Why is it important for African countries to adopt regulations on the transfer of personal data, based on your work?
Protecting personal data is crucial, and it is essential to understand why we do so. There are two main concepts to remember. The first is humanist and democratic, which can be found in the French personal data protection law of 1978, known as the 'Informatique et Libertés' law. To protect citizens from an all-powerful 'Big Brother' state, an independent authority, the Commission Nationale Informatique et Libertés (CNIL), was created. The aim of this trend is to protect individual freedoms such as privacy, freedom of movement, conscience, religion, politics, and trade unions. To achieve this objective, a truly independent protection authority is needed that can stand up to the State. The other approach is more economically globalist. The OECD guidelines, which govern the protection of privacy and transborder flows of personal data, were drafted in 1980 as the first act of this current of thought. At the time, it was evident that personal data protection regulations were underdeveloped worldwide. The rules were highly disparate and not harmonized, hindering cross-border flows of personal data and, therefore, the global economy's development.
The OECD aimed to encourage countries to adopt a minimum level of protection to facilitate international transfers of personal data. To encourage citizens, customers, patients, and others to share their data, it is essential to provide them with protective rules and an independent authority to enforce them. The General Data Protection Regulation (GDPR), adopted in 2016 and enforced in 2018, follows this dual concept, which complements rather than conflicts with each other. The GDPR offers a unified system for data processing across the European Union (EU) and promotes cross-border data transfer within the EU. African nations could take cues from this European approach.
“Currently, only five African countries (Cape Verde, Morocco, Mauritius, Senegal and Tunisia) have signed and ratified the Council of Europe Convention 108”
What is the legislative situation regarding personal data protection in other African countries?
In 2009, I first examined regulations on this topic in Morocco, which was one of the first countries to introduce such regulations, along with Cape Verde and Senegal. In 2009, Benin was not yet subject to the RGPD regime in Europe. However, the country has since developed its legislation to align with this regulation.
Currently, only five African countries (Cape Verde, Morocco, Mauritius, Senegal and Tunisia) have signed and ratified Convention 108 of the Council of Europe, which is a significant international convention for safeguarding personal data. Conversely, no African country is acknowledged by the European Commission as providing sufficient protection in line with EU protection standards. Additionally, a minority of countries have no laws in place to protect personal data.
Cameroon and the Central African Republic are currently considering draft laws. More and more African countries are adopting regulations to protect personal data. This marks a significant acceleration over the last five years, possibly influenced by the impact of the RGPD on the world. China adopted the PIPL (Personal Information Protection Law) two years ago, and India passed a law on the protection of digital personal data (DPDPA) this summer. However, the situation in Africa is less positive due to the slow implementation of regulations. For instance, Algeria's law, which dates back to 2018, only came into force in August 2023, taking four years. South Africa has had a law since 2013, which came into force eight years later. In Egypt, the law passed two years ago is not yet in effect as it is subject to the adoption of a decree that has not been published.
“There is urgent need to accelerate the harmonization and consistency of regulations”
What are the regulatory initiatives in Africa?
There are three noteworthy pan-African initiatives. The first one, the Additional Act on the protection of personal data, dates back to 2010, but it only applies to the Economic Community of West African States (ECOWAS). The Additional Act aimed to provide a framework to assist the various ECOWAS members in adopting national regulations. The African Union's broader initiative, known as the Malabo Convention, dates back to 2014. Both texts encourage countries to adopt consistent regulations that facilitate the transfer of inter-African data.
It is important that these texts promote consistency. For years, we have lived in Europe with non-harmonized regulations. Dealing with different regulations in each country makes it very difficult for players to develop the flow and processing of personal data.
The Southern African Development Community (SADC) has developed a model law on data protection with a slightly different approach. The SADC has invited its member countries to adopt the proposed model law and implement it in their national jurisdictions. However, there has been little uptake.
What are the prospects for effective regulation in Africa?
Regulations in Africa need to be harmonized and made consistent as they are currently too disparate. It is unfortunate that no African country has yet taken the step of having the European Commission recognize that it has adequate protection. This recognition would likely be a significant step forward for the continent. Although several countries have applied for recognition, none have been successful to date. The final issue is promoting education in personal data protection. Studies on personal data regulation are often conducted with foreign firms, which is beneficial. However, developing university courses on personal data protection in Africa would be a significant advantage. In France, for example, university master's degrees in data protection have grown considerably in the last five to six years. Producing knowledge on these subjects helps people understand the law better, comply with it better, and apply it better. It also enables them to develop the law to improve it.