The world is becoming increasingly digitised, with a significant amount of personal data being collected, stored and mined by different public and private sector players, in various countries and communities, for one purpose or another. Digitisation has increased the efficiency of services and enhanced customers’ experience of them, as service providers take advantage of data-driven customer insights to improve what they offer to the public. Digital technologies have also provided law enforcement and intelligence services with new methods to tackle crime as they make use of personal data, in the form of communication, transaction or location data, to investigate unlawful acts.
However, while digitisation is enhancing law and order, there are increasing concerns over the manner in which some of the data collected through automated digital technologies and data mining is being manipulated or misused. This has prompted calls for more accountable use of personal data by law enforcement and state security agencies to protect the rights of citizens.
Collection of personal data by law enforcement and state security
Law enforcement agents collect digitised personal data of targeted individuals or organisations to aid in criminal investigations at different stages and in various ways. Evidence gathered can be used in a court of law against the targeted individual. However, there are also instances where some state agents collect vast amounts of data that is not targeted at specific individuals but is gathered as part of an intelligence gathering process and for use by government in decision making.
In a recent meeting of the Global Encryption Coalition on government hacking, panellists described forms of government hacking used for either criminal investigation or intelligence gathering, three of which are most relevant to our African context. The first is remote exploit hacking, which involves the use of devices to collect information over the internet. A recent report by Citizen Lab cites use of this method in Equatorial Guinea, Zimbabwe, Nigeria, Morocco, Botswana, Kenya and Zambia. Governments in these countries are accused of using the Israeli hacking tool Circles on targeted individuals.
Another form of intelligence gathering is the physical hack, using, for example, the GrayKey tool used by law enforcement in countries such as the United States to hack into mobile phones, including those with specialised security features such as iPhones.
The last form of intelligence gathering is the actual physical possession of digital accessories for manual extraction of data during investigations. Using this method, photographs or screenshots are taken of the device while email data and extracted recordings are sent to investigators.
Frameworks for data collection, storage and use by law enforcement agencies in Africa
Article 10 (5) of the African Union Convention on Cyber Security and Personal Data Protection provides for the collection of data by state security, defence or public security services for the prevention, investigation, detection and prosecution of criminal offences or execution of criminal convictions or security measures. Overall, the Convention seeks to establish a credible framework for cybersecurity in Africa through organisation of electronic transactions, protection of personal data, and promotion of cybersecurity, e-governance and combating cybercrime.
Following its revision in 2019, the African Charter on Human and Peoples’ Rights (ACHPR) Declaration on the Principles of Freedom of Expression and Access to Information in Africa now carries a section on freedom of expression and access to information on the internet. This has in turn produced more guidelines on both rights in the digital age. The section contains guidelines on privacy that are relevant to collection of data by law enforcement.
Principle 40 of the Declaration provides for the protection of people’s personal information while Principles 41 and 42 address privacy and communication surveillance and establish the legal framework for the protection of personal information in Africa. Principle 41 requires that any targeted surveillance be complemented by adequate safeguards for the right to privacy, including prior authorisation from an independent judge, due process, transparency on the collection processes and purposes of the collection, and notification, among other measures. Principle 42 makes provision for the protection of personal information through independent oversight mechanisms.
Also relevant is the African Declaration on Internet Rights and Freedoms principle on privacy and personal data protection, which emphasises the need for targeted surveillance to be governed by clear and transparent laws that meet the standards of international human rights. The principle outlines the need for targeted surveillance to be based on reasonable suspicion of commission or involvement in a serious crime, with the judiciary supposed to authorise such actions. Further, the principle says individuals placed under surveillance must be notified and calls for strong parliamentary oversight in the application of surveillance laws to prevent abuse and ensure the accountability of intelligence services and law enforcement agencies.
The European Union General Data Protection Regulation (GDPR) instrument does not apply to the investigation of crimes or for purposes of national security. However, Directive 2016/680 of the European Parliament and of the Council of April 2016 makes up for this lacuna and supplements the GDPR. Directive 2016/680 contains provisions on the protection of human rights when personal data is being processed for the purposes of combating, investigating or prosecuting criminal offences.
Status of data use by law enforcement agencies in Africa
A harmonised framework for regulating the collection of data by law enforcement and state intelligence and security agents, one that brings the data protection laws of African member states into conformity, is necessary at this important moment. Beyond the cross-border nature of cybercrime, a harmonised framework is necessitated by the fact that cybersecurity and personal data protection have emerged as a crucial cross-cutting theme for Africa’s digital and economic transformation agenda. This is particularly important following the recent launch of the African Continental Free Trade Agreement (AfCFTA), which will undoubtedly increase cross-border transacting and movement across the continent. It is of utmost importance that data protection laws consider the global nature and scope of their application and foster compatibility with other frameworks, to facilitate trade in goods and services in the digital economy in an environment that does not create negative market effects, reduce consumer confidence or unduly restrict businesses.
Currently, Africa’s regulatory environment on the protection of data is far from ideal, as countries are at different stages of adoption and implementation of their respective legislation. The current move by Nigeria and four other nations to develop and test a framework for the harmonisation of their data protection and e-transacting across the continent is a step in the right direction in this regard, and could also facilitate accountability by law enforcement. An example of such collaboration is the Five Eyes intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States, where there is cooperation in signals intelligence under the multilateral United Kingdom-United States of America Agreement.
Several concerns on the use of personal data for law enforcement purposes have arisen across the multiple regulatory frameworks and laws on the continent. African data protection laws have been criticised as not protective of people’s human rights, with law enforcement agencies (LEAs) given overly wide-ranging powers while not providing for checks and balances to curtail state excesses. Questions have also been raised on how to regulate the investigatory powers of the state in a manner that respects the essence of fundamental rights and freedoms, particularly as new technologies are deployed, such as facial recognition, or in the use of communications metadata. At a practical level, it also raises the need to consider data protection by design and the role of data protection impact assessments in identifying and mitigating risks posed by technology and practices adopted by LEAs and the private sector.
African states have long been accused of copy-pasting European Union data protection laws. Their stance on regulating the collection of personal data for use by LEAs is no different.
African states often leave the regulation of data to old legislation which has not been adapted for the purposes of new cybercrimes, or they rely on alternative legislation which does not cater for the rights of the individual. Examples are penal codes or cybercrime laws that contain provisions on search and seizure or the use of forensic tools when investigating crimes.
In general, African data protection laws are often broad, either offering too many protections or giving wide powers to states and, by extension, LEAs. Some African states, such as Zimbabwe, still have surveillance laws, in the form of the Interception of Communications Act, which violate the right to privacy.
The outbreak of the COVID-19 pandemic has also seen some countries in Africa imposing strict restrictions and other measures to control the spread of the novel coronavirus. Some of these restrictions have curtailed freedoms and people’s fundamental human rights, including data protection. In Zimbabwe, for example, a number of activists and journalists have been arrested for retweeting messages considered offensive by the government. Surveillance and mobile tracking mechanisms have also been put in place against targeted individuals under the guise of enforcing COVID-19 restrictions but in violation of fundamental human rights.
Other states also have laws whose provisions only thinly protect human rights. Therefore, a standard set of laws and rules governing data use by LEAs is important to supplement national legislation where it is lacking.
A framework for regulating personal data collection and use by law enforcement agencies
Based on standards found in international human rights law, data protection laws regulating the use of personal data by LEAs must be enacted together with surveillance laws that are founded on human rights principles. Such laws must also be proportionate and just, and reflect international standards of human rights protections.
An ideal framework must provide that communication surveillance be both targeted and based on reasonable suspicion of involvement in the commission of a serious crime. There must be an understanding of what encompasses “reasonable suspicion” that is agreed upon so that the term is not open to numerous interpretations. A second ideal is that communication surveillance must be authorised by the judicial system to ensure fairness and impartiality. Under surveillance authorised by the judiciary, individuals must be notified as soon as practicable after the conclusion of a surveillance operation. In addition to judicial oversight, the application of surveillance laws must also be subject to parliamentary oversight to prevent abuse and ensure accountability of intelligence services and law enforcement agencies.
An ideal framework must also be premised on the human rights-based approach, which espouses active participation in decision-making processes which have an influence on people’s rights; accountability mechanisms which involve the placement of effective remedies to hold duty bearers accountable where violation of human rights occurs; the principles of non-discrimination and equality; the principle of empowerment, whereby everyone is empowered to claim and exercise their rights; and the principle of legality, ensuring that all laws and regulations are in line with the legal rights set out in domestic and international laws.
In addition to the principles of participation, accountability, non-discrimination and equality, empowerment and legality set out above, the principles of necessity and proportionality must also inform the laws regulating the use of personal data by law enforcement agencies. The necessity and proportionality principles are set out in detail below:
- Legitimate aim: Communications surveillance by specified state authorities must achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society. Any measure must not be applied in a manner that discriminates on any basis.
- Necessity: Surveillance laws, regulations, activities, powers or authorities must be limited to those which are strictly and demonstrably necessary to achieve a legitimate aim.
- Proportionality: Decisions about communications surveillance must consider the sensitivity of the information accessed and the severity of the infringement on human rights and other competing interests. This requires a state, at a minimum, to ensure that there is a competent judicial authority to oversee communications surveillance for the purposes of enforcing law, protecting national security, or gathering intelligence.
- Judicial oversight: This must take the form of an impartial and independent authority that is separate from the authorities conducting communications surveillance; conversant in issues related to, and competent to make judicial decisions about, the legality of communications surveillance, the technologies used and human rights; and adequately resourced to exercise the functions assigned to it.
- Transparency: States should be transparent about the use and scope of communications surveillance laws, regulations, activities, powers or authorities. They should publish, at a minimum, aggregate information on the specific number of requests approved and rejected, a disaggregation of the requests by service provider and by investigation authority, type and purpose, and the specific number of individuals affected by each. An example of this in action is illustrated by a recent South African Constitutional Court judgement in which the court added a post-surveillance notification clause to existing surveillance legislation providing that a suspect must be informed within 90 days after surveillance has ended that they had been placed under surveillance.
It is therefore clear that data protection laws in Africa are still in their budding stages, with most of the legislation inadequate in protecting rights and other key data protection principles. There is also a need for more African countries to sign and ratify the various international instruments on data protection to ensure both the free flow of data and an accountable use of data by LEAs and intelligence services.
LEAs must also discharge their duties in a transparent manner and respect data protection rights in line with international standards and protocols. The judicial services and data protection authorities (DPAs) must play an oversight role to curb any excesses of LEAs in the discharge of their duties. The DPAs must be truly independent public entities that supervise, through investigative and corrective powers, the application of the data protection law, similar to the ones in the European Union which provide expert advice on data protection issues and handle complaints lodged against violations of the GDPR and the relevant national laws, with each member country having one of its own.
This article is based on a presentation made as part of the Global Action on Cybercrime Extended Series of Thematic Workshops on Data Protection on 3 March 2021.