As African societies have digitized in recent years, the need for securing individuals' personal data has grown exponentially.

A new policy paper from global digital rights advocacy group Access Now showed 35 African countries passed data protection legislation in the last 10 years. However, throughout the continent, a general disconnect exists between the policy objectives of data protection legislation and its implementation in the countries that have enacted such laws.

During a recent web forum unpacking the group's new report, Access Now Senior Policy Analyst Bridget Andere said the two overarching issues inhibiting stronger implementation of data protection laws across Africa, much like other jurisdictions, are the number of exemptions in countries' laws and a lack of independence among data protection authorities.

Andere used Kenya's Miscellaneous Amendments Act of 2020, which empowers security services to access personal data from any phone or computer, as an example of an overly intrusive exemption.

"Most of the exemptions that exist, at least in this region … are security exemptions: national security, public exemptions are the ones we keep hearing over and over again," Andere said. "The reality is that whenever we have exemptions like this, and especially exemptions that have to do with national security, it can be a problem in the context in which they exist. Especially because they're not very specific as to when these exemptions apply, in what way they can be applied, who is subject to these exemptions, and just basically how these authorities can utilize these provisions in the law to their own advantage."

Independent researcher Grace Mutung'u said the biggest concern among privacy professionals in the region she has encountered are the numerous exemptions for entities accessing public data that may contain personally identifiable information. She supported African countries adopting the African Union Convention on Cyber Security and Personal Data Protection, also known as the Malabo Convention, which would require countries to implement a regulatory framework on "cybersecurity and personal data protection (that) takes into account the requirements of respect for the rights of citizens."

However, Mutung'u said governments remain wary of codifying civil liberties protections mandated in the Malabo Convention out of concern of diminishing the power of their domestic security and intelligence services.

"Perhaps that is one of the one of the reasons countries have been so slow to adopt the convention, which at the same time is a win for civil society," she said, "because awareness was raised among states that this digital revolution is not just about revenue authorities and national security agencies getting more access to data, this digital revolution should also be about people receiving a higher quality of life."

According to Access Now's report, most DPAs on the continent are "not substantially independent." The report attributes the main causes of the lack of independence to DPAs often structured within certain governmental ministries and/or are not adequately financially resourced to conduct robust investigations.

As an example, the Access Now report presents an instance when the authority of Kenya's Office of the Data Protection Commissioner, contained within the Ministry of Information, Communications and the Digital Economy, was disregarded by Tech for Humanity after it abruptly ended its pilot Worldcoin cryptocurrency program in the country. The ODPC issued an order for TFH to cease the collection of personal data in August of last year. However, the company "flagrantly ignored the order" and then attempted to justify its actions by claiming a nonresponse by the regulator to its request to resume processing served as justification to do so, according to the report.

"Companies like TFH are not likely to engage in this kind of behaviour if they have the perception that data protection laws in a country are robust and that infractions will carry substantial consequences," the report states. "Strengthening data protection laws …  by ensuring that DPAs are independent and sufficiently resourced, can not only better protect peoples' rights, it can prevent foreign companies from operating in an unacceptable colonialist manner, where they benefit from the lack of accountability or recourse for those harmed by their actions."

Mutung'u indicated data protection authorities put their best foot forward "to go out and do their job and try to be as independent as possible from the executive" and "have done pretty well in terms of implementation," especially in countries that haven't yet made data protection matters a major point of focus. 

The forum also highlighted the model provisions in existing African data protection laws, despite lingering issues hindering implementation to the full spirit of their respective texts. 

Data privacy and protection consultant Mugambi Laibuta, CIPM, said the Nigerian Data Protection Act and South Africa's Personal Information Act, which predates the EU General Data Protection Regulation entering into force, could be model legislation for African countries to build upon as they look to strengthen or enact their own data protection laws.

"I believe that when they were drafting (the Nigerian Data Protection Act), they took into consideration the gaps that are there under existing law in Africa," said Laibuta, who is also an Advocate at the High Court of Kenya. "The Personal Information Act of South Africa interestingly came before GDPR and it has really stood the test of time."

Mutung'u said while the text of several countries' privacy laws is strong on paper, the execution on implementation and enforcement generally leaves more to be desired.

"On the model law, you can look at it in terms of the text and in terms of implementation," Mutung'u said. "Nigeria has done really well trying to fix all the gaps that are in the law," adding that regulators at the Data Protection Commission are empowered to proactively investigate consumer data protection matters without receiving a formal complaint.

Access Now's report identified several recommendations for improving the existing data protection paradigm on the continent.

The major recommendations include states that have already passed data protection laws to sign onto Malabo Convention, and "remove overbearing control of other government agencies or officials, and by making substantive provisions for the resourcing of DPAs" and eliminating "overbroad exemptions" in their data protection laws.

To accomplish these goals, Laibuta said the private sector in each country will have to be active in promoting the need for more privacy and security professionals to operationalize new data protection law reforms.

"One of the gaps that we have is the (lack of) data governance professionals," Laibuta said. "But we also need to learn from each other. What we've realized is that this kind of camaraderie and sharing of knowledge, sharing of skills, and mentorship, it has helped a lot of us whether you have many years of experience, or whether you have a only few years of experience."