MY COMMENT ON THE DEFINITION SECTION OF THE DRAFT LAW ON DATA PROTECTION IN CAMEROON

As I predicted in my interview with APLA (read my interview here?https://lnkd.in/g5H5fKRp )and it has come to pass, a draft bill has been published and on the 30th of May 2023, the Coordinator of the Project to Accelerate Digital Transformation in Cameroon (PATNUC) launched a public call for public consultation on the revision of the draft law.

So early this week I was able to find time to go through the bill and although I am still at the definition section, I wanted to give my opinion before continuing my reading ( my oversabi too much ), nevertheless I won't continue without complimenting the drafters for a job well done, I was quite impressed but as a member of the public, a lawyer and a data protection practitioner I would like to make a few comments.

The UNDP advised and I agree with them that defining key terms and concepts (e.g. personal data or data controller) reduces ambiguity in the interpretation of any data protection framework and also helps to define the scope of a framework. The Key terms to be defined in any data protection law are;

?Personal Data????????????????????????????????????????????????????????????????????????????????????

Anonymized data

Pseudonymized data

Special categories of data(sensitive data)

Data subjects

Data controllers

Data processor

Processing

?

Personal data: A broad definition of personal data in any legislation ensures that the definition is comprehensive, allowing courts and regulators to protect individuals in the face of changing and ever-evolving technologies. Let's take a look at the GDPR definition of personal data.

The GDPR defines personal data as "any information relating to an identified or identifiable natural person. An identified person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This definition is quite recommendable.

There are other categories of data that weren't defined in the bill that I think the drafters should consider including in the definition section. The new categories of data are anonymised and pseudonymised data.

What is anonymised and pseudonymised data?

Anonymised data is any information that cannot be related to an identified or identifiable natural person.

Pseudonymise data, on the other hand, are personal data processed in such a way that the personal data can no longer be related to a specific data subject without the use of additional information and is subject to technical or organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Another key term in a data protection law is the term controller, the draft law defines a controller ''as the natural or legal person to whom the personal data is disclosed'', this definition in my opinion limits controllers to natural and legal persons only, my question then is, will public authorities not be liable or responsible for data breaches?

The GDPR defines Controller as the natural or legal person ,public authority ,agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data where the purpose or means of such processing are determined by union or data member state law...

The data protection bill should therefore not be an ambitious law with costly penalties that targets only a few, but should aim to protect the data and privacy of every Cameroonian citizen.

Who hasn't eaten Accra banana or beignets wrapped in a confidential document and wondered how it got there, or had to shout out his/her sensitive information in a queue at a public/private hospital during data collection?

Data Protection is thereby a fundamental human right, the foundation of data protection is in human rights laws as clearly stated in Article 12 of the Universal Declaration of Human Rights. Also,Article 8 of the European Convention on Human Rights provides for the right to privacy.

Looking at the nomenclature side of this section, the French word used to define controller is Destinateur, which when translated into English gives Recipient which is not the international or standard word used in most Data Protection Laws.I suggest that the word should be changed to 'Controlleur' which when translated will mean Controller.

I have raised the most pressing points in the definition section and as I continue my reading to the next chapter which is Chapter 3 of the Bill I will not hesitate to share my thoughts.

Have you read the draft law, if yes, what are your views?

Shella FRU esq

Managing Partner

CHI and Partners Law Firm