The Matter of Mangala & WAP -vs- The Guacamole Republic of Avocado (GRA)
As promised, here is the account of the recently concluded CIPIT ICT Moot. Held every two years, the competition attracts teams across East Africa. It is the only one in the mooting calendar this part of Africa that has information technology and intellectual property as subject matters. This allows competitors to engage with contemporary issues, as was the case in this year’s edition. Data protection has not been legislated extensively in Kenya. The resulting lacuna forces the litigant to think outside the box and try to find viable and practical solutions to technology related problems oft outside the purview of lawyers.
“There will be winners, and there will be losers…” were the words of the Dean of the Strathmore Law School to end his address to the participating teams during the second biennial CIPIT moot. This author is sure that nothing rung truer in the minds of the eager young faces looking at him.
CIPIT held its biennial moot on 11th and 12th of October 2018. In total there were 13 teams in attendance, with about half of the teams hailing from Uganda. In the coming weeks, the CIPIT team will provide a full play by play account of events. Before that however, we would like to acknowledge one of the teams that participated.
The University of Nairobi Team comprising of the Kanyangi twins (so any confusion in the above image is regretted but understandable) and Jackline Sang wrote to us, grateful for the wonderful experience they had during the moot. Truth be told, it is the CIPIT team that is in gratitude for their attendance and their thoughtful letter. Here is their account of the moot, viva voce…
“It was a great privilege to participate in the recently concluded CIPIT 2018 moot competition. From the very onset it was exciting to engage with teams from universities around the country and Uganda. The moot concerned the right to privacy and data protection. Of specific emphasis was the disclosure of health data to third parties and the use of such information to peddle advertisements on the accounts of Wika virus victims.
The freedom of association has traditionally been defined as the right to be with other people for a legal reason, cause or purpose, without interference. However, with the advent of modern technology, today’s emergent associations differ in important ways from traditional political and social organizations.
Recent global events particularly those associated with the Arab Spring form prime examples of the need to examine and analyze the legal protections afforded to associations in the digital age and whether such protections are sufficient in the wake of emerging threats.
Thus, an analysis of the commonalities and the differing aspects of the contrasting viewpoints of the subject right as well as the impacts of this is well justified in light of the changing context within which the right is exercised and indeed with a view to building a wholesome definition having considered all relevant factors.
TRADITIONAL RIGHT VIS-À-VIS DIGITAL RIGHT
Freedom of association has commonly been associated with the notions of physical meetings and geographical proximity. However, advances in modern communication technology have greatly shifted the context of this right and led to a number of differing aspects with its traditional understanding. The prime difference consists in the non-requirement of geographical proximity. Previously, participation of one’s associational freedom often meant attendance of in person meetings. Conversely, in the present day, one can participate in the activities of an association without the need for physical attendance or geographical proximity due to the relatively inexpensive nature of internet connection. Global events ranging from the political uprisings that swept across the Arab world to the Occupy Wall Street Movement have highlighted the use of digital technology in the exercise of the subject right.
Another key differing factor is the platform on which the right is exercised. In its traditional understanding, the right is often exercised in public spaces such as city squares whereas the digital right extends to digital platforms such as discussion forums and chat rooms. This view was supported by the APC which stated that the right should be construed to include any space where people can meet, including online spaces.
A logical import from the differences highlighted is the central role of modern technology as a conduit to the exercise of the digital right. This view is reiterated by the 2012 report of the former Special Rapporteur where he called upon States “to recognize that the rights to freedom of peaceful assembly and of association can be exercised through new technologies, including through the Internet”. This view was also highlighted by the Human Rights Council in its Resolution 24/5 in which it:
“Reiterated the important role of new information and communications technologies in enabling and facilitating the enjoyment of the rights to freedom of peaceful assembly and of association…”
However, these differences do not constitute a comprehensive redefinition because of the commonalities shared such as the similar nature of the associations in both conceptions. As per the ‘Guidelines on Freedom of Association’ an association is “an organized, independent, not-for-profit body with an institutional structure based on the voluntary grouping of persons with a common purpose.” Online associations fulfill each of these requirements therefore enjoying protection even in the traditional understanding.
DEFINITION AND RELATION TO ASSEMBLY
In view of the differences as well as the commonalities of the contrasting interpretations of the subject right one can reasonably deduce that the digital right can be defined as the right to voluntarily join with others through collective action based on a common purpose through the use of modern communication technology without interference.
Perhaps an interpretational challenge in defining the subject right also owes to its confusion with the related freedom of assembly. Freedom of assembly secures the right of people to meet for any purpose connected with government whereas associational freedom protects the activities and composition of such meetings.
Digital technology has transformed the ways in which civic and political associations are formed and operate. Political and civic “work” in society is increasingly performed not by traditionally organized and well-defined associations but by decentralized networks of individuals. As such, online association has opened the door for a more effective advocacy of Human Rights issues which may be dangerous in authoritarian states and for the faster aggregation of resources for community development.
However, the same features of modern communications technology that enhance associational freedom also crucially enhance the threat posed by relational surveillance. Relational surveillance can loosely be defined as surveillance that makes extensive use of digital communications in order to determine the associative groups to which an individual belongs. Comprehensive surveillance has the unfortunate propensity to cause exploitation of vulnerable groupings in society. Indeed surveillance also highlights the occasionally involuntary nature of online association since it uncovers exploratory activities such as inquiries or admission into social media groups which could mark an individual as a “member” of an association before express consent has been made. Additionally, the networking tool of the internet is useful not only to legitimate civic groups but also to criminal and terrorist groups as they can also benefit from the pseudonymity of digital association.
Lastly, the central role of data in modern communications technology and continuous data collection often leads to the threat of profiling. It is no secret that platform providers retain consumer data often using it for targeted advertising purposes. However, the emergent use of data as a value tool whereby data is sold to advertisers and other firms has led to widespread privacy concerns highlighted best by the Cambridge Analytica scandal.
Given that the Computer Misuse and Cybercrimes Act’s chief focus is with regard to the content of the data rather than the collection and use of data and the relative lack of comprehensive data protection legislation outside the Constitution, it would seem that the local laws are ill equipped to deal with the issue of surveillance. Therefore, there is need for legislation to regulate and provide oversight on;
circumstances under which platform providers can collect and use data,
circumstances under which platform providers can share such data with government agencies and other 3rd parties.
Although modern communications technology has greatly enhanced associational freedom for many informal associations, it has also facilitated the emergence of new threats such as that of surveillance. This expansion of the scope of the subject right has meant that current legislation is insufficient in the wake of new threats. Therefore, it is imperative to review and update relevant legislation in order to comprehensively address these concerns.
The right to freedom of assembly has been widely accepted as a necessity in a functioning democracy as assemblies are used to express and defend different views. This right has justified holding of political rallies, picketing, demonstrations and meeting or barazas held to discuss issues in the society, with the condition that any of such is done peacefully. It is so essential that even the modes of protests have changed with time with online protests becoming more common. This has led to social media being viewed as a potent tool in aiding access to information as well as enhancing the right of the freedom of assembly. This has resulted in the need to justify the exercise of assembly online and the role the government has in safeguarding online assemblies.
So what constitutes and forms online assembly? What role does the government play in safeguarding this right? What constitutes an infringement and how can this be mitigated? This article seeks to answer these questions by first setting out the background of the right to the freedom of assembly in the traditional sense, then exploring the legal framework and case law, which set out the duties the State owes and how this right is applicable to online assemblies.
Online assembly is a controversial issue especially when it comes to online protests. This is especially with the disruptive nature and wide reach online protests have. Discussing the legality of online assemblies is necessary as this will determine whether governments are justified in shutting down the internet or censoring content online. This involves discussing the role the right to access information plays in online assemblies.
The right to the freedom of assembly in the traditional sense is composed of two elements that aid it: free speech and the right to associate. It finds its roots in “Tavern Talk” in America in the mid-18th Century, where the biggest revolutions such as the famous Boston Tea Party were found to begin with the political discussion that happened in taverns. The taverns offered the Americans a place to vent of their common issues and discuss matters affecting them. Given the large pool of men visiting these taverns it was often easy to mobilise people to protest against the then British rule. It foreseeable that the American legislator saw it important to protect free speech, freedom of association and the freedom of assembly in the First Amendment of the American Constitution. In fact, Congress in discussing what constitutes the freedom of assembly, found free speech and freedom of association as integral to fulfilment of this right.
This notion has been widely accepted in the Kenyan context. The right to the freedom of assembly is first and foremost a constitutional right, which is the supreme law of the land. it further finds its routes in our democracy, which is the exercise of the people will through elected representatives. The courts have interpreted the right to the freedom of as an end , with free speech and the right to associate being the means. The courts assert that free assembly requires the free flow of opinions and ideas…
What is Online Assembly?
Online assembly in this article refers to the association of people on virtual platforms in groups so as to express their views and at times for the purpose of criticising the government. The nature of online assemblies is unique as it involves the sharing of information across a digital platform in order to mobilise internet users to take part in virtual protests. As such, online assembly has various elements unique to it: the online platform, the role access of information plays and the viral effect brought about by the network.
The disruptive nature that online assemblies have had has seen governments in most States taking action to try and control them through stringent rules as well as complete media shutdowns. This has led to push back as it was seen as an infringement on the citizenries’ right to access information and the right to the freedom of assembly.
States are now required to ensure there is access to the internet as people have the right to gather online and express their opinions. The state should therefore refrain form shutting down the internet without just cause. There should additionally be no restrictions on content and government surveillance. This is to ensure free speech is not policed by government and that it is protected.
It goes without saying that online assembly does have its dark side. This is because of the tools internet activists used such as hacking and the use of computers whose owners don’t know they are infected. This is illegal as one cannot use someone’s personal resources for your political purpose without their consent. As such, the State does have the duty to draft frameworks to ensure online assembly is not abused.
There is a need to protect the right to online assembly as it has resulted in a lot of positive changes in society. An instance of this is the profound effect the #MeToo movement has had in addressing the need for stronger anti-rape laws. Online assembly has also has also played a profound role in advancing for the protection of citizens against violation of human rights, as seen in the Tunisian Revolution. These are just a few examples of the numerous occasions where digital media has been used to advance for legitimate causes.
In light of this, the State has to balance the need to maintain public order with the right to online assembly, which is achievable without shutting down the internet or censoring the internet. The State can take measures to ensure that those who abuse online assembly are penalised through cyber laws whilst still ensuring people can freely gather and express their opinions online.
The Right to Freedom of Peaceful Assembly: Best Practices Fact Sheet, United Nations Special Rapporteur on the rights to freedom of peaceful assembly and of association, Maina Kiai (published Nov. 2014)
Although Kenya does not have a rich history when it comes to privacy law as compared to the US, supposedly due to varying ages of the countries, there is an increasing interest in the right to privacy especially as applied in the digital sphere. The challenge, however, resides in defining the right to privacy in the digital era.
The Constitution of Kenya provides for the right to privacy but it is not immediately apparent Article 31 appreciates the realities of the digital world where the right can be asserted over the communication and telecommunication networks.
A report published by Privacy International highlights the intrusive nature of micro-lending apps, which continue to demand more and more personal data in a bid to define what they term as a financial identity in a bid to determine a person’s credit worthiness. The report studies the nature of information collected to create such identity. One digital lender, Branch, collects call logs, contacts, SMS messages including M-Pesa, GPS location, the repayment patterns of one’s friends for Branch loans etc. Most of these digital lenders are startups whose exit strategy involves being bought out by another company. It is not clear to what extent to customers will have control over their data once the startup is sold to new owners.
The case of Kenya Human Rights Commission v Communications Authority of Kenya & 4 others  eKLR discusses the use of a Device Management System (DMS) to tap into the devices of mobile phone users. The device was mainly meant to monitor illegal international calls between Kenya and Rwanda. Nevertheless, the High Court ruled that the device would infringe on the consumer right to privacy because the monitoring would be done in the absence of orders to collect information of a private nature.
Why does it Matter?
The foregoing cases bring out a number of challenges that need to be resolved if we are to entrench the right to privacy in the digital space. To begin with, where there are no mechanisms to regulate the nature of information collected, the autonomy of the individuals from whom such information is collected may not be respected. In addition, entities who unwittingly collecting significant volumes of data create a significant risk when their technical systems are breached. Moreover, it is important to make sure that customers can always exercise their data protection rights where a company changes ownership.
The Way Forward
From the aforementioned, certain elements are necessary in defining the right to privacy. A digital right to privacy will be assured where the data subject can determine: a) who can collect their data, b) what data is collected, c) what data is not collected, d) and the nature consent required to collect certain kinds of data. This criterion derives from the legal doctrine of the right to informational self-determination in respect of right to privacy. It is the right of a person to determine the disclosure, and the use of their personal data. The doctrine is in line with Westin’s definition of the right to privacy which he succinctly defines as “the right of the individual to decide what information about himself should be communicated to others and under what circumstances”.
 Samuel Warren, Louis Brandeis, ‘The Right to Privacy’, Harvard Law Review, Vol 4 No.5.
 Article 31, Constitution of Kenya (2010): Every person has the right privacy, which includes the right not to have – (a) their person, home or property searched, (b) their possessions seized, (c) information relating to their family or private affairs unnecessarily required or revealed, or (d) the privacy of their communications infringed.
 Privacy International, ‘Fintech: Privacy and Identity In the New Data-Intensive Financial Sector’, 2017.
 Privacy International, ‘Fintech: Privacy and Identity In the New Data-Intensive Financial Sector’, 2017
 Privacy International, ‘Fintech: Privacy and Identity In the New Data-Intensive Financial Sector’, 2017
 Crabtree A,’ Personal Data, Privacy and the Internet of Things: The Shifting Locus of Agency and Control’
 Rouvroy A, ‘The Right to Informational Self-Determination and the Value of Self-Development: Reassessing the Importance of Privacy for Democracy’ 2009.
 Westin A, ‘Privacy And Freedom’, 25 Washington and Lee Law Review, 1968.
A striking postulation of free speech was developed in the 19th Century by John Trenchard and Thomas Gordon, supporters of John Locke. They defined the right as the freedom to “think what you would and speak what you thought”. This placed a strong emphasis on the citizens’ role in exercising the right as against an implied oppressor, the government.
Other postulations of the right intuit that there is a balance to be struck between the right expressed by the citizen and the right of others. Between citizens, the government is charged with ensuring no one infringes the right of another. The overt regulation of speech amounts to the prevention from: holding an opinion, receiving information to facilitate creation of said opinion, or the dissemination of information that would allow the creation of opinions. The state would in this instance curb the spread of information it perceives as undermining its rule or that which infringes the rights of others.
The International Convention on Civil and Political Rights (ICCPR) posits freedom of speech as consisting two parts; a negative obligation on state organs, to deregulate speech and, a positive right, exercised by the public within the law. Subsequently, the right operates within two parameters as well: dissemination of information and expression of opinions that are vital for debate and transparency in democracies; and the censure of statements infringing the rights of others or abrogating order within the state. Two competing norms exist, individual autonomy versus the protection of collective goals, such as equality among persons.
Criticism of other persons should be conducted within the law. Hence, one must respect the rights and reputations of others. Are statements by errant bloggers protected by Kenya’s own free speech clause? Not quite, libellous statements are not granted legal protection. Article 33 of the Constitution of Kenya (CoK) outlaws making of statements that disparage persons and their reputations.
Citizens should be able to oppose decisions made by their government, employer, municipal court or member of parliament. The CoK stipulates that public participation is an essential avenue for citizens to express their sentiments regarding governance. In democracies, elected representatives are not immune from critique. Their actions are scrutinised by a vigilant public, aware of state obligations.
Free Speech: Applicable mutatis mutandis in cyberspace?
Conceptualists of free speech had written their treatises prior to the internet and mass media. Thus, contemporary issues such as jurisdictional conflicts over online offences were unforeseen. Free speech should evolve to meet these demands.
The right should supersede the classic two-party consideration; the government and the citizen. Social media platforms and internet service providers are new participants in the rights matrix. They curate more data than ever before and have the power to deactivate accounts spreading misinformation. While international case law indicates that social media is an arena for free speech, administrators should be obliged to curate the content on their sites and ensure there are no rights infringements.
Kenyan courts applied principles of tort to malfeasance on social media, to regulate the platform. This approach is only partially viable; the “obligation to curate” must be placed on administrators. The main impediment to this concern is practicality. Twitter cannot monitor its 335 million active user’s pages. Surveillance on that scale would broach a myriad of privacy concerns.
A possible solution could be mandating platforms to introduce a complaints system, allowing users to report rights violations. Administrators responding to the report provide initial adjudication on whether the offending content contravenes internal policies. Illegality however, mandates administrators to assist municipal law enforcement with information pertinent to investigations.
Concluding, digital free speech may be defined as:
The freedom to express a factual representation or opinion on an online platform. The right precludes the following: defamatory statements, hate speech, cyber-bullying, or misrepresentations. The custodians of the right include the government and at initial phases, administrators of online platforms. These custodians are obliged to respond expeditiously to any reports of illegal activity or activity flouting platform policies.
Kenya’s traffic situation is dire with deaths due to road traffic crashes estimated between 3,000 to 13,000 each year. Based on 2017 stats of the National Transport & Safety Authority (NTSA), pedestrians are the most vulnerable groups representing 39% of fatalities. Another 22% of victims are passengers, 12% are drivers while casualties due to motorbikes reached 18%. The reasons for these are many including poor driving behavior such as speeding, breaking traffic rules including talking on mobile phones or driving under the influence of alcohol or drugs. Overloading vehicles, not wearing seatbelts, poorly maintained vehicles and bad surface roads contribute to the rise in road traffic accidents.
Driverless Cars Can Benefit Kenya
In his study of road accidents in Kenya, Odero concludes that 85% of road mishaps was caused by human errors. Collisions between vehicles and pedestrians were the worse. Utility vehicles and buses were involved in 62% of accidents that lead to injuries. Faulty or poorly-maintained vehicles were also to blame. The costs of these accidents are estimated at Sh300 billion or $2.9 billion a year according to the 2015 NTSA report.
The introduction of driverless cars can significantly reduce the rate of accidents in the country. But before these autonomous cars could be driven on Kenyan streets, extensive testing needs to be done. Moreover, once on the road, there are other factors that play before deployment can even be considered. One of these is the IT law.
Driverless cars are dependent on the development of autonomous driving technologies. The biggest issue that crops up once an autonomous vehicle is driven is: who is responsible for the car and its actions? Is it the owner of the vehicle, the manufacturer or the creator of the autonomous driving system?
Autonomous Vehicles Can Save Lives
Before we can tackle the question, let us look at how testing of AVs has evolved. Without a doubt, driverless cars are big business. That is why automakers and technology giants are scrambling to get a big piece of the action. The likes of Waymo, Uber, Tesla and Apple have invested heavily in developing autonomous vehicles that are ready for deployment on the road.
In an ideal world, these vehicles are safer. Autonomous vehicles (AVs) are fitted with 360 degree cameras that allow them to see from all angles. They can use LIDAR technology which is a detection system using laser enabling them to see better and further. AVs can plot their course based on real time information so they can also change their routes and adjust their speed. In short, they can see better than the human eye.
Safe Testing Is Critical
The Uber test vehicle that killed a pedestrian in March this year suggested that the technology is not fully developed. According to the police report, the Uber car failed to identify the victim as a pedestrian and did nothing to avoid hitting her. The human operator who was inside the AV was also apparently watching a video before the crash occurred. In another incident, a Tesla Model X SUV crashed into a road barrier and killed its driver. It was on auto pilot mode. These accidents tell us that more safe testing needs to be done before the technology can be considered roadworthy.
There is also no existing legal framework that puts people or entities liable for accidents and deaths that may occur due to failures of AVs. While some countries are in the process of putting laws and regulations in place before driverless vehicles are put in circulation, there are still many snags that need to be untangled. For now, safe road testing is a top priority along with legislation, local zoning and stringent testing requirements.
Implications for the Kenya’s Road and Traffic
Chaotic Kenyan roads are even more of a challenge for AV testing. Not only are there more humans on the road, there are also cyclists, motor bikers and even animals. Driverless cars will have to learn to navigate around so many obstacles. Perhaps, this is also where they might make the biggest difference as hectic cities are places where the most collisions happen claiming more lives.
There are many benefits of autonomous vehicles for humans and the environment. However, safe testing of their capability on roads should be further enhanced. In addition, regulatory measures and a legal framework must be in place before they circulate in traffic.
The Internet has fundamentally altered the manner in which copyrighted works are created, distributed and accessed. The on-demand access to and transmission of works online has introduced novel methods of exploitation of copyright works not hitherto envisaged by the law. Copyright laws world wide are evolving to address the legal issues arising from this rapid technological development. For example, the European Union’s Information Society Directive (InfoSoc) 2001 was enacted within this context, to offer a high level of copyright protection to authors in the EU.
Hyperlinks, which are online network components that redirect users to another website when they click, tap or hover on it, came under scrutiny in the European Union in the case; Public Relations Consultants Association Limited (PRCA) v Newspaper Licensing Agency (NLA) C 360/13 (2013).
The PRCA, an association of public relations professionals, used a media monitoring service provided by Meltwater Limited to monitor online press reports concerning or relating to their clients. The NLA, representing the interests of newspapers i.e. the copyright holders of the published reports, took the view that the PRCA was required to obtain authorisation from the copyright holders for receiving the online media monitoring service offered by Meltwater. After both the High Court and Court of Appeal of England & Wales ruled in favour of the NLA, the PRCA instituted an appeal in the United Kingdom’s Supreme Court, which referred the case to the Court of Justice of the European Union (CJEU).
The main issue for consideration before the CJEU was whether the copies of the copyrighted material on the user’s computer screen and the copies in the internet ‘cache’ fell under the conditions of Article 5(1) of the InfoSoc Directive. This Article provides that an act of reproduction is exempted from the reproduction right provided for in Article 2 of the InfoSoc Directive, on condition that:
– it is temporary;
– it is transient or incidental;
– it is an integral and essential part of a technological process.
Central to the determination of this issue was not merely if onscreen displays and Internet cache copies are transient or temporary, but if the end user (e.g. PRCA) infringes on copyright by making of temporary copies that allows them to view the copyrighted material.
With respect to the first criterion of Article 5(1) of the InfoSoc Directive, the Court held that onscreen and cached copies of copyrighted works were temporary as the former were automatically deleted when the user exited from the website that they were viewing and the latter were often automatically replaced by other content depending on the cache’s capacity and the extent of the users internet use. It also found that the second criterion applied as onscreen and cached copies of copyrighted works were transient as the former is automatically deleted by the computer when the user exits the website and thus terminates the technological process used to view that site, and the latter were incidental as internet users could not create cached copies independently of their visit to a particular website or beyond the technological process used to view the site.
The third criterion of Article 5(1) however has direct implications on the functionality of the Internet and the court’s decision in this regard is particularly important. The Court held that on-screen and cached copies are created and deleted solely as a result of the technological process used to access websites. The reproduction as such is as such crucial in enabling users to access websites and subsequently use the Internet as a whole. Furthermore, the Court recognized the fact that the Internet would be unable to function without the creation of cached copies due to the huge volume of data transmitted online. As such, the reproduction is an integral part of the technological process as stipulated by Article 5(1) and it would be as such unjust to require the copyright holder’s authorization when browsing and viewing articles online.
The Court in PRCA v NLA (2013) also noted that the mere viewing or reading of an article in its physical form had hitherto never been an infringement in either English or EU Law. It would therefore not make sense to prohibit the mere viewing of articles online as online content is more often than not copyrighted and Internet users would become infringers if they required licenses to view content which they would inadvertently come across online. Copyright law should therefore not be used as a tool to impede Internet users’ right to browse content online freely.
Ultimately, on screen displays are transient and incidental and are an integral part of the process of browsing the Internet. Had NLA’s argument for the requirement of a license so that they could charge browsers to read content online prevailed, there would have been far reaching negative consequences as to the accessibility to the Internet by EU citizens.
While the legality of linking ‘free’ copyrighted material online, has not yet been explored in Kenyan courts, it is likely that the courts shall recognise that transient and incidental ‘copying’ that occurs in the operation of the Internet does not infringe on copyright holders’ exclusive reproduction right under section 35 of the Copyright Act (cap 130).
Copyright law should allow development and operation of new technologies while striking fair balance between copyright holders’ and the technologies’ users’ rights. Kenyan courts’ also have a duty to strike this balance. PRCA v NLA (2013) would in such cases be instrumental not only in its central finding but also in its compelling illustration of the fact that the operation of copyright online is inextricably tied to the accessibility of the Internet. This case also underscores the need for a review of the Copyright Act (Cap 130), in response to the unique challenges wrought by the operation of copyright in the digital age.
Lessons from the Forum on the participation of NGO’s in the 62nd ordinary session of the ACHPR at the Royal Suites Hotel, Nouakchott.
CIPIT was invited to the ACHPR NGO forum to present their biometrics research findings to a side event that was taking place during the African Charter for Human and Peoples Rights 62nd Ordinary Session and to lobby for the inclusion of the right to privacy to the ACHPR (Banjul Charter).
For this mission we teamed up with the Legal Research Centre (LRC) from South Africa and Privacy International from London. Based on his experience in previous ACHPR events, LRC’S Tsanga Mukumba advised us to advocate for the right to privacy to be included to the mandate of Rapporteur to the right of freedom of expression. He added that asking for the inclusion of the right to privacy, while still the end goal to the Banjul Charter, might be difficult at this stage. A sad truth that we discovered through our interactions with the other forum attendees.
Since we were organising a side event as well, we attended other organizations side events to advertise our event.
While interacting with other human rights advocates who had convened at the event, we faced a challenge of convincing them on our digital right agenda. Many felt that there far more important and grave human rights atrocities in the continent such as the death penalty, torture and slavery. We decided to show the participants how digital rights such right to privacy affect their work on other human rights issues. We brought up issues of government surveillance on civil society and instances where telecom corporates work with law enforcement to crackdown on human rights defenders. This argument helped us gain momentum in our interactions and many saw the relevance of our cause.
At the end of the NGO forum, Tsanga submitted a resolution to the forum, which sought inclusion of the right to privacy to the mandate of the Rapporteur to the right of freedom of expression.
Legal Resources Centre Recommended Resolutions to the NGO Forum April 2018
That human dignity, as contained in Art. 5 of the African Charter on Human and People’s Rights is the core right and value which underpins the need for the respect, recognition and promotion of the right to privacy of all people in Africa;
To accept that effective respect and promotion of this right is necessary for the enjoyment of a range of human rights, including freedom of expression, access to information, association and peaceful assembly;
That the above recognition of the importance and validity of the right to privacy ought to inform and embedded within the process of the revision of the Declaration of the Principles of Freedom of Expression in Africa flowing from African Commission Resolution 362;
That the mandate of the Special Rapporteur on Freedom of Expression and Access to Information should include privacy and digital rights concerns where these impinge on the ability to communicate and receive opinions freely. Specifically including:
Unlawful, disproportionate or unnecessary state surveillance and the private enterprises which enable this through the provision of technological solutions;
The role of the private sector in conducting unlawful collection and processing of their customers personally identifiable information;
Regulation of the costs of access to the internet, and content and platform neutrality online;
The prevalence of ‘internet shutdowns’ in African States, particularly during periods of social protest and elections;
Regulation of the processing of personal data, which can directly or indirectly identify individuals, by public and private bodies, and in particular the need for the processing of sensitive personal data such as biometrics to be subject to higher safeguards.
The LRC is a member of the International Network of Civil Liberties Organizations (INCLO). INCLO is a network of 13 independent, national human rights organizations from the global South and North working to promote fundamental rights and freedoms.
The Statute Law (Miscellaneous Amendment) Bill, 2018 seeks to amend a number of Acts and among them the Registration of Persons Act (Cap 107). This bill proposes the establishment of a National Integrated Identity Management System as well as the capture of biometric data and geographical data (GPS) during the registrations of persons in Kenya. This essentially means that one will be required to provide their biometric information before being issued with a National Identity card. Biometric information in this context includes, fingerprint, hand geometry, earlobe geometry, retina and iris patterns, voice waves and Deoxyribonucleic Acid (DNA) in digital form.
It is foreseeable that this law will have positive and negative implications in various fields. A number of advantages that might come as a result of the collection and digitisation of biometric data include: identification accuracy, establishing accountability in the civil registry as each transaction shall be accurately documented by the individual associated with it, thus reducing the possibility of system misuse and fraud. Similarly, the risk of identity theft shall be reduced consequently leading to an improved return on investments due to the enhanced accuracy, accountability and reduced opportunities for misuse.
As much as this system comes with a number of advantages the collection and storage of DNA data in Kenya’s registry of persons raises a number of legal and ethical concerns. The grimmest of these is the potential contravention of Kenyans’ right to privacy, as provided for under Article 31 of the Constitution, particularly, the guarantee to not have information relating to one’s family or private affairs unnecessarily required or revealed.
DNA data is sensitive. It is not only a unique identifier of an individual, it also can be used to determine an individual’s entire genetic history including their propensity towards certain diseases. This brings it within the ambit of ‘family or private affairs’ as stipulated under Article 31 of the Constitution. The Government of Kenya has not provided sufficient justification for the collection of this data nor has it demonstrated that it shall institute the required stringent security measures within the National Integrated Identity Management System, for the protection of this data. This measure, if adopted, shall transform Kenya into an Orwellian ‘Big Brother State’.
Similar concerns were raised by Britons in their vote against a national data registry and identity cards in 2010. This registry would have required the collection of fingerprint, iris or palm-print data. Their biggest concern was that the collection and storage of up to 50 different kinds of information on one person, would amount to a sort of ‘big brother’ approach. They also felt that it was unclear how secure this data would be from manipulation.
The security of this data is thus under scrutiny. Unlike passwords, biometric data such as DNA fingerprints and the like cannot be easily changed. This means that in the event of a data breach, one cannot easily reset their biometric details. The potential loss in the event of a breach is astronomical as a offender with a sample of the biometric data in question would obtain indefinite access to a database that is secured by the biometric data.
Moreover, the establishment of a DNA database in the absence of a comprehensive data protection legislation further puts the security of such data at risk. It is unclear whether Kenya will be able to afford the necessary encryption technologies and/or adopt the information security and privacy best practices like intrusion detection, breach reporting and having a risk management programs.
The collection of DNA data in a national registry of persons also raises the following ethical questions:
Firstly, who owns the collected DNA data? Given that DNA is unique to a particular individual it is appropriate to assume that DNA is owned by the individual whom it identifies. It is for this reason that the European General Data Protection Regulation (GDPR) in Article 4(5) requires that all organizations, bodies or persons seeking to collect DNA information (pseudo-anonymised data) from anyone to first have consent from that person.
The proposed law in Kenya does not however give people the opportunity to opt in or out of giving their DNA; it makes it a requirement for all Kenyans in order for them to be granted identification as citizens. The implication of refusal to provide such data is the deprivation of national identification documents and potentially one’s citizenship, contrary to Article 14 of the Constitution. As DNA is owned by the individual that it identifies, it is improper for the government or any other entity to collect such data without the explicit consent of the subject.
Given Kenya’s history with ethnic discrimination in both the public and private sector it is important to take into consideration the potential implications of the collection of DNA data, on a national level, on this issue. As DNA data can be used to identify the ethnicity of the subject, there is a risk of such data being abused to discriminate individuals based on their ethnicity. This is compounded by the fact that the Bill is silent as to the specific measures that shall be used to prevent the abuse of the National Integrated Identity Management System.
Additionally, the Ministry of Interiorwill also require GPS satellite details of Citizens’ homes. While the government can access mobile phones’ GPS data with a court order, they typically have to follow certain procedures to obtain such data from Mobile Networks. However, the collection and storage of both GPS and DNA data as proposed by the Bill is without any oversight, and risks making Kenya a Police State.
One cannot therefore ignore the security risk in collecting DNA data in the absence of elaborate data protection laws. These privacy and surveillance reservations are valid given the Cambridge Analytica (CA) scandal where 50 million facebook users’ data was collected and shared with CA, which built ‘psychographic’ profiles of facebook users. These profiles were then used in targeted political messaging during the United States’ 2016 election. Similarly, research carried out by CIPIT into the privacy implications of the use of biometrics in Kenya’s 2017 general elections established that Kenyans received unsolicited political campaign messages which contained accurate data on their names and in some cases polling stations. In light of the manipulation of personal data for profiling and other nefarious purposes, it is imperative that personal data, more so DNA data, is kept secure and only accessed by authorised personnel when absolutely necessary.
That said, keeping in mind the advantages of a National Integrated Identity Management System, is the risk of putting our DNA in the hands of our government worth it?
** Phillis Njoroge is a 4th Year Bachelor of Laws student at the Strathmore University.