Case Studies

In order to gain in-depth insights of privacy issues in sub-Saharan Africa, Mauritius, South Africa and Tanzania were purposively selected from the rest of the countries in the sub-region. In this selection, three clusters of countries were made. The criteria used to determine a country’

respective cluster was whether at the time of field research (June-September 2011) such a country had comprehensive data privacy legislation or a Bill on such law or had neither data privacy legislation nor a Bill. However, new enactments after this period but before finalisation of this study have been updated. To further clarify these criteria, countries which at one time adopted Bills on data privacy legislation and later abandoned them were classified in a cluster without data privacy legislation or Bills on such law unless such Bills were later re-introduced.

This is because, first, a withdrawn Bill loses the force of being considered a Bill in the strict sense of the term. Moreover, where a Bill was yet to be introduced to parliament but subsequently

200 Ibid, p. 12.

46

abandoned because of strong criticisms from stakeholders and general public opinion or the abandonment was made by government suo moto, such situation was similarly grouped in a cluster of countries without data privacy legislation or draft Bills. At the same time, countries with Freedom of Information Act (FOIA) were put in the cluster of countries without data privacy legislation or draft Bills. This is because, although most invariably FOIA contains special provisions regulating personal data, it falls short of data protection principles.²⁰¹ Moreover, data protection principles in FOIA have limited application. First, they apply only the moment a request for access of information is initiated; second, in most cases the legislation is only binding on the public sector. There are exceptions with regard to the second limitation. The direct case at point is South African Promotion of Access to Information Act (PAIA).²⁰² This Act applies to (a) a record of a public body; and (b) a record of a private body, regardless of when the record came into existence.^{203 204} It is argued that PAIA is an unusual character of FOIA across the world whose normal application is limited to the public sector.²⁰⁵ It is worth noting that the emerging freedom of information law in Africa is influenced by PAIA by extending its scope to private sector.²⁰⁶ However, notwithstanding the broader scope of PAIA in bringing the private

201 See for example, ‘Data Protection and Freedom of Information in the Public Sector’, Notice No. 23 of 31 December, 2006 prepared jointly by the Irish FOI Central Policy Unit of the Department of Finance in consultation with the Office of the Data Protection Commissioner and the Office of Information Commission, issued by the Irish Office of Information Commission, http://foi.gov.ie/Data-Protection-and-Freedom-of-Information-in-the-Public-Sector, last visited 1/10/2011. This Notice attempts to interpret S. 1(5) of the Irish Data Protection Act, 1988 and S.7 (7) of the Freedom of Information Act, 1997 with regard to an individual’s right of access to information held by the public sector; see also generally Turle, M., ‘Freedom of Information and Data Protection-A Conflict or Reconciliation’, Computer Law and Security Report, 2007, Vol. 23, pp.514-522; see also, UK House of Commons, ‘The Freedom of Information Bill: Data Protection Issues, Bill 5 of 1999-2000’, Research Paper 99/99 of 3 December 1999, pp.11-16, http://www.parliament.uk/documents/commons/lib/research/rp99/rp99-099.pdf, last visited 1/10/2011; Banisar, D., ‘The Right to Information and Privacy: Balancing Rights and Managing Conflicts’, Working Paper, The International Bank of Reconstruction and Development/The World Bank, 2011. In the context of the South African legislation on freedom of information in relation to data protection, see, Currie, I and Klaaren, J., Commentary on the Promotion of Access to Information Act, Siber Ink, South Africa, 2002, p.18, para, 2.5; Roos, A., ‘Data Protection’ in Dana, M., et al, Information and Communications Technology Law, LexisNexis, Durban, 2008,pp.313-397, at p.360.

202 Act No. 2 of 2000.

203 Ibid, S. 3(a) & (b).

204 Presently only seven countries in Africa have implemented Freedom of Information Act. Included in this list are South Africa(2000), Zimbabwe(2002), Angola(2002), Uganda(2005), Ethiopia(2008), Liberia(2010), and Nigeria(2011). Counties with pending Bills on FOIA include Mozambique, Kenya, Ghana, Rwanda, Malawi, Botswana, Madagascar and Sudan. Zambia had at one time introduced the Bill on FOIA in parliament but withdrew it in 2002. Tanzania had taken sometime to discuss the Bill among stakeholders but the same is yet to be introduced in parliament.

205 See, EPIC and Privacy International, Privacy and Human Rights(2005), p.632 cited in Roos, A., ‘Data Protection’

in Dana, M., et al, Information and Communications Technology Law, LexisNexis, Durban, 2008, pp.358-359.

206 See for example, the Liberian Freedom of Information Act, 2010, SS. 1.4(a) & (d) which extends its application to both the public and private sector. However in slight contrast with PAIA which applies to the private sector generally, the Liberian law applies to the private sector with some limitations: where private entities receive public resources and benefits, engage in public functions, and or provide public services, particularly in respect of information relating to the public resources, benefits, functions or services. S. 2 of the Mozambican Access to Official Sources of Information Bill 2005 extends the scope of application of such proposed law to the private sector whenever private entities hold informative material of public interest; see also, S.25 (2) of the Kenyan

47

sector under its ambit, which in absolute terms makes it at equal level with most data protection legislation, the scope of the principles in PAIA are restrictive.²⁰⁷ Zimbabwe is among the earliest African states to enact FOIA. In contrast to PAIA, the Zimbabwean Access to Information and Protection of Privacy Act (AIPPA)²⁰⁸regulates only the public sector.

From the above backdrop, cluster one comprises countries with comprehensive data privacy legislation: Cape Verde, Seychelles, Burkina Faso, Mauritius, Tunisia, Senegal, Morocco, Benin, Angola, and Gabon. Ghana was not included in the list simply because at the time of field research she had no comprehensive data privacy legislation. She only adopted the Act after the field research. It is imperative to note that Tunisia and Morocco belong to the North African sub-region while the rest in this cluster belong to sub-Saharan Africa. Cluster two comprises countries with Bills or drafts on data privacy protection. In this cluster there is Ghana (which has passed its Bill into Act in February 2012), Ivory Coast (Cote d’Ivoire), Kenya, Madagascar, Mali, Niger, Nigeria and South Africa. Cluster three comprises countries with neither data privacy legislation nor Bills. These include Botswana, Burundi, Cameroon, Central African Republic, Chad, Comoros, Congo (Brazzaville),Congo DRC (Zaire), Djibouti, Equatorial Guinea, Eritrea, Ethiopia, Gambia, Guinea, Guinea- Bissau, Lesotho, Liberia, Malawi, Mauritania, Mozambique, Namibia, Reunion, Rwanda, Sao Tome and Principe, Somalia, South Sudan, Sudan, Swaziland, Tanzania, Togo, Uganda, Zambia, and Zimbabwe. It is important to note that in 2005/2006 Tanzania prepared a draft on freedom of information with a chapter on data protection. This draft was later abandoned from circulation and discussion before it was introduced to the parliament. Ghana presents a similar case to Tanzania. On 29 November 2010 the Ghanaian government introduced the Data Protection Bill to the parliament. However this Bill was subsequently withdrawn in July 2011. It was re-introduced to the parliament in October 2011.

On 10 February 2012 it was passed into law.

To narrow down these clusters, Mauritius was selected from cluster one; South Africa from cluster two and Tanzania from cluster three. As pointed out, these country cases were purposively selected.

A number of considerations were taken into account for these selections. To start with, the choice of Mauritius from cluster one was informed by the fact that the country’s data protection law and practices are more transparent and accessible. Nearly all the information about Mauritian

Freedom of Information Bill, 2007 which subjects the private sector holding or controlling information that is necessary for the enforcement or protection of any right to the application of the proposed law.

207 Roos, p. 360, note 201, supra.

208 Chapter 10:27 of the Laws of Zimbabwe came into operation on 15^th March, 2002 through G.N No.116 of 2002.

48

Data Protection Act 2004 and its enforcement is available at the Data Protection Office’s website.²⁰⁹ In contrast, the accessibility of similar information in the rest of the countries in cluster one is hardly lacking. For example, the only useful and accessible information to the researcher from Cape Verde was the data privacy legislation²¹⁰ and a more recently published article on the Cape Verdean data privacy system.²¹¹ As to the rest of the countries, the primary information available and accessible to the researcher in Seychelles, Burkina Faso, Senegal, Benin, Angola and Gabon was only the data protection legislation in the respective countries.²¹²²¹³ The accessibility to such information was also hampered by language constraints notably French for Burkina Faso, Senegal, Benin and Gabon and Portuguese for Cape Verde and Angola.²¹⁴ This is with the exception of Seychelles which is an English speaking country. Since the researcher is conversant in English language, Mauritius whose one of the official language is English provided a more convenient research environment. Also, compared to the rest of countries in the cluster, Mauritius has relatively sufficient level of data protection practices. For example, although Cape Verde appears as the leading African country to enact data privacy legislation, it has not yet established the data protection authority.²¹⁵ Seychelles’ Data Protect Act status was contradictory.

For instance, the Seychelles Legal Information Institute (SEYLII), whose mission is to provide online free public access to legal information from Seychelles, placed on its website only the

209See, Data Protection Act 2004 for Mauritius via http://www.gov.mu/portal/sites/ncbnew/files/DPA.pdf last visited 11/10/2011.

210 Lei nº 133/V/2001, de 22 de Janeiro Regime Jurídico Geral de Protecção de Dados Pessoais a Pessoas Singulares 2001[Law No. 133/V/2001, of 22 January 2001 on protection of personal data of individuals], http://portoncv.gov.cv/dhub/porton.por_global.open_file?p_doc_id=407, last visited 29/10/2011.

211 Traca and Embry, note 38, supra. This article, written in English language, provides a broader overview of the entire Cape Verdean legal system of data privacy protection.

212 Seychelles, Data Protection Act No.9 of 2003, http://dev.seylii.org/sc/legislation/act/2003/9 last visited 11/10/2011; Burkina Faso, Loi n° 010-2004/AN Portant Protection des Données à Caractère Personnel 2004 [Act 10-2004/AN on Protection of Personal Data], www.cil.bf/legislations/loi_cil_burkina_faso.pdf

last visited 29/10/2011; Senegal, Loi n° 2008-12 sur la Protection des Données à Caractère Personnel 2008 [Law No. 2008-12 on the Protection of Personal Data],

http://right2info.org/resources/publications/loi_sur_les_donnees_a_caractere_personnel.pdf

last visited 29/10/2011; Benin, Loi n° 2009-09 du Mai 2009 Portant Protection des Données à Caractère Personnel 2009[Law No. 2009-09 on the Protection of Personal Data in the Republic of Benin],

http://ddata.over-blog.com/1/35/48/78/Benin-2/Loi-2009-protection-donnees-a-caractere-personnel.pdf

last visited 29/10/2011; Angola, Lei nº 22/11 Da Protecçao de Dados Pessoais 2011 [Law 22/11 on Personal Data Protection]. Recently Traca and Embry, note 38, supra, have published an article in English about Angolan data protection legislation; Gabon, Loi n°001/2011 Relative à la Protection des Données à Caractère Personnel 2011[Act No. 001/2011 on the Protection of Personal Data].

213 This was also the case with respect to availability and accessibility of information from Tunisia and Morocco. The former’s data privacy legislation is (Tunisia) Loi n° 2004-63 Portant sur la Protection des Données à Caractère Personnel 2004 [Organic Act n°2004-63 on Protection of Personal Data], http://www.inpdp.nat.tn/version-anglaise/texte.html while the latter’s similar piece of legislation is (Morocco) Loi n° 09-08 Relative à la Protection des Personnes Physiques à l'égard du Traitement des Données à Caractère Personnel 2009[Law No. 09-08 on the protection of individuals with regard to processing of personal data].

214 Note also that the language barrier was considered in excluding Tunisia and Morocco and North Africa generally whose languages are both French and Arab.

215 Traca and Embry, p.249, note 38, supra.

49

name of the Data Protection Act with a ‘Not in Force’ status.²¹⁶ In contrast the editorial notice on SEYLII’s website under which the Data Protection Act was listed reads, ‘Seychelles Acts in Force as at 20 June, 2011’.²¹⁷ However against it there was an NIF defined as Not in Force. The researcher proceeded to the field research with this status in mind. However after the field research was over, he requested SEYLII to be supplied with an electronic document of the Act, by using the ‘contact us’ function on the website. The link to the Act was promptly supplied on 3 October 2011.²¹⁸ This was exactly the date when the Act was uploaded on the website under

‘recent posts’²¹⁹ with an ‘in force yes’ status.^{220 221} To ascertain the date when the Act came into force, the researcher sent a follow up email to SEYLII which was never replied. As it can be noted from this account, at the time of the field research, it was clear to the researcher that Seychelles’ Data Protection Act was inoperational. The data protection authorities in Burkina Faso, Senegal and Benin were recently established hence the law was insufficiently put into practice as compared to Mauritius.²²² As for Angola and Gabon, the data protection authorities are yet to be established.²²³ As pointed out, Ghana was not at all considered bedacsue she had no data protection legislation at the time of field research. There were also considerations of local research contacts established prior to the commencement of the field research. The contacts for Mauritius were obtained easily from the Data Protection Office’s website. It is interesting to note that request to undertake field research in Mauritius made to the Mauritian Data Protection

216 SEYLII, http://dev.seylii.org/sc/table/legislation/seychelles-acts-force-20-june-2011 last visited 11/10/2011.

217 Ibid.

218Email communication from Thelma Casquette sent via [email protected] to [email protected] providing the link to the requested information to http://www.seylii.org/sc/legislation/act/2003/9.

219 See the link to the updates at SEYLII, http://dev.seylii.org/sc/legislation/act/2003/9 last visited 11/10/2011.

220 It is noteworthy that on 11/10/2011 when the researcher last visited the SEYLII’s website the post relating to the Data Protection Act 2003 was only seven (7) days and twenty one hours old; see http://dev.seylii.org/tracker.

221 It is important to bear in mind that under the ‘Terms of Use’ on its website, SEYLII brings to the general public a disclaimer notice on the inaccuracy, incomprehensiveness or lack of up-to-date information on the Acts posted.

The researcher paid attention to this disclaimer in following up the status of data privacy legislation in Seychelles.

222 For example, for Burkina Faso la Commission de l'informatique et des libertés (CIL) was established on 18 May 2007 vide Décret n° 2007-283/PRES/PM/MPDH du 18 mai 2007 portant organisation et fonctionnement de la Commission de l'informatique et des libertés [Decree No. 2007-283/PRES/PM/MPDH of May 18, 2007 on the organization and functioning of the Commission on Informatics and Liberties] http://www.cil.bf/, see also, http://www.cai.gouv.qc.ca/CCPDF/doc/bf.pdf last visited 29/10/2011. It must be pointed out that although the Office of Mauritian Data Protection Commission was proclaimed on 27/12/2004, the first Commissioner, was appointed on 10/10/2008, see http://www.gov.mu/portal/goc/mcsa/files/president.pdf last visited 29/10/2011;

for Senegal, the Data Protection Commission was established on 29/06/2011 vide Decree No. 2011-0929 appointing the members of the Commission for the protection of personal data i.e Décret n° 2011-0929 du 29 juin 2011 portant nomination des membres de la Commission de protection des données à caractère personnel, http://www.demarches.gouv.sn/textes/decret_creation_cdp-2.pdf last visited 29/10/2011; surprisingly the date for establishment of the Senegalese Data Protection Commission is erroneously referred to as 20/04/2009 by Association Francophone Des Autorités De Protection Des Donnees Personnelles. This is the association for data protection authorities in Francophone, suggesting that it would be more informed on this development within its members, see, democratie.francophonie.org/IMG/pdf/Telechargez_ce_document-4.pdf last visited 29/10/2011;

for Benin the Office of Data Protection Commission was established on 11 March 2010 see http://www.journal-adjinakou-benin.info/?id=4&cat=6&id2=1475&jour=12&mois=3&an=2010 last visited 30/10/2011.

223 Note that the Angolan Data Protection Law 22/11 was enacted when the researcher was in the field research, i.e.

17/06/2011. Thus in any case it would have been less fruitful to choose Angola as a case study under cluster one.

50

Commissioner (Mrs. Drudeisha Madhub) on 26 January 2011 was responded positively and quickly on the same day. Moreover in contrast to the rest of countries in cluster one, Mauritius has gone far to formally seek EU’s ‘adequacy’ accreditation. Although other countries have applied for the EU ‘adequacy’ rating or about to do so in future, Mauritius is far in the accreditation process. These considerations made Mauritius to be selected a case country study from cluster one.

South Africa was selected from cluster two. Closely to Mauritius, the South African legislative process of the Protection of Personal Information Bill (B9-2009) which is still pending is open.

All preparatory works for this Bill are accessible online from the South African Law Reform Commission’s website (//www.justice.gov.za/salrc/). This made the researcher able to track the legislative process of the South African data privacy Bill since 2006, long before the formal commencement of this study. There was also a consideration of established local research contacts, in this case Professor Iain Currie and Professor Anneliese Roos, since 2006 and 2008 respectively. As we shall see, these were instrumental during field research in South Africa.

Moreover, South Africa is a multi-cultural society. It was considered that this peculiar feature of South Africa should be studied to discover how such multi-culturalism operated in favour or against the adoption and operation of a data privacy law. Connected to this but in contrast to the other countries in cluster two, the legislative process of a data privacy law in South Africa has taken more than a decade with serious discussions and considerations. This legislative process needed to be examined in order to understand competing interests in the process. It is important to underline that in the event the South African Protection of Personal Information Bill (B9-2009) is passed into law before the finalisation of this study, the analyses for this country case will be principally limited up to the stage such Bill is passed into law but before it is put into operation.

There are two important reasons for this delimitation: first, the issues that this thesis investigates will largely remain unaffected by voting such Bill into law, second, it will require sometime before the actual operation and practice of the law can be studied.

Tanzania was selected from cluster three. Three main considerations were taken into account for its inclusion as one of the country cases. First, it is imperative to note that Tanzania is one of the sub-Sahara African countries that practiced Ujamaa for a long time. Since Ujamaa is an ideology that is indispensable for collectivism it was considered that its development and likely impact on privacy issues be closely investigated. Second, considered for selection of Tanzania was the fact that the researcher had already undertaken two studies that culminated to the publication of two

51

journal articles: one relating to employees’ healthy privacy²²⁴ and the other privacy of individuals

journal articles: one relating to employees’ healthy privacy²²⁴ and the other privacy of individuals