Kenyan and Ugandan citizens are slowly losing their rights to privacy, data protection, and access to information in the wake of COVID-19 surveillance by their governments.

Kenya and Uganda confirmed their first cases of COVID-19 on 13 and 21 March 2020, respectively, resulting in a raft of measures taken as far as policy, regulatory, and legislative levels were concerned in an effort to control the spread of the pandemic.

Such measures included the suspension of public gatherings, social distancing requirements, local and international travel restrictions and limitations, curfew imposition, mandatory quarantine, and new laws to formalise the measures.

In a report by the Article 19, Kenya ICT Network and Policy it has, however, emerged that the measures put in place to contain the COVID-19 pandemic are reducing the iFreedoms of the citizens of the two countries.

“The surveillance measures and practices adopted including Coronavirus applications (apps), did not comply with the three-part test under international law and national laws guaranteeing the rights to privacy, data protection, freedom of expression, and access to information,” read a part of the report.

According to the report, the authorities are also not independent; they lack the functional and operational capacity to oversee surveillance measures and practices to contain the COVID-19 pandemic.

Additionally, both governments utilized existing surveillance practices such as closed-circuit television (CCTV) and communications surveillance (mobile phone monitoring using location data) and augmented them with new COVID-19 surveillance laws and measures, including digital contact tracing. These were all under the guise of public health protection.

The recently enacted data protection laws in both countries were expected to provide a framework for the transparent and rights-respecting collection of personal data. However, the documented surveillance trends and unsupervised collection of data during the first year of the pandemic revealed the lack of independent supervision of these data protection laws resulted in poor enforcement and implementation of obligations that apply to data controllers and processors, including public health authorities.

There is also the fact that this supervision challenge did not limit or check the surveillance capabilities and practices of state and non-state actors.

“State actors continued to use CCTV cameras with biometric features for mass surveillance in public or publicly accessible spaces, which compromised individuals’ privacy and personal data. Instead, the Ugandan government announced that it would use the data protection law to prosecute individuals for ‘spreading misinformation and fake news whereas the Kenyan Government used the Data Protection Act 2019 to charge a blogger, Edgar Obare, with unlawfully disclosing the personal data of a Kenyan YouTuber,” read part of the report detailing examples of misuse of the laws.

International human rights law requires governments to protect human rights while corporate organizations are obligated to observe human rights in their operations with or without a pandemic.

Among the recommendation of the report were complying with international human rights standards and laws protecting the rights to privacy, data protection, freedom of expression, and access to information. There is also the need for developing and implementing comprehensive data protection measures and practices for the regulation of personal data collection, processing, and storage.