Africa’s growing digital economy is churning out tonnes of data daily. This has spawned challenges in managing the data while securing privacy rights. The huge amounts of data are both a landmine and goldmine for the continent’s economy.
Many African nations lack comprehensive data safety and privacy laws, and where they exist, implementation leaves a lot to be desired. Therefore, there are legitimate concerns about how the privacy of consumers will be protected in such a vulnerable environment as economies increasingly become digital.
With the continent still seeking to find its digital footing, it is quite understandable why the regulatory environment is at the formative stage.
The hurdle faced by many countries is how to strike the correct balance between requisite regulations that protect citizens’ privacy and safeguard online freedoms, while enabling States to take necessary measures to wage war on cybercrime and other online malpractices
This challenge, experts say, will always exist in Africa so long as the wheels of policymaking and regulations will keep driving behind technological innovations.
“Africa has always been lagging when it comes to innovating around, and addressing, privacy issues,” notes Arthur Gwagwa, a senior research fellow with the Center for Intellectual Property and Information Technology (CIPIT) at the Nairobi-based Strathmore University.
The situation is bound to get more onerous with the continent witnessing rapid expansion in internet adoption, rising smartphone uptake, and progressively robust innovation environment.
Internet is particularly promising to be a major force for transformation socially and economically. Internet penetration in Africa is the fastest globally, with the people connected rising from a paltry 2.1 percent in 2005 to 24.4 percent in 2018. This is according to the International Telecommunication Union (ITU), a UN agency.
While these trends are a good reason for Africa’s optimism in technological sphere, little preparedness and subdued progress in dealing with personal data breaches by social media networks, spying by rogue regimes, rising threats of cybercrime and flood of fake news are casting a pall over digital advancements.
What’s worrying is that despite the existence of huge gaping holes on the continent’s general privacy regulatory environment, there seems to be no urgency to seal them. As it stands, only 23 out of 55 African nations have passed or drafted personal privacy laws, and just nine of them have instituted data protection authorities, says Ephraim Kenyanito, a lawyer and digital expert.
“Africa is really vulnerable to data breaches, and the lack of robust laws could have devastating implications,” Mr Kenyanito says.
There is also the question of multinational telcos giving African citizens fewer rights than they do elsewhere. The firms collect huge amounts of data from African consumers and how they use them remains a grey area.
Governments have also been digitising various processes and services, leading to collection of large amounts of data. Yet they are no guarantees that the data is being used exclusively for the intended purposes.
Take Kenya for instance. Before the 2017 elections, the country introduced biometric registration system in a bid to deliver credible poll results. However, it emerged that there were no proper mechanisms to protect the data captured in the voter register. Some of these data is said to have been sold to the highest bidder under the Access to Information (ATI) law.
The sale of the election data saw voters get unsolicited short message texts (SMS) from politicians through their mobile phones. The SMS contained name, and polling station of a voter. Yet Kenyans were never consulted on the move to allow third parties access such private data.
Such breaches exemplify the level to which privacy can be violated through unauthorised access to personal data, while underlining the need to institute far-reaching regulatory and legal protection.
Besides enacting new watertight laws, Mr Kenyanito says proactive efforts ought to be made to create awareness among consumers on the existing legislation and their rights. When consumers are kept well informed on the scope of their rights, he notes, they are able to question government and company actions regarding their privacy.
Another incident of blatant violation of privacy in Kenya was when data mining company Cambridge Analytica harvested millions of Facebook profiles in relation to the 2017 elections. This brought to the fore the pressing need to act with a sense of urgency in protecting citizens’ online rights.
While the continent has a long road to travel before overcoming these set of challenges, it is encouraging that it has set off on the journey. Some African nations have taken the initiative to design a data protection framework whose objective is to harmonise and centralise data protection laws while coming up with strategies to bolster e-commerce across Africa.
The framework is being piloted by five countries before being expanded to all African countries. The countries are Rwanda, Senegal, Mauritius, Namibia and Guinea.
The initiative was born out of the Africa Union Convention on Cyber Security and Personal Data Protection, also referred to as the Malabo Convention for Cyber Security and Data Protection.
Adopted on June 27, 2014, the Malabo Convention underlines protection of privacy rights by tightening existing laws.
It focuses on personal privacy, digital privacy, customer protection and intellectual property. Ultimately, the convention aims to foster a seamless transfer of data among all African nations by harmonising respective regulatory environments. This is contrary to the current situation where such transfers are subjected to labyrinthine processes as each country has its own regulations.
As the momentum for free trade area in Africa picks up, global best practices in management of private data will assume even a more important dimension in the region. Increasing e-commerce means generation of tonnes of data.
And in order for such a large market to be efficiently regulated, forging a common ground in implementations of cyber security and data protection regulations across the continent will be paramount. The best way to do that, experts say, would be to adopt the Malabo Convention which has set out comprehensive guidelines to make privacy protection in Africa.
Nigeria’s National Information Technology Development Agency (NITDA) states that the push for a joint cross border data transfer policy for Africa is timely as it will make the continent more attractive to multinationals who prize clear data guidelines in investment destinations.
Economic analysts say with its 1.3 billion population, Africa has a stronger voice when it acts in one accord on issues such as trade and technology, as it inspires more confidence in its business environment.
This is because a single data privacy standard for Africa makes it predictable to companies keen on the security of their data. Thus, promoting best practices and cooperation on data across borders will be key to boosting the continent’s economies.
With such promising prospects, Africa ought to be moving with speed to ratify the Malabo Convention. Apparently, this does not seem to be the case. By January 2020 only 14 of the 55 AU member states had signed the convention while just seven had ratified it. The convention is therefore yet to take effect as a minimum of 15-member states are required to ratify it.
Some countries have made attempts to pass laws on data privacy and cyber security. However, these laws are not comprehensive and their implementation leaves a lot to be desired. In some cases, they are used for selfish political ends rather than to protect the rights of citizens.
Despotic regimes deploy the Internet as a propaganda outlet, a spy tool and an instrument to muzzle dissenting views. Cases of complete shutdowns of social media sites, messaging apps, or the entire Internet are common. In 2018, there were 21 partial or total Internet shutdowns, an increase from 13 in 2017 and four in 2016.
How can the continent overcome these challenges?
The AU needs to be more aggressive in urging member states to sign up to the Malabo Convention. It needs also to work with players drawn from different fields- businesses, governments, the civil society, among others – in order to fast-track a more robust and holistic regulations.
Aside from engaging local players, the need to hold talks with international players is crucial because technology is borderless and requires international global coordination. There is also need for policymakers to keep abreast with latest advances in technology, while working to ensure that regulations do not stifle innovation.
It is, however, not all doom and gloom in Africa regarding data management. Countries such as South Africa, Kenya, Nigeria and Mauritius are already setting the pace.
Mauritius has made admirable strides in rolling out a comprehensive cyber strategy complete with forward-looking laws.
It was the first country in Africa to sign the Budapest Convention on Cybercrime in 2014, and the second non-European state to ratify Europe’s Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. It has also signed up to the AU Convention on Cybersecurity and Personal Data Protection in 2018.
Mauritius, ranked among the top three in Africa in the 2018 ITU Global Security Index, has a lot to teach other States regarding data privacy and protection laws as well as design of a national cyber policy.
Ghana is also doing quite well having enacted a data law that protects people’s personal information and privacy. The country came up with the Data Protection Act, 2012 (Act 843) to protect citizens’ privacy.
South Africa’s own Protection of Personal Information Act, or POPI Act, is also progressive in many respects, and in fact mirrors the rules enshrined in Europe’s GDPR.
Kenya is also making admirable advances in protecting the privacy rights of its people. The laws passed last year have also borrowed from international best practices, particularly the GDPR. The Data Protection Act 2019 brings about comprehensive laws on personal information.
It establishes the Office of Data Protection Commissioner, makes more transparent the processing of personal data, safeguards the rights of data subjects while unequivocally spelling out obligations of data controllers and processors.
Other countries would thus do well to take the cue from Kenya, Ghana, Mauritius and South Africa by enacting domestic laws that respect the privacy of citizens while spurring digital adoption and innovation.
Africa does not have to reinvent the wheel. Europe has set the pace in data laws and regulations. The General Data Protection Regulation (GDPR), are fundamentally changing how technology companies store, process and use personal information. Data subjects or consumers of digital services have been substantially empowered regarding how companies and governments can use their data.
And the GDPR are not just an important benchmark for African countries in coming up with their own laws. Understanding the European data laws is also key because they will have a huge bearing on companies operating on the continent.
The GDPR laws apply to all companies processing and holding the personal data of people residing in the European Union, regardless of the company’s location. This includes any organisation on the African continent that conducts business with European companies or deals with EU data subjects