
I. PROTECTION OF PERSONAL DATA

I.1 Introduction

With the advent and boom of the digital economy in the world at large and in Cameroon in particular,
improved internet access, and the development of IT and its diverse applications, the
traditional domain of privacy is enriched every day with new elements (user information) as the
population's quest for better consumer experiences keeps expanding. The more data gets combined
and aggregated, the more substantial the personal data becomes, the more difficult it becomes to
identify and the higher the risks and responsibilities.

As part of these elements circulating in communication media, personal data turn out to be a
highly coveted resource. Their processing must therefore be carried out "in accordance with rights,
fundamental freedom, and the dignity of natural persons". In this sense, the legislation on
personal data proves to be an instrument of general protection with regard to the fundamental rights
and freedom of persons.

Hence the great necessity to put in place robust mechanisms to combat breaches of privacy
that may be caused by the collection, processing, transmission, storage and use of the data of an
individual.

It ensures that processing in any form strictly respects the fundamental rights and freedom of
natural persons; it also takes into consideration the prerogatives of the State, the rights of local
authorities, and the interests of businesses and civil society. It ensures that Information and
Communication Technologies (ICT) do not infringe on individual or public liberties, and on life
in particular.

Before examining mechanisms that can be used to combat unauthorized or illegal access to
personal data or privacy, let us briefly define some key terms and aspects necessary for a better
comprehension of the subject matter.

I.2 Definitions

I.2.1 Data

Data can be referred to as the representation of facts, information or concepts in a form suitable
for processing by terminal equipment, including a program allowing it to perform a function.

Data are also the facts or numbers collected to be examined, considered and used to help decision-making,
or information in an electronic form that can be stored and used by a computer. Data is normally
considered to be the raw form of information, which requires some processing.

I.2.2 Protection / Security

To protect here means to keep data safe from damage or loss. Security is the state of being protected
from attacks, threats and other unauthorized access to information (processed data).

It is also a situation in which someone or something is not exposed to any danger, together with the
mechanisms that prevent any havoc or its attendant effects.

The three main pillars or objectives of information security, known as the triad of security, are:

• Confidentiality (quality of secrecy)
• Integrity (maintained in the same manner)
• Availability (accessible whenever needed)

[Figure: the triad of security: Confidentiality, Integrity, Availability]

I.2.2.1 Confidentiality

Maintenance of the confidentiality of information and transactions to prevent unauthorized
disclosure of information to non-recipients, which would enable reading, listening, or intentional or
accidental illegal copying during storage, processing or transfer.

I.2.3 Availability

Security criterion under which the resources of electronic communication networks, information
systems and terminal equipment are accessible and usable as required (time factor).

I.2.4 Cyber-criminality

Infraction of the law carried out through cyberspace using means other than those habitually used
to commit conventional crimes.

I.2.5 Cybersecurity

Technical, organizational, legal, financial, human, procedural measures for prevention and
deterrence and other actions carried out to attain set security objectives through electronic
communication networks and information systems, and to protect privacy.

I.2.6 Security Audit

Systematic examination of components and security actors, policies, actions, procedures and
resources used by an organization to protect its environment, and the conduct of compliance tests
and controls to assess the adequacy of the (organizational, technical, human and financial) resources
allocated for risks, optimization, efficiency and performance.

I.2.7 Personal Data

Personal data is any information that relates to an identified or identifiable living or natural
individual (Data Subject). Different pieces of information, which when collected together can
lead to the identification of a particular person, also constitute personal data.

An identifiable natural person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online
identifier or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person. In practice, these also include all data
which are or can be assigned to a person in any kind of way. For example, the telephone, credit
card or personnel number of a person, account data, number plate, appearance, customer number
or address are all personal data.

To determine whether a natural person is identifiable, account should be taken of all the means
reasonably likely to be used, such as singling out, either by the controller or by another person to
identify the natural person directly or indirectly.

Since the definition includes “any information,” one must assume that the term “personal data”
should be as broadly interpreted as possible.

Personal data that has been de-identified, encrypted or pseudonymized but can be used to
re-identify a person remains personal data and falls within the scope of the law.

Personal data that has been rendered anonymous in such a way that the individual is not or no
longer identifiable is no longer considered personal data. For data to be truly anonymized, the
anonymization must be irreversible.

Pseudonymization is one of the appropriate technical and organizational measures to ensure a level
of security appropriate to a risk.
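
The distinction drawn above between pseudonymized and anonymized data can be shown on a small data set. The following is an added example, not part of the original text: it replaces a direct identifier with a keyed pseudonym (HMAC-SHA256, one common choice), then shows that the key holder can re-link the records and that the remaining fields can still single a person out. The records, field names and key are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (no real persons); all field names are assumptions.
RECORDS = [
    {"phone": "+237600000001", "birth_year": 1990, "city": "Douala", "diagnosis": "A"},
    {"phone": "+237600000002", "birth_year": 1990, "city": "Douala", "diagnosis": "B"},
    {"phone": "+237600000003", "birth_year": 1985, "city": "Buea", "diagnosis": "C"},
]
KEY = b"constructed-demo-key"  # a real key is random and stored apart from the data


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): stable per person, key needed to compute."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key, direct_id="phone"):
    """Replace the direct identifier with a pseudonym; other fields are kept."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != direct_id}
        row["pid"] = pseudonym(rec[direct_id], key)
        out.append(row)
    return out


def relink(rows, known_identifiers, key):
    """Key holder's view: recompute pseudonyms to map rows back to persons."""
    table = {pseudonym(i, key): i for i in known_identifiers}
    return [table.get(row["pid"]) for row in rows]


def singled_out(rows, quasi_ids=("birth_year", "city")):
    """Rows whose quasi-identifier combination occurs only once (k = 1)."""
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in rows)
    return [r for r in rows if counts[tuple(r[q] for q in quasi_ids)] == 1]


if __name__ == "__main__":
    rows = pseudonymize(RECORDS, KEY)
    phones = [r["phone"] for r in RECORDS]
    print(relink(rows, phones, KEY))           # with the key: every row re-linked
    print(relink(rows, phones, b"other-key"))  # without the key: no match
    print(singled_out(rows))                   # unique on birth_year + city
```

Because the mapping can be recomputed by whoever holds the key, and one record remains unique on its other fields, the output is pseudonymized data and not anonymized data in the sense described above.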

The law protects personal data regardless of the technology used for processing that data – it’s
technology neutral and applies to both automated and manual processing, provided the data is
organized in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t
matter how the data is stored – in an IT system, through video surveillance, or on paper; in all
cases, personal data is subject to the protection requirements.

I.2.7.1 Examples of Personal Data

• a name and surname;
• a home address;
• an email address such as name.surname@company.com;
• an identification card number;
• location data (for example the location data function on a mobile phone);
• an Internet Protocol (IP) address;
• a cookie ID;
• Radio Frequency Identification (RFID) tags;
• the advertising identifier of your phone;
• data held by a hospital or doctor, which could be a symbol that uniquely identifies a
person.

I.2.7.2 Examples of data not considered personal data

• a company registration number;
• an email address such as info@company.com;
• anonymized data.

II. Personal Data Protection Mechanisms


With security becoming a major concern worldwide in the present era, many (if not all) national,
international and world organizations and legislatures have developed laws governing the
general exchange of information, and personal data in particular, over many communication
media.

II.1 Examples

Prominent amongst the texts and laws governing personal data protection are:

• The European Union Charter on Fundamental Rights
    ◦ Article 8 "Protection of Personal Data", which stipulates:
        ▪ Everyone has the right to the protection of personal data concerning him or her.
        ▪ Such data must be processed fairly for specified purposes and on the basis of the
          consent of the person concerned or some other legitimate basis laid down by law.
          Everyone has the right of access to data which has been collected concerning him or
          her, and the right to have it rectified.
        ▪ Compliance with these rules shall be subject to control by an independent authority.
• Commonwealth Model Law on Privacy (2002)
    ◦ Processing of 'personal information' by 'public authorities'
    ◦ Office of Privacy Commissioner
• African Union Convention on Cyber Security and Data Protection
• OHADA
    ◦ Through its Uniform Acts and, most importantly, the recently ended seminar on the
      Protection of Personal Data held on the 29th and 30th of April 2018 at Dakar, Senegal.

II.2 Protection of Personal Data in Cameroon

In Cameroon, the protection of personal data is governed by:

LAW N° 2010/012 OF 21 DECEMBER 2010 RELATING TO CYBERSECURITY AND CYBERCRIMINALITY,
Part IV: "Protection of Privacy"

II.2.1 Domain of Application

This law governs the security framework of electronic communication networks and information
systems, defines and punishes offences related to the use of information and communication
technologies in Cameroon.

Accordingly, it seeks notably to:

• build trust in electronic communication networks and information systems;
• establish the legal regime of digital evidence, security, cryptography and electronic
certification activities;
• protect basic human rights, in particular the right to human dignity, honor and respect of
privacy, as well as the legitimate interests of corporate bodies.

The law shall not cover the specific applications used in national defense and security. The
electronic communication networks targeted by this law shall include: satellite, ground and
electronic networks when they are used to route electronic communications and audio-visual
communication broadcast or distribution networks.

II.2.2 The Personal Data Protection Laws Proper

Chapter IV of this text, termed "Security Activities", elaborates on the laws governing the
protection of personal data.

Offences and penalties for a violation of these laws are stipulated in Chapter II, Section
74 of the aforementioned text.

II.2.3 Observations

1) It can be observed that this law, besides charging those who are
responsible for the processing of personal data with only a minimum obligation of protection,
uses a repressive and impersonal tone that suggests that it is aimed more at third parties than
at those responsible for commercial sites.
2) Chapter II, Section 74, paragraph 3 seems to apply in a particular way to contractual
relations because it punishes even higher authority or power.

Therefore, this ungrounded and hesitant protection leaves the field open to all possibilities for the
persons in charge of the processing of these data. This is the case of operators of commercial
sites, whose general conditions of sale (GCS) provide clauses that under other conditions
would be unacceptable.

II.2.4 The urgent need to strengthen the protection of personal data

Given that the gold mine of personal data is built on what is most precious to man, defenders
of rights and freedom are called to act. Faced with this new concern for individual
freedom and privacy, many countries have incorporated the protection of personal data into their
internal law. In Europe, it is enshrined in Article 8 of the Charter of Fundamental Rights of the
European Union, under the Freedom chapter, and in Africa by the African Union Convention on
Cyber Security and Data Protection.

II.2.5 Perspectives

As a way of preventing devastating outcomes, the Cameroonian legislation must make every
effort to fill the existing legal gap, but also and especially to provide as much clarification as
possible on the already regulated sections. It would then be commendable to address a number of
issues quickly, including:

1) Create a body for the control and regulation of personal data, because the current National
Agency for Information and Communication Technologies (ANTIC) bends under so
many statutory missions that it is hard to believe that it will be effective in the protection
of personal data.
2) Clearly define the principle of temporality as to the duration of storage and processing of
personal data.
3) Ensure the protection of cross-border transfers of personal data outside Cameroon. Indeed,
by way of comparative law, to transfer data outside France it is necessary, depending on the case, to
apply for a specific authorization to transfer, governed either by the "Binding Corporate
Rules" (BCR) or by the "standard contractual clauses" (CCT) adopted by the European
Commission.
4) Introduce the mandatory prior declaration of all files (videos, customers ...) of personal
data by any person, and the modalities of their modification and deletion.
5) Oblige all companies to implement "accountability" measures relating to internal
procedures and compliance with data protection rules.
6) Create the field of "Correspondant Informatique et Libertés", which will ensure the legal
security of data in accordance with the law. Any enterprise will therefore have the
obligation to recruit or appoint one.
7) Prescribe the membership of Cameroon in the French Association of Personal Data
Protection Authorities (AFAPDP), which has real French expertise in the protection of
personal data.
8) Clarify the fate of the personal data of deceased persons: after the death of a third party, who
could have access to these data, and under what conditions?
9) Strengthen the criminalization of any breach and hamper the processing of data.

II.2.6 Conclusion

Serious reforms are urgently needed so that Cameroon enters digital modernity, protects its
citizens and creates confidence among its international partners, to finally disprove the quote available
on the CNIL website: "no law [protection of personal data], ... this country is not recognized by
the European Union as adequate". This is quite unacceptable, hence the need for quick measures.
