advertisement
Africa’s Accelerating Data Protection Laws And Governance
John Omo is the Secretary-General, Africa Telecommunications Union, a specialised agency of the African Union (AU) organ coordinating ICT development in Africa. With the ICT motto increasingly becoming more, faster, better, he believes, “it is imperative to integrate interactions between ourselves and us and other things. It brings in more income, power and control. Without a system of governance, we grapple with a wild west.” It was in this spirit that AU adopted a digital transformation initiative for Africa, which at its core is data management and privacy. Think about this for context all through this conversation.
The unifying law, the Malabo Convention on Cybersecurity, adopted in 2014 June, is known as the AU Convention On Cybersecurity And Personal Data Protection. The AU Heads of State approved it on 27th June 2014. The convention takes a holistic approach to cybersecurity governance and personal data protection by imposing obligations on member states to establish national legal, policy and institutional governance mechanisms.
The problem afflicting this considered law is this; for the Malabo Convention to be in force and be implemented, a minimum of 14 AU member states must ratify it, So far, only Ghana, Guinea, Mauritius, Namibia, and Senegal have ratified it. Even so, according to United Nations Conference on Trade and Development (UNCTAD) statistics, out of the surveyed 54 African countries, 50% had some form of data protection and privacy legislation, 17% draft legislation, 24% had no law, and 9% had absolutely no data to work with.
advertisement
One way to collect this data, says Omo is if through unstructured data. “We think for there is a lot of data sitting with the government. Data not being put into productive use. There is merit in encouraging organisations to access that data for commercial use, and to make sure data protection laws work. We don’t see so much of this in African legislation.” It would also help if moving data across borders happened quickly. There is merit in Africa sticking together for instance, and invoking Malabo.
According to UNCTAD statistics, out of the surveyed 54 African countries, 50 percent had some form of data protection and privacy legislation, 17 percent draft legislation, 24 percent had no legislation and 9% had absolutely no data to work with.
ISfA founder Aireni Omerri’s philosophy springs from a personal standpoint. “Technology doesn’t solve anything. Solutions have to be people-centric,” is her mantra. “Five years ago, I discovered a fake LinkedIn page set up in my mother’s name. I contacted LinkedIn, and once they did their investigation, they took down the page. But what was interesting is that alongside her name, that page also listed her contact information. It made her think the fraudsters had access to her email. After several attempts to have it shut down, the service provider recommended freezing the faux account. In jumped the legal department, he said this would not be possible if her mother, who at the time was suffering from dementia, did not come to the phone and directly answer their questions.
“On that day, she had gotten lost, and we were trying to find her. At that particular time I wasn’t even sure we would find my mum alive so you can imagine how infuriated I was with their response. I see data legislation protection as bringing some kind of accountability. At a personal level.” She profoundly notes, “As Kenyans, who do we turn to when things like these are going on?” The American ISP later explained to her that she would need to get a court order from an American court. Before it was resolved, her mother passed away. “There is no accountability. We are at a disadvantage, and that needs to change.”
advertisement
We think there is a lot of data sitting in government and it is not being put into productive use. there is merit in encouraging organisations to access that data for commercial use and to make sure data protection laws are complied with.
In what is emerging as a universal law, the General Data Protection Regulations (GDPR) took two years from May 2016 to be implemented. In Kenya, the Data Protection Act law was both passed and implemented in November 2019. As Omo reflected, laws take time to be implemented. They need time to seep into the legal consciousness. In Kenya, however, this rush leaves glaring holes, the biggest one; the office of data commissioner which is yet to be established. At the time of writing this article, it is believed that there is a job posting to fill in the position. For now, we don’t have recourse as data subjects because this appointment has not been made.
One of the advantages of having a data commissioner is they would seek to join something like the Malabo Convention for capacity building and to act as a sounding board. S/he would take a look at who the members are. It matters. A Deloitte report on the existing Trends And Aggressiveness Of African DPAs when it comes to enforcing personal data protection legislation reveals this has been the case with Ghana, Mauritius, Morocco, Angola, Cape Verde, Madagascar, Mali and South Africa. On a scale of 1-10, Ghana and Mauritius score 10 with their robustness; Morocco hugs the middle while the rest are making an effort. Should our person be part of this, they can implement fair trade practises.
So how now can we get governments such as ours to ratify goodies such as the Malabo Convention? Omo concludes that “Examples of incentives for better data management at government level, which are tax incentives. This is the case within the American context; to gather as much data as possible for their economic interest. Closer to home, tax rebates and tax incentives.”