Happy Data Privacy Day!
On this day in 1981, the Council of Europe (‘the council’), through its treaty office, opened for signature the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. This instrument seeks to protect people against abuses from the collection and processing of data and its movement across international boundaries. The binding law prohibits the processing of “sensitive” data on a person’s race, politics, health, religion, sexual life, criminal record, etc. outside a defined legal framework.
On 26 April 2006, more than a decade later, the Committee of Ministers of the council launched a Data Protection Day to be celebrated on January 28th each year. A few months later, in 2007, the council declared that January 28th would be the European Data Protection Day.
In 2009, the United States of America passed a House Resolution (HR 31) overwhelmingly declaring January 28 the National Data Privacy Day. Two days later, the Senate followed suit.
Today is Data Privacy Day, a day dedicated to educating the citizens of the world and giving them a chance to understand what personal data is collected about them and processed, and what rights they should have in relation to data management activities.
Definition of Data Privacy
In data governance, clear and unambiguous definitions of important concepts are essential. Privacy, according to the Merriam-Webster dictionary, is the quality or state of being apart from company or observation. It is one’s freedom from unauthorized intrusion: the state of being left alone and able to keep certain personal matters to oneself. By extension, data privacy refers to the state of one’s personal data being kept to oneself and apart from unauthorized use by others.
Data privacy, or information privacy, has become a critical issue due to rapid changes in data and related technologies. The protection of confidential data has always been important to people. They put locks on filing cabinets and rent safety deposit boxes at their banks to protect their information. Data breaches, digital transformation projects, and emerging technologies, or simply put, the fourth industrial revolution, have prompted discussions and actions around the protection of private information.
In the last decade, we have seen the prevalence of multiple data breaches with personal information compromised. David Ellis, Vice President of Forensic Investigations at SecurityMetrics, wrote in a blog post in 2018 that:
“the average organization was vulnerable for 275 days” and “50% of organizations were breached through remote execution or injection” (Statistics on Data Breaches).
Another startling statistic from the Verizon Data Breach Investigation report shows that:
53 thousand security incidents were reported in 2018, and 2,226 data breaches at 67 organizations impacting 65 countries that same year.
We have also seen privacy laws enacted with the sole purpose of protecting the consumer. Let’s look at a couple:
- General Data Protection Regulation (GDPR)
This is a regulation enacted by the European Union on data protection. The goal is to empower individuals to take control of their personal data through a unified regulatory environment for local and international businesses. The law provides for monitoring of businesses that process data of individuals who reside in the European Economic Area (EEA). The data authorities of these businesses must put in place processes and procedures to protect personal information.
Adopted in 2016 and enforceable in 2018, GDPR has become a model for many other national laws on data privacy outside of the EU including California.
- California Consumer Protection Act (CCPA)
This law was passed by the California State Legislature and signed into law on June 28, 2018. The goal is to provide residents of California with the right to: know the personal data being collected about them; know whether it is sold or disclosed and to whom; access their personal data; stop the sale and disclosure of their personal data; delete personal data collected by businesses (for the most part); and not be discriminated against for exercising their rights.
For now, this law is only applicable to businesses with gross revenues greater than 25 million; those that sell the personal data of more than 50,000 households; or those that earn more than half of their annual revenue from selling personal information.
Data Privacy in Africa
In Africa, countries that have stringent data privacy laws in place include Angola, Benin, Burkina Faso, Cape Verde, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Mali, Mauritius, Morocco, Senegal, Seychelles, South Africa, Tunisia, and Western Sahara.
- Protection of Personal Information Act (POPIA)
In South Africa, the POPI Act was enacted to promote the protection of personal information processed by public and private bodies. It lays emphasis on safeguarding personal information, balancing the right to privacy against other rights, access to information, and protection of information across borders. Like the GDPR and CCPA mentioned above, this law calls for the establishment of conditions that will be harmonized with international standards, a dedicated organization to implement processes to safeguard information, and the establishment of an information regulator to enforce the rights.
Why Africa?
Our focus has turned to Africa because businesses are expanding at an unprecedented pace due to a plethora of investment opportunities on the continent. The increase in commerce is heavily dependent on the flow of personal data, which has the potential to either promote or hinder international trade. In such a rapidly evolving business environment, a comprehensive data privacy regulatory framework is of utmost importance.
As of this moment, 25 countries out of a total of 55 have passed data privacy laws, the latest countries being Uganda, Nigeria, Kenya, and Egypt. Other countries have introduced data privacy bills that are under discussion or on the legislative agenda.
However, there is no unified approach to personal data protection across the African continent, with some countries having no legislation or constitutional protection.
Need for a harmonized legal framework in Africa
Harmonizing the data protection statutory and regulatory framework in Africa is critical to its digital transformation and all efforts to promote digital economies. Privacy and data protection must continue to be topics of discussion in Africa. We expect another wave of legislation to go into effect within the next two years. Legal, technology and data professionals within and outside the continent must be engaged.
Africa has great potential to profit from digital transformation that could provide the much-needed jobs and improve access to quality services, including finance, healthcare, education, and agriculture.
In order to tap the continent’s full potential, African governments and civil society must stay in sync with international legal frameworks, for example by enacting effective data privacy laws. Not only should the laws be enacted, but data management methodologies, approaches, and experts must be leveraged for sustainable outcomes. One important prerequisite to an effective implementation of a data privacy law is the effective implementation of a Data Governance Framework. Our next article will delve into how Data Governance can be used as an enabler of a successful Data Privacy effort and will summarize a few more privacy laws that have been enacted.
I hope you learned something new about Data Privacy today!
Happy Data Privacy Day!
Note: These are my personal views and observations out of keen interest in the maturity of data management in Africa, and not those of any organization.
Director, Data Governance & Privacy
4 years ago: I certainly did learn something from your well put together article. This highlights in general the direction we are taking in Africa to safeguard a valuable asset, data. While legislation is a step in the right direction, it would be interesting to see what steps are taken to enforce the legislation. This is where we need boots on the ground to ensure legislation is taken seriously and not just put in place to say we also did something. Thanks for the article, it was well put together.
Business Intelligence | Data Analytics | Health Informatics | Project Management | Business Process Analysis | AML Compliance |
4 years ago: Well written. I thoroughly enjoy the relevance of this writeup to Africa's current data privacy related issues. I'm eager to learn more about data governance and look forward to your next article. Well done Tafor.