Lawyers across Africa comment on the continent’s urgent need for data privacy and security law

The pandemic has driven home the high value of personal data to the global economy, while also highlighting its vulnerability to abuse and attack. In response, governments around the world, including those in Africa, have been reviewing their data privacy and protection laws and regulations to ensure they are adequately protected. Lawyers in Ghana, Kenya, Madagascar, Morocco, Rwanda, South Africa, Togo, Uganda and Zimbabwe recently commented on this issue in Baker McKenzie’s new Africa Data Security and Privacy Guide.

According to Enid Baaba Dadzie, Senior Associate at Kimathi & Partners in Ghana, the African Union has adopted the African Union Convention on Cybersecurity and Personal Data Protection (also known as the Malabo Convention). This Convention encourages AU member states to recognise the need to protect critical cyber/ICT infrastructure, personal data and the free flow of information, with the aim of developing a credible digital space in Africa. However, it has not taken effect as only a few countries in Africa have ratified it. Some African countries have implemented domestic laws and regulations to protect personal data, while others offer little to no protection.

“In light of the current technological trends and innovations, and digital trade, it is imperative for African countries to implement data privacy and protection policies. African countries must have laws that take care of the local nuances and fit the local context, without simply replicating the provisions of the General Data Protection Regulations (GDPR) and other frameworks,” she said.

Sonal Sejpal, Partner at ALN Kenya | Anjarwalla & Khanna agreed, noting that Africa was more connected now than ever to the rest of the world in terms of trade, and the increasing number of foreign entities doing business in Africa.

“The natural consequence of this is that personal data will continue to move across borders. Therefore, it is imperative that data privacy and data protection laws are implemented across the continent,” she explained.

The benefits of such laws are numerous. Sonal noted, “With implementation of data protection laws, the resultant effect is that there will be more protections to data subject rights. Additionally, Africa will have more control over those who process the personal data of data subjects present in Africa, limiting what they can do with personal data once collected, and throughout the life cycle of processing personal data. Furthermore, African countries will be able to exert more influence over the transfer of personal data from African countries, both intra-Africa and inter-Africa. This will ensure that measures are in place to secure personal data during personal data transfers,” she said.

Raphael Jakoba, Managing Partner at MCI Law Firm in Madagascar, concurred that it was essential for African countries, such as Madagascar, to adapt to the evolution of technologies and the new realities of digital development.

“These new issues raise new risks and problems that African countries must imperatively address, and to which they must respond through the adoption of modern and updated regulations,” he said.

Pierre Deprez, an Associate at Nasrollah & Associés Baker McKenzie in Morocco, said, “Baker McKenzie in Morocco, noted, “Having strong regulations on data protection is nowadays crucial in Africa in general, and especially in Morocco, regarding the exponential rise of data processing due to the use of smartphones and e-commerce this past decade. On the one hand, it ensures the protection of citizens and their fundamental rights. On the other, a solid data protection law helps to reassure the foreign investor/interlocutor who wishes to exchange personal data for business purposes.”

Saad Khaldi, an Associate at Nasrollah & Associés Baker McKenzie in Morocco, agreed, “Strong data privacy regulation should be seen by African countries and businesses as a competitive advantage in a globalized word, where local and international data processing is key to gaining profitability.”

Ijeoma Uju, Partner at Templars Law Firm in Nigeria, noted that it was imperative that African countries develop a strong and more coherent framework for data protection by enacting comprehensive laws and regulations for the protection of personal data and privacy of its citizens.

Ijeoma said that the growth of e-commerce and business in general in African countries makes the need for data protection more pressing. Multinational organizations looking for investment opportunities in these countries may limit their business explorative activities in Africa due to the absence of, or lack of clarity around, data protection law. This is particularly because multinational companies collect and process a large amount of personal data in the ordinary course of their business. Thus, in order to conduct business effectively and safely in Africa, organizations need to understand the scope of data protection laws in such countries.

Emmanuel Muragijimana, Principal Associate at K-Solutions & Partners in Rwanda, commented that data was increasingly becoming an important asset, and collecting and sharing data could serve as big business in the present day’s digital economy. In addition, citizens are also increasingly becoming aware of the importance of protecting one’s personal data.

“African countries, therefore, cannot afford to be left behind. They have to ensure that they put in place legislation to secure the protection of data and privacy in order to prevent issues stemming from unprotected data, such as unauthorized use of one’s personal data without their knowledge, as well as the negative impact on a company or organization’s reputation should it face sanctions, among other factors,” he explained.

Janet MacKenzie, Partner and Head of the IPTech Practice at Baker McKenzie in South Africa, said that rapid digitization, boosted by the pandemic, meant that it is now critical to implement policy, legislative and regulatory frameworks that are intended to guide and enforce the protection and security of personal data, not just in Africa but around the world.

“Failure to do so will lead to business failure, massive financial loss, loss of investment and a devastating rise in criminality,” she noted.

Kafui Achille Amekoudi, Avocat at AMKA Law Firm in Togo (Cabinet Me AMEKOUDI), explained that the penetration rate of the internet in Africa was constantly increasing, because Africa has realized the importance of the internet as a vector of development.

 “With a population of more than a billion inhabitants, Africa is potentially a huge mine of personal data, which explains the proliferation of GAFAM projects to better connect the continent. It is therefore important, already at the primary stage, to regulate data privacy and protection,” he said.

Arnold Lule Sekiwano, Partner at Engoru, Mutebi Advocates in Uganda, explained that recently, there has been an upsurge in the data processing industry in respect of the data mining and data analytics areas.

“The COVID-19 pandemic has also led to an increase in remote access to information and data globally. It is therefore imperative that African countries raise awareness, invest in training and set up relevant infrastructure to enable the implementation of data privacy and protection.

“There is a vast need for autonomous data protection and privacy regulatory bodies which can independently impose and collect fines so that funds are not lost in corruption and embezzlement, and so that personal data is lawfully collected and processed, and breaches are managed throughout the continent, to promote economic and social development,” he said.

Amalia Manuel, Partner at Atherstone & Cook in Zimbabwe agreed, stating that it was “crucial for African countries to put in place laws regulating the protection of data in light of global technological advancements.