The latest report by ARTICLE 19 Eastern Africa, the Kenya ICT Action Network and Pollicy (the Consortium), examines how increased Covid-19 surveillance in Kenya and Uganda has reduced people’s rights to privacy, data protection, freedom of expression and access to information.
While international human rights law allows governments to have increased powers and to take special measures during health crises, such actions must be temporary, and any measure must pass the three-part test of legality, necessity and proportionality.
The report highlights the following infringements, interferences and violations in 2020, including:
- Poor oversight over Covid-19 data collection
- Lack of independent data protection authorities
- Use of telecommunications data to ‘track and trace’ individuals without regard for due process.
- Surveillance of public spaces using CCTV and biometric technologies
- Lack of transparency and accountability by state and non-state actors
- The use of coronavirus contact tracing applications with limited impact and effectiveness, amongst others.
The report provides clear recommendations to governments and private companies in Kenya and Uganda to address these infringements, interferences and violations.
Learn how Covid-19 surveillance measures in Kenya and Uganda are reducing your right to privacy, leaving your data unprotected, and limiting how much information you can access.
‘Track and Trace’ measures and practices: Surveillance over safeguards
Across 2020, the Kenyan and Ugandan governments have been ‘tracking and tracing’ individuals suspected of having Covid-19. They have developed surveillance techniques in partnership with private companies, such as telecommunications operators, mobile network operators, and developers implementing biometric technologies. They have then deployed these measures across private and public spaces, using location and call data from smartphones, CCTVs, biometric surveillance technologies, and coronavirus contact tracing apps.
However, governments have failed to pay attention to due process and human rights protections while watching the public. For example, the Kenyan and Ugandan governments failed to pass laws that regulate where mobile operators can share the geo-location data of self-quarantined individuals. Using this data to monitor and enforce social distancing raises core concerns about mass surveillance, fears of continuous monitoring of individuals in both public and private spaces, and data misuse. Similarly, the use of location data can threaten digital anonymity, placing the lives of journalists and whistleblowers at grave risk.
Moreover, both governments used CCTV surveillance with facial recognition technologies to monitor public spaces and enforce social distancing requirements. The use of facial recognition technologies in public spaces is deeply intrusive. However, both countries lack a comprehensive legislative framework for the use of biometric technologies for surveillance purposes. As a result, the freedoms of assembly and association are also at risk.
Despite public-private partnerships underpinning the development of more than nine coronavirus contact tracing apps, these were not matched with a proactive disclosure of information and documents, including contracts, data sharing agreements, procurement documents, budgetary allocations, and more. These transparency failures prevent people from understanding how their personal data is collected and used.
State actors and private entities have also collected, processed and shared personal data, including sensitive health data. Despite Kenya and Uganda operationalising their data protection laws before the pandemic, the two data protection authorities had not been constituted at the time the pandemic struck, and as such, have been unable to oversee Covid-19 data collection.
Worryingly, functional and operational considerations limit data protection authorities from independently overseeing surveillance measures and practices to contain the pandemic. The two data protection authorities are established as state agencies rather than as independent or autonomous bodies, and as such, are subservient to the Executive.
In effect, while state and private authorities have kept the public under heavy surveillance, they have failed to implement appropriate safeguards and guarantee people’s rights to safety, privacy, data protection, freedom of expression and access to information.
Key Recommendations: Checking the ‘Watchers’
Based on the findings in the report, ARTICLE 19 Eastern Africa, the Kenya ICT Action Network and Pollicy propose that:·
The governments of Kenya and Uganda should:
- Review all measures and systems deployed to address the coronavirus pandemic, which include data collection programmes, systems and applications, to ensure they strictly comply with the three-part test under international human rights law, and data protection principles, including the purpose limitation, privacy by design and data minimisation (i.e., the processing of adequate, relevant, and limited’ personal data that is necessary).
- Introduce administrative, legislative, budgetary and practical measures to guarantee the full independence of data protection authorities.
- Ban biometric mass (i.e.: untargeted or arbitrarily targeted) surveillance in public or publicly accessible spaces.
- Proactively disclose and make public all information and documents relating to public-private partnerships including, but not limited to, contracts, data-sharing agreements, procurement documents, and budgetary allocations.
- Introduce appropriate oversight and safeguards in public health laws, including judicial warrants, to check the broad search powers granted to medical and public health officers and other delegable officials.
Private companies working on technologies, products and services to address the pandemic should:
- Comply with international human rights standards, including the UN Guiding Principles on Business and Human Rights, and national laws protecting the rights to privacy, data protection, freedom of expression, and access to information.
- Develop and implement comprehensive data protection measures and practices to regulate their collection, processing, and storage of personal data.
- Integrate data protection principles, including the purpose limitation, data minimisation, data retention, and prior and informed consent, in the design, development, and deployment of technologies, products, and services to tackle the Covid-19 pandemic.
- Demand court orders before complying with government requests for individuals’ data, and refuse to comply, or challenge in court, any arbitrary, unlawful, or illegal data requests or orders from government agencies or officials.
- Proactively publish transparency reports outlining the instances when user data has been requested and shared with state agencies and other private entities, the types of user data (including metadata) requested and shared, how the data was shared (compliance rates), risks to customers’ data, the existing grievance mechanisms, and measures in places to protect customer data.