The Forum on Internet Freedom in Africa
(FIFAfrica) is a landmark event that convenes various stakeholders from the
internet freedom, governance and online rights arenas in Africa and beyond to
deliberate on gaps, issues and opportunities for advancing privacy, access to
information, freedom of expression, non-discrimination and the free flow of
information online on the continent.
The Forum responds to rising challenges to the
enjoyment of internet freedom in various countries, including arrests and intimidation
of online users, internet disruptions, and a proliferation of laws and
regulations that undermine the potential of digital technology to drive
socio-economic and political development on the continent.
FIFA strives to put internet freedom on the agenda
of key actors including policy makers, regulators, human rights defenders, law
enforcement representatives, and the media, paving way for broader work on
advancing online rights in Africa and promoting the multi-stakeholder model for
The engagement at the Forum aims to reflect the current
trends and concerns in access and usage of the internet and related
technologies on the continent at any given point in time. As such, each year
has its theme based on the state of Internet Freedom in Africa at that point.
The use of information technology in the country has increased over
the years, and this can be attributed to the use of social media that
has made it easier for people to communicate and share information.
With this increase of use, there have been concerns on the sharing of
false information of these platforms and cropping up of blog pages
that post false content.
The Social Media Bill, officially called the Kenya Information and
Communications (Amendment) Bill 2019, aims to provide for regulation
of social media platforms. It seeks to introduce a new part to the
Kenya Information Communications Act with sections regulating on
licensing of social media platforms, sharing of information by a
licensed person, creates obligations to social media users, registers
bloggers and seeks to give responsibility to the Communication
Authority to develop a bloggers code of conduct in consultation with
bloggers. The Bill also seeks to restrict the usage of social media
The Parliamentary statement also provides that the Amendment Act will not limit any right. However, all these new provision directly affect digital rights, i.e. the freedom of expression, the right to access information and the freedom of association. This Bill will see social media users requiring licenses to form groups, group administrators being held liable for the content posted in these groups and minors being restricted from being on the same platforms adults are in. The Act had been amended previously in 2013 so as to include regulation on the registration of mobile SIM card users.
We invite the public to comment and vote on the Bill on our digital
public forum, Jadili.
to access the forum. If
this link is not active in your browser, please copy and paste the
entire link into your browser’s address bar:
closed-circuit television (CCTV) is a type of television system that
enables surveillance by transmitting its signals only to the screens
that are directly connected to it. Use of CCTVs boosts security
efforts by making it possible for owners to monitor their premises.
However, caution ought to be taken to avoid using CCTVs for illegal
government has embarked on a process of regulating the use of CCTVs
in Kenya. A step taken is the drafting of a national CCTV policy
In its preamble, the policy states that Kenya has faced grave
security threats over the past thirty years and as a result, there
has been an increase in CCTV installations. Further, the policy notes
that the installations have been ‘ad hoc’ and ‘disjointed.’
The policy is presumably meant to provide some uniformity. The
objective of the proposed policy is to ‘guide installation,
operation and management of all CCTV systems in public and private
premises while promoting their use as a mechanism to deter, detect
and prevent crime for a safe and secure nation.’
Ministry of Interior and Coordination recently called
on the policy, a process CIPIT participated in. Below, we highlight
concerns that we raised in our submission.
provisions disproportionately limit the right to privacy.
Cyberrights Research Initiative and Localized Legal Almanac (CYRILLA
is producing an open and federated resource toolkit and online
database, of legal information on digital rights. It addresses an
increasingly urgent need “for comprehensive databases aggregating
legislation and case law across a variety of jurisdictions”
expressed by digital rights researchers, journalists, civil society
advocates, human rights defenders, legal professionals, and others
seeking to shape rapidly evolving legal frameworks for digital rights
aims to organize and make accessible the world’s digital rights –
related laws so that a wide range of actors can more readily and
confidently assess legal trends as they shape and impact digitally
networked spaces, highlighting threats to human rights and
opportunities for legal reform.
known as the Arab Digital Rights Dataset, the CYRILLA database was
launched in late 2017 with a dataset of bills, law, and case law from
the 22 Arab League states. With the addition of new CYRILLA
Collaborative partners – Association for Progressive Communications
Centre for Intellectual Property and Information Technology Law
at Strathmore Law School, Columbia University’s Global Freedom of
Expression Program, Derechos Digitales3,
and Social Media Exchange (SMEX)5
– the database will expand over the next two years to include legal
information on digital rights from more than 90 countries in Latin
America, Africa and Asia.
a think tank established under Strathmore Law School, is the African
partner in this Collaborative, whose mandate relates to sub-Saharan
Africa countries. As part of its role CIPIT has been reaching out to
partners across Africa and collating, developing and populating a
with digital rights data from across sub-Saharan Africa. This data
includes both hard and soft law instruments such as legislation, case
law and policies from various African jurisdictions.
This is the finale in our series on Data Protection principles espoused in the Data Protection Bill.
Clause 25 of the 2019 Data Protection Bill spells out the principles
of data protection. Among this is the prohibition from sharing data
with third parties without the consent of the data subject.
“Third party” is a term that originates from contracts.
Traditionally contracts are between two parties and a third party is
a person who deals with the contracting parties but is not party to
the contract. In data protection however, there are typically three
parties- the person whom the data concerns (data subject), the person
who designs how data will be processed (data controller) and the
person who actually processes the data (the data processor). In some
cases, data is processed by the same organisation that is the
controller. In other cases, it is processed by a third party
processor. A third party processor would not typically require
further consent to process data on behalf of the data controller.
For example, a manufacturing firm may outsource their payroll
function to a HR firm. The manufacturing firm is the data controller
as they determine which data is collected, and how it is processed.
The HR firm is the third party data processor and employees of the
manufacturing firm are data subjects.
The Data Protection Bill envisages that the data controller will
inform the data subject of the use to which their data is being put.
Clause 26 lists the rights of the data subject, and they include the
right to be informed about their data use; right to access their data
in the custody of the controller or processor; as well as the right
to object to processing of all or part of their personal data. In
the above example, the manufacturing firm would need to inform their
employees that their personal data is processed by the payroll
In the event that the data controller or processor were to share the
data with a third party, then the consent of the data subject would
be needed. Clause 25(g) states:
This post is the fourth of CIPIT’s analysis on the data protection principles provided for under section 25 of the Data Protection Bill. This post focuses on section 25(f) which provides that personal data should be kept in a form which identifies the data subject for no longer than is necessary for the purposes for which it is collected.
Kenya’s National Assembly recently released a Data Protection Bill 2019 (the Bill), which gives effect to Article 31 of the Constitution of Kenya – The Right to Privacy. Specifically, the Bill prescribes a legal instrument for the protection of personal data. It establishes the Office of the Data Protection Commissioner, makes provisions for the regulation of processing of personal data, and provides rights of data subjects and obligations of data controllers and processors.
Section 25 of the Bill outlines the broad principles of data protection, and this article focuses on s25 (f), which states: ‘personal data should be kept in a form which identifies the data subject for no longer than is necessary for the purposes which it is collected’.
These principles detailed in s25 of the Bill are in essence the overarching themes that capture the spirit and intent of this Bill. On a black letter review of the wording used on s25 (f) it appears self-evident that data identifying any data subject should not be held for an infinite timeframe particularly after its utility has ended.
For example, it should be a primary privacy
concern to any Kenyan citizen how the data they use in their communications
online or over the phone, is stored by local telecommunication companies, who
can access this data(for example if required for national security purposes),
and for how long this data is held by these companies.
It is an open secret that the Bill borrows heavily from the the European Union’s General Data Protection Regulation (GDPR). Being a Bill, as the interpretation of this clause hasn’t yet been tested from a Kenyan jurisprudence perspective, it is therefore prudent to look to the intent of the GDPR principles for an analysis of s25 (f). In this case it ascribes to the following principles:
The purpose limitation principle – a Data controller or Data processor should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose. This principle has been reviewed in detail in this series of blogs particularly under s25 (e).
The storage limitation principle – This is effectively stated in the last part of the above principle, which is basically that organisations need to delete personal data when it is no longer necessary. What does ‘no longer necessary means’ in this context? In my view this means that data controllers should only process data for the time needed to execute the purpose for which this specific information was collected.
The question then follows, how this principle
is effected in this Bill. From this blogger’s review, aspects of this principle
are espoused in the following clauses:
Section 28(3) provides that a
data controller or processor shall collect, use or store personal data for a
lawful, specific and explicitly defined purpose (purpose limitation principle).
Section 29(c) on the duty to
notify, a data controller shall be mandated to inform the data subject of the
purpose for which the personal data is collected (purpose limitation principle).
Section 34(b) provides that
processing of personal data may be restricted where personal data is no longer
required for the purpose it was intended for (purpose limitation principle).
Section 39 provides for
limitation of retention of personal data and outlines some exemptions (storage limitation principle)
Huduma Namba draft bill (“the Bill”) was introduced in July 2019 against the
backdrop of a petition that challenged the recent amendments to the
Registration of Persons Act found in the Statute Miscellaneous (Amendment) Act.
The impugned amendments created the National Integrated Identity Management
System (NIIMS) by adding section 9A to the Registration of Persons Act, and extend
the data that can be collected during the registration of persons to include
personally identifying data such as Deoxyribonucleic acid (DNA) data and global
positioning system (GPS) coordinates.
The grounds for the petition were: that the registration process lacked legal basis, the registration process infringes on the right to privacy, Kenya lacks a comprehensive data protection law, and the process would further marginalise persons who have not acquired the primary documents required to register for Huduma Namba.
The implementation of the right to access information has been a topic of conversation as early as the 18th century. Sweden became the first country in Europe to do so (implement right to access). Anders Chydenius’ believed that democracy and workers’ rights were crucial to the economic growth of a state and urged that freedom of press and information is a vital right that should be accessible to all citizens; the English parliament also recognized the need and importance of abolishing political censorship in the 17th century. Eventually India, being the first non-European country, followed suit in the 20th century by incorporating the right to information into their own laws (known as the Right To Information Act).
The freedom of association has traditionally been defined as the right to be with other people for a legal reason, cause or purpose, without interference. However, with the advent of modern technology, today’s emergent associations differ in important ways from traditional political and social organizations.
Recent global events particularly those associated with the Arab Spring form prime examples of the need to examine and analyze the legal protections afforded to associations in the digital age and whether such protections are sufficient in the wake of emerging threats.
Thus, an analysis of the commonalities and the differing aspects of the contrasting viewpoints of the subject right as well as the impacts of this is well justified in light of the changing context within which the right is exercised and indeed with a view to building a wholesome definition having considered all relevant factors.
TRADITIONAL RIGHT VIS-À-VIS DIGITAL RIGHT
Freedom of association has commonly been associated with the notions of physical meetings and geographical proximity. However, advances in modern communication technology have greatly shifted the context of this right and led to a number of differing aspects with its traditional understanding. The prime difference consists in the non-requirement of geographical proximity. Previously, participation of one’s associational freedom often meant attendance of in person meetings. Conversely, in the present day, one can participate in the activities of an association without the need for physical attendance or geographical proximity due to the relatively inexpensive nature of internet connection. Global events ranging from the political uprisings that swept across the Arab world to the Occupy Wall Street Movement have highlighted the use of digital technology in the exercise of the subject right.
Another key differing factor is the platform on which the right is exercised. In its traditional understanding, the right is often exercised in public spaces such as city squares whereas the digital right extends to digital platforms such as discussion forums and chat rooms. This view was supported by the APC which stated that the right should be construed to include any space where people can meet, including online spaces.
A logical import from the differences highlighted is the central role of modern technology as a conduit to the exercise of the digital right. This view is reiterated by the 2012 report of the former Special Rapporteur where he called upon States “to recognize that the rights to freedom of peaceful assembly and of association can be exercised through new technologies, including through the Internet”. This view was also highlighted by the Human Rights Council in its Resolution 24/5 in which it:
“Reiterated the important role of new information and communications technologies in enabling and facilitating the enjoyment of the rights to freedom of peaceful assembly and of association…”
However, these differences do not constitute a comprehensive redefinition because of the commonalities shared such as the similar nature of the associations in both conceptions. As per the ‘Guidelines on Freedom of Association’ an association is “an organized, independent, not-for-profit body with an institutional structure based on the voluntary grouping of persons with a common purpose.” Online associations fulfill each of these requirements therefore enjoying protection even in the traditional understanding.
DEFINITION AND RELATION TO ASSEMBLY
In view of the differences as well as the commonalities of the contrasting interpretations of the subject right one can reasonably deduce that the digital right can be defined as the right to voluntarily join with others through collective action based on a common purpose through the use of modern communication technology without interference.
Perhaps an interpretational challenge in defining the subject right also owes to its confusion with the related freedom of assembly. Freedom of assembly secures the right of people to meet for any purpose connected with government whereas associational freedom protects the activities and composition of such meetings.
Digital technology has transformed the ways in which civic and political associations are formed and operate. Political and civic “work” in society is increasingly performed not by traditionally organized and well-defined associations but by decentralized networks of individuals. As such, online association has opened the door for a more effective advocacy of Human Rights issues which may be dangerous in authoritarian states and for the faster aggregation of resources for community development.
However, the same features of modern communications technology that enhance associational freedom also crucially enhance the threat posed by relational surveillance. Relational surveillance can loosely be defined as surveillance that makes extensive use of digital communications in order to determine the associative groups to which an individual belongs. Comprehensive surveillance has the unfortunate propensity to cause exploitation of vulnerable groupings in society. Indeed surveillance also highlights the occasionally involuntary nature of online association since it uncovers exploratory activities such as inquiries or admission into social media groups which could mark an individual as a “member” of an association before express consent has been made. Additionally, the networking tool of the internet is useful not only to legitimate civic groups but also to criminal and terrorist groups as they can also benefit from the pseudonymity of digital association.
Lastly, the central role of data in modern communications technology and continuous data collection often leads to the threat of profiling. It is no secret that platform providers retain consumer data often using it for targeted advertising purposes. However, the emergent use of data as a value tool whereby data is sold to advertisers and other firms has led to widespread privacy concerns highlighted best by the Cambridge Analytica scandal.
Given that the Computer Misuse and Cybercrimes Act’s chief focus is with regard to the content of the data rather than the collection and use of data and the relative lack of comprehensive data protection legislation outside the Constitution, it would seem that the local laws are ill equipped to deal with the issue of surveillance. Therefore, there is need for legislation to regulate and provide oversight on;
circumstances under which platform providers can collect and use data,
circumstances under which platform providers can share such data with government agencies and other 3rd parties.
Although modern communications technology has greatly enhanced associational freedom for many informal associations, it has also facilitated the emergence of new threats such as that of surveillance. This expansion of the scope of the subject right has meant that current legislation is insufficient in the wake of new threats. Therefore, it is imperative to review and update relevant legislation in order to comprehensively address these concerns.
The right to freedom of assembly has been widely accepted as a necessity in a functioning democracy as assemblies are used to express and defend different views. This right has justified holding of political rallies, picketing, demonstrations and meeting or barazas held to discuss issues in the society, with the condition that any of such is done peacefully. It is so essential that even the modes of protests have changed with time with online protests becoming more common. This has led to social media being viewed as a potent tool in aiding access to information as well as enhancing the right of the freedom of assembly. This has resulted in the need to justify the exercise of assembly online and the role the government has in safeguarding online assemblies.
So what constitutes and forms online assembly? What role does the government play in safeguarding this right? What constitutes an infringement and how can this be mitigated? This article seeks to answer these questions by first setting out the background of the right to the freedom of assembly in the traditional sense, then exploring the legal framework and case law, which set out the duties the State owes and how this right is applicable to online assemblies.
Online assembly is a controversial issue especially when it comes to online protests. This is especially with the disruptive nature and wide reach online protests have. Discussing the legality of online assemblies is necessary as this will determine whether governments are justified in shutting down the internet or censoring content online. This involves discussing the role the right to access information plays in online assemblies.
The right to the freedom of assembly in the traditional sense is composed of two elements that aid it: free speech and the right to associate. It finds its roots in “Tavern Talk” in America in the mid-18th Century, where the biggest revolutions such as the famous Boston Tea Party were found to begin with the political discussion that happened in taverns. The taverns offered the Americans a place to vent of their common issues and discuss matters affecting them. Given the large pool of men visiting these taverns it was often easy to mobilise people to protest against the then British rule. It foreseeable that the American legislator saw it important to protect free speech, freedom of association and the freedom of assembly in the First Amendment of the American Constitution. In fact, Congress in discussing what constitutes the freedom of assembly, found free speech and freedom of association as integral to fulfilment of this right.
This notion has been widely accepted in the Kenyan context. The right to the freedom of assembly is first and foremost a constitutional right, which is the supreme law of the land. it further finds its routes in our democracy, which is the exercise of the people will through elected representatives. The courts have interpreted the right to the freedom of as an end , with free speech and the right to associate being the means. The courts assert that free assembly requires the free flow of opinions and ideas…
What is Online Assembly?
Online assembly in this article refers to the gathering of people on virtual platforms in groups so as to express their views and at times for the purpose of criticising the government. The nature of online assemblies is unique as it involves the sharing of information across a digital platform in order to mobilise internet users to take part in virtual protests. As such, online assembly has various elements unique to it: the online platform, the role access of information plays and the viral effect brought about by the network.
The disruptive nature that online assemblies have had has seen governments in most States taking action to try and control them through stringent rules as well as complete media shutdowns. This has led to push back as it was seen as an infringement on the citizenries’ right to access information and the right to the freedom of assembly.
States are now required to ensure there is access to the internet as people have the right to gather online and express their opinions. The state should therefore refrain form shutting down the internet without just cause. There should additionally be no restrictions on content and government surveillance. This is to ensure free speech is not policed by government and that it is protected.
It goes without saying that online assembly does have its dark side. This is because of the tools internet activists used such as hacking and the use of computers whose owners don’t know they are infected. This is illegal as one cannot use someone’s personal resources for your political purpose without their consent. As such, the State does have the duty to draft frameworks to ensure online assembly is not abused.
There is a need to protect the right to online assembly as it has resulted in a lot of positive changes in society. An instance of this is the profound effect the #MeToo movement has had in addressing the need for stronger anti-rape laws. Online assembly has also has also played a profound role in advancing for the protection of citizens against violation of human rights, as seen in the Tunisian Revolution. These are just a few examples of the numerous occasions where digital media has been used to advance for legitimate causes.
In light of this, the State has to balance the need to maintain public order with the right to online assembly, which is achievable without shutting down the internet or censoring the internet. The State can take measures to ensure that those who abuse online assembly are penalised through cyber laws whilst still ensuring people can freely gather and express their opinions online.
The Right to Freedom of Peaceful Assembly: Best Practices Fact Sheet, United Nations Special Rapporteur on the rights to freedom of peaceful assembly and of association, Maina Kiai (published Nov. 2014)