Over the past decade, tech companies have risen to become the biggest in the world, all while operating with little formal, structured government oversight. But this lack of oversight has come at a cost. But in Europe, today, they have introduced a couple of instruments to regulate the activities and services of tech companies. Since the introduction of the General Data Protection Regulation (GDPR), big tech firms are compelled to make significant changes to their privacy policies. And its real effects are still to come. In some instances where these tech companies have not been compliant they have faced the rigours of the law. As of now, Facebook and Google have been incredibly victims of EU penalties, resulting from court decisions. For example, on October 3, 2019, the Court of Justice of the European Union (CJEU) issued its judgment in ‘Eva Glawischnig-Piesczek v. Facebook Ireland Ltd’., interpreting the EU Electronic Commerce Directive, where the EU top Court ruled that host providers, such as Facebook, may be ordered to remove or block access to information which it stores, the content of which is identical or equivalent to the content of information previously declared as unlawful. In addition, it may be required to remove or block access to such information on a worldwide basis within the framework of the relevant international law. For Google, on 24 September 2019, the EU Court (CJEU) ruled that de-referencing (measures discouraging internet users from gaining access) by Google should be limited to EU Member States’ versions of its search engine with some important qualifications and when Google receives a request for de-referencing relating to a link to a web page on which sensitive data are published, a balance must be sought between the fundamental rights of the person requesting such de-referencing and those of internet users potentially interested in that information. Google has already faced the issue related to the right to be forgotten before the CJEU in the landmark ‘Google Spain’ where the court ruled that a search engine operator can be obliged to remove links to information about an individual from its list of results. This decision led to a large number of requests from individuals to remove such links and notably four complaints to the CNIL [a France’s Data Protection Authority] from individuals following the rejections by Google of their requests for de-referencing. Likewise, there’s growing clamour in Africa—by businesses, lawmakers, regulators and internet users—calling for big tech companies regulation in Africa. So, what is the right way to regulate the tech industry? The AU as well as Regional Economic Communities (RECs) have regulatory and policy instruments regulating activities and services of tech giants, namely Facebook, Google, among others. However, African RECs are at varying stages in regulating the ICT industry. Importantly, for instance, ECOWAS, in 2010, adopted a ‘Supplementary Act on Personal Data Protection’, which is the only binding data protection instrument in Africa. At country level, for example, in Rwanda, the law n°24/2016 of 18/06/2016 governing information and communication technologies establishes a framework for ICT policy and regulation. Particularly in the case of Facebook, as earlier noted, the foregoing ICT law, under Article 190, paragraph 5, the Internet Service Providers (ISPs)—including social media and phone companies—are under obligation to remove or disable access to the electronic record, which is potentially questionable, it has stored upon receiving a ‘take-down notice’. What is ‘take-down notice’? It is a process operated by online hosts in response to court orders or allegations that content is illegal. Content is removed by the host following notice. Notice and take down is widely operated in relation to defamation and/or libel and other illegal content. When the hosting company or platform receives a notice, it usually removes or blocks access to the infringed material to avoid incurring liability for it. Major platforms such as eBay, Facebook, Twitter, Instagram, Pinterest or YouTube provide standard web-based forms for the submitting the notice. These forms are straightforward to complete, but it is important that all the requested information is provided to reduce the chances of having your notice rejected. As such, social media, like Facebook, can be notified of any objectionable or harmful content to remove or disable access to that content as expeditiously as possible. However, like in many jurisdictions, Rwandan ICT law does not require the host provider, or ISP, to monitor generally information which it illegally stored in its wires. Given that data privacy is an integral part of fundamental rights, the regulatory and legal landscape surrounding the use of data, and data privacy, is rapidly becoming more complex. As Africa is on the right path to digitalizing various activities and services, regulating tech companies, which play a pivotal role in this industry, must be alive and kicking. As earlier noted, the EU General Data Protection Regulation laid the groundwork for others to follow in passing their own versions of stricter data privacy laws. At the African level, a similar commitment for protecting data privacy is of paramount importance. These tech giants, which control and process personal information, must comply with data protection principles. The writer is a law expert.
