Bonita Mulelengi, Senior Associate at KTA Advocates writes on Data Protection and Privacy for this edition of ALT’s Series: Regulating Tech
Since the Universal Declaration of human rights in 1948, there have been and continue to be many rights accorded to individuals and society by virtue of our dynamic humanity. The new era of disruptive technology has birthed a plethora of rights that are yet to be recognized as human rights because they occur faster than our legislative bodies can keep up. In some situations, they are tied to other existing rights with several qualifications whereas others may appear to be competing or in conflict with existing ones. Such is the situation with data privacy and database rights.
Mohammed Ali once said, ‘if your dreams don’t scare you, they aren’t big enough.’ Dare I say that we are living the creative dreams of the Fourth Industrial Revolution (4IR). This creativity relies heavily on the collection of data, much of which is personal data. This is data that is capable of helping identify persons including their names, age, location among others. Several countries in Africa have since passed legislation to govern the collection, control, storage, and processing of such data under data protection and data privacy laws.
Unbeknownst to many tech-enabled businesses, much of their core work entails the regulated collection, control, or processing of personal data including big names such as Uber and its subsidiaries, Busy Boda, Jumia, SafeBoda, etc. Under the new data protection laws, such businesses are required to collect personal data subject to the consent of the data subject – the person from whom the data is being collected. They must inform the data subject why they are collecting that data, what they will use that data for, how long they will keep it, where they will store it, whether they will share it with third parties and provide an avenue for change or correction of the data.
Similarly, ’database’ is a common term within the corridors of tech innovation but what does it really mean in those contexts? A definition that may be adopted from the UK is that a database is <em>a collection of independent works, data, or other materials that are arranged in a systematic or methodical way; and are individually accessible by electronic or other means</em>. Data collected electronically in a systematic way by the businesses listed above, for example, could very well be databases from which a ‘database right’ may accrue.
There is still ambiguity as to how database rights are protected, some laws for example qualify and protect them as copyright. To this end, it is essential that some substantial investment and work be undertaken for a database to be protected. The protection of a database under copyright is drawn from the possible originality in its creation or presentation or arrangement. In as much as a case has been made to recognize database rights as a whole, independent of copyright, most protection is under copyright law.
Protection under copyright would inevitably mean that an owner of a database has a right to sell it or assign it or give a license to another to use. However, as earlier mentioned, if a database contains personal data and its owner is resident in a country or territory to which data protection and data privacy laws apply, the right to assign or give a license to another person also designated a third party may be against the law. The right to the database would be in direct competition with the right to privacy.
Data privacy is relatively new and some data subjects may not be aware of their rights and the extent or the parameters under which their data can be used by a collector, controller or processor. Recent illustrations of this gap in awareness are the alleged data leak by True Caller in Nigeria, Experian in South Africa and the recent breach in Pegasus Technologies in Uganda – which is still under investigation. Such breaches can cause colossal economic and privacy damages, however, the rise of civil society organisations that diligently watch and promote the awareness of data privacy and hold data collectors/processors/controllers accountable is an important contribution to the tech environment. It is therefore not only imperative that data privacy laws be observed but that great measures for the protection of data privacy be undertaken.
The legal recognition of database rights and giving the individual or business the right to do with the database as they may please may very likely be capped; among other limitations; by the right to privacy which must be protected. Businesses that collect, process or control data which may include personal data should be careful to comply with the data privacy laws that govern them. Many of the challenges in breach of data privacy come down to the issue of consent at the time the data is collected which is rather blanket and sometimes clumsily presented by data collectors, controllers or processors. The same is also not often fully understood by the data subjects and so they quick to cry foul and stall businesses by injuncting and dragging them before tribunals or courts on allegations of breach.
Consent may be wide but should often be clear and transparent, the data subject must understand the extent of what they are consenting to. Consent is therefore critical for any data collector or controller or processor and therefore database owners too.
It is imperative to streamline the protection of database rights and the extent to which they apply to personal data regarding consent to strike the balance with data privacy. This is going to be particularly important in the coming months and years as the migration of businesses online due to the COVID-19 pandemic puts personal data at greater risk.
Bonita Mulelengi, Senior Associate at KTA Advocates writes on Data Protection and Privacy for this edition of ALT’s Series: Regulating Tech