In the wake of the COVID 19 pandemic, contact tracing – and the swift actions that governments initially took to take to curb the spread of COVID-19 have thrust the issues of data rights to the fore. Citizens have ceded personal data to states – in many cases unwillingly or without full knowledge of the future implications. The real fear is that Governments are unwieldy and might use this focus on data and national emergency response to push for further data disaggregation, and even advance cybersecurity or cybercrime laws that are not user-centred, do not keep data secure thereby effectively opening the door to human rights violations. So what are data rights and why are they important? Let’s briefly examine four personas to begin with for a better understanding.
We start with Amani, she has no clue that everytime she uses her smartphone or laptop she leaves behind a digital trail. From her (misspelt) internet searches to what she uploads on her social media, where she lives, what she eats, how fast she walks, what clothes she likes, what means of transport she uses, her age, how she is feeling today and even her sexuality. What she does not understand is that her digital trail has enabled companies to learn her behaviour; for example what she likes to eat, when she is most productive, where she wants to travel. This means that whenever Amani uses the internet she will probably see a barrage of adverts personalized to her.
Next is, Imani whose smartphone has prompted him to update to the latest software. Without an opt-out choice, he just has to upgrade. Before Imani upgrades he is prompted to read the terms and conditions’ agreement which is 56 pages or 19,972 words of reading – longer than the play ‘Macbeth’. Of course, Imani will not read the agreements, he does not understand any of the legal jargon used to begin with. So, he promptly agrees to terms that will eventually erode his personal privacy; it’s either this or he ceases to use his phone.
Then we have Zawadi who downloaded a money lending app to get a quick loan for her business. Things got difficult when she could no longer repay her loan. Zawadi started receiving calls from her friends and family asking her why she has not paid her loan. She started asking herself how these people even knew she had a loan to begin with. ’Unknown to her, the mobile app had accessed her contacts when she signed up.
Lastly, we have Daudi who comes from a country that has introduced contact tracing technology to monitor COVID-19. Further, there are no local or international data and privacy safeguards. As a result, there is no telling what the government can/will do with the data technology post-COVID – especially if Daudi was to express sentiments that were critical of the government now or in the future.
These are scenarios that are increasingly being played out with data – most of it without knowledge or consent of those involved.
Data Governance, Ownership and Rights
Data governance is the exercise of authority, control and shared decision making (planning, monitoring and enforcement) over the management of data assets. One tenet of data governance is data ownership; it stipulates that no one individual, department or business area should claim ownership over data, that it is an enterprise asset. However, to govern and manage data appropriately, organizations must identify and assign certain roles and responsibilities to staff members, a process known as data ownership. Data owners have a clearly outlined role that determines who can access what data, in accordance with security protocols, privacy requirements, compliance management, among others.
But the idea of data ownership has been challenged. Data ownership does not fix existing problems. Why? Well because whereas some of the data you create (especially online) is done on purpose, much much more is created by your actions but without your knowledge or consent. It is why the argument for data rights is increasingly being made. This is the creation of frameworks that gives citizens the rights to determine how their data will be used.
Data rights count for more than just privacy; they are about freedoms to shield oneself from any undesirable control from either state or non-state actors. Personal data must be treated as an intrinsic human right. These rights are guaranteed in the United Nations International Bill of Human Rights, as contained in the International Covenant on Civil and Political Rights (ICCPR). These rights had been with us as far back as 10 years before the advent of the big tech firms in the 2000s
International, Regional and National Laws on Data Rights
The Human Rights Committee at the UN, in 1988, added the following to Article 17 of the ICCPR, on the Right to Privacy:
“The gathering and holding of personal information on computers, data banks, and other devices, whether by public authorities or private individuals or bodies, must be regulated by law.”
ICCPR, Article 17 G.C. No. 16-10
“…relevant legislation must specify in detail the precise circumstances in which such interferences may be permitted.”
ICCPR, Article 17 G.C. No. 16-8
“…every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes…If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.”
ICCPR, Article 17 G.C. No. 16-10
Some 30 years later, what have been the responses to these issues?
In Europe, the General Data Protection Regulation (GDPR) has been established as a regulation in the European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). Coming into effect in 2016, the GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to customers or businesses in the EU. It gives EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit.
In Africa, data protection laws have gained ground. Out of 54 countries, about 25 have passed data protection laws, the latest countries being Uganda, Kenya and Egypt. Other countries like Nigeria have introduced data protection bills which are at various levels in the respective country legislative agendas.
Some common features: In most countries, the consent of the data subject is the default condition for data processing. These also include the rights of people’s personal data to be changed or erased without their consent or knowledge. Also, statutes have provided for the establishment of a data protection authority reporting to the telecommunications or ICT regulator. In addition, statutes also require that data controllers’ obligatorily notify the regulator of any data processing activities and to seek from the regulator an authorisation
Some issues: Some African organisations and governments continue to express concerns around the issue of ‘digital colonisation’ – as a consequence of having sensitive political and strategic data hosted on servers outside the continent. Also, issues of compliance by both state/non-state actors as well as citizens to the data protection act remain low – with many not aware of their legal rights and obligations. As an example, most Kenyans probably missed the passing of the Data Protection Act after two years of sitting in the Kenyan National Assembly in 2019.
I have nothing to hide…
Returning to the 4 personas… filtering of advertisements is not such a bad thing… I have really nothing to hide… just turn it off… do not participate…. go offline. In principle, the latter presents an impossibility. A large number of services (both private and public) are offered online; from e-government to mobile money. The risks of being socioeconomically left behind are real, more so in the developing world. More importantly, even if the off (in the on/off duality) were possible, this goes against the principles enshrined in the universal declaration of human rights – which are about securing individual freedoms, choice and agency in a modern society. The same argument is made in the book ‘Permanent Record’, which was criticized as not telling anything new when it revealed that mass surveillance is not just a theoretical concept, rather, it is the loss of agency it depicts – our loss of agency – which is more nefarious. In the age of Artificial Intelligence, data in the aggregate is really fundamentally different from data from an individual; it is why it may end up affecting us even if we choose not to participate.
Regulations such as the GDPR and various data protection bills in the continent should step up and continue to protect and define these rights. This has also been referred to as a ‘data-rights infrastructure’ for which continual research on this complex topic should continue to establish standards and good practices for litigation, auditing, data ethics and/or on behalf of citizens. As information technologies continue to proliferate, the complex impact on citizen’s lives should also encapsulate these issues.
All of these can be summarized into two considerations on what data rights mean:
- The right to know: what data has been collected about you over what period of time, how much is out there and what it is being used for.
- The right to say no: that it is possible to withdraw personal data, and also that it will not be shared with third parties without consent.
In the coming weeks we will be launching the #RestoreDataRights initiative, a movement that seeks to advocate for transparent, inclusive and accountable data use in the COVID-19 response in Africa. We are keen to delve deeper into these issues and engage with governments, civil society, donor organisations and other players in the data space.