The increased integration of artificial intelligence into various sectors has brought data protection issues requiring careful oversight to the forefront.
Concerns include the extensive collection and processing of personal data without an appropriate lawful basis, AI's capacity to analyze and infer sensitive information from data, the perpetuation of biases, the use of AI in surveillance and facial recognition technologies that can misidentify people, and unauthorized monitoring, all of which pose significant risks to anonymity and freedom.
The opaque nature of AI algorithms also introduces challenges in ensuring transparency and accountability in data processing, leaving individuals in the dark about how their data is processed and how decisions that affect them are made.
DPAs' role in AI regulation
Data protection authorities are pivotal in regulating AI, primarily overseeing personal data processing and safeguarding data subjects' rights.
So far, 39 African countries have enacted data protection laws, while 33 have established or designated an authority to enforce the law. Two key safeguards under the laws include the principle of fairness — which ensures data subjects are protected from risks, harms and biases — and the right not to be subjected to decisions made solely through automated processing that could significantly impact the data subject.
Among the 39 African countries with data protection laws, 35 recognize the right not to be subject to automated decision-making and 32 specify fairness as a principle of data processing.
DPAs are positioning themselves as key stakeholders in AI regulation. Their interventions have focused largely on conducting studies, issuing guidelines, announcing plans to regulate AI in the context of data protection and, in extreme cases, placing moratoriums on technologies like facial recognition.
This reflects a keen awareness of the challenges and opportunities presented by emerging technologies and a commitment to regulating them.
These interventions have manifested through enforcement, guidance, public engagements and discourse, and more.
Enforcement of existing data protection law to address AI risk
Some of Africa's DPAs have taken proactive steps to address risks associated with AI by applying existing data protection laws.
For instance, in 2019, Morocco imposed a seven-month moratorium on the use of facial recognition technology, a decision driven by the need to regulate and strictly control the use of the technology. This initial ban, extended through the end of 2020, set the stage for broader public and stakeholder engagement.
In 2023, Senegal's Personal Data Protection Commission rejected a company's application to use facial recognition for monitoring employees, citing significant privacy risks. This decision was accompanied by a directive limiting the use of biometric data in the workplace, highlighting the authority's stance on safeguarding data subjects.
Similarly, in 2023, the Office of the Data Protection Commissioner of Kenya suspended the operations of Worldcoin — a product that scans the iris of data subjects and combines blockchain technology with AI for digital identification and financial networking — due to data protection concerns. These instances highlight a trend where DPAs leverage their existing legal frameworks to regulate AI technologies, particularly when they pose potential risks to individuals' data protection rights.
Publication of advisories, opinions, and guidelines on the use of emerging technologies
DPAs have issued and published advisories, guidelines and regulations on the responsible use of AI.
In 2018, Senegal's DPA advised financial sector entities to integrate data protection measures into technological innovations, such as AI and online banking, in a manner compliant with the country's data protection law.
In 2020, Morocco's DPA published two opinions on using facial recognition technologies. The same year, Mauritius' Data Protection Commission published the "Guide on Data Protection for Health Data and Artificial Intelligence Solutions," providing crucial insights into handling sensitive health data within AI solutions and emphasizing the intersection of health care innovation and data protection. In addition, Senegal's DPA published guidance on using biometric technologies in the workplace, including considerations for facial recognition technology.
Public consultations and engagements on AI
Some DPAs have called for public contributions through consultation to understand AI. This is noticeable in Senegal, where the DPA called for public contributions to understand emerging technologies, including AI and the Internet of Things, exemplifying the inclusive approach.
Similarly, Côte d'Ivoire's DPA initiated a comprehensive study to assess the impact of emerging technologies, including drones, video surveillance, biometrics and AI, in the professional and private sectors, inviting public input to ensure a well-rounded regulatory intervention. Another study was initiated in April 2024 on the challenges and issues of AI, 5G networks and services, and the metaverse for developing the digital economy in Côte d'Ivoire. The study aims to promote an inclusive, ethical and responsible adoption of emerging technologies by highlighting their benefits to the country.
DPAs' participation in global AI discourse
At the global level, DPA contributions have been notable. Some of Africa's DPAs have co-sponsored resolutions at the Global Privacy Assembly.
In 2023, the Moroccan DPA co-sponsored resolutions on generative AI systems and AI and employment. Also, Burkina Faso's DPA co-sponsored a "Resolution on Principles and Expectations for the Appropriate Use of Personal Information in Facial Recognition Technology," "Resolution on Accountability in the Development and Use of Artificial Intelligence" and "Resolution on Facial Recognition Technology." These resolutions reiterated the importance of privacy by design and data protection considerations in AI development.
Additionally, Africa's DPAs are lending their voices to other global initiatives and collaborating with DPAs outside Africa. For instance, Morocco's DPA collaborated with 11 global DPAs in issuing a joint letter to major technology companies addressing the critical issue of data scraping. These efforts indicate a proactive approach to addressing the complexities of AI and its implications for data protection globally.
Challenges with AI regulation by DPAs
As much as Africa's DPAs are making efforts toward regulating AI from a data protection perspective, there have been some challenges. DPAs often operate with insufficient budgets, hindering their ability to hire the required human resources, invest in necessary technology and conduct comprehensive investigations.
Also, the lack of skilled staff, particularly those with AI and data protection expertise, hampers the DPAs' effectiveness in understanding and regulating complex AI systems. For example, a lawsuit has been filed against Nigeria's government for not funding the DPA. In Mauritius, the DPA complained about the cut in funding that undermined its capability to function effectively and hire competent hands. Similarly, in Kenya, a report by KICTANet indicates limited funding and low staffing are plaguing the country's DPA and affecting its independence.
Additionally, the effectiveness of laws, the competence and independence of DPAs, and the existence of outdated laws present operational challenges.
Recommendations for strengthening DPAs' role in AI regulation
To strengthen their role in AI regulation, DPAs should:
- Invest in training programs to equip staff with the necessary skills to understand AI systems and other emerging technologies.
- Develop clear and comprehensive guidelines that provide practical guidance on understanding and mitigating the risks associated with AI technologies.
- Create public input and feedback opportunities in the regulatory process, such as consultations, workshops and online forums.
- Collaborate with authorities across competition, consumer protection, human rights, product safety, intellectual property and sector-specific regulators for a coordinated approach to AI regulation.
- Encourage collaboration with other DPAs globally to enhance AI regulation and join AI regulation forums to align Africa's policies with international standards.
Looking ahead: What's next?
Africa's DPAs are taking significant strides toward ensuring technological advancements are harnessed responsibly and ethically, with privacy and human rights at the forefront of their efforts.
These identified trends are expected to continue, with DPAs playing a crucial role in shaping the responsible and ethical development and deployment of AI in Africa.
As the landscape of AI continues to evolve, DPAs are increasingly positioned to become the proxy regulators of AI technology.
Dorcas Tsebee, CIPP/E, is privacy counsel at Tech Hive Advisory.
Ridwan Oloyede, CIPP/E, CIPM, FIP, is AI governance and technology policy lead at Tech Hive Advisory.