Data Extraction by Chinese Phone Applications in Africa - An Analysis of Risks and Regulatory Protection - Oxford China International Consultancy
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Data Extraction by Chinese Phone Applications in Africa An Analysis of Risks and Regulatory Protection Huw Roberts, Kirra Evans, Charlotte Lenz
1 Executive Summary Data extraction through mobile phone applications (apps) is increasingly commonplace globally. Extensive research has been undertaken into data extraction in Europe and North America, however, research into the African context has been limited. In this study, we consider how popular Chinese mobile phone apps within Africa are extracting user data, the regulatory protections that are in place and the potential risks to citizens. To do this, we map out the privacy regulations that have been introduced across African to understand the consumer protections that are in place. We then analyse data on app downloads and the mobile handset market in Africa to gauge the prevalence of pre-installed and manually downloaded Chinese mobile apps, and consider the potential risks associated with their use. In the nal section of this report, we consider these risks in light of the regulations in place and assess how well protected African users are from data extraction by Chinese mobile phone apps, categorising states into high-, medium- and low-risk. We conclude by emphasising that high-risk states should introduce targeted data protection measures, and that medium-risk states should work to improve enforcement mechanisms for existing regulations. 1
2 1 Introduction Data extraction—the targeting and exploiting of substantial market share that Chinese companies have personal data for commercial gains—is an increasingly in both the mobile handset and mobile apps markets. [1] common phenomenon globally. One way in which this To investigate this topic, the structure of this report takes place is by means of pre-installed and manually will be as follows: rstly, it will outline the general state installed mobile phone applications (apps). Many apps of privacy legislation in Africa, including recent that come pre-installed on mobile phone handsets developments that have taken place and the gaps that (so-called ‘bloatware’), have been shown to harvest and still remain. e second section will consider the leak personal information and can be extremely Chinese apps that have been widely downloaded within di cult or even impossible to delete.[2] For manually a sample of African states, with the third section installed apps, although users actively chose to analysing the market conditions for mobile handset download, they are o en unaware of what types of data sales that provide Chinese app developers with a back are being collected and processed, and by whom, with door into the continent through bloatware. e nal third party trackers particularly prevalent on free section of the report outlines the harms that can come apps.[3] about when sections one and two are read together; it A number of studies have considered how mobile apps will be stressed that Africa should not be considered a [4] are harvesting data in Europe and North America, the unitary actor but a space in which there are countries harms that this can cause,[5] and the legal protections with high, medium and low risks in regard to the [6] that are in place to protect citizens. However, potential harms from data extraction. ose high and minimal work has been done to understand the data medium-risk countries, that make up a signi cant extraction taking place in Africa, in light of the portion of the continent, hold substantial data privacy regulatory protections present. Given the widely held risks including the potential for unchecked data misuse characterisation of Africa as a low-regulatory and insecurity. From this analysis, it is concluded that environment with a relatively weak enforcement of both downloadable Chinese apps and pre-installed [7] privacy protections, this is an area which needs bloatware represent substantial data privacy risks on exploring. e aim of this report is to engage with the the continent. Given this, there is a need for a type of data extraction from mobile apps that is taking continued push for data protection legislation in place in Africa and the potential harms that this could high-risk countries and improved enforcement in cause, as well as the legal protections that are in place medium-risk states to ensure consumer protection to protect citizens. Speci cally, this report will focus on the harvesting of data from Chinese apps on the continent. Chinese apps were chosen because of the 2
3 2 Data Privacy in Africa To begin with, it is important to note that academic continent, legislation may have been added depending literature on data privacy in the African context is still on the date at which this report is accessed. On top of lacking, which reduces the potential for ade uately this, a number of countries have also dra ed theorising about privacy concerns on the continent. legislation, even if they have no legislation currently in Nonetheless, data privacy regulation is rapidly growing, action, as can be seen with Rwanda.[4] with new legislation coming into existence consistently: Transnational cooperation mechanisms also signal the majority of these data privacy laws have been e orts to multilaterally adopt data protection measures introduced in recent years. However, considering that on the continent. On the regional level, the Economic cultural contexts lter into legislation, it is important Community of West African States (ECOWAS) to note how countries all over the world will respond adopted a regional Data Protection Act in 2010, to calls for data privacy in di erent ways. As Malkulilo obliging member states to develop national data argues, while “elements of individualisms” are now protection legislation for collecting, processing, storing commonplace on the African continent, the level of and using data. is also included the establishment of individualism remains di erent than in, for instance, an independent agency responsible for data privacy European countries.[1] In other words, data privacy in compliance, codes of conduct, but allows an Africa must be understood through relevant African undetermined time to implement the Data Protection contexts. Act.[5] However, research su ests that without an In regard to the legal protections a orded, all countries enforcement mechanism ensuring member states on the African continent possess privacy clauses within compliance, harmonisation of data privacy laws is their constitutions. Furthermore, several countries have unlikely.[6] introduced speci c personal data privacy laws in recent Another transnational e ort to ensure privacy years: since 2016, data privacy legislation has passed in protections is the African Union (AU) Convention on 13 African states, and legislation was dra ed in an Cybersecurity and Data Protection, passed in 2014, additional 3 countries (see Appendix a), which aligns which seeks to create a common legislative framework with other research on evolving attitudes towards data for data protection among member states.[7] [2] privacy on the continent. In total, there are now at Furthermore, 10 of the 14 French-speaking African least 27 of the 54 African countries that have data countries with national data privacy laws are part of a protection regulations.[3] is paper emphasizes ‘at least’ global alliance in the domain of data privacy, the as it is important to note that these statistics represent Association Francophone des Autorités de Protection information gathered in the last uarter of 2019. Since des Données Personnelles (AFAPDP).[8] Finally, 2019 legislation is continuously being updated on the 3
4 saw the launching of the rst Africa Data Protection speci cally states that privacy will not be violated and Privacy Conference, which brought together the without ‘reasonable cause’. Ghana also has a particularly African Data Protection Network, Ghanaian state interesting caveat that says that privacy will not be representatives and other stakeholders from thinks violated unless it violates the ‘economic well-being of a tanks, NGOs and other organisations involved in data country.’ Both ‘reasonable cause’ and ‘economic protection and cybersecurity.[9] well-being’ are extremely relative terms that are dependent on the interpretation by the state and 2.1. Limitations of these measures judicial system. If governments are particularly corrupt Despite these positive developments, there are still a or have skewed priorities, judicial interpretation of number of drawbacks to the measures that have been these caveats could end up violating privacy introduced. Foremost, although privacy is a [10] signi cantly. As a result, constitutional rights have constitutional right across the continent, this does not practically provided few protections for individuals’ mean that data privacy is ade uately protected by data privacy on the continent,[11] something which is constitutional clauses alone. Some of these privacy highly problematic given that half of the continent has clauses protect a citizen’s right to privacy regarding not introduced speci c privacy legislation (see their domicile but does not specify a right to privacy Appenidx a). with regards to correspondence. is means that Further, even when a state has introduced privacy governments and companies are not allowed to violate legislation, this is not necessarily a guarantee that someone’s place of residence or home, but does not individuals’ rights will be ade uately protected. Some mean that an individuals’ right to privacy with regards states lack the regulatory authority to enforce the to data are guaranteed, since data can be collected legislation, with no dedicated data protection authority anywhere. (DPA) being established or having outlined the For those which do account for a more holistic notion establishment of an authority that is yet to start of privacy, constitutional protections are typically operating (e.g. E uatorial Guinea). In other cases, even dra ed in general terms and provide little speci c when authorities have been set up, enforcement guidance as to how issues such as data protection remains an issue, with some states’ DPAs being should be managed. In some cases, ambiguous caveats relatively inactive (e.g. Senegal and Tunisia).[12] can be present, which are le open to judicial interpretation. For example, Eritrea’s constitution has a privacy clause in the form of Article 18. e clause 4
5 3 Chinese Apps in Africa Against this legislative backdrop, Chinese apps are amounts of personal information and data security widespread on the continent, collecting, processing and issues.[4] In India, intelligence services have gone as far transferring personal information. When considering as labelling a range of top-downloaded apps on the list the collection of data by Chinese apps in Africa, it is below, such as Shareit, BeautyPlus and uVideo, as necessary to explore two areas: spyware or malware and su ested that all military o cials do not download the apps.[5] More recently, the i) e data collected by apps that are installed Indian government banned 59 Chinese apps, including by African users. many on this list, on account of user information being ii) e data collected by bloatware apps that transferred abroad without authorisation.[6] ese are pre-installed on phones. actions need to be read in line with geopolitical In terms of the prior, no data has been compiled that tensions between India and China; nonetheless, the considers the most downloaded Chinese apps on the potential harms to privacy that these apps can cause continent. Nonetheless, using a sample of top should not be downplayed. Two speci c examples of downloads on the Google Play Store from four African Chinese apps in the top downloads above, TikTok and countries, Nigeria, Tanzania, Egypt and South Africa, UC Browser, will be outlined below to show some of shows that a number of Chinese apps are widely the potential privacy infringing practices that these [1] popular (Appendix b). ese countries are not meant apps can lead to. to be representative of the continent as a whole but 3.1. TikTok rather provide a snapshot from countries that are geographically spread and have di ering relationships TikTok is a Chinese video-sharing social networking with China. Within this sample, Chinese apps make up service, which has achieved global success, with over for around 10-15% of popular downloads during May 700 million downloads in 2019.[7] In TikTok’s terms and 2020.[2] To put this in perspective, using the same conditions, the organization claims to collect the method, US phone apps made up between 25-30% of the following data: usage information, device information, market, whilst no other single country made up a location data, messages, metadata, cookies.[8] It also substantial percentage.[3] e apps themselves vary in stipulates that TikTok that they scan and analyse content but centre around video editing, social media information composed in messages,[9] including the and mobile phone games. content and who the correspondence takes place between. As can be seen with many other apps A number of the apps present on this list have received throughout the world, TikTok also uses cookies which condemnation in di erent regions for their data are o en used to provide users’ subscription infringing practices, including re uesting unnecessary 5
6 information to business partners and service America have also a ed concerns with the company. providers.[10] Whilst on the surface, there is nothing In May 2020, the Dutch Data Protection Authority unusual about the type of data that TikTok’s terms and (DPA) launched an investigation into TikTok to conditions, with Western technology companies determine whether the data collection practices are in including similar clauses, the app has received breach of the General Data Protection Regulation widespread scrutiny for its data collection, transfer and (GDPR).[15] e Dutch DPA underscore that, as de ned processing practices. by the GDPR, children are a vulnerable group. Because of this, they are seeking to determine whether the Globally, lawsuits have emerged against TikTok privacy policies of the app are easy to understand and if because of data protection issues. For instance, a parental consent is re uired for the collection, use and class-action lawsuit was led in California in December storage of children’s personal data, as is re uired under 2019 against Tiktok’s parent company, ByteDance. e the GDPR for children under 16. Furthermore, recent claimant argued that the company’s privacy policies reports have shown TikTok as engaging in data were ambiguous and that it took user content, such as infringing practices. For instance, it was recently dra videos, and transferred them to China without highlighted that the company snooped on clipboard users’ consent.[11] Certain lawmakers in the US have data from Apple devices, which meant that the app was gone even further, with Senator Josh Hawley likely collecting sensitive information, such as personal introducing a bill into the US Senate to prohibit the messages or passwords, without users’ knowledge or downloading of TikTok onto federal government consent.[16] Conse uently, even with geopolitical devices, citing an existing ban within the US army for considerations accounted for, TikTok raises a variety of the app to be downloaded.[12] Most recently, US privacy concerns. President Trump declared that TikTok represented a national emergency and signed an executive order that 3.2. UC Browser would lead the app to be banned in September 2020,[13] Of the apps listed, UC Browser, a mobile web browser though this did not materialise in practice. app, is another that has faced public scrutiny because Importantly, the concern of the US government is not of a number of security aws over the past ve years. necessarily that the data collection practices are more Although this app is still relatively small in the African pervasive than other apps, rather it is the perceived browser market, accounting for 2% of the overall leverage that the Chinese government has over market,[17] this would still account for as many as 5.25 corporations domiciled within its territory, meaning million users.[18] In 2015, an analysis by the Citizen Lab that when data are collected, it is ambiguous as to who in Toronto discovered a series of major security aws will be able to access the data and to what ends.[14] and privacy concerns in the Android version of UC It should be stressed that US actions are likely Browser. ey found that the app leaked signi cant in uenced by the geopolitical competition that is amounts of personal and personally-identi able data, emerging with China, however, countries outside of meaning network operators or in-path actors on the 6
7 network could obtain users’ personally identi able Politically, there is a lack of transparency over the information, such as geolocation data and search data, relationship between the Chinese government and through observing unencrypted data or using simple Chinese companies. is problem was at the centre of decryption.[19] Based on similar data security concerns, the 2019 Huawei-African Union controversy: as UC Browser was probed by the Indian government in allegations of data being shipped from the African 2017 to determine whether these security aws were Union’s new head uarters to a data centre in Shanghai [20] present in the transfer of data from India to China. spread, Huawei became under increased scrutiny about Research in 2019 by a Russian cyber security rm leaking data to the Chinese government, as it had showed that UC Browser was still susceptible to similar provided the digital infrastructure for the building.[24] man in the middle attacks outlined by the Citizen Lab Huawei claimed no wrongdoing for this incident and in 2015, though now this was on account of sending other Chinese technology companies have been uick updates over an unsecured http connection.[21] to claim that they would not provide the government with user data. Nonetheless, some commentators have 3.3. Contextualising privacy concerns highlighted that national security laws within China is is not to say that all Chinese apps are harmful to mean that these companies would have little choice if privacy, nor is this to say that the privacy harms caused such data were re uested,[25] leaving users of Chinese by Chinese apps are necessarily uni ue, with American apps facing the potential for government access of their companies also collecting, transferring and processing personal data. [22] extensive amounts of personal information. Nonetheless, the security aws in a number of the top-downloaded Chinese apps and their data extraction practices, including but not limited to the two case studies above, are noteworthy. Alongside this, the relationship between the Chinese government and the technology companies that produce the apps and are domiciled within the China, raises important uestions over government access to personal data.[23] 7
8 4 Chinese Mobile Handsets in Africa Alongside data collection by downloaded apps, it is companies in Africa, but also expected to remain important to stress the role of data extraction by crucial actors in Africa’s phone market. pre-installed ‘bloatware’ apps on Chinese handsets. 4.1. Data collection by Transsion and China has been increasingly dominating the African pre-installed apps technology sector, including the mobile phone industry. ree key Chinese phone companies are is market position for Chinese phones and in present in the market: Huawei, Transsion and ZTE. Of particular, Transsion’s Tecno, is important to emphasise particular note is Transsion, which owns the brands because of the data extraction that it facilitates. e Tecno, Itel and In nix, that together make up 60% of type of data being collected by a company can be the feature phone market and 30% of the smartphone wide-ranging, especially if hardware and so ware are market in Africa.[1] Sub-Saharan is expected to remain linked to the same company, as is the case with Tecno the fastest growing region in Africa, with 5 countries phones. is can include location tracking (even when (Nigeria, Ethiopia, DRC, Tanzania, Kenya) expected to users are not actively using the function),[6] names, user provide nearly 170 million new subscribers by 2025:[2] habits, ngerprints, photos, credit card details, email with the exception of the DRC, Transsion dominates addresses, amongst others. While this is not speci c to the phone market in the 4 other countries through its Transsion/Tecno (Android phones and Google share a subsidiary Tecno. is market success is not chance; similar relationship), it is still pertinent to realise the Chinese mobile companies have been e ective at scope of data which can be potentially collected. accommodating the speci c needs of African Typically, this data collection is used for functionality consumers. For instance, Transsion subsidiaries have but is also used to track users behaviours to identify produced phones that re ect consumer price point,[3] patterns and create a pro le of a user, so as to target have provided keyboards with the local languages of them with advertisements closer to their pro le. As the Amharic, Swahili and Hausa,[4] and also adapted phone privacy policies of Tecno mobile,[7] Huawei,[8] but also cameras to be particularly complimentary towards Samsung[9] or Apple[10] explain, data can be collected to darker skin tones.[5] Chinese companies, and Transsion provide more targeted advertisements. is is in particular, are thus not only the leading phone particularly visible in Tecno phones, for which advertisements are included into two of their developed so ware (TECNO’s HiOS and In nix’ XOS).[11] ese advertisements function by promoting 8
9 ‘instant apps’, games that users can play without data and technical data.[18] As mentioned, the leverage download re uirements, mixed in with promoted that the Chinese government has over domestically third-party apps that it su ests users install. domiciled countries raises uestions surrounding data misuse in light of the Huawei-African Union scandal. On top of this, dominating the mobile phone market at being, there is scant evidence of the Chinese means that African consumers are subjected to the government using its position to access data collected same pre-installed apps (‘bloatware’) on by apps. Transsion-subsidiary phones. Bloatware has two key e ects on the African mobile app market: it promotes More importantly, even if an individual chooses not to certain pre-installed apps which facilitates market use bloatware apps, privacy infringements can still take share and more problematically, the apps o en collect place through tacit data collection without consent. It data without consent and are extremely di cult to is infamously di cult to uninstall bloatware from uninstall. handsets and for certain apps, impossible. is is problematic, as even when these apps are dormant in In regard to the rst, a range of Chinese apps are the background, many are still actively collecting and pre-installed upon purchase of Transsion-subsidiary transferring personal information. As was shown in a phones, such as China Literature, an app that provides Privacy International report, pre-installed apps on and sells literatures,[12] and Vskit, a popular video cheap handsets can collect a range of personal editing app.[13] One of the success stories of Transsion information, including name and date of birth, and bloatware is Boomplay, a streaming service that claims transfer this data unencrypted.[19] Whilst it was beyond to be one of the fastest growing apps on the African the scope of this paper to test the Tecno bloatware continent.[14] A er signing a licensing deal with Sony apps, including those mentioned above, a number of Music Entertainment, Boomplay was able to surpass 60 studies have shown how pre-installed Tecno apps come million users across the continent,[15] including Kenya, with security vulnerabilities[20] and collect substantial Senegal, and Zambia, amongst others.[16] Whilst amounts of personal information.[21] Moreover, recent causality cannot be solely attributed to its pre-installed reports have su ested that some pre-installed malware nature, it is extremely likely that this was a major on Tecno handsets which fraudulently funnelled money bene t in the app accruing market share.[17] In turn, this from users’ airtime and data recharges, something that has provided Boomplay with a wealth of consumer data Transsion now claim is resolved.[22] on the continent, which according to its terms and conditions, includes identity data, contact data, online presence data, nancial data, transaction data, content data, marketing and communications data, behavioural 9
10 5 Threats to Data Privacy To understand the threats to data privacy that Chinese countries have relatively stable governments but have apps pose in Africa, it is necessary to contextualise simply been slow to establish a personal data these threats in light of African data protection protection law. Still, examples such as these should be frameworks. However, as was stressed in section 1, taken seriously especially since there are 27 countries Africa is not a unitary actor nor is there a (approximately hal ) on the continent that fall into this continent-wide data protection framework comparable category. is category includes countries such as to the GDPR in place. Accordingly, the risk to Burundi, Central African Republic and the Democratic individuals from Chinese apps needs to be considered Republic of Congo. in light of the national data protection frameworks. An absence of a data privacy framework enables apps Rather than assessing each country individually, the to collect, use and transfer personal information remainder of this section will categorise countries into without prior consent being obtained by the high-, medium- or low-risk, based on the types of individual. is allows companies to sell personal data protections a orded (see Appendix a for full list).[1] and use it in multiple ways without the user being A rst category of countries can be perceived as informed. For apps, this could entail various data types, high-risk. ese are states that possess no speci c data including location data, contacts, microphone data and protection legislation while also lacking a signi cant many more, all of which can be used and sold to build regulatory authority. For some of these countries, there consumer pro les. One telling example of the type of is a lack of data as to whether said states possess any of harm this can cause is in the political sphere, where these re uirements. Some high-risk countries are data collection through the Facebook and Cambridge plagued by varying levels of instability as a result of Analytica scandal, could have in uenced the results of inade uate governments, which can account for weak elections in Nigeria (in 2007 and 2015) and Kenya (in protections. One such example is Somalia, which has 2013 and 2017).[4] e absence of any regulatory lacked a central government since President Siad Barre framework for data collection was, in both cases, was ousted in 1991.[2] Despite Somalia’s instability, the identi ed as the main reason why Cambridge country still possesses fast internet speeds, a strong Analytica was able to access to government-held data. presence of mobile money and a thriving Another is that data security is not guaranteed. at is, [3] telecommunications sector. In other words, it cannot alongside those personal data that are sold, there are no simply be dismissed as a ‘failed state’ that possesses no re uirements to inform users of data breaches or to risk for data extraction. However, instability is not an punish companies for poor security. is can facilitate a overarching characteristic of all these countries. Some number of types of data misuse, ranging from spam to fraud. 10
11 A second category of countries can be considered as against the aviation industry on account of breaching medium risk. ese states have enacted some form of the Ghanaian Data Protection Act.[7] Other examples of data protection, however, have relatively weak low risk countries include Morocco and Mauritius. enforcement mechanisms. is could include the absence of a speci c DPA (which may also be in the process of being established) or the presence of a DPA 6 Conclusion without having data protection laws that specify what data in particular is being protected.[5] is category Complaints have been made about opa ue data also includes countries that may possess dra collection by Chinese apps globally and a number of legislation or are in the process of establishing a DPA. Western phone brands come with pre-installed Such countries include E uatorial Guinea and Egypt. bloatware, raising the uestion of what is uni ue about Finally, this category includes states that have data Chinese apps within Africa. We argue that it is a protection legislation and a DPA in place but have a combination of the generally weak data privacy poor history of DPA activity or enforcement of protections, the dominance in the mobile handset legislation. ese countries include Angola, Cape market by Chinese companies and the opa ue Verde, Madagascar, Mali and South Africa.[6] ese government-corporate relations in China that makes environments su er from many of the same risks above the situation in Africa particularly worrisome. but due to the practices being illicit, there is greater Although data privacy protections on the continent are onus on companies not to breach laws. Nonetheless, the continually improving, work still needs to be done. absence of an active or e ective regulatory enforcer African states should continue their push for data raises uestions over the extent to which individuals’ protection, with urgency, to ensure that individuals data will be protected in light of an infringement. is across the continent are protected. at being said, is a particularly important aspect to consider as it Africa is not a unitary actor and the levels of emphasises that it is not enough for countries to protection di er across the continent. It is particularly establish data privacy legislation or DPAs; enforcement important for those countries that we categorised as remains just as important in order to create an high-risk, on account of an absence of speci c privacy environment with ade uate privacy protections. protections, to develop ade uate privacy legislation and e third category are countries that can be considered medium-risk states to continue developing their low risk. In these countries, there is a constitutional enforcement capacities. privacy protection, speci c legislation with regards to data protection and a functioning data protection authority, who have o en been willing to act against breaches of data privacy. Ghana is a good example of this: their data protection authority (the Data Protection Commission) has recently taken action 11
12 Footnotes 1 [1] Kane,Y.I. & Thurm,S. 2010. ‘Your Apps Are Watching You’. The Wall Street Journal. At: https://www.wsj.com/articles/SB10001424052748704368004576027751867039730 [2] Privacy International, 2019. ‘Buying A Smartphone on The Cheap? Privacy might be the Price you have to Pay’. At: https://privacyinternational.org/long-read/3226/buying-smart-phone-cheap-privacy-might-be-price-you-have-pay [3] Privacy International. 2018. ‘How Apps on Android Share Data With Facebook (Even if you don’t have a Facebook Account)’ At: https://privacyinternational.org/sites/default/files/2018-12/How%20Apps%20on%20Android%20Share%20Data%20with%20Facebook%20-%20Privac y%20International%202018.pdf [4] Binns,R. et al, 2018. ‘Third Party Tracking in the Mobile Ecosystem’, ArXiv. At: https://arxiv.org/pdf/1804.03603.pdf [5] Michael,T. 2019. ‘Data Privacy and Security: Why Mobile Apps are the New Weak Link’, Info-security magazine, At: https://www.infosecurity-magazine.com/next-gen-infosec/privacy-mobile-apps-weak-link-1-1/ [6] Fritsch,L. et al. 2019. ‘Did App Privacy Improve After the GDPR?’ , IEEE Security and Privacy, At: https://ieeexplore.ieee.org/abstract/document/8845749 [7] Quazi, R, M. 2014. ‘Effects of corruption and regulatory environment on foreign direct investment: A case study of africa.’ Global Journal of Business Research, Vol 8, Issue 4.Pg 51-60 At: https://econpapers.repec.org/article/ibfgjbres/v_3a8_3ay_3a2014_3ai_3a4_3ap_3a51-60.htm 2 [1] Makulilo, A. (2016) “A Person Is a Person through Other Persons”—A Critical Analysis of Privacy and Culture in Africa. Beijing Law Review, 7, 194. [2] Ibid, 192-204. [3] See Appendix a [4] Sabiiti,D. 2019. ‘Rwanda Working On A Personal Data Protection Law’ ,KT Press, At: https://www.ktpress.rw/2019/07/rwanda-working-on-a-personal-data-protection-law/#:~:text=Rwanda%20is%20currently%20drafting%20law,that%2 0use%20data%20for%20business. [5] Economic Community Of West African States ( ECOWAS) , At: http://www.tit.comm.ecowas.int/wp-content/uploads/2015/11/SIGNED-Data-Protection-Act.pdf?hdjeknglfkngdbaa [6] Orji, U.J. (2017). Regionalizing data protection law: a discourse on the status and implementation of the ECOWAS Data Protection Act. International Data Privacy Law, 7(3), p. 179. [7] African Union Convention on Cyber Security and Personal Data Protection, 2014. https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf [8] Members of the AFAPDP, At: https://www.afapdp.org/lafapdp/membres [9] https://ardppc.com/eng/ 12
13 [10] Fombad, C. M. 2007. "Challenges to constitutionalism and constitutional rights in Africa and the enabling role of political parties: Lessons and perspectives from Southern Africa." The American Journal of Comparative Law 55, no. 1: 1-45. [11] Makulilo, A. B., 2016. African data privacy laws. Springer International Publishing. [12] Deloitte, ‘Privacy is Paramount: Personal Data Protection in Africa.’ N.d., At: https://www2.deloitte.com/content/dam/Deloitte/za/Documents/risk/za_Privacy_is_Paramount-Personal_Data_Protection_in_Africa.pdf 3 [1] These are the Chinese apps appearing in the Google play store in the four case study countries as of May 11th, 2020. [2] To ensure that this was not an anomaly, this figure was cross-referenced with app ranking over the past 12 months which showed consistent findings. [3] It is important to highlight that country headquarters data were missing for a number of apps, suggesting that the percentage of US and Chinese was likely higher in practice. [4] Khan,D. & Sangani,P. 2019. ‘Chinese apps seek excessive information from Users : Survey’, Economic Times, At: https://economictimes.indiatimes.com/tech/internet/chinese-apps-seeking-way-more-information-than-needed-survey/articleshow/67633562.cms?fr om=mdr [5] FE Online, 2020. ‘Government reportedly lists 42 Chinese apps as dangerous including Truecaller, UC browser, Mi Store : Check if your phone has any of them, Financial Express, At: https://www.financialexpress.com/industry/technology/government-reportedly-lists-42-chinese-apps-as-dangerous-including-truecaller-uc-browser-m i-store-check-if-your-phone-has-any-of-them/954335/ [6] ET Bureau, 2020. ‘India Bans 59 Chinese Apps including TikTok, WeChat, Helo’ The Economic Times, At: https://economictimes.indiatimes.com/tech/software/india-bans-59-chinese-apps-including-tiktok-helo-wechat/articleshow/76694814.cms [7] Iqbal,M. 2020. ‘TikTok Revenue and Usage Statistics’, Business of Apps, At: https://www.businessofapps.com/data/tik-tok-statistics/ [8] TikTok Privacy Policy, At: https://www.tiktok.com/legal/privacy-policy?lang=en [9] Ibid [10] Ibid [11] Paul, K. 2019 TikTok accused in California lawsuit of sending user data to China, Reuters, At: https://www.reuters.com/article/us-usa-tiktok-lawsuit/tiktok-accused-in-california-lawsuit-of-sending-user-data-to-china-idUSKBN1Y708Q [12] Sherman, J. 2020, Unpacking TikTok, Mobile Apps and National Security Risks , Lawfare https://www.lawfareblog.com/unpacking-tiktok-mobile-apps-and-national-security-risks [13] Robertson, A. 2020. The big legal questions behind Trump’s TikTok and WeChat bans. The Verge. At: https://www.theverge.com/2020/8/10/21358505/trump-tiktok-wechat-tencent-bytedance-china-ban-executive-order-legal-sanctions-rules [14] Kharpal, A. 2019. Huawei says it would never hand data to China’s government. Experts say it wouldn’t have a choice. CNBC. https://www.cnbc.com/2019/03/05/huawei-would-have-to-give-data-to-china-government-if-asked-experts.html [15] Autoriteit Persoonsgegevens, 2020. ‘Dutch Data Protection Authority to Investigate TikTok’ , At: https://autoriteitpersoonsgegevens.nl/en/news/dutch-data-protection-authority-investigate-tiktok [16] Goodin,D. 2020. ‘TikTok and 32 Other IOS Apps still snoop your sensitive clipboard data’, ARS Technica, At: https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-ios-apps-still-snoop-your-sensitive-clipboard-data/ [17] StatsCounter GlobalStats -https://gs.statcounter.com/browser-market-share/mobile/africa 13
14 [18] Campbell,J. 2019. ‘Last Month, Over Half-a-Billion Africans Accessed the Internet’ , Council on Foreign Relations, At: https://www.cfr.org/blog/last-month-over-half-billion-africans-accessed-internet [19] Dalek,J. et al, 2015. ‘A Chatty Squirrel : Privacy and Security Issues with UC Browser’ , The Citizen Lab, At: https://citizenlab.ca/2015/05/a-chatty-squirrel-privacy-and-security-issues-with-uc-browser/ [20] Tech2 News Staff, 2017. ‘ UC Browser Is Being Probed By The Indian Government for Sending User Data to China : Report’, Firstpost, At: https://www.firstpost.com/tech/news-analysis/uc-browser-probed-by-government-for-sending-user-data-to-china-report-3962511.html [21] Tung,L. 2019. ‘ Millions of Android users beware : Alibaba’s UC Browser can be used to deliver malware’ , ZDNet, At: https://www.zdnet.com/article/millions-of-android-users-beware-alibabas-uc-browser-can-be-used-to-deliver-malware/ [22] Binns,R. et al, 2018. ‘Third Party Tracking in the Mobile Ecosystem’, ArXiv. At: https://arxiv.org/pdf/1804.03603.pdf [23] It should be stressed that not all apps will store all users’ data in mainland China servers. However, the lack of cloud infrastructure in Africa suggests that the continent is particularly vulnerable to such storage. [24] Sherman,J. 2019. ‘ What’s The Deal With Huawei and This African Union Headquarters Hack?’ , New America, At: https://www.newamerica.org/cybersecurity-initiative/c2b/c2b-log/whats-the-deal-with-huawei-and-this-african-union-headquarters-hack/ [25] Kharpal, A. 2019. ‘Huawei says it would never hand data to China’s government. Experts say it wouldn’t have a choice.’ , CNBC, At: https://www.cnbc.com/2019/03/05/huawei-would-have-to-give-data-to-china-government-if-asked-experts.html 4 [1] Umeh,E. 2019. ‘In Africa, Chinese competitors will hurt Facebook’s Libra’, The Africa Report, At: https://www.theafricareport.com/17555/in-africa-chinese-competitors-will-hurt-facebooks-libra/ [2] GSM Association, The Mobile Economy of Sub-Saharan Africa 2019, p. 4 https://www.gsmaintelligence.com/research/?file=36b5ca079193fa82332d09063d3595b5&download#page=4 [3] Marsh,J. 2018. ‘ The Chinese Phone Giant That Beat Apple to Africa’, CNN Business, At: https://edition.cnn.com/2018/10/10/tech/tecno-phones-africa/index.html [4] Ibid [5] Tosin, 2017. ‘Africans have problem with selfie because of black skin -Tecno producer’ , The Herald News, At: https://www.herald.ng/africans-problem-selfie-black-skin-tecno-producer/ [6] Lindsey, N. 2018. ‘Google Data Collection Is More Extensive and Intrusive Than You Ever Imagined’, CPO Magazine, At: https://www.cpomagazine.com/data-privacy/google-data-collection-is-more-extensive-and-intrusive-than-you-ever-imagined/ [7] Tecno Mobile Privacy Policy, At: https://www.tecno-mobile.com/privacy-policy/#/ [8] Huawei Privacy Policy, At: https://consumer.huawei.com/uk/privacy/privacy-policy/ [9] Samsung Privacy Policy, At: https://www.samsung.com/us/account/privacy-policy/ [10] Apple Privacy Policy, At: https://www.apple.com/legal/privacy/en-ww/ [11] Maina, S. ‘Transsion Holdings - a Teardown of the company that controls Africa’s mobile phone industry’. 4..04.2019. https://gadgets-africa.com/2019/04/04/transsion-holdings-teardown/ [12] Olukotun, ‘Transsion Mobile phones will now have China Literature’s app installed on all its mobile phones sold in Africa’, Innovation village, 13.06.2019. https://innovation-village.com/transsions-mobile-phones-will-now-china-literatures-app-installed-on-all-its-mobile-phones-sold-in-africa/ [13] Ran,B. & Jing,Y. 2019. ‘Chinese video apps making inroads into global markets’ , CGTN, At: https://news.cgtn.com/news/2019-11-09/Chinese-video-apps-making-inroads-into-global-markets-Ltq898Kg0g/index.html 14
15 [14] Umeh, E. 2019. ‘In Africa, Chinese competitors will hurt Facebook’s Libra’, The Africa Report, At: https://www.theafricareport.com/17555/in-africa-chinese-competitors-will-hurt-facebooks-libra/ [15] Cohen,C. 2019. ‘Africa’s Boomplay Reaches 62 Million Users Major Labels + Merlin Now on Board’, Digital Music News, At: https://www.digitalmusicnews.com/2019/12/10/boomplay-reaches-62-million-users-merlin-on-board/ [16] Digital News Africa, 2019. ‘ Boomplay and Sony partner on Africa content’ , BizCommunity, At: https://www.bizcommunity.africa/Article/410/16/198093.html [17] Olukotun,O. 2019. ‘Transsion’s Mobile Phones Will Now Have China Literature’s App Installed On All Its Mobile Phones Sold in Africa’, Innovation Village, At: https://innovation-village.com/transsions-mobile-phones-will-now-china-literatures-app-installed-on-all-its-mobile-phones-sold-in-africa/ [18] Boomplay Terms & Conditions, At: https://www.boomplaymusic.com/webitem/conditions [19] Privacy International, 2019. ‘Buying A Smartphone on the Cheap? Privacy Might be the Price you have to Pay’. At: https://privacyinternational.org/long-read/3226/buying-smart-phone-cheap-privacy-might-be-price-you-have-pay [20] Kryptowire, 2019, ‘Android Firmware Vulnerabilities’, At: https://www.kryptowire.com/android-firmware-2019/ [21] Gamba, J. et al. 2019. An Analysis of Pre-installed Android Software. ArXiv. https://arxiv.org/abs/1905.02713 [22] Kazeem, Y. 2020. A probe has found click fraud malware on Chinese-made phones from Africa’s leading seller. Quartz, At: https://qz.com/africa/1896868/chinas-transsion-denies-africa-mobile-malware-fraud-profits-up/ 5 [1] Said categories are based on data privacy legislation that has been officially implemented and the documented work of enforcement bodies. This means that draft legislation and that which focuses on data privacy incidentally (e.g. cybersecurity legislation) were not considered in the categorisation. Accordingly, they should be read as guiding rather than definitive. [2] Stremlau, N. 2019. ‘Governance Without Government in the Somali Territories’, Journal of International Affairs, At: https://jia.sipa.columbia.edu/governance-without-government-somali-territories [3] Ibid [4] Kwamboka,L. 2018. ‘After the Facebook-Cambridge Analytica Scandal , can we talk about data privacy in Africa now?’ , Quartz Africa, At: https://qz.com/africa/1245876/facebook-cambridge-analytica-scandal-heralds-better-data-privacy-in-nigeria-kenya-other-african-countries/ [5] Note, in some of these cases related laws, such as those in regard to cybersecurity, provide some guidance. [6] Deloitte, ‘Privacy is Paramount: Personal Data Protection in Africa.’ n.d., At: https://www2.deloitte.com/content/dam/Deloitte/za/Documents/risk/za_Privacy_is_Paramount-Personal_Data_Protection_in_Africa.pdf [7] Ibid 15
16 Appendices Appendix A Personal Data Protection Law Data Protection Authority (DPA) Comments Risk (as of May 2020) Level Algeria Loi n° 18-07 du 10 Juin 2018 Autorité Nationale de protection des données à caractère personnel Angola Law no.22/11,17 June 2011 Agência de Proteção de Dados (APD) Poor enforcement Benin Loi n° 2017-20 (The Digital Autorité de Protection des Données Code) Personnelles (APDP) Botswana The Data Protection Act – Act Still to be established Legislation not enacted No. 32 of 2018 Burkina Faso Loi n° 010-2004/AN Commission de l’Informatique et des Libertés (CIL) Burundi None None Cabo Verde Data Protection Law (Law Comissão Nacional de Proteção de Dados Poor enforcement 133/V/2001 ) Pessoais (CNPD) Cameroon None None Central African Republic None None Chad Law 007/PR/2015 on the Agence Nationale de Sécurité et de Protection of Personal Data Certification Electronique (ANSICE) Comoros None None Republic of Congo None None Côte D'Ivoire Loi n° 2013-450 du 19 juin Autorité des régulations des 2013 Télécommunications de Côte D'Ivoire (ARTCI) Djibouti None None DRC None None Egypt Data Protection Law Personal Data Protection Centre Not yet established Equatorial Guinea Law No. 1/2016 DPA - Data Protection Authority Not yet established Eritrea None None Kingdom of Eswatini Data Protection Bill 2017 None Ethiopia None None Draft legislation 16
17 Gabon Loi n°001/2011 CNPDCP The Gambia None None Ghana Data Protection Act (Act No. Data Protection Commission 843) 2012 ('Commission') Guinea None None Guinea-Bissau None None Kenya Data Protection Act, 2019 Data Protection Commissioner (DPC) Lesotho Data Protection Act 2012 Data Protection Commission Liberia None None Libya None National Authority for Information Security and Safety(NIISA) Madagascar Data Protection Law, Commission malagasy sur l’informatique Poor enforcement 2014-38/Loi No. 2014-38 et les libertés (CMIL) Malawi None None Mali Law No. 2013-015 of 21 May Autorité de Protection des Données à Poor enforcement 2013 & Law No. 2019-056 of 5 Caractère personnel (APDP-Mali) December 2019 Mauritania Loi n°2017-20 Still to be established Mauritius Data Protection Act, 2017 Data Protection Commissioner ('DPC'). proclaimed through Proclamation No.3 of 2018 Morocco Law No. 09-08/2009 Commission Nationale de Protection des Données Personnelles Mozambique None None Namibia Draft legislation None Draft legislation Niger Loi n° 2017-28 - adopted Haute Autorité de Protection des 30.4.2020 Données à caractère Personnel (HADP) Nigeria The Nigerian Data Protection NITDA Regulations (NDPR) Rwanda Draft legislation None Draft legislation Sao Tome & Principe Law No. 03/2016 on the ANPDP Protection of Personal Data Senegal Law No 2008-12 of 25 January Commission of Personal Data (CDP) Poor enforcement 2008 Seychelles The Data Protection Act - not None active Sierra Leone Draft legislation None Draft legislation 17
18 Somalia None None South Africa Protection of Personal Information Regulator Poor enforcement Information Act 4 of 2013 (POPIA) South Sudan None None Sudan None None Tanzania Draft legislation None Draft legislation Togo Law No. 2019-014 Relating to Togolese data protection authority the Protection of Personal ('IPDCP'). Data Tunisia Protection of Personal Data, National Authority for Protection of Poor enforcement 2004 Personal Data (The Instance) Uganda Data Protection and Privacy National Information Technology Act, 2019 Authority Zambia Electronic Communications The Zambia Information and and Transactions Act (ECTA), Communication Technology Authority 2009 Zimbabwe None None Appendix B Nigeria Tanzania Egypt South Africa 8: Xender 5: Xender 2: TikTok 6: TikTok 9: TikTok Lite 10: TikTok 3: PUBG Mobile 7: Shareit 23: TikTok 23: Emoji Keyboard 6: Shareit 17: InShot Video 27: InShot 41: Video Downloader 17: PUBG Mobile Lite 19: TikTok Lite 38: Emoji Keyboard 45: WPS Office 20: LOLita 39: QuVideo Editor 49: WPS Office 47: Mafia City 40: TikTok Lite 40: Emoji Keyboard 51: QuVideo Editor 46: All Downloader 49: AppLock 50: Block Puzzle 60: UC Browser 47: VMate 61: WPS Office 65: Sweet Fruit Candy 81: EnjoyMobi Video 68: InShot 62: U-Dictionary 73: Pooking Billiards 69: BeautyPlus 71: VideoShow 18
19 72: Sniper Shot 3D 78: MV Master 74: TikTok Lite 79: All Downloader 76: AppLock 84: CamScanner 78: QuVideo Editor 88: Pooking Billiards 89: Pooking Billiards 94: Lords Mobile 100: Prison Escape These are the Chinese apps appearing in the Google play store in the four case study countries as of May 11th, 2020 (source: App Annie). Published 6 May 2021 by Oxford China International Consultancy 19
You can also read