Inclusiveness is the practice of embracing every class of people in the society irrespective of race, gender, disability or others, especially those who might otherwise have been marginalized. Gender inclusion therefore entails the provision for all gender without discrimination against a particular sex, whether male or female. In the discourse of data privacy protection, since men are mostly referred to in legal framework, this is gender exclusion and gender inclusion will mean including women in the provisions for the protection and privacy in the same way as the men.

The digital gender divide brought about the speculations that men were more users of technology than women. Notably, research reveals that as at 2005 women were catching up with men in the use of internet. Women surpass men in number of app use, depending on the purpose, including the areas of health and medicine. Commercial growth rate for women’s participation in these online activities is greater than the one for men.

Kenya’s internet use by both gender is the same and stands at 29.7 while women’s use of mobile phone is higher standing at 92.7 compared to men at 90.0. WhatsApp and Facebook dominate social apps used by Kenyans across all ages. By gender, Kenyan men are more active in the use of Telegram (66.1%), LinkedIn (62.1%), and Skype (61.6%) while women are most active on Snapchat (61.9%), TikTok (53.6%) and Pinterest (50%). Money transfer increase the usage of mobile phones due to its convenience especially during the pandemic after the introduction of government restrictions on use of cash payments. In lower Eastern Kenya, more women than men were found to benefit from the use of mobile money transfer services (MMT) using their mobile phones.

The presence of women on the internet and their use of mobile phones bring to fore mechanisms on these platforms to regulate such use. This is because women may particularly be among the top list of vulnerable to have their privacy infringed by smart devices, apps, search engines and social media platforms. The UN Human Rights Council and the General Assembly have noted that violations and abuses of the right to privacy in the digital age may affect all individuals and have particular effects on women.

When it comes to the particular effect on women, privacy exposure, infringement, and other related issues are some of the concerns attached to internet use. Violation, cybercrime, third-party data sharing, gathering and exposure, online harassment, including the creation and dissemination of falsehoods and inaccuracies online are possible negative impact of social media use. Research provides that violations of their right to privacy in health issues have been found to be a disincentive to seeking care for subsequent deliveries for women.

International and regional data protection regulations contain provisions on data privacy and protection, from definition to establishment of systems, control etc. Presently the framework in many African countries are inadequate.  The sufficiency of these provisions for gender purposes are arguable. The mere fact that the right to privacy exist in constitutions does not preclude the adoption of a robust data protection law.

Nigeria has many legislations on data protection, yet not one is gender specific, or an expression of the recognition of its provision for women. While Kenya boasts of a robust data protection law, although still under analysis, the gender or women issue has not come up for consideration. The same can be said of South Africa with its robust human rights and women friendly legislations and policies. Indeed, the discourse with regards to women inclusion in the legal framework on data privacy and protection cannot be said to form the topic yet. This is even an upcoming topic in the academic circle, albeit a necessary one.

However, the field of data privacy and protection in Africa is still an evolving area and women inclusion can be contemplated and ensured now. The use of inclusive clauses like providing in definition clauses that where men is mentioned, it should be taken to include women may fill the gap. More research is also needed on women relating or dealings with the existing regulations. At this stage however, legislation or its reform to be gender inclusive or friendly may be necessary. Other approaches including budgeting for gender mainstreaming, already practiced by some countries may also be included.

The summary is that women should not be treated as afterthought in legislations, particularly in issues of importance like data privacy and protection in this information age, because a feminist internet is in the best interest of everybody in the society.

Dr Olayinka Adeniyi is a researcher on women’s rights at the Centre for Intellectual Property, and Information Technology Law (CIPIT) Strathmore University, Nairobi, Kenya. Her current research area is Gender and AI.

Kenya adopted the National Integrated Identity Management System (NIIMS) in 2019. The system was designed to create and maintain a national population register as a single source of information about Kenyan citizens and foreign residents in the country. The adoption of this system was met with numerous reservations particularly concerning security, privacy, and inclusivity. These issues were raised and challenged in the acclaimed Huduma Number case (Nubian Rights Forum & 2 others v Attorney General & 6 others; Child Welfare Society & 9 others (Interested Parties) that halted the nationwide biometric registration to collect the information for the NIIMS system and roll out of the Huduma number. The case resulted in the development of data protection laws and regulations, as well as additional legislation allowing for the establishment and use of NIIMS, which were not previously in place. The Government of Kenya began the first phase of the Huduma number rollout towards the end of 2020.

A risk-based assessment evaluates the digital ID system’s operation, privacy and security, the use of biometrics in the digital ID system, data lifecycle management, governance structures, and potential security threats. Privacy and security is an integral part of the functioning of the Digital ID system. The Huduma number case brought into question the system’s design, and its technical and functioning capabilities in ensuring the privacy and security of the data that would be processed for the proper functioning of the system. This is anchored to the operation of the NIIMS system especially in consideration of the use of biometrics which is highly susceptible to security threats. The system is vulnerable to serious threats due to the nature of the data collected and stored, the most serious of which are third-party data leaks and identity theft.  These potential threats are likely to negatively impact the data, the systems and the users whose data is stored and managed in the database.

The more data the system processes, the more complex the threats and the greater the need for strong security measures. These security measures are not only established by technical and organizational measures but also operational governance structures. Governance is significant in establishing public trust and protecting the constitutional right to privacy. The introduction of digital ID in Kenya led to the establishment of laws and policies that form the basis of governance that regulates the functioning of NIIMS. The Data Protection Act, 2019, the Registration of Persons NIIMS Regulations (2020), and the Data Protection (Civil Registrations) Regulations (2020) are the primary references for the statutory regulation of NIIMS. The risks posed by digital ID management systems cannot be overstated given the government’s continued reliance on personal data in providing services. The systems must therefore be continuously evaluated and improved while taking into account the risks the continued use poses to privacy, security, digital identity, and the overall functioning of the system.

NIIMS’s success or failure, will be determined by how well and consistently security measures are implemented. Access control mechanisms, network monitoring, and intrusion detection systems, are required to detect and respond to cybersecurity attacks. Most governments have established cybersecurity agencies, research centres, and standards and technology institutes to oversee such systems and ensure overall security within other systems that the public has access to. Running and maintaining such systems necessitates a consistent financial flow, adequately trained cybersecurity personnel, and a government that understands the importance of personal data privacy and security. The Kenyan government must take these issues into account, particularly in the system’s operation.

The transition to a digital ID management system is an unavoidable reality. Digital transformation, adoption, and increasing digitization opens the door to an infinite number of risks, those presently known, and those that might develop in the future. Vigilance on NIIMS’s technical infrastructure, potential security risks, and vulnerabilities, as well as the current legal framework, is necessary for determining whether the parameters established will remain sufficient in light of ever-changing processes and technology.

Florence A. Ogonjo is a Research Assistant at the Center for Intellectual Property and Information Technology Law (CIPIT) currently working on the research areas of digital ID, and Data Governance in Kenya.

Rachel Achieng is a Research Assistant at the Centre for Intellectual Property and Information Technology Law (CIPIT) currently working on the research areas of digital ID and data governance in Kenya.

The rationale for the implementation of an IPDT regulation arises from the realisation that it is pointless to establish a framework to protect personal data if those protections could be effectively circumvented by simply moving the data of the people it was designed to protect to another jurisdiction.^[2]

However, there is a concerning lack of clear and sufficient regulations, as exemplified by the newly proposed draft General Regulation^[3], which fails to provide a comprehensive supplementary IPDT framework to Part VI DPA. Furthermore, the ODPC has not conducted assessments on foreign jurisdictions, nor declared the minimum principles and characteristics of data protection laws that need to be satisfied when determining the adequacy of foreign data protection legislation. The lack of clear guidelines and criteria on lawful IPDTs enables organisations to flagrantly conduct cross border data transfers without concern for their data subjects and the possible violation of their privacy-related rights in foreign jurisdictions.

The paper, which is the extension of this blog, develops and proposes an evaluation criterion that shall be relied upon by the ODPC when determining the adequacy or proportionality of a foreign jurisdiction’s data protection laws in relation to the DPA.

Kenyan DPA

The DPA expressly provides that it shall ensure that the processing of personal data of a data subject is guided by the principles set out in section 25.^[4] Section 25(h) states that organisations must ensure that personal data is not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject. The significance of the inclusion of conditional IPDTs as a guiding principle to the DPA should not be considered a mere coincidence, as it attempts to address the mischief of circumventing obligations created under the DPA by transferring personal data to a more favourable or a deficiently regulated jurisdiction. The provisions of section 25(h) induced and influenced the provisions of the Part VI DPA on the ‘transfer of personal data outside Kenya’. The focus of the paper will be on the conditions under which voluminous and regular IPDTs are conducted, namely the Appropriate safeguard condition and the Adequate data regulation condition enshrined under Section 48(a) and Section 48(b) of the DPA.

The Kenyan IPDT framework does not establish a concise hierarchy of the conditions that may be used to conduct IPDTs. These conditions are, for the most part, consistent with the IPDT provisions of the GDPR. It is on this basis that the paper borrows elements from the GDPR’s IPDT framework in an attempt to address the inadequacies of the current Kenyan IPDT framework and establish a more definitive structure that may be relied upon to engage in lawful cross border data transfers.

Comparative Study

The paper shall briefly examine the global IPDT frameworks that are currently adopted and relied upon to determine the legality of IPDTs. The frameworks identified shall assist in supplementing the inadequacies of the DPA’s IPDT provision. More specifically, the paper shall refer to the General Data Protection Regulation (GDPR), its Recitals and guiding documentation, the Asia Pacific Economic Cooperation, Cross Border Privacy Rules (APEC CBPR) and OECD: 1980 Regulations and Revised and Updated Regulations on Protection of Privacy and Transport Flows of Personal Data. The identified frameworks shall inform the evaluation criterion and appropriate safeguards to be relied upon when conducting IPDTs as per Part VI DPA. In addition, the paper succinctly explores the need for the Kenyan IPDT framework to develop mechanisms enabling International Cooperation, Coordination, and Implementation of cross border transfers of personal data between the ODPC and foreign data protection supervisory authorities. Finally, the paper concisely develops an argument for the development of a more robust set of exemptions that permit data exporters to circumvent the Appropriate safeguard condition and the Adequate data regulation condition for conducting IPDTs.

In a nutshell, the paper advocates for the development of a more comprehensive Kenyan IPDT framework based on the current  foundation created by Part VI DPA. What is mostly learned from the conducted comparative analysis is the derivation of content and procedural principles, which are simultaneously present within the DPA and global IPDT frameworks. The authors also note that the adequacy guidelines reiterate that the data protection concepts do not have to mirror the GDPR terminology, but should reflect and be consistent with the concepts enshrined in the European data protection law. The ODPC may adopt a similar methodology, and evaluate a recipient’s data protection framework for synonymous concepts expressly defined under Section 2 of the DPA. Evaluation of the data protection concepts should not be limited to the DPA, alternatively, it should be inclusive of concepts furnished under subsequent regulations developed to supplement the DPA.

Amrit Labhuram is a Data Protection Lawyer and Research Assistant who works on Data Governance and International Personal Data Transfer research at CIPIT. He is currently pursuing certifications to be a globally recognised Data Protection Officer under the IAPP.

Micheal Butera is a Research Intern at CIPIT. He is currently working on a Data Localisation research project.

^[1] Data Protection Act (Act No. 24 of 2019) -<https://www.odpc.go.ke/download/kenya-gazette-data-protection-act-2019/#> on 12 July 2021.

^[2] Phillips M, ‘International  data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR)’ Human Genetics, 2018, 575-<International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR) | SpringerLink> on 12 July 2021.

^[3] Data Protection (General) Regulations, 2021 -<https://www.odpc.go.ke/wp-content/uploads/2021/04/Data-Protection-General-regulations.pdf> on 12 July 2021.

^[4] Section 3(b), Data Protection Act (Act No. 24 of 2019).

Disinformation on social media has been a growing concern in global politics for several years, and it is now exploding across Sub-Saharan Africa, where social media-based disinformation campaigns are increasingly being deployed by foreign entities and governments  to influence narratives.

Several socio-political and economic factors provide fertile ground for disinformation to thrive in African countries. The exploding youth population – with many coming online for the first time through social media – growth in the use and availability of internet-enabled mobile phones, ethno-religious conflicts, and insecurity are some of the factors that have contributed to the large amount of information accessible via digital media and provided new, fast-moving channels for spreading and amplifying false information.

This growth in disinformation in the region has presented a new stress test for emerging internet policy and legislative responses. For instance, in March 2020, Ethiopia enacted the Hate Speech and Disinformation Prevention and Suppression Proclamation to address hate speech and disinformation, which have historically troubled the country. However, it has been argued that whereas government regulation is legitimate to control hate speech, Ethiopia’s new law poses a threat to freedom of expression and access to information online.

In Cameroon, under the Law Relating to Cyber Security and Cyber Criminality, it is an offense to publish and propagate information online “without being able to attest its veracity” or truthfulness. In a July 2020 press conference, Cameroon’s Communication Minister, René Emmanuel Sadi, expressed concerns over “irresponsible” use of social media to tarnish the image of public officials or sabotage government actions and warned that those who continued to propagate such information on social media platforms would face the heavy arm of the law.

Other countries like Zimbabwe and Tanzania have broader media laws that have been used to target fake news. The various laws have been criticised for posing a threat to digital rights, especially when deployed as tools against critical opinion, the media, and dissent in African countries with democratic deficits.

Many African countries, including Cameroon and the Democratic Republic of Congo (DR Congo), continue to grapple with disinformation, with a high risk of online activity resulting in offline harm. This report reviews the situation in these countries, where – despite relatively low connectivity levels – disinformation presents a considerable concern.

As of 2017, Cameroon had  19.7 million mobile phone subscribers  representing a penetration rate of 85%, while internet penetration was 35.6%. Meanwhile, as of December 2019, the DR Congo had an internet penetration rate of 19.2%, while mobile phone penetration was 42%.

Conflict Awareness and Disinformation

Citizens in Cameroon and the DR Congo rely on a wide range of traditional sources of information (including print and broadcast media), alongside online sources to keep abreast of social, economic and political issues. However, social media has come to play an increasing role on issues related to conflict because mainstream media is censored by their governments.

In Cameroon, tensions between Anglophone and Francophone regions date back to the country’s independence in 1961. Over the years, there have been fatal violence and protest action against the continued “francophonisation” and marginalisation of English speakers who say that the central government privileges the majority French-speaking population.

In 2015, a video showing two women and two children being shot dead by soldiers in the Far North town of Zelevet started to circulate on social media. According to a July 2018 BBC Africa Eye investigation, the government initially dismissed the video as fake news. However, Amnesty International revealed credible evidence that the Cameroon military was responsible, prompting the authorities to retract and state that the 10 soldiers depicted in the video had been arrested and would be prosecuted. Five years after the incident, a military court convicted and sentenced the soldiers to imprisonment.

Whereas the BBC Africa Eye investigation into the shooting incident revealed that several people did not like to spread hate speech and graphic violence content online, sometimes they recognised that such content could include safety information, especially for those who live in conflict areas.

In the DR Congo, a history of armed conflict has left millions dead and the country destabilised, with continued violence perpetrated by several armed groups active in the region, including the Allied Democratic Forces (ADF), the Democratic Forces for the Liberation of Rwanda (FDLR), and numerous militias. The United Nations Organization Stabilization Mission in the DR Congo (MONUSCO) has operated in the region since 1999 and is the largest UN peacekeeping mission in the world.

During the 2018 elections that had been long awaited, there were reports of widespread election irregularities, with competing political parties claiming to be in the lead as several unofficial tallies started to circulate on social media. Sponsored content from Google and Facebook falsely alleged that former President Joseph Kabila’s surrogate, Emmanuel Ramazani Shadary, had won the elections. The ads were published before the official results announcement by the Electoral Commission, which had been delayed. There were internet shutdowns in key cities, which made it even harder for fact checkers to verify any information related to the elections.

Considering the elections had been postponed from November 2016 to December 2017, and then to April 2018, the circulation of false election results could have prolonged the cycle of instability.

 Role of the Diaspora Community

The diaspora community is a huge contributor to the inflaming of tensions online in both countries, often through fake accounts that regularly share hateful and inciting content against rival political factions.

During the 2018 elections in Cameroon, there were several instances of social media posts from the diaspora claiming that long-serving President Paul Biya had died. Biya went on to win the disputed elections, and two years on, social media content, often from the diaspora, continues to fuel political and ethnic tensions.

With the conflict in Anglophone regions leading to calls for a break-away state and separatists actively seeking support from the Cameroonian diaspora, there is an ongoing risk that online content that depicts the Cameroonian government as repressive and violent could result in offline harm.

As for the social media posts falsely claiming that Shadary had won the 2018 presidential election in DR Congo, considering the internet disruption at the time, indications are that the perpetrators of the sponsored ads and admins of the accounts in question were based in the diaspora. Lumumba aime LE CONGO (Lumumba loves Congo), which was among the key propagators of the ads, had been created just before the elections and traded on the likeness of Patrice Lumumba, a famous independence leader. Besides content claiming victory for Shadary, the page also shared posts from several fake domains or news aggregation websites like CongoActu24.com. This was another example in which disinformation had the potential to lead to offline harms within a fragile political environment.

Pandemics

Like in other African countries, Cameroon and DR Congo have seen a surge in Covid-19 disinformation online, some of it pegged on cultural, political and religious sensitivities including promotion of herbal remedies, steaming, alcohol, contradictory and speculative reports about treatments and/or confusing guidance about standard operating procedures (SOPs).

The spread of disinformation around diseases can be a public health risk, as has been the case in Cameroon and the DR Congo regarding Ebola and, more recently, Covid-19. Disease disinformation undermines confidence in underlying science, slows down sensitisation, politicises health activities and questions the motives of health officials.

DR Congo is no novice to pandemics, having borne the brunt of the Ebola outbreak between 2017 and  2019. In May 2020, France 24 News reported a Covid-19 fake news campaign in DR Congo. The France 24 reports were later corroborated by Facebook and DFRLab, which linked the network to a politician called Honore Mvula. The network carried several Covid-19 false claims attributed to public figures including French infectious disease expert Didier Raoult, French president Emmanuel Macron and Madagascar president Andry Rajoelina and these made rounds on Congolese Facebook pages, recording a high rate of engagement. Mvula denied the allegations against him. Facebook took down the pages.

Internet Disruption

Cameroon and DR Congo have a history of ordering internet disruptions on multiple occasions during public protests and elections. In January 2017, internet connectivity was restricted in the Anglophone region of Cameroon following dissent and calls for succession from the Francophone region. The disruption, which lasted for over 230 days until March 2018 is recorded as the longest internet shutdown on the continent.

Similarly, in the DR Congo, instability in the country has been continuously characterised by persistent internet shutdowns since December 2011. Following a relatively peaceful voting day on December 30, 2018, the government shut down the internet on December 31 and progressively, broadcast  media, and expelled some international journalists reporting on the elections. The official reasons provided by policymakers were “to avoid fake results from circulating”.

According to analysts, the internet shutdown in Cameroon cost the economy USD 1.67 million per day, while the shutdown in DR Congo  cost the economy USD 3 million per day.

Internet shutdowns during elections are a common and growing trend of digital repression especially in authoritarian countries in Africa, whose leaders have been in power for many years. When governments impose information blackouts or curtail the free flow of information online through other means, disinformation thrives as fact-checking and the production of counter-narratives are hampered. In the case of Cameroon and DR Congo, that disinformation, much of it originating from the diaspora, propagates hate speech and disinformation that threaten to exacerbate civil strife and undermine electoral integrity. In turn, the shutdowns and the disinformation propagated by state and non-state actors, are eroding technology’s potential to enhance electoral integrity, to civic engagement and the fight against diseases such as Covid-19.

Overcoming Disinformation

Accounts of targeted messaging during elections have become common, and they are particularly concerning as the content of the messages is often misleading, out-rightly false, or inciting. This recent rise of online campaigning through social media platforms has thus raised further concerns about how the required data is obtained, the extent to which African democracies are vulnerable to foreign interference, the ways in which social media algorithms are prone to manipulation, and the ethics of using African countries as a testing ground for new digital technologies.

Whereas efforts to legislate against disinformation are human rights pressure points, alternative countermeasures, in collaboration with social media platform operators, hold some promise. In 2020, several sub Saharan African governments partnered with social media platforms and other intermediaries to fight Covid-19 disinformation. Earlier in 2018, Cameroon directly engaged with Facebook to explore opportunities for fighting the spread of false and misleading information within the country. Meanwhile, promoting digital literacy skills and fact checking capacity, and creating awareness about what is unacceptable content on platforms and how to report objectionable content, remain key needed actions. Hence efforts and other measures to combat disinformation and other harmful content, including around elections and in the fight against Covid-19, require closer collaboration between governments, civil society and platforms than we have witnessed this far.

Richard Ngamita is a Data Researcher who currently works on human rights, disinformation and espionage. He previously worked at Google with the Spam team. He has also led investigative research across health, agriculture and refugee movements.

In an increasingly digitised world, safeguarding data rights has become central to protecting individuals’ rights to access and share information, express themselves, and associate using the internet and related platforms.

Advances in technology, alongside growth in mobile subscriptions and increased use of smartphones have pushed individuals online to shop, interact, share and search for information, learn, and work, alongside digitalisation of more sectors of economies and public services. As a result, there is increased collection, processing and sharing of personal data. With many users of Information and Communications Technology (ICT) not aware of the implications of their use of digital technologies and how their rights are compromised, the potential for the data to be manipulated and abused by individuals, private companies and governments is ever-present.

At the end of 2019, 477 million people in Sub-Saharan Africa were subscribed to mobile services, accounting for 45% of the region’s population. According to the GSMA, the group that represents the interests of mobile operators worldwide, smartphone adoption continues to rise rapidly in the region, reaching 50% of total connections in 2020. Meanwhile, as of 2019, there were 469 million registered mobile money accounts in Sub-Saharan Africa, a figure that was expected to reach half a billion in 2020.

From the provision of eServices, to digital identity (or digital ID), voters registration, drivers’ license applications and issuance, through to mobile phone SIM card registration, public and private service bodies including immigration authorities, law and security enforcement, health service providers, telecom operators, and digital financial service providers are among the big collectors and processors of personal data in Africa. Increasingly, the nature of personal data being collected is expanding, to include biometric data such as facial images or fingerprints.

What is Personal Data?

Personal data refers to information that relates to an identified or identifiable natural person by which that person can be identified, “in particular by reference to an identification or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.”

Upholding individuals’ data rights implies their personal data must be kept private and should not be known, stored, or used by unauthorised parties. Upholding data rights is then a central pillar of the long-recognised right to privacy, which national laws and international human rights frameworks such as the international bill of rights guarantee. Notably, the right to privacy is pivotal in a democratic society as it is both an enabler and reliant on the enjoyment of other rights, such as freedom of expression, information and association.

As businesses, governments, and civil society organisations seek to maximise value of increased data flows, the dangers of cyberthreats, cybercrimes, surveillance, and general data misuse pose threats that require national, regional, and international action to address. At the same time, excessive restrictions on the flow of data between countries can undermine regional economic benefits if no best practices are adopted on how data should flow, be stored, protected, and disposed – Building an Enabling Environment for Inclusive Digital Transformation in Africa.

Poor or missing legal protections for personal data, abuse of existing laws by state agencies including security agencies and by private companies, and poor digital security practices by citizens, are exacerbating the erosion of many African citizens’ data rights. With increased data collection has come increased state surveillance and data privacy breaches. Worryingly, many African states are increasingly using data to undermine citizens’ digital freedoms, such as by conducting real-time monitoring, surveillance of citizens’ social media and intercepting telephone communications. In some instances, this has led to arbitrary arrests and prosecutions of individuals.

Moreover, telecoms and internet service providers are required by law to comply with user information requests or requests for assistance from the government, including the common requirement to install software to facilitate the state’s conduct of surveillance and monitoring of citizens’ communications. Many governments are indeed accessing subscribers’ data from telecom companies with limited oversight and hardly any transparency. Even where service providers feel constrained about regulator directives, they are often overcome by the need to continue operations and agree to restrict data rights.

In such countries, digital rights are under threat and, resultantly, citizens are losing the appetite to participate in public affairs, and they often practice self-censorship in their engagements over digital platforms. This undermines the philosophy of a free and open internet that drives innovation, enables the enjoyment of rights and improvement of livelihoods.

In many countries, the digital rights situation worsened during the Covid-19 pandemic, as governments suspended respect for several rights, collected lots of private data and conducted surveillance without sufficient oversight, safeguards, or transparency.

The State of Internet Freedom in Africa 2020 Report found that the fight against Covid-19 has had a fundamental impact on digital rights and freedoms including freedom of expression, access to information, privacy, assembly and association. It has also undermined civic participation and, in many countries, deepened the democracy deficit.

In responding to the Covid-19 pandemic, countries across the continent adopted a series of Covid-19 regulations and practices, including deploying surveillance technologies and untested applications, to enable them conduct lawful collection and processing of personal data for purposes of tracing, contacting, isolating and treating those found to be positive or their contacts. These measures were quickly adopted and the collection of personal information continues, and in some cases without adequate regulation or oversight – State of Internet Freedom in Africa 2020: Resetting Digital Rights Amidst the Covid-19 Fallout

In several African countries, there are inadequate safeguards and limited oversight to guard against potential violations of digital rights arising out of the implementation of laws, regulations, systems, and practices imposed to fight Covid-19. According to the United Nations, the use of emergency powers and tools of surveillance technology to track the spread of Covid-19 must be non-intrusive, limited in time and purpose and abide to the strictest protections and international human rights standards governing privacy and personal data.

Concerns over data handling during the fight against Covid-19 and how that harmed digital rights informed the formation of the #RestoreDataRights movement, that is promoted by a group of African and international civil society, academic and philanthropic partners. Launched at the end of 2020, it is premised on the conviction that our fundamental human rights – including those exercised in cyberspace and over our personal and sensitive data – should be respected and upheld during and after the Covid-19 public health emergency. Furthermore, decision-making processes around how sensitive data are collected, shared and used to tackle the Covid-19 pandemic in Africa should be transparent, inclusive and accountable.

There has also been a proliferation of retrogressive laws, procedures and practices such as the systematic criminalisation of online communication and dissent, the arbitrary arrest, illegal detention, flawed prosecution and excessive punishment of government critics. On a continent where digital authoritarianism is rising, the legitimisation of surveillance, censorship, and breaches in the rule of law during the coronavirus crisis could create a new normal that erodes internet freedom for years to come.

There is therefore a need to have strong data protection laws; to educate citizens to protect their data and to demand their digital rights; and to have strong, well-resourced and independent data protection authorities. It is also crucial to establish clear and well-publicised complaint mechanisms in cases of data privacy breaches. Meanwhile, private companies should institute stringent measures to protect data privacy and integrate ‘privacy by design’ in any applications they develop, partner with civic actors and public officials to promote digital rights, and be transparent about their data handling practices.

These measures would enable accountable data governance that respects citizens’ data rights and advances wider internet freedoms in Africa. Further, they would enable robust protection of digital rights and data rights, while providing scope for data openness that enables harnessing of data to serve the legitimate public interest.

At the onset of the Coronavirus disease (Covid-19), the prognosis for how Africa would manage the  pandemic was bleak. Many (mostly western-based) epidemiologists anticipated that the pandemic would kill millions of Africans. Researchers at the Imperial College London put the number of estimated deaths at three million as the worst case scenario if nothing was done.

As the pandemic ravaged the western world, however, many of these scientists and analysts were mystified by the comparably fewer deaths in Africa. While many credited Africa’s young population, less travel infrastructure, and a stroke of luck for this success, John Nkengasong, Director of the Africa Center for Disease Control and Prevention, attributed this early success to African countries taking radical preventative steps very early on.

Having dealt with epidemics such as Ebola in recent years, many countries in Sub-Saharan Africa were more prepared and had more supportive infrastructure in place than was apparent to outsiders. The harsh lockdowns, instituted at a terribly high cost to livelihoods of already poor populations, may have inoculated most of the continent from the kind of catastrophe that befell Italy, the United States of America (USA), the United Kingdom, Brazil and other countries.

This, however, is not to say that all African countries took the same scientifically sound responses to the pandemic. Some governments took a dismissive approach to the disease. Some outrightly denied its existence. In all instances, there have been significant social-economic and political costs.

A Deadly Infodemic

From presidents to religious, and opinion leaders, through to citizens, a small, but influential group of Covid-19 skeptics harmed an otherwise somewhat successful response to the pandemic on the continent.

Increased spread of false and misleading information about the virus via social media platforms has exacerbated the problem, often across demographics –  the educated and uneducated, young and old, rural and urban. African ‘WhatsApp aunties’ have been the most susceptible to, and purveyors of, Covid-19 misinformation, a phenomenon that compelled the World Health Organization (WHO) Africa Office to directly appeal to them to join the fight against misinformation.

However, when a government, under the tutelage of a powerful president, leads the misinformation campaign, the dynamics become different in scope, and the impact to public health and safety can be more catastrophic. Some governments have weaponised Covid-19 information and data to narrow the democratic space and muzzle political opponents.

For example, the governments of Tanzania and Burundi, led by their outspoken and populist presidents, outrightly denied the existence of the virus, stopped sharing data with WHO, and even harassed WHO officials based in those countries who were tracking the virus. Both presidents have since died – officially from heart-related complications but suspicions abound that they succumbed to the coronavirus disease. Both countries continue to reel from multiple deaths, attributed to ‘acute Pneumonia’, which independent experts say is a euphemism for Covid-19.

Acase study of Burundi and Tanzania: one learned its lesson and changed tack, the other stayed the course with devastatingly different outcomes for both of them.

Tanzania

When neighbouring countries such as Uganda, Kenya and Rwanda were frantically scrambling to shut down borders, schools, economies, and enforce mandatory curfew and quarantines, the Tanzanian government did not institute a lockdown and emphatically told its people that their daily routine would remain unchanged. Markets, churches, sports events, bars, and restaurants remained open even after the country confirmed its first case of Covid-19 on March 16, 2020. Two months later in May 2020, authorities stopped updating the WHO with Covid-19 statistic, which at the time stood at 509 cases and 21 deaths.

President John Pombe Magufuli incredulously claimed that the virus was not real, and that he had ordered tests for goats and pawpaws which had all returned positive results. In any case, he said, if the virus was real, God would protect the country. The government made no plans to order for vaccines which Magufuli termed a western plot to exterminate his people. Instead, Magufuli encouraged steaming, using natural remedies, and most importantly he encouraged prayer.

In the meantime, there were an increased number of deaths attributed to pneumonia in Tanzania, with the dead buried under the cover of night, and relatives cowered into silence. With an official policy of not reporting Covid-19 cases, the full scale of the virus’ toll in Tanzania is impossible to tell.

In February 2021, the Catholic Church of Tanzania broke its silence, reporting that up to 25 of its priests and 60 nuns had died of Covid-19, and when the Vice President of semi-autonomous Zanzibar died, the government there admitted Covid-19 was the cause of death and urged citizens to take precautions. Several high-profile individuals, including cabinet ministers, died but the government remained in denial. In one infamous incident, the country’s Finance Minister was taken from Intensive Care and paraded before the media to dispel rumours that he was dead. In coughing fits and clearly weak, surrounded by mask-less officials, he struggled to make a statement.

When President Magufuli disappeared from public view for weeks in mid-February, the country was rife with speculation that he had contracted the virus. The government dismissed the reports as untrue and claimed that the president was “busy working hard” for the country. Opposition leaders claimed that Magufuli had been flown to Kenya on life support due to Covid-19. This was again dismissed by the government. On March 17, 2021, the government announced that the president had died from heart disease.

Burundi

In May 2020, Burundi expelled WHO officials for questioning the wisdom of holding a presidential election amidst the pandemic. At the time, the country had not instituted a lockdown or any other preventative measures. A general election went on with massive rallies. By June 24, 2020 the country had reported 144 cases and one death, amid criticism that the true scale of the pandemic was not being reported. Civil society and health workers were purportedly gagged from talking about the virus.

The shocking death of outgoing president Pierre Nkurunziza in June 2020, however, seems to have caused a change of heart in the new leadership. Officially, Nkurunziza succumbed to a heart attack. However, many analysts alleged Covid-19. His wife had earlier been evacuated to Nairobi, Kenya for treatment, allegedly for the virus.

In July, the incoming government adopted a new Covid-19 response strategy, putting in place measures and restrictions including mandatory Covid-19 negative test results and quarantine at a government designated facility for incoming travellers. Land borders with the Democratic Republic of the Congo and Rwanda were closed and the new president declared Covid-19 “the biggest enemy of Burundians.”

Both Magufuli and Nkurunziza were fervent Christians, the Tanzanian a devout Catholic, the Burundian a Pentecostal, and both had a penchant for populist politics. The intersection of religion, social media misinformation and populism in the two presidents’ approach created a perfect combination for an anti-science, conspiracy-filled fertile ground for Covid-19 misinformation to thrive.

Weaponisation of Social Media

Only 22% of the continent’s population has internet access. While the digital divide between rural and urban Africans is still wide, with increasing availability of cheap smartphones, and enabling infrastructure like rural electrification and broadband programmes, there is increased access to information via online platforms compared to traditional broadcast media. This is creating a challenge with communities that are not media-savvy and are unable to decipher context or fact-check information received, and are therefore more prone to misinformation.

Consequently, social media has had a devastating role in fueling Covid-19 misinformation in Africa.  From ‘WhatsApp aunties,’ to religious leaders who claim that the virus does not exist, or that Africans are immune to it, or that it is just the flu, or a punishment from God, the information ecosystem has been fostering faster spread of Covid-19 denialism. This ecosystem feeds off each other, mutates and multiplies just like the virus itself as it moves easily and seamlessly across platforms reaching broad audiences. An obscure video from Brazil will reach the remotest village in Nigeria within minutes.

Socio-Economic Impacts of Covid-19 Denialism

As more African countries procure vaccines and inoculate citizens, it is expected that the pandemic will soon recede, and economies are revived. Approaches like that of Tanzania will likely harm its once thriving tourism industry as more tourists perceive it as an unsafe destination. Already, a number of countries have banned flights to and from Tanzania, including some neighbouring ones like Kenya that have closed some borders with the country. Most Western embassies currently maintain the highest-level travel risk advisories against the country. Prior to the outbreak of the pandemic, tourism was Tanzania’s fastest growing sector, employing over 10% of the total workforce and serving as the largest single source of foreign currency. The proposed adoption of Vaccine Passports, if implemented, is likely to further isolate the country.

Corruption and Covid Conspiracies

Meanwhile, Covid-19 has turned out to be not just a health and economic crisis but also a corruption crisis. The 2020 Corruption Perceptions Index (CPI) released on January 28, 2021 by Transparency International reveals that persistent corruption is undermining health care systems and contributing to democratic backsliding amid the Covid-19 pandemic. Politicians, from South Africa to Uganda, have taken advantage of the pandemic to illegally seize lucrative procurement deals, and gone on borrowing sprees, ballooning countries’ domestic and external debt in the process. This has further fueled conspiracies in some countries that Covid-19 and its numbers are a ploy by corrupt leaders to rip off taxpayers.

Ultimately, the seeds of misinformation, including a culture of mistrust and skepticism against the government, have the potential to affect public programmes implementation, in public health and beyond, as populations will continue to question the science and intentions.

Addressing the Covid Denialism Infodemic

• Misinformation counter-narratives: As fake news and misinformation thrive on social media, governments need to utilise the same platforms, including through champions, with counter scientific messaging to allay fears, misconceptions and conspiracy theories.
• Multi-agency coordination and collaboration: Close coordination and collaboration among fact-checkers, public health institutions and other communications stakeholders is essential for addressing the unique misinformation challenges faced today, “where informational ambiguity based on scant or conflicting evidence, or emerging scientific knowledge can exacerbate the spread of disease.”
• Narrow the Digital Divide: Dedicated efforts to promote connectivity in tandem with digital and media literacy programmes should be scaled up.
• Promote Covid-19 data transparency: Many African countries have established Covid-19 websites and information portals where infections, deaths and recovery rates are published. Meanwhile, the WHO Africa Region and CDC Africa run dashboards that are updated daily. However, many other governments still do not report routine Covid-19 data. Readily available, accessible data including on cases, procurement, vaccines, emergency relief and other measures will provide firsthand evidence to users and dispel misinformation and improve transparency around containment measures.

Bernard Sabiti is a Kampala-based Public Policy researcher and analyst focussing on the role of data and access to information in sustainable development.

As a mixed methodologist, I certainly do not wish to spark an internecine methodology war, but let me state at the outset that I stand with the qualitative researchers of social experience who agree that depending on the question, n = 1 is as valid as n = 100, and that this is also an ethical stance. As a buzzword, ‘data-driven’ is used to convey robustness, legitimacy and objectivity. Even when ‘big data’ is not referenced, ‘data-driven’ often implies data of the kind that has high frequencies—the data of the majority—where n = 1, or n = 30 might not viewed as objective or important. The tendency to trust machine-based data is rooted in the certainty of quantity. An algorithm can gather millions of data points, and some perspectives hold that this translates into an approximation of the truth. Depending on the inquiry this is easily co-signed, but research by Safiya Noble, Ruha Benjamin and many others informs us that we should abandon this belief in the objectivity of technology, particularly when dealing with social worlds (even models that calculate epidemiological risk during a pandemic turn out to be up for debate).

During a webinar on Inclusivity & Equity in Data Economies on September 3^rd we were able to mine the lived experiences of experts in the digital economy drawn from across the continent: Nichole Yembra (The Chrysalis Capital), Ebrima Fatty (Afrikasokoni), Simunza Muyangana (BongoHive) and Agostine Ndungu (Endeavour Kenya). The participants generally acknowledge the inherent bias in the investment arena that might lead to white fronting but, like many other actors I have encountered, differ on what the bias represents and where the solution lies (e.g. new policies in Kenya around co-ownership–some argue that preferences for one’s own is typical of social systems, and therefore not something worth legislating away).

The discussion reinforced that involvement in the digital economy arena almost requires a personal belief in the objectivity of markets—that markets are big data collection technologies in their own right. Any failures are often characterised as markets being distorted, rather than them working as they were designed. More data is often seen as a means for undoing these distortions. For instance, an expectation that if you can evidence the performance of Black-fronted firms, investments will follow the data.

When the claim is inherent bias in the investment market for digital enterprise, there is indeed a definite need for data to validate this claim. This is why, I thanked one of the participants, Agostine Ndungu, for generating the quantitative data that can mollify the “What’s you n” researcher whose scientific perspectival place is rooted in the validity of aggregates and frequencies.  But data, big or small, is not enough to undo ‘distortions’. Given the tendency to mistrust marginal, self-reported narratives, what exclusions and validation of exclusion does a machine-based, data-driven future hold? Who should we doubt and when? How can we create systems that allow ‘small data’ to provide the insight, balance and correction that might be needed?

These were some of the themes discussed during the latest Developing Data workshop on Data + Elections on 25 November 2020. The session was chaired by the project’s Principal Investigator Thomas Molony.

The first panellist was Laura Lazaro Cabrera from Privacy International. She gave a broad overview of the data exploitation in electoral campaigning ecosystem. It includes three main sources of data: electoral registers, canvasing, and third parties/data brokers. The third parties’ data can include things such as transactional data, consumer surveys, and behavioural data about online activity. Lazara Cabrera then explained that data is increasingly used by political parties for micro-targeting in a four-stage process. Firstly, the data is collected, then individual voters are profiled into small groups based on their attributes. Next, advertising material is personalised and, finally, personalised content is distributed on social media platforms to reach the targeted group.

Lazaro Cabrera also outlined some safeguards against data exploitation, such as data protection laws. Where they exist, they can require consent for data processing or give voters the right to ask political parties about the information they hold. In some cases, regulators will set further limits to the ways in which data can be used for micro-targeting. However, due to loopholes, data can often be used without consent.

The next panellist was Seema Shah of The Africa Centre for Open Governance. With a focus on both traditional and social media, she examined how big data can help actors in the political space understand and predict voter behaviour and facilitate targeted messaging. She then discussed how the associated reliance on algorithms is problematic, not just because they can be wrong, but also because, by making people into numbers, they downplay the understanding of people as people rather than at an aggregate level. The importance of context can be lost and citizens whose data is not represented in the data, because they do not have smart phones or social media, can be left out of the calculations political parties are making.

Next Shah gave the example of Cambridge Analytica taking over the branding of Jubilee’s campaign during the Kenya 2017 elections, and the misinformation that was circulating at that time. This led to her raising several broader concerns about micro-targeting. She pointed to concerns over privacy, the formation of online bubbles leading to people taking increasingly extreme positions, the undermining of media legitimacy, and the spread of misinformation undermining voters’ ability to make good decisions in elections. Ultimately, she argued, the companies employed to run micro-targeting initiatives are interested in profits not debating ideas or helping citizens and this is bad for democracy.

The final panellist was Boye Adegoke of Paradigm Initiative. He discussed digital rights in Nigeria. Although social media, such as Facebook had been used in conventional ways earlier, Adegoke argued that the 2015 elections in Nigeria were the first in which people became aware of the power of data. Cambridge Analytica was also present at that election, and it attempted to use religious tension to cause disaffection among certain sections of the electorate. However, as Adegoke explained, in this case the narrative was successfully countered.

Adegoke gave some examples that show political data is being marketed in Nigeria. In 2016, information about registered voters was put on sale by a broker despite their being no mechanism through which the electoral commission should have been able to release it. There have also been political cold-calls to mobile phones in which the callers refuse to disclose where they got the numbers. Although Adegoke argued that there is yet to be an effective use of social media during a Nigerian election, he pointed to weak data governance when he suggested that the scene is set for data to make a significant impact at future elections.

In the question-and-answer session a few further insights were brought out, including:

• There is still limited evidence as to how effective micro-targeting is in changing voter behaviour
• The issue of micro-targeting is still not well understood by broader electorates.
• One of the major reasons that states are reluctant to pass stronger data protection legislation is fear that it will be used against them.
• Much of the data exploited during micro-targeting is sold by low-level employees of electoral commissions and companies without authorisation.
• COVID-19 has implications for data and elections as it means voters will spend more time on digital devices and that contact tracing apps provide a new source of data.

Isaac Rutenberg set the tone for the discussion by explaining the rapid rise of digital IDs in the continent. They are implemented in various ways, often integrated with existing private and public sector systems, including, financial, mobile networks and social service systems. He invited panelists to reflect on new issues arising from the systems.

From a political science perspective, Nanjala Nyabola analysed how digital IDs change the balance of power. Traditionally, this balance was between the government and citizens but with digital ID, corporations had gained so much power that it was more realistic to analyse the balance as among the citizen, state and corporations. Taking the case of Kenya, Nanjala showed how corporations had gained surveillance power as had the state. However, the citizen, especially the marginalised ones, had less and less power. For example,  huduma namba,  gives the state more access to personal information about the citizen, and also allows corporations to verify citizens and in the process collect data about them. However,  it was impractical for the citizen to opt out of the system, and the citizen could not easily complain or get redress for misuse of their personal data.

Jaqueline Musiitwa explored the problem from a development lens, sharing some of the rationales for linking of digital ID with government services. These include lack of accurate information on the population, presence of refugees and migrants as well as corruption that had resulted in wastage of public funds for example where government paid ghost workers. She also shared experiences from the digital ID project in Uganda where challenges included other competing interests that also needed government funds, lack of infrastructure and power, a significant refugee population and use of coercion to register people on digital ID.

Further insights from Uganda were shared by Dorothy Mukasa, whose organisation, Unwanted Witness, had documented digital ID process. They observed exclusion at various levels. For instance,  people whose biometrics could not be recognised, could not be enrolled or authenticated on the system. This was particularly challenging for the elderly and pensioners, who also face other challenges in accessing the physical spaces where government services are offered. In addition, Uganda had inequitable internet infrastructure and power supply, and this meant that people from some areas had to travel in order to access digital ID. These problems created an avenue for corruption where those with resources could pay for enrolment.

Issues of exclusion were also addressed by Anja Kovacs, who shared insights from the Indian digital ID project, Aadhar. Dr Kovacs also explained how viewing data as a resource, ignores the fact that digital ID data comes from bodies, and therefore personal data is related to idea of personal identity as well as social solidarity. At the same time, data when considered as a resource can be sold to private actors who repackage and resell it on the market. In government systems, this can happen without consent as governments have other basis for processing of data.

The panel also delved into some possible solutions or what would be better ideas for digital ID. Some of the key points included:

• Inclusion of other points of view, voices and technologies in digital ID systems. Some of the other philosophies that provide frameworks for technology include feminist methodology which analyses how the most marginalised are affected by technology. Reframing of data as an extension of the body would also be important in incorporating dignity in digital ID programmes
• Resolving of systematic and historical issues for example citizenship prior to making digital ID a means of accessing citizenship rights and benefits.
• As the relationship between the state and citizen was fundamentally altered by technology, it was also important to regulate the use of data by the state and citizens, through among others, data protection laws and practices.
• Creating more linkages between stakeholders in the digital ID space, for example donors, states, business and civil society organisations. This would bring into perspective the real impacts of digital ID systems that are rolled out by states with the help of donors and business.

Daniel Mwesigwa, contextualized digital financial services in East Africa. He pointed out that according to GSMA, Sub-Saharan Africa leads in volume of Mobile Money transactions estimated at 23.6 Billion USD, which accounts for almost half of the volume transacted through Mobile Money and where, East Africa accounted for 25% of the total.  Then he invited the panel to discuss the role of digital data towards extending financial services and inclusion.

Rose Muturi, Assistant Chairperson at Digital Lenders Association of Kenya, begun by discussing the relationship between digital data and financial services. Her assertion was that the relationship ideally is symbiotic as data allows for more tailored financial services, competitive pricing and scaling of services especially for new market entrants. She also pointed out that all data is valuable depending on how you use it, here she elucidated the nuance of data collection employed by some digital lending apps. Lastly, she explored how the Banks, Mobile Network Operators and digital lenders are both competitors and collaborators. Finally, she highlighted that they all offer similar products at competing prices, while establishing a symbiotic ecosystem where each can rely on each other.

Joel Muhumuza, Country Director for Jumo Uganda and Kenya gave us a brief overview of the development of Jumo and how it operates. He embarked on sharing lessons learnt from his experience at Jumo.  He argued that the assertion that all data is valuable was not entirely correct as without the necessary tools, interpretation and use would be suboptimal. He gave the example of the data collected from MNOs that typically wasn’t meant to make up data for financial risk assessment. He further indicated that the tools in interpretation ought to improve in order to bring out the value.  Similarly, he stated that obtaining informed consent posed a challenge as often the customer failed to full understand the terms of service due to their urgent need for the money, additionally citing, poor digital and financial literacy.  Finally he asserted that the regulatory and policy framework posed a significant challenge on the operations of similar businesses, thus high failure rates, especially due to restrictions on processing of data.

Firas Ahmed, Founder of AzamPay, elaborated how AzamPay works and the challenges experienced as a result of limited data on customer behavior especially in regards to creditworthiness. He highlighted the need for data that was accurate, timely and constantly optimized to actual trends. He pointed out that in his course of business; the only way to mitigate risk would be persistently refining data on customer’s creditworthiness.  He argued that there was need to make all transaction transparent for the purposes of fully collecting all necessary data and thus further avoiding risks attached. The essence of his discussion was that there lacked sufficient data to support SME and B2B lending. Mwesigwa in a rejoinder highlighted that despite there being limited data availed to lenders, Banks in Africa were performing well with far much less risk attached, attributable to the fact that they often held the escrow accounts for Mobile Money operates, thus weren’t really motivated to come up with or support new products for SMEs and B2B lending.

Ali Hussein from KICTAnet, begun by raising issues centered on the use of data held by financial institutions. He pointed out that, despite the volumes of data, nothing in the way of a scalable solution was available for the East African market especially for the SME and B2B lending segments. In a rejoinder Mwesigwa, sought to highlight the challenge in establishing alternative credit scoring that could potentially be a viable method of averting risk, for both business and personal credit extensions.

The panel discussion brought out the following resolutions,

1. There needs to be use of alternative credit scoring mechanisms that would facilitate inclusion for SME or B2B Lending. Further there needs to be better parameters in place to facilitate fair credit score practices, such as increased transparency in business practices and collection of alternative non-traditional data.
2. The data in use ought to be repeatedly refined in order to reduce risk. This would require the capture of relevant data, use adequate tools in analysis and expertise in processing the data.
3. There exists a need to generate incentives that would convince businesses to transact on digital platforms that in turn would be vital for the collection of necessary data in the support of SME and B2B Lending.