African countries have been trailing their global counterparts when it comes to enacting laws to protect the digital data of their citizens. But that is changing, and enterprise technology leaders doing business on the continent need to be aware of current legislation in order to make sure digital services are in compliance with new laws.
Almost half of Africa’s 53 countries — including some of the biggest sub-Saharan markets — have adopted some form of regulation with the goal of protecting personal data, according to Privacy International. The forward momentum around data protection in the region has, to a large extent, been driven by the European Union’s ground-breaking GDPR legislation, which was adopted in 2016, and which has provided a superb framework and a successful model for many countries’ legislation globally.
In addition to the GDPR, another accelerant was undoubtedly the exposure of the dirty tricks being employed by the British consulting firm Cambridge Analytica. Those revelations showed how vulnerable African countries were to digital manipulation.
In March 2018, the Guardian and New York Times reported how the firm had been hired in both Nigeria and Kenya to influence elections. In the Nigerian case, the firm was hired to dig up ‘kompromat’ on the leader of the opposition, Muhammadu Buhari, while in Kenya, it had been hired to influence the results of both the 2013 and 2017 presidential campaigns. To add insult to injury, Cambridge Analytica was also revealed to be actively working to stoke racial resentment and intolerance in South Africa.
African nations move to coordinate data laws
In the wake of these events, and fearing the possibility of having to negotiate different data protection rules in different countries, many enterprise leaders have been hoping for some sort of coordination on data protection legislation among African Union countries.
One possible framework for such legislation is the African Union’s Convention on Cyber Security and Personal Data Protection, which would obligate AU nations to enact policy and regulatory measures for cybersecurity. But even though the document was adopted by the AU in 2014, progress toward actually implementing it has been slow — at least 15 AU member states must sign and ratify the convention for it to come into force, and that has not happened yet. (Among the ratifying countries so far: Angola, Ghana, Guinea, Mozambique, Mauritius, Namibia, Rwanda, Senegal, and Zambia. Some large countries, like South Africa and Nigeria, have passed data protection laws without ratifying the convention.)
One of the recurring stumbling blocks seems to be the apparent indifference of local populations to the issue. Anecdotal evidence reveals that many people don’t really care very much about data protection and are unaware of their right to privacy. They are also so starved of internet access that when it does finally come, they are happy to go along with it and sort out the issues around data privacy at a later stage.
“Unfortunately in many cases we are dealing with asymmetric data scenarios where the individual may be ‘obliged’ to divulge data ‘voluntarily’ in order to receive assistance or tangible benefits, without being able to assess the value of what they are divulging, or being able to bargain for fair value,” said Joseph Atick, executive director of ID4Africa, a non-profit organisation committed to the responsible adoption of modern digital identity systems.
Public pressure could be a real accelerant to speed up adoption of legislation, but it seems that is unlikely to come to pass without a major cybersecurity threat that serves to highlight just how vulnerable most people’s data really is.
More emphasis on educating the public about data and its value would help, Atick said.
“Generally speaking there is still no broad awareness of the value of data by the general public in Africa, and hence the question of privacy and data protection and associated regulations appears to be a secondary priority for the population at this stage of development of digital societies,” Atick said. “This will change as the data economy emerges in Africa, as it did in the rest of the world, and the value of data gets established within a market economy guided by robust data governance frameworks.”
Common elements of data protection laws
Though African countries are far from moving in lock step toward data protection laws, there are many common principles that form the basis of legislation that has passed in Africa, based on elements of the GDPR.
Basic principles enshrined in the GDPR that are reflected in African data protection laws that have been passed so far include:
- Organizations that are collecting data need to make clear that they are doing so, and explain why they are doing so
- They should only collect data for as long as is necessary to complete the aforementioned purpose
- They should try to minimize, or limit, the amount of data they need to collect as a way of safeguarding individuals in the event of a breach
- Inaccurate or incomplete data should be erased as quickly as possible
- Data should be deleted once it is no longer necessary for a given purpose
These basic elements form the core of most modern data protection legislation. With that in mind, here are steps taken by four of the major African economies to create laws that match the moment in the digital economy.
Nigeria’s progress over the last 18 months has been somewhat erratic, yet there has been progress in the adoption of a robust data protection regulation framework. The Data Protection Bill of 2020 is making its way through the legislature with the stated objective of promoting “a code of practice that ensures the privacy and protection of personal data without unduly undermining the legitimate interests of commercial organisations and government security agencies to collect such data.”
Data protection is a crucial aspect of the Digital Economic Policy and Strategy espoused by the National Information Technology Development Agency (NITDA).
There are a number of plainly stated goals that the Bill aims to achieve:
- To protect data subjects’ data vis-à-vis the use of such data by organisations and security agencies;
- Establish a regulatory authority that will coordinate data protection and privacy issues and have oversight on data controllers and data processors; and
- Ensure that personal data is processed in accordance with NITDA’s data protection principles.
The bill places a large degree of responsibility on the shoulders of Nigerian data controllers, who are defined as “a person, company, or other body that determines the purpose and means of personal data processing.” Hefty fines and imprisonment are on the books for any contravention of the legislation.
Kenya has been at the forefront of African technology and innovation for some time, so it’s surprising that the country only passed its Data Protection Regulations in November of 2019.
The Act has four distinct components to it, which provide a comprehensive overview:
- The establishment of the Office of the Data Protection Commissioner,
- The regulation of the processing of personal data,
- Provision for the rights of data subjects,
- Establishment of the obligations of data controllers and processors.
Offences can result in jail time and fines of up to five million Kenyan shillings, although progress has been slow following the approval of the act. For example, it took another 12 months for the new Data Protection Commissioner, Immaculate Kassait, to be sworn into the position (although the delay can be attributed in part to the understandable focus on fighting the global pandemic).
South Africa’s long-awaited Protection of Personal Information Act (PoPIA) was finally signed into law on July 1, 2020. A grace period of 12 months has been permitted to give companies time to become compliant, and from July 1, 2021, liability comes into effect.
The goal of the Act is to force both public and private bodies to follow strict guidelines when collecting, processing, storing and sharing personal information. It’s very similar in spirit to the EU’s GDPR, but extends the terms to apply not only to individuals but also to companies, trusts and various other collective institutions. In that sense, it goes further than the GDPR does, although it is limited to information that is processed within the borders of South Africa, while the GDPR provides a blanket cover for all European citizens, no matter where on earth that information is gathered.
Ghana has been way ahead of most African countries in cybersecurity legislation, establishing the Data Protection Act in 2012, “to protect the privacy of the individual and personal data by regulating the processing of personal information.” In October 2020, the Data Protection Commission launched new software tools that streamline the registration and renewal process and improve the user experience for Data Controllers and Processors.
It also announced a six-month amnesty period that runs until March 2021, “during which any applicable arrears will be waived allowing defaulting Data Controllers to register with the Commission and pay the current year’s fee due only.”
What Africa’s data laws mean for business
Despite the slow route many African nations are taking toward implementing data protection rules, there is overall steady movement toward a common set of principles that underlie such regulations.
“Data knows no boundaries and neither do data protection laws,” said John Giles, the managing attorney at South African law firm Michalsons.
But South Africa and Nigeria, among other nations, show that even countries that are moving ahead of their regional peers in Africa may use GDPR and the AU’s data protection convention as a basis to chart their course. As such, IT leaders in business would do well to focus on the basic principles of the GDPR when rolling out digital services on the continent, especially in those countries that have not yet enacted their own specific regulations.
“We’re fast getting to a world in which each organisation has to comply with the data protection laws of many countries,” Giles concluded. “Luckily, data protection laws around the world are very similar and we really have a set of global principles. There will always be some local differences as different cultures value privacy differently. But about 80% will always be the same.”