In January this year, Kenya’s High Court halted the roll-out of the country’s controversial biometric ID, the Huduma Namba, citing the lack of a regulatory framework to protect the privacy of citizens.
Once distribution is complete before the end of 2021, Kenyans will need the ID – which holds their fingerprints, contact details and occupational information – to access government services. When asked in 2019 why the government was pursuing the project, Kenya’s Information and Communication Technology Principal Secretary, Jerome Ochieng, responded, “Data is the new oil.”
According to the World Bank, Africa is home to roughly half of the estimated one billion people in the world who are unable to prove their identities. To help remedy that, the World Bank has mobilised more than $1.2bn to support ID projects in 45 countries.
Nearly every African country with a stable government now has active biometric ID programmes in place or under way, according to ID4Africa, with South Africa and Nigeria’s biometric IDs among the most developed.
The eagerness of African governments to build biometric ID systems, coupled with the wealth of international funds available, makes Africa a ripe and coveted market for biometric ID providers.
But data protection experts and watchdogs are raising concerns that gaps in Africa’s legal and regulatory ecosystem leave citizens, including vulnerable LGBTQ communities, exposed to privacy abuses.
Activists also argue that Africa’s ID programmes could also be harnessed to facilitate the deportation of migrants and refugees from Europe.
The case for biometric ID for everyone
ID’s capacity as a tool for development is beyond question. In 2010, the World Bank discovered a direct correlation between a lack of identity and lack of development.
“We felt the digital divide was going to become greater, creating a potential humanitarian issue,” says Joseph Atick, formerly of the World Bank, now executive chairman of ID4Africa, an association that brings together ID companies, African governments and donors.
“In a world that’s becoming more digital, you cannot exist by being invisible,” he told Al Jazeera.
Atick says a digital identifier allows citizens to access government services, move freely and transact without friction.
But do digital IDs have to be biometric – that is, contain biological characteristics like fingerprints, iris scans, facial patterns or voice cadence – to be effective?
In a world that's becoming more digital, you cannot exist by being invisible.
Atick insists that biometrics offer necessary “uniqueness”. Many African states have incomplete citizen registries, meaning that people without birth certificates, or a biometric identifier, cannot prove their identity. In sub-Saharan countries, for example, rural birth registration for children under five is less than 50 percent.
But watchdogs like Privacy International (PI) argue that centralised databases are intrusive to privacy, and unnecessary if the goal is for citizens to access public services.
PI Programme Director Ilia Siatitsa advocates for storing data locally, and limiting its application to authentication – ensuring a person is who they claim to be. “It prevents the use of the same biometric data for the far more intrusive process of identification, which allows the authorities to find the identity of a person when it is not known,” she says.
The data protection landscape in Africa
“Biometric ID doesn’t expire,” says Teki Akuetteh, a Ghana-based lawyer specialising in IT and telecoms, and the founder of the Africa Digital Rights’ Hub. “So where is that information sitting? How will it be processed? How will it be securitised?” she asks.
Akuetteh developed legislation for Ghana’s 2012 Data Protection Act and established the country’s data protection commission. Despite her achievements, she says that Ghana and its continental neighbours still lack comprehensive policies to protect individual privacy.
“The focus has unfortunately been more on the ID than the impact on the people,” she tells Al Jazeera.
About 25 countries in Africa have a data protection law, but few have a data protection authority well-funded enough to enforce it.
Atick has encountered cases in which an authority is in place, but is not independent.
“[This] does not give us comfort that they are watchdogs, protecting the interests of the general public,” he said.
The focus has unfortunately been more on the ID than the impact on the people.
Without independent regulatory bodies, systems are vulnerable to “function creep”, in which data collected for one purpose is used for another.
Citizens in Europe are protected from function creep by the General Data Protection Regulation (GDPR).
The second principle of GDPR is “purpose limitation“, a requirement that personal data be collected for specific purposes, and not further processed in a manner incompatible with those purposes.
But African states contracting ID systems with EU funds do not have to abide by European data laws – only their national data laws.
Europe’s objectives for ID in Africa
Last month, PI released a report raising concerns that ID projects in Senegal and Ivory Coast funded by the European Union Emergency Trust Fund for Africa (EUTF), an EU financial aid instrument, diverged from international data protection standards. It also warned that the systems could be used to facilitate deportations from the European Union (EU).
The contracts to modernise the countries’ civil registries, amounting to 60 million euros ($72.66m), were awarded to Civipol, a consulting firm for France’s interior ministry part-owned by arms producers Thales, Airbus DS, and Safran, and will be implemented in Senegal with the help of Belgium’s development agency, Enabel.
In an email to Al Jazeera, Enabel said it had no access to identity management systems developed by Senegal. A spokesperson added that Enabel is not in favour of “a generalization of biometrics at other levels than the ID management”.
Civipol did not respond to a request for further information on its operations in West Africa.
The EUTF for Africa was founded in 2015, at the height of the so-called “migrant crisis” for “stability and addressing root causes of irregular migration and displaced persons in Africa”.
Raphael Shilhav, an Oxfam policy adviser, authored a report on the fund, and argues that it mixes up development objectives, which are in the interest of recipient countries, with migration management objectives, which are in the interest of the EU.
“The problem is when [the objectives] are contradictory,” Shilhav told Al Jazeera. “Who prevails?”
The report revealed that European government and commission officials allocated budgets to specific regions in accordance with the nationalities arriving from across the Mediterranean. They also expressed a desire to use the fund to enhance deportation efforts.
With regard to the EUTF projects in Senegal and Ivory Coast, Shilhav says that regardless of whether biometric data is shared with EU authorities to deport migrants from Europe, the EU would only be willing to fund the projects if the recipient country agreed to accept returnees.
“It’s a political conditionality,” he says.
The risk to vulnerable populations
Achieng Akena, Kampala-based executive director of the International Refugee Rights Initiative (IRRI), argues that the risks to migrants’ privacy within EU-funded ID systems is enormous. For her, it comes down to consent.
“If you’re making a biometric register in my country, I’m giving consent to access services here. So, under which mechanism can that data be transferred to a European government and used against me?” she asks.
Akena points out that it is not just states that employ biometrics to trace citizens. The United Nations High Commissioner for Refugees (UNHCR) launched a biometric registry in 2017 to help fairly distribute aid to refugees.
But Akena worries that vulnerable migrants and refugees are not in a position to refuse food and medicine if they do not want their fingerprints or irises scanned. “It’s not neutral,” she says.
It's because they wanted the data. It was an economic imperative.
In Ethiopia, which hosts 900,000 displaced people, most of whom fled conflict in Eritrea, Somalia, Sudan and Yemen, refugees voiced concerns that their data would be shared with third parties, but feared exclusion from services if they declined to consent to prints, according to research by Global Voices.
There are approximately 18 million displaced people in Africa, many of whom have crossed multiple borders, navigated checkpoints and passed through refugee camps.
Akena argues that the subsequent digital trail could influence asylum decisions, or rule out any chance of gaining citizenship outside a country of origin. In Kenya, the World Bank reported that officials are able to cross-check fingerprints of anyone who applies for a national ID with UNHCR data.
Stigmatised people could also be placed at greater risk from ID systems. In Uganda, where a new biometric ID card was rolled out last month, data gathered for health purposes could potentially be used by police to target sex workers and LGBTQ communities for arrest, warn activists.
Most LGBTQ sex work communities hide beneath anonymity, but if they are clearly identifiable by a biometric identifier, there are few protections in the system. “It’s fertile ground for exclusion,” says Akena.
One of the UN’s Sustainable Development Goals is to “provide legal identity to all, including birth registration, by 2030”. The goal is ambitious but seems well in reach if ID systems continue to be implemented at the current rate. What remains to be seen is whether Africa’s data protection landscape can keep up, and with the right objectives.
Akena, who is Kenyan and well-versed in the Huduma Namba case, is still hounded to this day by Jerome Ochieng’s comment that data is the new oil. “Clearly, the [ID project] was not about all these public benefits to citizens,” she says. “It’s because they wanted the data. It was an economic imperative.”