AI & Data privacy In Africa

Remmy Wahanze

January 28, 2024

As we commemorate this International Data Privacy Day, we must pay keen attention to the challenges posed by emerging technologies such as Artificial intelligence. By definition, Artificial Intelligence (AI) refers to the capability of algorithms integrated into systems and tools to learn from data so that they can perform automated tasks without explicit programming of every step by a human being. Based on this definition, it is crystal clear that for AI systems to be developed and subsequently deployed, they rely on one key component: Data.

This data is predominantly collected and controlled through large datasets and constantly iterated to create efficient AI systems through a process called machine learning. In doing so, all kinds of data are used. From sensitive personal data to general user data, these are deployed to train an AI system. It then poses an obligation on the data controller to protect the subjects’ right to privacy without fail. This in itself is a conundrum to navigate as the data controller aims to build the best AI models, yet the subjects’ right to privacy is at stake.

Moreover, over the past five years, almost all the countries on the African continent have passed numerous legislations on the protection of the data of their citizens who, by being consumers of digital services such as social media apps, and e-commerce platforms to mention but a few, have their data collected and controlled by the service providers. The implications of these legislations have not only been to compel digital service providers to comply with the privacy rights set out therein but also to set heavy fines and penalties for any non-compliant market players. A case in point is the three Kenyan companies that were penalized to the tune of 60,000 USD toward the tail-end of 2023. Therefore, the net effect of non-compliance by data controllers is huge not only in an economic sense but also reputation-wise for these market players.

From an AI perspective, its applications are a part of everyday life, from social media, and news feeds to mediating traffic flow in cities to autonomous cars to connected consumer devices such as smart assistants, spam filters, voice recognition systems, search engines and augmenting agricultural processes. Despite its revolutionary potential on the continent, there is a real risk that the use of new tools by states or enterprises could infringe on individuals' human rights, especially the right to data privacy, now enshrined under various data protection regimes on the continent.

The following are some of the risks posed by AI in light of the right to privacy:

  • Re-identification and deanonymization— Simply put, AI applications can be used for surveillance, tracking individuals across different devices in their homes, at work and in public spaces. For example, the deployment of facial recognition technologies violates the right to privacy of data subjects as enshrined in the various data protection regulations on the African continent.
  • Discrimination, unfairness, inaccuracies and the manifestation of historical biases—AI-driven identification, profiling and automated decision-making can lead to discriminatory or biased outcomes. People who belong to historical minorities can be misclassified, misidentified or judged negatively, and such errors or biases may disproportionately affect certain demographics. This is a preeminent risk given the history of the African continent on the world stage.
  • Opacity and secrecy of profiling—Some applications of AI can be obscure to individuals, regulators or even the designers of the system themselves, making it difficult to challenge or scrutinize outcomes. While there are technical solutions to help improve some systems’ interpretability and/or ability to audit, a key challenge remains whenever this is not possible, and the outcome can significantly impact people’s lives.
  • Data exploitation—People are often unable to fully understand what kinds of—and how much—data their devices, networks and platforms generate, process or share. As consumers continue to introduce smart and connected devices into their homes, workplaces, public spaces and even bodies, the need to enforce limits on data exploitation has become increasingly pressing. This challenge is accentuated on the African continent given the low levels of digital literacy.
  • Prediction—AI can utilize sophisticated machine-learning algorithms to infer or predict sensitive information from non-sensitive forms of data. For instance, someone’s keyboard typing patterns can be analyzed to deduce their emotional state, which includes emotions such as nervousness, confidence, sadness or anxiety. Even more alarming, a person’s political views given the volatile political landscape on the continent, ethnic identity, sexual orientation and even overall health status can also be determined based on activity logs, and location data which pose a security risk to the data subjects.

The above risks notwithstanding, it is important for industry players to strike a delicate balance between privacy rights and the advancement of AI as a technology. Each stakeholder has a significant role to play in resolving this dilemma. From forward-thinking regulation by the government to compliance from AI technology developers, to vigilance by data subjects, these synergies could give Africa a significant uptick while preserving the rights of its people. We propose solutions and recommendations for both African governments and industry players below:

Solutions.

Firstly, the data protection principle of accountability underpins all AI deployments. This principle is central to all data privacy laws and regulations in Africa and places great responsibility on the data controller to ensure that all processing is compliant. Also, organizations building AI systems must implement the following approaches to ensure that privacy rights are upheld:

  • Privacy by design—The data controller should build privacy protection into systems and ensure that personal data is safeguarded in the system’s standard settings. This approach requires that data protection be given due consideration in all stages of system development, in routines and in daily use of the AI system. Standard settings should be as protective of privacy as possible and data protection features should be embedded at the design stage.
  • Data Protection Impact Assessment—Anyone processing personal data must assess the risk involved. If an enterprise believes that a planned process is likely to pose a high risk to natural persons’ rights and freedoms, it must conduct a Data Protection Impact Assessment (DPIA) as per the data protection laws and regulations in Africa. Moreover, there is a requirement to assess the impact on personal privacy by systematically considering all personal details in cases where these data are used in automated decision-making or when special categories of personal data (i.e., sensitive personal data) are used on a large scale. The systematic and large-scale monitoring of public areas also requires documentation showing that a DPIA has been conducted.

Recommendations.

  • Carry out a risk assessment and, if required, complete a DPIA before purchasing a system.
  • Ensure that the systems satisfy the requirements for privacy by design under African data protection regulations.
  • Conduct regular tests of the system to ensure that it complies with regulatory requirements.
  • Ensure that the system protects the rights of the users, customers and other stakeholders on the continent.
  • Consider establishing Afro-centric industry norms, ethical guidelines or a data protection panel consisting of external experts in the fields of technology, society and data protection. Such experts can provide advice on the legal, ethical, social and technological challenges–and opportunities–linked to the use of AI.

In conclusion, it is noteworthy that whereas AI holds the promise of revolutionizing the African continent, the rights of individuals using these systems must not be undermined at any one point in the deployment of AI systems.