Here’s Proof Big Brother Is Watching

It’s getting out of hand.

Governments around the world are increasingly demanding access to personal data from tech giants like Apple, Google, Meta, and Microsoft. In just 10 years, the number of user accounts requested has skyrocketed over 8x. The US and EU are leading the pack, accounting for 58 per cent of all requests. To put it into perspective, the US has requested more than double the number of accounts per 100,000 people compared to all EU countries combined. Yes, this is a serious privacy invasion happening on a global scale.

The relationship between African governments and Big Tech is complicated. Did you know, for instance, that government agencies can request your information from Big Tech, get it, act on it, and you would be pinned to the wall like a demented butterfly because of it? This essay explores government requests for user data, reminding you of two things; the importance of digital sovereignty, and the urgent need for strong data protection laws.

Let’s examine the alarming rise in government data requests from Big Tech companies in Africa, highlighting the implications for privacy, digital sovereignty, and the need for robust data protection laws.

It starts with the Surfshark report indicating their research hub analysed “user data requests that Apple, Google, Meta, and Microsoft received from government agencies of 190 countries over 10 years (between 2013 and 2022).” Most requests relate to criminal investigations, but government agencies also request information for civil or administrative cases. “As a data request can cover multiple accounts, the research examines the number of accounts specified in these requests and their global distribution per population. It also compares the number of requests disclosed partially or fully.”

Why Should You Care?

“Surfshark’s research shows that government requests for user data have increased significantly,” said Goda Sukackaite, Privacy Counsel at Surfshark. “While it is crucial for authorities to have tools to combat serious crimes, it is also important to ensure that these measures do not infringe on the fundamental right to privacy,”

As the global debate around government requests for user data heats up, particularly concerning Big Tech companies like Meta, Google, Apple, and Microsoft, the African perspective presents an equally unique and evolving narrative. Much of the focus has been on the US, EU, and other global players, but Africa has also been steadily establishing her place in this conversation, albeit grappling with her own set of challenges when it comes to data privacy, digital sovereignty, and cybersecurity. Granted, in comparison to the EU’s comprehensive and punishing General Data Protection Regulation (GDPR), many African countries are toddling, yet to formalise their data privacy frameworks.

This should not be discouraging news. Out of 55 African countries, 35 of them have data protection laws and three have draft laws. Notable mentions: Botswana Data Protection Act, 2018 bars the transfer of data from the Tswana to another country; Kenya’s Data Protection Act (2019) is praised for being one of the more advanced regulations on the continent, mirroring key aspects of the GDPR. The Nigerian Data Protection Act of 2023 governs personal data processing, aligning it with global privacy standards. Meanwhile, South Africa’s Protection of Personal Information Act (POPIA) is crafted to protect personal data while enforcing its responsible handling.

These regulations represent progress. But the challenge lies in enforcement. Governments face limited resources and infrastructure, resulting in inconsistent implementation. Then there is Big Tech. Companies that often operate with minimal local oversight, attracting conflict. Tanzania wrangled with X, eventually shutting it down for non-compliance with local laws. All Elon Musk had to do was point at an X representative to manage his affairs. Naturally, he chose to trudge along the complicated path, getting in the way of compliance. It is a win for Tanzania considering without proper frameworks, African governments risk being left out of the global push for digital accountability, not just through enforcing it, but by being held accountable.

Africa, Her Royal Highness 

One of the defining concerns for Africa is digital sovereignty; can she control and protect digital data generated on the continent? With Big Tech dominating the digital landscape, from social media platforms to cloud storage, governments are finding themselves with minimal control over how data is handled and stored. The beauty of this, however, is a gradual awakening to the need for homegrown solutions. Lord knows it will reduce reliance on Big Tech Corp. Welcoming this outlook are initiatives such as the African Union’s Convention on Cyber Security and Personal Data Protection. It certainly underscores this shift toward more autonomy.

You have probably observed a paradox. Big Tech in Africa is a double-edged sword that their government agencies routinely and actively wield when they request user data. Sadly, African governments couldn’t possibly assert such control. Instead, their efforts are channelled externally. That, or it depends on international legal frameworks or soft power. Hence a clear and fundamental gap in Africa’s digital sovereignty. It presents a multifaceted challenge that arouses many problems. Big Tech companies wield significant influence in Africa’s digital ecosystem, controlling vast amounts of data and shaping the internet experience for over 570 million Africans as of 2022. While their platforms have helped boost internet penetration and access to services, they have also raised concerns about privacy and user data control.

Cybersecurity: Urgent Yet Underfunded

Cyber threats, including data breaches, identity theft, and hacking, are rising, leaving governments and citizens alike, vulnerable. Countries like Kenya and South Africa have started taking measures to protect themselves. Kenya’s National Cybersecurity Strategy and South Africa’s Cybercrimes Act aim to address these growing threats, but many other nations lag in adopting similar frameworks. While cybersecurity is a pressing issue, data privacy is often relegated to a secondary concern, with national security taking precedence. This tension between safeguarding personal data and addressing national security risks is a complex balancing act that many African countries are still navigating. Kenya’s vulnerabilities were exposed with the World Coin saga.

It definitely opened a can of worms, probed, as it were, by the Office of the Data Protection Commissioner (ODPC), the Communications Authority of Kenya, the Central Bank of Kenya, the Ministry of ICT & the Digital Economy and the National Computer and Cybercrime coordination committee. NetSheria International stated that “It was further agreed that all WorldApps be taken down from all App stores within Kenyan region for one year pending the approval of the company. On legal reforms, the Taskforce has mandated the ODPC to impose administrative fines on companies doing commercial activities on data collection which is a threat opt national security and the economy.” Concluding “The World Coin saga comes as a major test to Kenya’s preparedness for cyber threats and primarily testing the scope of our data protection laws. The saga exposed various weaknesses … and highlighted the need for reforms of the current data protection and cyber use regime.”

African governments are not exempt from the challenge of balancing national security with citizen privacy. Quite a few of the data requests that occur in Africa are tied to anti-terrorism efforts or civil unrest. An act that often comes at the expense of personal privacy, and a fact human rights groups have taken special note of, raising concerns over governments using broad powers to monitor citizens, especially in politically volatile regions. The invasion of privacy caused by excessive government data collection has been known to lead to a chilling effect on free speech with individuals fearing their online activities are being monitored, capping their expression.

It can harm democratic discourse and the exchange of ideas. We’ve seen surveillance coupled with internet shutdowns as a growing tool for controlling dissent from Kenya’s Gen Z protests in July 2024 to Uganda’s 2021 national elections, and Ethiopia’s repeated internet blackouts to Zimbabwe. It blurs the lines between protecting (legitimate?) national security concerns/political control and infringing on civil rights. As if government data requests in Africa needed any more complexity!

There is an emerging broader conversation on digital sovereignty. Nigeria is in the midst of a push for data localisation laws. With their heft in numbers, Nigerian data remaining within its borders, uncontrolled – one hopes – by foreign entities, they align with a global trend. It is also infused into their Data Protection Act, localizing data with legal requirements. Governments seeking to exert more control over critical information infrastructure could be headed for a collision course with Big Tech. The powers that be prefer centralised storage solutions outside of the countries where the data is generated. Privacy concerns specific to African countries regarding data requests are woven into the threads of governance, security, and digital rights. On the flip side of that dominion over self exists digital transformation. A pursuit that also promotes economic development.

African Countries With The Most User Data Requests

While the West make the most user data requests globally, there are some African nations actively seeking data from Big Tech companies like Meta, Google, Apple, and Microsoft. Here’s a look at the top 10 African countries with the highest number of user data requests.

The Surfshark Report on Government Requests for User Data may not explicitly underscore it, but it is evident this discussion around data privacy and government requests must include the African perspective. How else can these complexities get recognition and, more critically, acknowledgement, in the global discourse?

Surfshark indicates the increase in government requests for user data globally correlates with a heightened sense of surveillance among citizens, leading to self-censorship and reduced participation in public discourse. The potential misuse of collected data by governments also significantly undermines public trust in institutions. When citizens believe their privacy is being violated, it can lead to distrust towards governmental entities, leading to social unrest and political instability with this erosion of trust being particularly concerning in regions where governance is already fragile.

Organisations like Amnesty International have repeatedly illustrated how citizens across African nations express distrust towards their governments due to perceived abuses of power in data collection practices. This has happened in the Democratic Republic of Congo (DRC) regarding cobalt and copper mining forced evictions of entire communities and human rights abuses including sexual assault, arson and beatings.

Multinational mining companies have violated legal safeguards and disregarded the UN Guiding Principles on Business and Human Rights in their pursuit of minerals. Journalists, human rights defenders, activists and opposition members have been targeted in Cameroon over electoral irregularities while in Somalia, over 105,000 internally displaced people were forcibly evicted between January and December across Somalia. The lack of adequate shelter and privacy in overcrowded displaced persons settlements increased women’s and children’s vulnerability to violations such as gender-based violence.

These reports illustrate a concerning pattern of African governments overstepping their bounds in data collection, often targeting vulnerable populations and dissenting voices. This abuse of power has understandably led to a breakdown of trust between citizens and the state in many countries. Addressing these human rights violations and reforming data governance practices is crucial for restoring public confidence. There goes Big Brother. Always watching.

In the decade surveyed, companies complied with user data requests at an average rate of 72 per cent. “Over the years, the compliance rate (partial or full disclosure) with user data requests ranged from 66 per cent in 2015 to 77 per cent in 2022. Apple complied with government requests the most and submitted user data for around 82.0 per cent of requests, while Microsoft complied the least, with a rate of 67 per cent.”

Now That We’re Here, What To Do?

Do not despair. Here is a list.

1. It begins with advocating for stronger enforcement of those lovely, lovely data protection laws. If we were to be honest, the enforcement of existing data protection laws is often weak due to limited resources and infrastructure in many African countries. Establishing independent regulatory bodies like Kenya’s Office of the Data Protection Commissioner (ODPC) plays a crucial role. It took a while to lift off, but we can say we are somewhere.
2. More autonomy and resources to function effectively couldn’t hurt either. Once set up, they need regular audits and compliance checks in the form of routine inspections and assessments of data handling practices. And there must be legal consequences for non-compliance with strict penalties for organisations that fail to comply with data protection regulations to deter violations. A January 2024 report Strengthening Data Protection In Africa: Key Issues For Implementation by Access Now makes a solid case for all the above, citing Kenya, Ghana and South Africa in particular. Amnesty International Kenya underscores these points too, delving deep into providing guidance for the ODPC, citing global instances where we could lean into the GDPR.
3. Increasing funding for data protection agencies in Africa does several things. It facilitates operations, builds capacity through training programs for personnel while enhancing their skillsets owing to complex data privacy issues, boosts public awareness campaigns through digital and traditional media platforms, and investments in technology to monitor compliance and manage data breaches.
4. Promote data localisation laws to help African countries maintain control over the data generated within their borders. Nigeria, for instance, is striving to reduce reliance on foreign entities and enhance data sovereignty. Governments can further do the thing where they incentivise the establishment of local data centres to ensure that data remains within the country. Of course, job opportunities and economic stimulus are fantastic side effects of this. Collaborating with global agencies to establish standards for data localisation would also align local laws with global best practices while protecting national interests.
5. Access Now strongly recommends that African governments join the 15 states that recognise and ratify the African Union Convention on Cyber Security and Personal Data Protection aka The Malabo Convention “as a first step toward recognising the importance of data protection laws and strengthening accountability across the region.”

So, there you have it. The relationship between Big Tech and African governments is a mixed bag. On one hand, these tech giants can bring us amazing things like better access to information and services. But on the other hand, they also pose serious risks to our privacy and control over our own data. African governments need to be smart about this while at the same time, they need to encourage local innovation and reduce our overdependence on foreign companies.

Here’s to striking the right balance; technology and sovereignty. I, for one, am watching this space.

This article first run in the September 2024 edition of CIO Africa Magazine.