The task of making data protection work for Africa cannot rest with the regulators alone. Citizens can only enjoy the benefits of a data protection law when there’s a well-funded and fully supported watchdog and where government and the private sector treat data privacy as a priority, write Murray Hunter and Mukelani Dimba.
Saturday marks Data Protection Day across the world. It might not be a date circled on most people’s calendars, but it’s an opportunity to take note of some encouraging changes for data protection in Africa – and do some reflection on the challenges ahead.
For years the slow pace of data protection policymaking has bedevilled privacy activists, lawmakers, and regulators alike. Nearly a decade has passed since the African Union passed the Malabo Convention in 2014, which seeks to create a data protection framework for the whole continent. Yet, to the frustration of many data protection advocates, the Convention has yet to come into force, as most governments on the continent have been slow to ratify it.
Still, the once gloomy story of data protection in Africa is starting to look a bit more hopeful. In 2007, when a handful of states observed the first-ever Data Protection Day, there were just four countries in Africa with a data protection law on the books. Today, there are 33 such states on the continent (find the full list at dataprotection.africa) and more than half of their laws were passed in the last decade.
Privacy safeguards for Africans
This uptick of new data protection on the continent, however, delayed, promises new privacy safeguards for hundreds of millions of Africans. But there is a long way to go. A sizeable minority of African states still do not have their own data protection law in place. And many of the countries that do have such regulations face all kinds of thorny implementation issues.
Much can be said about the challenges of rolling out these types of laws, especially in developing countries. Data protection policy is notoriously complex, especially in a time of massive technological change, and often requires significant changes from government, business, and of course the broader public.
But the progress we have already seen on the continent really does matter. Data protection laws are an important bulwark against some of the major digital hazards of the modern era, including data profiteering from foreign tech giants, risks of cybercrime and mass data breaches, and unchecked surveillance of citizens by their own governments.
Even for those not persuaded by the value for human rights, there’s a strong economic case. Unified data protection laws across the region would help African economies compete in the global information economy. Flagship data protection laws like the European Union’s GDPR, and equivalent domestic laws in African states, restrict how businesses and government agencies can transfer people’s personal information across borders to countries without adequate data protection laws of their own – which effectively hampers non-privacy protecting countries from participating in global trade and commerce.
Data protection laws are also vital to other major economic goals for the continent: the African Union’s vision of an African single market – the African Continental Free Trade Area – will require all participating countries to have a law in place to ensure the protected flow of personal information across national borders.
High costs of not implementing
So, though local officials or business leaders may fret about the cost of enacting data protection, it is worth remembering the cost of not doing so.
So what’s to be done to build on the progress we have seen in the region?
Bringing the long-stalled Malabo Convention into force will be one step towards a united front from African countries. This first step may be easier than it sounds: only two more AU states need to ratify the Convention in their home countries to bring it into operation across the continent.
Having this continental framework in place will make the laws more effective where they exist and lobby for enactment where they don’t. It would help neighbouring countries (and their respective privacy regulators) to cooperate and share best practices, lower the cost of doing business across borders, and give African societies greater collective power to hold foreign tech giants accountable.
The other steps may be harder but are no less important. Once the continental framework is in place, all the work must begin to bring it to life (and, where necessary, to update it). To start with, the situation calls for the urgent enactment of local data protection laws in the remaining 22 African countries that still have no policy framework in place.
And for those countries that have cleared the hurdle of passing a law, the focus must shift to proper implementation. For some, that includes reviewing and updating the laws themselves, to ensure they align to democratic norms and international best practice. But many countries face even simpler stumbling blocks, including simply setting up and properly funding the local watchdog agency to enforce their new data protection law. These agencies, known as data protection authorities, often face a host of growing pains, including budget constraints, lack of inter-departmental cooperation, and low levels of awareness among officials and ordinary citizens alike. Fixing this is a slow process, and African data protection authorities have already set up regional cooperation to build their collective capacity and share best practices.
But the task of making data protection work for Africa cannot rest with the regulators alone. Citizens can only enjoy the benefits of a data protection law when there’s a well-funded and fully supported watchdog and where government and the private sector treat data privacy as a priority.
Thus, there’s genuine progress in the region to recognise as we mark Data Protection Day. There will be even more to come, if institutions of power can recognise data protection not as a costly obstacle or an afterthought but as a real pathway to better and more just societies.
– Dimba is Executive for Education and Communication at the Information Regulator, South Africa’s data protection authority. Hunter is a digital rights researcher for ALT Advisory. They write in their personal capacities.