IGF 2022 WS #309 Access to remedies in safeguarding rights to privacy & data

Workshop #309:

Title: Access to remedies in safeguarding rights to privacy and data

List of panellists, chairs and moderators:

Panellists: Cynthia Chepkemoi (Data Protection Counsel (Advocate), Association of Privacy Lawyers in Africa, Kenya); Mosa Thekiso (Executive Head: International Legal & Regulatory Digital Services & Platforms and AI at Vodacom South Africa); Maureen Mwadigme (Senior Human Rights Officer: Kenya National Commission on Human Rights); Stella Alibateese (Director: National Personal Data Protection, Uganda)

Chair: Dr. Jonathan Andrew (Danish Institute for Human Rights)

Moderator: Cathrine Bloch Veiberg (Danish Institute for Human Rights)

Rapporteur: Line Gamrath Rasmussen

The session was moderated by Dr. Jonathan Andrew, representing the Danish Institute for Human Rights (DIHR), which is a national human rights institute (NHRI). The DIHR works closely with other national human rights institutions globally, a number of whom travelled to attend the IGF 2022. The DIHR continues to work on the theme of access to remedies, which is part of a broader project and initiative of the Action Coalition on Responsible Technology, an initiative funded by the Danish Foreign Ministry that brings together different stakeholders from civil society, non‑governmental organizations, public authorities, businesses, and other interested stakeholders who are participating in a year‑long program of events to strengthen the use of technologies responsibly on a global level.  The Action Coalition on Responsible Technology incorporates a work stream on policy coherence which is reviewing how regulations and different initiatives in relation to legislation are creating alignment in oversight, including in relation to access to remedies.

Substantive Report and Main Themes Raised:-

Data Protection and Privacy Rights in Kenya

- The legal framework in Kenya of the Data Protection Act of 2019, and the Computer Misuse and Cybercrimes Act of 2018 provide the basis for regulating data collection, processing and retention. The Data Protection Act has provided Kenya with regulations that put in place the procedural laws on how the registration of data controllers and processors must be conducted. The Data Protection Act also provides for a complaint handling procedure and outlines how data subjects can file a complaint to the office of the Data Protection Commissioner.  Whilst there exists a process, the mechanisms to seek redress where there is a violation of privacy have taken time to evolve into viable means of remedy.

- Enforcing data protection law in Kenya has proven to be a painstaking process, and larger tech companies continue to be responsible for some of the infractions that occur. It remains the case that many citizens are not aware of the procedures that they need to follow, such that much remains to be done in terms of sensitisation and capacity building to ensure a citizen is aware of, and can actually follow, the legal procedures in place to seek redress.

- The Data Protection Act also establishes an intricate system of rights and obligations that operationalise the right to privacy. Data protection authorities have a duty to receive and act on all complaints by individuals, and sometimes the authority on their own initiative can also investigate issues they have identified. The first stage of compliance is the DPA conducting privacy audits so that they can review their compliance level in terms of data governance, and whether they are actually registered as data controllers or data processors.  In cases where they have not registered, this means that they are not yet in compliance.

- A major consideration in relation to finding remedies are the different reporting mechanisms available with respect to violations of privacy.  Most frequently, the first port of call for any institution receiving a complaint is to attempt to resolve the dispute in-house. In certain cases, a party may have an alternate dispute resolution (ADR) mechanism in place and outlined in its privacy and data protection policy: where there is a data breach, this mechanism can be used to attempt to resolve the violation or breach.

- A second point of call for a violation of privacy rights is the Office of the Data Protection Commissioner (the Kenyan DPA): this is the authority in Kenya tasked to set the rules and regulations on how personal data is being handled, processed, stored, and is the authority to which all the data controllers and data processors are required to report any issue of a data breach or data loss.

- Personal data of data subjects in Kenya have on occasion been shared with a third party without consent having been given. Where this information is shared with a third party without consent, then this would amount to a violation of your rights as a data subject. From experience, when a complaint has been filed with the DPA, the office takes around 14 days to respond to the complaint. Then the DPA will ask the party that is the subject of the complaint to respond and provide evidence: this reflects the importance of fair administrative procedure whereby each party must be given an opportunity to defend themselves.  At this point, it is frequently realised that the data controller or processor actually had policies (also known as ‘agreements’) where the data subject consented to the processing. As such, consent to wider processing is often very broad: data subjects simply haven’t read the terms and conditions of the agreements which can be extremely long and convoluted. A final avenue for redress is the courts. 

- Public authorities, such as hospitals and schools (processing sensitive children's personal data or patient data), are often advised to have datasharing agreements in this regard with respect to any transfers of personal data. These agreements can protect the organization from liability, and from the risk of court proceedings or where complaints are filed to the Office of the Data Protection Commissioner.

Access to Remedy in Uganda: Role of the Personal Data Protection Office

- In Uganda the right to privacy is enshrined in Article 27 of the Constitution of Uganda. In 2019, the Ugandan government enacted a comprehensive law, the Data Protection and Privacy Act. The Act is a comprehensive law that was set up to further enhance protection of personal data, and it introduced specific digital rights in Uganda.  For example, the act has an entire chapter on data subject rights including the rights to access to your personal information, the right to erase your personal information, the right to make connections, the right to stop automated decision‑making and many others are also provided for. Prior to the Act, Uganda had other laws that provided for privacy protection more generally. The law also provides for the Personal Data Protection Office. Part of the mandate includes resolving complaints from data subjects, so if a person finds that her/his rights have been infringed upon by a data controller or data processor, then the law gives you a right to make a complaint to the data protection office.

- The Personal Data Protection Office in Uganda also provides guidance, particularly to data controllers in regard to the interpretation of the law in respect of issues related to compliance. The legal framework also gives powers to the DPA to investigate, and it can also prosecute where it finds there has been non-compliance. Under the same laws, the Ugandan DPA is required to register all data controllers and data processors: currently the entire system is online (including payment and certificate issuance). Under the online system the office also receives automated updates on complaints filed. The office activated the system around May 2022, and it has currently over 2,000 complaints that have been raised against various data controllers. Crucially, it is key to ensure that data subjects can access their rights under the act. The Ugandan Act is very specific: it provides for their rights within the regulations and provides for mechanisms of how the data subjects will raise their complaints. Within the regulations there are specific provisions that require data controllers to respond to those complaints within certain timelines.  The timelines range from 7 days to 14 days.

- Under the guidance notes that the Uganda DPA issued for data subjects to raise complaints, it requires that data subjects first engage with the data controller or the data processor before they come to the office of the DPA (this aspect of the process is also enabled through the online system).  If a data subject finds that it has a complaint to raise, she/he can use the system to develop the letter that they can submit to the data controller (it is automatically generated from the system). This was put in place to ease the complaints filing mechanism, because it was known that many people may have challenges writing letters.

- Ugandan data protection law also requires data controllers and processors to have in‑house complaint resolution mechanisms. The Ugandan DPA provides training for data protection officers, who are focal points of contact in these organizations. They are provided with training too on how to deal with various complaints. Regarding the Ugandan DPA’s role, its mandate under the law allows for it to investigate the complaint. 

- In terms of the current legislation, given the regulations were passed only in 2021, the country has not yet had any prosecutions brought under the new laws, however, the DPA does have a number of investigations that are currently being undertaken. 

A Business Perspective on Access to Remedy: Vodacom Group

- In its business activities Vodacom Group manages a number of privacy‑related issues across the continent and across various countries. The issues the business deals with on a daily basis are broad, given its drive to take Africa as a region fully into digital inclusion and financial inclusion: these are the main topics that are top of mind for Vodacom Group - it wishes to avoid a scenario where Africa and African consumers are getting left behind from a digital economy perspective.

- A lot of emerging and new innovative technology requires a lot of data and data processing. As such, with these data‑rich technologies a key balance is actually how to use these technologies whilst also looking after the rights of its consumers.

- Vodacom has undertaken a study on how the business actually achieved the balancing act in the current regulatory environments that are present across Africa.  It is important to point out that remedies do differ from jurisdiction to jurisdiction, which poses a lot of challenges for Vodacom as a big business. Robust, relevant measures are in place at Vodacom, yet in contrast it can be difficult to convey just how complex and difficult it is for a smaller entity trying to manoeuvre through Africa from a business perspective to grapple with these different laws as they change from country to country. 

- The main barriers that Vodacom has identified with regard to rolling out data‑rich technologies are data localization laws. Vodacom observes that when it is dealing with big data or AI technology and leveraging off technology provided by Cloud service providers, that they tend to take a regional approach. As such, for Vodacom to use these technologies it has to think about where it is going to centralise its operation of the tech in question. For example, would it use the Amazon Cloud in Cape Town or perhaps another Cloud in Kenya?  However, because Vodacom wishes to move its businesses forward throughout those jurisdictions at the same time, it tends to have to use one hub - and that means that data is always moving across borders. Thus, the first critical issue is data localization.  The second is that in many countries across Africa there are data protection laws, but in others they don't have the data protection laws in place yet. In some countries there is however a constitutional right to privacy, so a business such as Vodacom obviously has to take that into account.

- Vodacom conducts its own studies to determine how it develops and responds to emerging factors relating to data protection and privacy laws. Taking into account the rights protected from the constitutional perspective and also from data‑specific laws or data protection-specific laws, it has reviewed a number of best practices contained in policies, and in digital agreements. It has reviewed the Convention for the protection of individuals with regard to personal rights (Convention 108+). Vodacom also looked at the EU’s digital transformation strategy and the data policy framework.

- From a standards perspective, which form much of the business’s focus, it also looked at Mauritius, which is a good example of a robust data protection act which takes care of the rights of data subjects and also signatories. As such, from a bilateral perspective, the business also reviews preferential trade agreements: for example, Singapore is a good example and has robust bilateral agreements with Australia and also with New Zealand.  Vodacom also undertook to examine the African Continental Free Trade Area (AfCFTA). This approach outlines therefore a broad perspective by a business in evaluating policies and so as to develop best practice: the recommendations the company makes are thus what it understands it needs in order to protect data subjects and respect the laws. 

- Taking into account the technologies, it is important to look at how to take a regional approach. Thus, the business also takes policies and looks at them from a regional perspective. Another option that can be considered is regional cooperation by trade agreements, where provisions can be made for rights, and also for regulatory reform.

- Vodacom Group takes a regional approach in cases where there aren't any data protection laws in place.  It also encourages the ratification of international conventions such as Convention 108 +. Further, it understands too that a foundation is the right to privacy, which exists in most constitutions. In addition, Vodacom has in place as a business specific measures such as privacy by design (PbD) - this is part of its approach whenever it is dealing with any data technology, which is essentially a constant in the current operating environment. Privacy impact assessments (PIAs) are also used, including internally even for jurisdictions that don't have laws in place: this has been developed as internal best practice. Whenever the business is working with any kind of data processing, it starts with its privacy impact assessment, and adaption is required to each jurisdiction accordingly given different laws.

- Vodacom Group, when given the opportunity to comment on the various policies or laws that are still in draft, provides input e.g., with a new bill in Tanzania. Vodacom aims to take a robust and balanced approach in its activities: this is key in protecting rights of consumers from a privacy perspective. On the AI side, it is a little bit broader from an AI perspective: other constitutional rights are impacted, such as freedom of expression, equality and non-discrimination. One also has to consider how to deal with biases in data. Vodacom is therefore constantly thinking about these rights, whilst at the same time trying to cater for digital inclusion and financial inclusion.

The Role of National Human Rights Institutions – the Kenya National Commission on Human Rights

- The Kenya National Commission on Human Rights (KNCHR) is an ‘A’ status national human rights institution according to the Paris Principles.  The Commission has a clear mandate to speak on matters of digital rights. With regard to emerging digital technologies, it has become very clear that even seemingly neutral technologies can actually replicate pre‑existing inequalities and contribute towards marginalisation. Technology impacts human rights positively, and at the same time may have a negative impact - this is where the role of oversight institutions, such as the Kenya National Commission on Human Rights, can function in addition to other organisations such as data protection authorities.

- As a national human rights institution, the KNCHR is very keen in providing oversight of online spaces to ensure that the milestones met in the physical world are not lost in digital spaces.  We note that there are so many issues and human rights concerns that have been happening in the online spaces, and unfortunately most are often not regarded as such as human rights issues. For example, in Kenya a case study was conducted by the KNCHR due to having received a lot of complaints on matters of freedom of expression, where activists have been arrested and charged (frequently with offences under the Computer misuse and cybercrimes Act 2018 - Kenya). This proved particularly the case during the COVID‑19 epidemic where human rights defenders really took to express themselves online as opposed to going on the streets due to the limitations of public protest with which we are all familiar.

- Censoring and blocking are also key issues. For example,  public institutions that have a Twitter handle or Facebook page have unfortunately taking steps to avoid criticism by seeking to censor negative comments about their actions and activities. These authorities have in certain cases taken steps to ensure people are blocked from receiving any messages or interacting further on particular platforms.

- Surveillance is also a key concern, including government surveillance and surveillance by businesses. The targeting of consumer decisions and gaining insights on activities through processing personal data, such as by FinTech companies, is considered a huge problem in Kenya. The Central Bank of Kenya has been spearheading regulation of this sector, so as to ensure that there is a sensible approach with respect to FinTechs targeting civil and political rights. There has also been progress with regard to oversight of  government surveillance activities targeting civil and political rights in Kenya, including voting rights.

- Kenya has also experienced a number of massive data protection breaches. Prior to the elections in August 2022, a large number of Kenyans found themselves registered as members of political party with the Office of the Register of Political Parties even when they hadn’t in fact registered themselves. As such, this instance reflects a very interesting finding that political parties will go the extra mile to get very specific information  on individuals to be able to meet the threshold that was required by the Office of the Register of Political Parties to be able to register as a political party.

- Another concern in Kenya is that the country is seeing quite a lot of movement in terms of compliance in the private space.  In fact, recently the Office of the Data Protection Commission made a requirement on the regulations and compliance procedures by private companies.  However, for the government  the situation is quite different.  In essence, there also needs to be awareness in government of the need to follow data protection laws: government is in effect the largest data controller. There still exists a misguided belief that the public sector cannot infringe on personal data laws, and this approach must be challenged. Fundamentally, in Kenya, state departments, agencies, the government in general should lead by example and implement data privacy programmes within their organizations. On the issue of access to remedy itself, national human rights institutions (NHRIs) are very independent and trusted entities and are thus able to be engaged successfully. The KNCHR already receives a lot of complaints and a lot of feedback from communities and from users of particular technologies. Thus, in terms of providing legal advice, holding public awareness forums, these continue as activities conducted by the NHRI so that the citizens are actually helped to understand their rights, especially with regards to digital rights.

Conclusions: How should digital accessibility issues be tackled so as to safeguard the digital rights and access to remedies that the different stakeholders are all working to achieve?

Response from the Kenya National Commission on Human Rights (KNCHR)-

  NHRIs, such as the KNCHR, can work to ensure that the vulnerable and marginalised groups are not impacted by our actions when it comes to issues of access to online services.  Unfortunately, what is happening right now is that technologies are often marginalising the vulnerable even further. Thus, for an NHRI it is important to think, how it can work with ISPs and other companies to be able to understand the need of specific areas that have been mapped out.  Secondly, it is important to ensure that services are equitably distributed across the population. However, it is important to take into account the business angle, and whether they will be able to recoup their profits when they go into more rural areas.  A key question is therefore how best can government incentives be used to ensure that such companies can reasonably reach out to these offline areas and at the same time mitigate higher costs in doing so? This is an issue that requires a multi-sectoral approach: it is not one that can be dealt with by one sector alone.  It is a challenge that requires a mapping aspect, a monitoring aspect, and reporting - all parts must be performed so that the vulnerable and marginalised groups actually benefit from increased connectivity of networks. Stakeholders in the digital sector need to work very closely together as human rights are interdependent and the different roles that actors play here in their respective capacities all complement each other. Working in siloes doesn’t work; it is clearly necessary that the respective stakeholders in their different capacities come together to be able to impact positively on matters ensuring protection of the rights of users of the technology that is under development. 

Response from the Ugandan Personal Data Protection Office-

  Digital connectivity and access are a valid concern.  On the part of the Ugandan DPA, it is trying to address the issue by creating awareness through the local languages of the country (there are over 50 tribes speaking different dialects). At the  Ugandan DPA office only 3 or 4 of the dialects are spoken: this presents a large challenge where it is creating digital literacy programmes - clearly, it's important that you communicate them in the language that most people understand.  As such, this continues as a challenge that the DPA is trying to work out ways to address. First of all, it is interpreting the laws and then developing its work that can create awareness of the laws amongst the population. Secondly, in terms of access, whatever technology is developed, the Ugandan DPA makes sure that it provides for communication through current and future smartphone devices. For example, the complaint system is one that clearly interfaces with the population. The DPA has also enabled SMS and other technologies that enables an individual, even with a basic device, to be able to reach the authority and communicate. Obviously, the issue of engagement and connectivity is a journey and government need to continue with these efforts until the gaps are bridged.

Response from Cynthia Chepkemoi (Advocate)-

  Digital literacy is a broad challenge. Working with different institutions it is clear that, in creating awareness and improving digital literacy among marginalised communities and more especially women and children, the best approach is to work through associations, that's where you can reach many people and institutions. For example, in Kenya classes have been provided to train children on digital literacy, train them on cybersecurity and skills they need to stay safe online.  Also important is identifying specific groups that are more marginalised in the digital space. At times one of the major challenges is the infrastructure itself, in as much as in trying to roll out the services to marginalised communities, it is realised that they lack the infrastructure, so it even becomes more difficult to enhance digital literacy, but then through working with associations and civil society organizations it calls for a multi-stakeholder approach. A collaborative approach is required to actually attain and reach the digital literacy levels that we need to see among our communities.

Response from Vodacom Group-

  Vodacom has a very robust social contracting programme. and a big part of its function is when rolling out various products and services, for example, with its a mom‑and‑baby app (essentially a healthcare product that tracks pre and post‑natal development) that connectivity is considered. For such services to actually go into the market, users need a smartphone - thus smartphone penetration is key, as is also the relevant digital literacy. As part of Vodacom’s social contracting programme, as it rolls out its various products that cut across different sectors (e.g., healthcare, education) it partners with Cloud service providers on areas such as education, for example. Vodacom continues to look at specific issues and identify new areas, and this approach goes hand in hand with that of educating consumers and users of those products on their rights, what the business does with their data, how the company secures their data. In addition, it is also important to inform them how they can hold the business accountable when it comes to their data if they're not comfortable with how their data is being processed, or if don't understand what we do with their data. It is important that consumers have at their disposal a resource or various channels to approach the company so they can learn and be informed.

- - -