By Andrew Green
BERLIN — In late 2017, Ugandan police raided the offices of three NGOs the government had accused of conducting illicit financial transactions and working to destabilize the country. It was part of a larger crackdown on civil society groups and NGOs that has been taking place in the country over several years.
Inside the building, officers demanded that staff provide passwords to computers and cell phones. Outside, civil society representatives gathered, including Dorothy Mukasa, the chief executive officer of Unwanted Witness, a digital advocacy group.
By the time the activists were allowed inside, it was too late. The police had stripped the office of whatever data they could find. Some of it has subsequently been used against the organizations. Though their representatives claim it has been doctored, they have no backups to prove that, and little legal cover, because Uganda has no data protection laws on the books.
The Data Guardians series
The collection of data on digital platforms has become ever more central to aid work, as organizations strive to ensure their interventions are as efficient, effective, and targeted as possible. But while data can be a transformative tool, it also comes with risks.
As scandals over data protection push these concerns further up the agenda, Devex’s Data Guardians series explores the issues affecting aid organizations as they work to protect their beneficiaries’ data, and the debates and practicalities around what more can be done.
“Without a law, it becomes really tricky on how these organizations are going to be protected,” Mukasa said. “They faced the wrath of the absence of data protection laws.”
The level of data protection regulations varies widely across the African continent. Some countries, such as Senegal, have rushed to adopt and implement regulations. But the majority have no legislation in place. And where efforts at regulations exist, experts are concerned that governments are primarily interested in giving themselves more leeway to pursue cybercrimes — or cybercritics — than they are in protecting people’s data.
This landscape of patchy privacy legislation presents a significant risk to local organizations working with marginalized communities or around sensitive subjects, leaving both themselves and the people they are trying to help vulnerable. It also creates problems for international groups looking to partner with local agencies, raising questions about what information can safely be gathered and shared.
“The overall situation demands a lot of improvements,” Moctar Yedaly, head of the information society division at the African Union Commission, told Devex. “Most of the stakeholders have not self-acknowledged the importance of the matter.”
A paucity of legislation
The AU Commission is the force behind the main document guiding data protection policy on the continent: The African Union Convention on Cyber Security and Personal Data Protection, often referred to as the Malabo Convention, adopted in 2014.
The convention was motivated by an understanding of the risks posed by unmitigated access to private data and the need to protect citizens’ information, but it was also designed to spur information and communication technology development while respecting national security demands. Offering more than lip service to these ideals, it looked to provide guidance on how to establish an effective domestic data protection effort, with the collaboration of civil society groups and other nonstate actors. It also explored how privacy demands could interact with a national security apparatus whose work might require access to some of this information.
“It is unique,” Yedaly said. “No other region in the world [has one].”
That has not translated into widespread, national-level adoption, unfortunately. According to Yedaly, only 10 of the 55 member states have signed on to the convention, and three more have ratified it, though he noted that 18 have used it as guidance for drafting their own cyber legislation. The commission plans to ramp up its advocacy around the convention this year.
Observers say there are several reasons for the slow pace of adoption.
“The problem is that it’s absolutely massive,” said Lucy Purdon, a policy officer with Privacy International, an advocacy organization. “It’s mixing all of these aspects in one piece of legislation. It’s a bit too much for governments to get to grips with.”
Another problem, experts say, is that data protection simply is not a priority for many governments. Instead, they have shown far more interest in legislation that protects their right to access information under the guise of national security interests. Henry Maina, East Africa director for Article 19, a British nonprofit that promotes freedom of expression and information worldwide, said this shift starts with “an easy claim. Nobody agrees that there should be cyberfraud, terrorism or espionage. But whenever such laws are being proposed, it is bringing in a litany of other content-related restrictions and abuse of due process.” According to his organization, 23 countries in Africa have data protection laws installed or drafted, versus 38 with cybersecurity-related regulations.
This is increasingly tipping the balance away from data protection and could leave civil society groups and NGOs exposed — particularly those who are working to assist marginalized or criminalized groups. There is a risk that governments will look to access organizational data for investigative or prosecutorial purposes. In addition to the raids in Uganda, there have been recent raids on sexual minority groups in Tanzania and on the office of an environmental activist in Cameroon, whom officials attempted to link to an ongoing domestic conflict. In both instances, critical data was seized.
There is also a risk that broad cyber legislation will expose organizations themselves to attack. Maina pointed to Kenya’s new Computer and Cybercrimes Act, which was passed into law in May. Alongside provisions on issues such as cyberharassment and fraud, it also criminalizes publishing false, misleading or fictitious data, without really defining what those terms mean. It is not impossible to imagine those provisions being used to pursue organizations at odds with the government, he said. Those concerns were enough to convince one judge to suspend portions of the law until July, as the legal system considers whether they violate constitutional provisions, including the right to privacy.
Even in situations where administrations appear eager to enact data protection legislation, advocates point out that the field is nascent and complicated. In Senegal, which has been hailed for its leadership on the issue — particularly for being the first country to ratify the Malabo Convention — activists say the system is still flawed.
Ababacar Diop, president of Jonction Senegal, a human rights organization that monitors the right to privacy, applauded the 2016 decision to establish a data protection authority, but was quick to caution that it did not mean the country had solved the balance between data protection and other opportunities and risks.
“The commission does an excellent job of monitoring personal data breaches, but the problem is that the commission does not understand all of the issues related to data protection,” he said, adding that there had been problems determining how far they should go to protect personal privacy when it bumped up against issues such as economic development and issuing assistance.
For international organizations, these gaps present a problem. Often headquartered in countries that do have strict data protection guidelines, and working across myriad locations, they can enter African settings with policies that are far more stringent than anything they will encounter locally.
Catholic Relief Services provides humanitarian aid in more than 100 countries. Karl Lowe, vice president of global knowledge and information management, said in-country teams are constantly monitoring local laws around data protection and other cyber issues to make sure CRS is adhering to them. “But an IT system that is different for every country would drive us crazy,” he said. “We look at what are the most stringent rules and laws … and implement those in a standard way across the world.”
That means looking primarily to Europe’s new General Data Protection Regulation, which came into effect in May and attempts to give consumers greater control over how their data is retained and shared. It applies to any institution that collects data from EU citizens — including many in Africa.
There have also been high-level efforts to codify how humanitarian agencies should gather, use, and dispose of data — the most prominent being the Handbook on Data Protection in Humanitarian Action, which was put together by the International Committee of the Red Cross and the Brussels Privacy Hub in 2017 in the absence of global guidelines.
Among the many issues it addresses is one that is particularly fraught for international organizations: While they might have the capacity to shield their data, how can they partner with local organizations that may not have those same protections?
“This is really pertinent,” Massimo Marelli, who heads ICRC’s data protection office and co-edited the handbook, told Devex. “What do you do in places where there are no [legal] regimes?” For ICRC, it means running regular risk assessments about what might happen to data that is shared. “You need to dissect and understand exactly what’s happening and what that means in terms of entities that might have access to it … [to make] a properly informed, risk-taking decision,” he said.
At the same time, many local organizations are working to shore up their protections. In the wake of the raids in Uganda, Mukasa’s organization has been working with NGOs on strategies to better protect themselves in such an event. That includes thinking about ways to conceal servers, and keeping regular backups of all crucial information.
“Even when we advocate for data protection laws, we need to have safeguards internally before we get to the level of the law,” she said. While this can be time intensive and expensive, it is not something that organizations can afford to ignore — especially when they are working with sensitive information, she said. There are also critical questions to address about what data is being collected, whether it is necessary, and if it is being destroyed when no longer needed.
Experts said that events like those in Uganda are ratcheting up the pressure on governments to ratify the Malabo Convention and to implement data protection laws. Much of this, Mukasa said, is consumer driven as governments begin to collect more and more data about their citizens through activities such as biometric voting and registration of SIM cards, encouraging people to push for additional protections on how their data is used.
Increasingly strict European laws are also having an impact on the situation in Africa. “Those African countries — mainly in the northern region — working with EU companies or [that] are processing EU citizens’ data will certainly have to comply with the GDPR,” Yedaly said. “This will require from them extra efforts in terms of policy and procedure, as well as infrastructure.”
To guide that process, the AU Commission has released guidelines to help countries draft policies in line with the various regulations, including the Malabo Convention.
And Purdon said humanitarian and civil society groups also have a role to play. “They’re signaling that this is an issue that they’re interested in and want to know more about,” she said. “They hold an awful lot of data, and it’s important that they are setting the example of handling and processing it and storing it correctly and not sharing it with people they shouldn’t be.”