Senegal has just introduced a new law to replace the 2008 Personal Data Protection Law which was one of the first data protection laws enacted on the continent.
This statement was originally published on cipesa.org on 14 January 2020.
By Thomas Robertson
Twelve years after being among the first African countries to enact data protection legislation, Senegal has published a bill to replace the 2008 Personal Data Protection Law. The Personal Data Protection Bill of 2019 is part of the government’s goal of upgrading the legal and institutional framework of the technology and telecommunications sector by 2025 as part of “Digital Senegal 2016-2025 Strategic Plan” and seeks to address key emerging digital issues including biometrics, big data, artificial intelligence, geo-location and cloud computing. Further, the bill seeks to address gaps in the existing legislation related to the composition and independence of the oversight authority, mechanisms for self-referral, and cross-border cooperation.
In January 2008, Senegal adopted Law No. 2008-12 of 25 which provides a legal and institutional framework for the protection of personal data. The law established an independent authority known as the Commission of Personal Data (CDP) whose mandate is to ensure that the processing of personal data is implemented in accordance with the provisions of this law, and upholds the rights of data subjects and the obligations of data processors. A few years later in 2016, Senegal went on to become the first African country to ratify the continent-wide convention on Cyber Security and Personal Data Protection, which was adopted by the African Union in 2014.
Despite being a pioneer on data governance in Africa, implementation and enforcement of the law has remained a challenge. There have been reports of resource limitations for the CDP to sufficiently fulfill its mandate. In February 2018, CDP president Awa Ndiaye made a plea for government assistance to support efforts for sensitisation and compliance monitoring.
Meanwhile, the country has recorded a growing telecommunications sector, with a 2018 internet penetration rate of 68.49%, a diverse digital media and technology innovation landscape. However, several private and public actors continue to collect personal data in Senegal without any regulatory enforcement by the CDP. This is the case for mandatory SIM card registration implemented by the Regulatory Authority for Telecommunications and Posts (ARTP) through mobile telecom operators, which is linked to the national identity database.
The principles of the bill state that the collection, registration, processing, storage and transmission of personal data must be done in a lawful, fair and non-fraudulent manner. According to Article 7 of the bill, personal data processing is defined as lawful if “consent is given, processing is necessary for legal obligations, a task of public interest, a task related to exercising public authority, the implementation of policy, or in order to protect the interest of fundamental rights and liberties of the person whose data is being processed”.
Consent is defined as a declaration or clear affirmative action, either orally or in writing, that gives permission to process personal data (Article 8). The data processed must be stored securely and confidentially, be limited to data relevant to the task at hand, and be stored only within the period necessary (Articles 10-12). The bill also addresses third party processing of data and mandates a contract between the data controller and subcontractor that guarantees compliance with the law (Article 16). Article 110 maintains the rights of a data subject to access data held about them and to monitor its accuracy.
Section 1 of the bill proposes the establishment of the Personal Data Protection Authority (APDP) to replace the existing CDP. The APDP would operate much like the CDP, but its member composition is different in size and selection. The APDP would have 12 members, one more than the CDP. The APDP’s composition would be two presidential representatives, and one representative each from the National Assembly, the Finance Ministry, the Justice Ministry, the Ministry of Telecommunications and Digital Economy, a business organisation, a digital media organisation, a medical organisation, a human rights organisation, a civil society organisation and the Bar Association of Senegal. On the CDP, there are three presidential representatives, a deputy nominated by the head of the National Assembly, a Senator nominated by the head of the Senate, one magistrate member each from the Council of State and the Court of Cassation, the Director of the State Digital Information Agency (ADIE), a lawyer nominated by the Chairman of the Bar Association of Senegal and one representative each from a business organisation and a human rights organization.
The proposed constitution of the APDP is a four-member increase in the non-governmental representation in the oversight body, replacing seats formerly taken by government representatives and presidential advisors. Even if these non-governmental representatives must be nominated by decree of the president, the inclusion of non-state actors in APDP’s membership bodes well for incorporating the interests of civil society into the work of the Authority. Moreover, the 2019 bill builds on the 2008 law’s promise of CDP’s impartiality and protection of members’ freedom of expression by guaranteeing that members cannot be detained, arrested, or punished based on their opinions or decisions made.
Under the proposed law, exemptions apply when processing personal data for the purposes of journalism, research, artistic or literary expression, if implemented within “the ethical standards of these professions” (Article 105). Exemptions under the existing law are outlined under Article 2, which states that “any processing of data relating to public security, defense, investigation and prosecution of criminal offenses or state security, as well as significant economic or financial interests of the State, is subject to the exceptions defined by this law and specific provisions on the matter set by other laws.”
Provisions proposed under Section 6 specifically speak to personal data and law enforcement. Section 6 states that data collection as part of crime prevention, investigation and punishment must respect the principles of necessity and proportionality as well as follow a legitimate goal. Although both the 2008 law and 2019 bill do well in defining technical terms, “legitimate goal” is undefined in the bill, and as such, is a vague description that may be subject to abuse by the government.
The bill also introduces regulation of video surveillance, with a requirement for a visible notification of the presence of the surveillance system, a receipt reference issued by the Authority, and contact details of the person or service responsible for the “rights of access, opposition and deletion” of content from the video system (Article 121). Other than for purposes of safety of property and people, the installation of video surveillance for “systematic, deliberate and permanent monitoring” at places of work as defined in the Labor Code is outlawed (Article 120). Video monitoring at workplaces was a contentious issue in Senegal in 2019.
Article 128 expands the definition of “sensitive data,” which is illegal to process, to include familial descent and genetic data. Article 129 allows the processing of genetic data only in order to verify the existence of genetic connections in the context of court proceedings or criminal investigations. This expanded definition of “sensitive data” builds upon how it was defined under the previous law, where sensitive data was defined as personal data relating to religious, philosophical, political, and labor union activities, as well as sexual life, race, and health.
In a move to promote research and collaboration, the management of big data is also included in the bill, mandating that risks of big data collection and processing must be identified and evaluated (Article 114). Additionally, Article 118 sets out the conditions for the use and reuse of open data.
Overall, the bill is a significant step towards establishing a modernised data protection framework for Senegal that is rights respecting, and provides a conducive environment to support innovation amidst an increasingly digitised environment. Public consultations on the bill are ongoing and it remains to be seen whether ongoing drafting will incorporate recommendations and provide clarity on ambiguous/vague provisions.
Thomas Roberston is a fourth-year undergraduate student studying international affairs and foreign languages at Occidental College in Los Angeles, California, United States. He is currently interning with the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) as part of research on his final year composition paper on digital expression and China-Africa relations.