We are still looking into data privacy issues that arises in respect of trade in goods and services under the AfCFTA.
With the emergence of digital technology and the increased usage of Internet-based platforms, the inclusion of E-commerce in the African Continental Free Trade Agreement (AfCFTA) becomes pertinent as technology is rapidly changing the way individuals, businesses and the world operate.
Digital trade involves transfer of data across borders of the member States. Hence, insufficient data protection measures can create negative market effects by reducing stakeholders and consumer confidence in the trading engagements particularly with the adoption of Pan-African payment settlement system (PAPSS), which has a lot to do with cross-border exchange of data through the payment processes.
The African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention) 2014 serves as a great measure put in place to ensure protection of personal data and cybersecurity in Africa. The Convention seeks to establish a credible framework for cybersecurity in Africa through the organization of electronic transactions, protection of personal data, and promotion of cybersecurity, and combating cybercrime through each state establishing a legal framework to be aimed at strengthening fundamental rights and public freedoms, protection of physical data, and punishing any violation of privacy without prejudice to the free flow of personal data through the national protection authorities.
However, despite the data protection strategy and enforcement procedure embedded in the convention, so far only 8 states of the 55 member states have ratified the convention and as such most African states today have no data protection regulation.
So far, Data privacy is a fundamental right that is yet to be completely established across many countries in Africa. It is on record that in 2019, Kenya, Nigeria, Togo, and Uganda enacted data protection policies. They were followed by Egypt, which in April 2020 became the most recent AU member to create a data protection framework with its Personal Data Protection Law. Next came South Africa, whose Protection of Personal Information Act came into force in June 2020. Other countries are amending existing data protection policies or working to establish structures to enforce existing laws and regulations.
Many African countries have been reluctant in having legislation for data protection or refused to ratify the existing law for reasons which could include:
- Priority of interest: Many African countries are still battling with political instability (internal political issues) and other gross infrastructural deficit, catching up with the continental data protection requirement is the least of their problems.
- Poor Awareness: Issues concerning data protection still look esoteric to some African countries and they find it too difficult to acclimatize to the essence of data protection.
- The absence of a common enforceable data protection law or regulation applicable across the continent.
- Uneven Patchwork of Regulations: Regulatory barriers can also hamper the development of digital trade in several African markets.
However, despite these impediments, some countries are forging forward in their data protection law and regulation. For instance, Mauritius was the first African country to adopt the Budapest Convention on Cybercrime 2014 and the second non- European country to ratify Europe’s Convention for the protection of individuals with regard to automatic Processing of Personal Data. Mauritius has also enacted its Data protection Act 2017 which came into force in January 2018. Also, Kenya was ranked the first in Africa by the International Telecommunication Union (ITU) under legal and cooperation pillars of cybersecurity. The main regulation for data protection affairs in Kenya is the Data Protection Act. Rwanda according to Global Competitiveness Index (GCI) 2018 was reported to be the country that performs best in organizational capacity, Nigeria comes In 5th place in the GCI 2018 ranking.
On enforcement, taking a leaf from the Malabo Convention, there are some strategies that are embedded in the convention to ensure its compliance, which are.
- Each state is expected to commit to establishing a legal framework aimed at strengthening fundamental rights and public freedoms, protection of physical data, and punishing any violation of privacy without prejudice to the free flow of personal data.
- Processing of certain kinds of personal data both general and sensitive, may only be undertaken upon an authorization principle from the national protection authority.
State parties are also expected to adopt legislative and or regulatory measures as they deem necessary to confer specific responsibility on institutions and their officials in relation to their responses to cybersecurity incidents, coordination, and cooperation.
