OPINION: How African citizens can take control of their data in the age of surveillance

Across Africa, mobile connectivity has surged, outpacing traditional infrastructure and ushering in a data-driven economy. But as digital services expand, so too does the quiet erosion of privacy. Every tap, swipe, and search feeds into vast stores of personal data, much of which is collected without informed consent or proper oversight. In East Africa, the question is no longer whether privacy matters, but how citizens can protect themselves in real time.

Laws meant to safeguard data often lag behind digital adoption. Surveillance, once the domain of intelligence agencies, is now routine, often framed as national security or administrative efficiency. In some countries, tools designed for health monitoring or digital ID systems have been repurposed to monitor dissent. Meanwhile, lax regulation enables private firms, especially telecoms and fintechs, to harvest and monetise data with little scrutiny.

While legal advocacy remains essential, many rights groups are turning to more direct interventions. Self-defence in the digital sphere now relies on citizen knowledge and practical tools. One such example is Ayeta, a digital resilience toolkit developed by Paradigm Initiative. Unlike generic cybersecurity kits, Ayeta is customised for African realities, providing resources in multiple languages and emphasising accessible, everyday security measures such as encrypted messaging, safer browsing, and metadata hygiene. It redefines cybersecurity as a civic skill rather than a specialised task.

This localisation is important. Many African users depend on second-hand devices, outdated software, and subsidised data bundles that limit access to broader internet tools. For journalists, activists, and ordinary citizens, these gaps pose serious vulnerabilities. In such environments, knowing how to manage app permissions or secure communications isn’t optional—it’s vital for safety.

Ayeta’s strength lies in its integration of behavioural and psychosocial strategies alongside technical guidance. It tackles the fatigue and anxiety that come with constant surveillance, which often lead to lapses in discipline. Its peer-to-peer approach fosters communal resilience, recognising that digital safety is rarely a solo effort.

However, as civil society advances, governments are starting to respond. In Kenya, the Office of the Data Protection Commissioner issued updated guidelines in 2023 to enhance compliance among data controllers and processors. These cover consent management, cross-border transfers, and sharing data with third parties. While the purpose is clear, enforcement remains weak, and most citizens are unaware of their rights. Without substantial investment in public awareness and institutional independence, such efforts risk being merely symbolic.

This regulatory fragility is not exclusive to Kenya. Throughout the region, oversight bodies are often underfunded or politically biased. Multinational technology companies operating in African markets frequently abide by opaque government requests for data access, citing local laws. Legal frameworks are in place but are seldom tested in courtrooms. In this context, responsibility falls on citizens and civil society to fill the gap.

That shift must be addressed through strategic investment. Resources like Ayeta should be incorporated into national curricula, journalism training, and civil service development. Building a resilient digital culture demands much more than just firewalls. It requires political will, public education, and a rebalancing of power between users and institutions.

Encouragingly, grassroots momentum is growing. Digital security hubs, informal training networks, and community-led privacy clinics have emerged in Nairobi, Kampala, and beyond. While fragmented, these efforts reflect a deeper shift: people recognising that their rights are now contested not only in parliaments or protest grounds, but inside smartphones, app permissions, and data logs.

The threat environment is also evolving. Biometric databases, algorithmic profiling, and predictive policing are gaining traction without adequate safeguards. The most effective forms of control in the digital age are not overt, but systemic, built into the architecture of platforms, contracts, and code. In this new reality, digital rights are not theoretical. They are existential.

Protecting those rights won’t come solely from courtrooms. It will also come from the inbox, the chat thread, or the local internet café. It requires a shift in mindset, from passive use to active stewardship. Tools like Ayeta don’t provide immunity, but they do provide agency. They remind users that security is a shared responsibility and that silence or inaction only increases the risk.

The challenge for institutions, both public and private, is whether they will support this movement or simply tolerate it. Until structural reforms catch up, resilience will remain a key focus. African citizens are not waiting. With knowledge, networks, and the right tools, they are starting to take back control over their data and, by extension, their democratic space.

[The write is the Communications Manager, Paradigm Initiative.]