The world witnessed in the past years unprecedented technological advancements and the emergence of new trends thanks to one thing: data. It is not surprising that the latter was an essential enabler of digitalization because it is the basis of almost every technological innovation. Given the importance of data, governments and international entities have established relevant frameworks, laws and regulations in order to avoid data breaches and sanction perpetrators in case they took place. However, in Africa, a technologically emerging continent, data protection hasn’t reached quite the right level.
Unlike in Europe and the United States, where data-privacy laws provide a level of protection to consumers, there is no unified approach to personal data protection across the African continent, with some countries having comprehensive personal data protection legislation in place and others have no legislation or constitutional protection.
According to a report commissioned by Deloitte, there are currently 17 countries only in Africa that have enacted comprehensive personal data protection legislation, namely Angola, Benin, Burkina Faso, Cape Verde, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Mali, Mauritius, Morocco, Senegal, Seychelles, South Africa, Tunisia and Western Sahara.
For instance, in Nigeria, the African country with the most internet users, a data-protection bill that was introduced in 2010 is still making its way through parliament. The proposed Nigerian legislation would prohibit the processing of data for purposes other than their original intended use and companies could be fined for breaches of personal information.
In Kenya, a country of 44 million people with some 8.5 million Facebook users on a monthly basis, there are no specific data-protection laws that exist.
In Rwanda, an ICT law provides that, “every subscriber or user’s voice or data communications carried by means of an electronic communications network or services, must remain confidential to the subscriber and or user for whom the voice or data is intended”.
However, no comprehensive data protection and privacy law was enacted to protect people’s data, despite the fact that Africa is known for having a large and fast growing population of mobile technologies and internet users.
The African Union (AU), had adopted the AU Convention on Cybersecurity and Data Protection (AU Convention) in June 2014. However, the AU Convention has not taken effect yet as it has, to date, not been ratified by 15 out of the 54 AU member jurisdictions.
The Convention offers a data protection framework to African countries that they can adapt according to their own national legislation. The main goal that the African Union aims to achieve from this convention is to raise awareness among the African countries of the need to protect personal data.
According to Fraser Graham, senior director for policy engagement at GSMA, the transformation of the industry’s landscape towards more digitalization requires specific legislation that protect people’s data and privacy.
“What we are thinking is that the introduction of enabling policies is important for the continent. We are, in fact, calling for fundamental review of policy and regulatory frameworks to make them fit for the digital ecosystem,” he said in Kigali at the M360 Africa Series conference.
The GSMA has been focusing in its discussions lately on addressing data protection and privacy issues in Africa. “One of the priorities that came out is about bringing attention of Africans to data protection; basically, ensuring stability, safety and confidentiality of online data,” Graham said when talking about the conversation at M360 Africa series.
“We have seen the development of data privacy laws in some parts of Africa. But the question is, how can we push for the right results and make sure that data protection laws are adopted across the region?” Boris Wojtan, Director of Privacy at the GSMA noted.
Wojtan considers that having a smart data privacy framework enables trust and innovation and allows Africa to tap the digital opportunity. However, he expressed a sense of skepticism over having data protection authorities in Africa capable of enforcing the laws if established.
Indeed, according to Reuters, data privacy groups say that many African governments have a vested interest in not introducing such laws because they use citizens’ data for their own ends – whether for political campaigns, as in Kenya, or for suppressing political dissent, as rights groups allege that the government in Tanzania has done since passing a cybercrime law in 2015.
In order to effectively capitalize on the vast investment opportunities in Africa, businesses with an African footprint have to understand the data protection landscape in Africa first. Each African country has its own data protection framework that, as limited and undeveloped as it may seem, has to be respected. According to Deloitte’s report, non-compliance with personal data protection legislation could impede an organization from transferring personal data cross-border, thereby hindering its business operations, notably multinational organizations with a global footprint who transfer personal data cross-border in the ordinary course of business in conducting international trade.