African Countries propose stringent rules governing ecommerce and data Dennis Mbuvi
The African Union is working on a draft policy to guide electronic commerce (e-Commerce)and data privacy rules. The draft is up for debating and perusal by member states.
Dubbed the “Draft African Union Convention on The Confidence and Security in Cyberspace”, the policy, if implemented as is, will have far reaching implications on a huge portion of the Internet including social media and other productivity applications. The policy may also impact on the growing developer community in countries like Kenya as its content massively affects the functioning and hosting of applications.
The draft defines e-commerce as the “provision of goods and services over the internet”. It also goes ahead to state that “African States are in dire need of innovative criminal policy strategies that embody states, societal and technical responses to create a credible legal climate for cyber security. “
Of huge implication is the disallowing of concealed identity in sending of messages which may raise a storm on use of nicknames, pen names and anonymous blogging, especially when exposing sensitive matters.
Other contentious issues will be a provision stating that only approved e-commerce payments may be used in a country, which leads to questions on the validity of popular platforms like PayPal and whether such will need to apply for approval in each of the African states.
Also limited is the data storage period with limits varying according to objective of the data collector.
The draft also states that processing of personal data shall be deemed to be legitimate where the person concerned has given his/her consent, but goes ahead to give exceptions to legitimacy such as when missions are of public interest.
Gambling, even in the form of legally authorized betting and lotteries, legal representation and assistance activities are banned as part of e-commerce. Also prohibited is spamming in any form.
The guidelines also state that adverts should be clearly identified and identify the advertiser.
Data pertaining to an individual’s religious affiliation, philosophical, political and labour union opinions and activities, as well as to sex life or race, health, social measures, legal proceedings and penal or administrative sanctions is regarded as secret and tightly controlled in the act. The draft act prohibits collection of the above data other than for select purposes.
Another clause separate from the above states, “Members of the African Union States shall undertake necessary measures to prevent any data gathering and processing based on racial, ethnic and regional considerations, parentage relationship, political views, religious or philosophical persuasion, trade union membership, sex life and genetic information or, more generally, data on the state health of the person concerned, is prohibited in the African Union.”
Personal data processing is also said to be subject to a declaration before an authority in each country.
There is however reprieve in a clause that states that common categories of data processing may be governed by standards, rather than those affected having to apply for approval. “With regard to the most common categories of personal data processing which are not likely to constitute a breach of private life or individual freedoms, the protection authority may establish and publish standards with a view to simplifying or introducing exemptions from the declaration obligation, “ it states.
A number of data processing procedures will however need permission from state bodies tasked with data protection. These include processing of personal data involving information on offenses, convictions or security measures; data processing involving national identity number or any other identification of similar nature; processing of personal data involving physiometric information; and processing of personal data of public interest, especially for historical, statistical or scientific purposes.
Of great note is the requirement of permission for data processing involving national identity numbers and that involving psychometric information. This may impact fitness products such as the Nike Fuel-band, Jawbone and smartphone fitness apps.
The draft notes that authorisation of requests by countries will be done within a set timeframe, which may or may not be extended, based on the nature of the request.
While data protection agencies are given high autonomy and independence, to many, this will seem surreal and over ambitious, especially given that the same will be appointed by the state.
Also contentious is the clause “The national protection authority shall ensure that ICTs do not constitute a threat to public freedoms and private life of citizens.” "Threats to public freedoms and private life" has often had a wide interpretation in a number of African states and has been deployed in cracking down of political dissidents.
The protection authority will also be expected to handle complaints regarding to the contents of the draft and also to inform judicial authorities of offences related to the draft policies.
Countries are expected to establish mechanisms for cooperation with the personal data protection authorities of other countries;
The draft also offers some reprieve for journalists and researchers. "Personal data processing for journalistic purposes or for the purpose of research or artistic or literary expression shall be admissible where the processing is meant exclusively for literary and artistic expression or for professional exercise of journalistic or research activity, in accordance with the code of conduct of these professions."
There is also a clause limiting transfer of data to countries that “do not offer sufficient level of data protection”. The clause states: A data processing official shall not transfer personal data to a non-Member State of the African Union unless such a State offers sufficient level of protection of the private life, freedoms and fundamental rights of persons whose data are being or are likely to be processed.
The proposal requires those whose data is being collected from to be informed of the duration of conservation of the data and possibility of transfer of the data to third countries. Apps hosted abroad will therefore need to inform their users of this.
Each Member State of the African Union is also required to take necessary legislative or regulatory measures to set up as a penal offence for fraudulent collection of data, neglect of laws when collecting data
Countries may choose to pull out of the agreement once implemented. Any State Party may denounce this convention by written notification addressed to the Chairperson of the Commission.
The many clauses in the proposal do offer a lot of control and restriction in the way developers will be implementing apps, many which touch on electronic commerce and personal data collection and processing. With such apps developed by small teams of developers, they may find themselves often on the wrong side of the law.
Additionally, Internet sites and content developed outside Africa, including popular social media sites, may choose to not offer their solutions in Africa as it may not make economic sense to comply with the stringent requirements here in a region that barely contributes to their revenue.