Desmond Israel

Lawyer + Privacy/Information Security Practitioner
…Well, so when do we know that a particular act amounts to a sale of data? In Ghana the law is explicit about the sale and purchase of data; the enabling Act, however, does not explicitly define what would amount to the sale of data or data-selling activities. The law does define “business” to include trade or profession. A good way to look at it is this: data selling can be done directly between the parties (data controllers selling to one another, to data processors or even to individuals), or it can be done through what the industry now knows as data brokers; such was the motivation for the Vermont law mentioned above. Data brokers are entities that collect information about consumers and then sell that data (or analytic scores, or classifications made based on that data) to other data brokers, companies, and/or individuals. Even when consumers are aware of both the existence of data brokers and the extent of the data collected, it is difficult to determine which data they can control. For example, some data brokers might allow users to remove raw data but not the inferences derived from it, making it difficult for consumers to know how they have been categorized. Some data brokers store all data indefinitely, even if it is later amended. A friend once asked me, “Are they data controllers under the law?” The simple answer is “Yes”. The industry is incredibly opaque, and data brokers have no real incentive to interact with the people whose data they are collecting, analyzing, and sharing.

These data brokers do not have a direct relationship with the people they’re collecting data on, so most people aren’t even aware that the data is being collected. Once data is collected and stored via whatever means, it is sold by direct transfer, mostly through electronic means, to the purchaser. This gives the purchaser absolute ownership of the data contemplated in the data sale contract and shifts responsibility for what the data is used for to the new data controller; depending on the contractual outcomes and obligations, the initial data controller may also retain some responsibility in a controller-to-controller or controller-to-processor relationship. By now you are getting the picture that data brokerage can be an integral part of data selling, so let’s take a minute to identify the various kinds of data brokers. Firstly, there are people search sites, where users can input a piece of data, such as a person’s name (or a phone number, city/state, email address, social security number, etc.), and get personal information on that person either for free or for a small fee; examples that come to mind include Spokeo, PeekYou, PeopleSmart, Pipl, and many more. Secondly, there are data brokers that focus on marketing, such as Datalogix (owned by Oracle), or divisions or subsidiaries of companies like Experian and Equifax. They develop dossiers on individuals which can be used to tailor marketing. And finally, there are data brokers such as ID Analytics that offer risk mitigation products to verify identities and help detect fraud.

Well, having kept you on a mini-lecture, which is the ground on which I will discuss the subject matter, let me hint that the subject matter of this article is whether the Electoral Commission of Ghana sold citizen data to a private company called BSystems. The background to the issue is a news article making waves under the headline “EC sold voters data to private firm without an agreement – Auditor-General”, reported on the 27th of June 2019 by the Graphic Online news portal and other media outlets. The Graphic Online news portal captured the story in part as follows:

 “There was no Agreement between the Electoral Commission and Bsystems Limited who obtains Electoral Data from the Commission and offers it to the Financial Institutions for a fee. We further noted that, Bysystem Ltd. failed to remit the 20% commission due the Electoral Commission, in respect of charges for accessing the data, for the 2016 and 2017 financial years,” the report noted.

According to the report, the EC, in response to the findings, stated that, a Memorandum of Understanding (MoU) was signed between the Commission and BSystems Limited; but the MoU was suspended in the third quarter of 2016.”

For starters, or probably as an appetizer, let’s determine how the relationship between the Electoral Commission and BSystems is established. BSystems, as a private business, identified an opportunity in a regulator’s requirement for banks and regulated financial institutions to carry out a Know Your Customer (KYC) routine on their customers; this included ensuring that any nationally accepted identification card presented is verified, to avoid fraud among other things. This led the private business to develop a solution called GVIVE. GVIVE® is an online Identity Verification System that integrates with ID database systems, enabling true and real-time verification of people to curb identity theft, etc. By its design the integration is done at the Application Programming Interface (API) level, which means the solution queries the database of whichever entity is the data controller holding the data and determining its ultimate use. At best, such a service does not involve a direct transfer of the data from one entity to the other in whatever form, nor does it give the receiving entity direct custody of the data from the holding entity. As I have come to understand it, the GVIVE system queries the electoral ID database hosted by the Electoral Commission when Voter ID cards are submitted to the banks, for the primary purpose of verification as required by the regulator’s directive to the banks and regulated financial institutions. It is important to note that this model is termed value-added data services: it involves multiple entities who still own and keep their data but give minimal electronic access to that data for specific data processing purposes, through machine-read-only access to the system hosting the data. This service would be needless if the financial institutions or the national ID regulator, for instance, could integrate directly with the electoral or any other ID database required.
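The query-only access described above, as an added sketch that is not BSystems’ or the Electoral Commission’s code: the controller keeps the register and answers each request with match/no-match flags, never with stored values. The register entry, purpose label and function names are hypothetical.

```python
import hmac
import unicodedata

# Constructed sample register held by the data controller (not real data).
_REGISTER = {
    "0000000001": {"surname": "Mensah", "forenames": "Ama", "year_of_birth": "1990"},
}
ALLOWED_PURPOSES = {"kyc-verification"}   # hypothetical purpose label
AUDIT_LOG = []                            # (requester, purpose, id_number, outcome)


def _norm(value):
    """Case- and accent-insensitive form so 'MENSAH ' matches 'Mensah'."""
    text = unicodedata.normalize("NFKD", str(value)).casefold().strip()
    return "".join(c for c in text if not unicodedata.combining(c)).encode()


def verify(requester, purpose, id_number, claimed):
    """Compare the claimed fields with the register; return only booleans."""
    if purpose not in ALLOWED_PURPOSES:
        AUDIT_LOG.append((requester, purpose, id_number, "refused"))
        raise PermissionError("purpose not permitted by the controller")
    record = _REGISTER.get(id_number, {})
    result = {}
    for field, value in claimed.items():
        stored = record.get(field)
        # An absent ID and a wrong value both answer False, so a miss looks
        # the same either way; stored values never leave this function.
        result[field] = stored is not None and hmac.compare_digest(
            _norm(stored), _norm(value))
    verified = bool(result) and all(result.values())
    AUDIT_LOG.append((requester, purpose, id_number, verified))
    return {"verified": verified, "fields": result}
```

The audit log is what lets the controller show afterwards who queried which ID and for what purpose, and spot a requester guessing field values one query at a time.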

Let’s proceed to our main course, which is quite brief after such an almost bellyful appetizer. I start off with the relationship between the Electoral Commission and BSystems: this is a data controller and data processor relationship. Access and its intended use are determined at law by the Electoral Commission, which for all intents and purposes is responsible for the ultimate data protection obligations under the laws of Ghana; BSystems is a processor of the said personal data, as must be directed by the data controller. It is clearly established that the purpose here is to ensure verification of the data. At this point it is important to also highlight that when a customer presents an identity card to the bank, he or she has impliedly consented to verification, the very essence of the service rendered by GVIVE.

The data processor, BSystems, is required to adhere to the requirements of the personal data protection laws of Ghana and to the contract under which it operates with data controllers, in this specific case the Electoral Commission. The Commission is also required to ensure that data protection best practices are visible requirements in its engagement with any processor or controller: for instance, the registration of the other party under the law, evidence of a data protection program and policy, privacy impact assessment reports and possibly a technical security assessment report of the system meant for this engagement. Every regulator and/or private data controller must make it its business, and a benchmark, to demand and ensure data protection best practices when engaging entities in data-driven business models. On the primary question of whether data selling has taken place, or whether data-selling activities can be identified, under the two forms of data selling (a direct transfer of data between parties, or the use of brokerage strategies): this cannot be said to have happened, since BSystems has not received a direct transfer of data and its model does not qualify as a brokerage. One is tempted to believe that BSystems operates on the third level of data brokerage, which is that they offer risk mitigation products to verify identities and help detect fraud, as done by GVIVE; the flaw with that argument is that BSystems, on the current issues, only integrates with the existing database and does not own it in any form, whereas data brokers own their data.

Noteworthy to this article is the fact that the regulating bodies undoubtedly enjoy some exemptions under the Data Protection Act 2012, and these include the Electoral Commission. However, let me sound a caveat found in the letter of the law: the exemption is given for the “processing of personal data”, which means the framers anticipated that, whilst the exemption holds true, an exempted entity will ensure that protection mechanisms are still in place for the personal data it holds. It would be an absurd interpretation of the law to say that, because there is an exemption, an entity can for instance go out of its way and treat personal data with disdain. That defeats the spirit of Act 843, which was brought to life from the 1992 Constitution of Ghana and is a matter of protecting the fundamental human right to privacy, albeit within the limitation of guaranteed rights under the Constitution.

I express the view that BSystems’ current model is one that adds value to stored data without modifying or owning it. In this light, BSystems, in rendering the verification services as a data processor, is nevertheless required under the laws to comply with data protection principles and to ensure that at all times it does not infringe on the privacy rights of individuals; the exemptions do not extend to BSystems as a value-add service provider. The Electoral Commission is, however, expected to have in place a data-transfer policy (where needed) and a data-use policy with its third-party service providers. Without sounding unnecessarily legal, the players in the industry must make the effort to shed some sunlight and transparency on an industry that has traditionally been pretty opaque, as it is the only way to balance data protection regulations against data-driven business models which are heavily commercialized.

According to an online data business portal, the world produces an estimated 2.5 exabytes, or 2.5 billion gigabytes, of data every day. Of that data, 90 percent was created in the last two years. The amount of information available to use is growing — and growing fast. That data comes from a variety of sources including online transactions, social media, search engines, web traffic and more. Data-driven business models are here to stay and will influence all other aspects of endeavor; equally, privacy laws are not going away so long as individuals become more aware of the control and power they have to make determinations concerning the use of their data.

The balancing act is crucial between the data protection regulator, the data controllers, processors and data subjects.