Data Governance and AI

  • CIPIT
  • |  
  • October 6, 2023
  • |
Data Protection in Africa

Data Protection in Africa

Data protection and AI can be analyzed from two perspectives: the first, relating to collection, processing, and storage of personal data for AI development and the second, to the protection of data from misuse and exploitation by researchers and developers during data mining, collection, processing, and storage. Both perspectives interlink and can be addressed, to an extent, by use of similar policies and legal frameworks.

The past year has seen African countries set foundational frameworks with respect to data protection necessitated by the changes and growth of the digital space on the continent. To date, 22 out of the 54 African countries have implemented data protection laws. The remaining majority have bills waiting to be passed into law. This is particularly significant to AI systems that rely on the processing of personal data as these laws create the foundational basis for the protection of personal data against misuse and exploitation by researchers, developers, and even the users of AI.

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.  Thus the general data protection principles on the protection of personal data could apply in specific aspects to AI. Specific data protection principles that may apply include:

  • Fairness: To function as intended, AI algorithms are trained using datasets. The principle of fairness mandates that the data must be handled in ways that would be reasonably expected and not used in ways that would have unjustified adverse effects. For AI systems, processing personal data in accordance with the fairness principle, means the data utilized must not be biased or flawed resulting in incorrect or discriminatory results.

  • Purpose Limitation: Machine learning often takes place by utilizing datasets collected for other purposes. Purpose limitation requires that the reason for processing data must be clearly established and indicated when the data is collected. The purpose of the processing also needs to be fully explained to the data subject, so that they can make an informed decision regarding consent where applicable.

  • Data Minimization: The development of artificial intelligence usually requires the processing of huge amounts of data. The Principle of data minimization compels that the gathered data must be used in an adequate, relevant, and limited manner, only to the extent that is necessary for achieving the purpose for which it was collected.  The principle mandates that sufficient efforts should be taken to determine the exact needs of the algorithm and to select only the information that is actually relevant for those purposes.

  • Accuracy: This principle of accuracy requires that personal data is accurate and kept up-to-date. This principle is of particular importance for fully automated systems, where the output could have a significant impact on individuals with little human oversight. In the context of AI, feeding an AI system inaccurate data could lower the quality of the output, and this principle requires that AI users take a particularly vigilant approach to ensuring that the data set is not diluted by bad quality data. These principles have been embedded in legal frameworks on data protection both regionally and nationally by individual countries within their specific data protection regulations. The existing regional frameworks are:

  • The African Union Convention on Cyber Security and Personal Data Protection: Adopted in 2014, the Convention has so far been signed by 14 states and ratified by 5 countries out of 54 member states. The Convention gives extensive legislative guidelines and member state obligations in promoting cybersecurity governance and the protection of personal data. Chapters II and III give member state obligations and commitments towards the protection of personal data as well as the application of the data protection principles.
    Additional legislative frameworks have been applied through specific African blocks and have led to the implementation of Data protection laws.

The additional legislative frameworks include:

  1. Supplementary Act on Personal Data Protection:
    Adopted in 2010 by the Economic Community of West Africa States (ECOWAS), the Act specifies the prerequisites of data protection laws creating an obligation upon the member states to create a data protection authority. The Act is legally binding. Of the 15 ECOWAS member states only Sierra Leone and Liberia are yet to enact data protection laws.

  2. SADC Model Law on Data Protection:
    The SADC Model Law on Data Protection was developed by the Southern Africa Development Community (SADC) 2010 and was adopted in 2013.  Out of the 16 member states, 7 member states have data protection legislation, 6 have draft legislation whereas 2 still don’t have any legislation on data protection. The model law provides a template that has been used by member states in developing their own data protection laws.

  3. EAC Framework on Cyber Laws:
    The East African Community (EAC) is the regional intergovernmental organization of the Republics of Burundi, Kenya, Rwanda, Uganda, and the United Republic of Tanzania.  The EAC framework on cyber laws was first established through the assistance of UNCTAD through the development of a Task Force on cyber laws in 2007. The Taskforce Prepared and endorsed two cyberlaw frameworks :

  • Framework I covers electronic transactions, electronic signatures and authentication, cybercrime, consumer protection, data protection, and privacy.

  • Framework II focuses on intellectual property rights, competition, e-taxation, and information security.

Of the EAC states  Kenya and Uganda have enacted data protection legislations. Rwanda and Tanzania are in the process of enacting their draft legislations.

AI Specific Legal Frameworks

The existence of these frameworks and laws form a good foundation for the protection of personal data when collected, processed, and used for AI development. These laws offer a safety net to the data subjects against misuse and possible exploitation of their data. While personal data protection laws offer a great start in regulating the data used for AI technologies, these laws do not cover all aspects of AI. AI specific policies, laws, and regulations are important in creating a clear roadmap towards the use of AI in a manner that is transparent and supports innovation, but also in the protection of fundamental rights and freedoms of the people and protection against exploitation and misuse not only by developers during their data collection and mining process but also by end-users.

The AU through its ministers for communication, and information and communication technologies (CICT) have taken steps towards the development of AI specific legislations for the African region by adopting the 2019 Sharm El Sheikh Declaration that puts special focus on the African Digital Transformation Strategy (DTS). The Digital Transformation Strategy for Africa is based on:

  • Foundation pillars: Enabling Environment, Policy and Regulation, Digital Infrastructure, Digital Skills, and Human Capacity, Digital Innovation and Entrepreneurship;

  • Critical sectors: Digital Industry, Digital Trade, and Financial Services, Digital Government, Digital Education, Digital Health, Digital Agriculture) to drive the digital transformation;

  • Cross cutting themes: Digital Content & Applications, Digital ID, Emerging Technologies, Cybersecurity, Privacy and Personal Data Protection, Research and Development to support the digital ecosystem.

The DTS also includes policy recommendations and actions under each foundational pillar, critical sectors, and cross-cutting themes. The declaration requested member states among others to, establish a working group on AI to study:

  • The creation of a common African stance on Artificial Intelligence (AI)

  • The development of an Africa wide capacity building framework

  • Establishment of an AI think tank to assess and recommend projects to collaborate on in line with Agenda 2063 and the UN Sustainable Development Goals.

Further, African UNESCO member states joined in the consultations with UNESCO for the first draft of a Recommendation on the Ethics of AI, to be submitted to UNESCO Member States for adoption in November 2021. If adopted, the Recommendations will be the first global normative instrument to address the impact of the development and application of AI.

Conclusion

Overall, for Africa to reap the benefits of AI, it will be important to reflect upon the policy implementations and changes that need to be considered to foster innovation and non- stifling oversight; the impact anticipated from the use of AI technologies and the benefits that will be derived from the use of AI both short term and long term. The oversights that relate to the collection, processing storage and use of data for AI must be developed in such a way that is both relevant and applicable to the African context socially, politically and economically.  Policy makers must ensure that the regulations are structured in a manner that protects information from leakages, misuse and exploitation and protects the rights of its people.

References:

What is personal data?’.  (European Commission).  https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

Artificial Intelligence and Data Protection’.  (SEE LEGAL) https://seelegal.org/news/artificial-intelligence-data-protection/

African Union Convention on Cyber Security and Personal Data Protection. https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf

East African Community’. (UNCTAD).  https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-EastAfrican.aspx

2019 Sharm El Sheikh Declaration.  https://au.int/sites/default/files/decisions/37590-2019_sharm_el_sheikh_declaration_-_stc-cict-3_oct_2019_ver2410-10pm-1rev-2.pdf

African Digital Transformation Strategy (DTS).  https://au.int/sites/default/files/newsevents/workingdocuments/37470-wd-annex_2_draft_digital_transformation_strategy_for_africa.pdf

African Digital Transformation Strategy and African Union Communication and Advocacy Strategy among major AU initiatives in final declaration of STCCICT3’.  (African Union)  https://au.int/en/pressreleases/20191026/african-digital-transformation-strategy-and-african-union-communication-and

UNESCO launches worldwide online public consultation on the ethics of artificial intelligence’.  (UNESCO)  https://en.unesco.org/news/unesco-launches-worldwide-online-public-consultation-ethics-artificial-intelligence

Data Privacy and AI

Data Privacy and AI

Summary

The infographic provides a comprehensive overview of the intricate relationship between AI technologies and data privacy, outlining critical aspects of data collection and use in this AI-driven era. It begins by highlighting the pervasive use of AI in surveillance, shedding light on its implications for personal privacy. As AI technologies become increasingly integrated into surveillance systems, concerns arise regarding the extent of data collection and its potential misuse.

Amidst the AI revolution, preserving privacy becomes a paramount challenge, as the infographic elaborates on various risks and issues associated with AI-driven data processing. It delves into the pressing issue of bias and discrimination, emphasizing the need for fairness and accountability in AI algorithms to prevent reinforcing societal prejudices. Additionally, it addresses the concern of potential job displacements for workers as AI automates various tasks, reshaping the employment landscape.

Furthermore, the infographic highlights the issue of data abuse practices, underscoring the importance of robust data protection measures. Shifting the focus to Kenya's digital transformation and AI policy landscape, it explores how African nations are approaching the protection of privacy in the age of AI. Finally, the infographic offers insights into best practices and mitigation measures for privacy and data protection in AI, providing valuable guidance for policymakers and stakeholders navigating this complex terrain.


UNVEILING PRIVACY
IN THE AI ERA