in Chap. 5. The fourth pillar is
the sanctions regime in Chaps. 5 and 7.
Scope of the Data Protection Act. The DP Act applies to data controllers both in the
public and private sectors with very few exceptions compared to the other two
Islands of Mauritius and Seychelles.61 Moreover it does not distinguish between
automated and manual data processing hence covering both equally. The law does
not apply to personal data processing in the course of purely personal activities; or
solely for journalistic or literary or artistic expression. Processing of personal data
in the context of national security, criminal law, public service and judiciary is
excluded under section 19 of the Act.
Moreover the Malagasy Data Protection Act applies to a data controller who is
established in Madagascar [s. 6(1)] or who is not established in Madagascar but who
uses means of data processing located in Madagascar [s. 6(2)]. The Act does not
cover processing only for purposes of transit through the territory.
The privacy legislation in Madagascar contains the usual terminologies such as personal data, processing, data controller, processor, recipient, data subject and consent in sections 7–13. These terminologies are defined in a conventional way, as is the case with the European Data Protection Directive 95/46/EC.
Data Protection Principles. Being inspired by EU laws, the data privacy legislation in Madagascar contains similar data protection principles, namely:
• Personal data must be processed fairly and lawfully. Furthermore the processing must be for an explicit and legitimate purpose.
• The amount of personal data to be processed must be adequate, relevant and not excessive in relation to the purposes for which they are collected or used.
• Personal data must be accurate, complete and updated as necessary; all reasonable necessary steps must be taken so that inaccurate or incomplete data are erased or rectified.
• Personal data must be kept in a form which permits identification of data subjects for a period not exceeding that necessary for the purposes for which they are collected or used.
• The controller must take all necessary precautions, given the nature of the data and the associated risks, to ensure security of such personal data. He must protect data against accidental or unlawful destruction or accidental loss, alteration, disclosure or unauthorized access.
• Processing of sensitive personal data is generally prohibited unless certain stringent criteria are fulfilled.
Legitimate Processing of Personal Data. The Data Protection Act provides (s. 17) conditions for legitimate processing of personal data which are similar to Art 7 of
61 Loi n° 2014–038 du 9 janvier 2015 sur la protection des données à caractère personnel, s. 5.
the EU Data Protection Directive. Accordingly, personal data may be processed only if: the data subject has given his consent; or processing is necessary for compliance with a legal obligation to which the controller is subject; or processing is necessary in order to protect the vital interests of the data subject; or processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.
International Data Transfer from Madagascar. The data privacy legislation provides that transfer of personal data from Madagascar to a foreign country may take place if such country ensures an adequate level of protection (s. 20). The level of protection afforded by a foreign country shall be assessed in the light of all circumstances surrounding a data transfer or transfer operations. This includes, in particular, the nature of the data, the purpose and duration of the proposed processing, the country of origin and final destination, the rules of law, general and sectoral, in force in the foreign country in question and the professional rules and security measures which are complied with in that country.
In case a foreign country does not ensure an adequate level of protection, the Commissioner may still authorise transfer after taking into consideration measures such as contractual clauses. Similarly, personal data may still be transferred to a foreign country where there is no adequate level of protection if:
• the data subject has given his consent unambiguously to the proposed transfer; or
• the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject’s request; or
• the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
• the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
• the transfer is necessary in order to protect the vital interests of the data subject; or
• the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
Rights of Data Subjects. The regime of data subject rights in the Data Protection Act is provided in Chap. 4 of the Act (ss. 22–27). The rights include the right to object to data processing; the right to access one’s personal data; the right of rectification; and the right to get information about a data controller and processing of personal data relating to him.
Malagasy Commission for Technology and Freedom (MCIL). The Data Protection
Act establishes an independent data protection authority (s. 28). The independence
of MCIL is further reinforced in section 33 where the Act states that MCIL is not
required to take instructions from any authority in the course of discharge of its
duties. It also has its budget from the consolidated fund (s.74). At the moment it is
difficult to assess the independence of the MCIL until it commences its operation.
13.3.3 Conclusion
References
AFAPDP, ‘Madagascar adopte une loi sur la protection des données personnelles’, 21.01.2015, http://www.afapdp.org/archives/2901.
Confidential report, ‘Ensuring the compliance of the data protection legislation and principles of Mauritius with EU standards’, 2011.
Gayrel, C., ‘Mauritius: Data Protection in an Evolving Island Economy’, Privacy Laws & Business International Report, 2011, No. 114, pp. 20–22.
Khan, N.M. and Emmambokus, N., ‘Customer Adoption of Internet Banking in Mauritius’, International Journal of Business Research and Management (IJBRM), 2011, Vol. 2, No. 2, pp. 53–58.
Krishna Oolun et al., ‘The Making of a Digital Nation: Toward i-Mauritius’, The Global Information Technology Report 2012, pp. 161–168.
Madagascar was published in the Journal Officiel n° 3630 of 20 July 2015.
Madhub, D., ‘The pioneering journey of the Data Protection Commission of Mauritius’, International Data Privacy Law, 2013, Vol. 3, No. 4, pp. 239–243.
Maurer, S., ‘Genetic Identity in Mauritius’, Antrocom, 2010, Vol. 6, No. 1, pp. 53–62.
Mauritius Data Protection Office, ‘A Practical Guide for Data Controllers & Data Processors-Volume 1’-Rule 12.
Mauritius Data Protection Office, First Annual Report of the Data Protection Commissioner February 2009–February 2010.
Mauritius National Assembly, Debate No. 5 of 2004, ‘B/165 Telephone Tapping’, Parliamentary Questions-Oral Answers, Tuesday 13th April, 2004.
Patricia Boshe
Abstract The political unrest in Burundi makes the right to privacy a far less urgent issue in reform than the need for political stability. Nevertheless, the country acknowledges the inevitable need to reform the legal and regulatory framework for the protection of personal data and privacy. The objective is to minimize the risks posed by government administrative activities and increased use of ICTs to data security and personal privacy. Burundi has made some efforts to secure cyberspace by amending some of the existing laws such as the penal code, the criminal procedure code, telecommunications law and other sensitive sector-specific legislation. However, the country is yet to embark on a substantial legal reform to secure personal data in a comprehensive manner. Reforms remain a patchwork despite a displayed continued effort to secure personal data and privacy. This chapter provides an overview of the present legal and regulatory framework for the protection of personal data and privacy in Burundi.
Burundi has the lowest number of internet users, at 1.32 % of the population, compared to its East African counterparts.1 Statistics from telecommunications operators show that Burundi has 2.09 million mobile telephony subscribers and 25,000 fixed telephony subscribers, which is a penetration rate of 26 % and 0.3 % with an estimated population of 8,000,000 inhabitants; and with the highest access costs in the East African Region.2 The authoritarian government and political unrest in Burundi have, to a large extent, contributed to the lower development of Burundi’s economy, restricted individual freedoms, human rights and ICT penetration. In the ICT sector, Burundi had, in 2006, enacted the National ICT policy with the main objective of fostering ICT
1 www.itu.int/en/ITU-D/Statistics/Documents/statistics/2014/individuals_internet_2000-2013xls
2 Ministere de la Fonction Publique, du Travail et de la Securite Sociale and UNDP, (A) 2011, p. 41.
P. Boshe (*)
Faculty of Law, Passau University, Passau, Germany
e-mail: boshe01@uni-passau.de
development in this digital era. However, the increased vulnerability of personal privacy and data security brought by the increased use and exploration of ICT and the internet made it necessary for the government of Burundi to review this policy in 2011.
The reviewed policy emphasizes the need to reform the country’s legal and regulatory framework to reflect good practice in the protection of personal information, promote e-commerce and instil confidence in users of ICT services.3 According to the Burundi Executive Secretariat for ICT, the amendments were also made to comply with the 2005 World Summit on the Information Society (WSIS) commitments,4 including lessening the digital divide. The Policy acknowledges the weaknesses of the previous legal and regulatory framework in regulating online activities and securing personal data and individual privacy. This fact has also been confirmed by the country’s commissioned reports recommending reforms in the legal and regulatory framework governing the telecommunications sector.5
In 2007 Burundi was integrated into the East African Community (EAC).6 Article 126 of the East African Treaty and article 47 of the Common Market Protocol require Burundi to implement reforms in different sectors to align with the EAC policies, good practices and other international practices the members subscribe to. In the area of privacy and data protection, the EAC Council of Ministers had, in 2006, adopted the EAC e-Government programme as a strategy to improve government service delivery. The Council considered the main barrier to implementing the e-Government programme to be the lack of a proper legal and regulatory framework for the protection of personal information and for cybercrimes, and of a corresponding legal system to prosecute cyber criminals. In addressing these concerns, the EAC member States met in Kampala, Uganda in April 20067 to discuss strategies for reforming the legal and regulatory framework to allow smooth implementation of e-Government. Following the two workshops, the EAC member States agreed to initiate legal reforms in their specific countries to regulate computer-related activities against cybercrimes, protect personal privacy and secure personal data in online transactions.
In 2008 three other meetings were held in Arusha-Tanzania (January 2008), Kampala-Uganda (June 2008) and Bujumbura-Burundi (September 2008) consecutively to deliberate on the status of the cyber laws in individual countries and identify areas in need of reforms. These meetings led to the drafting and adoption of the EAC Legal Framework for Cyber Laws.8 The Framework was adopted in two phases, phase I and phase II in 2008 and 2011 respectively. Phase I of the frameworks
3 Nalwoga, L., p. 85
4 See Ministère de la Fonction Publique, du Travail et de la Securite Sociale and UNDP (A).
5 See Ibid; and Ministère de la Fonction Publique, du Travail et de la Securite Sociale and UNDP, (B), 2012, p. 101.
6 This was through the ratification of the Treaty for the establishment of the East African Community which was signed on the 30th November 1999, and entered into force on 7th July 2000, whereby Burundi acceded to the Treaty on the 18th June 2007.
7 The Workshop on Cyber Laws and e-Justice held on 25th and 26th April 2006; and the Workshop on Information Security held on the 27th and 28th April 2006.
8 See EAC, 2010, para 2.2 (b).
14 Data Protection Regulation in Burundi 307
The political status of Burundi limits Human Rights observers and activists working on the ground. Human rights organizations and activists have been an ongoing target of police intimidation, threats, arrests and surveillance. The same applies to civil servants who attempt to expose corrupt government leaders or high officials. A good example is the jailing and restricted liberty of two members of the observatory for the fight against corruption and economic embezzlement who investigated the irregularities in the purchase of the presidential plane Falcon 50 in 2006. In May 2015, the head of the association for the protection of Human Rights and Detained Persons, Pierre Claver Mbonimpa, was arrested and charged with spreading false rumors and inciting violence in the course of his employment. This happens while Burundi has an established National Human Rights Commission, which is claimed to have functional independence.
As an illustration, limitations and restrictions of fundamental rights including the right to move (by curfew measures or regroupment of populations), the right to freedom of assembly (through measures requiring special permits to hold meetings or organize demonstrations and the arrest of people who come together without these
308 P. Boshe
9 Online article ‘Burundi Shuts Down Civil Society’ of November 23, 2015.
10 Online article, ‘The biometric identity card she violates our privacy?’
the operators and subscribers a deadline of up to July 2015 upon which all unregistered SIM cards were blocked. As part of the exercise, personal information including name and address is collected and stored by the communication operators. Contrary to the government’s reasons for the registration, the public associates the registration of SIM cards with surveillance of citizens by the government. The public believes the registration of SIM cards can easily allow identification of a person through suspected ongoing interception of communication by government entities. In fact, some government officials in Burundi have affirmed public worry over interception of their communication with statements such as the one issued by the telecommunication Regulator saying ‘we will work with the service providers on cooperation mechanism in the traceability of communications.’11
Interception of communication is legally permissible under article 24 of the Telecommunication Law. The article obliges telecom operators to provide confidential information on demand by the Regulator if the demand is proved to be lawful and in line with the constitution of the regulatory authority (ARCT).
Furthermore, in implementing the EAC e-Government strategy, Burundi intends to create a single repository (database) with personal files for all citizens. According to a report,12 the government suggests the use of the 2008 census data as an initial step towards the creation of the repository. This data would be synchronized with other data from, for example, the Ministry of Civil Service and Ministry of Finance to obtain additional information such as recruitment, career histories, payroll information, employment numbers, number of children and their birth dates, photos and fingerprints.13 In the repository, each individual will be assigned a personal ‘secured ID Card’ with a barcode.
14.3 Legal and Regulatory Framework for Privacy and Data Protection
Burundi does not have a specific law for privacy and data protection. However, she has ratified international codes such as the Universal Declaration of Human Rights 1948 and the International Covenant on Civil and Political Rights 1966 which provide for the right to privacy. In reflecting its commitment to international conventions in relation to the right to privacy, the Constitution of Burundi provides under article 28 for the protection of individual privacy and the privacy of their communication. Article 28 states:
11 See Jean Paul Nkurunziza and Alain Ndikumana.
12 Ministère de la Fonction Publique, du Travail et de la Securite Sociale and UNDP, (A) supra, note 2.
13 Ibid, p. 34.
‘Toute femme, tout homme a droit au respect de sa vie privée et de sa vie familiale, de son
domicile et de ses communications personnelles’.
Translated as every woman, every man has the right to respect for their private life and for
their family life, for their domicile and their personal communications.
14 Article 19 paragraph 2.
puter through a remote means; either through another computer or the use of any other technological device. The last provision is article 270 creating an offence against any person who introduces or designs or makes or distributes (sells) or uses a destructive computer programme or does anything that prevents fully or partially the correct operation of a computer system.
Part V of the Penal Code supplements the Telecommunications Law15 which under article 10 prohibits unauthorized interception of communications not intended for use by the public. Further, the provision prohibits unauthorized disclosure, publication and use of any communication not intended for use by the general public. The law also imposes an obligation on network operators and telecommunications providers to ensure privacy and confidentiality of personal communications. Under article 23 the obligation to ensure privacy and confidentiality of personal communication extends to any staff working for a network operator or telecommunications provider, who must ensure the confidentiality of communication exchanged through their networks. Accordingly, articles 40 and 248 of the Telecommunications Law and the Penal Code respectively provide for punishment of any staff member of any network operator or telecommunication provider who violates the confidentiality of communications. Also article 6 of the ARCT16 tasks the service providers with an obligation to protect and promote end users’ rights within the communication environment. Although the law has not clarified what kind of protection is referred to, prudence in interpretation is expected to include privacy of end users as one of the protected and promoted rights under this specific provision.
The National Legal Framework for Statistics also puts an additional obligation on data controllers to ensure confidentiality of personal data. The framework is, however, focused on personal data from surveys and censuses. It requires all personal data collected in survey and census statistics to be protected in light of the individual liberties of the citizens. The framework prevents the use of such data for purposes other than distributing or publishing aggregate statistical results. It also requires the coding of the identifiers of the interview. The framework also protects the data subjects of this data from prosecution by prohibiting the use of related data for prosecution and criminal punishments or in tax offences.
There are other sector-specific laws beyond the communication sector amended to address the EAC Framework in protection of personal privacy and data in cyberspace. These include the Central Bank Act,17 Industrial Property Act,18 Competition Act,19 Customs Code Act,20 Press Act,21 Private and Public Companies
15 Law No. 1/011 of 1997.
16 Law No. 100/112 of April 5, 2012.
17 Law No. 1/34 of December 2008.
18 Law No. 1/13 of July 2009.
19 Law No. 1/06 of March 2010.
20 Law No. 1/02 of January 2009.
21 Law No. 25/01 of November 2003.
Act,22 Protection of Right of Author and its related Act,23 Trade Code Act,24 Value
Added Taxation Act.25
The current framework for privacy and data protection gives power to two institutions to access personal data through wiretapping, interception and surveillance of individual communication and data. Article 24 of the telecommunications law empowers the regulator to authorize interception of communication for public interest and suppression of criminal activities. The same power is vested in the public prosecutor to access, collect or seize personal data and intercept personal communications when such access or interception is necessary to establish the truth during criminal investigation. The public prosecutor can seize telegrams and letters, intercept any communication and seize any object necessary to prove or establish his case. The Code empowers the prosecutor to summon any communication or object of communication from the Chief of Post Office or Telegram Officer. The Code is silent on electronic, internet and phone-based communications including SMS; however, the fact that the provision states the prosecutor can seize ‘any object’ may be construed to include internet and phone-based communications. Other than these instances, interception and surveillance of communications is deemed illegal and punishable under the law.
The ARCT is the national regulatory authority for the Telecommunications sector.26
ARCT is not an independent regulatory body; it is placed under the Ministry of
Defence. All decisions made by the ARCT are evaluated by the Ministry of Transport
and Communication and must be approved by the Ministry of Defence before they
are implemented. The ARCT mission includes among others, the settling of disputes
22
Law No. 1/09 of May 2011.
23
Law No. 1/06 of December 2005.
24
Law No. 1/07 of April 2010.
25
Law No. 1/02 of February 2009.
26
Created by decree No. 100/182 of 30 September 1997.
14 Data Protection Regulation in Burundi 313
between users or subscribers and the operators on the one hand and between the
associated services providers on the other. ARCT deals with spectrum management,
tariffs and interconnection control and regulation of competition in the sector.
14.4 Conclusion
It is reported that, after the EAC Task Force on the EAC Cyber Law Framework
met, Burundi embarked on reforms of its legal framework for dealing with crimes
in cyberspace.28 The reforms were supervised by the Executive Secretariat of
Information and Communication Technologies under the Ministry of Transport,
Posts and Telecommunications. The first of the reforms involved the drafting of an
Electronic Transaction Bill which provides for a mechanism of self-regulation of
electronic and alternative procedures for dispute resolution. The Draft Bill gives
recognition to electronic signatures and their authentication, online consumer
protection, privacy and data protection and computer crimes. Specifically, Chap. 3 of
the Draft Bill contains a proposed framework for the legal regulation of privacy and
data protection. The Draft Bill was examined by the Ministry of Justice to check
compliance with existing laws and was scheduled for discussion by the Council of
Ministers in 2012. However, there is no information on its progress since then.
27 Law No. 1/03 of January 24, 2013.
28 EastAfrica_WS_Report.pdf, p. 6.
From this chapter, it is clear that Burundi is in dire need not only of reform of the
legal regime on the protection of personal data and privacy but also of a supportive
intervention in re-establishing the institutional frameworks to support democratic
governance and the implementation of human rights. The regime for the protection of
personal data and privacy needs a strong and stable foundation in terms of governance
and human rights institutions to support its objectives. In its present state, the
Burundi legal system is still too weak to support a proper legal framework for data
protection.
References
Nalwoga, L., ‘Burundi and East Africa: Government Surveillance in East Africa’ in APC and Hivos
(eds), Global Information Society Watch: Communications Surveillance in the Digital Age,
2014, pp. 85–190
EAC, the 2nd extra-ordinary meeting of the EAC Sectoral Council on Transport, Communications
and Meteorology: Report of the meeting, EAC/SR/2010.
The Workshop on Cyber Laws and e-Justice held on 25th and 26th April 2006; and the Workshop
on Information Security held on the 27th and 28th April 2006.
Online Materials
Nkurunziza, J. P., and Ndikumana, A., Update on the State of Internet Freedom in
Burundi, CIPESA, published online on 16.06.2015 at
http://www.cipesa.org/2015/06/update-on-the-state-of-internet-freedom-in-burundi/
www.itu.int/en/ITU-D/Statistics/Documents/statistics/2014/individuals_internet_2000-2013xls
Legal Instruments
Alex B. Makulilo and Patricia Boshe
Abstract This chapter discusses the data protection system of Kenya. However,
since Kenya has not yet adopted specific data protection legislation, particular
focus in this chapter is given to the data protection reform process. An assessment
of the Data Protection Bill 2013 is central to this chapter. The chapter also
discusses the current case law decided by Kenyan courts based on the
privacy protection afforded in the Kenyan Constitutions (the old and new). To what
extent is this case law adequate and relevant to privacy protection in Kenya?
This is one of the main questions that this chapter will attempt to discuss.
The current state of privacy reform in Kenya has its historical background in the
cyber law reforms in the East African Community (EAC), of which Kenya is a member
state. The EAC cyber law reform programme began on 28 November 2006.
These reforms, which culminated in the adoption of the EAC Framework for
Cyberlaws Phase I in 2010, recommended that the EAC member states adopt data
protection legislation based upon international best practices. The purpose of
developing a Cyber Law Framework for the EAC Partner States was to promote regional
harmonisation as the legal response to the challenges raised by the increasing use
of and reliance on ICTs for commercial and administrative activities, specifically in an
Internet or cyberspace environment.1 The EAC Legal Framework for Cyber Law
(Phase I), which is relevant in the field of data protection, made two specific
recommendations as far as data processing activities are concerned. The first is for
data controllers to comply with certain ‘principles of good practice’ in respect of their
processing activities, including accountability, transparency, fair and lawful
processing, processing limitation, data accuracy and data security.2 The second is for
those data controllers to supply the individual with a copy of any personal data being
held and processed and provide an opportunity for incorrect data to be amended.3
Prior to the adoption of the EAC Legal Framework for Cyber Law (Phase I), the
Kenyan Ministry of Information and Communication issued a draft Data Protection
Bill 2009. This bill was highly criticized for being far below the best practice
standards recommended by the EAC.4 The major criticism was that the draft bill only
applied to personal data held by public authorities, leaving the private sector
unregulated. Another set of criticisms concerned the scope of the data protection
principles as well as the definitions of terminologies. This draft bill did not go
further in the legislative process.
In 2010 Kenya adopted its new constitution (the Constitution of Kenya 2010). In
contrast to its previous constitution (the Constitution of Kenya 1963), the new
Constitution incorporates an express provision for privacy protection. The
implementation of the 2010 Constitution involves enactment of legislation as provided
for by the Fifth Schedule of the Constitution. Although data protection legislation is
not specifically provided for in the Fifth Schedule, the Kenya Law Reform Commission
(KLRC) went ahead to prepare and issue the Data Protection Bill 2012. Although this
draft bill addressed the criticisms of the previous data protection bill sponsored
by the Kenyan Ministry of Information and Communication, it was similarly
criticized on its other aspects.5 The Commission for the Implementation of the
Constitution (CIC), charged with the mandate to implement the new Kenyan
Constitution, slightly improved the draft data protection bill and forwarded to the
Kenyan Attorney General a revised version, the Data Protection Bill 2013.6 On 11
September 2014, the Kenyan Cabinet approved the privacy and data protection policy
which is the basis for the data protection bill.7 The current status of this draft bill,
as indicated on the CIC’s webpage, is that the draft bill is forwarded to the
Attorney General for publication to the parliament. However, it has not been
introduced in the Kenyan Parliament.
1 Walden (2008), p.8.
2 Ibid, p.17.
3 Ibid.
4 Article 19, ‘Kenya: Draft Data Protection Bill critically limited’,
https://www.article19.org/resources.php/resource/2825/en/kenya:-draft-data-protection-bill-critically-limited
accessed 13.02.2016.
15 Data Protection in Kenya 319
The Republic of Kenya also known as Kenya is a country in East Africa. It lies on
the equator and is bordered by Ethiopia to the North, Somalia to the East, Tanzania
to the South, Uganda to the West, Sudan to the Northwest and the Indian Ocean to
the southeast. Kenya has a population of approximately 44 million people. Its total
size is 582,650 sq. kilometers.
In 1963 Kenya got its independence from the British. Since then it has experi-
enced domestic tensions and contestation. Such tensions are associated with cen-
tralisation and abuse of power, high levels of corruption, and a more than two
decades long process of constitutional review and post-election violence. However
the elections in March 2013 are milestones constituting steps forward in Kenya’s
transition from political crisis. On 7 August 1998 Kenya suffered a historical terror
attack, when al Qaeda bombed the US embassy in Nairobi, killing hundreds of
people. Similarly, it has become a frequent target for the al Shabaab terror group
since October 2011 when the Kenya Defence Forces crossed into Somalia in hot
pursuit of the militia resulting in the adoption of highly controversial terrorism and
security laws.
Kenya follows a presidential system of government whereby the president is
both the head of State and government. The executive power is exercised through
the government. The country has a bi-cameral Parliament (consisting of the Senate
and the National Assembly) which is a result of the adoption of the new Constitution
of Kenya 2010. The operations of this Parliament commenced after the March 2013
General Elections. The judiciary is the other pillar of the government. It is based on
the common law legal system which was inherited from the British. The Kenyan
Constitution is the supreme law. It binds all persons and all state organs. Any law
that is inconsistent with the constitution is void to the extent of its inconsistency.
5 Makulilo (2013), No.121, pp.24–25.
6 Boshe (2015), Vol.12, No.3, pp.12–13.
7 Kass Online, ‘Statement by Cabinet at the end of its 7th Ordinary Meeting at the State House,
Nairobi’, 12.09.2014,
http://kassfm.co.ke/home/index.php/component/k2/item/1342-statement-by-cabinet-at-the-end-of-its-7th-ordinary-meeting-at-state-house-nairobi.html,
accessed on 13.02.2016.
320 A.B. Makulilo and P. Boshe
In relative terms, Kenya has the largest and most diverse economy in East Africa.
The size of the economy is 25 % larger than previously thought, and Kenya is now
the 5th largest economy in Sub-Saharan Africa behind Nigeria, South Africa, Angola
and Sudan.8 In September 2014 Kenya became a middle-income country based on
the Mo Ibrahim Index. The last 5 years have also seen Kenya make major developments
in information and communications technology (ICT). Four submarine
cables, the East African Marine Systems (TEAMS), the Eastern Africa Submarine
Cable System (EASSY), the South East Africa Communication (SEACOM) and the
Lower Indian Ocean Network (LION), were put in place to provide international
connectivity. Business Processing Off-shoring (BPO) and IT enabled services (one
of the seven priority sectors in the Vision 2030 economic pillar) rely on these fiber
optics for their operations.
Internationally, the Republic of Kenya is a member of many organizations within
and outside Africa including the United Nations (UN), African Union (AU), East
African Community (EAC) and Common Market for Eastern and Southern Africa
(COMESA). This means that Kenya has obligations to fulfil towards these
organisations.
The main surveillance practices in Kenya, as well as the legislative context on which
these practices depend, include SIM card registration, M-Pesa, the surveillance and
monitoring system, the biometric voter registration system, interception of
communications, biometric passports and national ID cards.
Mandatory registration of SIM cards in Kenya was introduced on 20 July 2009. The
registration was announced at an event to mark the tenth anniversary of the
Communications Commission of Kenya (CCK), where President Mwai Kibaki,
through a speech read on his behalf by Vice President Kalonzo Musyoka, directed
the Ministry of Information and Communication to put in place, within 6 months
from then, an elaborate databank that would ensure all mobile telephone subscribers
were registered. The Ministry took this directive as the legal basis for registration of
SIM cards in the country. However, in order to expeditiously seal the existing legal
loopholes, the government, through the Statute Law (Miscellaneous Amendments)
Act No 12 of 2012, amended the Kenya Information and Communications Act, Cap
8 The World Bank, ‘Kenya: A Bigger, Better Economy’,
http://www.worldbank.org/en/news/feature/2014/09/30/kenya-a-bigger-better-economy
accessed 14.02.2016.
M-Pesa
The other aspect that has raised privacy concerns in Kenya in recent days is the
increasing use of personal data from M-Pesa to identify individuals. M-Pesa is the
local name for mobile money in Kenya. In Africa, Kenya is the first and leading
country to introduce mobile money in its economy to address problems of financial
exclusion. In 2007, when M-Pesa started, there were only 9.5 million mobile money
subscribers in the country.10 However, this number increased to 25 million
subscribers in 2014.11 To use M-Pesa one has to register his SIM card for that purpose.
Personal information such as names, ID numbers, mobile phone numbers, email
addresses, and so on is required.
9 The Communications Authority of Kenya, ‘First Quarter Sector Statistics Report for the Financial
Year 2015/2016 (July - September 2015)’,
http://www.ca.go.ke/images/downloads/STATISTICS/Sector%20%20Statistics%20Report%20Q1%202015-16.pdf
accessed 15.02.2016.
10 World Bank, ‘M-PESA: Mobile Payments, Improved Lives for Kenyans’,
http://go.worldbank.org/IKRNFGS5J0
11 Malaka, M, ‘Kenya takes lead in booming African mobile money market’, IDG News Service\Lusaka,
2014, http://www.pcworld.com/article/2682772/kenya-takes-lead-in-booming-african-mobile-money-market.html
12 Communications Commission of Kenya, Kenya and ITU sign administrative agreement for
KE-CIRT/CC, 17 February 2012, http://www.cck.go.ke/news/2012/KE-CIRT_signing.html
accessed 15.02.2016.
13 Okuttah, M, ‘CCK sparks row with fresh bid to spy on Internet users’, Business Daily, 20 March
2012, http://www.businessdailyafrica.com/Corporate-News/CCK-sparks-row-with-fresh-bid-to-spy-on-Internet-users−/−539550/1370218/-/x6adjmz/-/index.html
accessed 15.02.2016.
Furthermore, in its bid to fight an increasing rate of crime and state of
insecurity, a novel approach taken by the government of Kenya in Nairobi, Mombasa
and other major cities has been the installation of Closed-Circuit Television Cameras
(CCTV) around these cities. Kenyans learned in 2014 that Safaricom, Kenya’s largest
telecoms operator, had contracted with the government to provide a new
communications and street-level surveillance system. This tender, officially known as a
National Surveillance, Communication Command and Control System (NSCCCS)
to coordinate emergency responses, which largely runs on the infrastructure of the
Chinese telecommunications company Huawei and is 60 % government-owned,
is set to be completed in 2016.14 The new system integrates 2000 video
surveillance cameras, video conferencing, digital radios, and a mapping system into
a central command center.15 Worryingly, this contract likely entails many forms of
street-level surveillance, including license plate readers, facial recognition
technology, and real-time tracking across major cities like Nairobi and Mombasa.16
The NSCCCS is associated with the two attacks by al Shabaab militants in late
2014 in Kenya, which prompted members of the ruling Jubilee Coalition to introduce an
omnibus bill, the Security Laws (Amendment) Bill 2014, which was hastily enacted
into law despite street protests and skirmishes inside Parliament.17 The High Court
struck down eight of its clauses.
The BVR system was first used in Kenya for the 2013 general elections. This system
is used for registering voters. It comprises a laptop, a finger print scanner and a
camera. BVR captures a voter’s facial image, finger prints and civil data or
Personally Identifiable Information (PII): name, gender, identity card/passport
number, telephone number etc. The registration takes place at the registration centres
where an individual is expected to vote. Data from the BVR machines are
transferred to a centralized storage server from which hard copy registers are printed.
The Independent Electoral and Boundaries Commission (IEBC) (i.e. the
Commission) provides for the register verification online and via SMS. The printed
registers are also used as back-ups during voting. The Commission had a BVR
database of 14.3 million registered voters in the 2013 general elections.
The Kenya Election Act 2011 allows the Electoral Commission to use such
technology as it considers appropriate in the electoral process. However, the Kenyan
Constitution dictates that whatever system the Commission adopts must be
simple, accurate, verifiable, secure, accountable and transparent.
14 Privacy International, ‘Kenyans face new privacy threats as State expands surveillance powers’,
https://www.privacyinternational.org/node/99 accessed 15.02.2016.
15 Kenyanito, E.P, ‘Surveillance in a legal vacuum: Kenya considers massive new spying system’,
Access Now, 13.06.2014,
https://www.accessnow.org/surveillance-in-a-legal-vacuum-kenya-considers-massive-new-spying-system/
accessed 15.02.2016.
16 Ibid.
17 Privacy International (n 14).
In an awareness survey that was conducted in Nairobi in 2011, a question was raised
among participants (approximately 2000 people) from around the world who
attended the Internet Governance Forum (IGF) to discuss Internet Governance
issues, as to the status of data protection legislation in place in their countries.19 The
participants came from civil societies, academics, governments, technology compa-
nies and the private sector. Kenya alone had 34 % of its representatives in the
IGF. However with respect to the state of data privacy law in Kenya only 19 partici-
pants answered this question. Seven of the 19 participants from Kenya answered the
question affirmatively and two responded negatively. Ten participants responded
that they do not know. Although this survey was not meant to be rigorously scien-
tific, it gives a snapshot of how much and what people know about data privacy in
their countries.
The CIGI-Ipsos Global Survey on Internet Security and Trust, undertaken by the
Centre for International Governance Innovation (CIGI) and Ipsos in October and
November 2014, generally revealed that Kenyans are concerned about their online
privacy.20 According to this survey 62 % of Kenyans are concerned about their
online privacy while 96 % are concerned about a criminal hacking into their
personal bank account. Moreover the survey reports that 93 % of Kenyans are
concerned about someone hacking into their online accounts and stealing their personal
information like photos and private messages while 88 % are concerned about a
private company monitoring their online activities (such as my internet surfing
habits) and then selling that information for commercial purposes without their explicit
consent. The survey also reveals that 73 % of Kenyans are concerned about their
government censoring the Internet; and 62 % are concerned about police or other
government agencies from their own country secretly monitoring their online
activities.
18 The Constitution of Kenya, Article 12 (1) (b).
19 Taylor, K, ‘Awareness Survey on Freedom of Information and Data Protection Legislation and
Open Government Data Initiatives’, The Internet Governance Forum, Nairobi, Kenya, 27th–30th
September 2011, pp.1–19,
http://epsiplatform.eu/sites/default/files/IGF6_W123_PSISurveyreport_21October2011.pdf,
accessed 15.02.2016.
20 Centre for International Governance Innovation & IPSOS, ‘CIGI-Ipsos Global Survey on
Internet Security and Trust’, https://www.cigionline.org/internet-survey accessed 15.02.2016.
The other aspect that has raised privacy concerns in Kenya in recent times is the
increasing use of personal data from M-Pesa to identify individuals. In Kenya
M-Pesa subscribers have used personal information to catch cheating partners.21 If
A suspects that a partner B is cheating, and A finds a number that B calls regularly,
A sends money to the credit of that number and finds who subscribes to that number.
However, in order for A to remain unknown to the person calling B regularly, A
sends either an amount that falls below the allowable minimum credit or sometimes
an amount that exceeds his credit balance. In either case a report is generated even if
the transfer fails. This report normally discloses the name of the third party calling B
and his phone number.
The other way privacy concerns are raised in M-Pesa is that every transaction
(i.e. withdrawal or depositing) of mobile money is required to be recorded in an
open book. The details are left with the mobile money agents. It is not clear for how
long these details are kept by agents or for what other purposes they may be used.
Also, in the case of illiterate subscribers, the agents have always offered their
assistance to facilitate transactions. This means that PINs or passwords of such
customers are shared with the agents. A research study conducted in Kenya found that
some M-Pesa clients were giving account passwords to agents, and while there is no
evidence this has led to loss of funds or misuse of customer information, the risk
could be significant.22
21 Chimbelu, C, ‘Privacy concerns in Kenya as users turn to M-Pesa to catch cheating partners’
interview with Grace Githaiga, Deutsche Welle reports, 12.07.2013,
http://www.dw.de/privacy-concerns-in-kenya-as-users-turn-to-m-pesa-to-catch-cheating-partners/a-16947446
22 Morawczynski, O and Pickens, M, ‘Poor People Using Mobile Financial Services: Observations
on Usage and Impact of M-PESA’, Brief. Washington, D.C.: CGAP, August 2009,
http://www.cgap.org/gm/document-1.9.36723/MPESA_Brief.pdf
correspondence, nor to unlawful attacks on his honour and reputation. This provi-
sion is reinforced by Article 17 of International Covenant on Civil and Political
Rights (ICCPR) 1966, which has been ratified by Kenya. The Human Rights
Committee has noted that states parties to the ICCPR have a positive obligation to
adopt legislative and other measures to give effect to the prohibition against such
interferences and attacks as well as to the protection of the right to privacy.23 Since
Kenya is a state party to the ICCPR, it is under obligation to put in place privacy
legislation. Moreover, as it is also a party to the First Optional Protocol of the
ICCPR, its citizens can lodge complaints with the UN Human Rights Committee.
Another significant international privacy policy is the AU Convention on Cyber
Security and Personal Data Protection 2014. This treaty requires the AU countries
parties to it to implement data protection legislation in their countries. The treaty
requires 15 signatures to come into force. The requisite number has not yet been
reached and thus the Treaty is not yet in force. When Kenya accedes to this treaty it
will assume its obligations.
It is noteworthy that although Kenya is a common law country and hence its
treaty practice could ordinarily be dualism, the Constitution of Kenya has modified
this practice by providing that the general rules of international law shall form part
of the law of Kenya and any treaty or convention ratified by Kenya shall form part
of the law of Kenya under the Constitution.24 This means that international law
has direct application in Kenya and a person may institute his claims in Kenyan
courts on the basis of international law.
In contrast to the repealed Constitution of Kenya 1963, the new Constitution (2010)
expressly guarantees the right to privacy. It states:-
Every person has the right to privacy, which includes the right not to have—
(a) their person, home or property searched;
(b) their possessions seized;
(c) information relating to their family or private affairs unnecessarily required or
revealed; or
(d) the privacy of their communications infringed.
The above provision is not absolute. It is limited particularly by Article 24(1),
which states, ‘a right or fundamental freedom in the Bill of Rights shall not be
limited except by law, and then only to the extent that the limitation is reasonable and
justifiable in an open and democratic society based on human dignity, equality and
freedom, taking into account all relevant factors’. The relevant factors envisaged in
Article 24(2) include the nature of the right or fundamental freedom; the importance
of the purpose of the limitation; the nature and extent of the limitation; the need to
ensure that enjoyment of the rights by any individual does not prejudice the
rights of others; and the relation between the limitation and its purpose and whether
there are less restrictive means to achieve the purpose.
23 UN Human Rights Committee (HRC), ‘CCPR General Comment No. 16: Article 17 (Right to
Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of
Honour and Reputation’, 8 April 1988, http://www.refworld.org/docid/453883f922.html accessed
16.02.2016.
24 Constitution of Kenya, Article 2(5)&(6).
Kenyan courts have not so far determined the scope of Article 31 of the Kenyan
Constitution in terms of informational privacy. However, courts have taken a broad
view that where a party alleges a breach of fundamental rights and freedoms (in this
case privacy), he or she must state and identify the right infringed and how it is
infringed in respect to him.25 In Rukia Idris Barri v Mada Hotels Ltd,26 a case that
involved commercial appropriation of the likeness of a person, the High Court of Kenya
cited two cases from South Africa with approval.27 The Court held, ‘the law as set
out about above in those South African cases is good law, and I respectively adopt
it. The High Court of Kenya should have no hesitation at all in according protection
for human dignity and privacy where they are exploited for commercial purposes
without consent.’28 It is arguable that, since the South African case law is good law
in Kenya, the scope of the right to information privacy in South Africa may be the same
as that in Kenya. It is imperative also to note that in both South Africa and Kenya, the
constitutional right to privacy extends to both individuals and juristic persons.29 Most
of the cases that have been decided around Article 31 of the Constitution of Kenya or
section 76 of the repealed Kenyan Constitution 1963 are about search and seizure;
evidence in possession of an opposite or third party in a court case and its
implication on privacy if it is adduced in court; HIV/AIDS medical examination; and
access to information held by individuals or the state.
It is submitted that by its nature the constitutional right to privacy is too broad. It
covers aspects that are non-informational as well. While case law in Kenya on the
right to privacy is growing, it does not at present reflect the basic principles of data
protection. Also, it is scattered across different aspects other than informational
privacy.
25 S.W.M v G.M.K [2012] eKLR, p.2.
26 [2013] eKLR.
27 Grutter v Lombard and Another 2007 (4) SA 89 (SCA); Angella Wells v Atoll Media (PTY) Ltd
& anor, Western Cape High Court Case No. 11961/2006.
28 Rukia Idris Barri v Mada Hotels Ltd [2013] eKLR, p.4.
29 See e.g., Satrose Ayuma & 11 Others V Registered Trustees Of The Kenya Railways Staff
Retirement Benefits Scheme & 3 Others [2013] eKLR and In re Hyundai Motor Distributors (Pty)
Ltd and Others v Smit NO 2001 1 SA 545 (CC) 557.
This Act regulates the telecommunication sector. With respect to the right to privacy
it prohibits a licensed telecommunication operator from intercepting a message or
disclosing its contents unless such acts are done in the course of the operator’s business
or as permitted by law.30 The prohibition in the Information and Communications
Act is further reinforced by Regulation 15 (1) of the Kenya Information and
Communications (Consumer Protection) Regulations 2010, which states that, subject
to the provisions of the Act or any other written law, a licensee (i.e. operator)
shall not monitor, disclose or allow any person to monitor or disclose, the content of
any information of any subscriber transmitted through the licensed systems by
listening, tapping, storage, or other kinds of interception or surveillance of
communications and related data.
Section 36 of this Act provides that the right to privacy set out in Article 31 of the
Constitution of Kenya may be limited in respect of a person suspected to have com-
mitted an offence that falls under national security. In this case the privacy of a
person’s communications may be investigated, monitored or otherwise interfered
with. However prior to taking any action under this section, a warrant has to be
obtained from the High Court.
30 Kenya Information and Communications Act, Section 31.
31 The Prevention of Terrorism Act, Section 35(3) (a).
The HIV and AIDS Act in Kenya makes a number of provisions with respect to
privacy. This Act requires the Minister for the time being responsible for matters
relating to health to put in place regulations prescribing privacy guidelines,
including the use of an identifying code, relating to the recording, collecting, storing
and security of information, records or forms used in respect of HIV tests and related
medical assessments.32 Furthermore, the Act prohibits any person from recording,
collecting, transmitting or storing records, information or forms in respect of HIV tests
or related medical assessments of another person otherwise than in accordance with the
privacy guidelines prescribed under the Act.33 The HIV and AIDS Act also prohibits
any person from including, in any records or forms used in relation to a request for an
HIV test by persons in respect of themselves; an instruction by a medical practitioner
to a laboratory for an HIV test to be conducted; the laboratory testing for HIV or HIV
antibodies; or the notification to the medical practitioner of the result of the HIV test,
any information which directly or indirectly identifies the person to whom
an HIV test relates, except in accordance with the privacy guidelines prescribed
under the Act.34 Similarly, no person is allowed under the Act to disclose any
information concerning the result of an HIV test or any related assessments to any other
person except with the written consent of that person or as permitted under the Act.35
The CRB Regulations 2014 apply to the credit reporting industry which is fast
growing in Kenya. These Regulations bind the private sector with regard to credit
information reports. Ordinarily such reports include individual personal information.
In order to protect personal information in credit reporting, the CRB Regulations
incorporate three mandatory principles:-
Processing limitation: the information or data shall be adequate and relevant in
relation to the purpose for which it was obtained or submitted.
Purpose specification: the information or data shall be used only for the specified
purpose for which it was obtained or submitted and which purpose shall be
consistent with the provisions of these Regulations. A person shall not use the
information obtained under these Regulations for any purpose which is not consistent
with the provisions of these regulations.
Information quality: the information or data shall at all times be kept up to date and
accurate.
32 The HIV and AIDS Prevention and Control Act, Section 20(1).
33 Ibid, Section 20(2).
34 Ibid, Section 21.
35 Ibid, Section 22.
15.2 Protection of Personal Information in the Data Protection Legislation
As pointed out, Kenya does not have a specific statutory law regulating data
protection. However, privacy receives limited protection in scattered laws and
regulations. The draft Data Protection Bill, which is yet to be enacted into law, will
regulate data protection and privacy. This section provides an overview of the Data
Protection Bill 2013. Provisions of this draft bill may change after it is voted into law,
although significant changes are not expected.
The Kenyan Data Protection Bill proposes a law that will apply to personal data
held and/or processed by both public and private bodies. The Bill does not have a
specific provision on the type or form of data it deals with; however, the long title of
the bill states that the proposed law will apply when an agency or a data controller
processes personal data in both manual and automatic form. Contrary to the best
practice of privacy standards, the proposed law extends its application to processing
of personal data by natural persons in the course of personal and household activities.
This means, as Makulilo asserted, that the mere act of creating phone book contacts
will amount to interference and misuse of personal information as defined in section
16 of the Bill.36 In order to avoid breach of this law, whoever wishes to create a
phone book contact must abide by the conditions for processing of personal data set
under Part II of the proposed law. This includes informing all the individuals whose
contacts one wishes to have of the purpose for having their contacts and the measures
one intends to use to secure their information from being stolen, tampered with or
accessed by an unauthorized person, and giving them the right to access and inspect
their information stored in one's phone book. Usually these activities are exempted
from the application of data protection laws, both to allow personal processing and
routine household activities to continue and because it is practically difficult to
regulate such processing activities. Regulating them would create unnecessary
limitations on people's enjoyment of their right to live, as it means the data protection
authority will have to be involved with issues arising from private people processing
their personal data for their own personal and household activities.
36 Makulilo (n 5), p.24.
The Bill also does not exempt processing solely for journalistic, artistic and literary
activities. Subjecting journalistic, artistic and literary work to the framework
for data protection limits creativity and restricts freedom of expression and access to
information. This also affects society's activities at large, because the essence
of exempting journalistic activities from the application of data protection laws is the
understanding that publication is in the public interest. Furthermore, subjecting
journalistic activities to the data protection framework would be unreasonable and
impractical to regulate. It will also restrict journalists and artists from accessing and
collecting information when investigating a story or for purposes of literature. The
inclusion of journalistic, artistic and literary work under this regulation goes against
the Kenyan Constitution, which provides under Article 33:-
1. Every person has the right to freedom of expression, which includes—
(a) freedom to seek, receive or impart information or ideas;
(b) freedom of artistic creativity; and
(c) academic freedom and freedom of scientific research.
Activities exempted from application of the proposed law are those related to
criminal law, law enforcement, public revenue, conduct of proceedings before any
court of law or the Data Protection Authority and collection for statistical or research
purposes when published anonymously. Exemption is also granted to an authority
collecting data pursuant to a mandate granted under any written law. This would
include activities relating to national security and intelligence services as mandated
under the Kenya Information and Communications (Amendment) Act 2013 and
National Intelligence Service Act of 2012 and the Prevention of Terrorism Act 2002.
The proposed data protection Act applies to natural as well as juristic persons.
Section 2 of the draft bill gives ‘person’ the meaning provided by
Article 260 of the Constitution. The article defines a person to include ‘a company,
association or other body of persons whether incorporated or unincorporated’.
Moreover, the protection offered extends to any person (data subject) whether or not
a citizen of Kenya. However, the bill is silent on its extraterritorial application. It is
unknown whether the proposed law applies only to data controllers established
in Kenya or extends to controllers established in other jurisdictions
but with equipment and processing activities in Kenya. It is also not clear if the
proposed law applies to data in transit. Precision is required in this aspect for proper
implementation of the proposed law. Clarity in applicable law is crucial to avoid
making a country a ‘data haven’. The present uncertainty in the draft bill creates
loopholes for processing personal data in an insecure and unregulated manner.
15.2.2 Terminologies
Implementation of the proposed law may bring some controversy for lack of working
definitions. For instance, the bill has not defined ‘consent’ despite the usage of
the term therein. Take section 4(b) of the Bill, for example: it requires that information
must be collected (among other things) with the consent of the data
subject. How does the collecting agency determine a data subject’s consent for the
purpose of collection in the absence of a definition of consent? The bill has used the
term ‘third party’ without explaining who or what a third party is for purposes of the
proposed law. The bill uses the terms ‘data’ and ‘information’ interchangeably. The
term ‘data’ has been defined but the term ‘information’ has not been defined. It is
unclear whether the two terms are meant to have the same meaning ascribed to
‘data’. It also makes cross reference to other laws as far as the meaning of some
terms is concerned. Some of the examples are ‘commissioning’, ‘exempt information’,
‘person’, ‘private body’, ‘public entity’ and ‘secretary’. One has to refer to
specific laws to acquire the necessary meaning to implement or understand the
terms as used in the bill.
The bill has not created a framework to regulate either automated direct marketing
or automated decision making as expected of any data protection law. However, on
direct marketing Kenya has the framework created by the Information and
Communications (Consumer Protection) Regulations 2010. The framework created
by the Regulations requires a data controller to adhere to opt-in principles before
processing data for purposes of automated direct marketing.
The proposed law lacks a framework for transfer of personal data outside Kenya. This
simply means that the same data that is protected in Kenya by the proposed law can
be transferred outside of Kenya to a destination without any privacy safeguards.
This is so regardless of the amount of data transferred from Kenya to any
other jurisdiction.
The draft bill has not established the Data Protection Authority; instead, sections 2
and 20 designate the Commission on Administrative Justice (CAJ) established by
the Commission on Administrative Justice Act 2011 as the Commission for data
protection and implementation of the proposed law. The CAJ is a constitutional as
well as statutory body established as an independent office of the Ombudsman. The CAJ
is a body dedicated to checking the functioning of public bodies and addressing
maladministration, abuse of power, injustice and oppression. Although the Act on the
establishment of the CAJ does not specifically state the independence of this body,
the provisions of this Act suggest that, at least in writing, the Commission is
independent. Examples of such provisions include appointments and removal of its core
staff; budget; non-interference with its powers; and immunity from prosecution and civil
claims against the officials of the CAJ for actions done in the course of their
duties.
The draft privacy bill contains under Part II conditions for processing of personal
data. The conditions provided are similar to those found in international codes such
as the OECD, Council of Europe Convention 108 and the EU Directive on Data
Protection. Such principles include lawful and fair information processing; purpose
specification; adequacy of information, relevant and not excessive; accuracy and up
to date; personal information must not be kept for longer than is necessary; personal
information must be processed in line with the data subjects’ rights; information
security and restriction of transfer of personal data to other countries without
adequate protection. A quick look at the conditions may suggest the bill’s compliance
with the best practices in data protection. However, careful scrutiny reveals many
weaknesses in the bill's formulation of the principles found in international codes,
making them weak in protection of personal data and privacy. For instance, the bill
requires processing of personal data to be legal; there is no requirement that such
processing should also be fair. This is contrary to good practices and international
codes in data protection.
The bill provides a list of data usually considered as ‘sensitive data’ under data
protection laws. Surprisingly, there are no special conditions for processing of
‘sensitive data’, nor does the bill define or give cognizance to such a category of data.
Consequently, the usually considered ‘sensitive data’ is to be construed as ordinary
data and hence treated as such in processing activities unless stronger protection is
offered in sector specific laws.
Infringement of the proposed law that affects personal privacy is, according to
section 19, punishable by a fine or imprisonment for a term not exceeding 2 years or
both. The bill has entrusted the Commissioner with the task of providing a framework
or mechanism for effective management of conflicts and dispute resolution.
Together with the framework to be created by the Commission, the bill has created
a system for resolution of disputes. The bill gives the Commission power to receive
complaints from individuals aggrieved by a breach of the proposed law. Furthermore,
under section 27 of the CAJA, the Commission possesses the power of the Court in
conducting investigations, which includes issuing summonses and orders requiring
attendance of persons before the Commission. The Commission may, apart from
complaints lodged, commence an investigation suo motu if it is of the opinion that there
is a breach or potential for breach of the proposed law.
In resolving disputes arising from the breach of the proposed law, the Commission
is expected to inform the complainant of all actions and decisions taken on the matter.
The Commission may also issue administrative sanctions or may decide to
resolve the dispute by settling the matter without any sanctions through settlement
and assurance against future repetition of the breach.
The standard of proof set by the draft bill in deciding privacy complaints is on
the balance of probability; unintentional conduct or negligence does not constitute a
defense. And if the Commissioner is satisfied on the balance of probability that there
is a breach, s/he must declare the action a breach of the proposed law and issue appropriate
sanctions which may include. The Commissioner may or may not award costs of the
proceedings. In cases involving pecuniary loss or loss of benefit, or those involving
humiliation, loss of dignity and injury to feelings, the Commission is required to
advise the complainant to lodge the matter with the High Court for damages.
Despite its limitations, Kenya’s draft data protection bill is a positive step
towards proper protection of data privacy in the country. However, too long has
passed without this bill being introduced in parliament. The immediate implication
is that data controllers in Kenya continue to process personal information
without complying with the data protection principles. As a result Kenya risks
losing business opportunities from foreign investment. This is because the existing
legal framework does not afford adequate protection. Similarly, the case law that is
emerging around the constitutional right to privacy in Kenya is not adequate to provide
protection. It is strongly recommended that the law reform agents and the government
should ensure that the data protection bill is introduced in parliament.
Once the bill is voted into law, Kenya has to make sure that the data supervisory
authority is operational.
References
Boshe P (2015) Critical issues unearthed in East African legal proposals, Data Protection Law & Policy, 12(3):12–13
Makulilo AB (2013) Kenya’s Data Protection Bill 2012: many leaks still unplugged, Privacy Laws & Business International Report, 121:24–25
Online Documents
Article 19 (2011) Kenya: Draft Data Protection Bill critically limited, https://www.article19.org/resources.php/resource/2825/en/kenya:-draft-data-protection-bill-critically-limited
Centre for International Governance Innovation & IPSOS (2014) CIGI-Ipsos Global Survey on Internet Security and Trust, https://www.cigionline.org/internet-survey
Chimbelu C (2013) Privacy concerns in Kenya as users turn to M-Pesa to catch cheating partners, interview with Grace Githaiga, Deutsche Welle reports, http://www.dw.de/privacy-concerns-in-kenya-as-users-turn-to-m-pesa-to-catch-cheating-partners/a-16947446
Communications Commission of Kenya (2012) Kenya and ITU sign administrative agreement for KE-CIRT/CC, http://www.cck.go.ke/news/2012/KE-CIRT_signing.html
Kass Online (2014) Statement by Cabinet at the end of its 7th Ordinary Meeting at the State House, Nairobi, http://kassfm.co.ke/home/index.php/component/k2/item/1342-statement-by-cabinet-at-the-end-of-its-7th-ordinary-meeting-at-state-house-nairobi.html
Kenyanito EP (2014) Surveillance in a legal vacuum: Kenya considers massive new spying system, https://www.accessnow.org/surveillance-in-a-legal-vacuum-kenya-considers-massive-new-spying-system/
Malaka M (2014) Kenya takes lead in booming African mobile money market, IDG News Service\Lusaka, http://www.pcworld.com/article/2682772/kenya-takes-lead-in-booming-african-mobile-money-market.html
Morawczynski O and Pickens M (2009) Poor People Using Mobile Financial Services: Observations on Usage and Impact of M-PESA, Brief. Washington, D.C.: CGAP, https://www.cgap.org/sites/default/files/CGAP-Brief-Poor-People-Using-Mobile-Financial-Services-Observations-on-Customer-Usage-and-Impact-from-M-PESA-Aug-2009.pdf
Okuttah M (2012) CCK sparks row with fresh bid to spy on Internet users, Business Daily, http://www.businessdailyafrica.com/Corporate-News/CCK-sparks-row-with-fresh-bid-to-spy-on-Internet-users−/−
Privacy International, ‘Kenyans face new privacy threats as State expands surveillance powers’, https://www.privacyinternational.org/node/99
Taylor K (2011) Awareness Survey on Freedom of Information and Data Protection Legislation and Open Government Data Initiatives, The Internet Governance Forum, Nairobi, Kenya, pp.1-19, http://www.epsiplatform.eu/content/awareness-survey-freedom-information-and-data-protection-legislation-and-open-government
The Communications Authority of Kenya (2015) First Quarter Sector Statistics Report for the Financial Year 2015/2016, http://www.ca.go.ke/images/downloads/STATISTICS/Sector%20%20Statistics%20Report%20Q1%202015-16.pdf
The World Bank (2014) Kenya: A Bigger, Better Economy, http://www.worldbank.org/en/news/feature/2014/09/30/kenya-a-bigger-better-economy
The World Bank (2010) M-PESA: Mobile Payments, Improved Lives for Kenyans, http://go.worldbank.org/IKRNFGS5J0
UN Human Rights Committee (HRC) (1998) CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation, http://www.refworld.org/docid/453883f922.html
Walden I (2008) East African Community Task Force on Cyber Laws: Comparative Review and Draft Legal Framework, Draft v.1.0, 2/5/08 prepared on behalf of UNCTAD and the EAC
Case Law
Angella Wells v Atoll Media (PTY) Ltd & anor, Western Cape High Court Case No. 11961/2006.
Grutter v Lombard and Another 2007 (4) SA 89 (SCA)
In re Hyundai Motor Distributors (Pty) Ltd and Others v Smit NO, 2001 1 SA 545 (CC) 557
Rukia Idris Barri v Mada Hotels Ltd [2013] eKLR, p.4
Rukia Idris Barri v Mada Hotels Ltd, [2013] eKLR
S.W.M v G.M.K [2012] eKLR, p.2
Satrose Ayuma & 11 Others V Registered Trustees of the Kenya Railways Staff Retirement
Benefits Scheme & 3 Others [2013] eKLR
Chapter 16
Privacy and Data Protection in Lesotho
Alex B. Makulilo and Kuena Mophethe
Abstract This chapter evaluates Lesotho’s Data Protection Act 2011 (published as
Act No.5 of 2012). A comparison of this Act with that of South Africa, Lesotho’s
neighbour and major trading partner, is made. Comparison of this privacy law is also made
to the African Union (AU) and Southern African Development Community (SADC)
privacy frameworks for two reasons: first, upon ratification, the AU Convention
will bind Lesotho and second, the SADC Model law (though only soft law) is likely
to influence data privacy law in Lesotho due to the requirement to restrict data transfer
to a SADC member state that has not transposed the model law. Reference to the
EU Data Protection Directive 95/46/EC is made from time to time because Lesotho’s
privacy law makes provision for a legal infrastructure compatible with international
best practices, and especially compliance with the EU Directive, since that will be a
commercial link for data flows between the EU and the Kingdom of Lesotho.
1 The Commonwealth, ‘Lesotho: Society’, http://thecommonwealth.org/our-member-countries/lesotho/society
2 Ibid.
A.B. Makulilo (*)
Faculty of Law, University of Bremen, Bremen, Germany
e-mail: alex.makulilo@uni-bremen.de
K. Mophethe
Lesotho Federation of Women Lawyers, Maseru, Lesotho
e-mail: kmophethe@gmail.com
So far no privacy survey or study has been conducted in Lesotho to
gauge the social attitude to privacy by individuals. However, generally speaking this
attitude is low. This may be ascertained from the level of regulatory awareness of
the public in Lesotho. The Data Protection Act is probably one of the least known
laws in Lesotho. During the consultations with stakeholders on the review of the
Act, under the ‘Harmonization of the ICT Policies in Sub-Saharan Africa’ (HIPSSA),
a project that is discussed later, participants were given forms in which one of the
questions asked was whether Lesotho had any Data Protection law. A very
low percentage had ever heard of even a law closely related to the subject; most of
them were those that came from related industries.
Lesotho has ratified a number of international and regional conventions on the
protection of basic human rights. Such conventions include the United Nations and
African covenants: the International Covenant on Civil and Political Rights 1966
(ICCPR) and the International Covenant on Economic, Social and Cultural Rights
1966 (ICESCR), the African Charter on Human and People’s Rights 1981, the
African Charter on the Rights and Welfare of the Child 1990 and the Convention on
the Rights of the Child 1989. These conventions either directly or indirectly impose
international obligations on Lesotho to protect privacy. There are also two instruments
which are relevant for privacy and data protection in Lesotho. These are the
African Union (AU) Convention on Cyber Security and Personal Data Protection
2014 and the Southern African Development Community (SADC) Data Protection
Model Law 2012. Upon ratification, the AU Convention will bind Lesotho, and
the SADC Model law (though only soft law) is likely to influence data privacy
law in Lesotho due to the requirement to restrict data transfer to a SADC member
state that has not transposed the model law.
3 The Commonwealth, ‘Lesotho: Economy’, http://thecommonwealth.org/our-member-countries/lesotho/economy
4 Ibid.
5 Ibid.
6 For a detailed analysis of these privacy policies see, Greenleaf and Georges 2014, No.131, pp.18–21; Makulilo 2015, Vol. 31, No.1, pp. 78–89.
The Lesotho Constitution 1993 is the supreme law of the country whose Article 11
states that every person shall be entitled to respect for his private and family life and
his home. The Lesotho Constitution has therefore provided a platform from which
other laws specific to data protection can be premised. It protects the rights and
fundamental freedoms of an individual only subject to legitimate restrictions such
as the national security and other qualifications, making it consistent with the
principles enunciated in the international conventions mentioned above.
All these powers and functions of the Authority are in keeping with the minimum
principles of putting in place security safeguards and using limitations on the
provision of personal data as well as ensuring accountability on the part of data
controllers and recipients of such personal data. The Communications Act also makes
provision for the formulation of a Broadcasting Code which amongst others may
cover issues of fairness, accuracy and balance in the presentation of news as well as
on the protection of personal privacy. It is an offence for anybody to engage in
interception or tracing of communication operations or messages unless so authorized
by a court; or to intentionally interfere with the contents of any message sent by
communication service.
The common law of Lesotho which is the Roman Dutch law deals with the issue of
client attorney privilege and provides that information that is kept by an attorney on
behalf of his client in connection with the matter that the attorney is handling for the
client may not be disclosed as it is privileged information.
In 2012, Lesotho enacted data protection legislation. This Act is called the Data
Protection Act, No. 5 of 2012. It came into operation upon publication in the gazette,
which was on 22 February 2012. The Act is for the establishment of the Data
Protection Commission, provision of principles for regulation of processing of personal
information in order to protect and reconcile the fundamental and competing
values of personal information privacy under the Act and sector specific legislation
and other related matters. As the long title suggests, the Data Protection Act is a law
that is entirely dedicated to the regulation, handling and processing of data.
Lesotho’s data privacy law generally makes provision for a legal infrastructure
compatible with international best practices, and especially compliance with the EU
Directive, since that will be a commercial link for data flows between the EU and
the Kingdom of Lesotho.7 The Commissioner has not yet been appointed.
The Act does not specify its scope. Yet this can be ascertained from the Statement of
Object and Reasons of the Data Protection Act (GN No. 10 of 2012) which states in
part that the Act is laying provisions for regulation of automatic and manual processing
of personal and sensitive data by public and private bodies. This scope is
broad and it is compliant with many international best practices. Territorially, the
Act applies to a data controller domiciled or having its principal place of business in
Lesotho; or one that is not domiciled or does not have its principal place of business
in Lesotho and uses automated or non-automated means in Lesotho; or where the
automated or non-automated means are only used for forwarding personal information.
7 Lesotho: Statement of Object and Reasons of the Data Protection Act (GN No. 10 of 2012).
The Act does not apply to the processing of personal information, amongst others,
in the course of a purely personal or household activity; or by or on behalf of the
State if such processing involves national security and defence or public safety. It
also does not apply to the processing of personal information solely for journalistic
purposes or the purpose of artistic or literary expression, only if they are necessary
to reconcile the right to privacy with the rules governing freedom of expression. The
Act does not cover processing of personal data which is de-identified and where it is
not possible to re-identify a data subject. Other than these general exemptions, the Act
has several exemptions which can together be classified as exemptions for purposes
of processing sensitive personal data.
Lesotho’s privacy legislation incorporates the eight data protection principles,
signifying the influence of the EU Data Protection Directive 95/46/EC particularly in
relation to its cross-border data export restriction. Also, the South African data
privacy law (POPIA) has a lot of influence on Lesotho although it was enacted later
(but its Bill has existed since 2009). The principles can be summarised as follows:
• Purpose specification: collection of personal data is required to be for a specified,
explicit and legitimate purpose and not to be further processed in a way
incompatible with those purposes (sec 18);
• Minimality: processing of personal data is required to be adequate, relevant and not
excessive (sec 16);
• Data retention: records of personal data shall not be retained any longer than is
necessary (sec 19);
Some of the conditions for legitimate processing are confusing and ambiguous. For
example, there is a general requirement that processing of personal data shall be
automated, processed and kept in a filing cabinet and in electronic form [sec 15(1)].
Apparently this is a restrictive provision because, by requiring data processing to be
automated as a general condition for processing, it narrows down the broad scope of
the Act which extends to manual processing of personal data as well. The overall
effect of this limitation is to render the Act weaker unless a broad approach to
interpretation consistent with the object of the Act is taken by the data protection
authority or courts.
There is another condition that legitimises processing of personal data: explicit
consent [sec 15(2)(a)] which is defined as any voluntary, specific and informed con-
8 Bygrave 2002, pp.58–59.
The Act accords data subjects the rights to demand access to personal information
(sec 26) and in appropriate cases demand correction, deletion or destruction (sec 27).
The right to object to data processing, including direct marketing, is not clearly stipulated.
At the same time the right to demand deletion or destruction may be linked to the
term ‘de-identify’ in sec 2 of the Act in that upon deletion or destruction the data
controller should not be able to resurrect any information that has been de-identified.
This has an unclear relationship with the ‘right to be forgotten’ which is one of the
central features of the EU data protection reforms.
The Data Protection Act prohibits transfer of personal data outside Lesotho (sec 52)
unless the recipient is subject to a law, code of conduct or contract which upholds
principles of data processing that are substantially similar to the information
protection principles of Lesotho’s Act. Moreover a further provision for onward transfer
of personal data from the recipient to a third party in a foreign country is required to
be substantially similar to that of Lesotho. Other instances where transfer of personal
data outside Lesotho is allowed are where the data subject consents, transfer is necessary
for a performance of a contract between or transfer is for the benefit of a data
subject.
It is worth noting that the privacy Act avoids the use of ‘adequacy’ level of data
protection in a foreign country, the terminology that is used in the EU Directive, AU
and SADC privacy frameworks for international transfer of personal data to be
allowed. Closer to Lesotho is South Africa which, although it uses the term ‘adequate’
level of protection, particularly requires data privacy principles of a foreign country
16.4.7 Extraterritoriality
The Data Protection Act applies to a data controller (defined in sec 2 as a public or
private body or individual who determines the purpose and means of processing
personal data) who is domiciled or having its principal place of business in
Lesotho [sec 3(a)]; or who is not domiciled or having a principal place of business in
Lesotho but uses automated or non-automated means located in Lesotho [sec 3(b)(i)];
or such automated or non-automated means are used only for forwarding personal
information [sec 3(b)(ii)]. This provision [sec 3(b)(ii)] appears restrictive,
particularly when it purports to trigger the application of the law for mere forwarding
of personal data by data controllers domiciled outside Lesotho. In sharp contrast,
South Africa, the country that surrounds Lesotho, excludes from application of the
Protection of Personal Information Act 2013 means used only to forward personal
information through the Republic [sec 3(1)(b)(ii)]. The South African provision is
similar to Art 2(2)(b) of the SADC Data Protection Model Law; Chapter II, Art 9(2)(b)
of the Convention on Cyber Security and Personal Data Protection and Art 4(1)(c)
of the EU Directive 95/46/EC, so the Lesotho provision is out-of-step. The other
limitation relates to sec 3(a) of Lesotho’s Act which fails to indicate whether the
scope of the Act applies to both automated and non-automated processing or to both
as it is the case for [sec 3(b)(i)(ii)].
The Data Protection Commission (DPC) is established in sec 6(1). The DPC con-
sists of a chairperson and five other members. The chairperson must have legal
expertise. Other members may be drawn from other specified fields. Members hold
office for 5 years (sec 9). All members of the Commission are appointed by the
Prime Minister and may be dismissed by him by only affording them opportunity to
make representations (sec 9). The members’ remunerations are also determined by
the minister (sec 10). The Commission’s quarterly report goes to the Parliament (sec
8). Members of the DPC are protected against legal actions for anything done in
good faith while discharging their duties under the Act (sec 13). The Act also pro-
vides for the usual functions and powers of most data protection authorities (sec 8).
At least the funds of the Commission are allocated by parliament from the
Consolidated Fund (sec 11). The cumulative effect of the provisions that establish
the Commission is that the institution is not independent. The Lesotho’s Act fails to
16 Privacy and Data Protection in Lesotho 345
declare such independence in its provisions and the Prime Minister's powers are
likely to affect this independence. However, a detailed assessment of independence
has to await the actual practice. In contrast, the South African POPIA states clearly
that the Information Regulator (IR) is independent [sec 39(b)]. This independence
is reinforced by the requirement that the IR, though appointed by the President,
must be recommended by the National Assembly (NA) and subsequently approved
by it. Moreover, the IR is accountable only to the NA [sec 39(d)]. He can only be
dismissed after the NA has voted and a majority vote is attained [sec 41(6)(b)].
The Act has a weak enforcement regime that is not up to the best practice standards.
As far as complaints are concerned, the DPC has only a mediation and conciliatory
role [sec 8(1)(m)]. It can investigate data breaches, but may only issue enforcement
notices in certain cases (sec 40 & 46). The DPC cannot issue a binding decision
against data violators. It cannot issue administrative penalties or fines. Neither can
it award compensation for such breaches. In case of non-compliance with the
enforcement notice, there is no procedural detail on how the DPC is going to enforce
it. A data controller who is not satisfied with the notice may challenge it by way of
review in court to be set aside [sec 48(1)]. Similarly, a complainant who is not satisfied
by the result of the investigation may appeal to a magistrate’s court [sec 48(2)].
However, the Act does not state the powers of the magistrate deciding the appeal. As
for civil remedies, the Act stipulates that a data subject may institute a civil action
for damages in a court of competent jurisdiction for breach of any provision of the
Act. There is no explicit bar to commence a complaint first with the data protection
authority before a civil action may be instituted. The Act does not set the maximum
limit of damages nor provide any guidance to its assessment. What appears is that
the general principles of damages by courts will apply and a complainant is free to
claim any amount of compensation but courts will finally decide the quantum of
damages. If these principles are not applied proportionally, it may pose a danger to
smaller data controllers who may find themselves closing businesses because of
huge damages for data breaches similar to those committed by giant data controllers.
There are also offences and penalties prescribed in sec 55 of the Act. Yet they
are not related to breaches of information privacy principles as such. The offences
include obstruction of performance of DPC’s duties and functions; breach of the
rule of confidentiality; obstruction of execution of warrant; failing to give assistance
to execution of warrant; and violating any of the provisions of the Act or its regulations.
This last offence may suggest that breaches of information privacy principles
may also attract criminal prosecution and sanctions. Penalties for any of the listed
offences may include a fine not exceeding M 50 000.00 (US$ 4337.93) or imprisonment
not exceeding 5 years or both. If the offender is a juristic person then the
sentence shall be served by the Chief Executive Officer.
346 A.B. Makulilo and K. Mophethe
Other procedural and enforcement mechanisms are contractual and bilateral agreements
that are entered into by service providers and their customers as well as with
other data controllers. Some service providers and data controllers in Lesotho have
introduced privacy risk management systems which deal with privacy, impact
assessment and document and data management, location and disclosure thereof as
well as reporting mechanisms. Data controllers and some service providers have put
in place policies and formats for dealing with permissions and level of consents
required from customers before utilizing their information. There have thus been a
lot of innovative mechanisms that data controllers have introduced to meet international
standards and deal with investor confidence.
16.7 Transposition of RECs Data Protection Standards in Lesotho
Under the regional economic communities (RECs), the ‘Harmonization of the ICT
Policies in Sub-Saharan Africa’ (HIPSSA) project took the lead to assist member
countries to harmonize their laws so that free and yet regulated flow of information
can happen smoothly. The International Telecommunications Union (ITU) and the
European Commission (EC) jointly sponsored and supported the HIPSSA project.
The project was built on the experiences gained from a pilot project funded by
the European Commission (EC) and ITU that led to the adoption of additional Acts for
telecommunications to the ECOWAS Treaty for the West African region. The project
aimed at developing and promoting harmonized policies and regulatory guidelines
for the ICT market as well as building human and institutional capacity in the
field of ICT through a range of targeted training, education and knowledge sharing
measures. This project was intended to result in the creation of harmonized regional
and national policy, legal and regulatory frameworks conducive to significant investments
in the ICT infrastructures and services.
As a member of the SADC, Lesotho requested in-country technical assistance
for the transposition of the SADC Model Laws on Cyber security developed by the
ITU-EC HIPSSA Project for the region and adopted by the SADC ICT Ministers in
their annual meeting held in Mauritius on 6–8 November 2012. The Cyber
Security Model Laws covered three areas of Cyber Crime, Data Protection and
Electronic Transactions. That support was given to Lesotho and in 2013 six experts
were engaged to help Lesotho navigate the path to harmonizing and reviewing the
ICT laws including Data Protection law. The drafts were prepared with the assistance
of local and international experts and relevant stakeholders. The work of the
experts was handed over to Lesotho, for Lesotho to action them as it finds appropriate.
There have not as yet been any new data protection laws or amendments to the
existing law.
16.8 Conclusion
The Data Protection Act is a milestone for Lesotho. This Act has come into effect
but it has not fully been implemented because the Data Protection Commissioner
has not yet been appointed. Perhaps this is due to the efforts by Lesotho to align its
law to the SADC privacy framework through the assistance of the International
Telecommunications Union (ITU). This review is an important opportunity for
Lesotho to improve its legislation before it comes into effect, given the ambiguities
and deficiencies which have been outlined in this chapter.
References
Bygrave, L. A, Data Protection Law: Approaching Its Rationale, Logic and Limits, Kluwer Law
International, The Hague/London/New York, 2002, pp.58–59.
Greenleaf, G and Georges, M, ‘The African Union’s data privacy convention: A major step toward
global consistency?’ Privacy Laws & Business, 2014, No.131, pp.18–21.
Makulilo, A.B, ‘Myth and reality of harmonisation of data privacy policies in Africa’, Computer
Law & Security Review, 2015, Vol. 31, No.1, pp. 78–89.
Documents
Websites
João Luís Traça and Francisca Correia
Abstract Angola’s remarkable economic growth over the last few years has come
hand in hand with a significant shift in the legislative output, including the enactment
of a Data Protection Act. By having implemented this general data protection
framework, Angola has thus taken the first steps into establishing a fully operational
privacy regime.
The Data Protection Act, while borrowing to some extent from the EU Data
Protection Directive, has taken a rather unique approach in some aspects in order to
meet the specific challenges and cultural reality of the country.
The present chapter seeks to provide the readers with a general overview of the
country’s legal regime and to be a first approach for those who wish to investigate
in further depth as well as to provide some views on the yet to be created Angolan
Data Protection Authority. Moreover, this chapter also seeks to summarize and to
present the different provisions scattered throughout Angolan legislation that can,
one way or the other, affect or change the country’s privacy rights.
tions in Angola – are subject to strict requirements as well as compliance with the
duties of notification and registration with the Angolan Data Protection Agency
(hereinafter “Data Protection Agency”). In this paper we plan to provide an overview
of the most relevant aspects of the data protection regime currently in force in Angola.
It follows from the analysis of the Data Protection Act that the Angolan legislator
has devoted a great deal of time and attention to addressing very detailed aspects
related to the protection of personal data. Although the Data Protection Act draws
inspiration from the EU data protection framework and Portuguese regulatory practice
(Angola is a former colony of Portugal and Portuguese legal practice is still
used as the key reference in Angola), it is much more a mirror of contemporary
Angola, seeking to set privacy as a fundamental right of the Angolan citizens – setting
forth heavy fines and sanctions – while allowing for the sustainable development
of business operations.
It is however important to underline that Angolan citizens have only recently
started to be acquainted with their own privacy rights. In other words, Angolan citizens
are in the early stages of knowledge of their rights. From a historical analysis,
it must be taken into account that Angola is a young country (it became independent
from Portugal in 1975) that had a civil war until 2002. For Angolan citizens,
it is still time to celebrate peace, economic development and infrastructure development
(including in the telecommunications sector) rather than to claim their rights
to privacy and protection of personal data. However, it is also fairly likely that, once
the Angolan Data Protection Agency is put into place, the country (and its citizens)
will have a regulatory boost that will promote privacy and raise awareness of
privacy and data protection.
Before the Data Protection Act, personal data protection matters in Angola were
governed by a few constitutional and statutory provisions establishing general rights
and prohibitions relating to the protection of private life and personal data. Article
69 of the 2010 Angolan Constitution sets out a right for any person to access computerized
data that relates to him or her, enforceable by means of a writ of habeas
data. A person bringing an action for habeas data can additionally demand that
such data be corrected or updated. The habeas data has not been further regulated
in Angola and the Data Protection Act contains no reference to it. It is important,
however, to mention that these rights exist both in the scope of the Angolan data
protection regime and in the scope of Angolan constitutional rights generally. While
17 Data Protection in Angola 351
the Angolan Data Protection Act may not apply to a foreign entity, constitutional
rights protect citizens at all times, and an Angolan court or the Data Protection
Agency may therefore find that, for reasons of public policy or public order, these
rights cannot be excluded or avoided due to the fact that the party controlling personal
data of an Angolan citizen does not have any type of presence in Angola.
¹ The full text of this provision reads: ‘Article 80 – Right to Respect for the Intimacy of Private Life.
(1) Everyone must respect the intimacy of the private life of others.
(2) The extent of this duty is to be determined in accordance with the specific nature of the case
and the circumstances of the relevant persons.’
352 J.L. Traça and F. Correia
Scope of the Act
The Data Protection Act regulates the processing of personal data by both public
and private entities through any means whatsoever, except for processing carried
out by individuals for purely personal or domestic purposes. Under the Act, ‘personal
data’ is defined as any information (including sound or images) relating to an
identified or identifiable natural person, while ‘processing’ is defined as conducting
any type of operation whatsoever on personal data, such as collecting, storing, using,
or transferring such data. Several other concepts and mechanisms found within the
Act have been borrowed from the EU and Portuguese legal regimes for the protection
of personal data.
The Act is applicable only to the processing of personal data that has some kind
of connection with Angolan territory, specifically to processing that is carried out in
one of the following cases:
1. by a data controller based in Angola;
2. in the course of the activities of a data controller based in Angola, even where the
data controller does not have its head office there;
3. anywhere outside of Angola where Angolan law applies as a result of public or
private international law; or
4. by a data controller located outside of Angola through any means located in
Angolan territory. For the purposes of this last situation, a data controller will be
considered to use ‘means’ located in Angola whenever such means are used for
collection, storage, or registration purposes, or merely for transfers of the data
elsewhere.
Where the Data Protection Act is applicable, but the data controller is located
outside of Angola, it must appoint a representative established in Angola to substitute
it in all its legal duties and obligations under the Act.²
Under the Data Protection Act, all data processing operations must respect general
principles of transparency, lawfulness, proportionality (i.e. only those types and
specific items of data that are actually necessary to fulfil the purposes of the operation
should be processed), predetermined purposes (i.e. personal data may only be
collected and processed for specific predetermined purposes and cannot be used,
kept or reused in future for other purposes unless the relevant approvals/consents
are obtained), accuracy of the data and storing the data only for so long as is actually
necessary to fulfil the purposes of the operation.
Personal data processing operations may only be undertaken once the following
two requirements are met:
(i) the express and unambiguous consent of the data subject has been obtained; and
(ii) the Data Protection Agency has been notified.
Upon receiving a notification, the Data Protection Agency has a period of thirty
(30) days in which to respond. Once this period has elapsed, the data processing
operation is to be deemed to have been duly notified in accordance with the terms
of the Data Protection Agency. However, it is not necessary to obtain the data subject’s
consent where the processing is necessary for the performance of a contract to
which he or she is a party, necessary to undertake preliminary steps before executing
a contract with the data subject or else is necessary for compliance with a legal
duty to which the data controller is subject.
Where the data to be processed falls within the definition of “sensitive data”, the
requirements for making the data processing operation lawful are stricter than those
set out above. In this situation, the data controller must also ensure that the following
two requirements are met:
(i) there must be legal grounds for allowing the processing of sensitive data for the
purposes of an operation like the one the data controller proposes to undertake;
and
(ii) the data controller must obtain the prior authorization of the Data Protection
Agency.
An authorization will only be granted in a limited number of circumstances,
including where the express written consent of the data subject has been obtained or
² Article 3 of the Data Protection Act. This Article further provides that the Data Protection Act is
applicable to entities in the ‘cooperative sector’, which basically comprises cooperatives – jointly
owned commercial enterprises (usually organized by farmers or consumers) that produce and distribute
goods and services and are run for the benefit of their owners.
where the processing is necessary in the course of court proceedings. Unlike the
case with processing personal data generally, the Data Protection Agency is under
no obligation to respond to a request for authorization within a certain period of
time.
Personal Data Relating to a Person’s Health or Sex Life
Personal data relating to a person’s health or sex life (including genetic data)
fall within the definition of “sensitive
data”, and are therefore subject to the above legal requirements of only being
processed pursuant to a legal provision allowing the processing and obtaining the
prior authorization of the Data Protection Agency. Processing these specific types of
data is, however, also subject to the further legal requirement of obtaining the
express written consent of the relevant data subjects.
The processing of personal data relating to a person’s health or sex life may only
ever be done by a health professional registered with a competent medical or professional
association. All medical professionals who process such data must abide by
a duty of confidentiality in respect of the data.
The above requirements extend to operations for processing personal data relating
to a person’s health status or medical test results, even when this is done in the
scope of an employment relationship in compliance with Angolan labor law.
Personal Data Relating to Unlawful Activities, Crimes and Breaches
Under the Data Protection Act, processing personal data relating to any unlawful activities,
breaches or crimes that may have been committed by natural persons (or relating to
any sanctions that may have been imposed in respect of same) may only be done by
Angolan authorities which have been given the specific jurisdiction to do so under
Angolan law and have obtained the prior authorization of the Data Protection
Agency.
A data controller does not have to meet any of the aforementioned requirements
where it has obtained the relevant personal data from publicly available sources.
Nevertheless, the data controller will always remain subject to the terms and remaining
duties imposed by the DPA on data controllers generally.
The Data Protection Act specifically provides that data relating to creditworthiness
may be communicated between banking institutions, judicial authorities and
law enforcement agencies once the Data Protection Agency has issued an authorization
to this effect.
Video Surveillance Data and Other Data Relating to Electronic Controls³
Video surveillance, along with other forms of capturing, processing and transferring
sounds and images that allow natural persons to be identified, are subject to the following
requirements:
(i) there must be legal grounds for allowing the processing of these types of data
for the purposes for which the data controller wishes to process them; and
(ii) the data controller must obtain the prior authorization of the Data Protection
Agency.
Further, the data controller must place signs in any locations in which a video
surveillance (or other form of recording) system is in place, indicating that persons
in that location may be recorded and that sound and/or video are being recorded.
The data controller must also provide information as to the identity of the party that
will be processing the data, including that party’s address, telephone number and
e-mail address.
³ The processing of other types of data relating to any forms of electronic communication is dealt
with more specifically in the Angolan Information Society Law (Law No. 23/11, of 20 June 2011),
which sets out and regulates duties to respect the privacy and the protection of personal data of
telecommunications users in Angola. The main purpose of these provisions is to limit the ways
licensed operators can use the data.
necessary to ascertain what the Data Protection Agency’s policy will be in this
respect, once the Agency is established and starts to operate.
Sensitive personal data (as well as data relating to health and sex life, creditworthiness
and solvency, unlawful activities or electronic surveillance) must be protected
using heightened security measures that are sufficient to ensure against
unlawful access and any other types of security breaches.
Professional Secrecy
All data controllers and other parties with knowledge of the
data being processed are subject to a strict duty of confidentiality. This duty will
continue to apply even after the data processing has been concluded. Any failure to
comply with this duty may result in criminal liability, as well as civil liability and
the imposition of administrative fines.
Rights of Data Subjects
Data subjects have the right to access, correct and delete
any personal data relating to them. A data processor must provide them with a free
and easy means of exercising these rights. Where the data subject wishes to have all
or any part of their data deleted, this request must be complied with within sixty
(60) working days of being made. Data controllers are under a further duty to provide
data subjects, upon request, with any and all information relating to the identity
and location of the data controller, the purposes for which the personal data are
being used, the identity of any third parties to whom the data may be transferred and
the means through which the data subjects may exercise their right to access, correct
and delete any personal data relating to them.
All persons, regardless of whether or not they are data subjects, have the right
not to be subjected to any decision that would have a significant effect on
them where this decision was made solely on the basis of an automated processing
of personal data aimed at evaluating certain aspects of their personality, namely
their professional skills, creditworthiness, trustworthiness or behavior. This right
may, however, be waived for the purposes of concluding or performing a contract
provided that there are sufficient safeguards for the rights of the relevant persons regarding
whom the decision is to be made, such as the right to be heard as part of the
decision-making process.
Using Personal Data for Marketing Purposes
The use of personal data for the purposes
of sending marketing materials is governed by two separate provisions of the
Data Protection Act, namely Articles 18 and 19, which apply respectively to (a)
marketing materials sent by post or distributed directly in person and (b) marketing
materials sent by e-mail or other electronic means. In both cases, the recipients
of these types of commercial or advertising messages have the right to be informed
of any publicly available sources through which their personal data (e.g. name,
address or e-mail address) were obtained, the true and accurate identity of the data
controller and the fact that their personal data may be shared with others for advertising
purposes.
A data controller does not need to obtain the consent of a data subject in order to
send marketing materials through the post or to distribute such advertising in person,
though it will have to notify the Data Protection Agency of its intent to send
such materials. However, a data subject always has the right to refuse to have his or
her personal data used for these purposes, and the data controller must therefore
provide a free and easy means through which the data subject may manifest his/her
unwillingness to receive such advertising in future. To this end, the data controller
is required to maintain a list of data subjects who have expressed their unwillingness
to receive advertising from them.
In order to send advertising through e-mail or other electronic means (e.g. fax or
pre-recorded messages), a data controller must obtain the express consent of the
relevant data subjects and notify the Data Protection Agency of its intent to use their
personal data to this end. The consent of the data subject may, however, be waived
for advertising or commercial messages sent to representatives of companies or to
natural persons with whom the advertiser has previously concluded a transaction, so
long as that natural person has previously been given a free and express means of
refusing such messages. Moreover, the relevant data subjects always retain the right
to refuse to receive such messages in future. To this end, the data controller is
required to maintain a list of data subjects who have expressed their unwillingness
to receive advertising from them.
The Data Protection Act’s provisions on using personal data for advertising purposes
are phrased in imprecise and broad terms, leaving the Data Protection Agency
with a large amount of discretion to determine exactly how these provisions are to
be interpreted and applied. Once the Data Protection Agency has been established
and starts to operate, it will remain to be seen how data processors can best ensure
that they are fully compliant with the Data Protection Act’s rules on using personal
data for advertising purposes. Further, the large degree of discretion that the Data
Protection Agency has been afforded in this area means it can easily change its
policy as to what course of action data processors must take in order to be considered
fully compliant with these rules. It is therefore highly advisable to monitor any
developments in the Data Protection Agency’s practice in this respect.
Recording Phone Calls
Under the Data Protection Act, it is lawful to record phone
calls when this is done for the purpose of having evidence of a commercial transaction,
so long as the data subjects being recorded have previously given their express
consent to being recorded and the data controller has obtained the prior authorization
of the Data Protection Agency. Additionally, the recording must begin with the
data subject expressing their consent to being recorded.⁴
⁴ The processing of other types of data relating to phone calls or other forms of electronic communication
is dealt with more specifically in the Angolan Information Society Law (Law No.
23/11, of 20 June 2011), which sets out and regulates duties to respect the privacy and the protection
of personal data of telecommunications users in Angola.
To the present date, the regulatory body, the Data Protection Agency, has not yet
been created. The Data Protection Act only mentions that this Agency is to be
administratively and financially independent and composed of seven members, to
be appointed as follows: three members designated by the President of the Republic,
one of which is to be appointed as Chairman of the Agency; three members elected
by the National Assembly; and a Judicial Magistrate elected by the Higher Council
of the Judiciary. This structure aims to promote an adequate level of independence
for the Agency, taking into consideration the characteristics of the Angolan political
system,⁵ although one may consider that it would be more appropriate to have more
than one member appointed by the Higher Council of the Judiciary.
In any case the Act is in force and data controllers and data processors must
comply with all obligations set forth therein that are applicable to them, irrespective
of being subject to any filing or approval from the Data Protection Agency.
A transfer of personal data to a third party to be used for the third party’s own purposes
will result in the third party also being considered a data controller for the
purposes of the Data Protection Act. A transfer of personal data to a third party data
controller requires that the express consent of the data subject be obtained in
advance and that a notification be made to the Data Protection Agency. However,
the consent of the data subject does not need to be obtained in a number of circumstances,
including where the data were lawfully collected from publicly available
sources, the transfer is necessary for the performance of a contract to which the data
subject is a party or the transfer is necessary to undertake preliminary steps before
executing a contract with the data subject.
On the other hand, a transfer of personal data to a third party that will only process
the data on behalf of a data controller and only for the purposes chosen by the
data controller will result in the third party being considered a data processor for the
purposes of the Data Protection Act. A transfer of data to a data processor requires
the existence of a written contract between the data controller and data processor,
under which the data processor agrees to only process the data in accordance with
the instructions of the data controller. Further, the data controller must also notify
the Data Protection Agency of this transfer.
A data processor is, by default, subject to specific legal duties under the Data
Protection Act, namely to not share the personal data with any other parties, to provide
an appropriate level of security to protect the data and to destroy or return the
personal data once the contractual relationship with the data controller is concluded.
⁵ Please note that under the Angolan 2010 Constitution, Angola is a democratic country organized
under a presidential political system, comprising a President (elected by direct vote), a Parliament
(elected by direct vote) and a Council of Ministers appointed by the President.
These duties may, however, be excluded in the contract between the data controller
and the data processor. Nevertheless, a data processor may not process personal data
for its own purposes, or else it will be considered a data controller under the Data
Protection Act and will be subject to all of the duties and responsibilities that are
applicable to a data controller.
Transfers of personal data outside of Angola are divided into two different categories,
borrowed from the EU Data Protection Directive:⁶ transfers to countries that
offer an adequate level of protection and transfers to countries that do not offer an
adequate level of protection.
Whether or not a country meets this level of protection is to be determined by the
Angolan Data Protection Agency based on whether its rules on the protection of
personal data ensure a level of protection that is at least equal to that provided under
the Data Protection Act.⁷
Where the country to which a data controller intends to transfer data meets the
level of protection required by the Act, the transfer must still be notified to the Data
Protection Agency. If, on the other hand, the transfer is to a country that does not
meet this level of protection, the data controller must obtain a prior authorization
from the Angolan Data Protection Agency, which will only be granted in a limited
number of circumstances, including where the express and unequivocal consent of
the data subject is obtained in writing, the transfer is necessary for the performance
of a contractual agreement or, more specifically, the transfer is exclusively intended
to request humanitarian aid.
The Angolan Data Protection Agency is also entitled to grant an authorization
where the intended recipient of the data has contractually undertaken to provide an
adequate level of protection given the specific nature of the transferred data.
Although this provision clearly envisioned something akin to the EU Commission’s
standard contractual clauses for transfers of data to non-EU countries, the Act gives
the Angolan Data Protection Agency complete discretion to determine what specific
terms and conditions should be included in the contract.
The question of whether to accept binding corporate rules is debatable in the EU
legal framework for data protection, as the choice is to be made at a national, rather
than EU, level. Yet, the Angolan legislator has given a conscious and express vote
of confidence towards international businesses that transfer data internally through
binding corporate rules. An international transfer of data between companies
belonging to the same corporate group may be conducted under binding uniform
internal rules on the privacy and protection of personal data. Doing so will mean
that the transfer of data will be considered to be to a country ensuring an adequate
level of protection for the data in question, thereby only requiring the notification
of the Angolan Data Protection Agency and not its prior authorization. The Angolan
legislator has sought to reach a compromise between its citizens’ constitutional
rights and interests to their privacy and the benefits to be derived from not
over-regulating the transfers of personal data.
6 Directive 95/46/EC.
7 The decision to be issued by the Angolan Data Protection Agency on this matter is to be
included in a published opinion.
17.4 Comparative Influences and Interpretation of the Data Protection Legislation
The Angolan legislator borrowed the classification system used in the EU Data
Protection Directive and developed it further, adopting different legal requirements
for different data processing operations based on the type of data processed and the
purposes to which they are to be put. Thus, compliance with the regime must be
assessed on a case by case basis, taking into account the specific content and
circumstances of each data processing operation.
As already mentioned above, all personal data that do not fall into one of the
specific categories provided for by the Act are dealt with under the generic heading
of ‘personal data’ and are subject to general procedural requirements and safeguards.
As well as the types of data being processed, the Act also imposes special
requirements where personal data are to be used for the purposes of sending marketing
communications, where the data are collected for surveillance purposes and for
the recording of telephone calls.
The main difference between operations involving the specific categories of personal
data described above, and those involving personal data generally is the type
of regulatory control to which they will be subjected by the Data Protection Agency.
All data processing operations must be registered with the Angolan Data Protection
Agency by their data controllers: those operations that involve the processing of
merely generic personal data require a simple notification to be submitted to the
Data Protection Agency, while data processing operations involving any of the specific
categories of personal data must receive the prior authorization of the Agency
before they may take place. Likewise, using personal data to send marketing
communications only requires a notification of the Agency, while recording phone calls
or data for surveillance purposes always requires prior authorization.
Though the Act sets forth a priori control of data processing operations, the legislator
makes an effort to avoid halting these operations indefinitely due to bureaucratic
delays. Accordingly, whenever a mere notification is required, the Data
Protection Agency must provide a response within thirty (30) days of receiving the
notification and if no response is provided within this time limit, the data controller
is legally entitled to consider the notification process as having been successfully
completed and may proceed with the operation. No similar concessions, however,
have been made for the process of obtaining an authorization from the Data
Protection Agency due to the nature of the data involved in these operations (for
instance, for the processing of sensitive data). Whenever an authorization is required
under the terms of the Data Protection Act, the data controller must await the
decision of the Angolan Data Protection Agency in order to begin processing the
relevant data.
As the Angolan Data Protection Agency has not yet been created, however, data
controllers are currently unable to comply with the registration requirements set out
in the Data Protection Act. They should nevertheless remain cautious, because the
Act provides for a number of other legal duties and obligations that data controllers
must meet besides the duty to register, and Article 47 allows anyone to bring a legal
action against a controller for a breach of these duties and obligations.
Further, the Act also sets out the right to object to the processing of one’s own
personal data at any time. This right, however, is not defined in as much
detail as the others, and this statute merely sets out that a person may make such an
objection whenever it is based on legitimate reasons arising due to the person’s own
particular circumstances. No guidance is given as to what types of reasons are to be
considered ‘legitimate’, nor does the Act delineate exactly how unique a person’s
circumstances have to be in order to meet this requirement. Hence, we must assume
that the Angolan legislator intended to leave this issue to be determined by more
specific data protection regulations8 or to have any disputes regarding this matter
settled by the Angolan Data Protection Agency. Angolan courts, however, will have
the final say on all regulatory decisions and application of regulatory provisions, as
parties are always entitled to make a judicial appeal against any decision of the
Angolan Data Protection Agency. In any event, due to the current lack of both
regulations and a regulatory agency, the extent to which individuals may lawfully seek
to stop data controllers from processing their personal data is yet to be defined.
Lastly, data subjects are also given the right to not be subjected to automated
individual decisions which produce legal effects concerning them or significantly
affect them, extending to the processing of data intended to evaluate certain aspects
of an individual’s personality, such as their performance at work, creditworthiness,
or degree of trustworthiness. The foregoing notwithstanding, these decisions may
take place where the relevant data controller requests the prior authorization of the
Angolan Data Protection Agency, or where they fall within one of the exceptions
provided for by the Act, including where they are necessary for the performance of
a contractual agreement.
8 Article 65 of the Data Protection Act requires the Angolan Executive Branch to issue regulations
on the specific application of the Act within 120 days of its enactment, but such regulations have
not yet been issued.
17.5 Conclusion
processing operations based on the type of data processed and the purposes to which
data are to be used, establishing specific rules for each category of operations.
While the Data Protection Agency, the regulatory body, has not yet been created,
enforcement proceedings for duties and obligations the Data Protection Act sets
forth may be initiated by anyone. In the meantime, however, data subjects
and data controllers are left in great uncertainty as regards the
issues yet to be decided and clarified by the regulator. For instance, it is yet to be
defined whether general exemptions from registration requirements for purely internal
data processing operations involving routine matters such as payroll processing or
monitoring employee expense claims will be issued by the Data Protection Agency.
These exemptions would definitely avoid the Agency being flooded with requests
for notification from data controllers. Further, they would, on the one hand,
preserve the level of protection offered to data subjects and, on the other hand, allow
business operations to be carried out smoothly and without being subject to unnecessary
bureaucratic proceedings.
Chapter 18
Data Protection in Mozambique: Inception Phase
João Luís Traça and Lídia Neves
Abstract The number of statutes that govern Mozambique data protection and
privacy matters is very limited, and those statutes are of a general nature. Thus, the concept of data
protection in Mozambique is not part of the legislator’s priorities and all privacy matters
are dealt with using legal tools that are not adequate. Furthermore, there is no social
pressure from Mozambique civil society to implement further developed
data protection legislation.
There has been an increase in the adoption of new technologies in Mozambique and,
as the country is in an early development stage, the use of the most recent technologies
has allowed the country’s economy to jump technological hurdles (many current
mobile phone users were not brought up with a telephone landline at home).
An inadequate legal privacy framework and the lack of commitment from local
authorities and interest groups to raise awareness about risks associated with the
processing of personal data have led to privacy issues not being on the agenda of
Mozambique politicians and public opinion. From a legal standpoint, the shortest
way to reduce this gap would be to implement adequate data protection legislation,
but there are no signs that this would occur in the near future.
Mozambique has not implemented a data protection legal framework providing for
a regime similar to the one existing in the EU. As such, all data protection related
issues must be analyzed under the country’s legal provisions on privacy and protection
of private life set forth in the Constitution (approved in 2004), the Civil Code,
Law No. 34/2014, of 31 December 2014, and the Labor Law.
Constitution
Pursuant to Article 41 of the Constitution, all individuals are entitled to the intimacy
of their private life. This provision should be construed as the right to private life as
compared to public life. In other words, not all acts or aspects of someone’s life
should be made public or made known to everyone. Having a private life that only
a limited number of people are aware of is a constitutional right. This is particularly
relevant in relation to unauthorized media exposure or surveillance and intrusion by
police and government authorities.
Additionally, Article 71 of the Constitution grants all individuals the right to
privacy, setting a prohibition on the use of electronic means for recording and processing
individually identifiable data in respect of political, philosophical or ideological
beliefs, of religious faith, political party or trade union affiliation or private
lives. Access to data bases or to computerized archives, files and records with the
purpose of obtaining information on the personal data of third parties, as well as the
transfer of personal data from one computerized file to another that belongs to a
different “service” or “institution”, shall be prohibited except in cases provided for
by law or by judicial decision. If there were a data protection law in Mozambique,
such statute would most likely set the concept of transfer of personal data between
data controllers and data processors. In the present case, such concepts are not available
to assist in fully construing the scope of this provision. Based on the wording
of this provision, we are of the opinion that it aims at governing the transfer of
personal data between government or state entities. The expressions “service” and
“institution” are commonly used to make reference to government or state departments.
Further, we take the view that, as a result of the specific wording used, this
provision from the Constitution should not apply to the transfer of personal data
included in files owned or managed by State-owned entities (such as State-owned
companies – “Empresa Pública”) or private entities (such as private associations or
companies). This is in fact the same scope of application as under Law No. 34/2014,
of 31 December 2014 (as detailed further below). Article 1 of this statute sets forth
that it shall regulate Mozambique citizens’ rights on access to information, as part
of the rights granted to them by the Constitution.
The Constitution also provides that all individuals shall be entitled to have access
to collected data and have it rectified. Although the Constitution does not set forth
the specific information to be provided, we are of the opinion that
information such as details of personal data belonging to a specific data subject that
are being processed must be provided.
The Constitution does not define the right to rectification of collected data either.
Nonetheless, a data subject is entitled to demand the correction and the update of any
inaccurate, incomplete, or wrong personal information related to him/her. Please note there is
no specific provision on the time and procedure for compliance with this right, nor on
the procedure to adopt in case these data have already been shared with third parties.
Civil Law
Mozambique also has specific legal provisions that regulate the disclosure of personal
data, such as Article 6 of the Labor Law (Law no. 23/2007 of 1 August 2007).
This provision ensures the protection of an employee’s personal data, prohibiting the
transfer to third parties of any private data obtained by an employer subject to a duty
of confidentiality, without the employee’s consent. The right to privacy is deemed to
include any and all information of a personal nature in electronic format. Under the
same provision, the use of computer files and access to personal data of a job applicant
or an employee shall be subject to specific legislation. However, this legislation
was never approved or published.
More recently, on 31 December 2014, Mozambique enacted the Law on the
Right to Information (hereinafter “LRI”) by means of Law No. 34/2014. This statute
aims at governing and regulating the terms pursuant to which government and
state authorities, as well as private entities that are carrying out duties and tasks on
behalf of the state, or that are funded by the State (and, as a result, contain information
of public interest), allow Mozambique citizens to access information related
to them. This law aims to allow citizens to obtain from the above-mentioned authorities
and entities any information which is considered to be of “public interest”.
However, such disclosure of information must comply with the protection of private
life. Under Article 25 of the LRI, any “personal data” related to the intimacy of
private life of an identified or identifiable individual cannot be disclosed by the said
entities, unless a court order is issued in that regard. Accordingly, the wording of
Article 25 introduces a new concept to the Mozambique legal system which is
commonly used by more sophisticated data protection legislation: the concept of
“personal data”. This concept is defined in this statute (under the relevant definition
in Article 2) as “information related to identified or identifiable individuals, both in
manual or electronic formats”. Unfortunately, this definition is only applicable in
relation to the scope of this statute. Nevertheless, it can be considered as a reference
for future privacy-related statutes to be prepared in Mozambique.
As mentioned above, neither the Constitution, the Civil Code nor any other statute sets
forth any specific requirements (such as authorizations or approvals) to carry out
the cross-border transfer of data related to an individual. Therefore, there are no statutes or
regulations in force which could restrict or prevent personal data from leaving the
country from a privacy perspective.
18.5 Conclusion
Alex B. Makulilo
Abstract This chapter provides an overview of the future of data privacy law in
Africa. The first part outlines the main catalysts of privacy in Africa. The second
part of the chapter discusses the data privacy regulatory approaches and enforcement.
The third part deals with the influence of continental and sub-regional data
privacy policies in Africa on national data protection law reforms. Part four
concludes the chapter.
3 The Economist Intelligence Unit’s Democracy Index 2015, http://www.eiu.com/Handlers/WhitepaperHandler.ashx?fi=EIU-Democracy-Index-2015.pdf&mode=wp&campaignid=DemocracyIndex2015.
4 Centre for International Governance Innovation & IPSOS (2016), CIGI-Ipsos Global Survey on
Internet Security and Trust, https://www.cigionline.org/internet-survey accessed 13.06.2016.
19 The Future of Data Protection in Africa 373
course of conducting trade. Moreover, Tunisia and Morocco also have the obligation
to transform their institutions and laws in conformity with the standards agreed.
This has impacted on the culture and legal systems of the two North African states.
On the first level, protection comes largely from national constitutions. Most constitutions
in Africa expressly guarantee the right to privacy. The formulations of these
constitutional provisions closely follow Articles 12 and 17 of the Universal Declaration
of Human Rights 1948 as well as the International Covenant on Civil and Political
Rights 1966. These provisions state: no one shall be subjected to arbitrary interference
with his privacy, family, home or correspondence, or to attacks upon his honour
and reputation. Everyone has the right to the protection of the law against such
interference or attacks. However, the right to privacy is not absolute. It is subject to
both constitutional and statutory limitations.
There has been little case law in Africa to show to what extent the constitutional
right to privacy has been interpreted. The only exception is South Africa, which has
developed enough case law on the interpretation and enforcement of the constitutional
right of privacy and the common law.5 This case law has interpreted the scope
of this right and has enforced privacy rights for both individuals and juristic persons.
The South African case law has influenced courts in other African countries, particularly
Kenya, to adopt a similar interpretation.6 There is also emerging privacy case law
by the High Court of Uganda based on the unlawful search of the residence of persons
suspected of being lesbians.7 Another landmark case decided by the High Court of
Uganda was about publication by a weekly tabloid newspaper of names and contacts
of people based on their real and perceived sexual orientation.8 The two landmark
cases were decided based on Article 27 of Uganda’s Constitution. Similarly,
in the absence of comprehensive data privacy legislation, Nigerian courts have
recently handed down landmark decisions based on Article 37 of the Nigerian Constitution.
The cases concerned the publication of a picture of a personal and family house for
purposes of commercial advertisement without consent; the disclosure of names of
persons voted for in an election; and forceful eviction from a house.9 As to international
human rights treaties, so far there is no known case law that has been decided
directly based on such treaties even in countries where international treaties have a
direct application. The main point that can be generally made out here is that general
law as well as the case law which has so far been developed by courts in Africa
has never spelt out the general data privacy principles. This legislative gap has
called for the adoption of comprehensive data privacy legislation.
5 For detailed discussion about this case law, see Makulilo (2015), 31(1): 78–89.
6 Ibid.
7 Victor Juliet Mukasa & Yvonne Oyo v Attorney General, Misc. Cause No. 247 of 2006, High
Court of Uganda in Kampala, (2008) AHRLR 248 (UGHC 2008).
8 Pepe Onziema & David Kato v. Giles Muhame and the Rolling Stone Publication Ltd, Misc.
Cause No. 163 of 2010, High Court of Uganda in Kampala (Unreported).
9 Jimmy S. Olaghere v Portland Paints and Production Nig Ltd and 2 others, [2013] All FWLR
(Part 661) 1593; INEC & 3 others v Action Congress and 3 others, and Muritala H. Nyako v Action
Congress and 7 others, [2009] 2 NWLR (Part 1126) 425, 618; Aliyu Ibrahim v Commissioner of
Police (F.C.T. Command), [2007] LPELR-CA/A/115/05.
On the second level, there is legislative reform in Africa in the form of comprehensive
data privacy legislation. African data privacy legislation is modelled upon
European data privacy standards, drawing heavily from the European Union Data
Protection Directive 1995. This law has information protection principles as well as
a supervisory authority for enforcing the law.
The scope of data protection legislation in Africa is generally the same, although
with some variations. It covers both public and private sectors. However, there are
exceptions. Only Zimbabwe’s Privacy Act covers the public sector alone, leaving the
private sector unregulated. There are cases where the scope of the law remains unknown
even from its preparatory works. This is the case, for example, with the Nigerian Data
Protection Bill 2010, whose scope is unknown and would await court interpretation in case
of a specific dispute. It is also a notable feature of the privacy legislation that it only
regulates natural persons and does not extend to juristic persons. South Africa is
exceptional. Its Protection of Personal Information Act 2013 applies to both natural
and juristic persons. The Kenyan Constitution Bill of Rights is also applicable to
juristic persons. It is not clear if this protection will be read into the Data Protection
Bill, which does not cover juristic persons.
In the beginning of the development of data privacy legislation, the main scope of
regulation was manual processing of personal data. However, as technology continued
to develop, this scope was expanded to cover automated data processing.
Accordingly, data privacy laws cover both manual filing systems as well as automated
data processing. This is also the case in African data privacy regimes.
However, Seychelles provides an exception, as its law provides expressly that it
regulates only automated data processing.
Similarly, the data privacy legislation in Africa has the conventional scope of
exceptions. These are usually exemptions based on purely personal activities and state
security. Others include statistical and journalistic activities. However, there are
marked differences in the scope of the exemptions. For example, in Tunisia public
agencies are largely exempted, while the Kenyan Data Protection Bill does not
exempt processing solely for journalistic, artistic and literary activities. In sharp
contrast, the Ugandan Data Protection and Privacy Bill lacks the standard exemptions
found in much data protection legislation. Ghana and Mauritius provide illustrations
of an extensive regime of data protection exemptions in their data privacy laws.
Other variations on exemption regimes occur in Africa. Apart from the standard
exemptions, there are discretionary exemptions by commissioners of data supervisory
authorities or ministers and subordination to other Acts. In Ghana, for example,
the Minister may exempt application of the Data Protection Act.
The extraterritorial scope of data protection legislation in Africa is also similar.
It reflects the scope provided in Article 4 of the EU Directive 95/46/EC on the protection
of personal data. The privacy legislation in Africa makes national law
10 CRID (2010), Analysis of the Adequacy of Protection of Personal Data Provided in Tunisia, p.32.
11 Ibid, p.33.
legislation. There are also different principles in processing for direct marketing. In
some cases, as in Lesotho and Ghana, prior consent is mandatory before direct
marketing can be allowed to take place, while in some other cases direct marketing
is allowed but a data subject has the right to opt out. Similarly, the data privacy
legislation in Ghana, Seychelles and Angola provides special rules for processing of
personal data in the credit reference market. The rest of the privacy legislation in Africa
does not contain such rules. Credit reporting is however regulated by special regulations
which do not necessarily reflect data protection principles.
Most data protection legislation in Africa contains rules for transfer of personal
data abroad similar to Articles 25 and 26 of EU Directive 95/46/EC. However, conditions
for such data transfer may vary from one piece of legislation to another. In
contrast, Ghana does not provide for the rules of transfer of personal data outside
Ghana. This is also the case for the Kenyan and Ugandan privacy bills, which lack
the regime of international transfer of personal data.
The typical data protection enforcement agencies are the data protection authorities
(DPAs), which are known by various names: Information Regulator, Data
Protection Commissioner, Data Protection Commission, Information Privacy
Commissioner, Data Protection Registrar or Data Protection Authority. The majority of
privacy legislation in Africa establishes DPAs. Yet there are significant departures.
In certain instances, the data protection legislation, instead of establishing a DPA,
designates an existing sectoral regulatory body as a DPA, as is the case in the
proposed Ugandan and Kenyan data privacy bills, where the privacy supervisory role is
assigned to the National Information Technology Authority-Uganda (NITA-U) and
the Commission on Administrative Justice (CAJ) respectively. This type of arrangement
poses a potential danger to the independence of the respective authorities
when discharging the role of a DPA. This danger as to independence arises
specifically taking into account the appointment, tenure and budgets of the designated
authorities. There is also another trend of enforcement which is not so common
in Africa. This is illustrated by the Nigerian privacy bill, where no DPA is
provided nor is any other authority designated as DPA. In this case the proposed
privacy bill leaves the enforcement to courts. This may render the proposed data
privacy law cumbersome to enforce, as courts are not well placed to enforce the
law on a routine administrative basis.
The issue of independence of DPAs in Africa is not clearly known in many countries
despite express guarantee in privacy legislation in some cases. In Ghana, the
governing body of the DPA may receive ministerial directives on matters of policy.
The limits of these directives and their impact upon the independence of the DPA
are difficult to assess at the moment. In Mauritius, where similar ministerial directives
were challenged and the data privacy Act was later amended, the Privacy
Commissioner is still materially and institutionally dependent on the Prime Minister’s
Office (PMO). In fact, the Commissioner has to seek approval from the PMO for all
disbursements and expenses, which is highly unusual for a Commission, even more
so for one that is purportedly independent. Similarly, the guidelines drafted by the
DPA, also one of the functions of the Commissioner, are vetted by the PMO before
printing.
It is noteworthy that some DPAs in Africa are yet to be established. Cape Verde,
which was the first country in Africa to adopt comprehensive data privacy legislation,
in 2001, has not yet established its DPA. This is also the case for Seychelles,
whose data protection legislation has not yet come into force and accordingly its
DPA is not yet operational. Angola has also not created its DPA. In this situation, it
is highly likely that data controllers process personal data not necessarily in compliance
with the principles of data protection. A related point is that the activities of
most DPAs are not open to the public. This is so particularly
with regard to reports of complaints decided by DPAs. At least the DPA in
Mauritius has published decided complaints on its website, where they are accessible
to the public.
As far as enforcement is concerned, the majority of DPAs in Africa have no powers
to sanction breaches of privacy laws by issuing administrative fines or to prosecute
offenders. Lesotho and Mauritius offer typical illustrations of DPAs which are toothless.
All that these DPAs can do is issue enforcement notices, breach of which
must be referred to courts, or, where they find that a breach of privacy principles has
occurred, refer the matter to the police for prosecution. Some DPAs have powers
to impose administrative fines on breaches of privacy principles. This may be
illustrated by DPAs in South Africa and Tunisia. It is important to note that most of
the DPAs in Africa, as is the case in the EU, have no powers to give compensation as a
remedy. Compensation is only available by institution of civil claims in courts of
law.
As far as data privacy is concerned, there are four privacy policies at the regional
and sub-regional levels in Africa. These are the AU Convention on Cybersecurity
and Personal Data Protection 2014, the ECOWAS Supplementary Act A/SA.1/01/10
on Personal Data Protection, SADC Data Protection Model Law 2012 and the EAC
Legal Framework for Cyber Laws 2008 (Phase I). There is also the Francophone
Binding Corporate Rules (BCR) 2013 on cross-border transfer of personal data
among French-speaking countries (including French-speaking countries in Africa).
Most national data protection legislation in Africa preceded the above privacy
policies. It is important to note that in contrast to the European Union (EU), where
after the adoption of the EU Directive 95/46/EC, member states had to bring their
national legislation in line with the Directive, in Africa this has not been the case. As
pointed out, the EU Directive 95/46/EC is the main privacy policy influencing
privacy reform in Africa. It influenced individual countries in Africa to adopt comprehensive
data protection legislation and subsequently the regional and sub-regional
data privacy policies and codes such as the AU Cybersecurity Convention, ECOWAS
Supplementary Act, SADC Model Law and EAC Cyberlaw Framework.
The AU Convention on Cyber Security and Personal Data Protection was adopted
in 2014. The Convention will only come into force once 15 of the 54 Member States
have ratified it. So far it is not yet in force. The Convention had no obvious influence
on data privacy reform in Africa up to 2015. This is somewhat the case for other
privacy codes. For example, South Africa is part of the Southern African Development
Community (SADC). SADC issued a Model Law on Data Protection in 2012. The
aim of the Model Law is to ensure that all Member States provide the same level of
protection for data subjects when their personal information is processed so as to
allow the free flow of information between SADC Member States. However, the
SADC Model Law is not legally binding. It is only a soft law. Its provisions are
consistent with the AU Convention. It can be noted that the South African data protection
law has not been influenced by the Model Law and it is likely that it will
have no role to play in South Africa. Lesotho, also a member of SADC, has made
fruitful attempts to revise its data privacy Act in line with the SADC Model Law. As
a whole, it can generally be summarized that the significant impact of African
regional and sub-regional privacy policies has yet to be realized. It is also important
to point out that these policies have implications for harmonization in Africa.12
12 Makulilo (n5).
with the EU member states which are also members of the Council of Europe. There
is also a likelihood of more data privacy legislation being adopted, taking into consideration
the existing number of privacy bills. Largely this is due to compliance with the
European data protection standards spelt out in the EU Data Protection Directive. It is
also important to remember that the recently adopted European Union General
Data Protection Regulation, which is expected to come into force in 2018, maintains
the adequacy standard as the criterion of data export to countries outside Europe.
This is likely to continue influencing privacy reforms in Africa.
References
Centre for International Governance Innovation & IPSOS (2016), CIGI-Ipsos Global Survey on Internet Security and Trust, https://www.cigionline.org/internet-survey.
CRID (2010), Analysis of the Adequacy of Protection of Personal Data Provided in Tunisia.
Hixson RF (1987), Privacy in a Public Society: Human Rights in Conflicts, Oxford University Press, New York.
Makulilo A B (2015), Myth and reality of harmonisation of data privacy policies in Africa, Computer Law & Security Review, 31(1): 78–89.
The Economist Intelligence Unit’s Democracy Index 2015, http://www.eiu.com/Handlers/WhitepaperHandler.ashx?fi=EIU-Democracy-Index-2015.pdf&mode=wp&campaignid=DemocracyIndex2015.
Uniacke S (1977), Privacy and the Right to Privacy, Bulletin of the Australian Society for Legal Philosophy, 1:1–21.