This article was originally published on the website of APC member organisation Collaboration on International ICT Policy in East and Southern Africa (CIPESA).
As the world grapples to contain the novel coronavirus disease (Covid-19), the role of information and communications technology (ICT) to enhance disease surveillance, coordinate response mechanisms, and promote public awareness has become more significant. This role of digital technologies is particularly crucial in sub-Saharan Africa where systemic vulnerabilities such as weak health systems and high levels of illiteracy could slow the response to the pandemic.
As of March 25, 2020, the World Health Organization (WHO) reported 2,245 confirmed cases of Covid-19 in 44 countries and 58 deaths in 12 countries in Africa. For a continent of 1.2 billion people across 54 countries, these numbers are still relatively low, but could potentially escalate. The head of the WHO has advised African governments “to prepare for the worst and prepare today.”
In order to stem the spread of the coronavirus, several countries across the world have deployed the use of big data, mobile apps and other digital technologies. Austria, Iran, Israel, Italy, Singapore, South Korea, Taiwan, and the USA, are among the countries using geo-location technology reliant on data from tech platforms and telecom companies in order to contain the spread of the Covid-19.
In Austria, A1 Telekom has provided the government with real-time data on its subscribers to enable disease surveillance, while Deutsche Telekom is providing anonymised subscriber data to the Robert Koch Institute which is coordinating the German national response to Covid-19. Singapore’s contact tracing app is purportedly privacy conserving and data protection sensitive. Given the urgency of the pandemic and the dire social and economic costs, countries such as the USA and Israel are triggering emergency powers to institute state-level surveillance previously reserved for counter-terrorism operations.
China’s approach has seen the country leverage its pervasive and sophisticated digital surveillance infrastructure for disease control. Citizens in provinces such as Hubei – the worst hit by the virus – are required to install mobile apps that track travel and medical history and effect ‘digital quarantines’ to control access to subways, malls, and other public spaces. Drones and robots have also been deployed in the affected areas. In Italy, the second hardest-hit country after China, Vodafone has indicated in a statement that it is “providing Italian officials with anonymised customer data to track and analyse population movements in the hard-hit Lombardy region, where people are in lockdown.”
According to Bloomberg, about a dozen countries are testing a disease surveillance tool developed by Israeli spyware firm NSO Group. The software purportedly collects up to two-weeks of mobile tracking data from an infected person and matches it with geo-location data from mobile operators, which identifies individuals who were in close proximity with the infected person. The NSO Group has over the years been at the centre of spyware schemes in authoritarian and repressive governments in Africa and elsewhere.
The extent to which African countries are conducting technology-based disease surveillance is not fully known. However, according to an unconfirmed report, Kenya is monitoring the mobile phones of individuals who are under self-isolation, to arrest those who violate the restrictions imposed on their movements. Further, the Kenyan government has announced it will launch a contact tracing app for public transport to provide critical contact data that will help trace back the movements of confirmed or suspected cases. In South Africa, telecom companies have agreed to give the government location data to combat Covid-19. In Uganda, where health authorities struggled to locate several individuals who travelled on the same flights as persons who tested positive for the coronavirus, there has been a suggestion to use information from the immigration department and telecom companies to locate those individuals.
While well intentioned, Covid-19 surveillance and data-based tracking interventions have been effected in haste, and with limited precedent and oversight mechanisms.
See: Covid-19 in Africa: A Technology and Digital Rights Response
Indeed, the Covid-19 pandemic has fuelled debate about the ethics and legality of disease surveillance, echoing arguments around the collection and use of refugee data without consent nor agency. Recently, the chair of the European Data Protection Board (EDPB), Andrea Jelinek, stated that data protection rules (such as the General Data Protection Regulation – GDPR) do not hinder measures taken in fighting the pandemic, but added that even in these exceptional times, data controllers must ensure the protection of personal data.
According to Jelinek, the GDPR provides the legal grounds to enable employers and competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject. There are separate rules for processing electronic communication data, such as mobile location data. They require public authorities to first aim for processing of location data in an anonymous way, namely, processing data aggregated in a way that it cannot be reversed to personal data. When this is not possible, states may issue enabling legislation provided this is a necessary, appropriate and proportionate measure within a democratic society.
In a recent statement, renowned freedom of expression defenders similarly expressed support for efforts to confront the pandemic. However, they cautioned that it is crucial that the use of surveillance technology to track the spread of the coronavirus be limited in terms of purpose and time, and that individual rights to privacy, non-discrimination, the protection of journalistic sources, and other freedoms, be rigorously protected. They added that the use of such technology ”abide by the strictest protections and only be available according to domestic law that is consistent with international human rights standards.”
In Africa, there is no GDPR equivalent. However, in 2014 the African Union (AU) adopted the Convention on Cybersecurity and Personal Data Protection which has to-date been signed by only 14 countries and ratified by four countries. Regional blocs have also invested efforts in ensuring that data protection and privacy are prioritised by member states. In 2013, the Southern African Development Community (SADC) adopted a model law on data protection. Also in 2010, the Economic Community of West African States (ECOWAS) adopted the Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS. The East African Community, in 2008, developed a Framework for Cyberlaws.
See: Challenges and Prospects of the General Data Protection Regulation (GDPR) in Africa
Notwithstanding these efforts, many countries on the continent are still grappling with enacting specific legislation to regulate the collection, storage and processing of individuals’ data. At least 28 African countries had enacted a privacy and data protection law by the end of 2019. But even those with the laws have challenges of implementing them.
Which way for data privacy and digital rights?
Undoubtedly, greater availability and processing of data can be instrumental in addressing societal challenges such as the current coronavirus pandemic. However, a study on the use of big data in containing Ebola found plenty of evidence of misuse and abuse of the data and technological tools. It is therefore crucial that a balance is struck between processing data and conducting surveillance for the public good on the one hand, and protecting individuals’ rights on the other. This is essential both in trying times such as these, and in the post-coronavirus era.
Should governments – and relevant actors such as telecom companies – appropriately navigate the balance between disease surveillance and human rights, it will provide valuable learning on good data governance practices – those that help to solve societal problems and inform policy, while at the same time respecting individuals’ digital rights. The reverse could be true too: If governments abuse data and botch up the coronavirus surveillance effort, they will undermine citizens’ trust in data-based initiatives. This would particularly be true in the African countries where digital rights are under threat, data protection is misunderstood and citizens’ appetite for public participation is low.
It is therefore important that African governments commit to transparently deal with the use of technology-enabled disease surveillance, with robust legal safeguards and privacy standards. Accordingly, specific data protection principles must be adhered to. For instance, data should be processed for lawful and specific purposes and there must be strict accountability. Similarly, the justifications of public good should not be misused whatsoever, especially in the post-coronavirus era.
Follow the CIPESA (@cipesaug) hashtag #InternetFreedomAfrica which has a Twitter thread on Covid-19 developments from around the continent.