…Need to Guide Against Being Conduits for Cyber Crimes
The former Chairperson of the Electoral Commission of South Africa, Ms Pansy Tlakula, has warned Election Management Bodies (EMBs) in Africa against diverting voters’ personal data to uses other than the specific purpose for which it was collected. If this data is not properly protected, she cautions, many citizens may become more wary and discreet about turning up to be registered as voters, which will ultimately undermine the electoral process.
“EMBs must ensure that they obtain the consent of a voter before they register him or her, they must use the personal information or data of a voter for the purpose for which that information was collected from the voter and they must secure such personal information or data,” explained the former chairperson of the African Commission of Human and Peoples’ Rights (ACHPR) while presenting her keynote address to the West Africa Media Excellence Conference and Awards (WAMECA) in Accra, Ghana.
According to her, “The voters roll contains a lot of personal information or data of voters such as the name, surname, identity number, physical address, photograph and special or sensitive personal information or data such as biometric information of a voter. EMBs are indeed allowed to process personal information of voters in the voter’s roll to enable them to perform their duties and functions of managing elections.
“In fulfilling these duties and functions, they have to strike a balance between the right to privacy of voters and the free flow of information required for the legitimacy, credibility and transparency of the electoral process. Therefore, EMBs are required to comply with all the principles or conditions for the lawful processing of personal information when they compile the voter’s roll.
“Simply put, EMBs, particularly on our continent, are sitting ducks for cyber crimes. These challenges are prevalent globally. Unfortunately most electoral laws are outdated and have not anticipated these challenges,” Tlakula, now chairperson of the Information Regulator of South Africa, says.
“It has already been stated that in order to enhance the transparency, credibility, freeness and fairness of the electoral process, all stakeholders involved in the process, including EMBs, should proactively disclose all the public information related to elections.”
“The electoral laws in many parts of the continent require an EMB to publish the voters roll in the run up to an election to afford registered voters and political parties the opportunity to inspect the voters roll for the purpose of verifying the details of registered voters.
“The laws of some countries on the continent, such as the Electoral Act in South Africa, require the Electoral Commission to provide each party contesting an election with a certified copy of the voter’s roll. It further requires the Chief Electoral Officer to provide a certified copy of the voter’s roll to any person upon payment of a prescribed fee.
“The question which remains to be addressed is whether an EMB should include all the personal information of voters contained in voters’ roll such as an identity number in the case of South Africa, when they publish the roll for inspection. An identity number in South Africa is a unique identifier which provides information on a person’s age, sex and citizenship status.
“It also serves as an identifier for a number of other enquiries relating to marital status, searches in the deeds office disclosing matrimonial regime, property ownership, company directorships etc.
Does the inclusion of the identity numbers of voters in the publication of the voters’ roll not amount to the excessive processing of the personal information or data of a voter and therefore an infringement of his or her right to privacy? The view of the Information Regulator of South Africa is that it does.
The balance can be struck between the right of access to information and the right to privacy of a voter by either excluding the voter’s identity number from the published roll or by encrypting it.
Continuing, Tlakula, a lawyer and one of the founding commissioners of the South Africa Human Rights Commission, says, “The deployment of other forms of technology in the electoral process has impacted on the right to privacy in a way that was never anticipated. This impact goes beyond the use of social media in the electoral process.”
“To give an example, in recent times, technology is deployed by EMBs in all aspects of the electoral process, including in the demarcation of electoral boundaries, the registration of political parties, the registration of voters and the compilation and maintenance of the voter’s roll using biometric data, candidate nomination process, electronic voting and the collation of election results and allocation of legislative seats after the elections.
“The deployment of ICT in the electronic process has undoubtedly improved the efficiency and the effectiveness of the electoral process. However, technology has its own challenges and disadvantages. In the past, these challenges related mainly to the reliability and accuracy of electronic voting machines due to the absence of a paper trail, which made the verification and reconciliation of votes difficult.
“The rapid development in technology and new digital technologies has introduced new challenges in the electoral process. These challenges mainly include the following: the lack of adequate security measures within EMBs to secure the integrity of their systems in general and the integrity and confidentiality of the personal information or data they hold against unlawful access or hacking in particular, the use of personal information of voters obtained unlawfully from sources such as social media companies, direct marketers and data brokers to spread fake news or disinformation about political opponents and even the EMB during elections and the use of personal information of voters unlawfully obtained by political parties from these sources for campaigning purposes.”
Only a few countries on the continent have adopted effective and robust data protection laws with data protection regulatory authorities which have effective enforcement powers.
Tlakula, a law graduate of both the University of Witwatersrand and Harvard University, points out that the United Kingdom’s Data Protection Act of 2018, which replaced the Data Protection Act of 1998, gives the Information Commissioner’s Office (ICO) enormous powers, which were used to fine Facebook a lot of money during the Cambridge Analytica debacle.
The ICO found that the personal data of Facebook users, which did not have adequate security measures, was harvested and used by Cambridge Analytica, which worked with the “Leave EU Campaign” (Brexit) during the EU referendum to provide data services which supported the micro targeting of voters to influence the outcome of the referendum.
Following the investigation, the ICO released a report called “Democracy Disrupted - Personal Information and Political Influence” in July 2018, in which it makes ten (10) policy recommendations relating to the use of personal data and data analytics techniques to target voters during political campaigns. These recommendations include the following:
“The ICO will work with the Electoral Commission, Cabinet Office and political parties to launch a version of its successful campaign called “Your Data Matters” before the next general elections. The aim will be to increase transparency and build trust amongst the electorate on how their personal data is being used during political campaigns”.
“Political parties should apply due diligence when sourcing personal information from third party organisations, including data brokers, to ensure appropriate consent has been sought from individuals concerned and that individuals are effectively informed in line with transparency requirements under the General Data Protection Regulation (GDPR). This should form part of the data protection impact assessment conducted by political parties.”
In most countries on the African continent, political parties and candidates unlawfully obtain voters’ cell phone numbers from data brokers and bombard the voters with unwelcome and intrusive campaign messages on their mobile phones. In some instances, certain voters are also micro-targeted and sent particular messages to influence their vote. These practices constitute a violation of the voters’ right to privacy.
As already indicated above, unfortunately very few countries on the continent have adopted data protection laws which establish effective data protection authorities with effective and enforceable powers. The Electoral laws are also outdated and do not address this issue. Without these laws, political parties and candidates will continue to violate the voters’ right to privacy with impunity.
The African continent, unlike the European Union which has the General Data Protection Regulation (GDPR), which is a binding data protection regulation, is yet to adopt a similar regulation. The African Union Convention on Cyber Security and Personal Data, which was adopted in 2014, has not been ratified by the required number of States for it to come into effect. Even if ratified, the Convention is already outdated, is not binding and does not have the same force and effect as the GDPR.
According to Tlakula, who was chairperson of ACHPR between 2015 and 2017, Data Privacy is provided for in the African Union Convention on Cyber Security and Data Protection (Convention), which was adopted by the African Union in 2014.
The Convention recognises the interrelationship between right of access to information and the right to privacy as it relates to the protection of personal data. This interrelationship is aptly reflected in the preamble to the Convention which stipulates that:
“The protection of personal data and private life constitutes a major challenge to the Information Society for governments as well as other stakeholders; and that such protection requires a balance between the use of information and communication technologies and the protection of the privacy of citizens in their daily or professional lives, while guaranteeing the free flow of information.”
The relationship between access to information and privacy is also reflected in article 8 (1) of the Convention which provides that:
“Each State Party shall commit itself to establishing a legal framework aimed at strengthening fundamental rights and public freedoms, particularly the protection of physical data, and punish any violation of privacy without prejudice to the principle of free flow of personal data.”
The Convention also provides six (6) basic principles governing the processing of personal data. These are:
Principle 1: Consent and legitimacy of personal data processing: “the processing of personal data shall be deemed to be legitimate where the data subject has given his/her consent”.
Principle 2: Lawfulness and fairness of personal data processing: “the collection, recording, processing, storage and transmission of personal data shall be undertaken lawfully, fairly and non-fraudulently.”
Principle 3: Purpose, relevance and storage of processing of processed personal data: “data collection shall be undertaken for specific, explicit and legitimate purpose……, data collection shall be adequate, relevant and not excessive….., data shall be kept for no longer than is necessary for the purpose for which the data were collected….., beyond the required period, data may be stored only for the specific needs of data processing undertaken for historical, statistical or research purposes under the law”.
Principle 4: Accuracy of personal data: “data collected shall be accurate and, where necessary, kept up to date”.
Principle 5: Transparency of personal data processing: “the principle of transparency requires mandatory disclosure of information on personal data by the data controller”.
Principle 6: Confidentiality and security of personal data processing: “personal data shall be processed confidentially and protected, in particular where the processing involves transmission of the data over a network”.
The adoption of the Convention reflects the prioritisation of the elaboration of legal frameworks on data protection in Africa. The challenge is that the elaboration and implementation of norms and standards on data protection in Africa often take place outside the human rights discourse.
Data protection has generally been treated as an information technology issue rather than a human rights issue pertaining to the right to privacy. The absence of a human rights approach to data protection on the continent is compounded by the non-recognition of the right to privacy in the African Charter.
A number of countries on the continent have adopted both access to information laws and data protection laws. These include Angola, Benin Republic, Burkina Faso, Cape Verde, Cote d’Ivoire, Gabon, Ghana, Madagascar, Mali, Mauritius, Morocco, Senegal, Seychelles, South Africa and Tunisia.
Almost all these countries, with the exception of South Africa which has a single oversight body for both access to information and data protection, have established separate oversight bodies for these areas. This has reinforced the exclusion of data protection from the human rights discourse, particularly in the area of elections.