African Union Convention On Cyber Security and Personal Data Protection: A Case for Stronger Protection for The African Child Online in The Age of Digital Economy
By: Oloyede Ridwan
Abstract
The continent is witnessing a burgeoning growth in its digital economy. The increased internet penetration means more users joining the grid and has seen growth in the adoption and application of digitalisation in governance and business models. The emerging datafied model entails the generation, storage, processing and transfer of data within and outside the continent. The new data-driven digital economy poses immense risk without adequate data protection framework across the continent. The proliferation of internet connected devices has seen an increased number of African children online. There is an urgent need to protect their privacy online and develop a strong framework to protect them from the evolving risk and danger online.
“privacy”, “child”, “personal data”, “convention”, “data protection”, “Africa”, “digital economy”
INTRODUCTION
According to Wearesocial, the number of internet users globally has surpassed 4 billion[1]. There is an increase in the use of the internet in Africa. More devices and persons are connected than ever. The use of the internet is fast permeating into governance, commerce, finance, agriculture and social exchange of Africans. Mobile phones “are set to reach 535 million in 2020 which signifies a reach of mobile phones to 50% of Africa’s population[2].” As of June 2018, internet penetration in Africa was at 36.1% of her population; this percentage represents 11.0 of global internet users[3]. The rise of the digital economy globally has been predicted to account for over 26% of the world GDP[4]. According to Huawei’s Global Connectivity Index (GCI) 2018, the value of the global digital economy will hit US$23 trillion by 2025[5].
The spread of digital economy adoption in Africa and globally births online privacy and security concerns. The concerns are fraught with risk to users and more specifically, as it affects the African child. One in three internet users worldwide is a child, and young people are now the most connected of all age groups. “Every half a second, every day, a child goes online for the first time – tapping into all the great opportunities the Internet has to offer, but facing grave risks”(UNICEF).Three out of five African children are not connected to the internet. Increasingly, children have a digital footprint over internet[6]and even before birth.[7]“A growing body of evidence indicates that children are accessing the internet at increasingly younger ages. In some countries, children under 15 are as likely to use the internet as adults over 25” (UNICEF report, 2017). Mobile phones, computer, wearables and privileges for using a device births new responsibilities. Africa’s digital maturity is on the rise[8].
The increased use of social media and online services means children now share a tremendous volume of personal information online. The internet has enabled children to learn, share, and participate in civic life[9]. The use of the internet brings enormous benefit to children with access to information, ease of learning and social interaction. However, the internet portends risk to the privacy and reputation of children. Often, children are not aware of the imminent risk their digital footprint could possibly bring. Children could be vulnerable and be a victim of an online attack, information theft, cyberbullying, mass surveillance, cyberstalking, virtual child abuse and exploitation, corporate data collection and hawking to third parties, identity theft, privacy-invasive targeted commercial practices such as online profiling, behavioural monitoring and tracking or exposed to inappropriate contents. In the age of over-sharing, children could be a victim of online privacy violation. Digital kidnapping is another rising phenomenon, where pictures of children are collected for role play by online users[10].
Understanding child online privacy
According to the United States Child Online Privacy Protection Act[11], a child’s personal information “includes a kid’s name, address, phone number or email address; their physical whereabouts; photos, videos and audio recordings of the child, and persistent identifiers, like IP addresses, that can be used to track a child’s activities over time and across different websites and online services.”
Children deserve special protection with regard to their personal data, as they are vulnerable, less aware of the risks, consequences and safeguards involved and their rights as it relates to the processing of their personal data. According to Sheldon Yett, “the potential of connectivity makes it easier for children to connect with their peers anywhere in the world […] is a tool for children’s empowerment and engagement with their communities. However, this connectivity puts them at risk of their private information, access to harmful content, and cyberbullying,[12]”
METHODOLOGY
The paper utilises a number of UNICEF reports, the African Charter on the Rights and Welfare of the Child, the African Union Convention on Cybersecurity and Data Protection, the Modernised Convention of the Council of Europe, the Data Protection law of South Africa and Mauritius, the European Union General Data Protection Regulation and articles sourced online. The purpose of this paper is to identify the privacy risk to the African child in the age of increased digital economy and the need for a continent-wide legal framework for protection. The Author will seek to make a case for the enactment of an African Convention on the Protection of Children Online or a supplementary document to the existing convention on cybercrime and data protection.
THE LEGAL FRAMEWORK FOR PROTECTION
Article 12 of the Universal Declaration of Human Rights[13] provides for rights to privacy. Article 16 of the United Nations Convention on the Rights of Child provides a universal framework on the need to protect the privacy of children. The law should protect them from attacks against their way of life, their good name, their families and their homes[14]. There have been a number of national and international attempt and on-going effort at protecting the online privacy of children. Some of the instruments will be discussed and highlight their key provisions and how it can be improved upon to ensure the required safety. The biggest concern to the protection of children on the continent is the largely lack or inadequate regulations for protection in most countries.
The African Charter on the Rights and Welfare of the Child[15]
The Charter was adopted by the defunct Organisation of African Union (OAU) in 1990 and was entered into force in 1999. The Charter defines universal principle and norms on the status of the African child and rights[16]. Article 32 of the charter establishes the African Committee of Experts on the Rights and Welfare of the Child charged with the responsibility of promoting and protecting the rights enshrined in the Charter. More specifically, the Committee has a duty to “formulate and lay down principles and rules aimed at protecting the rights and welfare of children in Africa.” Since the adoption of the Charter, it has been signed and ratified by 41 African States; signed but not ratified by 9 States; and not yet signed and ratified by 4 States[17].
Article 10 of the Charter provides for the rights to privacy for the African Child. In supporting vein, Article 19, 20 and 27 of the Charter speaks to rights that could have online consequence to the safety of the child. The Article 19 and 20 emphasis the role of guardians and parents in ensuring the protection of the child’s best interest. The question of child’s privacy rights under the Charter came up before a Kenyan Court in the case of Jemimah Wambui Ikere v Standard Group Limited & another [2013] eKLR[18].
African Union Convention on Cyber Security and Personal Data Protection[19]
The Convention was adopted by the African Union in 2014. Only 10 nations have signed the convention since it was adopted. “Currently, only 23 out of 55 African nations have passed or drafted personal privacy laws, and only nine of them have data protection authorities.”[20] The convention seeks to create a continent-wide framework for establishing a credible digital space for electronic transactions, personal data protection and combating cybercrime.
The convention defines a “child” to be a human being below the age of 18. Article 26 of the convention urges member states to adopt a national cybersecurity system. Specifically, Article 26(1) (b) provides that member states must promote security measure by educating children on the risk and safety measures. The convention also urged member states to create criminal offence against child pornography. Though, the convention has wide provision for the protection of privacy, it was not specific to the privacy of children online.
Convention 108 + – Convention for the protection of individuals with regard to the processing of personal data
The modernised convention is one of the most advanced legislation on data protection. The convention is an amendment of the old Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The convention seeks “to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy.” Article 15 of the convention provides that supervisory authorities shall give specific attention “to the data protection rights of children and other vulnerable individuals.”[21]
European Union General Data protection Regulation (EU-GDPR)
The GDPR came into force in May 2018 and replaces the European Directive. Article 8 of the GDPR provides that the processing of data of a “child below the age of 16 years, shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.” The controller must make reasonable effort to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.
Further, Recital 38 of the GDPR provides that the protection of children should apply to their activities as it relates to the use of their personal data for the purposes of marketing or creating a personality or user profiles and the collection of personal data when using services offered directly to a child. However, consent of the holder of parental responsibility could be dispensed with for preventive or counseling services offered directly to a child.[22]
Mauritius Data Protection Act 2017
The country’s Data Protection Act came into force in 2017. The Act was modelled after the GDPR “to strengthen the control and personal autonomy of data subjects over their personal data, thereby contributing to respect for their human rights and fundamental freedoms, in particular their right to privacy.”
The Act has a specific provision for the protection of privacy of children. The Act introduces new safeguards for the processing of personal data of a child. Section 30 of the Act provides that “no person shall process the personal data of a child below the age of 16 years unless consent is given by the child’s parent or guardian.” Further, for children below the age of 16, the “controller shall make every reasonable effort to verify that consent has been given or authorised, taking into account available technology.”[23]
South Africa’s Protection of Personal Information Act (POPI)[24]
The Act was enacted to “promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information.” POPI Act has one of the most extensive provisions on the protection of children. Section 4 (4) and Section 34 of POPI prohibits the processing of the personal information of a child subject to certain derogations. Section 11 (1) (a), 12 (2) (b), 14 (7) of POPI provides that consent of a competent person[25] should be given if processing involves a child. A child’s health data can be processed if “any public or private body managing the care of a child if such processing is necessary for the performance of their lawful duties.[26]”
Section 35 of POPI provides for the derogations from processing of a child’s personal data which include when the processing is done with the consent of the competent person acting for the child, when the information is available publicly with the consent of the competent person, when necessary for the establishment, exercise or defence of a right or obligation in law, when necessary to comply with an obligation under international law, for research and statistical purpose and public interest when safeguards are in place.
Section 35 of POPI created obligations on controllers in dealing with personal data of children. Controllers are expected to give notice when processing the personal data of a child, how such is processed and if there is further processing. Controllers are expected to be transparent with the processing of a child’s data and not engage in “any action that is intended to encourage or persuade a child to disclose more personal information about him or herself than is reasonably necessary given the purpose for which it is intended; and establish and maintain reasonable procedures to protect the integrity and confidentiality of the personal information collected from children.”[27]
Other frameworks include regional instruments like the Southern African Development Community Model Law on Data Protection (2010), Economic Community of West-African States Supplementary Act A/SA.1/01/10 on Personal Data Protection (2010) and East African Community Framework for Cyberlaws (2008). These instruments have provisions on data protection. 11 African countries have a law on cybercrime, criminalising common problem that could affect a child online, like cyberbullying, cyberstalking, identity theft, child pornography.
A case for an African Convention on the Protection Children Online
The Author recommends that the AU out of exigency should enact a convention or a supplementary protocol to the existing convention on cybercrime and data protection to protect the privacy and safety of the African child online. The Author recognises the disparity in existing data protection terrain on the continent. The convention will seek to establish standard and define minimum protection to be afforded to personal information of children. The obligation to ensure safeguard will be placed on member states and organisations collecting personal information of children. The African Convention on Cybercrime and Data Protection and the African Charter on Protection of Human and Peoples Rights and the African Charter on the Rights and Welfare of the Child define a child to be any human below the age of 18. However, the emerging trend is to protect the most vulnerable class. According to the GDPR and COPPA, any organisation collecting the personal information of a child below the age of 13 will need the consent of the parent or guardian.
The convention will seek to protect the privacy and reputation of children on websites, online services and platforms collecting their personal information. The convention upon adoption by member states will be binding on online service providers collecting the personal data of children. The biggest concern is consent management. Service providers will need the consent of the parent or guardian if the data collection affects a child below the established age adopted by respective member states. The convention will provide guidance on the age of consent, the definition and provision of rights, retention period of such data, and the child’s rights of access and obligations of service providers. The convention should provide for transparency and accountability mechanism on the use of personal data. There should be an independent body to administer enforcement and compliance with the provision of the law and address complaint from those seeking redress for infraction.
The Convention will demand more responsibility from service providers collecting personal information of children need to ensure it is secure and not put them at risk and should implement privacy and security by design and default. They will have to do more to create and ensure age-appropriate content by managing content and effectively deal with abuse, misuse and illegal contact with children. Data collection should not be excessive and limited to what is required for the services provided to the child. “Integrating child rights considerations into all appropriate corporate policies and management processes[28]” is vital. Consent management has to be transparent and verifiable. The instrument will pay attention to the peculiarity of children’s need and understanding of privacy, irrespective of the age-grouping[29].
CONCLUSION
“A resilient cyberspace is vital to fulfilling Africa’s potential and meeting society’s rising expectations. This demands pragmatic political action, good cyber governance, an agile regulation system and an effective agenda that treats cyberspace as a common public good.[30]” According to Chandy, “As younger and younger children join the Internet, the need to have a serious discussion about how to keep them safe online and secure their digital footprint becomes increasingly urgent,[31]”
Beyond the legal framework, effort should be directed toward protecting disadvantaged vulnerable African children, who might not understand online risks and likely to suffer harms. There is a need for collective action by the governments, the private sector; children-focused organisations, academia, families and children themselves. There should be other forms of regulation, such as self- and co-regulation, technical tools, awareness and education. The legal framework alone cannot guarantee complete protection for the African child, there is a need for increased digital literacy for both children and their parents or guardians. This will ensure children implement best privacy preferences, understand the implication of oversharing, and have good online behaviour. Parents or guardians can also utilise safety tool on their wards devices. The tool protects children from inappropriate online content, prevent disclosure of personal information and assist parents and guardians manage the time spent on devices.
“For better and for worse, digital technology is an irreversible fact of our lives. How we minimize the risks while maximizing access to the benefits will help shape the lives and futures of a new generation of digital natives.[32]”
[1] Digital In 2018: World’s Internet Users pass the 4 Billion Mark. Retrieved at https://wearesocial.com/us/blog/2018/01/global-digital-report-2018
[2] Bitange Ndemo & Tim Weiss (2017) Making Sense of Africa’s Emerging Digital Transformation and its Many Futures, Africa Journal of Management, 3:3-4, 328-347, DOI: 10.1080/23322373.2017.1400260
[3] Internet Usage Statistics (2018). The Internet Big Picture World Internet Users and 2018 Population Stats. Retrieved at https://www.internetworldstats.com/stats.htm
[4] World Development Report 2016: Digital Dividends. Retrieved at http://www.worldbank.org/en/publication/wdr2016
[5] Global Connectivity Index (2018). Retrieved at https://www.huawei.com/minisite/gci/en/index.html
[6] The State of the World’s Children 2017: Children in a Digital World – UNICEF report. December 2017. Retrieved at https://www.unicef.org/publications/files/SOWC_2017_ENG_WEB.pdf
[7] Digital footprint starts in the womb, Children’s Commissioner warns. retrieved at https://www.telegraph.co.uk/technology/2018/11/08/emb-thurs-children-have-1000-pictures-posted-online-turn-13/
[8] African Digitalization Maturity Report 2017 – Retrieved athttps://www.siemens.co.za/pool/about_us/Digitalization_Maturity_Report_2017.pdf
[9] Children’s Online Privacy and Freedom of Expression – (UNICEF, 2018). Retrieved athttps://www.unicef.org/csr/files/UNICEF_Childrens_Online_Privacy_and_Freedom_of_Expression(1).pdf
[10] Instagram’s “digital kidnappers” are stealing children’s photos and making up new lives
[11] Child Online Privacy Protection Act (COPPA). Retrieved at https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule
[12] Protect children and their digital footprint,’ urges UNICEF on Safer Internet Day (2018) Retrieved at https://news.un.org/en/story/2018/02/1002081
[13] Universal Declaration of Human Rights. Retrieved athttp://www.un.org/en/universal-declaration-human-rights/
[14] United Nations Convention on the Rights of the Child. Retrieved at https://www.unicef.org/rightsite/files/uncrcchilldfriendlylanguage.pdf
[15] The African Charter on the Rights and Welfare of the Child. Available at https://www.unicef.org/esaro/African_Charter_articles_in_full.pdf
[16] African Charter on the Rights and Welfare of the Child. Retreievd at https://en.wikipedia.org/wiki/African_Charter_on_the_Rights_and_Welfare_of_the_Child
[17] Ratification Table: African Charter on the Rights and Welfare of the Child. Available at http://www.achpr.org/instruments/child/ratification/
[18] Jemimah Wambui Ikere v Standard Group Limited & another [2013] eKLR. Retrieved at http://national-cases.acerwc.org/wp-content/uploads/2015/12/Kenya-High_Court_Nairobi-Jemimah_Wambui_Ikere-2013.pdf
[19] African Union Convention on Cyber Security and Personal Data Protection Retrieved athttps://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/African%20Union%20Convention%20on%20CyberSecurity%20%26%20Personal%20Data%20Protection_0.pdf
[20] Abdi Latif Dahir. Africa isn’t ready to protect its citizens personal data even as EU champions digital privacy (2018) Retrieved at https://qz.com/africa/1271756/africa-isnt-ready-to-protect-its-citizens-personal-data-even-as-eu-champions-digital-privacy/
[21] Convention 108 + Convention for the protection of individuals with regard to the processing of personal data(2018) Retrieved at https://rm.coe.int/convention-108-convention-for-the-protection-of-individuals-with-regar/16808b36f1
[22] European Union General data Protection Regulation
[23] Mauritius Data Protection Act. 2017. Retrieved at https://rm.coe.int/dpa-2017-maurice/168077c5b8
[24] South Africa Protection of Personal Information Act – 2013. Retrieved at http://www.justice.gov.za/inforeg/docs/InfoRegSA-POPIA-act2013-004.pdf
[25] A competent person is any adult who is in the position to give consent on behalf of a child. This could be the parent or guardian or anyone exercising such power for the child.
[26] Section 32 (1) (d) of POPI Act
[27] Section 35 of POPI Act
[28] DISCUSSION PAPER SERIES: Children’s Rights and Business in a Digital World: PRIVACY, PROTECTION OF PERSONAL INFORMATION AND REPUTATION RIGHTS . Retrieved athttps://www.unicef.org/csr/files/UNICEF_CRB_Digital_World_Series_PRIVACY.pdf
[29] Privacy, data protection and the evolving capacity of the child: what the evidence tells us Retrieved at http://blogs.lse.ac.uk/mediapolicyproject/2018/11/08/privacy-data-protection-and-the-evolving-capacity-of-the-child-what-the-evidence-tells-us/
[30] Raouf Farrah. Here is what’s holding back Africa’s digital revolution (2018). Retrieved at https://www.weforum.org/agenda/2018/03/here-is-whats-holding-back-africas-digital-revolution/
[31] ‘Protect children and their digital footprint,’ urges UNICEF on Safer Internet Day (2018) Retrieved at https://news.un.org/en/story/2018/02/1002081
[32] THE STATE OF THE WORLD’S CHILDREN 2017: Children in a Digital World. Retrieved at https://www.unicef.org/publications/files/SOWC_2017_ENG_WEB.pdf
N.B: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official position of the African Academic Network on Internet Policy
