Data Extraction by Chinese Phone Applications in Africa - An Analysis of Risks and Regulatory Protection - Oxford China International Consultancy
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Data Extraction by Chinese Phone Applications in Africa An Analysis of Risks and Regulatory Protection Huw Roberts, Kirra Evans, Charlotte Lenz
1
Executive Summary
Data extraction through mobile phone applications (apps) is increasingly commonplace globally. Extensive research has
been undertaken into data extraction in Europe and North America, however, research into the African context has
been limited. In this study, we consider how popular Chinese mobile phone apps within Africa are extracting user data,
the regulatory protections that are in place and the potential risks to citizens. To do this, we map out the privacy
regulations that have been introduced across African to understand the consumer protections that are in place. We then
analyse data on app downloads and the mobile handset market in Africa to gauge the prevalence of pre-installed and
manually downloaded Chinese mobile apps, and consider the potential risks associated with their use. In the nal
section of this report, we consider these risks in light of the regulations in place and assess how well protected African
users are from data extraction by Chinese mobile phone apps, categorising states into high-, medium- and low-risk. We
conclude by emphasising that high-risk states should introduce targeted data protection measures, and that medium-risk
states should work to improve enforcement mechanisms for existing regulations.
12
1 Introduction
Data extraction—the targeting and exploiting of substantial market share that Chinese companies have
personal data for commercial gains—is an increasingly in both the mobile handset and mobile apps markets.
[1]
common phenomenon globally. One way in which this
To investigate this topic, the structure of this report
takes place is by means of pre-installed and manually
will be as follows: rstly, it will outline the general state
installed mobile phone applications (apps). Many apps
of privacy legislation in Africa, including recent
that come pre-installed on mobile phone handsets
developments that have taken place and the gaps that
(so-called ‘bloatware’), have been shown to harvest and
still remain. e second section will consider the
leak personal information and can be extremely
Chinese apps that have been widely downloaded within
di cult or even impossible to delete.[2] For manually
a sample of African states, with the third section
installed apps, although users actively chose to
analysing the market conditions for mobile handset
download, they are o en unaware of what types of data
sales that provide Chinese app developers with a back
are being collected and processed, and by whom, with
door into the continent through bloatware. e nal
third party trackers particularly prevalent on free
section of the report outlines the harms that can come
apps.[3]
about when sections one and two are read together; it
A number of studies have considered how mobile apps will be stressed that Africa should not be considered a
[4]
are harvesting data in Europe and North America, the unitary actor but a space in which there are countries
harms that this can cause,[5] and the legal protections with high, medium and low risks in regard to the
[6]
that are in place to protect citizens. However, potential harms from data extraction. ose high and
minimal work has been done to understand the data medium-risk countries, that make up a signi cant
extraction taking place in Africa, in light of the portion of the continent, hold substantial data privacy
regulatory protections present. Given the widely held risks including the potential for unchecked data misuse
characterisation of Africa as a low-regulatory and insecurity. From this analysis, it is concluded that
environment with a relatively weak enforcement of both downloadable Chinese apps and pre-installed
[7]
privacy protections, this is an area which needs bloatware represent substantial data privacy risks on
exploring. e aim of this report is to engage with the the continent. Given this, there is a need for a
type of data extraction from mobile apps that is taking continued push for data protection legislation in
place in Africa and the potential harms that this could high-risk countries and improved enforcement in
cause, as well as the legal protections that are in place medium-risk states to ensure consumer protection
to protect citizens. Speci cally, this report will focus on
the harvesting of data from Chinese apps on the
continent. Chinese apps were chosen because of the
23
2 Data Privacy in Africa
To begin with, it is important to note that academic continent, legislation may have been added depending
literature on data privacy in the African context is still on the date at which this report is accessed. On top of
lacking, which reduces the potential for ade uately this, a number of countries have also dra ed
theorising about privacy concerns on the continent. legislation, even if they have no legislation currently in
Nonetheless, data privacy regulation is rapidly growing, action, as can be seen with Rwanda.[4]
with new legislation coming into existence consistently:
Transnational cooperation mechanisms also signal
the majority of these data privacy laws have been
e orts to multilaterally adopt data protection measures
introduced in recent years. However, considering that
on the continent. On the regional level, the Economic
cultural contexts lter into legislation, it is important
Community of West African States (ECOWAS)
to note how countries all over the world will respond
adopted a regional Data Protection Act in 2010,
to calls for data privacy in di erent ways. As Malkulilo
obliging member states to develop national data
argues, while “elements of individualisms” are now
protection legislation for collecting, processing, storing
commonplace on the African continent, the level of
and using data. is also included the establishment of
individualism remains di erent than in, for instance,
an independent agency responsible for data privacy
European countries.[1] In other words, data privacy in
compliance, codes of conduct, but allows an
Africa must be understood through relevant African
undetermined time to implement the Data Protection
contexts.
Act.[5] However, research su ests that without an
In regard to the legal protections a orded, all countries enforcement mechanism ensuring member states
on the African continent possess privacy clauses within compliance, harmonisation of data privacy laws is
their constitutions. Furthermore, several countries have unlikely.[6]
introduced speci c personal data privacy laws in recent
Another transnational e ort to ensure privacy
years: since 2016, data privacy legislation has passed in
protections is the African Union (AU) Convention on
13 African states, and legislation was dra ed in an
Cybersecurity and Data Protection, passed in 2014,
additional 3 countries (see Appendix a), which aligns
which seeks to create a common legislative framework
with other research on evolving attitudes towards data
for data protection among member states.[7]
[2]
privacy on the continent. In total, there are now at
Furthermore, 10 of the 14 French-speaking African
least 27 of the 54 African countries that have data
countries with national data privacy laws are part of a
protection regulations.[3] is paper emphasizes ‘at least’
global alliance in the domain of data privacy, the
as it is important to note that these statistics represent
Association Francophone des Autorités de Protection
information gathered in the last uarter of 2019. Since
des Données Personnelles (AFAPDP).[8] Finally, 2019
legislation is continuously being updated on the
34
saw the launching of the rst Africa Data Protection speci cally states that privacy will not be violated
and Privacy Conference, which brought together the without ‘reasonable cause’. Ghana also has a particularly
African Data Protection Network, Ghanaian state interesting caveat that says that privacy will not be
representatives and other stakeholders from thinks violated unless it violates the ‘economic well-being of a
tanks, NGOs and other organisations involved in data country.’ Both ‘reasonable cause’ and ‘economic
protection and cybersecurity.[9] well-being’ are extremely relative terms that are
dependent on the interpretation by the state and
2.1. Limitations of these measures
judicial system. If governments are particularly corrupt
Despite these positive developments, there are still a or have skewed priorities, judicial interpretation of
number of drawbacks to the measures that have been these caveats could end up violating privacy
introduced. Foremost, although privacy is a [10]
signi cantly. As a result, constitutional rights have
constitutional right across the continent, this does not practically provided few protections for individuals’
mean that data privacy is ade uately protected by data privacy on the continent,[11] something which is
constitutional clauses alone. Some of these privacy highly problematic given that half of the continent has
clauses protect a citizen’s right to privacy regarding not introduced speci c privacy legislation (see
their domicile but does not specify a right to privacy Appenidx a).
with regards to correspondence. is means that
Further, even when a state has introduced privacy
governments and companies are not allowed to violate
legislation, this is not necessarily a guarantee that
someone’s place of residence or home, but does not
individuals’ rights will be ade uately protected. Some
mean that an individuals’ right to privacy with regards
states lack the regulatory authority to enforce the
to data are guaranteed, since data can be collected
legislation, with no dedicated data protection authority
anywhere.
(DPA) being established or having outlined the
For those which do account for a more holistic notion establishment of an authority that is yet to start
of privacy, constitutional protections are typically operating (e.g. E uatorial Guinea). In other cases, even
dra ed in general terms and provide little speci c when authorities have been set up, enforcement
guidance as to how issues such as data protection remains an issue, with some states’ DPAs being
should be managed. In some cases, ambiguous caveats relatively inactive (e.g. Senegal and Tunisia).[12]
can be present, which are le open to judicial
interpretation. For example, Eritrea’s constitution has a
privacy clause in the form of Article 18. e clause
45
3 Chinese Apps in Africa
Against this legislative backdrop, Chinese apps are amounts of personal information and data security
widespread on the continent, collecting, processing and issues.[4] In India, intelligence services have gone as far
transferring personal information. When considering as labelling a range of top-downloaded apps on the list
the collection of data by Chinese apps in Africa, it is below, such as Shareit, BeautyPlus and uVideo, as
necessary to explore two areas: spyware or malware and su ested that all military
o cials do not download the apps.[5] More recently, the
i) e data collected by apps that are installed
Indian government banned 59 Chinese apps, including
by African users.
many on this list, on account of user information being
ii) e data collected by bloatware apps that
transferred abroad without authorisation.[6] ese
are pre-installed on phones.
actions need to be read in line with geopolitical
In terms of the prior, no data has been compiled that tensions between India and China; nonetheless, the
considers the most downloaded Chinese apps on the potential harms to privacy that these apps can cause
continent. Nonetheless, using a sample of top should not be downplayed. Two speci c examples of
downloads on the Google Play Store from four African Chinese apps in the top downloads above, TikTok and
countries, Nigeria, Tanzania, Egypt and South Africa, UC Browser, will be outlined below to show some of
shows that a number of Chinese apps are widely the potential privacy infringing practices that these
[1]
popular (Appendix b). ese countries are not meant apps can lead to.
to be representative of the continent as a whole but
3.1. TikTok
rather provide a snapshot from countries that are
geographically spread and have di ering relationships TikTok is a Chinese video-sharing social networking
with China. Within this sample, Chinese apps make up service, which has achieved global success, with over
for around 10-15% of popular downloads during May 700 million downloads in 2019.[7] In TikTok’s terms and
2020.[2] To put this in perspective, using the same conditions, the organization claims to collect the
method, US phone apps made up between 25-30% of the following data: usage information, device information,
market, whilst no other single country made up a location data, messages, metadata, cookies.[8] It also
substantial percentage.[3] e apps themselves vary in stipulates that TikTok that they scan and analyse
content but centre around video editing, social media information composed in messages,[9] including the
and mobile phone games. content and who the correspondence takes place
between. As can be seen with many other apps
A number of the apps present on this list have received
throughout the world, TikTok also uses cookies which
condemnation in di erent regions for their data
are o en used to provide users’ subscription
infringing practices, including re uesting unnecessary
56
information to business partners and service America have also a ed concerns with the company.
providers.[10] Whilst on the surface, there is nothing In May 2020, the Dutch Data Protection Authority
unusual about the type of data that TikTok’s terms and (DPA) launched an investigation into TikTok to
conditions, with Western technology companies determine whether the data collection practices are in
including similar clauses, the app has received breach of the General Data Protection Regulation
widespread scrutiny for its data collection, transfer and (GDPR).[15] e Dutch DPA underscore that, as de ned
processing practices. by the GDPR, children are a vulnerable group. Because
of this, they are seeking to determine whether the
Globally, lawsuits have emerged against TikTok
privacy policies of the app are easy to understand and if
because of data protection issues. For instance, a
parental consent is re uired for the collection, use and
class-action lawsuit was led in California in December
storage of children’s personal data, as is re uired under
2019 against Tiktok’s parent company, ByteDance. e
the GDPR for children under 16. Furthermore, recent
claimant argued that the company’s privacy policies
reports have shown TikTok as engaging in data
were ambiguous and that it took user content, such as
infringing practices. For instance, it was recently
dra videos, and transferred them to China without
highlighted that the company snooped on clipboard
users’ consent.[11] Certain lawmakers in the US have
data from Apple devices, which meant that the app was
gone even further, with Senator Josh Hawley
likely collecting sensitive information, such as personal
introducing a bill into the US Senate to prohibit the
messages or passwords, without users’ knowledge or
downloading of TikTok onto federal government
consent.[16] Conse uently, even with geopolitical
devices, citing an existing ban within the US army for
considerations accounted for, TikTok raises a variety of
the app to be downloaded.[12] Most recently, US
privacy concerns.
President Trump declared that TikTok represented a
national emergency and signed an executive order that 3.2. UC Browser
would lead the app to be banned in September 2020,[13]
Of the apps listed, UC Browser, a mobile web browser
though this did not materialise in practice.
app, is another that has faced public scrutiny because
Importantly, the concern of the US government is not
of a number of security aws over the past ve years.
necessarily that the data collection practices are more
Although this app is still relatively small in the African
pervasive than other apps, rather it is the perceived
browser market, accounting for 2% of the overall
leverage that the Chinese government has over
market,[17] this would still account for as many as 5.25
corporations domiciled within its territory, meaning
million users.[18] In 2015, an analysis by the Citizen Lab
that when data are collected, it is ambiguous as to who
in Toronto discovered a series of major security aws
will be able to access the data and to what ends.[14]
and privacy concerns in the Android version of UC
It should be stressed that US actions are likely Browser. ey found that the app leaked signi cant
in uenced by the geopolitical competition that is amounts of personal and personally-identi able data,
emerging with China, however, countries outside of meaning network operators or in-path actors on the
67
network could obtain users’ personally identi able Politically, there is a lack of transparency over the
information, such as geolocation data and search data, relationship between the Chinese government and
through observing unencrypted data or using simple Chinese companies. is problem was at the centre of
decryption.[19] Based on similar data security concerns, the 2019 Huawei-African Union controversy: as
UC Browser was probed by the Indian government in allegations of data being shipped from the African
2017 to determine whether these security aws were Union’s new head uarters to a data centre in Shanghai
[20]
present in the transfer of data from India to China. spread, Huawei became under increased scrutiny about
Research in 2019 by a Russian cyber security rm leaking data to the Chinese government, as it had
showed that UC Browser was still susceptible to similar provided the digital infrastructure for the building.[24]
man in the middle attacks outlined by the Citizen Lab Huawei claimed no wrongdoing for this incident and
in 2015, though now this was on account of sending other Chinese technology companies have been uick
updates over an unsecured http connection.[21] to claim that they would not provide the government
with user data. Nonetheless, some commentators have
3.3. Contextualising privacy concerns
highlighted that national security laws within China
is is not to say that all Chinese apps are harmful to mean that these companies would have little choice if
privacy, nor is this to say that the privacy harms caused such data were re uested,[25] leaving users of Chinese
by Chinese apps are necessarily uni ue, with American apps facing the potential for government access of their
companies also collecting, transferring and processing personal data.
[22]
extensive amounts of personal information.
Nonetheless, the security aws in a number of the
top-downloaded Chinese apps and their data
extraction practices, including but not limited to the
two case studies above, are noteworthy. Alongside this,
the relationship between the Chinese government and
the technology companies that produce the apps and
are domiciled within the China, raises important
uestions over government access to personal data.[23]
78
4 Chinese Mobile Handsets in
Africa
Alongside data collection by downloaded apps, it is companies in Africa, but also expected to remain
important to stress the role of data extraction by crucial actors in Africa’s phone market.
pre-installed ‘bloatware’ apps on Chinese handsets.
4.1. Data collection by Transsion and
China has been increasingly dominating the African
pre-installed apps
technology sector, including the mobile phone
industry. ree key Chinese phone companies are is market position for Chinese phones and in
present in the market: Huawei, Transsion and ZTE. Of particular, Transsion’s Tecno, is important to emphasise
particular note is Transsion, which owns the brands because of the data extraction that it facilitates. e
Tecno, Itel and In nix, that together make up 60% of type of data being collected by a company can be
the feature phone market and 30% of the smartphone wide-ranging, especially if hardware and so ware are
market in Africa.[1] Sub-Saharan is expected to remain linked to the same company, as is the case with Tecno
the fastest growing region in Africa, with 5 countries phones. is can include location tracking (even when
(Nigeria, Ethiopia, DRC, Tanzania, Kenya) expected to users are not actively using the function),[6] names, user
provide nearly 170 million new subscribers by 2025:[2] habits, ngerprints, photos, credit card details, email
with the exception of the DRC, Transsion dominates addresses, amongst others. While this is not speci c to
the phone market in the 4 other countries through its Transsion/Tecno (Android phones and Google share a
subsidiary Tecno. is market success is not chance; similar relationship), it is still pertinent to realise the
Chinese mobile companies have been e ective at scope of data which can be potentially collected.
accommodating the speci c needs of African Typically, this data collection is used for functionality
consumers. For instance, Transsion subsidiaries have but is also used to track users behaviours to identify
produced phones that re ect consumer price point,[3] patterns and create a pro le of a user, so as to target
have provided keyboards with the local languages of them with advertisements closer to their pro le. As the
Amharic, Swahili and Hausa,[4] and also adapted phone privacy policies of Tecno mobile,[7] Huawei,[8] but also
cameras to be particularly complimentary towards Samsung[9] or Apple[10] explain, data can be collected to
darker skin tones.[5] Chinese companies, and Transsion provide more targeted advertisements. is is
in particular, are thus not only the leading phone particularly visible in Tecno phones, for which
advertisements are included into two of their
developed so ware (TECNO’s HiOS and In nix’
XOS).[11] ese advertisements function by promoting
89
‘instant apps’, games that users can play without data and technical data.[18] As mentioned, the leverage
download re uirements, mixed in with promoted that the Chinese government has over domestically
third-party apps that it su ests users install. domiciled countries raises uestions surrounding data
misuse in light of the Huawei-African Union scandal.
On top of this, dominating the mobile phone market
at being, there is scant evidence of the Chinese
means that African consumers are subjected to the
government using its position to access data collected
same pre-installed apps (‘bloatware’) on
by apps.
Transsion-subsidiary phones. Bloatware has two key
e ects on the African mobile app market: it promotes More importantly, even if an individual chooses not to
certain pre-installed apps which facilitates market use bloatware apps, privacy infringements can still take
share and more problematically, the apps o en collect place through tacit data collection without consent. It
data without consent and are extremely di cult to is infamously di cult to uninstall bloatware from
uninstall. handsets and for certain apps, impossible. is is
problematic, as even when these apps are dormant in
In regard to the rst, a range of Chinese apps are
the background, many are still actively collecting and
pre-installed upon purchase of Transsion-subsidiary
transferring personal information. As was shown in a
phones, such as China Literature, an app that provides
Privacy International report, pre-installed apps on
and sells literatures,[12] and Vskit, a popular video
cheap handsets can collect a range of personal
editing app.[13] One of the success stories of Transsion
information, including name and date of birth, and
bloatware is Boomplay, a streaming service that claims
transfer this data unencrypted.[19] Whilst it was beyond
to be one of the fastest growing apps on the African
the scope of this paper to test the Tecno bloatware
continent.[14] A er signing a licensing deal with Sony
apps, including those mentioned above, a number of
Music Entertainment, Boomplay was able to surpass 60
studies have shown how pre-installed Tecno apps come
million users across the continent,[15] including Kenya,
with security vulnerabilities[20] and collect substantial
Senegal, and Zambia, amongst others.[16] Whilst
amounts of personal information.[21] Moreover, recent
causality cannot be solely attributed to its pre-installed
reports have su ested that some pre-installed malware
nature, it is extremely likely that this was a major
on Tecno handsets which fraudulently funnelled money
bene t in the app accruing market share.[17] In turn, this
from users’ airtime and data recharges, something that
has provided Boomplay with a wealth of consumer data
Transsion now claim is resolved.[22]
on the continent, which according to its terms and
conditions, includes identity data, contact data, online
presence data, nancial data, transaction data, content
data, marketing and communications data, behavioural
910
5 Threats to Data Privacy
To understand the threats to data privacy that Chinese countries have relatively stable governments but have
apps pose in Africa, it is necessary to contextualise simply been slow to establish a personal data
these threats in light of African data protection protection law. Still, examples such as these should be
frameworks. However, as was stressed in section 1, taken seriously especially since there are 27 countries
Africa is not a unitary actor nor is there a (approximately hal ) on the continent that fall into this
continent-wide data protection framework comparable category. is category includes countries such as
to the GDPR in place. Accordingly, the risk to Burundi, Central African Republic and the Democratic
individuals from Chinese apps needs to be considered Republic of Congo.
in light of the national data protection frameworks.
An absence of a data privacy framework enables apps
Rather than assessing each country individually, the
to collect, use and transfer personal information
remainder of this section will categorise countries into
without prior consent being obtained by the
high-, medium- or low-risk, based on the types of
individual. is allows companies to sell personal data
protections a orded (see Appendix a for full list).[1]
and use it in multiple ways without the user being
A rst category of countries can be perceived as informed. For apps, this could entail various data types,
high-risk. ese are states that possess no speci c data including location data, contacts, microphone data and
protection legislation while also lacking a signi cant many more, all of which can be used and sold to build
regulatory authority. For some of these countries, there consumer pro les. One telling example of the type of
is a lack of data as to whether said states possess any of harm this can cause is in the political sphere, where
these re uirements. Some high-risk countries are data collection through the Facebook and Cambridge
plagued by varying levels of instability as a result of Analytica scandal, could have in uenced the results of
inade uate governments, which can account for weak elections in Nigeria (in 2007 and 2015) and Kenya (in
protections. One such example is Somalia, which has 2013 and 2017).[4] e absence of any regulatory
lacked a central government since President Siad Barre framework for data collection was, in both cases,
was ousted in 1991.[2] Despite Somalia’s instability, the identi ed as the main reason why Cambridge
country still possesses fast internet speeds, a strong Analytica was able to access to government-held data.
presence of mobile money and a thriving Another is that data security is not guaranteed. at is,
[3]
telecommunications sector. In other words, it cannot alongside those personal data that are sold, there are no
simply be dismissed as a ‘failed state’ that possesses no re uirements to inform users of data breaches or to
risk for data extraction. However, instability is not an punish companies for poor security. is can facilitate a
overarching characteristic of all these countries. Some number of types of data misuse, ranging from spam to
fraud.
1011
A second category of countries can be considered as against the aviation industry on account of breaching
medium risk. ese states have enacted some form of the Ghanaian Data Protection Act.[7] Other examples of
data protection, however, have relatively weak low risk countries include Morocco and Mauritius.
enforcement mechanisms. is could include the
absence of a speci c DPA (which may also be in the
process of being established) or the presence of a DPA
6 Conclusion
without having data protection laws that specify what
data in particular is being protected.[5] is category
Complaints have been made about opa ue data
also includes countries that may possess dra
collection by Chinese apps globally and a number of
legislation or are in the process of establishing a DPA.
Western phone brands come with pre-installed
Such countries include E uatorial Guinea and Egypt.
bloatware, raising the uestion of what is uni ue about
Finally, this category includes states that have data
Chinese apps within Africa. We argue that it is a
protection legislation and a DPA in place but have a
combination of the generally weak data privacy
poor history of DPA activity or enforcement of
protections, the dominance in the mobile handset
legislation. ese countries include Angola, Cape
market by Chinese companies and the opa ue
Verde, Madagascar, Mali and South Africa.[6] ese
government-corporate relations in China that makes
environments su er from many of the same risks above
the situation in Africa particularly worrisome.
but due to the practices being illicit, there is greater
Although data privacy protections on the continent are
onus on companies not to breach laws. Nonetheless, the
continually improving, work still needs to be done.
absence of an active or e ective regulatory enforcer
African states should continue their push for data
raises uestions over the extent to which individuals’
protection, with urgency, to ensure that individuals
data will be protected in light of an infringement. is
across the continent are protected. at being said,
is a particularly important aspect to consider as it
Africa is not a unitary actor and the levels of
emphasises that it is not enough for countries to
protection di er across the continent. It is particularly
establish data privacy legislation or DPAs; enforcement
important for those countries that we categorised as
remains just as important in order to create an
high-risk, on account of an absence of speci c privacy
environment with ade uate privacy protections.
protections, to develop ade uate privacy legislation and
e third category are countries that can be considered medium-risk states to continue developing their
low risk. In these countries, there is a constitutional enforcement capacities.
privacy protection, speci c legislation with regards to
data protection and a functioning data protection
authority, who have o en been willing to act against
breaches of data privacy. Ghana is a good example of
this: their data protection authority (the Data
Protection Commission) has recently taken action
1112
Footnotes
1
[1] Kane,Y.I. & Thurm,S. 2010. ‘Your Apps Are Watching You’. The Wall Street Journal. At:
https://www.wsj.com/articles/SB10001424052748704368004576027751867039730
[2] Privacy International, 2019. ‘Buying A Smartphone on The Cheap? Privacy might be the Price you have to Pay’. At:
https://privacyinternational.org/long-read/3226/buying-smart-phone-cheap-privacy-might-be-price-you-have-pay
[3] Privacy International. 2018. ‘How Apps on Android Share Data With Facebook (Even if you don’t have a Facebook Account)’ At:
https://privacyinternational.org/sites/default/files/2018-12/How%20Apps%20on%20Android%20Share%20Data%20with%20Facebook%20-%20Privac
y%20International%202018.pdf
[4] Binns,R. et al, 2018. ‘Third Party Tracking in the Mobile Ecosystem’, ArXiv. At: https://arxiv.org/pdf/1804.03603.pdf
[5] Michael,T. 2019. ‘Data Privacy and Security: Why Mobile Apps are the New Weak Link’, Info-security magazine, At:
https://www.infosecurity-magazine.com/next-gen-infosec/privacy-mobile-apps-weak-link-1-1/
[6] Fritsch,L. et al. 2019. ‘Did App Privacy Improve After the GDPR?’ , IEEE Security and Privacy, At:
https://ieeexplore.ieee.org/abstract/document/8845749
[7] Quazi, R, M. 2014. ‘Effects of corruption and regulatory environment on foreign direct investment: A case study of africa.’ Global Journal of
Business Research, Vol 8, Issue 4.Pg 51-60 At: https://econpapers.repec.org/article/ibfgjbres/v_3a8_3ay_3a2014_3ai_3a4_3ap_3a51-60.htm
2
[1] Makulilo, A. (2016) “A Person Is a Person through Other Persons”—A Critical Analysis of Privacy and Culture in Africa. Beijing Law Review, 7, 194.
[2] Ibid, 192-204.
[3] See Appendix a
[4] Sabiiti,D. 2019. ‘Rwanda Working On A Personal Data Protection Law’ ,KT Press, At:
https://www.ktpress.rw/2019/07/rwanda-working-on-a-personal-data-protection-law/#:~:text=Rwanda%20is%20currently%20drafting%20law,that%2
0use%20data%20for%20business.
[5] Economic Community Of West African States ( ECOWAS) , At:
http://www.tit.comm.ecowas.int/wp-content/uploads/2015/11/SIGNED-Data-Protection-Act.pdf?hdjeknglfkngdbaa
[6] Orji, U.J. (2017). Regionalizing data protection law: a discourse on the status and implementation of the ECOWAS Data Protection Act. International
Data Privacy Law, 7(3), p. 179.
[7] African Union Convention on Cyber Security and Personal Data Protection, 2014.
https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf
[8] Members of the AFAPDP, At: https://www.afapdp.org/lafapdp/membres
[9] https://ardppc.com/eng/
1213
[10] Fombad, C. M. 2007. "Challenges to constitutionalism and constitutional rights in Africa and the enabling role of political parties: Lessons and
perspectives from Southern Africa." The American Journal of Comparative Law 55, no. 1: 1-45.
[11] Makulilo, A. B., 2016. African data privacy laws. Springer International Publishing.
[12] Deloitte, ‘Privacy is Paramount: Personal Data Protection in Africa.’ N.d., At:
https://www2.deloitte.com/content/dam/Deloitte/za/Documents/risk/za_Privacy_is_Paramount-Personal_Data_Protection_in_Africa.pdf
3
[1] These are the Chinese apps appearing in the Google play store in the four case study countries as of May 11th, 2020.
[2] To ensure that this was not an anomaly, this figure was cross-referenced with app ranking over the past 12 months which showed consistent
findings.
[3] It is important to highlight that country headquarters data were missing for a number of apps, suggesting that the percentage of US and Chinese
was likely higher in practice.
[4] Khan,D. & Sangani,P. 2019. ‘Chinese apps seek excessive information from Users : Survey’, Economic Times, At:
https://economictimes.indiatimes.com/tech/internet/chinese-apps-seeking-way-more-information-than-needed-survey/articleshow/67633562.cms?fr
om=mdr
[5] FE Online, 2020. ‘Government reportedly lists 42 Chinese apps as dangerous including Truecaller, UC browser, Mi Store : Check if your phone has
any of them, Financial Express, At:
https://www.financialexpress.com/industry/technology/government-reportedly-lists-42-chinese-apps-as-dangerous-including-truecaller-uc-browser-m
i-store-check-if-your-phone-has-any-of-them/954335/
[6] ET Bureau, 2020. ‘India Bans 59 Chinese Apps including TikTok, WeChat, Helo’ The Economic Times, At:
https://economictimes.indiatimes.com/tech/software/india-bans-59-chinese-apps-including-tiktok-helo-wechat/articleshow/76694814.cms
[7] Iqbal,M. 2020. ‘TikTok Revenue and Usage Statistics’, Business of Apps, At: https://www.businessofapps.com/data/tik-tok-statistics/
[8] TikTok Privacy Policy, At: https://www.tiktok.com/legal/privacy-policy?lang=en
[9] Ibid
[10] Ibid
[11] Paul, K. 2019 TikTok accused in California lawsuit of sending user data to China, Reuters, At:
https://www.reuters.com/article/us-usa-tiktok-lawsuit/tiktok-accused-in-california-lawsuit-of-sending-user-data-to-china-idUSKBN1Y708Q
[12] Sherman, J. 2020, Unpacking TikTok, Mobile Apps and National Security Risks , Lawfare
https://www.lawfareblog.com/unpacking-tiktok-mobile-apps-and-national-security-risks
[13] Robertson, A. 2020. The big legal questions behind Trump’s TikTok and WeChat bans. The Verge. At:
https://www.theverge.com/2020/8/10/21358505/trump-tiktok-wechat-tencent-bytedance-china-ban-executive-order-legal-sanctions-rules
[14] Kharpal, A. 2019. Huawei says it would never hand data to China’s government. Experts say it wouldn’t have a choice. CNBC.
https://www.cnbc.com/2019/03/05/huawei-would-have-to-give-data-to-china-government-if-asked-experts.html
[15] Autoriteit Persoonsgegevens, 2020. ‘Dutch Data Protection Authority to Investigate TikTok’ , At:
https://autoriteitpersoonsgegevens.nl/en/news/dutch-data-protection-authority-investigate-tiktok
[16] Goodin,D. 2020. ‘TikTok and 32 Other IOS Apps still snoop your sensitive clipboard data’, ARS Technica, At:
https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-ios-apps-still-snoop-your-sensitive-clipboard-data/
[17] StatsCounter GlobalStats -https://gs.statcounter.com/browser-market-share/mobile/africa
1314
[18] Campbell,J. 2019. ‘Last Month, Over Half-a-Billion Africans Accessed the Internet’ , Council on Foreign Relations, At:
https://www.cfr.org/blog/last-month-over-half-billion-africans-accessed-internet
[19] Dalek,J. et al, 2015. ‘A Chatty Squirrel : Privacy and Security Issues with UC Browser’ , The Citizen Lab, At:
https://citizenlab.ca/2015/05/a-chatty-squirrel-privacy-and-security-issues-with-uc-browser/
[20] Tech2 News Staff, 2017. ‘ UC Browser Is Being Probed By The Indian Government for Sending User Data to China : Report’, Firstpost, At:
https://www.firstpost.com/tech/news-analysis/uc-browser-probed-by-government-for-sending-user-data-to-china-report-3962511.html
[21] Tung,L. 2019. ‘ Millions of Android users beware : Alibaba’s UC Browser can be used to deliver malware’ , ZDNet, At:
https://www.zdnet.com/article/millions-of-android-users-beware-alibabas-uc-browser-can-be-used-to-deliver-malware/
[22] Binns,R. et al, 2018. ‘Third Party Tracking in the Mobile Ecosystem’, ArXiv. At: https://arxiv.org/pdf/1804.03603.pdf
[23] It should be stressed that not all apps will store all users’ data in mainland China servers. However, the lack of cloud infrastructure in Africa
suggests that the continent is particularly vulnerable to such storage.
[24] Sherman,J. 2019. ‘ What’s The Deal With Huawei and This African Union Headquarters Hack?’ , New America, At:
https://www.newamerica.org/cybersecurity-initiative/c2b/c2b-log/whats-the-deal-with-huawei-and-this-african-union-headquarters-hack/
[25] Kharpal, A. 2019. ‘Huawei says it would never hand data to China’s government. Experts say it wouldn’t have a choice.’ , CNBC, At:
https://www.cnbc.com/2019/03/05/huawei-would-have-to-give-data-to-china-government-if-asked-experts.html
4
[1] Umeh,E. 2019. ‘In Africa, Chinese competitors will hurt Facebook’s Libra’, The Africa Report, At:
https://www.theafricareport.com/17555/in-africa-chinese-competitors-will-hurt-facebooks-libra/
[2] GSM Association, The Mobile Economy of Sub-Saharan Africa 2019, p. 4
https://www.gsmaintelligence.com/research/?file=36b5ca079193fa82332d09063d3595b5&download#page=4
[3] Marsh,J. 2018. ‘ The Chinese Phone Giant That Beat Apple to Africa’, CNN Business, At:
https://edition.cnn.com/2018/10/10/tech/tecno-phones-africa/index.html
[4] Ibid
[5] Tosin, 2017. ‘Africans have problem with selfie because of black skin -Tecno producer’ , The Herald News, At:
https://www.herald.ng/africans-problem-selfie-black-skin-tecno-producer/
[6] Lindsey, N. 2018. ‘Google Data Collection Is More Extensive and Intrusive Than You Ever Imagined’, CPO Magazine, At:
https://www.cpomagazine.com/data-privacy/google-data-collection-is-more-extensive-and-intrusive-than-you-ever-imagined/
[7] Tecno Mobile Privacy Policy, At: https://www.tecno-mobile.com/privacy-policy/#/
[8] Huawei Privacy Policy, At: https://consumer.huawei.com/uk/privacy/privacy-policy/
[9] Samsung Privacy Policy, At: https://www.samsung.com/us/account/privacy-policy/
[10] Apple Privacy Policy, At: https://www.apple.com/legal/privacy/en-ww/
[11] Maina, S. ‘Transsion Holdings - a Teardown of the company that controls Africa’s mobile phone industry’. 4..04.2019.
https://gadgets-africa.com/2019/04/04/transsion-holdings-teardown/
[12] Olukotun, ‘Transsion Mobile phones will now have China Literature’s app installed on all its mobile phones sold in Africa’, Innovation village,
13.06.2019. https://innovation-village.com/transsions-mobile-phones-will-now-china-literatures-app-installed-on-all-its-mobile-phones-sold-in-africa/
[13] Ran,B. & Jing,Y. 2019. ‘Chinese video apps making inroads into global markets’ , CGTN, At:
https://news.cgtn.com/news/2019-11-09/Chinese-video-apps-making-inroads-into-global-markets-Ltq898Kg0g/index.html
1415
[14] Umeh, E. 2019. ‘In Africa, Chinese competitors will hurt Facebook’s Libra’, The Africa Report, At:
https://www.theafricareport.com/17555/in-africa-chinese-competitors-will-hurt-facebooks-libra/
[15] Cohen,C. 2019. ‘Africa’s Boomplay Reaches 62 Million Users Major Labels + Merlin Now on Board’, Digital Music News, At:
https://www.digitalmusicnews.com/2019/12/10/boomplay-reaches-62-million-users-merlin-on-board/
[16] Digital News Africa, 2019. ‘ Boomplay and Sony partner on Africa content’ , BizCommunity, At:
https://www.bizcommunity.africa/Article/410/16/198093.html
[17] Olukotun,O. 2019. ‘Transsion’s Mobile Phones Will Now Have China Literature’s App Installed On All Its Mobile Phones Sold in Africa’, Innovation
Village, At: https://innovation-village.com/transsions-mobile-phones-will-now-china-literatures-app-installed-on-all-its-mobile-phones-sold-in-africa/
[18] Boomplay Terms & Conditions, At: https://www.boomplaymusic.com/webitem/conditions
[19] Privacy International, 2019. ‘Buying A Smartphone on the Cheap? Privacy Might be the Price you have to Pay’. At:
https://privacyinternational.org/long-read/3226/buying-smart-phone-cheap-privacy-might-be-price-you-have-pay
[20] Kryptowire, 2019, ‘Android Firmware Vulnerabilities’, At: https://www.kryptowire.com/android-firmware-2019/
[21] Gamba, J. et al. 2019. An Analysis of Pre-installed Android Software. ArXiv. https://arxiv.org/abs/1905.02713
[22] Kazeem, Y. 2020. A probe has found click fraud malware on Chinese-made phones from Africa’s leading seller. Quartz, At:
https://qz.com/africa/1896868/chinas-transsion-denies-africa-mobile-malware-fraud-profits-up/
5
[1] Said categories are based on data privacy legislation that has been officially implemented and the documented work of enforcement bodies. This
means that draft legislation and that which focuses on data privacy incidentally (e.g. cybersecurity legislation) were not considered in the
categorisation. Accordingly, they should be read as guiding rather than definitive.
[2] Stremlau, N. 2019. ‘Governance Without Government in the Somali Territories’, Journal of International Affairs, At:
https://jia.sipa.columbia.edu/governance-without-government-somali-territories
[3] Ibid
[4] Kwamboka,L. 2018. ‘After the Facebook-Cambridge Analytica Scandal , can we talk about data privacy in Africa now?’ , Quartz Africa, At:
https://qz.com/africa/1245876/facebook-cambridge-analytica-scandal-heralds-better-data-privacy-in-nigeria-kenya-other-african-countries/
[5] Note, in some of these cases related laws, such as those in regard to cybersecurity, provide some guidance.
[6] Deloitte, ‘Privacy is Paramount: Personal Data Protection in Africa.’ n.d., At:
https://www2.deloitte.com/content/dam/Deloitte/za/Documents/risk/za_Privacy_is_Paramount-Personal_Data_Protection_in_Africa.pdf
[7] Ibid
1516
Appendices
Appendix A
Personal Data Protection Law Data Protection Authority (DPA) Comments Risk
(as of May 2020) Level
Algeria Loi n° 18-07 du 10 Juin 2018 Autorité Nationale de protection des
données à caractère personnel
Angola Law no.22/11,17 June 2011 Agência de Proteção de Dados (APD) Poor enforcement
Benin Loi n° 2017-20 (The Digital Autorité de Protection des Données
Code) Personnelles (APDP)
Botswana The Data Protection Act – Act Still to be established Legislation not enacted
No. 32 of 2018
Burkina Faso Loi n° 010-2004/AN Commission de l’Informatique et des
Libertés (CIL)
Burundi None None
Cabo Verde Data Protection Law (Law Comissão Nacional de Proteção de Dados Poor enforcement
133/V/2001 ) Pessoais (CNPD)
Cameroon None None
Central African Republic None None
Chad Law 007/PR/2015 on the Agence Nationale de Sécurité et de
Protection of Personal Data Certification Electronique (ANSICE)
Comoros None None
Republic of Congo None None
Côte D'Ivoire Loi n° 2013-450 du 19 juin Autorité des régulations des
2013 Télécommunications de Côte D'Ivoire
(ARTCI)
Djibouti None None
DRC None None
Egypt Data Protection Law Personal Data Protection Centre Not yet established
Equatorial Guinea Law No. 1/2016 DPA - Data Protection Authority Not yet established
Eritrea None None
Kingdom of Eswatini Data Protection Bill 2017 None
Ethiopia None None Draft legislation
1617
Gabon Loi n°001/2011 CNPDCP
The Gambia None None
Ghana Data Protection Act (Act No. Data Protection Commission
843) 2012 ('Commission')
Guinea None None
Guinea-Bissau None None
Kenya Data Protection Act, 2019 Data Protection Commissioner (DPC)
Lesotho Data Protection Act 2012 Data Protection Commission
Liberia None None
Libya None National Authority for Information
Security and Safety(NIISA)
Madagascar Data Protection Law, Commission malagasy sur l’informatique Poor enforcement
2014-38/Loi No. 2014-38 et les libertés (CMIL)
Malawi None None
Mali Law No. 2013-015 of 21 May Autorité de Protection des Données à Poor enforcement
2013 & Law No. 2019-056 of 5 Caractère personnel (APDP-Mali)
December 2019
Mauritania Loi n°2017-20 Still to be established
Mauritius Data Protection Act, 2017 Data Protection Commissioner ('DPC').
proclaimed through
Proclamation No.3 of 2018
Morocco Law No. 09-08/2009 Commission Nationale de Protection des
Données Personnelles
Mozambique None None
Namibia Draft legislation None Draft legislation
Niger Loi n° 2017-28 - adopted Haute Autorité de Protection des
30.4.2020 Données à caractère Personnel (HADP)
Nigeria The Nigerian Data Protection NITDA
Regulations (NDPR)
Rwanda Draft legislation None Draft legislation
Sao Tome & Principe Law No. 03/2016 on the ANPDP
Protection of Personal Data
Senegal Law No 2008-12 of 25 January Commission of Personal Data (CDP) Poor enforcement
2008
Seychelles The Data Protection Act - not None
active
Sierra Leone Draft legislation None Draft legislation
1718
Somalia None None
South Africa Protection of Personal Information Regulator Poor enforcement
Information Act 4 of 2013
(POPIA)
South Sudan None None
Sudan None None
Tanzania Draft legislation None Draft legislation
Togo Law No. 2019-014 Relating to Togolese data protection authority
the Protection of Personal ('IPDCP').
Data
Tunisia Protection of Personal Data, National Authority for Protection of Poor enforcement
2004 Personal Data (The Instance)
Uganda Data Protection and Privacy National Information Technology
Act, 2019 Authority
Zambia Electronic Communications The Zambia Information and
and Transactions Act (ECTA), Communication Technology Authority
2009
Zimbabwe None None
Appendix B
Nigeria Tanzania Egypt South Africa
8: Xender 5: Xender 2: TikTok 6: TikTok
9: TikTok Lite 10: TikTok 3: PUBG Mobile 7: Shareit
23: TikTok 23: Emoji Keyboard 6: Shareit 17: InShot Video
27: InShot 41: Video Downloader 17: PUBG Mobile Lite 19: TikTok Lite
38: Emoji Keyboard 45: WPS Office 20: LOLita 39: QuVideo Editor
49: WPS Office 47: Mafia City 40: TikTok Lite 40: Emoji Keyboard
51: QuVideo Editor 46: All Downloader 49: AppLock 50: Block Puzzle
60: UC Browser 47: VMate 61: WPS Office 65: Sweet Fruit Candy
81: EnjoyMobi Video 68: InShot 62: U-Dictionary 73: Pooking Billiards
69: BeautyPlus 71: VideoShow
1819
72: Sniper Shot 3D 78: MV Master
74: TikTok Lite 79: All Downloader
76: AppLock 84: CamScanner
78: QuVideo Editor 88: Pooking Billiards
89: Pooking Billiards 94: Lords Mobile
100: Prison Escape
These are the Chinese apps appearing in the Google play store in the four case study countries as of May 11th, 2020 (source: App Annie).
Published 6 May 2021 by Oxford China International Consultancy
19You can also read
