TP TECHHIVE ate e HIGHLIGHT OF DATA PROTECTION | INAFRICA 2020. DECEMBER 2020ABOUT US (N @ THRIVACY Thrivacy is a start-up based in Botswana and serves the African market. It offers advisory and consultancy services in respect of issues of privacy and data protection. It also develops and deploys custom made technological solutions that facilitate compliance with data protection regulatory frameworks. TECH HIVE ADVISORY Tech Hive Advisory was founded on the belief that technology, law and business should always be harnessed to foster the success of our clients. We are global citizens with thirst for innovation. We are committed to delivering world-class service while providing the highest quality advice, efficient and effective support, through the use of technology. @tuavacy TP TECHH! IVEORCC MRLs SO NSA The year was another remarkable one for data protection in the continent. The milestones range from new legislation, proposed bills to actions from data protection authorities. The outbreak of the Covid-19 virus played a role in some of the developments that have taken place . Ina nutshell, Africa was not short on activities bordering on privacy and data pce We have highlighted some of the significant events of the year, pointed out the problems Pea ee ae ated ene@travacy TP TECHHIVE STRUCTURE AND OVERVIEW OF THE GUIDE 1. Covid-19 and Data Protection. 2. Covid-19 Contact Tracing Applications ("Apps")... 3. Accountability of DPA’. 4. Guidance, Resolution and Deliberation .. 5. Data Breaches and Enforcement... 6. New Legislations and Guidelines .. 7. Proposed Laws and Legislations. 8 Privacy Invasive Developments.. 9, More National Identity Projects ... 10. Events and Development: 11.Recommendations. 12. Predictions for 2021... Usage of the Report The Report is general and educational in nature and is not intended to provide, and should not be relied on, as a source of legal or business advice. This information and material provided in the Report may not be applicable in all (or any) situations and should not be acted upon without specific legal advice based on particular circumstances.8 aa UB gahy= The fight against the Covid-19 virus significantly relies on the use of personal data to identify individuals, who they have been in contact with and where they have been. Furthermore, the fight against the Covid-19 virus significantly relied on the use of personal data to monitor individuals who have been infected by the virus. At the time the pandemic engulfed the world leaving no continent and nation spared; about 24 of 53 African states had promulgated laws for the protection of personal data. Some states’ data protection authorities rose to the occasion and published guidance notes on what is expected of data controllers and processors in respect of processing personal data for purposes of monitoring and management of the pandemic. The Data Protection Authorities in duly issued Guidance on Covid-19 and the protection of personal data processed in relation to it. The common theme addressed the need for giving effect to data protection principles in order to safeguard the individuals’ data protection rights in contact tracing initiatives, protection of personal health data and that processing done within the context of Covid-19 must comply with the extant data protection law. Regulator, similarly issued a statement justifying the processing of personal data at the nation’s point of entry for public health reasons. Amanda Manyame, a digital law and policy consultant based in South Africa has aptly summarized the guidance and her summary may be read@tuavacy Tj TECHHIVE On the 10th of May 2020, the World Health Organisation published an Interim Guidance note on contact tracing in the context of Covid 19 in which it was indicated that electronic tools and information technology are not essential for contact tracing but can make it more efficient and facilitate implementation on a large scale. In the Interim Guidance, the World Health Organisations advised that the ethics of public health information, data protection and privacy must be considered at all levels of contact tracing activities and when implementing contact tracing tools. Few African countries deployed contact tracing apps, namely, . In Nigeria, two state governments (Ogun and Kogi) released Covid-19 self-assessment apps. For the above-mentioned self-assessment apps deployed in Nigeria, we had put together a_ privacy report on apps which may be accessed here. Cape Verde's CNPD also issued an on the mobile application, called "Na Nos Mon’ for proximity tracking within the scope of COVID-19. The Data Protection Authorities in and published their annual reports. The reports gave an account of their activities for the year in focus. The Senegalese Data Protection Authority (CDP) published their customary quarterly reports during the year. The reports chronicled the activities of CDP, its deliberations, resolutions, authorisations, partnership and other activities in each quarter. The CDP’s reports may be read herein : Q1, Q2 and@twavacy TP TECHHIVE GUIDANCE, RESOLUTION AND DELIBERATION = CAPE VERDE The Cape Verde National Data Protection Commission (CNDP) issued a statement on the processing of personal data for political marketing purposes in the context of election campaigns. The statement may be read here. ME morocco Morocco's CNOP published Guidance on facial recognition, digital identity policy, mail management, data protection impact assessment, use of facial recognition for remote account in the banking sector, teleworking in the Customer Relations sector in a state of health emergency and processing of personal data relating to the taking ‘of temperature in the workplace during Covid-19. WEEN SENEGAL = meuritius Mia BENIN The Senegalese CDP issued The Mauritian Data a deliberation on the Protection Authority operation of vehicle geolocated systems. The Benin Data Protection Authority (APDP) published published six decisions so its deliberations and far this year. The complaints decisions for the year. The ranged from unlawful deliberations range from disclosure, use, access to processing of biometric personal data, and the use data, international transfer of CCTV in public areas. of data, health data, to Sanctions were issued in processing of employees appropriate circumstances. data. Further details in states are taking data The detailed account of the respect of the decisions may protection with the decisions may be accessed be found here, seriousnessit deserves. here. The publication of the above-mentioned guidance notes are commendable and goes to show that some African@tuavacy TP TECHHIVE DATA BREACHES AND ENFORCEMENT The year also witnessed notable data breaches on the continent. We have highlighted some of them below: B= SOUTHAFRICA South Africa suffered a wave of data breaches this year. The most prominent is the Experian breach, which affected the data of over 24 million people. In response to the breach, the Informa- tion Regulator, the South Africa Data Protection Supervisory Authority, has announced an investi- gation into the breach, Unfortunately, the Information Regulator will be unable to sanction Experi an until 1st July 2021, when POPIA fully comes into effect. More on the Information Regulator’s in- vestigation may be accessed here. The latest breach is that which affected Absa Bank. The South African bank was reported to have suffered a data breach, which resulted in the compromise of personal data. The breach was said to be asa result of an action of a rogue employee acting maliciously. Read more here. OB NIGERIA Nigeria sanctioned a state government's tax agency for failure to secure data. There was also a reported data breach suffered by two commercial banks namely Bank1 and Bank2. Finally, the beta app belonging to the Nigeria Identity Management Commission was also reported to be granting unauthorised access to enrollees' personal data. T= GHANA The electoral commission was alleged to have made publicly available voters information which information included personal data. The information was available on a Google Drive folder that was publicly accessible. More may be read about it here. [== BOTSWANA A vulnerability was found on the government's official Covid-19 contact tracing app’s web platform which enabled the unauthorized disclosure and access of personal data of the registered users of the app. The information exposed is said to have included the registration details of the registered users and their travel history. This vulnerability was discovered by a security researcher who was also a registered user, the security researcher and another applicant instituted an application on an urgent basis seeking to have the vulnerabilities resolved promptly. More may be read about it here. = UGANDA A data breach into Pegasus Technologies, a “consumer finance aggregator” in Uganda offering finance and billing services to banks and telcos resulted in a loss of about $3.2 million or more affecting Stanbic Bank Uganda, Airtel Uganda, MTN Uganda and a host of others.@tuavacy TP TECHHIVE Egypt officially joins the list of African countries with a data protection law. The enactment of the law dragged on for long but was finally assented to by the President. Read more about it The Nigerian data protection regulator finally released the final version of the Nigeria Data Protection Implementation Framework. The Framework is an addendum to the Regulation. A copy of the framework is available The government passed into law the legal framework for video surveillance. The law set out the rules for installation of video surveillance in public spaces. The said installation is subject to authorisation from the competent authority. The new legal framework does not apply to strictly private or reserved places, provided that video recordings are limited to the property of the owner of the equipment and do not include images of the surrounding properties. The law is available here. Also, the government passed into law legislation on and localization and electronic surveillance. The law regulates use of cellular identification and location, and electronic surveillance of goods, people, and public/private places for investigation of crimes like terrorism, murder, theft of vehicles, abduction, corruption and currency counterfeiting. A judicial authorisation is required before the interception of telephonic and telematics communications. The law is availableIna published on 27th of October, 2020, the Office of the Prime Minister of the Republic of Rwanda published a statement on the Cabinet decisions highlighting a number of activities such as the bill relating to data protection and privacy. The Bill itself was published on 30 January 2020 by the Ministry of ICT and Innovation and can be found The Nigerian Government released its Draft Data Protection Bill. The copy of the Bill is available The government has held a validation exercise and the Bill will be presented by the Attorney-General to the legislature as an executive Bill. The government published a copy of the Cybersecurity and Data Protection Bill. However, there are around the provisions of the Bill, which is capable of stifling human rights. A copy of the Bill is availableES ucanpa The Ugandan government published the Draft Data Protection Regulation and opened it up for public comment. You can read the regulation here. The Draft Data Protection and Privacy Regulations, 2020 isa secondary legislation under the Data Protection and Privacy Act, 2019. The Regulations will operationalise the Act by laying down procedures and forms for use in regulating and for data subjects to exercise their rights. The provisions of the Act are given better context by providing more elaborate procedures. A Commission-like body called the Personal Data Protection Office will be established under the National Information and Technology Authority - Uganda (NITA-U). It will report directly to the NITA-U board however, to uphold its independence and no one person/authority will give it directions on how to run its affairs following the Cabinet of Uganda's decision to not set up any more Government bodies in order to reduce expenditure. The Regulation is awaiting the signature of the minister to set up the data protection commission. SOUTH AFRICA The Information Regulator released the Draft Guidelines for the Registration of Information Officers and requested for comment. The appointment of Information Officer is a requirement under the Protection of Personal Information Act (POPIA) and they are expected to be registered with the Regulator. === THE GAMBIA The Gambia made progress with its proposed data protection law. In December, the Ministry of Information and Communication infrastructure (MoICI) hosted the Data Protection and Privacy Bill formulation workshop. The workshop was attended by local government authorities and members of civil society organizations in the ICT sector. The technical guidance was provided by Council of Europe experts. Copy of the Draft National Data Protection and Privacy Policy and Strategy is available here. @Qtuavacy TECH! IVE@ tHawacy TP TECHHIVE PRIVACY INVASIVE DEVELOPMENTS SOUTH AFRICA The government announced it deployed surveillance drones to watch its border with Zimbabwe. According to government sources, it became necessary to secure its borders from border jumpers and smugglers among others. The threat is especially severe given the existence of the COVID-19 pandemic which necessitates the monitoring and testing of visitors, EH zimaaswe The government announced it has acquired surveillance drones to combat illegal immigration following arisein the number of persons infected with the Covid-19 virus, who have failed to follow the mandatory quarantine, self-isolation and testing. SS ucanpa The Ugandan police have been accused of using facial recognition technology built by Chinese company, Huawei. The technology is believed to be used "to track, arrest and torture anti-government protesters’, It is instructive to know that Uganda's Data Protection Act is yet to be fully implemented and the Data Protection Authority is yet to be set up. Read more here. HE morocco Face biometric authentication for social welfare approved by Morocco’s data protection authority The CNDP, Morocco’s personal data protection commission, has approved the use of biometric authentication systems, specifically facial recognition technology, by social security institutions for user authentication and proof of life of social welfare beneficiaries. The system was thought out to assist during national emergency crises like Covid-19, More on the document is here. Each government agency controller has to file an authorization request for data processing and facial recognition technologies, as well as ensure authentication stages are followed using the third-party services provided. More on the story here. Morocco Adopts Draft Decree Relating to New Identity Card Earlier in the month, the Moroccan government adopted the National Electronic Identity Card (CNIE) Decree which will usher in the National Electronic Identity Card program. According to the Minister of Interior Abdelouafi Laftit, “the new CNIE consists of advanced standards that strengthen the ministry's fight against fraud and identity theft, by integrating new functionalities in line with Morocco's outlook for digital development” Like bank cards, the CINE will include a PIN code, to protect holders from any unauthorized use in case of loss or theft. Its function will allow a scanner or mobile phone supporting NFC technology to read the card to protect citizens’ privacy from data entry errors. More on the story here. * MORE AFRICAN COUNTRIES ACCUSED OF SPYING ON THEIR CITIZENS Nigeria, Kenya, Zimbabwe, Botswana, Equatorial Guinea, Morocco, and Zambia have been accused of spying on their citizens “to access telephone calls, SMS messages and location services.” The report published by the University of Toronto's Citizen Lab disclosed the governments procured an Israeli made tool to conduct surveillance on its people. You can read the report here.MORE NATIONAL IDENTITY PROJECTS Some African countries announced plans te launch a foundational identity project or took steps. HM smapacascar Madagascar received funding support to implement a digital identity project that will modernise the current civil registry and national identity databases. More here. BM ocuinea Guinea is looking to start its foundational digital identity program. More here = LIBYA The internationally recognised government is looking to launch a biometric identity system. In November, the government signed a Memorandum of Understanding with Idemia, a French company. The government representative and the French company also discussed “the launch of sensitive, advanced video surveillance systems for cities to provide smart processing and ensure faster interventions, better targeting, the rapid detection of threats and a stronger link with the population: More here and here. BES SOUTHAFRICA The South African government announced plans to update its national identity system. More here. SE Kenva The government announced plans to proceed with the controversial Huduma Namba national identity scheme. More here. HE NIGERIA The government is proceeding with the digital identity program. This will include the capturing of internally displaced persons.@Qtuavacy TP TECHHIVE EVENTS AND DEVELOPMENTS SJ BS soutwarrica The Protection of Personal Information Act (POPIA) finally came into force. POPIA which was enacted in 2013 was not substantially implemented until July when the President signed it. The office of the Information Regulator has been set up and will start enforcing the law from July 2021. More here. Assembly of the African Network of Personal Data Protection Autho s (RAPDP) Meets The RAPDP met to advance the development of data protection on the continent. The meeting was held on September the 15th . The association considered reports from different working groups, proposals on membership requests, and reviewed the corporation with the African Union {AU) on the harmonisation of data protection laws in Africa, RAPDP brings together data protection authorities, representatives of States with legislation but not yet having a data protection authority and those who plan to legislate on data protection. You can read more here. Africa Union (AU) looks to harmonise data protection laws on the continent The AU in collaboration with the European Union are piloting the Policy and Regulation Initiative for Digital Africa (PRIDA) initiative. One of the mandates of PRIDA is the harmonisation of data protection laws in Africa. The pilot phase of the project is currently being tested in five African countries, with the hope to scale it for seamless transfer of data across the continent. Since April 2020, the CNDP has been chairing the “Protection and Localization of personal data” working group within this program. Nigeria is the vice-chair of this working group. The intervention strategy consists of establishing a diagnosis of the current situation, before proposing recommendations to the Conference of Heads of State, with a view to updating the Malabo Convention of 2014" Ghana's Data Protection Commission Launches New Registration and Compliance Software and Announces Amnesty The Data Protection Commission launched a new Registration and Compliance Software in October. Data Controllers are mandated to register with the Commission in Ghana. The software was designed to make the registration process more efficient. The Commission also announced amnesty for data controllers who have defaulted on the statutory obligation to register with the Commission and pay their annual fee. You can read more here,@tuavacy TP TESH, On 16 November 2020, Ms. Immaculate Kassait took her oath of office as Kenya's first Data Protec- tion Commissioner. Ms. Kasai was formerly a Director at the Independent Electoral and Boundaries ‘Commission in charge of Voter Education, Partnerships and Communications. Under the Data Pro- tection Act of Kenya (the Act), her appointment will be for a single term of six years and she will not be eligible for reappointment. On 13 October 2020, the President of Kenya, in compliance with the provisions of the Data Protection Act, 2019 ("DPA"). The appointment of Commissioner Kassait is very much welcomed and shows Kenya's determined commitmentin ensuring that the collection, processing and use of personal data in Kenya is properly regulated. More Some of the problems faced by African countries in respect of data protection are lack of funding and resources for the data protection authorities, lack of competence and expertise of human cap- ital, lack of political will, ack ofindependence, outdated legislations and weak enforcement frame- work, bundling of regulatory function with other regulators and the bundling cybersecurity and data protection function in a single body which overwhelms them, HIV! E@tHavacy $4 TECHHIVE RECOMMENDATIONS ee nee ge nn ie hae ee eee eit ate ate) Reva Ren seers el ls Meur micas reato me oie gees: kM est emt Eaten OTe] compliance and publish their decisions to reinforce the need to comply. There is a need to create more Renee rere ce tae ry eect Cuan n eran as enunciated in the Malabo Convention and other regional frameworks. Sees e reer Rent ae ee Cn CeCe statutory allocation from unwilling executives, which will impair their ability to function effectively. They could also explore collaboration with academic institutions and strategic international alliance with met Co OC Solel Soc eA CO rel he Cor Reco landscape and protection of data subjects across different jurisdictions. This could be by way of joint investigation, knowledge sharing and capacity building, notification, complaint referral, and other forms of mutually beneficial assistance. * African nations need to demonstrate an interest in the protection of personal data the same way some governments are obsessed with “information censorship, surveillance, data retention, interception, and ea etc ete Mie melt ae Maelo fo craeLe g Co R eeel aLeLe Mele (m technologies. Tunisia, Senegal, Seychelles, Morocco are some of the countries that might need to revise RUria Eo © More African countries should sign the African Union Convention on Cybersecurity and Protection of Pee el kono Ca eee en eae oe © More African countries should consider granting other African states an adequacy decision. Currently, only Nigeria and Tunisia have issued adequacy decisions in favour of other African countries. This will also impact the successful execution of the digital economy aspect of the African Continental Free Trade rere USLLA ate Gee eee nt ese ae Ce ec ee eee eas Mecano Cs eae Sy em zon ite Recourse Mauritius and Cape Verde) have already ratified the Council of Europe Modernised Convention 108. ®© More African countries need to enact a specific data protection law. The trend of bundling cybersecurity and data protection law might not be the best as seen in Guinea and Zimbabwe's draft law. The model where the same body exercises both data protection and cybersecurity functions is not the best too, as seen with NITDA in Nigeria, and Chad.REE e meh PREDICTIONS FOR 2021 Se RTO ee ce an a ac Rg Eee Pyle col rao eee) RE ee eh oan eu eae see Ors age ee ee ae ee a OCA supervisory authority to create one. We may see this from Botswana, Seychelles, Uganda, fee Se yam Dee ene ee ees Rk oD eae Resa OO eee el eet Re en ome Cea aC services, anti-money laundering and healthcare. * More African countries will issue guidance around the intersection of data protection and emerging technologies like smart cities, drone and surveillance, facial recognition, use of titer Eco le area A aL ceeas fj TECH HIVE ADVISORY contact@techhiveadvisory.org.ng www.techhiveadvisory.org.ng WT @HiveAdvisory i THRIVACY hello@thrivacy.co.bw +26777304443