What does the AU Data Policy Framework mean for African Digital Enterprises?

The AU Data Policy Framework is a document that provides guidance and recommendations for African countries to develop and implement data policies that support the digital transformation and economic integration of the continent. It also aims to foster a harmonized and interoperable data ecosystem that enables the free and secure flow of data across borders, while respecting human rights, privacy, and data protection. It serves more as a guideline than as a set of hard and fast rules, but where are we right now?

State of data protection on the continent

Africa did not have a universally adopted data policy framework; rather, each country was drafting a policy within its own jurisdiction. In Africa, a total of 33 countries have implemented legislation on data protection and privacy, 6 are in the draft legislation phase, and 19 either have no legislation or have no data available. These policies have so far focused on 2 main aspects. One is the protection of personal data, with cyber security standards to reduce the prevalence of access to personal data by unauthorized actors. The other is standards for systems that house data, to reduce vulnerability to cyber attacks.

Angola: Law No. 22/11, June 17, 2011 (passed)
Benin: Book V of the Digital Code of the Republic of Benin Protection of Personal Data (passed) and Law No. 2009-09
Botswana: Data Protection Act 2018 (passed)
Burkina Faso: Law No. 010-2004/AN (passed but has been revised, and the revision has not passed yet)
Cape Verde: Law No. 133, Law No. 41 and Law No. 42 as a supplement (passed)
Gabon: Law No. 001/2011 (passed)
Ghana: Data Protection Act of 2012 (passed)
Ivory Coast: Law No. 2013-450 (in French) (passed)
Kenya: Data Protection Act No. 24 of 2019 (passed)
Lesotho: Data Protection Act 2011 (passed, not enforced)
Madagascar: Law No. 2014-038 (in French) (passed, not enforced)
Malawi: Partial protection via the Electronic Transactions and Cybersecurity Act No. 33 of 2016 (has some provisions that cover personal data protection) (passed)
Mali: Law No. 2013/015 (in French) (passed)
Mauritius: Data Protection Act 2017 (passed)
Morocco: Law No. 09-08 along with Implementation Decree No. 2-09-165 (Data Regulator: CNDP)
Mozambique: No data protection law but some protections under the Constitution, Civil Code and the Penal Code
Niger: Law No. 2017-28 (passed)
Nigeria: Nigeria Data Protection Regulation (passed)
Rwanda: Partial, via the Information and Communication Technology Law No. 24/2016 (passed)
Senegal: Law No. 2008-12 (passed)
Seychelles: Data Protection Act of 2003 (not enforced yet)
South Africa: Protection of Personal Information Act (passed)
Togo: Law No. 2019-014 (in French) (passed)
Tunisia: Organic Act No. 2004-63
Uganda: Data Protection and Privacy Act 2019 (passed, not in effect yet)
Zambia: Partial via the Electronic Communications and Transactions Act No. 21 of 2009 (not passed yet)
Zimbabwe: Cyber Security and Data Protection Bill (passed)
Source: International Association of Privacy Professionals (IAPP)

Adopting a continent-wide data protection bill is no mean feat. It involves institutional changes to the way individual countries and their institutional entities handle data. A certain level of standardization in how data is collected, processed, and stored means standardized systems and protocols at hardware and software levels across the board and across borders.

First and foremost, the lack of regulations across the continent underscores the need for resources. There is not enough funding allocated toward government employees training or creating entities within the government that could be responsible for data protection and privacy, in general.

International Association of Privacy Professionals (IAPP)

For perspective, a form of this standardization can be seen in developments in SADC. Road routes that are part of the Trans-Africa highway and are being rehabilitated at the moment (the Beitbridge-Harare-Chirundu highway) are being built to standard specifications for lane width, road width, and road signs and markings, as a way of standardizing trade routes within SADC.

Zimbabwe also recently moved away from legacy metal driver’s licenses to plastic ones that expire after 5 years and license types for different classes of vehicles that follow the latest standards set by SADC. This means that officials in South Africa can correctly and competently interpret a Zimbabwe-issued driver’s license. Such ideals are the ones that are also being translated to the specifications of the AU Data Policy Framework.

To achieve this, a decent amount of commitment in investment is required and that is what has hampered the progress of data-related policies being implemented on the continent versus Western nations. The rate at which technology is advancing is also widening the chasm between the availability of data and policy addressing the numerous new ways in which data is handled.

…improve unevenly developed infrastructure across the continent, leveraging existing REC regional efforts to support efficient broadband network coverage, reliable energy supply, and foundational digital (data) infrastructure and systems (FDI) (digital identity (Digital ID)), interoperable trustworthy payments, cloud and data infrastructure, and open data sharing systems, for cross border digital trade, e-commerce…

AU Data Policy Framework

Effects on country-to-country flow of data

At present there is not much in the way of restrictions on the flow of data on the continent. The two major hindrances to the movement of cross-border data are that:

  1. a majority of useful data on the continent is still offline and;
  2. the data that is available online is not standardized.

While solving the problem of bringing several tonnes of data in filing cabinets into the digital space will take some time, standardizing the formats and categories of data will go a long way toward making data more useful as it crosses borders.

On the side of businesses and economic development, more transparent forms of data mean more accurate deductions about a market and its performance. This is crucial when trying to determine how viable and effective a solution will be in a market. Oftentimes the data shows a different sentiment from what the public might suggest. With enough data, businesses like Kwese would have had a different approach to how they deliver content on the continent and perhaps different outcomes.

Transparent data also promotes innovation on top of existing products and services. A mobile wallet like EcoCash can work with a startup in the business of offering credit solutions, using an individual’s EcoCash transaction history as well as other bank account history to offer short-term loans instantly based on their financial activity. This removes the need for, and inconvenience of, paperwork, seeking bank statements dating back 3 months, or imagining collateral to attach to the loan.

Senegal’s Case Study of information flow for mapping mobility & economic activity

One case study on Senegal, in which big data was used to map Call Data Records (CDR), mobility, and economic activity, was conducted by researchers from the State University of New York, Buffalo, and the Brookings Institution. They used CDR data from a major mobile operator in Senegal to create detailed poverty maps at a finer spatial resolution than the existing household surveys. They also analyzed the relationship between poverty, mobility, and social network characteristics, such as degree, centrality, and clustering.

The researchers obtained CDR data from 9 million mobile phone users in Senegal, covering a period of 6 months in 2013. They constructed a virtual network of the country based on the “who-calls-whom” network and divided the country into 552 regions based on the Voronoi tessellation of the cell towers. They then extracted various features from the CDR data, such as call frequency, duration, diversity, balance, and mobility patterns. They also used satellite imagery data to obtain the night-time light intensity and the normalized difference vegetation index (NDVI) for each region.

The researchers concluded that their study demonstrates the potential of using big data, such as CDR data, to create more detailed and timely poverty maps, and to understand the socio-economic dynamics of poverty in Africa. They also suggested that their approach can be applied to other countries and regions, and can be used to monitor the progress and impact of poverty alleviation programs and policies.

Big Data Innovation in Kenya Using M-Pesa

One of the most innovative uses of big data on M-Pesa mobile money transactions was the creation of M-Shwari, a savings and loan product that was launched in 2012 by Safaricom and the Commercial Bank of Africa (CBA). M-Shwari allows M-Pesa customers to open a bank account, save money, and access credit through their mobile phones. The credit scoring algorithm used by M-Shwari is based on the analysis of the customer’s M-Pesa transaction history, such as the frequency and amount of deposits, withdrawals, transfers, and payments. The algorithm assigns a credit limit to each customer, which can range from 100 to 50,000 Kenyan shillings (about $1 to $500), and charges a flat interest rate of 7.5% per month. The loan repayment period is 30 days, and the default rate is around 2%.

M-Pesa mobile money transactions were also used to create credit profiles for small-holder farmers in the Kilimo Salama project, which was launched in 2009 by the Syngenta Foundation for Sustainable Agriculture and UAP Insurance. Kilimo Salama, which means “safe agriculture” in Swahili, is a micro-insurance scheme that protects farmers against weather risks, such as drought and excess rainfall. The scheme uses M-Pesa to collect premiums and pay out claims, as well as to verify the weather conditions using automated weather stations. The scheme also uses the M-Pesa transaction data to assess the creditworthiness of the farmers and to provide them with input and harvest loans through partner financial institutions, such as KCB Bank and Equity Bank. The loans are tailored to the specific crops and regions of the farmers and are linked to the insurance coverage.

Such a framework coming into play this early means some of its elements can be implemented relatively quickly. A majority of the countries on the continent do not yet have any form of data protection policies set up, allowing them to start from the ground up with the continental framework in mind. There will still be challenges with countries lacking the capacity to implement the infrastructure to satisfy the requirements of the AU Data Policy Framework.

Unavoidable hindrances to unrestricted transborder flows of data

Inasmuch as completely restriction-free movement of data across borders is the most preferred scenario, there is a need to ensure that the data preserves privacy, protects personal data from being used without the consent of the user, and preserves the integrity of data that has to do with national security.

Cyber security then becomes an integral part of the Data Policy Framework. In terms of data protection in cross-border data flows provisions, Article 13 of the Malabo Convention and Articles 23 to 29 of the ECOWAS Supplementary Act on Personal Data Protection set out that the principles of processing personal data include:

  • consent and legitimacy
  • legality, and fairness
  • purpose, relevance, and preservation
  • accuracy
  • transparency
  • confidentiality and security
  • and choice of data processor.

The World Economic Forum goes on to describe a 6-step roadmap towards cross-border data flows, with each level essentially adding a layer of security to the data:

  1. Allow data to flow by default: Prohibit data localization requirements except in very specific circumstances in order to create regulatory certainty for businesses.
  2. Establish a level of data protection: Establish national legal frameworks that protect the data of private individuals. Complement this with laws that protect proprietary rights.
  3. Prioritize cybersecurity: Enact cybersecurity legislation in line with international norms and maintain robust data security infrastructure.
  4. Hardware accountability between nations: Establish cooperation mechanisms between national authorities to hold governments accountable for the security and confidentiality of the data they share, while making allowances for compliance.
  5. Prioritize connectivity, technical interoperability, data portability, and data provenance: Prioritize the provision of connectivity infrastructure as a prerequisite to building a local data economy, encourage technical standards to increase interoperability, facilitate data portability at the B2B level to support SMEs and encourage data publishers to ensure data integrity.
  6. Future proof the policy environment: Allow for the possibility of future alternative models (such as federated learning models and data trusts) that can also fulfill the spirit of cross-border data flows.

Africa, for the moment, has the most unrestricted flow of data across its borders according to ITIF as of April 2017, with the exception being Nigeria.

In 2014, Nigeria enacted the “Guidelines for Nigerian Content Development in Information and Communications Technology (ICT),” which introduced several restrictions on cross-border data flows and mandated that all subscriber, government, and consumer data be stored locally. Furthermore, in 2011, Nigeria’s Central Bank introduced a measure that required all point-of-sale and ATM transactions to be processed locally. Under no circumstances are these transactions to be processed outside Nigeria.

ITIF – Cross border data flows | Where are the barriers and what do they cost

Lessons from the General Data Protection Regulation (GDPR)

GDPR is short for the General Data Protection Regulation, a European Union regulation that aims to protect the privacy and security of personal data of individuals in the EU and the European Economic Area (EEA). The GDPR also applies to organizations outside the EU and EEA that collect or process the personal data of individuals in the EU and EEA.

The EU created an infrastructural and legal framework that is standardized across the EEA. What this has done is remove the bottlenecks associated with businesses navigating different frameworks in different countries, especially for multinationals, who would appreciate the convenience of a ‘one size fits all’ approach to implementation. GDPR is the only framework they will need to satisfy when working with data that is within the definitions of the GDPR.

The GDPR itself went live in 2016, and by then a number of African countries had already developed their own national data protection frameworks. Since these were already in motion, such countries did not adopt the GDPR; however, there are elements within these frameworks in individual countries that line up with the GDPR. Common points of intersection are definitions of data and procedures for collecting and processing the data.

Ghana: Ghana’s Data Protection Act was passed in 2012, ahead of the adoption of the GDPR, so it does not expressly follow the GDPR framework. However, the Act regulates the collection and processing of personal data through similar principles provided in the GDPR.

Kenya: Although the provisions of the DPA are similar to those of the GDPR, they are not identical.

Madagascar: The Malagasy Data Protection Law is based on the 1995 European General Data Protection Directive (95/46/EC). However, as the 1995 European General Data Protection Directive was repealed by the GDPR when adopted in 2018, the Malagasy Data Protection Law is no longer up to date.

Mauritius: The DPA 2017 is aligned with international standards, namely the GDPR and the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data. However, there are certain instances in the DPA 2017 where the provisions are not the same as contained in the GDPR, for example, the hefty administrative penalties under the GDPR have not been reflected in the DPA 2017. The Mauritian legislator has adopted a criminal regime for sanctioning contravention of the DPA 2017. However, if an individual has suffered prejudice as a result of a breach of the DPA 2017 by a controller or processor, e.g., following a personal data breach, the individual may claim damages for that breach under the law of tort.

Morocco: Current data privacy law in Morocco follows the “declarative” framework of the EU Directive #95/46 which prevailed in Europe before the GDPR was passed.

Nigeria: The NDPR is significantly modelled after the GDPR. Both laws are reasonably similar in terms of rationale and core principles. The NDPR and the GDPR both aim to provide data subjects with a certain level of protection regarding their personal data. The material scope of the laws is consistent, with common definitions and principles on the processing of personal data in general. Beyond the similarities, both laws also have notable differences. Unlike the NDPR, the GDPR is a more unified framework. Although the NDPR and the Data Protection Bill aim to achieve this goal, Nigeria’s laws on data protection and privacy are currently not as comprehensive or unified.

Rwanda: Both Law Nº 058/2021 of 13/10/2021 relating to the Protection of Personal Data and Privacy and the draft Regulation Governing use of Personal Data in Rwanda 2019 follow the same framework as the GDPR. These legislations have some highlighted similarities, including principles relating to the processing of personal data, obligations on the companies and organizations in order to ensure the privacy and protection of personal data, providing data subjects with certain rights, and assigning powers to regulators to ask for demonstrations of accountability or even impose fines in cases of non-compliance.

South Africa: POPIA was first prepared as a draft bill in 2009, and was based on the regulations of the EU’s first data privacy legislation – the EU Data Protection Directive (1995), which was replaced by the GDPR in 2018. There are similarities and major differences between POPIA and the GDPR.

Uganda: Partially. The Act aims to protect the privacy of the individual and of personal data and is, in some limited aspects, inspired by the GDPR. The Act also mirrors the UK Data Protection Act, of 1998, which revolves around several principles concerning data protection and collection. The Act created the personal data protection office in NITA-U, also an independent body synonymous with the UK’s Information Commissioner’s Office, set up under Chapter 6 of the GDPR. One of the main contrasts with GDPR is the absence of legitimate interest as a legal basis for processing in the Ugandan Act.

Zimbabwe: Zimbabwe does not have a comprehensive data privacy law and the legislative provisions in place do not follow the framework of the GDPR.

It is evident that harmonizing the data protection framework on the continent is not going to happen as rapidly as was the case with the GDPR in Europe. A lot of infrastructural and legislative hurdles need to be crossed at national levels for the universal data protection framework to be realized on the continent. The AU data policy framework proposes a legal system consisting of:

  • Bill of Rights (Privacy, Freedom of expression, Access to information)
  • Competition law
  • Cybersecurity law
  • Data protection law
  • Electronic transactions law
  • Intellectual property law

The policing of these legal frameworks is for the moment being entrusted to AU member states with reference to specifications that are yet to be decided upon as stated in the AU data policy framework.