Personal data and law enforcement purpose(s).

Data about people, including their communications metadata and information about their devices and their connections online are of increasing importance in the prevention, investigation and prosecution of crimes. ‘Crimes’ may range from ‘cybercrimes’ such hacking and the theft of data (that may impact on and hold the potential of harm for many millions of people and that may in turn facilitate other crimes); to murder; financial crime such as money laundering; terrorism; harassment; the non-consensual sharing of intimate images; or ‘traffic offences’.

The collection and use of personal data for law enforcement purposes involves an interference with the right to privacy (and associated fundamental rights and freedoms) afforded by international human rights instruments and the constitutions of many countries. Law enforcement may also require cross border co-operation and sharing of data.

The data sought by law enforcement agencies (LEAs) may held by public authorities but is often held by data controllers in the private sector such as telecommunications companies or social media companies for example. Where data protection laws exist, they may provide exemptions that facilitate the disclosure of data to LEAs for the purposes of preventing and detecting crime, and the apprehension and prosecution of offenders where it is necessary and proportionate. However, beyond broad exemptions, data protection laws may not set out any conditions for what is proportionate and necessary. What guidance exists for controllers? How do data controllers assess whether a requested disclosure is necessary and proportionate and that a failure to disclose is likely to prejudice the crime related purposes for which the data were requested? Such exemptions must apply on a case by case basis. No blanket exemption may apply. Requested data may be exempt from subject access rights up to a point and so raises questions about impact of such exemptions on other rights and freedoms.

The use of personal data for law enforcement purposes raises multiple questions of the application of human rights principles across multiple regulatory frameworks and laws. It raises the question of how to regulate the investigatory powers of the state in a manner that respects the essence of fundamental rights and freedoms particularly as new technologies are deployed such as facial recognition for example or in the use of communications metadata. At a practical level it also raises the need to consider data protection by design and the role of data protection impact assessments in identifying and mitigating risks posed by technology and practices adopted by LEA and private sector.

Speakers for this workshop include:

Murray Hunter is a South African researcher and digital rights advocate and has worked on research and advocacy about communication surveillance through the Right2Know Campaign, and the Media Policy and Democracy Project at the University of Johannesburg. He is the author of numerous reports including; ‘A Patchwork for Privacy: Mapping communications surveillance laws in southern Africa’ and ‘Cops and call records: Policing and metadata privacy in South Africa’ and ‘Track and trace, trial and error: Assessing South Africa’s approaches to privacy in Covid-19 digital contact tracing’. Murray is also the author of a children’s book about digital privacy. Drawing on experiences from South Africa and the SADC region, Murray will discuss how metadata requests are used in policing, and the need for strong(er) legal protections for this kind of data in order to protect against abuses and uphold fundamental rights.

Koliwe Majama Koliwe is a Zimbabwean digital rights and policy specialist who is currently working with the Association of Progressive Communications as coordinator of the African Declaration on Internet Rights and Freedom Coalition (AfDec) strengthening a human rights based approach to data protection in Africa. Koliwe is also the organiser of the African School on Internet Governance. Koliwe is co- author of a recent report 'Digital ID in Zimbabwe: A case study'. Koliwe’s Masters thesis explores Data protection policy making under the African Continental Free Trade Area. Koliwe will speak about what constitutes accountable use of data by law enforcement agencies and intelligence services.

Justice Alfred Mavedzenge is a Zimbabwean born constitutional lawyer and academic. He is currently managing a research project on how governments in Africa are regulating access to the digital space and the impact of such regulation on democratic and other human rights. Justice Mavedzenge is also the Global Lead on independence of Judges and Lawyers at the International Commission of Jurists. Justice will speak about necessity, proportionality and accountability in law enforcement use of personal data, drawing from experiences across multiple African countries.

Programme

• Practical guide on the use of personal data in the police sector
• A Patchwork for Privacy – Mapping communications surveillance laws in southern Africa by Murray Hunter
• Track and Trace, Trial and Error – Assessing South Africa’s approaches to privacy in Covid-19 digital contract tracing by Murray Hunter
• The Right to Privacy v National Security in Africa: Towards a Legislative Framework which Guarantees Proportionality in Communications Surveillance (Justice Alfred Mavedzenge)

• Accountable data use by Law Enforcement Agencies & Intelligence Services (Koliwe Majama)
• Metadata matters: communications metadata in law enforcement (Murray Hunter)
• Necessity, Proportionality and Accountability in Law Enforcement Use of Personal Data (Justice Alfred Mavedzenge)

Platforms’ law enforcement request portals

• Facebook
• Whatsapp LEA portal

Transparency reports

• Facebook’s report on governments requests for user data
• Vodafone (headquartered in UK): Law enforcement disclosure and demands for customer data
• MTN (headquarter in South Africa): Transparency report for 2019