2023 in Review and 2024 Outlook: Data Protection and Privacy in Africa — by TripleOkLaw — Catherine Kariuki and Janet Othero

Now that we have just transitioned from 2023 to 2024, it’s imperative to reflect on a year that has been momentous for data protection and privacy in Africa. The past twelve months have not only shaped the legal and regulatory landscape but have also set the stage for critical developments in the coming year. For general counsel across the continent, understanding these shifts is more than a necessity. It’s a strategic imperative. To gain deeper insights into this evolving field, we held a round table discussion with the renowned experts at TripleOKlaw – Catherine Kariuki-Mulika, Janet Othero, and Sherry Bor. Each brings a wealth of knowledge and experience in data protection, telecommunications, media, technology (TMT), the African Continental Free Trade Area (AfCFTA), Payments, digital Policy and fintech sectors.

This article offers a comprehensive review of the significant milestones achieved in 2023 and a forward-looking analysis into what 2024 holds for data protection and privacy in Africa.

  • Could you provide a brief overview of 2023’s data protection landscape in Africa and share your perspective on the most significant developments. 

In 2023, we witnessed groundbreaking policy implementations, increased international representation, and a strengthening of legal frameworks. These developments have been instrumental in reshaping how data is protected and managed across African nations. As we look ahead, it becomes increasingly clear that the upcoming year will not only build upon these foundations but also introduce new challenges and opportunities. Our firm, with its deep expertise in data protection, TMT, AfCFTA, and fintech, has been instrumental in collaborating with Gc’s to guide businesses across Africa, through this evolving terrain. 

2023 was a definitive one for data protection in Africa, marked by several key developments;

  1. Implementation of the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), following Mauritania’s ratification in May 2023, was a significant stride towards a unified legal framework for data protection. The African Union’s (AU) initiative to realize a single digital market in Africa is poised to bring transformative benefits across various sectors, particularly in terms of regulatory compliance, cross-border trade, data transfer, and market integration.

Currently, if a business was to expand across Africa, they would have at least 36 different Data Protection Laws to comply with which implies dealing with 36 different regulatory authorities.  By establishing a uniform set of data protection standards and digital regulations, businesses operating across multiple African countries can expect a more predictable and cohesive regulatory environment. This uniformity reduces the complexity and cost of compliance, allowing companies to focus more on innovation and growth, while ensuring data protection and privacy standards are met consistently across the continent. 

The issue of siloed market approaches, which have long been a challenge in Africa due to varying national regulations and market conditions, would be a thing of the past. This integration would allow for greater scalability of digital solutions and services across the continent, encouraging innovation and competition, and providing consumers with a wider range of products and services. 

Further, with harmonized data protection laws, businesses can transfer data across African countries more efficiently, without the need to navigate a patchwork of different national regulations. 

  1. The African Union was admitted as a permanent member of the G20 (now G21) in September 2023. This has now opened new avenues for Africa to influence global digital economy policies. It not only enhances its role in the global digital economy but also significantly impacts the data protection and privacy sector. This strategic elevation offers numerous opportunities for Africa to shape international policies in a way that directly affects data protection and privacy standards both within the continent and globally. In a crucial era where dataflows transcend borders, a unified approach to data governance is important. We witnessed the effect of EUGDPR on African businesses, in 2016-2018, where they were all required to comply as long as they processed data of European residents. 

With its new position, the AU can push for the harmonization of data protection standards at a global level. This harmonization is vital for African countries that engage in cross-border data exchange with nations outside the continent. It allows for smoother international transactions, reduces the complexity of compliance for multinational corporations, and enhances consumer trust in digital and also protect data of African residents as a whole.

The AU now has a chance to champion data privacy in digital trade agreements, advocate for equitable digital privacy frameworks, and drive collaboration in cybersecurity. 

  1. The realization of key elements within ambitions of the 2022 AU Data Protection Policy Framework, particularly in the context of the AU’s admission to the G20 and the efforts by data protection authorities to strengthen the Network of African Data Protection Authorities (NADPA), marks significant progress in the realm of data protection and privacy in Africa.  In 2023, significant efforts were made by data protection authorities across Africa to strengthen this network. This is a good starting point aimed at initiatives for capacity building, sharing best practices, and harmonizing data protection laws across the continent. 
  2. The enactment of data protection laws in several African countries, including Nigeria’s Data Protection Act, significantly boosted the continent’s commitment to data privacy and security.
  3. Some Data Protection Authorities across Africa, notably South Africa, took bold steps in enforcing data protection laws and setting legal precedents. In July 2023, South Africa’s Information Regulator (IR) took a groundbreaking step by issuing an infringement notice accompanied by a substantial fine against a high-profile government entity. The Department of Justice and Constitutional Development (DoJ&CD) was fined ZAR 5 million (approximately USD 279,000) for violations of the Protection of Personal Information Act (POPIA). This action was particularly notable as it targeted a governmental department, demonstrating the IR’s commitment to impartial enforcement of data protection laws regardless of the stature of the entity involved.

This decisive move by the IR not only reinforced the principle that no organization, including government departments, is above the law when it comes to data protection, but it also sent a clear message about the seriousness of non-compliance with POPIA. The enforcement action was a reflection of the IR’s autonomy and its role as a robust custodian of personal information rights in South Africa. 

  1. Some Data Protection Authorities further displayed a heightened level of vigilance and independence in enforcing data protection laws by actively auditing companies and imposing penalties where necessary, thereby promoting a culture of compliance and accountability in data handling practices. The actions of these data protection authorities in 2023 were pivotal in shaping the data protection landscape in Africa. 

In Kenya, there was a landmark case that involved Worldcoin, a global cryptocurrency company regarding its operations in the country. Worldcoin’s initiative to create a unique global digital currency attracted attention due to its method of collecting biometric data, specifically iris scans, from individuals as part of its user onboarding process.

Despite being registered, as a data controller, with the Kenya Data Protection Authority (ODPC), there was public outcry which forced ODPC to take a keen interest in this matter, considering the sensitive nature of the biometric data being collected. Concerns were raised about the implications for privacy and the potential risks of such data collection, especially considering the vast amounts of personal information that Worldcoin aimed to gather.

In response to these concerns, the ODPC launched an investigation into Worldcoin’s activities. The authority scrutinized the company’s compliance with the Data Protection Act of Kenya, focusing on key areas such as the consent mechanism used for data collection, the purpose of data collection, data storage, and security measures, as well as the rights afforded to the individuals whose data was being collected.

The case highlighted the challenges and complexities involved in regulating emerging technologies that utilize personal data in novel ways. It is a prime example of how data protection authorities in Africa are increasingly playing an active role in overseeing new technology deployments, especially those involving sensitive personal data. 

  • What trends did you expect to see that did not materialize?

Despite the progress, some anticipated trends in data protection did not fully materialize in 2023;

  1. The standardization of data sharing protocols across Africa did not progress as expected, impacting the development of a cohesive digital economy.
  2. The Network of African Data Protection Authorities did not achieve the envisioned level of operational synergy and cooperation.
  3. Government accountability in data protection, save for countries like South Africa, did not see the robust increase expected. We expected to also see courts contribute in this. Earlier in 2022, we had seen a landmark case in Kenya where the role of the judiciary in holding governments accountable was notably exemplified in the Huduma Namba case. This case serves as a landmark in the context of government accountability and the protection of privacy and personal data. The High Court of Kenya delivered a significant ruling regarding the Huduma Namba system, a national biometric identity project initiated by the Kenyan government. The project aimed to create a central database of personal and biometric data for all citizens and residents to streamline public service delivery. However, it raised substantial concerns regarding data privacy, security, and the potential for misuse of personal information.

Civil society organizations and privacy advocates challenged the implementation of the Huduma Namba, arguing that it violated constitutional rights to privacy and did not comply with data protection standards. The High Court’s ruling in this case was groundbreaking. The court acknowledged the potential benefits of such a system in improving government services but emphasized the paramount importance of safeguarding personal data.

The court mandated that the government ensure full compliance with the Data Protection Act and put in place adequate data security measures before full implementation of the Huduma Namba system. This included conducting a comprehensive data protection impact assessment, establishing clear data handling and access protocols, and ensuring transparent oversight mechanisms.

  1. The comprehensive implementation of the recommendations in the AU Data Protection Framework was slower than anticipated. 
  2. The integration of emerging technologies like AI and IoT into data protection strategies was not as prominent as hoped.
  3. A significant number of businesses across Africa still did not fully integrate data protection and privacy into their core strategic planning, despite the increasing importance and legal requirements surrounding these areas. This oversight or delay in prioritizing data privacy and protection represents a crucial gap in the contemporary business environment, especially considering the evolving legal landscape and the heightened awareness among consumers regarding their data rights.
  • Which African data protection authority stood out?

2023 saw commendable efforts by various Data Protection Authorities (DPAs) across Africa:

  1. South Africa’s Information Regulator effectively advanced the Protection of Personal Information Act (POPIA), demonstrating a proactive and impactful approach in making the government accountable for data protection and privacy. 
  2. Kenya’s Data Protection Authority made significant strides in establishing a comprehensive data protection framework. This advancement was a multi-faceted endeavor, encompassing widespread awareness campaigns, stakeholder workshops, the release of sector-specific guidelines, rigorous audits, and the enforcement of penalties where necessary.
  3. Ghana’s Data Protection Commission was noteworthy for its public and private sector education efforts on data protection responsibilities.
  4. The collaborative efforts in harmonizing data protection laws under the African Union by implementing the recommendations of the AU Data Protection framework was key in steps taken towards creating a unified data protection regime. 
  • What are the potential breakthroughs in technology or policy that could significantly impact data protection and how will these impact regulatory changes?

The interplay between emerging technologies and policy developments presents both challenges and opportunities.

  1. The enactment of the Malabo Convention is set to be a game-changer, encouraging member states to harmonize their laws or operate under one agreed on framework.
  2. Following admission to G20, mirroring entities like the European Union and the United Kingdom, the AU can now negotiate trade agreements and international deals as a unified bloc, potentially securing more advantageous terms for its member states. This collective bargaining power positions the AU to better advocate for the interests of African nations in the global arena, particularly in sectors influenced by digital transformation. Such unity in negotiation can lead to more favorable trade deals, increased foreign investment, and enhanced cooperation in areas like technology transfer and digital infrastructure development.
  3. Deepfakes and AI are pushing the boundaries of intellectual property and privacy rights, necessitating legal adaptations.
  4. Blockchain and cryptocurrency are redefining data ownership and regulatory oversight, requiring innovative legal frameworks. In Kenya, this dynamic was underscored by the introduction of the Capital Markets Amendment Bill 2023, which marked a significant step toward the formal recognition, regulation and taxation of cryptocurrencies. This reflects a growing trend towards the recognition and regulation of digital assets, calling for innovative legal responses to the unique challenges presented by these technologies.  
  5. The burgeoning use of AI in sectors like healthcare and agriculture across the continent underscored the urgent need for effective data governance to balance technological benefits with privacy risks, necessitating tailored research, collaborative approaches, and robust regulatory frameworks.
  • What are your predictions for the data protection landscape in 2024?

Looking ahead to 2024, several trends are expected to shape the data protection landscape in Africa;

  1. The AU’s evolving role will likely drive stronger, harmonized data protection regimes across the continent.
  2. The AU Data Protection Framework’s implementation will be crucial in fostering a secure digital environment and encouraging digital innovation.
  3. Emerging technologies will continue to redefine data protection, challenging regulators to adapt frameworks to new realities.
  4. Regulators will need to balance innovation with robust data protection, understanding the implications of new technologies and adapting regulations proactively.

How can businesses and stakeholders effectively prepare for these evolving changes?

  • Influence policy in their government

Businesses and stakeholders should actively participate in policy discussions and legislative processes within their countries. This can be achieved by engaging in dialogue with policymakers, providing expert insights, and offering constructive feedback on proposed laws and regulations. By influencing policy, businesses can help shape a favorable regulatory environment that supports both innovation and data protection.

  • Understand and advocate for AfCFTA implementation

To leverage the benefits of AfCFTA, businesses need to understand its implications, particularly regarding digital trade and cross-border data flow. They should advocate for policies that facilitate seamless trade under AfCFTA, ensuring that data protection regulations are harmonized across member states. This advocacy can help in reducing trade barriers and promoting a unified African market.

  • Make data protection and emerging technologies key strategy pillars

Data protection and the adoption of emerging technologies should be integral to business strategies. This means investing in state-of-the-art data security measures, adopting advanced technologies like AI and blockchain responsibly, and ensuring that these technologies comply with data protection laws. Businesses should view data protection not just as a compliance requirement but as a competitive advantage that grows business.

  • Engage in collaborative initiatives

Collaborate with industry associations, regulators, trade groups, and other stakeholders to create unified positions on key issues like data protection, privacy, and digital trade. Such collaborations can lead to more effective advocacy efforts and the development of industry standards.

  • Build internal expertise

Develop internal expertise on data protection laws, AfCFTA regulations, and emerging technologies. This could involve training staff, hiring experts like trained DPO’s, having experts in board position, or creating dedicated teams focused on these areas.

  • Monitor and adapt to technological advancements

Stay abreast of technological advancements and assess their impact on business operations and compliance obligations. This proactive approach enables businesses to leverage new technologies effectively while mitigating associated risks.

www.tripleoklaw.com

More Posts