The Price of Surveillance: Why Africa’s New Health Security Partnership Deserves Scrutiny
What happens when activists opposing public health policies are flagged as “threats”? Or when marginalized communities are targeted in data-driven responses?
Shabnam Palesa Mohamed – Activist, Journalist, Lawyer, Strategist
The African Sovereignty Coalition opposes the surveillance and control of Africa.
On 29 May 2025, the World Health Organization (WHO), Africa CDC, and Germany’s Robert Koch Institute (RKI) announced the expansion of the Health Security Partnership to Strengthen Disease Surveillance in Africa (HSPA). While the initiative aims to enhance disease detection and response across the continent, it raises significant concerns about data sovereignty, privacy, and the potential for misuse of genomic information.
What’s Really Being Built?
The HSPA model integrates health and security sectors to monitor, track, and respond to public health threats. This includes:
Genomic surveillance of pathogens and individuals
AI-assisted epidemic prediction tools
National security integration
Cross-border health data sharing
While this approach may enhance disease detection, it also introduces risks related to data control and potential misuse.
Why It’s Risky
1. Data Sovereignty at Risk
The partnership is funded by Canada and the UK, coordinated by WHO and RKI. This raises questions about who controls the data collected. African nations may find themselves with limited access to or control over their own health data, potentially infringing upon their sovereignty.
2. From Healing to Policing
By merging health systems with national security, the HSPA risks turning health interventions into surveillance and enforcement tools. This could lead to the militarization of public health, where health data is used for purposes beyond disease control, such as monitoring political dissent.
3. Real-World Misuse of Genomic Data
A cautionary tale comes from the West. In 2023, the popular genetic testing company 23andMe confirmed a major data breach in which over 7 million users’ genetic and personal data were stolen and sold on dark web forums. The leak specifically targeted individuals of Ashkenazi Jewish and Chinese descent, exposing sensitive ancestry, health, and familial data.
What does this mean for Africa? If a well-funded, Silicon Valley-based company cannot secure its data, what protections exist for African genomic databases, especially when developed under foreign direction and stored in cloud systems beyond local control?
Earlier, the Human Genome Diversity Project (HGDP) faced fierce backlash for collecting Indigenous DNA without fully informed consent, with fears that such data could be misused for racial profiling or intellectual property theft. These are not theoretical risks—they’re historical and ongoing violations.
Legal Protections and Gaps
Several South African laws are relevant to the concerns raised by the HSPA:
Constitution of South Africa, Section 14: Protects the right to privacy, including the privacy of communications and health information.
Protection of Personal Information Act (POPIA), 2013: Regulates the processing of personal information, including biometric data. Section 11 requires that personal information be processed lawfully and in a reasonable manner that does not infringe on privacy rights.
National Health Act, 2003: Governs the management of health records. Section 17(2) criminalizes unauthorized access to health records, emphasizing the need for strict controls over health data.
National Health Insurance Act, 2023: Establishes a framework for universal health coverage, which may involve the collection and management of health data.
However, these laws may not fully address the complexities introduced by international partnerships like the HSPA. The integration of health data with national security frameworks could conflict with existing privacy protections, and the cross-border sharing of genomic data may not be adequately regulated.
The Right to Public Participation: Erased
One of the most alarming omissions in the rollout of the HSPA is the lack of public participation. Decisions about expanding surveillance infrastructure, collecting genetic data, and integrating national health with security sectors have not involved the public in any meaningful way.
This contradicts both international human rights law and South African constitutional protections.
Legal Foundations:
Section 59(1)(a) and Section 195 of the Constitution of South Africa guarantee the public's right to participate in policy-making and the obligation of public administration to be transparent and responsive.
The Promotion of Access to Information Act (PAIA), 2000 grants citizens the right to access information held by the state, including contracts or partnerships like the HSPA.
The African Charter on Democracy, Elections and Governance (ratified by many AU states) emphasizes public participation as a foundation for good governance and accountability.
The Aarhus Convention (though not yet ratified by most African nations) is a global standard that links environmental and public health decision-making to the rights of access to information, participation, and justice.
And yet, there has been no wide-scale public consultation, no parliamentary debate in most participating countries, and no clear mechanism for civil society to oversee the surveillance infrastructure now being embedded into public health systems.
Why This Matters:
Public participation is not a box to tick—it is how democracy protects itself.
When communities help shape health responses, trust increases and outcomes improve.
When decision-making is opaque, it fosters suspicion, misinformation, and resistance.
Without informed consent and civic engagement, health surveillance can become health authoritarianism.
We must ask: Who gave consent for genomic data collection?
Where are the independent oversight bodies?
Why are civil society, health professionals, and the people themselves left out?
Why It’s Expensive
Implementing a bio-surveillance framework across multiple countries—including genomic data systems, AI-driven analytics, and laboratory networks—is extremely costly.
Most of the funding flows to external consultants and foreign technologies.
Local health workers, clinics, and community initiatives are often sidelined.
African governments may find themselves indebted to donor countries for maintaining systems they didn’t design or fully control.
Even more concerning: there’s little transparency on how this funding is monitored, who audits these systems, or what happens if a country decides to withdraw.
Why It’s Dangerous for Democracy
With public health now under the eye of national security, there’s a thin line between disease monitoring and political surveillance. We’ve seen these dynamics play out in authoritarian regimes—now they’re being normalized in global health partnerships.
What happens when activists opposing public health policies are flagged as “threats”? Or when marginalized communities are disproportionately targeted in data-driven responses?
We must not allow systems built for pandemics to become tools of repression.
Sovereignty Is an Idea. Solidarity Is Action.
The real path to a healthier Africa is not deeper surveillance. It is solidarity-led health sovereignty—where countries, communities, and local scientists build systems by and for the people.
Because sovereignty is not just about borders; it's about control over our data, our health, and our futures.
The Bottom Line
Africa is not a lab. Our people are not test subjects. And our health data is not for sale.
The HSPA may claim to protect us—but without structural safeguards, it risks repeating colonial patterns of extraction, surveillance, and control, this time through health infrastructure.
We must ask: Who benefits? Who decides? And who is watching the watchers?
Let us remember: We are the 99%. The power of the people is greater than the people in power.
And a better world will not be built through surveillance—but through solidarity.
Your Genetic and Life Data For Sale
The 23andMe data breach, which compromised the personal information of approximately 6.9 million users, is a significant example of the risks associated with genomic data collection and sharing.
In October 2023, hackers accessed user accounts through a method known as credential stuffing, where previously exposed login credentials were used to gain unauthorized access. This breach affected about 0.1% of 23andMe's user base, approximately 14,000 accounts. Through these accounts, attackers accessed the DNA Relatives feature, which connects users with genetic matches, and downloaded personal information from millions of other profiles. The stolen data included names, birth years, geographic locations, family tree details, and profile pictures. Notably, DNA records were not compromised. BBC+5The Verge+5The Hill+5BBC+5WIRED+5The Verge+5The Guardian+6BBC+6BBC+6BBC
The breach raised concerns about the adequacy of 23andMe's security measures and its handling of user data. In response, the company implemented password resets and two-factor authentication for all users. Additionally, 23andMe agreed to a $30 million settlement in a class-action lawsuit, which includes compensation for affected users and enhanced security monitoring. The Guardian+1The Guardian+1WIREDThe Verge+1Reuters+1
This incident underscores the importance of robust cybersecurity practices and transparent data handling policies, especially when dealing with sensitive genetic information.
Why Focus on South Africa?
South Africa is not just one of the first countries involved in the WHO–Africa CDC Health Security Partnership—it is also a symbolic frontline in the global push for increased health surveillance.
Here’s why this matters:
Early Adopter: South Africa was among the first six countries to implement the HSPA model. Its experience will influence how this surveillance system expands across the continent.
Strong Legal Framework: With robust privacy laws and a constitutional commitment to human rights and public participation, South Africa provides a test case for whether surveillance systems can coexist with democratic accountability.
Regional Influence: As a political and economic leader in Africa, what South Africa embraces—or resists—sets a precedent for other African Union states.
Ground Zero for Genomic Data Expansion: South Africa hosts major genomic research projects and biotech collaborations, making it especially relevant in debates about data sovereignty and bioethics.
A Legacy of Resistance—and Risk: With a history shaped by surveillance under apartheid, South Africa knows the dangers of unchecked data collection. But foreign influence and digital expansion now threaten to replicate new forms of control—this time under the banner of global health.
Lived Experience, Local Voice: As a South African journalist, lawyer, and activist, I write from within the system—not just about it. This is both a national responsibility and a continental and international call to action.
Because what happens in South Africa may soon happen across Africa. And what happens in Africa (and Palestine) will shape the world.
References
"Protection of Personal Information Act, 2013." Wikipedia. https://en.wikipedia.org/wiki/Protection_of_Personal_Information_Act%2C_2013
"National Health Act, 2003." Reddit. https://www.reddit.com/r/SanitySouthAfrica/comments/tj871d
"National Health Insurance Act, 2023." Wikipedia. https://en.wikipedia.org/wiki/National_Health_Insurance_Act%2C_2023
"AU Convention on Cyber Security and Personal Data Protection | Malabo Convention." Michalsons. https://www.michalsons.com/blog/au-convention-on-cyber-security-and-personal-data-protection-malabo-convention/65281
"African Union adopts framework on cyber security and data protection." Access Now. https://www.accessnow.org/african-union-adopts-framework-on-cyber-security-and-data-protection/
"Budapest Convention on Cybercrime." Wikipedia. https://en.wikipedia.org/wiki/Budapest_Convention_on_Cybercrime
"23andMe hack hits 6.9 million accounts
Thanks very much, again, SHABNAM, for this overview.
The future goes through Africa and people such as yourself!