ID4Africa will launch the Round Table of African Data Protection Authorities (RADPA) as a side meeting at the movement’s annual conference in Johannesburg, South Africa, on June 18, 2019.
The meeting will be the first major meeting of data protection authorities (DPAs) from across the Africa, ID4Africa Executive Director Joseph Atick revealed to Biometric Update. Africa Digital Rights Hub Founder and Executive Director Teki Akuetteh Falconer, who is the former Executive Director of Ghana’s Data Protection Commission, will chair the event. World Privacy Forum Founder and Executive Director Pam Dixon will serve as rapporteur for the meeting. The awareness, capacity, and enforcement of data protection systems will be discussed, along with the role of large multinational corporations, limitations on national security and law enforcement uses, legitimate processing and consent.
DPAs and representatives from directly related government agencies will make up the round-table, and will be joined by a limited number of invited stakeholders from international and not-for-profit agencies.
“Our objective is essentially to allow the authorities to network and coordinate their positions on this important matter, and then also at least understand the concerns and the priorities of the regulators with these digital systems,” Akuetteh told Biometric Update.
RADPA is intended to foster the dialogue needed to encourage effective data privacy protections in individual countries, as well as a harmonized approach that enables interoperability and safe cross-border data use.
“Any work that ends up getting done in privacy is dialogue based and consensus based,” Dixon said in an interview. “At the end of the day you can have all of the laws you want but it’s going to be governance and practice and best practices, and that’s the on-the-ground dialogue that this needs to foster.”
Once the DPAs deem it appropriate, they can engage with identity authorities, to coordinate on the appropriate protection and use of identity data such as biometric templates.
“There is no dialogue going on between them,” Atick says. “They don’t understand each other because both the ID systems and the data protection regulations and enforcement are new, and they haven’t had a chance to enable the dialogue. They have not even coordinated among themselves when it comes to identity data. The data protection authorities are now becoming aware that identity systems are by their nature data-intensive. And it’s not just any kind of data, it’s personally identifiable information.”
Côte d’Ivoire’s Telecommunications and ICT Regulatory Authority (ARTCI) is the one DPA which has been involved with ID4Africa for several years under, the direction of leaders like its current Director of Legal Affairs Leontine Gbato.
Getting to the point where African DPAs are generally able to engage with the ID community will require an exchange of information between DPAs. To that end, the laws and systems they have in place, their challenges and priorities will be discussed in the meeting. Laws on the books may also not reflect real practices.
“One of the key purposes and roles of RADPA is to say: ‘Here is the framework you are using. How is that working out?’” Dixon says.
There are several regional frameworks in place, in addition to laws at the national level. Even frameworks that have been accepted at one level may not be fully in force, Akuetteh notes.
“If you look at the ECOWAS act, which was passed as far back as 2010, as of now very few countries have implemented it,” she points out.
The agenda for the meeting will consist of information sharing, followed by a determination of the group’s priorities, in the hopes of creating a practical blueprint for its next steps.
Ultimately, a range of questions need to be addressed, including: What is PII? When does biometric data become PII? And who owns the data? Atick says that it would not have been possible to begin the dialogue RADPA is supposed to foster when ID4Africa first met in Dar Es Salaam, Tanzania, in 2015. As standards of living rise, digital technology proliferates more widely, and the data protection ecosystem matures, however, the time has come. The legal roll-back of parts of India’s Aadhaar system has also provided a wake-up call for many stakeholders internationally.
Despite the advances in data protection legislation and institution building, there is much work to be done to support African development objectives.
“We are not as a continent taking into consideration best practices to ensure that we are building these robust that also ensure adequate protection of the individual’s data,” according to Akuetteh’s assessment. “In a number of countries there have been issues around integrity, there has been fear that the data would be used for surveillance, and as a community, digital identity is very critical for Africa’s future. Especially when we are looking at an African free trade area, or we’re looking at expanding beyond our countries and working within each other’s countries.”
If the meeting is successful, it will be repeated regularly, and RADPA will have to largely forge its own path as the Africa pioneers its data protection ecosystem. Atick has seen evidence of strong demand, but calls the meeting a “trial balloon.”
“From the level of enthusiastic responses we’ve gotten, I can tell you my expectations are that this will be very successful, but it will all depend what value they attribute to it,” he says.
In the meantime, any company collecting, storing, or processing sensitive data in Africa should be aware that the legal landscape is changing.
“Any company that’s going to do business in any country needs to do a privacy impact assessment, and look at all of the things that could potentially go wrong, and identify the structural and legal potential risks in that country,” Dixon urges.
There is also an opportunity for industry to play a constructive role in the changes.
“One of the things that I have also seen when I worked as a regulator is there’s sometimes not enough interaction between industry and the regulators,” Akuetteh says.
Dixon will participate in an ID4Africa session the day following the RADPA meeting, and Akuetteh will join a panel on appropriate uses of identity data on day three. Biometric Update will cover ID4Africa June 18-20 as the event’s official journalist.