Introduction
This article is based on excerpts from the second episode of Tech Hive’s Pulse Point Series event titled "Data Protection in Africa: Roundup on 2023 and Projections for 2024." The session aimed to analyse Africa's data protection landscape in light of emerging technologies and project the trajectory of data protection and privacy expectations for the upcoming year.
Overview of the 2023 African data protection landscape
This year, there was substantial legislative progress across the continent, with the Democratic Republic of Congo, Nigeria, and Somalia enacting a data protection law, Botswana postponing the implementation of its data protection law, and Namibia awaiting legislative approval of the draft data protection law, amongst other countries that have successfully drafted data protection laws. Regionally, progress was also made with some regulatory frameworks. The implementation of the Malabo Convention in 2023 marked a significant milestone. The convention came into force after the 15th ratification from Mauritania, underscoring its growing influence. Also, in September, the African Union's (AU) attainment of permanent membership in the G-20 emerged as a pivotal event. This membership is important because it could provide the continent with enhanced capabilities to address digital trade barriers comprehensively. Another crucial aspect was the AU Data Policy Framework publication in 2022. This forward-looking framework recommends a regional approach to address data protection issues, aiming to overcome silo effects in regulatory approaches. It is hoped that the continent’s plans to harmonise legislative efforts materialise. This consolidation is anticipated to alleviate trade barriers and challenges related to data transfer within Africa, fostering a unified approach to regulatory compliance.
Enforcement was also increased during the year. For example, the South African regulator issued its first fine against the Department of Justice and Constitutional Development and an enforcement notice against a pharmaceutical company. In addition, the Kenyan data protection authority issued fines to some organisations for unlawful processing of personal data. The Worldcoin case was notable this year, as it reinforced the importance of compliance with the data protection law, irrespective of an organisation’s registration status.
Some initiatives from the data protection authorities received much attention during the year, largely due to their significance to the data protection space. There was also a shared trend towards child protection and concerted efforts to create age-appropriate online experiences for children in the region. Notable initiatives included Mali's Data Protection Authority, which issued a public notice urging women and children to safeguard their data online. Countries like Senegal, Nigeria, and South Africa undertook similar initiatives.
Despite the progress made, some countries still had some setbacks. Notable regulatory challenges include the lack of substantial regulatory efforts to address the challenges posed by artificial intelligence (AI). Despite initiatives dating back to 2019 to draft a regulatory framework for AI, regulators missed the opportunity to collaborate and establish comprehensive AI regulations. Rather than relying on European Union legislation, it was suggested that countries in the region establish guidelines or protocols for intervening in AI-related matters. Interestingly, there has been remarkable progress in this area as governments have begun adopting AI strategies and policies. Some countries, like Nigeria and Kenya, have drafted bills on AI regulation.
Another challenge was the lack of democracy, which affected the implementation of laws. The coup d’etat patterns in some countries impact the implementation of digital rights and personal data law. During transitional periods, governments say they are at liberty to take steps in the interest of civil peace or protecting national sovereignty, usually without accompanying accountability mechanisms. The steps taken by the government allow interference with personal data, which ultimately hinders democracy and the right to privacy. Generally, the slow development of data protection laws in this era of digitalisation has been a major challenge.
How businesses can comply with laws in the emerging technology space
The path to compliance for data protection, AI and emerging technologies is multifaceted. On the one hand, there is a need for private-public partnerships in developing regulations; on the other hand, there is a need to weave compliance models into each step of operation for companies.
It is advised that organisations thoroughly familiarise themselves with existing data protection laws and map out how the provisions of the laws apply at every stage of their operations. This can be done by appointing a data protection officer, balancing existing processes with regulatory requirements, and creating awareness for the staff. This will go on to aid in carving out a comprehensive data protection program for the company. Likewise, considerations should be made for data protection by design and by default in product development. This is regarded as a proactive approach as it provides an ample avenue to weave data protection compliance into companies' operations.
The prospects of AI and other emerging technologies cannot be sidelined in the compliance discourse. Organisations are rapidly adopting AI into their processes, and this poses some risks of exposure to their databases and proprietary information. The approach adopted by some organisations is to instruct their employees against using AI-enabled solutions like ChatGPT for business-related matters. This will not be sufficient to address these risks. Rather, risk assessment and management may be developed to mitigate such risks and develop better compliance.
There is also an emphasis on the role that organisations play in the development of policies. Where organisations lend their weight towards harmonising certain policies and practices, this could be regarded as industry best practices. Consequently, it becomes difficult for the government to depart from such practices; rather, the government often gives the force of the law to such practices. While this provides an avenue for businesses to contribute to policies, it also helps them have smooth sailing with compliance.
Understanding different countries' regulatory landscapes will also help organisations navigate compliance better. For instance, the regulatory landscape in Francophone Africa is slightly different from that of Anglophone Africa. However, there is still a need to encourage uniform compliance requirements to ease compliance for organisations that serve customers across Africa. There are different approaches to achieving this, such as organisations pushing to implement the AfCFTA in their countries. The treaty has the potential to not only promote free trade but will also give room for possible collaboration in developing more uniform data protection regulations in Africa.
In addition, businesses should consult with regulatory experts to dispel all myths surrounding data protection, which could stiffen innovation while maximising profit and, at the same time, ensuring compliance with data protection laws. Another strategy is staff training in data protection to understand legal parameters clearly. Businesses can invest in educating their staff to navigate the complexities of data protection laws effectively. Businesses also need to understand local legislation comprehensively. This awareness is crucial for ensuring compliance and adapting strategies to align with specific legal frameworks in their operating regions.
Fostering an inter-African free flow of data for innovation
To foster an inter-African transfer of data, a multi-stakeholder approach is suggested. In addition to advocacy, there is a need for cooperation between the data protection authorities and the government. Advocacy will also involve citizens engaging a local government representative or any representative they can access. Companies' Chief Security Officers and Data Protection Officers are also advised to contribute to discussions on the subject.
Balancing the protection of privacy and access to data sharing for innovation
Data protection laws should be evaluated to determine the legal basis for processing and to understand how much can or cannot be done with data for the innovation phase. There should also be an understanding that data protection laws are not intended to prevent businesses from operating; rather, they are in place to ensure businesses operate responsibly. A commercial lawyer with a data protection focus could be engaged to help organisations balance their regulatory obligations with business requirements.
Reducing the cost of compliance while ensuring the protection of privacy
In the face of the rising cost of compliance, regulators need to consider taking a guidance approach towards helping organisations stay compliant. Regulators should consider implementing model privacy policies, model consent causes, training materials for staff, and other model documents or toolkits to aid compliance. This will cut the cost of compliance for a lot of businesses.
Expectations for 2024
This year, there is anticipation for a continued effort by various organisations to set their own rules around AI and other emerging technologies. There will be more AI regulations in the coming year as countries intend to adopt AI laws, guidelines and strategies. These rules may likely have similar content. However, achieving a unified AI standard in Africa may pose challenges due to the lack of harmonisation with data protection laws, even when the region could align them.
Addressing the harmonisation issues, the year may witness a more harmonised approach towards the regulation of data protection in Africa. The ratification of the Convention will prompt better alignment and collaboration in that regard. In addition, it is projected that the AU will develop and adopt a central regulation on AI and data protection. This might be aided by the data protection discussion during the African Continental Free Trade Area (AfCFTA).
Additionally, there may be a surge in cyber threats, with companies facing increased internal and external hacking risks from employees and external service providers. Regulators will become more proactive through preparedness and equipping themselves to handle such attacks efficiently.
Furthermore, more data protection regulations will be amended. There will be more engagement from a regional perspective, global trends affecting the African region market because of the trade inflows, and a rise in emerging technologies affecting the various sectors. Regulators will adopt a sectoral approach to data protection regulation, as seen in Kenya, and the trend may continue in other African countries.
Finally, the year may spark collaboration among data protection authorities through regional engagement. There will be more engagement from a regional perspective, global trends affecting the African region market because of the trade inflows, and a rise in emerging technologies affecting the various sectors.
Conclusion
The year is poised to be interesting for the data protection landscape, with new technologies sprouting and increased conversations about their regulation. With this trend, more countries are expected to adopt regulations that ensure data security and protection and designate supervisory authorities. There may be a significant shift in the approach to regulation by countries in the region, with preference given to unification and harmonisation.
The webinar featured industry experts, including Ridwaan Boda, Catherine Kariuki Mulika, Ilamosi Ekenimoh, and Maha Jouini, who shared their insights, drawing from their extensive experiences. Mercy King’ori, a policy analyst for Africa at the Future of Privacy Forum, moderated the conversation. You can watch a recording of the session here.