The Quest for Information Privacy in Africa: A Review Essay

Abstract

References to personal information as the new “oil”—or “silk”—of the digital age are now commonplace.1 In increasingly networked lifestyles, we pay for free digital goods and services by giving away our—sometimes sensitive—personal information. This has, of course, been a cause for concern since the early 1960s and 1970s. The manner and the extent to which personal information is collected, aggregated, processed, and disseminated soon received the attention of lawmakers around the world. The German state of Hessen pioneered the passing of formal information privacy legislation in September 1970 that governs the gathering and processing of personal information, later followed by Sweden's Data Act of 1973. Across the Atlantic, the Code of Fair Information Practices produced by a commission installed by the Nixon Administration in 1973 was an early legislative attempt to regulate information privacy.Information privacy lawmaking has since proliferated in most parts of the world, particularly in Europe. Europe is now generally seen as having the most robust regime for the protection of information privacy, with a widely accepted Convention at the Council of Europe (CoE) and layers of regulatory information privacy instruments in the European Union (EU). At the international level, relatively little has been accomplished in terms of putting in place a strong regime for the protection of information privacy. Apart from high-level abstract principles on the right to privacy articulated in international human rights law, the United Nations (UN) has adopted Guidelines that short-list a set of information privacy principles as well as soft laws adopted by UN specialized agencies.2Most national information privacy pieces of legislation now adopted outside Europe have essentially been benchmarked after European instruments. The EU Data Protection Directive of 1995—which soon will be replaced by a regulation—has particularly been very influential. The influence is profoundly reflected in the emerging corpus of information privacy laws in Africa. While the substance of this new generation of African laws resembles their European counterparts on many fronts, little has been written in examining the nature, purposes, merits, and limitations of these pieces of legislation. Dr. Alex Makulilo of the Open University of Tanzania is perhaps the only African scholar who has consistently endeavored to shed light onto the growing body of information privacy legislation in Africa. Dr. Makulilo's work on information privacy commenced with a doctoral thesis on the “Protection of Personal Data in Sub-Saharan Africa,” for which he was awarded a PhD in 2012. The doctoral thesis was later published as a book in 2014 (Privacy and Data Protection in Africa). His collection of essays on African data privacy laws came only two years later (African Data Privacy Laws). The principal aim of these books is to provide a firsthand examination of the currently emerging legal regimes that govern the processing of personal information in selected African countries. This essay provides a brief review of these books. For the sake of convenience, this essay uses the term “information privacy” instead of “data privacy” or “data protection” unless the context requires otherwise.Privacy and Data Protection in Africa examines information privacy law in three selected sub-Saharan African countries: Mauritius, South Africa, and Tanzania. The book is organized into ten chapters. Chapter 1 introduces the book, and importantly outlines research methods adopted in the book (pp. 28–31). In addition to case studies in three purposively selected countries, the book employs a strong doctrinal approach in examining the relevant literature and laws. Conceptual and theoretical approaches to privacy in general and information privacy in particular are treated in Chapter 2. Chapter 3 considers international instruments on privacy including the privacy provisions of the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR) as well as the UN Guidelines on Computerized Personal Data Files.In discussing the ICCPR regime, the author mentions the “inter-state communication” procedure and its weaknesses in addressing information privacy (p. 82), but completely omits the rather relevant “individual communications procedure.” This is a significant lapse, given that the individual communications procedure established under the first Optional Protocol to the Covenant is the primary channel by which privacy cases against state parties are brought to the Human Rights Committee.3 Indeed, there have also been information privacy–related cases adjudged by the Committee.4 This chapter also regrettably fails to consider General Comment 16 of the Committee, which addresses information privacy to some degree. The Comment, for instance, provides that states' positive obligation under Art 17 includes the regulation by law of automated collection and processing of personal information both by the public and private sectors.5 This, in short, means that Art 17 requires states to pass information privacy legislation. Further, the Comment briefly outlines four major principles of information privacy law: “principle of information security,” “use limitation principles,” “principle of data subject participation,” and “principle of information quality.”6An additional gap of this chapter is that it fails to discuss other relevant UN instruments that have a direct bearing on information privacy. One such instrument is the UN Convention on the Rights of Persons with Disabilities, which touches on information privacy to some degree. It, for instance, requires state parties to ensure protection of “personal, health and rehabilitation information of persons with disabilities.”7 Details of this proviso are furthered in a dedicated provision. While requiring state parties to collect reliable information for purposes of formulating sound policies in the interest of disabled persons, the Convention attaches a number of requirements that must be complied with in the course of collecting and maintaining such statistics. It requires such processes to (i) comply with information privacy principles to ensure privacy and confidentiality of the information and (ii) comply with internationally accepted norms and principles.8 As a UN Convention with several African state parties, it deserved treatment in the book. Other sectoral information privacy instruments, such as the ILO Code of Ethics on the Protection of Workers Personal Data of 1997 and UNESCO's Declaration on the Human Genome and Human Rights, could have also been highlighted in Chapter 2.Chapter 4 considers regional systems for the protection of information privacy beginning with the European Convention on Human Rights and Fundamental Freedoms (ECHR), European Union instruments, and initiatives at the Arab League (pp. 91–208). The chapter has a largely descriptive tone, and readers are left wondering what value the discussion would add to the thrust of the book. While the book highlights in several parts the European influence in shaping information privacy lawmaking in other parts of the world, including Africa, this chapter could have been a pertinent place to note this important point.Chapter 5 examines information privacy law in Africa. It begins by providing a lengthy historical, socioeconomic, political, and cultural background on the continent (pp. 211–27). Further considered are factors that determine the development of information privacy legislation in the continent. Factors such as technological developments are identified as positive factors, whereas a lack of awareness about privacy risks is presented among factors that negatively limit the growth of continental law of information privacy (pp. 229–64). In discussing African concepts of privacy, the author makes reference to the communitarian notion of ubuntu to draw conclusions about the level of value accorded to privacy in Africa, a continent of significantly heterogeneous polities. Relying on the notion of ubuntu—which represents mostly the southern part of Africa—the author concludes that the African concept of privacy is more an import from the West than an indigenous notion (pp. 228 et seq.). Readers might find this claim to be a generalization about a rather heterogeneous continent of fifty-four nations with diverse ethnic and cultural backgrounds. A fairly accurate observation about privacy paradigms in Africa—and also in other non-Western societies for that matter—is that no society is inherently and uniquely for or opposed to privacy interests/values. Prevalent social, economic, and political factors over centuries determine the level of interest toward privacy. That is most probably the reason why non-Western societies in Africa and Asia have been late in introducing legal instruments that protect information privacy.Regional and subregional instruments on information privacy are also considered in this chapter (pp. 268–302). Of these instruments, the absence of an express privacy provision in the African Charter on Human and Peoples' Rights receives only a brief mention (pp. 268–69). The omission of a right to privacy provision in the Charter has been the source of a rather illogical conclusion about the absence of innate privacy demands in African societies. Due to the fact that several African countries have had some form of privacy protections in their constitutions and civil laws long before the Banjul Charter was adopted, this could only mean that the absence of a privacy provision probably was a mere drafting oversight. This also finds support in the inclusion later in 1990 of a privacy provision in the African Convention on the Rights and Welfare of the Child (see Art 10).Chapters 6 to 8 examine the three case studies based on a mixture of doctrinal analysis of applicable laws and empirical information collected through interviews.The case studies examine information privacy law and practice in Mauritius, South Africa, and Tanzania. While the last two had merely draft information privacy legislation at the time the book was written, Mauritius had freestanding information privacy legislation. These chapters are exhaustive and well written. The discussions follow a top-down approach in that the examination of relevant laws starts from constitutional privacy provisions, specific information privacy laws, and other subsidiary pieces of legislation with potential applicability to the protection of information privacy.Chapter 9 offers comparative conclusions and findings from the three case studies. An interesting conclusion in this chapter is that widespread recognition of constitutional rights to privacy in Africa is scarcely out of genuine desire to protect privacy but is rather either colonial inheritance of constitutional documents that happen to recognize privacy or mere capitulation or following suit with the international human rights standards (pp. 470–71). And, enactment of information privacy legislation since the early 2000s in Africa is presented primarily for economic reasons—to attract foreign investment from Europe, which sets higher information export standards (pp. 471–72). But the author concludes with an optimistic view that information privacy is bound to be an important public policy matter in Africa as awareness increases over time (p. 474).Chapter 10 is a postscript to highlight developments that took place between the submission of the thesis in 2012 and the publication of the book in 2014 (pp. 476–78). But given the two years in between and the nature of new developments highlighted in the postscript, one might wish that these were rather addressed in full in the book. Little actually appears to have changed in the published book from the original thesis in terms of substance.9In the “Future Agenda” section of Chapter 9, the author notes the need to study information privacy law and policy in other parts of Africa, particularly northern Africa—and in relation to specific sectors such as health and digital communications (pp. 474–75). The recently published edited collection—that is, African Data Privacy Laws—is the fruition of that agenda.10 As the author notes in the preface of the book, the collection builds on the study he undertook for his PhD thesis. In terms of the book's general purpose, it is parallel to Graham Greenleaf's recent book on Asian Data Privacy Laws: Trade and Human Rights Perspectives.11The essays appear to have been written by the first-generation African early academic researchers (except the three Portuguese contributors) who ventured to explore new continental legislative measures to address legal issues raised by modern communication technologies. The book generally has a descriptive tone, and the case studies follow almost the same approach in analyzing the present socioeconomic and political conditions as well as the applicable information privacy legal framework in each country surveyed. As such, this review does not perform a chapter by chapter review of the book. Instead, it focuses only on major themes addressed by the book and its strengths and weaknesses.African Data Privacy Laws is organized into three parts. Part I contains a chapter that aims to provide context to the state of information privacy lawmaking in Africa. Part II consists of seventeen chapters that detail information privacy legislation in twenty African countries, while Part III closes the book with a chapter on the future of information privacy in the continent. Unlike most edited collections, this book does not contain an introduction that puts the work in context and provides highlights of forthcoming chapters. Such an introduction is more useful for collections of case studies as it is best placed to inform readers about, for instance, the methodology employed to pick countries for case studies. This is missing from the book under review, and even the preface is used for the sheer purpose of extending gratitude and a brief statement about the purpose of the book.Readers do not also find a proper prologue in the first chapter of the book, which, authored by the editor himself, provides a straight history-intensive context to information privacy policy in Africa. For a book that surveys just twenty countries from a continent of fifty-four countries, the lack of a clearly defined methodology might make the selection appear random—and the conclusions appear to be generalizations. Africa's unique and deep socioeconomic, religious, political, and ethnic heterogeneity compounds the concern. That said, although the book does not state its methods, it has fairly picked countries from northern, eastern, western, and southern Africa.A striking takeaway from this introductory chapter is the author's claim that the recent proliferation of information privacy legislation in several African states is triggered by economic or trade considerations rather than by human rights concerns (p. 21). Readers might find this claim extraordinary as it appears to overlook the fact that almost every country surveyed in the collection already had a broader right to privacy in its constitution. This, of course, features prominently in the essays of the book that begin the sketch of the applicable legal regime with a recitation of constitutional provisions on the right to privacy.Another point worthy of emphasis is that the book makes only incidental references to the AU Convention on Cybersecurity and Personal Data Protection (pp. v, 19–20, 377–78) and other subregional instruments. But, given the continental focus of the book, these instruments deserved a chapter or two—if not a part (given that a mere concluding chapter is left for Part III). In discussing information privacy in Morocco (p. 36), the author/editor reluctantly notes that Art 17 of the ICCPR does not impose a positive obligation on state parties to enact information privacy legislation. This is, however, incorrect. The Human Rights Committee, as noted previously, has hinted in General Comment 16—and as one could also easily glean from sub art 2 of Art 17—the obligation seems patent. This later finds some form of reference toward the end of the book (Chapter 15, p. 325). But it could have appropriately been discussed as a common theme of the book—perhaps in Chapter 1—since countries surveyed in the book all have ratified the ICCPR.Overall, the book has a visibly descriptive penchant, and readers familiar with Greenleaf's book that exhibits remarkable rigor and depth of analysis might find this collection of essays not to be adequately rigorous in analysis and sound in structure.The primary advantage of the book is, however, that it will be an instructive and informative sourcebook for individuals and organizations in tracking the development of information privacy law in Africa. It is indeed the first ever attempt to comprehensively compile applicable and proposed privacy laws in Africa. Civil societies such as Privacy International have been surveying the state of privacy in several African countries, but these advocacy surveys are largely focused on privacy rights violations rather than providing an elaborate exposition of applicable laws.12 Another effort in putting together applicable information privacy laws around the world was the Data Protection Laws of the World Handbook. The Handbook, compiled by a global consulting firm called DLA Piper, provides an overview of information privacy regulation in close to one hundred countries.13 Information privacy regulatory instruments of several African countries are incorporated in this Handbook whose targets are businesses to allow them to gauge compliance strategies in countries in which they operate. What distinguishes Makulilo's books is that they provide an elaborate and exhaustive examination of emerging information privacy laws and policies in fairly representative African countries. In so doing, the author—and his contributors—have done justice to the developing field of African information privacy law in these two major projects. In conclusion, despite weaknesses highlighted in this review essay, the books are useful starting points for anyone interested in the evolving field of information privacy law in Africa.