Research ICT Africa and the Centre for Internet and Society (Delhi, India) partnered in 2021 to examine the design, development, governance, and implementation of evolving socio-digital identity ecosystems in ten African countries. (We explained the background to and reasons for this work in a previous blog.)
With support from the Omidyar Network, the joint team worked with local researchers in Ghana, Kenya, Lesotho, Mozambique, Nigeria, Rwanda, South Africa, Tanzania, Uganda, and Zimbabwe to extract a snapshot of the state of digital identity, using an evaluation framework specifically designed by CIS for assessing digital identity ecosystems.
The ten case studies arising from this project were published individually this past week, followed by this comparative report in which the RIA and CIS teams analyse similarities, differences, policy windows, and concerns highlighted in the reports.
As we mentioned in earlier blogs, we undertook this project because digital forms of (legal) identification are becoming increasingly popular and prevalent on the continent. The Covid-19 pandemic has, similarly to other forms of digitisation, increased both the appetite for and potential utility of socio-digital identities (e.g., for vaccine certifications). This, we believe, underlines the need for critically assessing the design, development, implementation, financing or funding, and governance of digital identities.
Digital identities are not only shaped by the complex realities (and even more complicated histories) in which they are deployed on the continent, but they can shape the everyday socio-digital realities of most of us who live on the continent. Some are optimistic about these impacts, others less so. Some of these concerns are grounded in pragmatic reality, others less so. Despite these contradictions, the partial digitisation of identity management seems to be inevitable on the continent – whether some may like it or not.
At the same time, and like other information and communication technologies (ICTs), digital identities are actively designed, in part by a series of institutional choices that enable or disable certain affordances. They are neither inevitably nor necessarily detrimental from a developmental, human rights, and/or inclusion perspective. We, therefore, started this project with hope; believing that if digital identities can be conceived and designed with concepts like human rights, developmental goals, sustainability, and safety at the forefront, they might yet hold a beneficial impact on the continent.
The 10 country case studies indicate that this hope is sometimes marred by fraught colonial histories that often lead to crowded and disorganised digital ecosystems, opaque public-private interplays, a frequent lack of institutional capacity (or will), difficult interactions with aid agencies’ agendas, and a seemingly unquenchable thirst for digital Kool-aid in the absence of much strategic vision, political will, or institutional capacity.
In the comparative report, we note that there might be a sad irony here in that colonially-rooted digital identity ecosystems – even when in their guises of improving most aspects of life on the continent – might be introducing the risk of new and different forms of (data) colonialism, defined by their increasingly invasive systems for making all aspects and layers of human experience the target of profitable extraction (and extraction to the primary benefit of masters in countries outside of the continent).
While different contextual realities in each of the 10 countries examined mean diverse priorities and recommendations, we argue that the similarities across the countries also means that countries could start by learning from the experiences of other African countries and dear lessons from the ICT for development space (which RIA has long worked in). We not only recommend the use of more collaborative and multistakeholder approaches for the design, financing or funding, implementing and governance of digital identity ecosystems, but emphasize the importance of involving the so-called beneficiaries of these systems from the conceptualisation stages.
More collaborative, consultative approaches are especially important because we found that many of the countries examined are currently in the process of reforming or creating policy instruments of direct or indirect relevance to digital identity ecosystems. Examples include:
- Following a court case that challenged, among other things, the use of executive tools to make substantive changes to the existing national identity law, our Kenyan country partner calls for a new policy framework to be debated in Parliament, with more meaningful public participation and the inclusion of social interests (Mutung’u, 2021). Her concerns were underlined in a more recent high court judgment (issued after her research was finalised) which ordered that a data protection impact assessment must be conducted before either the processing of data or the roll-out of Huduma cards;
- In Lesotho, besides the need for establishing a functioning data protection regulator (in line with the country’s existing data protection regulation), the draft Computer Crime and Cybercrime Bill awaits promulgation;
- In Mozambique, both a data protection law and a national cybersecurity policy are currently being drafted and/or prepared;
- In Rwanda, a new law on data protection and privacy – reportedly posing significant implications for the digital ID landscape by containing a set of rights for data subjects and obligations for data processors – was published on 15 October 2021. As this development happened after the case study was finalised, its implications were not covered in depth, but should be further assessed and tracked.
- In South Africa, a Draft Official Identity Management Policy was published in late 2020. While the deadline for public comments has passed, the process is worth following for subsequent opportunities for input, also in Parliament; and
- In Zimbabwe, a Cyber Security and Data Protection Bill has been tabled before Parliament and is reportedly currently receiving public input in response.
These policy windows and related opportunities arguably present an invaluable opportunity (and responsibility) for civil society and other interested stakeholders to help shape a landscape in which digital identity can be more truly beneficial from a developmental, human rights, and/or exclusion perspective.
Besides these general recommendations, the paper concludes with a detailed list of specific and distinct recommendations for policymakers, civil society, the technical community, private sector actors, donor agencies, and for further research.