Published on May 20, 2019
African countries should learn from mistakes that have already been made while pursuing their own path in Internet security.
Protecting personal data: Who is the governor?

All kinds of information have recently been made digital. This has transformed it into data which appears as bytes on the waves of the Internet. However, only recently, after years of frantic digitalization, have we become increasingly aware of the need to protect this information as efficiently as possible. Amid the constant debate between businesses and governments on who has governance over personal data, it is imperative to review some key initiatives and strategies adopted by governments around the world. This will be important for African governments as they form their own policies regarding online data and its protection:

1) Protecting personal data by imposing regulations on business

General Data Protection Regulation (GDPR): adopted by the EU Parliament in 2016, the GDPR has continuously made headlines in both political and technical media outlets. Aimed at protecting the personal data of online users, it obliged online companies to offer a public policy form for acceptance when users access the website. According to the regulation, any user has the right to have their personal data permanently deleted once it is of no direct use to the company in question.

Initially, the initiative was met with dubious responses from both the industry and consumers. While the former faced the risks of serious fines and had to hire more personnel to be responsible for now-necessary tasks, internet users became more responsible for controlling their own activity, while growing irritated with endless pop-ups on their screens. While the GDPR effect is difficult to put in numbers, the regulation led to Data Protection Authorities (DPAs) becoming busier, as they were also responding to breach notifications.

Outcomes and lessons: Because the GDPR involved serious financial costs, it hurt small businesses, and led to the possibility of certain services becoming unavailable for European customers (as they failed to comply with regulations). According to experts, this approach restricts innovation and negatively affects people’s sense of security.

2) Protecting content by top-down legislation

On May 1, 2019, Russian president Vladimir Putin signed the long-discussed ‘Law on Sovereign Internet’ aimed at protecting data and ensuring internet access for Russian citizens in case the country is cut off from the global network by foreign states. According to government officials, the law should protect the data exchanged by Russian users. In order for the provisions to be implemented, the Russian government will spend about 500 million USD on “special equipment” which will ensure that the internal internet traffic will cross its borders.

Before the bill went through the parliament, it faced strong rejection from the media and general public. Some claimed it would restrict freedom of speech and impose control on content that circulates on the Russian segment of the internet. Technical experts shared concern over the country’s technological ability to put such initiatives into practice, as well as possible consequences for businesses. One should not forget that the “sovereign internet” came after the so-called Yarovaya Law came into force.<1> While the ‘sovereign internet law’ is expected to come into force by November 2019, it is currently shrouded in mystery: the concepts mentioned and measures to be taken are too vague to judge the effect the law will have on citizens and the industry.

Outcomes and lessons: Even though it is too early to talk about the impact of the new law, some clear trends are already present. First, the top-down restrictive approach has been met with reluctance and opposition, and is often connected with fears of authoritative measures. Second, the industry is concerned with the country’s economic capability to successfully implement the project, while partly supporting the idea. Third, suspicious international reactions are detrimental to the country’s image.

3) Juggling various interests

Following the Cybersecurity Law of 2017, China introduced the non-binding national standard Personal Information Security Specification that is somewhat similar to GDPR. The main focus of the document, however, lies in ensuring national security while still making sure personal data is only stored for the right purposes and short periods of time. Still, Chinese authorities are interested in growing their digital economy with their giants largely relying on big data and AI technologies. As always, the idea is to custom-make a system from China; key in this system is data that the government is able to control.

Outcomes and lessons: Chinese authorities and businesses share views on economic development, and have designed laws to fit in this paradigm. The ever-increasing control over the Chinese population and the prospects of building a hi-tech authoritarian state are receiving greater attention internationally.

4) Play-it-by-the-ear tactics

Responses to issues have been mostly ad hoc. While the US government has not elaborated on any tactics, data protection has been ensured by the United States Privacy Act. At the same time, the Federal Trade Commission has the authority to enforce privacy regulations in specific areas. For instance, the Commission is now negotiating the idea of creating a privacy committee with an external assessor at Facebook; this is something the company has recently agreed to do following the alleged violations of the privacy consent decree.

Outcomes and lessons: A responsive approach may not work well enough when protecting personal data. After numerous leaks, one needs to establish a clear policy, and designate those who will be responsible for working towards this goal on a permanent basis.

Implications for African Countries

While the rest of the world is still discovering the art of protecting personal data online, there is a one-size-fits-all model. African countries should learn from mistakes that have already been made while pursuing their own path in Internet security. With the industry the internet has created, an alienating and divisive approach is advised against. Creating a clear understanding of data protection by key stakeholders would be the best foundation for a future legal framework.

<1> The law obliged communication service providers to store citizens’ data from personal chats and calls in order to fight terrorism; many associated it with restricting freedom of speech.

The views expressed above belong to the author(s).


Maria Smekalova

Maria Smekalova is a PhD student and Russian International Affairs Council (RIAC) expert. At RIAC she led bilateral cybersecurity programs together with the US and ...