According to a report by Positive Technologies, the number of successful cyberattacks globally has more than doubled in the past five (5) years. In the second quarter of 2023, Africa as a continent experienced the highest average number of cyberattacks per organisation per week. There was a staggering 23% increase compared to the same period in 2022. Between 2022 and the first half of 2023, financial institutions (18%), telecommunication companies (13%), government agencies (12%), and organisations in the trade (12%) and industrial (10%) sectors were the most targeted sectors. According to another report by AAG, Nigeria experienced a 1616% increase in data breaches, from 35,472 in Q2 2022 to 608,765 in Q3 2022.

This alarming rise in cyber-attacks has more than ever brought to the centre stage the importance of African countries having robust data protection laws and effectively implementing these laws. In developing data protection laws, many African countries have been influenced mainly by the laws of western democracies. This article explores the current African data protection landscape, its relationship with foreign data protection frameworks, and how African countries can create data protection laws that are "Made in Africa, for Africa" and facilitate the continent’s participation in the global digital economy.

The African Data Protection Landscape

39 out of 55 African countries have enacted data protection laws, and five countries have draft bills, leaving 11 countries without data protection laws. 

However, foreign laws have influenced data protection laws in Africa. Many older data protection laws in Africa (pre-2016) were influenced by the Convention for the Protection of Individuals concerning Automatic Processing of Personal Data (“Convention 108”), now replaced by Convention 108+. Cape Verde (2018), Mauritius (2016), Morocco (2019), Senegal (2016) and Tunisia (2017) have all ratified the convention. Although Burkina Faso’s application to accede to Convention 108 was accepted in 2017, the convention has yet to be ratified. Gabon is also an observing member of the Consultative Committee of Convention 108. On the regional level, the African Union’s Convention on Cyber Security and Personal Data Protection (“Malabo Convention”), the ECOWAS Supplementary Act on Personal Data Protection and the SADC Model Law on Data Protection were also substantially influenced by Convention 108 and the Data Protection Directive (Directive 95/46/EC) of the European Union (the “EU Directive”). 

Following the introduction of the EU General Data Protection Regulation (“GDPR”), a new wave of data protection laws emerged in Africa. These newer laws (post-2016) (e.g., Nigeria (2023), Kenya (2019), Congo (2019), Rwanda (2021), Mauritius (2017), Egypt (2022), Botswana (2018), and even Morocco drew inspiration from the GDPR's framework, which was considered the most robust data protection legislation at the time.

Drawing Inspiration from Existing Data Protection Frameworks

It is essential to point out that this article does not advocate for a complete rejection of pre-existing data protection frameworks.  Here are several compelling arguments in support of adopting and adapting these foreign laws:

(a) Re-inventing the Wheel:

In developing data protection laws, African countries can draw lessons from jurisdictions like the EU, which has decades of experience in this area. The EU data protection frameworks have undergone revision and refinement, and various lessons have been learned during implementation. African countries can draw inspiration from other jurisdictions and leverage the accumulated wealth of knowledge and experience instead of reinventing the wheel. 

(b) Global Alignment:

Another benefit of adopting the data protection framework from other jurisdictions is alignment with international best practices and global standards. Such an alignment would substantially simplify the compliance process for foreign businesses in Africa. These foreign investors can quickly adopt similar processes as their home base, substantially reducing legal uncertainty and transaction costs that would have otherwise arisen from navigating compliance in a jurisdiction with disparate regulatory regimes. 

(c) Learning from the Experience of Others:

By studying the development process of laws like the GDPR, their impact, and challenges with implementation and enforcement, African policymakers can identify the best method for developing a homegrown regulation, anticipate potential pitfalls from the experience of others, and tailor the implementation of existing laws to suit local contexts.

Challenges of Direct Adoption in Developing Countries

Although these external influences have played a significant role in developing Africa’s data protection jurisprudence, it is essential that the adoption methodology is not a direct transplant from one jurisdiction into another without considering local contexts and realities. Data protection laws should be culturally relevant and address the unique challenges of the market they are enacted to regulate. In drafting or implementing data protection laws, policy and lawmakers must take the following into consideration:

(a) Socioeconomic and Technological Disparities

Concerning social, economic, technological, and infrastructural development, Africa is still decades, if not centuries, away from the European countries whose laws and policies have greatly influenced the African data protection landscape. A data protection law designed for technologically advanced economies might be difficult or impossible to implement in countries with limited resources. 

To put this in context, let us examine the lawful basis of consent, which is a cornerstone of data protection worldwide. For consent to be deemed valid, it must be freely given, informed, specific and unambiguous. The qualification” of “informed” consent requires that data subjects must understand how their data will be processed before they give their consent for consent to be valid. , the law requires data controllers to provide privacy notices at every data collection point to fulfil this requirement. So we find that this notice is placed on the official website or the mobile applications, and in the context of CCTV cameras, a “CCTV in use on-premises” is the more common mode of notification. Such notices are typically presented in the country's official language (English, French, Portuguese, Arabic, etc.), which less literate data subjects may not understand, thus rendering the consent given by such subjects questionable. Some have advocated translating these notices to other local languages to manage this challenge. However, this approach may not be sufficient to eradicate the problem because reading, unlike speaking, is a learned skill taught in a formal or informal educational setting. Many speakers of these native languages may be unable to read.  This challenge renders translated notices functionally redundant and defeats the very purpose of their publication. To address this, local regulators should consider requiring data controllers to adopt visual aids, icons and symbols, short video explainers in regional languages, or audio recordings for their privacy notices. 

With respect to technological disparity, the use of the internet and the percentage of internet penetration in Africa also raises some concerns. As of 2022, about 43% of the African population had internet access, below the global average of 68.6%. A data protection law designed for populations with high internet penetration might not be relevant for a population of predominantly offline people.

(b) Limited Institutional Capacity for Enforcement

The EU data protection framework, which is the most significant influence on African data protection laws, is backed by the immense economic and political impact of the European Union, which African countries do not possess. Therefore, a direct transplant of its provisions without enforcement capabilities to back these provisions up renders them without effect. An excellent example of this is the extraterritorial application of these laws, which can be found in the data protection acts of Nigeria and Kenya. These provisions imply that data controllers that offer goods or services to data subjects in these countries or process citizens' data will fall under the scope of the data protection laws, regardless of their base of operation. 

While the goal is to ensure optimal protection for personal data, it is difficult to see how data protection authorities (“DPAs”) will enforce these laws beyond their borders. Instead of focusing on extraterritorial enforcement, African countries should be realistic about their capacity and influence. They must consider prioritising the development of local enforcement capabilities before seeking to enforce beyond their borders and, subsequently, explore partnerships with sister DPAs to implement within the continent.

(c) Balancing Data Protection with Economic Development Goals

African countries must strike the right balance between data protection and economic growth.  While ensuring the highest possible level of safeguards for data subjects and personal data is vital, those safeguards must be relaxed enough for organisations to comply and do business effectively and profitably. Laws should be designed to protect personal data while encouraging a robust and conducive ecosystem for business growth. An excellent example of navigating this balance between protection and economic development is the cross-border data transfer process. One of the key concepts in international data transfer is the concept of "adequacy", popularised by the GDPR and its predecessors.  This principle allows for the free flow of personal data between the EU and third countries deemed to have data protection laws that offer equivalent levels of protection as the GDPR. Like other provisions of the GDPR, the adequacy basis for transfer has been adopted in African countries, including Botswana, Kenya, Nigeria and South Africa. The direct transplant of the adequacy principle raises some issues. These African countries have not only adopted the concept of adequacy but also the determination criteria and procedures which were designed specifically for the EU market. A key sign that a blanket adoption of this system/process may not fit the African market is that no African country has received an EU adequacy decision.

Relatedly, the adequacy determination process is complex and requires in-depth knowledge of data protection and substantial technical expertise. These African countries may need more resources to replicate the same process. So, instead of issuing separate adequacy decisions to simplify the process, some countries have adopted the adequacy list/safelist approach, where the national DPA issues a list of countries with perceived adequate data protection laws. Unfortunately, this approach has had its flaws. 

One extreme is Nigeria, which deems countries with no domestic data protection laws, like Guinea-Bissau, Sierra Leone, and Togo, as having adequate data protection laws. On another extreme is Botswana, whose adequacy list can be described as pro-European. It lists all 27 EU states first, with only two African countries (South Africa and Kenya) on the list out of 45 countries. This further lends credence to the argument above that an adequacy determination system designed for the EU may not suit the African landscape.  

This is not to say that Africa should become a haven for questionable data practices. However, directly transplanting European ideals and principles for cross-border transfer is not the solution. The focus should shift to a risk-based system where the appropriate data transfer mechanism should be determined based on the sensitivity of the personal data involved, as well as the recipient's data processing practices, rather than the adequacy of the national laws of the recipient country. Notably, countries like Mauritius and Rwanda have abandoned the adequacy requirement, albeit with concerns about their adopted transfer mechanisms.

The Way Forward

(a) The Role of Data Protection Authorities

DPAs are crucial in the developmental phase of Africa's data protection jurisprudence. The continent needs solid and independent DPAs to shape its data protection landscape. To build strong DPAs, these authorities require sufficient funding, trained personnel, technical expertise, and political support. The need to form regional alliances among DPAs cannot be overemphasised. They need to collaborate across Africa and with their international counterparts to share best practices and address cross-border data protection and extraterritorial enforcement challenges. 

(b) Prioritising Training and Capacity Development

There is also the need to bridge the knowledge gap for all stakeholders in the ecosystem. African countries should focus on building expertise and developing capacity by training data controllers and processors on good data processing practices and compliance obligations under the law. Educating citizens about their data protection rights, managing their online privacy, and identifying and reporting data protection violations is also necessary.

(c) Building on Existing Legal Frameworks

Another strategy countries could adopt is leveraging existing legal frameworks, e.g., cybersecurity, consumer protection, and freedom of information laws, which have been successfully implemented and enforced. Adopting previously utilised implementation strategies will facilitate the development of data protection frameworks in Africa on a familiar foundation, preventing duplication of efforts and maximising the use of limited resources. 

(d) Regional Harmonization Integration

It is clear from examining the EU's approach to data protection that a harmonised regional approach to data protection is critical to advancing data protection in Africa. The Malabo Convention, like the ECOWAS Supplementary Act in West Africa and the SADC Model law, was envisioned as such an instrument, embodying the spirit of Pan-Africanism. However, its non-binding nature and slow adoption—taking nine years for deposit by 15 countries (2014-2023)—highlight challenges in its reception across the continent.  This Pan-Africanism goal is also one of the mandates of the Network of African Data Protection Authorities (NADPA – RADPD), established in Burkina Faso in 2016. Hopefully, we will see some progress on this front soon. With respect to individual countries, Nigeria has taken a rather pan-African approach by designating all signatories to the Malabo Convention as having adequate data protection laws, an interesting position given that Nigeria is not a signatory to the Malabo Convention. In contrast, Botswana has adopted a pro-European stance, favouring primarily European countries as having 'adequate' data protection regimes over African states, as discussed above. 

For data protection laws in Africa to be effective, they must consider the specific context within which they will be implemented. Simply transplanting laws and policies from developed markets without adapting to local realities is unlikely to achieve the same or similar success as they did in their countries of origin. African countries should avoid adopting Western models holistically to attain global competitiveness.  That said, data protection laws in Africa should be similar to internationally accepted norms and standards that Africa becomes isolated. The key lies in balancing global best practices and local realities. Fundamental tenets like fair information principles, similar across jurisdictions, data subject rights transparency and accountability in data processing should remain consistent with international standards. On the other hand, implementation mechanisms and enforcement systems must be tailored to the specific needs and resources of the target markets.

References

Abdulrauf Lukman, “African Approach(es) to Data Protection Law”, African Data Protection Laws: Regulation, Policy, and Practice, p. 31-53 (2024) [https://www.degruyter.com/document/doi/10.1515/9783110797909/pdf?licenseType=open-access] 

African Union Convention on Cybersecurity and Personal Data Protection, [https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf]

Boshe/Hennemann/von Meding, Global Privacy Law Rev. 2022, 56-88

Botswana Transfer of Personal Data Order 2022 [https://www.michalsons.com/wp-content/uploads/2022/10/Botswana-Transfer-of-Personal-Data-Order-2022.pdf]

Charles Griffiths, “The Latest 2024 Cyber Crime Statistics” (updated May 2024) [https://aag-it.com/the-latest-cyber-crime-statistics/]

Data Guidance, “Africa” [https://www.dataguidance.com/jurisdiction/africa] 

Data Guidance, “Ethiopia: Parliament approves Personal Data Protection Bill”, (2014) [https://www.dataguidance.com/news/ethiopia-parliament-approves-personal-data-protection] 

Internet World Stats, “Internet Users Statistics for Africa (Africa Internet Usage, 2023 Population Stats and Facebook Subscribers)” (2023) [https://www.internetworldstats.com/stats1.htm]

Interpol, “African Cyberthreat Assessment Report Cyberthreat Trends Outlook” (2023) [https://www.interpol.int/content/download/19174/file/2023_03%20CYBER_African%20Cyberthreat%20Assessment%20Report%202022_EN.pdf ]

Kenyan Data Protection Act 2019 [https://www.kentrade.go.ke/wp-content/uploads/2022/09/Data-Protection-Act-1.pdf] 

Kenya Data Protection Regulations 2021 [https://www.odpc.go.ke/regulations/data-protection-general-regulations-2021/] 

Lawyers Hub, “Africa Privacy Report 2023/2024: A Review of Policy Trends and Digital Frontiers in Africa’s Data Protection Landscape” (2023) [https://www.lawyershub.org/Digital%20Resources/Africa%20Privacy%20Report%202023-24/Africa%20Privacy%20Report%202023-2024.pdf]

Malabo Convention Status List [https://au.int/sites/default/files/treaties/29560-sl-AFRICAN_UNION_CONVENTION_ON_CYBER_SECURITY_AND_PERSONAL_DATA_PROTECTION_0.pdf] 

Mauritian Data Protection Act 2017 [https://dataprotection.govmu.org/Documents/DPA_2017_updated.pdf?csf=1&e=0rlrff] 

Nigeria Data Protection Regulation Implementation Framework [https://nitda.gov.ng/wp-content/uploads/2021/01/NDPR-Implementation-Framework.pdf] 

Nigeria Data Protection Act [https://ndpc.gov.ng/Files/Nigeria_Data_Protection_Act_2023.pdf] 

Positive Technologies “Cybersecurity threats scape of African countries 2022–2023”, (2023) [https://www.ptsecurity.com/ww-en/analytics/africa-cybersecurity-threatscape-2022-2023/#:~:text=Social%20engineering%20attacks%20are%20one,main%20threats%20in%20the%20region.] 

Rwanda Law No 058/2021 of 13/10/2021 relating to the protection of personal data and privacy [https://www.risa.gov.rw/index.php?eID=dumpFile&t=f&f=65369&token=15e7fad700949646dd7c1faae89f9663048f4f92]

Victoria Oloni, “Cross-Border Data Flows: Oiling the Wheel of the African Digital Economy” African Data Protection Laws: Regulation, Policy, and Practice [https://www.degruyter.com/document/doi/10.1515/9783110797909/pdf?licenseType=open-access ]