By Atuhairwe Benardine |

The Fingerprint that Changed Everything

A citizen stands at a counter, and their finger is pressed against a scanner, and watches a system decide that they do not exist. Their finger is scanned severally yet the machine looks back blankly, unconvinced.

The frustration is immediate. Time is lost, opportunities are missed. But consider a harder question: what if that counter had been a hospital reception desk? What if the service being sought was not administrative, but medical? What if the person standing there was elderly, unwell, or had walked for hours to get there? What if being turned away did not mean inconvenience, but harm?

This is not a hypothetical. It is the lived reality of millions of Africans navigating Digital Public Infrastructure systems that were not designed with them in mind. And it is precisely why DPI can no longer be treated as a purely technical conversation.

What Is DPI, and Why You Should Care?

Digital Public Infrastructure (DPI) refers to the foundational digital systems that enable governments, businesses, and citizens to interact at scale. The three most discussed layers are digital identity systems, digital payment platforms, and data exchange systems. Together, they determine who can access healthcare, social protection, education, financial services, and even the right to vote.

Across Africa, governments are investing heavily in DPI as the backbone of their digital transformation strategies. The promise is enormous; more efficient service delivery, greater financial inclusion, broader civic participation. But promise and reality are two very different things.

Bias Baked into the Blueprint: The Technical Reality

When a fingerprint scanner fails to recognise an individual after ten attempts, most people assume something is wrong with their finger. The deeper problem, however, lies in the system’s training data.

Fingerprint recognition systems are powered by machine learning models; algorithms trained on large datasets of fingerprint images. The critical question is: whose fingerprints were in that dataset? If the training data skewed towards certain populations, skin tones, or age groups, the model will perform accurately for those groups and poorly for everyone else. Factors like darker skin tones, the effects of manual labour on fingerprints, age-related changes, and even environmental humidity significantly affect recognition accuracy. These are not random errors. They are predictable, systemic failures embedded into the system long before any citizen places their finger on that scanner.

This is what makes DPI so consequential. Every design decision: what data to collect, which vendor to procure from, which dataset to train on, what error rate is acceptable; reflects a value judgment. And when those decisions are made without diverse, representative voices in the room, the systems that emerge will serve some citizens well and fail others consistently. The tragedy is that those failed most consistently are almost always those who were already most marginalised.

Rights Without Remedy: The Legal Reality

From a legal standpoint, what is described above is not merely a technical inconvenience. It is a potential violation of fundamental rights that African states are bound to protect.

Africa’s legal obligations are clear. The International Covenant on Civil and Political Rights (ICCPR), ratified by the majority of African states, alongside the African Charter on Human and Peoples’ Rights,  specifically Articles 9 to 13 provide binding protections on privacy, freedom of expression, association, and political participation. When a digital identity system excludes citizens from healthcare or social protection, it does not operate in a legal vacuum. It operates in direct tension with these obligations.

Yet the enforcement architecture is deeply fragile. Of Africa’s 54 countries, 44 now have national data protection laws,  a significant leap in recent years. Yet only 15 have ratified the African Union’s Malabo Convention, the continental framework for data protection and cybersecurity. Data protection authorities, where they exist, are frequently underfunded, understaffed, and structurally dependent on the very governments they are meant to hold accountable. Independent oversight remains the exception, not the rule.

Hence, the legal architecture exists. The implementation gap is where rights go to die

A pattern, not an Accident: the Advocacy Reality

Kenya’s Huduma Number initiative attempted to consolidate all national identity systems into a single centralised biometric database. Civil society organisations challenged it in Nubian Rights Forum & 2 Others v Attorney General & 6 Others; Child Welfare Society & 9 Others (Interested Parties) [2020] eKLR, Consolidated Petitions No. 56, 58 & 59 of 2019 in the High Court of Kenya. The petitioners challenged the absence of a data protection framework, the collection of children’s data without parental consent, and the government’s explicit threat that citizens without the Huduma Number would lose access to public services. The case forced the government to fast-track a data protection law and operationalise a data protection authority before proceeding. This was a hard-won victory; but a reactive, expensive, and slow one.

In Uganda, older persons without national IDs were excluded from the Social Assistance Grants for Empowerment (SAGE) programme. Civil society organisations including the Initiative for Social and Economic Rights, Health Equity and Policy Initiative, and Unwanted Witness challenged this exclusion in ISER & 2 Others v Attorney General & NIRA (HCT-00-CV-MC-0066-2022), but High Court of Uganda dismissed the case on 10^th June 2025. Despite a compelling Amicus Curiae brief from CIPESA, Access Now, and ARTICLE 19, the court ruled that exclusions were isolated rather than systemic, allowing the scheme to continue requiring national IDs for access to social protection. Millions of vulnerable Ugandans remained locked out.

These developments present a pattern of systems built without adequate consultation, deployed without adequate safeguards, and only evaluated after the damage is done.

Conclusion and Recommendations

DPI is not just technical infrastructure; It is a constitutional infrastructure. It defines the digital contract between the state and its citizens. And like any contract worth the paper it is written on, it must be negotiated, not imposed.

The fingerprint scanner does not know it is excluding anyone. But the governments that procure these systems, the vendors that build them, and the policymakers that deploy them without asking whether they will work for everyone have a choice. Civil society’s role is to ensure that choice is made responsibly, transparently, and with the full weight of Africa’s human rights obligations in mind.

civil society should shift from a reactive to a proactive posture, and engage with DPI from the onset of the architecture.

Specific actions must be undertaken including among others:

• Demanding human rights impact assessments before systems go live.
• Insisting on privacy-by-design principles in procurement contracts and vendor agreements.
• Participating meaningfully in public consultations during the drafting of DPI legislation and policies.
• Using regional mechanisms like the African Commission on Human and Peoples’ Rights to submit shadow reports and push for binding normative standards on DPI governance.