Data Protection in Africa: A Look at OGP Member Progress
The global adoption of data protection legislation has been slow. Only 66 per cent of countries in the world have legislation in force, while an additional 10 per cent have draft legislation. African countries are behind this global trend, with only 52 per cent having data protection legislation in force. Of OGP’s fourteen African members, ten states have enacted data protection legislation, these are: Burkina Faso, Cabo Verde, Côte d’Ivoire, Ghana, Kenya, Liberia, Malawi, Morocco, Nigeria, Senegal, Seychelles, Sierra Leone, South Africa, and Tunisia. Malawi and Nigeria, have draft legislation, and Liberia and Sierra Leone have no law at all.
Significantly, all fourteen African OGP members recognise the right to privacy domestically, and there is growing consensus that the right (as well as the right to be free of unlawful discrimination, bias, or any other denial of due process) must evolve to include considerations of data protection. Importantly, it was noted throughout the report that the regulation of data protection must strike an appropriate balance with important human rights, such as access to information and freedom of expression.
This report aims to understand and analyse the context and major barriers to effective data protection in the fourteen African OGP members and to make informed recommendations that strengthen data protection on the African continent. In doing so, this report focuses on three thematic areas that are of particular interest to OGP: transparency, accountability, and participation. Within these thematic areas, eighteen focus areas were analysed, consisting of common mechanisms included in data protection legislation that enable an effective framework and contribute to greater transparency, accountability, and participation.
A summary of the outcomes and findings of the contextual and legislative analysis in each thematic area are briefly detailed below.
For details on all the findings and recommendations, please see the full report here.
Transparency is an important tenet of data protection legislation: it builds trust between the data subject and the data controller, and it empowers the data subject to exercise control over their data and make informed decisions about which service providers to use. It further enables data subjects to seek redress if necessary and works to increase accountability. The legislation of all African OGP members included some commitment to transparency, with five members explicitly including it as a condition for lawful processing. It was recognized by stakeholders that transparency, at a bare minimum, requires the publication of information, specifically relating to data controllers and data processors.
Within this thematic area, four focus areas were analysed, see the findings and recommendations for each, below:
- The Right to Notification
- Twelve OGP members provide data subjects with the right to be notified that their personal data is being processed.
- In the absence of notification from a data controller that a data subject’s personal data is being processed a data subject may be unaware of non-compliance, which undermines their ability to exercise additional rights.
- Breach Notification
- Only four members require notification in the event of a data breach.
- It was noted that the obligation to notify a data subject in the event of a data breach contributes to increased transparency and enables a data subject to control their personal data. The purpose of such an obligation may be undermined by the legal text in three ways: (1) through the absence of a prescribed timeframe for notification; (2) through the use of vague terms for the notification period; and (3) through the inclusion of exceptions which allow for non-reporting.
- Data Processing Registers
- Eight OGP members require the development of a data processing register, which is a consolidated bundle of information that the regulatory authority develops and maintains. To be effective, and to contribute to transparency and enable the exercise of data subject rights, the register must be accessible which requires digital access.
- Terms of Service Icons
- None of the members require the use of terms of service icons.
Recommendations to Strengthen Transparency
Accountability in data protection is context-dependent, which makes it difficult to develop uniform rules or standards for an institutional framework for accountability. However, certain common measures have been included in the data protection legislation of the African OGP members—the most prominent of which includes the appointment of a regulatory authority tasked with enforcing compliance with the law. Data protection legislation provides for several accountability measures and mechanisms that allow different actors to hold the various principals accountable. This report explores these mechanisms in three accountability relationships below:
Mechanisms for the Data Subject to Hold the Data Controller Accountable
- Civil Liability
- The effectiveness of civil liability is undermined by the lack of expertise in the judiciary, the police service, and the legal profession.
Mechanisms for the Regulatory Authority to Hold the Data Controller Accountable
- The Power to Investigate
- This power significantly impacts on a regulatory authority’s ability to sanction non-compliant parties and requires it to have the necessary resources and capacity, as investigations into non-compliance entail a high level of technical expertise. This in turn requires that the regulatory authority be appropriately resourced with such technical expertise.
- Nine of the twelve members provide regulatory authorities with such powers of access and seizure.
- The Power to Sanction
- It was noted by stakeholders that a sanction will only be effective if it is prohibitive, which requires that the fine must be sufficiently high to act as a deterrent. Legislatively low amounts weaken the role of the regulatory authority.
- The legislation of eleven of the twelve members provides for criminal sanctions and seven of the twelve members provide for administrative penalties which generally include the imposition of a fine.
- Institutional independence is undermined by concerns relating to budget, collaboration and reporting requirements, and security of tenure which in turn may undermine adjudicatory independence.
- In order for the regulatory authority to function effectively, it requires sufficient financial resources to hire appropriately skilled staff members.
Mechanisms for the Public to Hold the Regulatory Authority Accountable
- Regular Reporting
- The regulatory authority should provide publicly available reports that allow external actors to hold it accountable.
- The legislation of nine of the twelve OGP members requires the regulatory authority to submit an annual report.
Recommendations to Strengthen Accountability
This thematic area concerns participation in three instances: first, the data subjects’ participation in, and control over, the processing of their personal data; second, the participation of the regulatory authority domestically through its engagement with stakeholders and its ability to participate in legislative and policy developments; and third, the participation of the regulatory authority regionally through its cooperation in regional associations, networks, and organizations. Within this thematic area, six focus areas were analyzed: the right to access personal data, the right to request the correction or deletion of personal data, consent, stakeholder engagement, policy formulation, and regulatory authority participation.
Data Subject Participation
- The Right to Access Personal Data
- This right is undermined in two ways: (1) there is gap between the type of information required to lay a complaint and the type of information that a data subject has access to, which in turn undermines a data subject’s right to an effective remedy; and (2) it is made inaccessible by processes that are uncertain, are complicated, or provide complex language and literacy hurdles.
- Twelve OGP members provide data subjects with the right to access their personal data.
- The Right to Request the Correction or Deletion of Personal Data
- These rights rely on the data subject’s awareness that a data controller is processing their personal data and is accordingly enabled through this right to request access and their right to notification. The undermining of these rights diminish their capacity to exercise the right to request the correction or deletion of their personal data.
- Twelve OGP members provide data subjects with the right to request the correction or deletion of their personal data.
- Opt-in consent is not generally required in OGP members.
- Kenya is the only member that expressly requires opt-in consent.
The Regulatory Authority’s Domestic Participation
- Stakeholder Engagement
- Effective engagement requires the regulatory authority to have a cross-cutting mandate to facilitate engagements with multiple stakeholders, and it requires stakeholders have direct access to the regulatory authority.
- The Regulatory Authority’s Mandate to Participate in Policy Formulation
- The regulatory authority will have the relevant expertise to guide data protection policy and their inclusion in the process provides an opportunity to strengthen weaknesses that exist in the regulatory system.
- Eight of the twelve members are empowered to participate in domestic policy
The Regulatory Authority’s Regional and International Participation
- Regulatory Authority Participation in Regional Bodies
- Effective data protection requires the regulatory authority to be integrated into regional associations in order to assist with coordination and the development of jurisprudence and resources.
Recommendations to Strengthen Participation
The information in this report is as of 1 July 2021.
OGP would like to thank the following stakeholders who generously gave their time to contribute to this report and whose input has been invaluable: Alison Tilley, Amrit Labhuram, Anri Van der Spuy, Chawki Gaddes, Fatou Jagne, Gabriella Razzano, ‘Gbenga Sesan, Grace Bomu, Hlengiwe Dube, Mugambi Laibuta, Mustafa Mahmoud, Teki Akuetteh Falconer, and the four stakeholders who wished to remain anonymous.
For the drafting of this report, OGP is grateful to Tara Davis of ALT Advisory, supported by Avani Singh and Wendy Trott. For initial reviews of the preliminary draft of this report, OGP is thankful to Michael Power, Joseph Foti, Sandy Arce, and Jessica Hickle.