Blog post by Dr Younous Arbaoui, Assistant Professor, Amsterdam centre for Migration & Refugee Law (ACMRL), Vrije Universiteit, Amsterdam
Under the first Objective of the Global Compact for Migration, States committed to increase the collection and dissemination of migration-related data, while upholding the right to privacy under international human rights law and protecting personal data. In two previous blogs, Elspeth Guild (see here and here) examined the scope of this first objective and discussed where human rights obligations require particular attention when states implement it. One of the challenges she mentions is that of upholding the right to privacy and protection of migrants’ personal data. In this blog, I discuss whether and how the African Union, on the one hand, and African countries, on the other, addressed the issue of the protection of migrants’ privacy and personal data. In closing, I reflect on how the African Union can play a role in ensuring that increase in data collection is accompanied by increase in the protection of migrants’ personal data. My findings are largely based on my recent research about the GCM in Africa (Arbaoui 2022).
Implementing Objective 1 by the African Union
The African Union has implemented the first objective of GCM through the creation of the African Migration Observatory (AMO) in Rabat, Morocco. The AMO was established in December 2020 as a specialized technical unit of the African Union Commission. The idea was originally proposed by Morocco in the context of the African Agenda on Migration, which aimed at supporting member states by improving their immigration policies and gathering reliable data on migration movements in Africa (see also Preamble to the AMO Statute). Morocco’s proposal was favourably received, and eventually integrated into the African Union’s 2018 immigration policy and its action plan recommending strengthening the collection and dissemination of data.
One of the key missions of the Observatory is to facilitate the implementation of the GCM by collecting and analysing data on migration and guiding African countries through the development of effective evidence-based migration policies (Article 3 AMO Statute). To this aim, the Observatory will work on, inter alia, improving and coordinating the collection and dissemination of data, for example by establishing data sharing systems and creating a centralized and unified database on migration (Article 3 and 4 AMO Statute). Importantly, the AMO Statute states that one of its functions is “to safeguard the protection of migrants’ personal data out of respect for their dignity and well-being” (Article 4 Statute AMO). This function is in line with established African Union law on data collection and protection. For instance, the Malabo Convention (AU Convention on cybersecurity and the protection of personal data, 2014; see also this related Guidelines) incorporates both fundamental rights in general and the confidentiality of personal data in particular. More recently, in 2019, the AU introduced the Declaration of Principles on Freedom of Expression and Access to Information in Africa. According to this Declaration, “everyone has the right to have their privacy respected, including the confidentiality of their communications and the protection of their personal data” (see also: the Resolution on the Freedoms of information and expression on the Internet in Africa; the African Declaration of Rights and Freedoms on the Internet; the Additional Protocol on the protection of personal data in the Economic Community of West African States (ECOWAS 2010); the Southern African Development Community Model Law on data protection(SADC 2013); and the East African Community Framework for Cyber Law).
This legal arsenal and the fact that the Observatory’s Statute explicitly refers to data protection demonstrate that Africa has developed an extensive body of (soft)law on the issue of privacy and personal data protection. The next question, then, is whether African states have implemented these legal instruments and whether they have adopted national laws to the same effect.
Implementing Objective 1 GCM in national laws of African countries
Besides the creation of the AMO, African States have taken various measures at the national level to increase data collection, thereby furthering the first GCM’s objective. These measures include creating data collection agencies, increasing data collection initiatives, collaborating with universities, and organizing trainings on data collection technologies and methods (see the review reports submitted by African States as part of the African review of the implementation of the GCM). With regard to the question of privacy and personal data, it appears that not all African countries implemented the above-mentioned African legal framework. More specifically, only 14 countries out of 55 AU members have signed the Malabo Convention, and only eight have ratified it (International Bar Association 2021, p. 14).
In spite of this low ratification rate, data protection is an established right in various African States and it is inextricably linked to the right to privacy. With regard to national constitutional law, only a few African constitutions, such as those of Algeria, Cape Verde and Mozambique, make reference to personal data or the confidentiality of information. Some constitutions, such as that of Algeria, simply provide for the protection of personal data as a fundamental right without much elaboration. Others, such as those of Cape Verde and Mozambique, contain detailed provisions. (Majama et al. 2021, pp. 21-22 & 59-60)
As to national legislation, it is important to note that as of 2020 approximatively half of the African nations have laws that protect personal data, although this number is constantly changing as countries adopt new laws (Gillis 2021; International Bar Association 2021, p. 13-14). In different countries, data protection bills are at various stages of the legislative process (Majama, et al. 2021, p.31-32). Other countries, such as South Africa, have adopted laws on the protection of personal data, but haven’t put in place a regulatory framework to enforce it (Ibid., p. 6). On the flip side, some countries, such as Nigeria, have not yet adopted a law, but have a regulatory framework that protects privacy (Ibid.). Further, among the countries that have a legal framework for the protection of personal data, not all have established an agency with sufficient resources to ensure that these laws are enforced. Importantly, among countries that have data protection laws, there are significant differences in their composition and implementation. (International Bar Association 2021, p. 14) Although current laws generally all capture the essential principles and requirements for data protection, they differ in some respects, such as restrictions on cross-border data transfers and data security (K. Majama, et al. 2021, p.38.).
Finally, with regard to whether African states have taken specific post-Compact measures to protect the personal data of migrants when implementing Objective 1 GCM, it is striking that, the review reports submitted by African States does not mention the issue of protecting the data of migrants with the exception of Kenya. In its review report, Kenya mentions the 2019 promulgation of the Law on the Protection of Data, including personal data of migrants. This legislation dictates that, in addition to the rules regarding privacy and the protection of personal data, the Citizenship and Immigration Act should be amended to ensure that the personal data of individuals obtained under that Act must be treated in accordance with the principles set out in the Data Protection Act. The Kenyan review report also mentions the finalization of a Memorandum of Understanding on the sharing, exchange and dissemination of this data (see p. 11 and 23 in the report).
In sum, although Africa has an extensive legal framework protecting privacy and personal data, it is not implemented by all African States. Moreover, not all African countries have adopted national laws on the protection of personal data, and those that have, have not yet harmonized their regulations. This shows that migrants’ privacy and personal data are not yet protected across Africa. With the exception of Kenya, no other African country has introduced specific post-Compact measures in this regard. The follow-up question is what can the African Union, in particular the AMO, do to ensure the protection of migrants’ personal data and privacy?
The African legal arsenal would certainly facilitate the AMO’s function of protecting the privacy and personal data of migrants. It isn’t hard to imagine a future in which the AMO incorporates the standards of African data protection and privacy law into its agenda, and makes certain that African states respect these principles. However, the state of affairs at the national level will complicate this mission: about half of all African countries have not implemented key African law instruments; many countries have not adopted national laws on the protection of privacy and personal data; and African states, with the exception of Kenya, have not taken post-Compact steps in this regard. This becomes more complicated if we recall the situational factors that hinder the systemizing of privacy protections in Africa (Internet Society and the African Union Commission 2018, p.7). A first step the AMO can take to effectively deal with this challenge is to consider the introduction of African Guidelines on the collection of migration data in Africa and the protection of the privacy and personal data of migrants. In this, the AMO could build on African existing legal apparatus.
Arbaoui, La protection de la vie privée des migrants en Afrique: que peut faire l’Observatoire Africain des Migrations?, in: Elkbir Atouf (ed.), Le Maroc et l’Afrique subsaharienne à travers les rapports migratoires, Ministère de l’éducation nationale, de la formation professionnelle, de l’enseignement supérieur et de la recherche scientifique, en collaboration avec CNRST, Marrakech 2022 (sous presse).
K. Majama, J. Montinat and A. Esterhuysen, Privacy and personal data protection in Africa: Advocacy toolkit, African Declaration on Internet Rights and Freedoms Coalition, April 2021.
The views expressed in this article belong to the author/s and do not necessarily reflect those of the Refugee Law Initiative. We welcome comments and contributions to this blog – please comment below and see here for contribution guidelines.