Data Extraction by Chinese Phone Applications in Africa - An Analysis of Risks and Regulatory Protection - Oxford China International Consultancy

Page created by Jimmy Kelly
 
Huw Roberts, Kirra Evans, Charlotte Lenz

Executive Summary
Data extraction through mobile phone applications (apps) is increasingly commonplace globally. Extensive research has been undertaken into data extraction in Europe and North America; however, research into the African context has been limited. In this study, we consider how popular Chinese mobile phone apps within Africa are extracting user data, the regulatory protections that are in place and the potential risks to citizens. To do this, we map out the privacy regulations that have been introduced across Africa to understand the consumer protections that are in place. We then analyse data on app downloads and the mobile handset market in Africa to gauge the prevalence of pre-installed and manually downloaded Chinese mobile apps, and consider the potential risks associated with their use. In the final section of this report, we consider these risks in light of the regulations in place and assess how well protected African users are from data extraction by Chinese mobile phone apps, categorising states into high-, medium- and low-risk. We conclude by emphasising that high-risk states should introduce targeted data protection measures, and that medium-risk states should work to improve enforcement mechanisms for existing regulations.


1 Introduction
Data extraction—the targeting and exploiting of personal data for commercial gains—is an increasingly common phenomenon globally.[1] One way in which this takes place is by means of pre-installed and manually installed mobile phone applications (apps). Many apps that come pre-installed on mobile phone handsets (so-called ‘bloatware’) have been shown to harvest and leak personal information and can be extremely difficult or even impossible to delete.[2] For manually installed apps, although users actively choose to download, they are often unaware of what types of data are being collected and processed, and by whom, with third party trackers particularly prevalent on free apps.[3]

A number of studies have considered how mobile apps are harvesting data in Europe and North America,[4] the harms that this can cause,[5] and the legal protections that are in place to protect citizens.[6] However, minimal work has been done to understand the data extraction taking place in Africa, in light of the regulatory protections present. Given the widely held characterisation of Africa as a low-regulatory environment with a relatively weak enforcement of privacy protections,[7] this is an area which needs exploring. The aim of this report is to engage with the type of data extraction from mobile apps that is taking place in Africa and the potential harms that this could cause, as well as the legal protections that are in place to protect citizens. Specifically, this report will focus on the harvesting of data from Chinese apps on the continent. Chinese apps were chosen because of the substantial market share that Chinese companies have in both the mobile handset and mobile apps markets.

To investigate this topic, the structure of this report will be as follows: firstly, it will outline the general state of privacy legislation in Africa, including recent developments that have taken place and the gaps that still remain. The second section will consider the Chinese apps that have been widely downloaded within a sample of African states, with the third section analysing the market conditions for mobile handset sales that provide Chinese app developers with a back door into the continent through bloatware. The final section of the report outlines the harms that can come about when sections one and two are read together; it will be stressed that Africa should not be considered a unitary actor but a space in which there are countries with high, medium and low risks in regard to the potential harms from data extraction. Those high and medium-risk countries, that make up a significant portion of the continent, hold substantial data privacy risks including the potential for unchecked data misuse and insecurity. From this analysis, it is concluded that both downloadable Chinese apps and pre-installed bloatware represent substantial data privacy risks on the continent. Given this, there is a need for a continued push for data protection legislation in high-risk countries and improved enforcement in medium-risk states to ensure consumer protection


2 Data Privacy in Africa
To begin with, it is important to note that academic literature on data privacy in the African context is still lacking, which reduces the potential for adequately theorising about privacy concerns on the continent. Nonetheless, data privacy regulation is rapidly growing, with new legislation coming into existence consistently: the majority of these data privacy laws have been introduced in recent years. However, considering that cultural contexts filter into legislation, it is important to note how countries all over the world will respond to calls for data privacy in different ways. As Makulilo argues, while “elements of individualisms” are now commonplace on the African continent, the level of individualism remains different than in, for instance, European countries.[1] In other words, data privacy in Africa must be understood through relevant African contexts.

In regard to the legal protections afforded, all countries on the African continent possess privacy clauses within their constitutions. Furthermore, several countries have introduced specific personal data privacy laws in recent years: since 2016, data privacy legislation has passed in 13 African states, and legislation was drafted in an additional 3 countries (see Appendix a), which aligns with other research on evolving attitudes towards data privacy on the continent.[2] In total, there are now at least 27 of the 54 African countries that have data protection regulations.[3] This paper emphasizes ‘at least’ as it is important to note that these statistics represent information gathered in the last quarter of 2019. Since legislation is continuously being updated on the continent, legislation may have been added depending on the date at which this report is accessed. On top of this, a number of countries have also drafted legislation, even if they have no legislation currently in action, as can be seen with Rwanda.[4]

Transnational cooperation mechanisms also signal efforts to multilaterally adopt data protection measures on the continent. On the regional level, the Economic Community of West African States (ECOWAS) adopted a regional Data Protection Act in 2010, obliging member states to develop national data protection legislation for collecting, processing, storing and using data. This also included the establishment of an independent agency responsible for data privacy compliance, codes of conduct, but allows an undetermined time to implement the Data Protection Act.[5] However, research suggests that without an enforcement mechanism ensuring member states’ compliance, harmonisation of data privacy laws is unlikely.[6]

Another transnational effort to ensure privacy protections is the African Union (AU) Convention on Cybersecurity and Data Protection, passed in 2014, which seeks to create a common legislative framework for data protection among member states.[7] Furthermore, 10 of the 14 French-speaking African countries with national data privacy laws are part of a global alliance in the domain of data privacy, the Association Francophone des Autorités de Protection des Données Personnelles (AFAPDP).[8] Finally, 2019 saw the launching of the first Africa Data Protection and Privacy Conference, which brought together the African Data Protection Network, Ghanaian state representatives and other stakeholders from think tanks, NGOs and other organisations involved in data protection and cybersecurity.[9]

2.1. Limitations of these measures

Despite these positive developments, there are still a number of drawbacks to the measures that have been introduced. Foremost, although privacy is a constitutional right across the continent, this does not mean that data privacy is adequately protected by constitutional clauses alone. Some of these privacy clauses protect a citizen’s right to privacy regarding their domicile but do not specify a right to privacy with regards to correspondence. This means that governments and companies are not allowed to violate someone’s place of residence or home, but does not mean that an individual’s right to privacy with regards to data is guaranteed, since data can be collected anywhere.

For those which do account for a more holistic notion of privacy, constitutional protections are typically drafted in general terms and provide little specific guidance as to how issues such as data protection should be managed. In some cases, ambiguous caveats can be present, which are left open to judicial interpretation. For example, Eritrea’s constitution has a privacy clause in the form of Article 18. The clause specifically states that privacy will not be violated without ‘reasonable cause’. Ghana also has a particularly interesting caveat that says that privacy will not be violated unless it violates the ‘economic well-being of a country.’ Both ‘reasonable cause’ and ‘economic well-being’ are extremely relative terms that are dependent on the interpretation by the state and judicial system. If governments are particularly corrupt or have skewed priorities, judicial interpretation of these caveats could end up violating privacy significantly.[10] As a result, constitutional rights have practically provided few protections for individuals’ data privacy on the continent,[11] something which is highly problematic given that half of the continent has not introduced specific privacy legislation (see Appendix a).

Further, even when a state has introduced privacy legislation, this is not necessarily a guarantee that individuals’ rights will be adequately protected. Some states lack the regulatory authority to enforce the legislation, with no dedicated data protection authority (DPA) being established or having outlined the establishment of an authority that is yet to start operating (e.g. Equatorial Guinea). In other cases, even when authorities have been set up, enforcement remains an issue, with some states’ DPAs being relatively inactive (e.g. Senegal and Tunisia).[12]


3 Chinese Apps in Africa
Against this legislative backdrop, Chinese apps are widespread on the continent, collecting, processing and transferring personal information. When considering the collection of data by Chinese apps in Africa, it is necessary to explore two areas:

         i) The data collected by apps that are installed by African users.
         ii) The data collected by bloatware apps that are pre-installed on phones.

In terms of the former, no data has been compiled that considers the most downloaded Chinese apps on the continent. Nonetheless, a sample of top downloads on the Google Play Store from four African countries, Nigeria, Tanzania, Egypt and South Africa, shows that a number of Chinese apps are widely popular (Appendix b).[1] These countries are not meant to be representative of the continent as a whole but rather provide a snapshot from countries that are geographically spread and have differing relationships with China. Within this sample, Chinese apps make up around 10-15% of popular downloads during May 2020.[2] To put this in perspective, using the same method, US phone apps made up between 25-30% of the market, whilst no other single country made up a substantial percentage.[3] The apps themselves vary in content but centre around video editing, social media and mobile phone games.

A number of the apps present on this list have received condemnation in different regions for their data infringing practices, including requesting unnecessary amounts of personal information and data security issues.[4] In India, intelligence services have gone as far as labelling a range of top-downloaded apps on the list below, such as Shareit, BeautyPlus and QuVideo, as spyware or malware and suggested that all military officials do not download the apps.[5] More recently, the Indian government banned 59 Chinese apps, including many on this list, on account of user information being transferred abroad without authorisation.[6] These actions need to be read in line with geopolitical tensions between India and China; nonetheless, the potential harms to privacy that these apps can cause should not be downplayed. Two specific examples of Chinese apps in the top downloads above, TikTok and UC Browser, will be outlined below to show some of the potential privacy infringing practices that these apps can lead to.

3.1. TikTok

TikTok is a Chinese video-sharing social networking service, which has achieved global success, with over 700 million downloads in 2019.[7] In TikTok’s terms and conditions, the organization claims to collect the following data: usage information, device information, location data, messages, metadata, cookies.[8] It also stipulates that TikTok scans and analyses information composed in messages,[9] including the content and who the correspondence takes place between. As can be seen with many other apps throughout the world, TikTok also uses cookies which are often used to provide users’ subscription information to business partners and service providers.[10] Whilst, on the surface, there is nothing unusual about the type of data covered by TikTok’s terms and conditions, with Western technology companies including similar clauses, the app has received widespread scrutiny for its data collection, transfer and processing practices.

Globally, lawsuits have emerged against TikTok because of data protection issues. For instance, a class-action lawsuit was filed in California in December 2019 against TikTok’s parent company, ByteDance. The claimant argued that the company’s privacy policies were ambiguous and that it took user content, such as draft videos, and transferred them to China without users’ consent.[11] Certain lawmakers in the US have gone even further, with Senator Josh Hawley introducing a bill into the US Senate to prohibit the downloading of TikTok onto federal government devices, citing an existing ban within the US army for the app to be downloaded.[12] Most recently, US President Trump declared that TikTok represented a national emergency and signed an executive order that would lead the app to be banned in September 2020,[13] though this did not materialise in practice. Importantly, the concern of the US government is not necessarily that the data collection practices are more pervasive than other apps, rather it is the perceived leverage that the Chinese government has over corporations domiciled within its territory, meaning that when data are collected, it is ambiguous as to who will be able to access the data and to what ends.[14]

It should be stressed that US actions are likely influenced by the geopolitical competition that is emerging with China; however, countries outside of America have also flagged concerns with the company. In May 2020, the Dutch Data Protection Authority (DPA) launched an investigation into TikTok to determine whether the data collection practices are in breach of the General Data Protection Regulation (GDPR).[15] The Dutch DPA underscore that, as defined by the GDPR, children are a vulnerable group. Because of this, they are seeking to determine whether the privacy policies of the app are easy to understand and if parental consent is required for the collection, use and storage of children’s personal data, as is required under the GDPR for children under 16. Furthermore, recent reports have shown TikTok as engaging in data infringing practices. For instance, it was recently highlighted that the company snooped on clipboard data from Apple devices, which meant that the app was likely collecting sensitive information, such as personal messages or passwords, without users’ knowledge or consent.[16] Consequently, even with geopolitical considerations accounted for, TikTok raises a variety of privacy concerns.

3.2. UC Browser

Of the apps listed, UC Browser, a mobile web browser app, is another that has faced public scrutiny because of a number of security flaws over the past five years. Although this app is still relatively small in the African browser market, accounting for 2% of the overall market,[17] this would still account for as many as 5.25 million users.[18] In 2015, an analysis by the Citizen Lab in Toronto discovered a series of major security flaws and privacy concerns in the Android version of UC Browser. They found that the app leaked significant amounts of personal and personally-identifiable data, meaning network operators or in-path actors on the network could obtain users’ personally identifiable information, such as geolocation data and search data, through observing unencrypted data or using simple decryption.[19] Based on similar data security concerns, UC Browser was probed by the Indian government in 2017 to determine whether these security flaws were present in the transfer of data from India to China.[20] Research in 2019 by a Russian cyber security firm showed that UC Browser was still susceptible to similar man in the middle attacks outlined by the Citizen Lab in 2015, though now this was on account of sending updates over an unsecured http connection.[21]

3.3. Contextualising privacy concerns

This is not to say that all Chinese apps are harmful to privacy, nor is this to say that the privacy harms caused by Chinese apps are necessarily unique, with American companies also collecting, transferring and processing extensive amounts of personal information.[22] Nonetheless, the security flaws in a number of the top-downloaded Chinese apps and their data extraction practices, including but not limited to the two case studies above, are noteworthy. Alongside this, the relationship between the Chinese government and the technology companies that produce the apps and are domiciled within China raises important questions over government access to personal data.[23]

Politically, there is a lack of transparency over the relationship between the Chinese government and Chinese companies. This problem was at the centre of the 2019 Huawei-African Union controversy: as allegations of data being shipped from the African Union’s new headquarters to a data centre in Shanghai spread, Huawei came under increased scrutiny about leaking data to the Chinese government, as it had provided the digital infrastructure for the building.[24] Huawei claimed no wrongdoing for this incident and other Chinese technology companies have been quick to claim that they would not provide the government with user data. Nonetheless, some commentators have highlighted that national security laws within China mean that these companies would have little choice if such data were requested,[25] leaving users of Chinese apps facing the potential for government access of their personal data.


4 Chinese Mobile Handsets in Africa
Alongside data collection by downloaded apps, it is important to stress the role of data extraction by pre-installed ‘bloatware’ apps on Chinese handsets. China has been increasingly dominating the African technology sector, including the mobile phone industry. Three key Chinese phone companies are present in the market: Huawei, Transsion and ZTE. Of particular note is Transsion, which owns the brands Tecno, Itel and Infinix, that together make up 60% of the feature phone market and 30% of the smartphone market in Africa.[1] Sub-Saharan Africa is expected to remain the fastest growing region in Africa, with 5 countries (Nigeria, Ethiopia, DRC, Tanzania, Kenya) expected to provide nearly 170 million new subscribers by 2025:[2] with the exception of the DRC, Transsion dominates the phone market in the 4 other countries through its subsidiary Tecno. This market success is not chance; Chinese mobile companies have been effective at accommodating the specific needs of African consumers. For instance, Transsion subsidiaries have produced phones that reflect consumer price point,[3] have provided keyboards with the local languages of Amharic, Swahili and Hausa,[4] and also adapted phone cameras to be particularly complimentary towards darker skin tones.[5] Chinese companies, and Transsion in particular, are thus not only the leading phone companies in Africa, but also expected to remain crucial actors in Africa’s phone market.

4.1. Data collection by Transsion and pre-installed apps

This market position for Chinese phones and, in particular, Transsion’s Tecno, is important to emphasise because of the data extraction that it facilitates. The type of data being collected by a company can be wide-ranging, especially if hardware and software are linked to the same company, as is the case with Tecno phones. This can include location tracking (even when users are not actively using the function),[6] names, user habits, fingerprints, photos, credit card details, email addresses, amongst others. While this is not specific to Transsion/Tecno (Android phones and Google share a similar relationship), it is still pertinent to realise the scope of data which can be potentially collected. Typically, this data collection is used for functionality but is also used to track users’ behaviours to identify patterns and create a profile of a user, so as to target them with advertisements closer to their profile. As the privacy policies of Tecno mobile,[7] Huawei,[8] but also Samsung[9] or Apple[10] explain, data can be collected to provide more targeted advertisements. This is particularly visible in Tecno phones, for which advertisements are included into two of their developed software (TECNO’s HiOS and Infinix’ XOS).[11] These advertisements function by promoting ‘instant apps’, games that users can play without download requirements, mixed in with promoted third-party apps that it suggests users install.

On top of this, dominating the mobile phone market means that African consumers are subjected to the same pre-installed apps (‘bloatware’) on Transsion-subsidiary phones. Bloatware has two key effects on the African mobile app market: it promotes certain pre-installed apps, which facilitates market share, and, more problematically, the apps often collect data without consent and are extremely difficult to uninstall.

In regard to the first, a range of Chinese apps are pre-installed upon purchase of Transsion-subsidiary phones, such as China Literature, an app that provides and sells literature,[12] and Vskit, a popular video editing app.[13] One of the success stories of Transsion bloatware is Boomplay, a streaming service that claims to be one of the fastest growing apps on the African continent.[14] After signing a licensing deal with Sony Music Entertainment, Boomplay was able to surpass 60 million users across the continent,[15] including Kenya, Senegal, and Zambia, amongst others.[16] Whilst causality cannot be solely attributed to its pre-installed

data and technical data.[18] As mentioned, the leverage that the Chinese government has over domestically domiciled countries raises questions surrounding data misuse in light of the Huawei-African Union scandal. That being, there is scant evidence of the Chinese government using its position to access data collected by apps.

More importantly, even if an individual chooses not to use bloatware apps, privacy infringements can still take place through tacit data collection without consent. It is infamously difficult to uninstall bloatware from handsets and, for certain apps, impossible. This is problematic, as even when these apps are dormant in the background, many are still actively collecting and transferring personal information. As was shown in a Privacy International report, pre-installed apps on cheap handsets can collect a range of personal information, including name and date of birth, and transfer this data unencrypted.[19] Whilst it was beyond the scope of this paper to test the Tecno bloatware apps, including those mentioned above, a number of studies have shown how pre-installed Tecno apps come with security vulnerabilities[20] and collect substantial amounts of personal information.[21] Moreover, recent reports have suggested that some pre-installed malware
nature, it is extremely likely that this was a major
                                                             on Tecno handsets which fraudulently funnelled money
bene t in the app accruing market share.[17] In turn, this
                                                             from users’ airtime and data recharges, something that
has provided Boomplay with a wealth of consumer data
                                                             Transsion now claim is resolved.[22]
on the continent, which according to its terms and
conditions, includes identity data, contact data, online
presence data, nancial data, transaction data, content
data, marketing and communications data, behavioural

                                                                                                                      9
10

5 Threats to Data Privacy
To understand the threats to data privacy that Chinese apps pose in Africa, it is necessary to contextualise these threats in light of African data protection frameworks. However, as was stressed in section 1, Africa is not a unitary actor nor is there a continent-wide data protection framework comparable to the GDPR in place. Accordingly, the risk to individuals from Chinese apps needs to be considered in light of the national data protection frameworks. Rather than assessing each country individually, the remainder of this section will categorise countries into high-, medium- or low-risk, based on the types of protections afforded (see Appendix A for full list).[1]

A first category of countries can be perceived as high-risk. These are states that possess no specific data protection legislation while also lacking a significant regulatory authority. For some of these countries, there is a lack of data as to whether said states possess any of these requirements. Some high-risk countries are plagued by varying levels of instability as a result of inadequate governments, which can account for weak protections. One such example is Somalia, which has lacked a central government since President Siad Barre was ousted in 1991.[2] Despite Somalia’s instability, the country still possesses fast internet speeds, a strong presence of mobile money and a thriving telecommunications sector.[3] In other words, it cannot simply be dismissed as a ‘failed state’ that poses no risk for data extraction. However, instability is not an overarching characteristic of all these countries. Some countries have relatively stable governments but have simply been slow to establish a personal data protection law. Still, examples such as these should be taken seriously, especially since there are 27 countries (approximately half) on the continent that fall into this category. This category includes countries such as Burundi, Central African Republic and the Democratic Republic of Congo.

An absence of a data privacy framework enables apps to collect, use and transfer personal information without prior consent being obtained from the individual. This allows companies to sell personal data and use it in multiple ways without the user being informed. For apps, this could entail various data types, including location data, contacts, microphone data and many more, all of which can be used and sold to build consumer profiles. One telling example of the type of harm this can cause is in the political sphere, where data collection through the Facebook and Cambridge Analytica scandal could have influenced the results of elections in Nigeria (in 2007 and 2015) and Kenya (in 2013 and 2017).[4] The absence of any regulatory framework for data collection was, in both cases, identified as the main reason why Cambridge Analytica was able to access government-held data. Another is that data security is not guaranteed. That is, alongside those personal data that are sold, there are no requirements to inform users of data breaches or to punish companies for poor security. This can facilitate a number of types of data misuse, ranging from spam to fraud.
A second category of countries can be considered as medium risk. These states have enacted some form of data protection but have relatively weak enforcement mechanisms. This could include the absence of a specific DPA (which may also be in the process of being established) or the presence of a DPA without having data protection laws that specify what data in particular is being protected.[5] This category also includes countries that may possess draft legislation or are in the process of establishing a DPA. Such countries include Equatorial Guinea and Egypt. Finally, this category includes states that have data protection legislation and a DPA in place but have a poor history of DPA activity or enforcement of legislation. These countries include Angola, Cape Verde, Madagascar, Mali and South Africa.[6] These environments suffer from many of the same risks above but, due to the practices being illicit, there is greater onus on companies not to breach laws. Nonetheless, the absence of an active or effective regulatory enforcer raises questions over the extent to which individuals’ data will be protected in light of an infringement. This is a particularly important aspect to consider as it emphasises that it is not enough for countries to establish data privacy legislation or DPAs; enforcement remains just as important in order to create an environment with adequate privacy protections.

The third category are countries that can be considered low risk. In these countries, there is a constitutional privacy protection, specific legislation with regards to data protection and a functioning data protection authority, who have often been willing to act against breaches of data privacy. Ghana is a good example of this: their data protection authority (the Data Protection Commission) has recently taken action against the aviation industry on account of breaching the Ghanaian Data Protection Act.[7] Other examples of low risk countries include Morocco and Mauritius.

6 Conclusion

Complaints have been made about opaque data collection by Chinese apps globally and a number of Western phone brands come with pre-installed bloatware, raising the question of what is unique about Chinese apps within Africa. We argue that it is a combination of the generally weak data privacy protections, the dominance in the mobile handset market by Chinese companies and the opaque government-corporate relations in China that makes the situation in Africa particularly worrisome. Although data privacy protections on the continent are continually improving, work still needs to be done. African states should continue their push for data protection, with urgency, to ensure that individuals across the continent are protected. That being said, Africa is not a unitary actor and the levels of protection differ across the continent. It is particularly important for those countries that we categorised as high-risk, on account of an absence of specific privacy protections, to develop adequate privacy legislation and medium-risk states to continue developing their enforcement capacities.

Footnotes
1
[1] Kane,Y.I. & Thurm,S. 2010. ‘Your Apps Are Watching You’. The Wall Street Journal. At:
https://www.wsj.com/articles/SB10001424052748704368004576027751867039730

[2] Privacy International, 2019. ‘Buying A Smartphone on The Cheap? Privacy might be the Price you have to Pay’. At:
https://privacyinternational.org/long-read/3226/buying-smart-phone-cheap-privacy-might-be-price-you-have-pay

[3] Privacy International. 2018. ‘How Apps on Android Share Data With Facebook (Even if you don’t have a Facebook Account)’ At:
https://privacyinternational.org/sites/default/files/2018-12/How%20Apps%20on%20Android%20Share%20Data%20with%20Facebook%20-%20Privacy%20International%202018.pdf

[4] Binns,R. et al, 2018. ‘Third Party Tracking in the Mobile Ecosystem’, ArXiv. At: https://arxiv.org/pdf/1804.03603.pdf

[5] Michael,T. 2019. ‘Data Privacy and Security: Why Mobile Apps are the New Weak Link’, Info-security magazine, At:
https://www.infosecurity-magazine.com/next-gen-infosec/privacy-mobile-apps-weak-link-1-1/

[6] Fritsch,L. et al. 2019. ‘Did App Privacy Improve After the GDPR?’ , IEEE Security and Privacy, At:
https://ieeexplore.ieee.org/abstract/document/8845749

[7] Quazi, R, M. 2014. ‘Effects of corruption and regulatory environment on foreign direct investment: A case study of africa.’ Global Journal of
Business Research, Vol 8, Issue 4.Pg 51-60 At: https://econpapers.repec.org/article/ibfgjbres/v_3a8_3ay_3a2014_3ai_3a4_3ap_3a51-60.htm

2
[1] Makulilo, A. (2016) “A Person Is a Person through Other Persons”—A Critical Analysis of Privacy and Culture in Africa. Beijing Law Review, 7, 194.

[2] Ibid, 192-204.

[3] See Appendix a

[4] Sabiiti,D. 2019. ‘Rwanda Working On A Personal Data Protection Law’ ,KT Press, At:
https://www.ktpress.rw/2019/07/rwanda-working-on-a-personal-data-protection-law/#:~:text=Rwanda%20is%20currently%20drafting%20law,that%20use%20data%20for%20business.

[5] Economic Community Of West African States ( ECOWAS) , At:
http://www.tit.comm.ecowas.int/wp-content/uploads/2015/11/SIGNED-Data-Protection-Act.pdf?hdjeknglfkngdbaa

[6] Orji, U.J. (2017). Regionalizing data protection law: a discourse on the status and implementation of the ECOWAS Data Protection Act. International
Data Privacy Law, 7(3), p. 179.

[7] African Union Convention on Cyber Security and Personal Data Protection, 2014.
https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf

[8] Members of the AFAPDP, At: https://www.afapdp.org/lafapdp/membres

[9] https://ardppc.com/eng/

[10] Fombad, C. M. 2007. "Challenges to constitutionalism and constitutional rights in Africa and the enabling role of political parties: Lessons and
perspectives from Southern Africa." The American Journal of Comparative Law 55, no. 1: 1-45.

[11] Makulilo, A. B., 2016. African data privacy laws. Springer International Publishing.

[12] Deloitte, ‘Privacy is Paramount: Personal Data Protection in Africa.’ N.d., At:
https://www2.deloitte.com/content/dam/Deloitte/za/Documents/risk/za_Privacy_is_Paramount-Personal_Data_Protection_in_Africa.pdf

3
[1] These are the Chinese apps appearing in the Google play store in the four case study countries as of May 11th, 2020.

[2] To ensure that this was not an anomaly, this figure was cross-referenced with app ranking over the past 12 months which showed consistent
findings.

[3] It is important to highlight that country headquarters data were missing for a number of apps, suggesting that the percentage of US and Chinese
was likely higher in practice.

[4] Khan,D. & Sangani,P. 2019. ‘Chinese apps seek excessive information from Users : Survey’, Economic Times, At:
https://economictimes.indiatimes.com/tech/internet/chinese-apps-seeking-way-more-information-than-needed-survey/articleshow/67633562.cms?from=mdr

[5] FE Online, 2020. ‘Government reportedly lists 42 Chinese apps as dangerous including Truecaller, UC browser, Mi Store : Check if your phone has
any of them, Financial Express, At:
https://www.financialexpress.com/industry/technology/government-reportedly-lists-42-chinese-apps-as-dangerous-including-truecaller-uc-browser-mi-store-check-if-your-phone-has-any-of-them/954335/

[6] ET Bureau, 2020. ‘India Bans 59 Chinese Apps including TikTok, WeChat, Helo’ The Economic Times, At:
https://economictimes.indiatimes.com/tech/software/india-bans-59-chinese-apps-including-tiktok-helo-wechat/articleshow/76694814.cms

[7] Iqbal,M. 2020. ‘TikTok Revenue and Usage Statistics’, Business of Apps, At: https://www.businessofapps.com/data/tik-tok-statistics/

[8] TikTok Privacy Policy, At: https://www.tiktok.com/legal/privacy-policy?lang=en

[9] Ibid

[10] Ibid

[11] Paul, K. 2019 TikTok accused in California lawsuit of sending user data to China, Reuters, At:
https://www.reuters.com/article/us-usa-tiktok-lawsuit/tiktok-accused-in-california-lawsuit-of-sending-user-data-to-china-idUSKBN1Y708Q

[12] Sherman, J. 2020, Unpacking TikTok, Mobile Apps and National Security Risks , Lawfare
https://www.lawfareblog.com/unpacking-tiktok-mobile-apps-and-national-security-risks

[13] Robertson, A. 2020. The big legal questions behind Trump’s TikTok and WeChat bans. The Verge. At:
https://www.theverge.com/2020/8/10/21358505/trump-tiktok-wechat-tencent-bytedance-china-ban-executive-order-legal-sanctions-rules

[14] Kharpal, A. 2019. Huawei says it would never hand data to China’s government. Experts say it wouldn’t have a choice. CNBC.
https://www.cnbc.com/2019/03/05/huawei-would-have-to-give-data-to-china-government-if-asked-experts.html

[15] Autoriteit Persoonsgegevens, 2020. ‘Dutch Data Protection Authority to Investigate TikTok’ , At:
https://autoriteitpersoonsgegevens.nl/en/news/dutch-data-protection-authority-investigate-tiktok

[16] Goodin,D. 2020. ‘TikTok and 32 Other IOS Apps still snoop your sensitive clipboard data’, ARS Technica, At:
https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-ios-apps-still-snoop-your-sensitive-clipboard-data/

[17] StatsCounter GlobalStats -https://gs.statcounter.com/browser-market-share/mobile/africa

[18] Campbell,J. 2019. ‘Last Month, Over Half-a-Billion Africans Accessed the Internet’ , Council on Foreign Relations, At:
https://www.cfr.org/blog/last-month-over-half-billion-africans-accessed-internet

[19] Dalek,J. et al, 2015. ‘A Chatty Squirrel : Privacy and Security Issues with UC Browser’ , The Citizen Lab, At:
https://citizenlab.ca/2015/05/a-chatty-squirrel-privacy-and-security-issues-with-uc-browser/

[20] Tech2 News Staff, 2017. ‘ UC Browser Is Being Probed By The Indian Government for Sending User Data to China : Report’, Firstpost, At:
https://www.firstpost.com/tech/news-analysis/uc-browser-probed-by-government-for-sending-user-data-to-china-report-3962511.html

[21] Tung,L. 2019. ‘ Millions of Android users beware : Alibaba’s UC Browser can be used to deliver malware’ , ZDNet, At:
https://www.zdnet.com/article/millions-of-android-users-beware-alibabas-uc-browser-can-be-used-to-deliver-malware/

[22] Binns,R. et al, 2018. ‘Third Party Tracking in the Mobile Ecosystem’, ArXiv. At: https://arxiv.org/pdf/1804.03603.pdf

[23] It should be stressed that not all apps will store all users’ data in mainland China servers. However, the lack of cloud infrastructure in Africa
suggests that the continent is particularly vulnerable to such storage.

[24] Sherman,J. 2019. ‘ What’s The Deal With Huawei and This African Union Headquarters Hack?’ , New America, At:
https://www.newamerica.org/cybersecurity-initiative/c2b/c2b-log/whats-the-deal-with-huawei-and-this-african-union-headquarters-hack/

[25] Kharpal, A. 2019. ‘Huawei says it would never hand data to China’s government. Experts say it wouldn’t have a choice.’ , CNBC, At:
https://www.cnbc.com/2019/03/05/huawei-would-have-to-give-data-to-china-government-if-asked-experts.html

4
[1] Umeh,E. 2019. ‘In Africa, Chinese competitors will hurt Facebook’s Libra’, The Africa Report, At:
https://www.theafricareport.com/17555/in-africa-chinese-competitors-will-hurt-facebooks-libra/

[2] GSM Association, The Mobile Economy of Sub-Saharan Africa 2019, p. 4
https://www.gsmaintelligence.com/research/?file=36b5ca079193fa82332d09063d3595b5&download#page=4

[3] Marsh,J. 2018. ‘ The Chinese Phone Giant That Beat Apple to Africa’, CNN Business, At:
https://edition.cnn.com/2018/10/10/tech/tecno-phones-africa/index.html

[4] Ibid

[5] Tosin, 2017. ‘Africans have problem with selfie because of black skin -Tecno producer’ , The Herald News, At:
https://www.herald.ng/africans-problem-selfie-black-skin-tecno-producer/

[6] Lindsey, N. 2018. ‘Google Data Collection Is More Extensive and Intrusive Than You Ever Imagined’, CPO Magazine, At:
https://www.cpomagazine.com/data-privacy/google-data-collection-is-more-extensive-and-intrusive-than-you-ever-imagined/

[7] Tecno Mobile Privacy Policy, At: https://www.tecno-mobile.com/privacy-policy/#/

[8] Huawei Privacy Policy, At: https://consumer.huawei.com/uk/privacy/privacy-policy/

[9] Samsung Privacy Policy, At: https://www.samsung.com/us/account/privacy-policy/

[10] Apple Privacy Policy, At: https://www.apple.com/legal/privacy/en-ww/

[11] Maina, S. ‘Transsion Holdings - a Teardown of the company that controls Africa’s mobile phone industry’. 4..04.2019.
https://gadgets-africa.com/2019/04/04/transsion-holdings-teardown/

[12] Olukotun, ‘Transsion Mobile phones will now have China Literature’s app installed on all its mobile phones sold in Africa’, Innovation village,
13.06.2019. https://innovation-village.com/transsions-mobile-phones-will-now-china-literatures-app-installed-on-all-its-mobile-phones-sold-in-africa/

[13] Ran,B. & Jing,Y. 2019. ‘Chinese video apps making inroads into global markets’ , CGTN, At:
https://news.cgtn.com/news/2019-11-09/Chinese-video-apps-making-inroads-into-global-markets-Ltq898Kg0g/index.html

[14] Umeh, E. 2019. ‘In Africa, Chinese competitors will hurt Facebook’s Libra’, The Africa Report, At:
https://www.theafricareport.com/17555/in-africa-chinese-competitors-will-hurt-facebooks-libra/

[15] Cohen,C. 2019. ‘Africa’s Boomplay Reaches 62 Million Users Major Labels + Merlin Now on Board’, Digital Music News, At:
https://www.digitalmusicnews.com/2019/12/10/boomplay-reaches-62-million-users-merlin-on-board/

[16] Digital News Africa, 2019. ‘ Boomplay and Sony partner on Africa content’ , BizCommunity, At:
https://www.bizcommunity.africa/Article/410/16/198093.html

[17] Olukotun,O. 2019. ‘Transsion’s Mobile Phones Will Now Have China Literature’s App Installed On All Its Mobile Phones Sold in Africa’, Innovation
Village, At: https://innovation-village.com/transsions-mobile-phones-will-now-china-literatures-app-installed-on-all-its-mobile-phones-sold-in-africa/

[18] Boomplay Terms & Conditions, At: https://www.boomplaymusic.com/webitem/conditions

[19] Privacy International, 2019. ‘Buying A Smartphone on the Cheap? Privacy Might be the Price you have to Pay’. At:
https://privacyinternational.org/long-read/3226/buying-smart-phone-cheap-privacy-might-be-price-you-have-pay

[20] Kryptowire, 2019, ‘Android Firmware Vulnerabilities’, At: https://www.kryptowire.com/android-firmware-2019/

[21] Gamba, J. et al. 2019. An Analysis of Pre-installed Android Software. ArXiv. https://arxiv.org/abs/1905.02713

[22] Kazeem, Y. 2020. A probe has found click fraud malware on Chinese-made phones from Africa’s leading seller. Quartz, At:
https://qz.com/africa/1896868/chinas-transsion-denies-africa-mobile-malware-fraud-profits-up/

5
[1] Said categories are based on data privacy legislation that has been officially implemented and the documented work of enforcement bodies. This
means that draft legislation and that which focuses on data privacy incidentally (e.g. cybersecurity legislation) were not considered in the
categorisation. Accordingly, they should be read as guiding rather than definitive.

[2] Stremlau, N. 2019. ‘Governance Without Government in the Somali Territories’, Journal of International Affairs, At:
https://jia.sipa.columbia.edu/governance-without-government-somali-territories

[3] Ibid

[4] Kwamboka,L. 2018. ‘After the Facebook-Cambridge Analytica Scandal , can we talk about data privacy in Africa now?’ , Quartz Africa, At:
https://qz.com/africa/1245876/facebook-cambridge-analytica-scandal-heralds-better-data-privacy-in-nigeria-kenya-other-african-countries/

[5] Note, in some of these cases related laws, such as those in regard to cybersecurity, provide some guidance.

[6] Deloitte, ‘Privacy is Paramount: Personal Data Protection in Africa.’ n.d., At:
https://www2.deloitte.com/content/dam/Deloitte/za/Documents/risk/za_Privacy_is_Paramount-Personal_Data_Protection_in_Africa.pdf

[7] Ibid


Appendices

Appendix A

                           Personal Data Protection Law    Data Protection Authority (DPA)          Comments                  Risk
                           (as of May 2020)                                                                                   Level

Algeria                    Loi n° 18-07 du 10 Juin 2018    Autorité Nationale de protection des
                                                           données à caractère personnel

Angola                     Law no.22/11,17 June 2011       Agência de Proteção de Dados (APD)       Poor enforcement

Benin                      Loi n° 2017-20 (The Digital     Autorité de Protection des Données
                           Code)                           Personnelles (APDP)

Botswana                   The Data Protection Act – Act   Still to be established                  Legislation not enacted
                           No. 32 of 2018

Burkina Faso               Loi n° 010-2004/AN              Commission de l’Informatique et des
                                                           Libertés (CIL)

Burundi                    None                            None

Cabo Verde                 Data Protection Law (Law        Comissão Nacional de Proteção de Dados   Poor enforcement
                           133/V/2001 )                    Pessoais (CNPD)

Cameroon                   None                            None

Central African Republic   None                            None

Chad                       Law 007/PR/2015 on the          Agence Nationale de Sécurité et de
                           Protection of Personal Data     Certification Electronique (ANSICE)

Comoros                    None                            None

Republic of Congo          None                            None

Côte D'Ivoire              Loi n° 2013-450 du 19 juin      Autorité des régulations des
                           2013                            Télécommunications de Côte D'Ivoire
                                                           (ARTCI)

Djibouti                   None                            None

DRC                        None                            None

Egypt                      Data Protection Law             Personal Data Protection Centre          Not yet established

Equatorial Guinea          Law No. 1/2016                  DPA - Data Protection Authority          Not yet established

Eritrea                    None                            None

Kingdom of Eswatini        Data Protection Bill 2017       None

Ethiopia                   None                            None                                     Draft legislation

Gabon                 Loi n°001/2011                  CNPDCP

The Gambia            None                            None

Ghana                 Data Protection Act (Act No.    Data Protection Commission
                      843) 2012                       ('Commission')

Guinea                None                            None

Guinea-Bissau         None                            None

Kenya                 Data Protection Act, 2019       Data Protection Commissioner (DPC)

Lesotho               Data Protection Act 2012        Data Protection Commission

Liberia               None                            None

Libya                 None                            National Authority for Information
                                                      Security and Safety(NIISA)

Madagascar            Data Protection Law,            Commission malagasy sur l’informatique   Poor enforcement
                      2014-38/Loi No. 2014-38         et les libertés (CMIL)

Malawi                None                            None

Mali                  Law No. 2013-015 of 21 May      Autorité de Protection des Données à     Poor enforcement
                      2013 & Law No. 2019-056 of 5    Caractère personnel (APDP-Mali)
                      December 2019

Mauritania            Loi n°2017-20                   Still to be established

Mauritius             Data Protection Act, 2017       Data Protection Commissioner ('DPC').
                      proclaimed through
                      Proclamation No.3 of 2018

Morocco               Law No. 09-08/2009              Commission Nationale de Protection des
                                                      Données Personnelles

Mozambique            None                            None

Namibia               Draft legislation               None                                     Draft legislation

Niger                 Loi n° 2017-28 - adopted        Haute Autorité de Protection des
                      30.4.2020                       Données à caractère Personnel (HADP)

Nigeria               The Nigerian Data Protection    NITDA
                      Regulations (NDPR)

Rwanda                Draft legislation               None                                     Draft legislation

Sao Tome & Principe   Law No. 03/2016 on the          ANPDP
                      Protection of Personal Data

Senegal               Law No 2008-12 of 25 January    Commission of Personal Data (CDP)        Poor enforcement
                      2008

Seychelles            The Data Protection Act - not   None
                      active

Sierra Leone          Draft legislation               None                                     Draft legislation

Somalia               None                           None

South Africa          Protection of Personal         Information Regulator                  Poor enforcement
                      Information Act 4 of 2013
                      (POPIA)

South Sudan           None                           None

Sudan                 None                           None

Tanzania              Draft legislation              None                                   Draft legislation

Togo                  Law No. 2019-014 Relating to   Togolese data protection authority
                      the Protection of Personal     ('IPDCP').
                      Data

Tunisia               Protection of Personal Data,   National Authority for Protection of   Poor enforcement
                      2004                           Personal Data (The Instance)

Uganda                Data Protection and Privacy    National Information Technology
                      Act, 2019                      Authority

Zambia                Electronic Communications      The Zambia Information and
                      and Transactions Act (ECTA),   Communication Technology Authority
                      2009

Zimbabwe              None                           None

Appendix B

Nigeria               Tanzania                Egypt                   South Africa

8: Xender             5: Xender               2: TikTok               6: TikTok
9: TikTok Lite        10: TikTok              3: PUBG Mobile          7: Shareit
23: TikTok            23: Emoji Keyboard      6: Shareit              17: InShot Video
27: InShot            41: Video Downloader    17: PUBG Mobile Lite    19: TikTok Lite
38: Emoji Keyboard    45: WPS Office          20: LOLita              39: QuVideo Editor
49: WPS Office        47: Mafia City          40: TikTok Lite         40: Emoji Keyboard
51: QuVideo Editor    46: All Downloader      49: AppLock             50: Block Puzzle
60: UC Browser        47: VMate               61: WPS Office          65: Sweet Fruit Candy
81: EnjoyMobi Video   68: InShot              62: U-Dictionary        73: Pooking Billiards
                      69: BeautyPlus          71: VideoShow
                      72: Sniper Shot 3D      78: MV Master
                      74: TikTok Lite         79: All Downloader
                      76: AppLock             84: CamScanner
                      78: QuVideo Editor      88: Pooking Billiards
                      89: Pooking Billiards   94: Lords Mobile
                      100: Prison Escape

These are the Chinese apps appearing in the Google play store in the four case study countries as of May 11th, 2020 (source: App Annie).

                                                                     Published 6 May 2021 by Oxford China International Consultancy
