Privacy 8 May 2018

Personal Data Protection Guidelines for Africa

A joint initiative of the Internet Society and the Commission of the African Union

Introduction

In 2014, African Union (AU) members adopted the African Union Convention on Cyber Security and Personal Data Protection (“the Convention”) [1]. AU Ministers in charge of Communication and Information and Communication Technology (CICT) and Postal Services confirmed their commitment to the Convention in the African Union Specialized Technical Committee on Communication and ICT Ministerial Declaration (AU/CCICT-2).[2]

The Declaration set a strong objective of African action on cybersecurity and personal data protection to deliver benefits to Africa. In particular, it called on the African Union Commission (AUC) to develop guidelines on personal data protection (Para. 31).

To facilitate implementation of the Convention, the AUC asked the Internet Society (ISOC) to jointly develop the Privacy and Personal Data Protection Guidelines for Africa (“the Guidelines”). The Guidelines were created with contributions from regional and global privacy experts, including industry privacy specialists, academics and civil society groups.

The Guidelines emphasize the importance of ensuring trust in online services, as a key factor in sustaining a productive and beneficial digital economy. They also offer guidance on how to help individuals take a more active part in the protection of their personal data, while recognising that in many areas, positive outcomes for individuals depend on positive action by other stakeholders.

The Guidelines set out 18 recommendations, grouped under three headings:

  • Two foundational principles to create trust, privacy, and responsible use of personal data
  • Eight recommendations for action by the following stakeholders:
    • Governments and policymakers
    • Data Protection Authorities (DPAs)
    • Data controllers and data processors
  • Eight recommendations on the following themes:
    • Multi-stakeholder solutions
    • Wellbeing of the digital citizen
    • Enabling and sustaining measures

Privacy and personal data protection is a broad and ever-changing domain; the Guidelines are not an end-state—they are a blueprint for an evolving process of developing policy, operational guidance, and best practice, as new circumstances and requirements emerge.

Executive Summary

This section summarises the principal roles and responsibilities of the main stakeholder groups, with respect to personal data protection.

Governments and policymakers

Role: to empower the digital citizen, and ensure the online environment is trusted, safe, and beneficial to all stakeholders.

Responsibilities:

  • Increase their understanding of the benefits and hazards of the data-driven economy.
  • Understand the economic and social forces at work in the personal data ecosystem.
  • Cultivate the long-term social framework for trust in the digital economy, ensuring that the benefits are distributed fairly.

These are the goals of the foundational principles, and the enabling and sustaining measures.

Data protection authorities (DPAs)

Role: to increase legal certainty, by enforcing data protection laws, investigating alleged privacy violations, imposing sanctions where applicable, and working with the stakeholder groups and other DPAs.

Responsibilities:

  • Provide expert input to governments on data protection policy and laws.
  • Give clear guidance to data controllers and manufacturers/developers of products and services.
  • Deliver effective enforcement of data protection regulations, including investigation and sanctions.
  • Develop advice and help for data subjects.
  • Coordinate with other DPAs, in support of consistent cross-border data protection rules and enforcement.
Data controllers and their partners

Role: to create and apply responsible and sustainable practices for handling personal data, that reflect the data subject’s interests as well as those of the data controller and partners.

Responsibilities:

  • Maximise trust, as an expectation of the citizen/customer/user, as a benefit delivered by your services and products, and as an economic asset of your organisation. Trust enhances reputation, strengthens consent, and can deliver competitive advantage in a commercial context.
  • Tackle the practical problems of personal data protection (consent, data retention periods, data security, etc.), with the right blend of technical and procedural measures.
  • Increase the use of Privacy by Design (PbD) and value-based design[3] , as an integrated part of product/service development.
Citizens and Civil Society

Role: to create effective digital citizens; to become active stakeholders of their own privacy and personal data.

Responsibilities:

  • Understand the risks involved in online life.
  • Understand and exercise the rights relating to personal data, privacy and autonomy.
  • Develop your capabilities to protect their interests online, whether directly, or by using tools and services that help enhance their privacy.
  • Develop a collective voice (with consumer and civil society organisations) to shift the consumer market towards better privacy.
Multi-Stakeholder Tasks

Every stakeholder has a role in collectively creating a trusted online ecosystem that operates to the benefit of all.

Privacy is about respecting individuals’ expectations as to how their personal information is handled; privacy depends on a relationship of respect, between the individual and the stakeholders who collect and use data about them. Better online privacy happens when everyone who has a stake in it is part of the solution.

Many practical problems of data protection require collaborative action by more than one stakeholder; for example,

  • Development of best practice codes of conduct (DPAs, data controllers, industry bodies);
  • Creation and operation of certification schemes for data protection (DPAs, consumer organisations, standards and certification bodies); and
  • User consent, and respect for privacy contexts [4] (DPAs, data controllers, consumer bodies).

These are the actions recommended under the heading of “Multi-stakeholder solutions”.

Continue reading…

Endnotes

[1] https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection

[2] https://au.int/sites/default/files/newsevents/reports/33025-rp-addis_ababa_declaration_of_the_stc-cict-2_en.pdf (Para31)

[3] Most product design processes focus primarily on aspects such as function, form, aesthetics, and cost. Value-based design recognises that every design choice has an ethical dimension and integrates ethical considerations systematically into the design and development lifecycle.

[4] Privacy is often a matter of respecting the context in which information is disclosed, and not sharing or re-using it in other contexts (for example, not taking private medical data and publishing it in a newspaper).

  • AUCguidelines.cover thumbnail

    Personal Data Protection Guidelines for Africa

    Download
  • guidelines.PT thumbnail

    Personal Data Protection Guidelines for Africa. Portuguese version

    Download
  • AUCguidelinesARcover thumbnail

    Personal Data Protection Guidelines for Africa. Arabic version

    Download
  • AUCguidelines.cover thumbnail

    Personal Data Protection Guidelines for Africa

    Download
  • guidelines.PT thumbnail

    Personal Data Protection Guidelines for Africa. Portuguese version

    Download
  • AUCguidelinesARcover thumbnail

    Personal Data Protection Guidelines for Africa. Arabic version

    Download

Related Resources

Privacy 24 September 2019

2019 Online Trust Audit Methodology 

The 2019 Online Trust Audit will represent the 11th independent analysis and benchmark report of the adoption of security standards and responsible...

Internet of Things (IoT) 19 September 2019

Policy Brief: IoT Privacy for Policymakers

Introduction The Internet of Things, or IoT, is the latest wave of integration of technology into our lives and...

Building Trust 16 September 2019

Are Organizations Ready for New Privacy Regulations?

Based on 1,200 privacy statements, many are not prepared for coming regulations.