According to the International Network of Privacy Law professionals, the history of data protection and privacy can be traced back to 1890 when two United States lawyers, Samuel D. Warren and Louis Brandeis, wrote the article ‘The Right to Privacy’. The article argued that people should have the ‘right to be left alone’, using the phrase as a definition of privacy. The first legal document to provide for this right is the Universal Declaration of Human Rights of 1948, which adopted, as its 12th right, the ‘Right to Privacy’. Since then, many countries have included this right as a fundamental right of their citizens. For example, the South African Constitution contains the right to privacy in Article 14, the Moroccan Constitution under Article 24, and the Ghanaian Constitution under Article 18.
Privacy is a right that is guaranteed by law, and it is a fundamental right accrued to individuals because they are human beings. Data protection, on the other hand, is defined by the Oxford Dictionary as a set of legal controls that keep information stored on computers private, and that limit who can read it or use it. In the case of data protection, as it relates to privacy, the focus is on personal information. So data protection and privacy are both created by legal regimes. Globally, 128 out of 194 countries had put in place legislation to secure the protection of data and privacy, according to the United Nations Conference on Trade and Development (UNCTAD). In Africa, only 29 out of 54 countries have an established legal regime for data protection. Some have started developing the laws.
Privacy is interpreted in diverse ways. These interpretations include the right to be free from observation; to be left alone; to keep one’s thoughts, beliefs, identity, and behaviour secret; and to choose and control when, what, why, where, how, and to whom information about oneself is revealed, and to what extent. This right is directly connected to the right to freedom of expression and association. There is a need for anonymity if an individual’s rights are to be protected.
Many users choose to access the internet anonymously, for a variety of reasons. One tool which helps users remain anonymous is the Tor concept, open software developed to protect personal privacy and freedom by anonymising traffic and preventing traffic analysis and surveillance. Similar to various encryption tools, Tor provides security and may even save the lives of activists and journalists working in politically unstable parts of the world.
However, the freedom from identification has created an environment for criminals to operate anonymously. It has also emboldened certain individuals to communicate cruel, discriminatory, racist, hateful, and/or other forms of harmful speech to others, which they would not otherwise have done if their identities were known. This creates a challenge for security agencies and law enforcement.
In recent years, the Snowden revelations that disclosed the use of surveillance programs by the United States National Security Agency (NSA), subsequent revelations of surveillance carried out in various other countries, and a rise in cybercrime and terrorism, have placed human rights in the context of security into sharper focus.
From a human rights standpoint, the right to privacy and other human rights should be protected. Encryption tools – including pervasive encryption – are essential to protect privacy. From a security standpoint, however, governments have reiterated the need to access encrypted data with the aim of preventing crime and ensuring public safety. This has put increasing pressure on internet and tech companies to allow governments access to data.
The interplay between encryption, privacy, and tackling cybercrime – and how to balance all of those issues – was highly debated when, in August 2021, Apple announced new measures for scanning iCloud Photos (i.e. user photos) for child sexual abuse material (CSAM). The measures were put on hold due to at least two issues: the first being that Apple’s ability to scan iCloud Photos was a privacy breach in itself; the second being that Apple could be strong-armed by governments to use the tool for their own undemocratic purposes. In light of those concerns, stakeholders are still debating what the way forward is.
In an information- or data-driven economy, the value of personal data cannot be overemphasised. Data is used to develop business models, provide an efficient platform for marketing of goods and services, understand the preferences of consumers, and develop products and services. However, because data, like technology, is neutral, it can also be used for harmful purposes. There have been high-profile cases of data breaches from Facebook, eBay, Equifax, and Uber. The personal information of hundreds of millions of individuals (social security numbers, addresses, credit scores, etc.) was compromised. In order to address the issue of privacy and security, balancing the fundamental rights of citizens against the threat of cybercrimes, various countries have developed laws and regulations to create rights of citizens over their personal data and regulate the access and use of such data, especially by law enforcement.
Perhaps the most popular of these laws is the European Union General Data Protection Regulation (GDPR). The law creates rules for organisations and companies on how to use personal data in an integrity-friendly manner. The law sets out principles for the processing of personal data, such as processing in a lawful, fair and transparent manner, and limitation of purpose, data and storage; it also provides for the data subject’s rights and ensures privacy by design. The GDPR, in recognition of the lack of boundaries on the internet, extends the jurisdiction of the law to cover organisations established in the European Union and organisations located outside the European Union that offer goods or services to EU residents or monitor their behaviour. This widens the scope of the law.
Another interesting area worth mentioning is the EU Data Protection Law Enforcement Directive. Generally, the practice in most data protection legal regimes was to exclude law enforcement activities, especially criminal investigations and issues that affect national security, from the application of the law. However, most countries have recognised that even when citizens are under investigation, they are still entitled to certain rights, including rights over how their data is processed. Based on this, countries are beginning to create special rules for law enforcement to maintain a level of privacy rights for citizens, even when they are under criminal investigation.
Best Practices
The Privacy and Data Protection Principles of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of 2013 provide a template for the principles of data protection, which has been adopted by data protection laws in various jurisdictions. The principles are:
Collection Limitation Principle: The collection of personal data should be limited based on the law and, where appropriate, the consent of the data subject.
Data Quality Principle: Personal data should be accurate and relevant to the purpose for which it is intended to be used.
Purpose Specification Principle: The purpose for collection should be specific and should only be used for that purpose.
Use Limitation Principle: Personal data, when collected for a purpose, should only be used for that purpose except with the consent of the data subject, or by the authority of law.
Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against risks such as loss or unauthorised access, destruction, use, modification or disclosure of data.
Openness Principle: There should be a general policy of openness about developments, practices, and policies with respect to personal data.
Individual Participation Principle: The data subject has rights which may include the right to obtain data relating to him from a data controller, or to confirm whether the data controller has data relating to him; to have communicated to him the data relating to him within a reasonable time, at a reasonable charge, if any, in a reasonable manner, and in a form that is readily intelligible to him; to be given reasons if a request for information on his data is denied, and to be able to challenge such denial; and to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.
The African Union Convention on Cybersecurity and Personal Data Protection states, under Article 8.1, that parties shall commit to establishing a legal framework aimed at strengthening fundamental rights and public freedoms, the protection of physical data, and punishing any violation of privacy without prejudice to the principle of free flow of personal data. Article 11.1 of the convention requires State Parties to establish an authority in charge of protecting personal data.
The Information Regulator (South Africa) is established pursuant to the Protection of Personal Information Act, 2013 (POPIA Act). Members of the Information Regulator (South Africa) began a new term effective 1 December 2021 following an appointment by the President. The new members were appointed after the Regulator took over the functions in terms of the Promotion of Access to Information Act (PAIA) 2000, and the coming into effect of enforcement powers in terms of the Protection of Personal Information Act (POPIA) 2013.
The Data Protection Law establishes the Agência de Proteção de Dados (APD) as Angola’s data protection authority. APD’s Organic Statute was established by the Presidential Decree 214/2016.
The Office of the Data Protection Commissioner (ODPC) Kenya was established in 2020 following the enactment of the Data Protection Act, 2019. The Act is expected to be supported by three sets of regulations: the Data Protection (General) Regulations, 2021, which set out the procedures to enforce the rights of data subjects, while elaborating on the duties and obligations of Data Controllers and Data Processors; the Data Protection (Compliance and Enforcement) Regulations, 2021, which outline the compliance and enforcement provisions for the Data Commissioner, Data Controllers, and Data Processors; and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021, which define the procedure that will be adopted by the Office of the Data Protection Commissioner in registering Data Controllers and Data Processors.
The Network of African Data Protection Authorities is an organisation of data protection regulators in Africa. It was established in Ouagadougou, Burkina Faso, in September 2016, at a side event to the African forum on personal data protection. It currently comprises several African privacy and data protection authorities from different geographical and linguistic areas, with the aim of setting up a platform for exchanges and co-operation between its members and making Africa’s voice heard in its dealings with partners around the world. The members are: Angola, Benin, Burkina Faso, Chad, Cape Verde, Gabon, Ghana, Kenya, Mali, Mauritius, Morocco, Niger, Nigeria, Sao Tome & Principe, Senegal, South Africa, Tunisia, and Uganda.
Please note that the International Standards Organisation (ISO) has a standard for data privacy. This is the ISO 27701 standard.
Finally, in recent times, an issue has emerged regarding the control and movement of data generally. This invariably affects personal data and privacy. The emergence of cloud computing has created a platform for ubiquitous storage of data. Thus data processing can take place virtually without recognition of geographical or national boundaries. The need for governments to keep pace with data collection, movement and control has led to policies that affect the flow of information on the internet.
Concepts like data sovereignty, data residency, and data localisation attempt to regulate the physical location of data. Data sovereignty refers to the principle that data, irrespective of where it is stored, must comply with the laws of a particular sovereign country. Data residency simply refers to a situation where the law specifies the physical location of the data. Data localisation refers to a mandatory administrative or legal requirement that data must be stored or processed, exclusively or non-exclusively, within a specified jurisdiction.
The argument in favour of data localisation is based on a few issues, namely, the interest of national security; protection of personal data and enforcement of data protection laws; securing faster and better access to data for law enforcement; advancing local economic competitiveness; increasing economic growth and boosting employment; and preventing foreign surveillance.
Internationally, various countries have created data localisation regimes. Russia has data localisation requirements for all personal data. Kazakhstan requires all data for servers on the country’s specific (.kz) domain. Australia requires health records to be stored locally. Canada requires public service providers to follow data localisation requirements. China has data localisation requirements that affect all personal, business, and financial data. India’s data localisation requirements apply to payment service providers and government procurement. The USA requires the data related to the country’s citizens to be processed and/or retained in that country. The data covered by these laws can range from all personal data to only specific types of data such as health or financial information.
However, the Indian National Institute of Public Finance and Policy argues that the assumption that data localisation will necessarily lead to better privacy protections is a fallacy. This is because the security of data is determined more by the technical measures, skills, and cybersecurity protocols put in place than by its mere location. Overall, the degree of protection afforded to data will depend on the effectiveness of the applicable data protection regime and not the location of data.