Maurice Kabazzi Lwanga, Human Rights Practitioner and Lawyer, Afya na Haki Institute

The adoption of the AU Malabo Convention on Cyber Security and Personal Data Protection in 2014 marked a significant turning point for civil society organisations (CSOs) in Africa, galvanising their efforts in advocating for data protection across various sectors, including health. As digital health initiatives proliferate, the need for robust protections against data breaches, privacy violations, and misinformation has become increasingly urgent. Civil society activism plays a pivotal role in addressing these challenges by fostering accountability, promoting awareness, and engaging policymakers to harmonise data protection standards. This collaborative dynamic between CSOs and regulatory frameworks is essential for ensuring citizens’ rights are upheld in the rapidly evolving digital health landscape.

Despite existing data protection legislation, there is a notable lack of harmonised standards for digital health at the regional level. In this context, civil society organisations (CSOs) play a crucial role in supporting the development of these standards by conducting research and engaging with policymakers to harmonise data protection laws in digital healthcare.

Domestic civil society organisations and human rights NGOs are relatively new phenomena in Africa, having proliferated since the 1980s. They have increasingly become vital advocates for human rights, using activism as a tool for social justice and accountability in digital health data protection. CSOs serve as early warning mechanisms and act as buffers against both state and market excesses. By broadening developmental agendas to include social justice and political concerns, civil society seeks to find solutions to pressing developmental challenges.

CSO activism takes place in different domains, such as the academia policy and in communities. In the women’s movements and activism, civil society organisations greatly contributed to the making of gender-sensitive laws and policies attributed their success to the power of caucusing, sisterhood and women’s collective voice. During transitions to democracy CSO activism has historically also often led to the creation of structures in the State to promote social justice and equality. These structures have the ability to consolidate policy initiatives or to rally support among key actors in government for specific policy issues and legislative demands by the citizen populations. In the context of digital health protection, CSO movements can leverage the positive impact in law reforms to influence social justice in key development outcomes. The civil society organisations influence and promote awareness and sensitize the citizens about their rights and obligations in digital health protection. 

The African Union (AU) Convention on Cyber Security and Personal Data, commonly known as the Malabo Convention, presents an opportunity for civil society activism to thrive towards participation, partnership and implementation of this regional legislation. The Malabo Convention highlights the crucial role of civil society in promoting cybersecurity and data protection through advocacy, capacity building, and stakeholder engagement. It emphasises collaboration between civil society and governments to ensure effective implementation and accountability. 

Critical to note, the AU Malabo convention greatly improved as a result of positive civil society input into the drafting process. Article 32 (g) of the Malabo Convention also emphasises partnerships with African civil society to promote cybersecurity. 

CSOs are necessary for ensuring adherence to the Malabo Convention, but they are struggling to do so. Article 24(1) of the Malabo Convention mandates African states to collaborate with stakeholders in developing national cybersecurity policy. Civil society plays an instrumental role in promoting cybersecurity. A case in point is the Ghana’s DPA named Data Protection Commission (DPC) that is mandated to investigate and receive complaints on data breaches. To support Data protection commissioners, civil society organisations can monitor and report violations of data subjects rights in their use of digital health services and technologies. This can help to ensure efficient and critical investigations and decisions by the Data protection commissioners. Civil society actors also can leverage these Data Protection Commissions to facilitate regulation of digital health systems. CSOs can work directly with Data protection commissioners to monitor as ‘watchdogs’ the activities of the state and nonstate actors in digital health systems. This monitoring can help, as Kasfir puts it, ‘in making the African state more democratic, more transparent and more accountable. The Malabo Convention under Article 25 (3) of the Convention protects the rights of citizens which is a pathway to holding violators accountable to the aggrieved citizens via digital health surveillance.  There are some success stories in advocacy by CIPESA which has progressed in digital health rights work. Afya na Haki Institute has designed a course on Advocacy for Digital Health justice in Africa which complements CSO activism and capacity building around digital health regulation but also utility of health technologies in sub-Saharan Africa.

Challenges of civil society activism for digital health protection

Digital health organisations face a number of needs and challenges ranging from resource constraints at the local level to global economic inequalities that affect their constituencies at the local level (the idea of “glocal” – that the global influences the local). Article 26 (1) of the Malabo Convention facilitates participation and management of cyber security by civil society organisations. States have an obligation to foster involvement of civil society in cyber security.

The biggest challenge to Africa CSO activism is the limited awareness of the digital health protection laws. Due to the limited awareness and nonratification of this AU cybersecurity law, nonstate actors including civil society organisations fail to effectively advocate against digital health surveillance. In cases where there are data protection laws, there is still low implementation which undermines the effectiveness of  strong data protection laws against digital domination. There are also gaps in technical aspects issues. Limited individual skills, system capabilities, financial resources and a lack of SOPs for supporting, using and maintaining digital health resources, equipment and infrastructure. This has stalled a lot of process in having a unified front to digital health surveillance and regulation in Africa. CSOs face a challenge of legitimacy. The rapid rise in the number of NGOs has not been matched by an increase in the quality of their work, resulting in many common problems regarding accountability and transparency.

The resource constraints associated with inadequate funding for digital health work hampers growth of digital health movements. Organisations that receive funding from government, political parties, or international charity organisations, are often obliged to make certain compromises, like maintaining a professional public image, which places limitations on the kind of protest action that they can engage in. 

Civil society organisations face legitimacy issues in tacking the most pressing issue of digital health surveillance. The lack of a strong social base, external dependence, as well as a predatory legal and regulatory regime contributes significantly to the crisis of legitimacy. Engaging the State has its own pitfalls for digital health movements, though the relationship of civil society movements and the State is invaluable for civil society activism to be successful. When organisations become NGOs (NGOisation) they face similar problems with conditionalities imposed on them by funders (often from the Global North).

Absence of robust laws and regulation on digital health undermines accountability and access to justice in digital health for African populations. Some African countries, including Burundi, Cameroon and the Gambia, lack data privacy regulations entirely, which poses significant challenges for protecting individuals against digital health surveillance. For instance, without such laws, sensitive health information may be vulnerable to unauthorised access and misuse, undermining trust in digital health initiatives. 

A key challenge in digital health protection is the lack of collaboration, which shows that laws alone cannot protect individual rights without active public participation. Africa’s fragmented approach to personal data protection makes this issue even more pressing, as many countries create legislation that does not lead to meaningful protections at the regional level. Civil society organisations (CSOs) play an important role here; they can amplify the voices of marginalised communities, ensuring their concerns are heard. Additionally, by working with grassroots movements, CSOs can improve coordination and create unified advocacy efforts. This collaborative approach is vital for developing effective policies that address the complex challenges of digital health and data protection across the continent. 

In conclusion, civil society organisations (CSOs) play a crucial role in advocating for digital health protection across Africa. By collaborating with digital health institutions under the AU Malabo Convention, CSOs can amplify their activism, pushing for greater accountability and justice in the digital health sector. Their efforts to promote regional cooperation on cyber laws are essential for driving meaningful change. Through united activism, CSOs can help create a more equitable health landscape, ensuring that all Africans benefit from safe and secure digital health services.

Part of the SLSA Blog Series, Exploring the Intersections of Technology, Health, and Law, guest edited by Prof. Sharifah Sekalala and Yureshya Perera. Written as part of the project There is No App for This! Regulating the Migration of Health Data in Africa, funded by the Wellcome Trust (grant number: 224856/Z/21/Z).