By Alagi Yorro Jallow
The unmasking of the Cambridge Analytica scandal, with Christopher Wylie’s confession about how Cambridge Analytica harvested data from millions of Facebook profiles without the consent of the users and Mark Zuckerberg’s declaration of guilt, is alarming and troubling.
The citizens of the Gambia deserve a strong and comprehensive statutory framework to supplement the fundamental right to data privacy, as part of the undiluted assurance of the State to uphold the rule of law.
Facebook founder Mark Zuckerberg has grudgingly accepted that, maybe, his company’s activities should be regulated. To ensure the effective implementation of a data protection regime, the Gambia government must enact a law and create an independent regulatory body — a Commission under the Ministry of Communication, Information & Technology empowered to investigate complaints of any breach of the data protection framework.
It should be enabled to issue orders to those collecting data (like Facebook, PR and IT companies) on activities that may be in contravention of the law, as well as to take necessary steps to implement the law. All forms of interception and surveillance should only be permitted if authorized by the privacy commission and carried out strictly to the extent necessary for the express purpose.
Businesses that depend on data may fear that a regulatory body could end up as an overburdening behemoth and, therefore, be in favor of a law that prescribes general principles of privacy for self-regulation by companies. But we must not give in to their fears. We can define the scope of powers of the regulatory body to reduce the risk of misuse.
Since privacy is now recognized as a constitutional right, there is an urgent need to enact a comprehensive data protection law to implement it. The government and policymakers should be clear about certain essential principles of privacy law.
The law must be clear on what it seeks to protect, which in this context is the personal data of each Gambian citizen. Personal data is the type of data which, if linked to other information, can be used to identify the concerned individual. Within the sphere of personal data, the law must recognize and distinguish sensitive personal data, which encompasses information relating to a person’s sexual preferences, political and religious views, ethnicity, race, financial information, DNA, biometric data and so on.
The level of protection for sensitive personal data should be more stringent than in the case of other personal data.
Consent is the cornerstone of any comprehensive framework on data protection, and it must be obtained by the data-controller or processor before collecting, processing, using and disseminating personal data. The underlying principle for a consent-based mechanism is that personal data is owned by the subject — the person who generates the data. Once the consent to use personal data is withdrawn, the collector should destroy any record of the data collected.
There should be a general bar on disclosing data, except to the person to whom it pertains. The consent of the subject should be required to transfer any personal data. The subject should also have the right to access her own data always, so that she may check and update it as necessary.
Consent should be meaningful.
We must ensure that the subject can make an informed choice and still retain control over the data collected, unlike the prevailing scenario in which websites merely inform the user that they use cookies, or where they interpret the scrolling of a website or the clicking of a banner as consent.
At the same time, the law must be flexible enough to allow for exceptional circumstances in which data may be collected without prior consent, such as the prevention of commission of a cognizable offence or a reasonable threat to the security of the State. It is essential that the exceptions to the consent-driven regime are strictly and narrowly defined, without leaving any elbow-room for the crushing of dissent under the guise of ‘national security’.
The government should enact a Privacy Data law that must prescribe fines or even imprisonment for the handling or collection of data in contravention of standards prescribed under the data protection framework.