- Tunisia's 'National AI Strategy: Unlocking Tunisia's Capabilities Potential' was developed in 2018 following a workshop hosted by the UNESCO Chair on Science, Technology, and Innovation Policy, in collaboration with the National Agency for Scientific Research Promotion-ANPR.¹
- In 2019, the Tunisian Ministry of Industry, Mines, and Energy (MIEM) launched an initiative to promote the establishment of an AI ecosystem encompassing multiple applications in the public sector.²
- Tunisia passed its “Startup Act,” the first-ever AI startup legislation in Africa, in 2018.³
- Tunisia has been using AI applications to enhance its Public Finance Management Information System, enabling it to detect fraudulent activities, improve budget efficiencies, and conduct sophisticated financial analytics.⁴
- The creation of the Tunisian Digital Observatory (OTN) is underway. The organization will serve to inform public decision-making in the digital sector. A “code of digital uses” is also in the process of being approved by Parliament, with a view to establishing a unified legal framework to speed up the transition.
- On February 19, 2022, a memorandum of understanding was signed between the Ministry of Technology, the Ministry of Industry, the Ministry of Economy, and the Ministry of Higher Education. Its purpose is to outline the development of the national artificial intelligence (AI) strategy and its implementation plan. The memorandum establishes the key directions of the national AI strategy and will be followed by the preparation of the envisaged study in this regard. It also aims to identify the priority areas for implementing the strategy, determine the projects to be undertaken, establish a timeline for completion, and estimate the associated financial costs.
- There is a code for the right to privacy in the Tunisian Constitution of 2014, and in Law No. 63 of data protection (adopted in 2004).⁵ However, online privacy and the protection of personal data and information are still limited in Tunisia.
The essential principles of Organic Law No. 2004-63 and Deliberation No. 4 regarding the processing of health data are as follows: These principles require that personal data be:- Processed lawfully, fairly, and transparently (principle of lawfulness, fairness, and transparency);
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes (principle of purpose limitation);
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (principle of data minimization);
- Accurate and kept up to date (principle of accuracy);
- Retained for no longer than necessary (principle of storage limitation);
- Properly protected against unauthorized use, loss, or disclosure (principle of integrity and confidentiality).
- Processed lawfully, fairly, and transparently (principle of lawfulness, fairness, and transparency);
- A National Authority for the Protection of Personal Data (INPDP) was established as declared by the 2004 law, however, with no regulatory nature.⁶ The National Authority is not authorized to generate laws and regulations, or to decide on actions of data violations. Article 76 of the law states that the National Authority’s mandate is to receive official complaints and recommendations on data protection issues. However, it does not have the authority to implement the law to prevent violations of personal data.
- Decree No. 2007-3004 of November 27, 2007, establishes the conditions and procedures for the declaration and authorization of the processing of personal data.¹⁰
- In 2017, Tunisia signed the Council of Europe’s Convention 108 for the Protection of Individuals regarding “Automatic Processing of Personal Data.” By signing this convention, Tunisia has committed to undertaking political and legal reforms geared towards improving its local data protection law, following the Convention 108’s guidelines.⁷ Simultaneously, Tunisia signed an Additional Protocol No. 181 concerning supervisory authorities and the international flow of data.
- A new draft law on the protection of personal data was introduced in March 2018. The law included key guidelines of the EU’s General Data Protection Regulation (GDPR) and expanded to include the protection of non-Tunisians’ personal data. The language used in the 2018 draft law widened the definition of personal data to include online information and activities such as Internet Protocol (IP), GPS coordinates, email addresses, and biometric data, among others.
The 2018 bill also concerned the organization of the National Authority for the Protection of Personal Data (INPDP). It became an independent public authority with strengthened jurisdictional character: per the new bill, it was given the power to act as a court of first instance in cases related to administrative and financial matters, and was attributed decision-making powers as a regulatory authority in the field of personal data protection.
However, this definition still lacks a differentiation between personal data and public data—a gap which may affect the principles of transparency and the right to access to information.⁸ - On December 5, 2018, the National Authority for the Protection of Personal Data (INPDP) adopted Deliberation No. 4 of September 5, 2018, concerning the processing of personal data related to health. This deliberation aims to strengthen and clarify the legal principles of personal data protection. This text takes into consideration technological advancements and addresses, among other things, the issue of the Internet of Things (IoT) and specifically devices that enable the development of medical practices, such as lifestyle-related applications and personalized monitoring and consultation systems.⁹
- Conditions for processing health data under the 2004 law and the 2018 deliberation (regulatory power of the INPDP - Article 76.3):⁹
- Prior authorization from the INPDP
- Internal ethical charter
- Clear and legitimate purpose
- Minimization of data collection
- Sufficient information
- Free, explicit, informed, and unambiguous consent with proof of consent
- Pseudonymization or anonymization of data
- Data security
- Accredited national hosting provider
- Limited retention period
- Access and portability of data
- Prior authorization from the INPDP
- A new organic law on data protection is currently being drafted.
- Decree No. 2007-3004 of November 27, 2007, establishes the conditions and procedures for the declaration and authorization of the processing of personal data.¹⁰