Navigating data privacy regulation in Africa

Africa has seen a significant increase in the adoption of privacy laws in recent years, driven by a number of dynamics and concerns at both global and local levels. Data-reliant companies doing business on the continent need to understand and keep track of these legislative undercurrents in order to ensure appropriate compliance levels, as well as anticipate and mitigate regulatory risk. Non-compliance may preclude organisations from capitalising on their local activities, for example by restricting their ability to transfer personal data to third parties beyond borders. 

New regulatory frameworks 

Governments and civil society are increasingly concerned about international technology companies’ utilisation of data across the continent. NGOs have called on the AU to protect the data of African citizens in a similar way to Europe, while also highlighting homegrown solutions as alternatives to international tech services. 

In addition, most countries are keen to promote the development of the digital industry, which can only be achieved by building confidence in new technologies and emerging business models. Data privacy laws are a vital part of this trust-building exercise.

Countries in Africa also face exogenous pressure to adopt data privacy laws. The EU’s General Data Protection Regulation (GDPR), along with other privacy frameworks, have been particularly influential. The Council of Europe’s Convention 108 is gaining traction in Africa, while the AU is urging countries to ratify the 2014 Malabo Convention, as well as regional initiatives such as the ECOWAS Supplementary Act.  

Although the African Continental Free Trade Area’s (AfCFTA) language on data privacy is vague, its operationalisation might serve as a catalyst for harmonisation, by prompting the ratification of a common framework like the Malabo Convention. As African markets merge, but legal standards differ, it is likely that private and public stakeholders, data controllers and processors will begin to adopt common frameworks – when requesting consent, for example – benchmarked or interpreted using a continental standard such as the Malabo Convention. 

For now, there are numerous variations between national frameworks. These differences mainly revolve around: the scope of regulation, i.e. whether or not data processors using local data, but based abroad, fall within it; the requirements pertaining to the appointment of a local data representative and cross-border data transfers; and registration with the national data authority. Enforcement is also often limited and/or ad hoc.

Company positioning and stakeholder engagement 

Map: Countries with a data protection law (and a supervisory authority)

Given the above, companies tend to engage with public sector stakeholders to determine the exact compliance requirements. Such engagement is prioritised in jurisdictions whose data-specific legislative framework is applicable to data processors and controllers operating outside the market. 

Local data protection authorities (DPA) are and will increasingly become key interlocutors on data regulation, as will DPA networks such as the Network of African Data Protection Authorities. 

In this context, private companies, via various initiatives and coalitions, are also seeking to position themselves as government allies and champions of data sovereignty. This can be achieved either by the financing of data centres, or by increasing their external communications with regards to how they use local data to help governments reach their objectives. 

Africa Practice can help you anticipate and mitigate these risks, as well as seize the right opportunities.  Read more about our services here.

About the author

Daphne Piriou is a Consultant at Africa Practice. She can be contacted at [email protected]