Data protection regulation is gaining momentum in Africa, with 31 countries having passed specific data protection laws. Out of these 31 countries, only Benin, Burkina Faso, Cape Verde, Chad, Côte d’Ivoire, Gabon, Ghana, Kenya, Mali, Mauritius, Morocco, Nigeria, Senegal, São Tomé and Príncipe, South Africa, Togo, Tunisia and Uganda have operational data protection enforcement agencies. The other countries that have specific data protection laws (that is, Algeria, Angola, Botswana, Egypt, Equatorial Guinea, Lesotho, Madagascar, Mozambique, Niger, Rwanda, Seychelles, Zambia and Zimbabwe) are yet to set up and operationalise such enforcement mechanisms. Despite the prevalence of data protection regulation in the African continent, the various legislations providing for data protection vary, making it necessary to have a country-specific approach when it comes to ensuring data protection compliance in any given jurisdiction. This is not efficient for data controllers and data processors setting up shop in Africa because they would need to implore more resources to ensure data protection compliance in each country they operate in. Therefore, to simplify and make efficient data protection compliance in Africa, there is a need to move towards harmonisation of data protection regulation.
Currently, the data protection laws that have been adopted by African countries are not harmonised. However, in 2014, the African Union (AU) adopted the AU Convention on Cyber Security and Personal Data Protection, a convention that deals with the regulation of personal data protection in the broader context of Africa. Article 12 (1) of this Convention requires the setting up of national data protection authorities in various African countries to ensure that the processing of personal data is consistent with the Convention to harmonise data protection regulation and enforcement in Africa. The Convention outlines the duties and powers of national data protection authorities and the basic principles governing the processing of personal data. Since this Convention was adopted before the European Union (EU) General Data Protection Regulation, 2018 (EU GDPR), there are nuances between its provisions and those of the EU GDPR. So far, this Convention has only been ratified by 8 African countries (that is, Angola, Ghana, Guinea, Mozambique, Mauritius, Namibia, Rwanda and Senegal) and is yet to come into force. It will come into force 30 days after the date of receipt by the Chairperson of the Commission of the AU of the 15th instrument of ratification. Once this Convention comes into force and is implemented by member countries, it is expected to create more harmonisation among the various data protection regimes across the continent. However, there has been an inertia towards its ratification by African countries. Therefore, it is important to carry out an analysis of whether this Convention meets the needs of African countries and if it is up to date when it comes to data protection international best practice.
The Agreement establishing the African Continental Free Trade Area (AfCFTA) entered into force on 30 May 2019 for the countries that had deposited their instruments of ratification. The AfCFTA is intended to create a single continental market for goods and services, while also providing for intellectual property regulation, investment and dispute resolution. Currently, 34 countries have ratified the Agreement establishing the AfCFTA. Trading under the AfCFTA is set to begin on 1 January 2021. Notably, Article 15 of the Agreement establishing the AfCFTA provides that laws and regulations relating to data protection may be enacted by member countries if their enactment does not result in the arbitrary or unjustifiable discrimination between member countries where there are similar provisions in their laws and regulations or result in a disguised restriction on trade in services. This is both a good and a bad thing. In the context of the promotion of autochthonous data protection laws, this provides member countries with the leeway to see how to best provide for data protection to fit the needs of the specific country. However, promoting the enactment of laws by the individual member countries in AfCFTA moves away from the hope of having a harmonised data protection regime for Africa which would have optimally fallen under the AfCFTA as has the EU GDPR which provides for data protection regulation in the EU. Such a framework has been very beneficial to the EU since harmonisation has made it simple for data controllers and data processors that are setting up in any country or in several countries in the EU. This is because they will only need to carry out an analysis to see if they comply with the EU GDPR as opposed to having to analyse if they are complaint with the legislation of every single country they will have a presence in within the EU (factoring in the margin of appreciation allowed under the EU GDPR). A similar approach would be a great value add for the AfCFTA as it gradually scales up to become a customs union with the eventual possibility of becoming a political union.
Despite no harmonised data protection regime in Africa, the specific data protection legislations across Africa have common features. For example, the consent of the data subject is provided for as a ground for the lawful processing of personal data; there is an obligation on the data controller to notify the national data protection authority of data breaches; and, most of the data protection laws enacted by the various African countries provide for the establishment of a national data protection authority that independently oversees the implementation and enforcement of the data protection law in the respective country. For example, Kenya’s Data Protection Act provides for the establishment of the Office of the Data Protection Commissioner, which is currently being set up following the appointment of the Data Commissioner. Notably, Nigeria and Uganda have different approaches when it comes to this as the national ICT regulatory body, the National Information Technology Development Agency (NITDA) in Nigeria and the National Information Technology Authority (NITA) in Uganda, are directly in charge of the implementation and enforcement of Nigeria’s and Uganda’s data protection governance respectively.
Harmonisation of data protection laws in Africa would be of great benefit to African countries, especially with trading under the AfCFTA having begun on 1 January 2021. With increased intra-African trade, many organisations which might either be data controllers or data processors will inevitably set up shop in Africa, and having a one-stop-shop when it comes to data protection regulation will simplify their operations.