In 2017, I moved from Silicon Valley back to my home country of Kenya in East Africa. In 2018, I hosted Nairobi’s first ever IAPP event — a Privacy After Hours session on Data Privacy Day. And, years after my November 2015 formative reflection on trans-Atlantic privacy, A Newbie’s Safe Harbor Odyssey, I am struck by my experiences in Africa. The continent is an oxymoron of leapfrogging technological advancements and a frontier in privacy-related regulatory developments. It is, nonetheless, clear that companies and organizations should pay more attention to Africa lest they get swept away by unforeseen regulations. Data protection authorities have long been enforcing privacy laws and are set to strengthen the trend, including through the Network of African Data Protection Authorities.
Africa has areas with more than 80% mobile phone penetration that have seen leapfrogging technologies take root, particularly telecommunications and mobile money, and more recently, financial technology and artificial intelligence. Kenya is perhaps the premier exemplar of innovation, easily demonstrated by the widely popular mobile money application MPESA, which has set a global standard for including unbanked masses in a formal financial system. But many parts of the continent have less than 50% mobile phone penetration and minuscule internet access, resulting in stunted innovative growth. Not to mention civil and political instability, which precludes the possibility of technological developments, even as basic necessities such as food, water and shelter continue to be scarce in various parts of the continent.
From my perch in Kenya, coined “Silicon Savannah” by then-Google Chairman Eric Schmidt, it is clear Africa is experiencing growing pains in protecting the right to privacy even as it takes important steps forward. As it stands, nearly two-thirds of the 55-country continent has a data protection law in the books — making Africa the largest jurisdiction of privacy law in the world. At the same time, the 55-nation African Union Convention on Cybersecurity and Personal Data Protection 2014, also known as the Malabo Convention, is yet to come into force because less than 15 member countries have ratified the Convention. Presently, Angola, Congo, Ghana, Guinea, Mauritius, Mozambique, Namibia, Rwanda, Senegal and Zambia have ratified the Convention, and in July 2021, the Togolese Parliament gave its approval for the Togolese government to ratify the Malabo Convention.
At the African Union level, deliberations on regulating data protection (along with cybersecurity, cybercrime and electronic transactions) began in the 1990s and were formally initiated in 2009 at the Extra-Ordinary Conference of African Union Ministers in charge of Communication and Information Technologies held in South Africa. This led to the Convention on Cybersecurity and Personal Data Protection 2014 being adopted by the Heads of State and Government in Malabo, Equatorial Guinea — hence the Malabo Convention. Pursuant to the African Union Digital Transformation Strategy 2020-2030, the Malabo Convention was supposed to enter into force by 2020. But with COVID-19 and other hindrances, efforts to get the Convention to enter into force did not meet the 2020 deadline. The new timeline for the Malabo Convention is 2023.
The slow pace in adopting the Malabo Convention can be traced to the lack of political will among member states, most of whom have developed their own national regulations and standards and see no use for an additional legal instrument. Moreover, the Malabo Convention had insufficient marketing and publicity, which precluded universal acceptance. However, the African Union recognized the need to build momentum two years post the deadline for adoption and asked me to revamp the Malabo Convention — taking into account recent national, regional and global developments and the present and future African circumstances. The effort was underwritten by the African Union Department of Infrastructure and Energy and entailed line-by-line evaluation of the Convention. It is clear there is forward momentum for the Malabo Convention to meet the 2023 deadline for adoption.
The changes to the Malabo Convention that I initiated and later approved by the African Union Management were categorized into: primary or review 1.0 and secondary or review 2.0. Review 1.0 was concerned with basic housekeeping matters like instituting coherence in definitions and aligning the various articles and provisions. For example, some definitions were incomplete or simply wrong. In contrast, others existed but were not referenced in the Convention, and others failed to account for the letter and spirit of the Convention. Review 2.0 dealt with equally weighty matters that sought to bridge gaps such as relating to, among others, the right to access, risk-based approaches to compliance and enforcement, children’s privacy, educational and student privacy, the establishment of a Council of National Data Protection Authorities, Privacy Impact Assessment and Privacy by Design.
Africa has been making steady strides since 2001, when Cape Verde became the first country to enact a data protection regulation that mirrored the Council of Europe’s Convention 108 and the EU General Data Protection Regulation predecessor, the EU Data Directive. The most recent countries to enact a data protection law include Rwanda, Zambia and Zimbabwe.
In 2022, it is expected that approximately 13 countries will enact new legislation or amend existing laws and guidance. Should these developments take place, 41 out of 55 countries in Africa will have a privacy law. If data is the new oil, Africa is abundant as the last frontier, given that user adoption for technology has flattened in the U.S. and EU. As a result, the focus will shift to looking at how enforcement shapes up. The Network of African Data Protection Authorities has already embedded joint enforcement initiatives, including recently signing a memorandum of understanding with Smart Africa, an organization of more than 32 African countries.