COVID-19 UPDATES: All the stories and commentaries on Coronavirus, in one place


Data Protection Law Limits Gov't, Private Sector Data Processing Rights


June 5 , 2021
By HAWI DADHI


A new personal data protection bill places legal limitations on the extent to which both government and non-government entities can collect and utilise personal information imprinted on the internet by users who are often unsuspecting.

The bill, which was drafted by using European Union's General Data Protection Regulation (GDPR) bill as a benchmark, set outs the fundamental rights of data subjects including the right to be informed, the right to access and the right to be forgotten (right to erasure), among others.

Upon being legislated by the parliament, it is also expected to serve as a legal framework to regulate the processing of personal data, such as the principles of fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, security, and data transfer.

"As human rights in the physical world are inalienable, it should be extended to the online sphere as well," said Abiyot Bayou (PhD), director of the National Digital Transformation Programme at the Ministry of Innovation & Technology.

Prepared by the Ministry, the final draft has been submitted to the Office of the Federal Attorney-General. It restricts government entities from soliciting personal data, which is defined as any information relating to a person who can be identified, directly or indirectly, from other data collectors, without the knowledge and consent of the data owner.


The bill makes an exception where data can be confiscated as a response in the case of a period of crisis. Although government institutions would be allowed to process data in this scenario, the process must comply with several restrictions such as ensuring that it is in the public interest, is necessary and that its effects on the rights of the data owner are reasonable. And most importantly, it details that how the data is processed should be clearly defined.

According to Yohannes Eneyew, PhD candidate at the Monash University Faculty of Law in Australia, such exceptions have to be properly managed and regulated as they might expose personal data to misuse.

"The draft looks like a modern law decorated with stunning provisions yet it may face some challenges in practical implementation since currently there isn't an adequate body to oversee it," said Yohannes

To address such concerns, the bill aims to establish a regulatory body called the Data Protection Commission, which will be in charge of ensuring the implementation of the data protection law and auditing data controllers and processors, among the two dozen responsibilities it is to be tasked with.


The details on the establishment of the Commission, whether it is to be established as a separate entity or to be integrated into a certain ministry's services, will be decided on by parliament upon the issuance of the proclamation. However, the drafters of the proclamation are insisting it should be instated as an independent entity that answers to parliament. This is meant to foster impartiality as the Commission will also be in charge of monitoring government organisations, according to Abiyot.


If established as a Commission, the draft indicates that commissioners and deputy commissioners will be appointed by the Prime Minister and be presented to the House of Peoples' Representatives for approval.

Most countries that have adopted data protection laws require countries they invest in to have a similar legal framework. As the government wants to attract foreign investment as well as foreign data centre service providers, the law is thus expected to play an important facilitating role, according to Abiyot.

Additionally, when third-party data processors come into the country, their use of data has to be monitored and limited within the bounds of the country's laws, according to the new bill.

The draft explicitly details the rights of data owners, which is one of the main principles of data protection laws. Individuals whose personal data has been collected by a data controller are allowed to know the full background of the controller, such as the address and a representative's name, and how long the data will be controlled.

In addition, the individual can revoke the controller's access to data. This would mean that if an individual wants to have data collected by a data controller or processor to be erased, he/she should be able to do so upon his/her own will.


Similarly, the law identifies ethnic, genetic, physical and mental health status, sexual life, political views, membership of professional associations, religious views, criminal history, court procedures, and personal communication data, as sensitive. Any data labelled as sensitive is off-limits to processors, barring exceptions such as when the data is necessary for healthcare, judicial matters, or if the owner consents to its use.

Almost half of Africa's 53 countries, including some of the biggest Sub-Saharan markets, have adopted some form of regulation with the goal of protecting personal data, according to Privacy International, a UK-based organisation that promotes the right to privacy. The Malabo Convention hosted in 2014 was a step forward in this regard.

The issue of data privacy has been a hot topic in recent years with global tech giants being accused of breaching personal data rights. One of the biggest scandals was Facebook's shady dealings with Cambridge Analytica, a political consulting and strategic communication firm.

Facebook, a global force with more than 2.8 billion monthly active users, was accused of collecting and trading the personally identifiable information of up to 87 million people. Cambridge Analytica and thousands of other data collectors were able to gain access to the personal data of Facebook users due to the inadequate safeguards against companies engaging in data harvesting, insufficient oversight of Facebook developers, developer abuse of the Facebook API, and users agreeing to overly-broad terms and conditions.



PUBLISHED ON Jun 05,2021 [ VOL 22 , NO 1101]


How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 2

No votes so far! Be the first to rate this post.





Put your comments here




Editors' Pick



Editorial




Drop us a message

Or see contact page