Africa Takes Strides in Data Protection
Africa Focus
The protection of personal data has become an increasingly critical issue in the digital age, with countries around the world enacting comprehensive laws and regulations to safeguard the privacy of their citizens.
Law Update: Issue 370 - From Africa to Asia: Legal Narratives of Change and Continuity
Shouq Al MajaliAssociate,Dispute Resolution
Ayman HaiderAssociate,Dispute Resolution
The protection of personal data has become an increasingly critical issue in the digital age, with countries around the world enacting comprehensive laws and regulations to safeguard the privacy of their citizens. In Africa, the landscape of data protection has been evolving, with some countries taking significant strides to align their legal frameworks with global standards, while others have lagged behind. As the digital landscape continues to evolve, the need for robust data protection frameworks has become increasingly critical. As of January 2024, 36 African countries (65%) now have a data protection law, whilst 3 countries currently are in the process of implementing a data protection law. The number of data protection laws in Africa has more than doubled in the last decade, and a third of these laws were passed in just the last five years. African Union (AU) Convention on Cyber Security and Personal Data Protection, 2014 was adopted to establish a cyber friendly framework for the continent, by mandating states to develop legal frameworks for the protection of personal data, among other considerations.
Established in 2002, the African Union is the primary intergovernmental organisation on the African continent. In a landmark move, the African Union (AU) enacted the Convention on Cyber Security and Personal Data Protection, known as the Malabo Convention, which was ratified by fifteen member states in May 2023. This long-awaited agreement represented a significant step forward in Africa's efforts to establish a cohesive digital framework and reinforce data privacy across the continent.
The Malabo Convention was initially drafted in 2011. After a thorough review by AU-convened experts in 2014, the Malabo Convention was finally adopted in June 2014 however, required the signature of at least 15 countries in order to be ratified. As recently as 2023, the convention has been ratified by Angola, Benin, Chad, Congo, Egypt, Gabon, Gambia, Guinea-Bissau, Lesotho, Mauritania, Namibia, Niger, Sao Tome and Principe, Senegal, and Zambia.
The ratification of the Malabo Convention marks a significant milestone in Africa's digital transformation journey. This holistic framework not only targets cybercrime and data protection but also seeks to foster a secure and trustworthy digital environment across the continent. By aligning national laws with the convention, member states aim to bolster digital rights, enhance trust in electronic transactions, and stimulate economic growth through a secure cyber ecosystem. However, the full implementation of the Malabo Convention remains a challenge, as several key African Union member states, including South Africa, have yet to adopt the agreement.
As established, not all African countries have signed or ratified the Malabo Convention. Nonetheless, this is not a cause for concern as many of them have taken proactive steps to enacting their own data protection laws and regulations.
Cabo Verde is considered a pioneer in the African data protection ecosystem as it was the first country on the continent to enact a data protection framework. As early as 2001, Cabo Verde initially proposed legislation which was similar to European data protection standards at the time and was amended in 2013 to bring it in line with evolutionary advancements. Examples of the amendments include the establishment of the Comissao Nacional de Protecao de Dados (CNPD) as the national data protection authority. There have been several concerns as to why Cabo Verde refused to adopt the Malabo Convention, having been considered the trailblazer of data protection. This is likely due to the fact that Cabo Verde updated its data legislation one year prior to the formal adoption of the Malabo Convention. The updated legislation is already closely aligned with European standards therefore it is likely that the country felt that its existing framework is sufficient.
On the other hand, Nigeria has faced criticisms in the past for the lack of adequate data protection regulations, given that it is the most densely populated country in Africa, and considered an economic powerhouse for the region. The country had previously relied on the Nigeria Data Protection Regulation, 2019 (NDPR), which was considered a stopgap measure. However, over the years, the framework has been subject to scrutiny and criticism for lacking necessary enforcement mechanisms to ensure the application of the legislation and the safeguarding of information. Such scrutiny was further exacerbated by the digitisation of the Nigerian economy, which raised concerns about potential cybercrimes and data breaches.
In response to the growing concerns, Nigeria recently took a significant step forward by introducing the Data Protection Act in 2023. The Act aims to address the urgent need for comprehensive data protection in the country. The Nigerian Data Protection Act includes several key provisions that align with international standards. Additionally, the Act emphasizes the need for data subjects' consent for specific purposes and defines their rights, such as the right to access and control their personal information.
In contrast, South Africa has been hailed as a regional leader in data protection. The country's journey towards comprehensive data regulation has been a complex one The country's Protection of Personal Information Act (POPIA), enacted in 2013 but only fully implemented in 2020, is considered to be one of the most comprehensive data protection laws on the continent. POPIA aligns with international standards, such as the EU's General Data Protection Regulation (GDPR), and provides individuals with the right to privacy and protection against unlawful collection, retention, and use of their personal information.
The South African legislation introduced the Information Regulatory (IR), which has the authority to audit organisations, impose penalties and enforce compliance with the POPIA. This strong enforcement mechanism is a key feature that sets POPIA apart from other data protection laws in the region. The POPIA is considered to set a high standard for data protection, in comparison to Nigeria and Cabo Verdes’ national legislations, as it includes provisions on automation and data portability – reflecting alignment with the GDPR. In contract, Cabo Verde and Nigeria’s data protection legislations focus primarily on foundational aspects such as processing and the rights of data subjects, without addressing technological considerations.
The data protection efforts of African countries both inside and outside the Malabo Convention demonstrate the continent’s evolving approaches to the issue. The data protection landscape continues to evolve, and is marked by persistent challenges and progressive milestones. The national and regional initiatives highlight African nations commitment to ensuring the protection of information, even in the absence of a unified framework.
For further information,please contact Shouq Al Majali and Ayman Haider.
Published in September 2024