20 December, 2016
In November 2016, I had the opportunity to speak with Sub-Saharan African policy makers and regulators about the development of data protection and privacy laws. The maturity of existing data protection laws or their enforcement capacities in Africa varies, but most countries do not have formal laws in place. The concern for online privacy is growing, however, especially with ideas such as the ‘right to be forgotten,’ which comes from the EU Court of Justice ruling on Google v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González.
In my presentation, I discussed the state of current data protection laws in the US and Europe in light of rapidly evolving digital technologies and the unforeseen scope of data collection today. While considered fairly robust, some of the concepts and principles of these laws are now being stretched to the point of breaking (e.g. identifiability, anonymization), or are rendered somewhat meaningless (e.g. notice, consent, minimization) as a result of this increasing data collection. I discussed many of the privacy theories that have emerged since – and reflected on – wide adoption of the Internet, and how they may inform new data protection laws.
African policy makers seem to be most interested in the EU model of data protection as a way forward, but were wary of the huge differences in the contexts of technology use between Europe and Africa. I used a quote from James Q. Whitman’s excellent paper The Two Western Cultures of Privacy: Dignity Versus Liberty, which struck a chord with the policy makers: “Privacy law is not the product of logic. But neither is it the product of ‘experience’ or of supposed ‘felt necessities’ that are shared in all modern societies. It is the product of local social anxieties and local ideals.” A discussion ensued about the typical African Internet user and their relationship with data. Some countries have emerging regulatory structures with no law, while others have law but impoverished enforcement. Ghana, South Africa, and Uganda appear to be best (regional) practices right now.
A key insight is political: some parts of various African governments are keen to not let Western civil liberties ideas interfere with their newly gained digital surveillance powers. So it is helpful to know what the opposition politicians are up to! The development of meaningful data protection in Sub-Saharan Africa will be a multi-dimensional power struggle, if it happens at all. Like in China, though, we may see calls from civil society to enact data protection laws, as a government surveillance unit in everyone’s pocket in the form of a smart phone may be an incentive to enact some boundaries on government control.
It will be interesting to follow the emerging discussions about privacy and data protection in African countries. They are keen to maintain their ICT leap-frogging ability (see the mobile phone example), so there is potential for them to carefully evaluate existing law and introduce some legislative innovation in this field. Through comparative socio-legal analysis it may be possible to assess current data protection law principles and specific articles, and map how they address “local social anxieties and local ideals” in the context of African Internet users. I’m not holding my breath, but I’m looking forward to being involved in this process!
Academic Liaison at Princeton University