Skip Navigation

Data Protection in Africa: A Look at OGP Member Progress

Africa Data Protections Paper Cover

The global adoption of data protection legislation has been slow. Only 66 per cent of countries in the world have legislation in force, while an additional 10 per cent have draft legislation. African countries are behind this global trend, with only 52 per cent having data protection legislation in force. Of OGP’s fourteen African members, ten states have enacted data protection legislation, these are: Burkina Faso, Cabo Verde, Côte d’Ivoire, Ghana, Kenya, Liberia, Malawi, Morocco, Nigeria, Senegal, Seychelles, Sierra Leone, South Africa, and Tunisia. Malawi and Nigeria, have draft legislation, and Liberia and Sierra Leone have no law at all.

Significantly, all fourteen African OGP members recognise the right to privacy domestically, and there is growing consensus that the right (as well as the right to be free of unlawful discrimination, bias, or any other denial of due process) must evolve to include considerations of data protection. Importantly, it was noted throughout the report that the regulation of data protection must strike an appropriate balance with important human rights, such as access to information and freedom of expression.

This report aims to understand and analyse the context and major barriers to effective data protection in the fourteen African OGP members and to make informed recommendations that strengthen data protection on the African continent. In doing so, this report focuses on three thematic areas that are of particular interest to OGP: transparency, accountability, and participation. Within these thematic areas, eighteen focus areas were analysed, consisting of common mechanisms included in data protection legislation that enable an effective framework and contribute to greater transparency, accountability, and participation.

A summary of the outcomes and findings of the contextual and legislative analysis in each thematic area are briefly detailed below. 

For details on all the findings and recommendations, please see the full report here.

Transparency

Transparency is an important tenet of data protection legislation: it builds trust between the data subject and the data controller, and it empowers the data subject to exercise control over their data and make informed decisions about which service providers to use. It further enables data subjects to seek redress if necessary and works to increase accountability. The legislation of all African OGP members included some commitment to transparency, with five members explicitly including it as a condition for lawful processing. It was recognized by stakeholders that transparency, at a bare minimum, requires the publication of information, specifically relating to data controllers and data processors.

Within this thematic area, four focus areas were analysed, see the findings and recommendations for each, below:

  • The Right to Notification
    • Twelve OGP members provide data subjects with the right to be notified that their personal data is being processed.
    • In the absence of notification from a data controller that a data subject’s personal data is being processed a data subject may be unaware of non-compliance, which undermines their ability to exercise additional rights.
  • Breach Notification  
    • Only four members require notification in the event of a data breach.
    • It was noted that the obligation to notify a data subject in the event of a data breach contributes to increased transparency and enables a data subject to control their personal data. The purpose of such an obligation may be undermined by the legal text in three ways: (1) through the absence of a prescribed timeframe for notification; (2) through the use of vague terms for the notification period; and (3) through the inclusion of exceptions which allow for non-reporting.
  • Data Processing Registers
    • Eight OGP members require the development of a data processing register, which is a consolidated bundle of information that the regulatory authority develops and maintains. To be effective, and to contribute to transparency and enable the exercise of data subject rights, the register must be accessible which requires digital access.
  • Terms of Service Icons
    • None of the members require the use of terms of service icons.

Recommendations to Strengthen Transparency

  • Proactive audits of data controllers should be conducted in order to confirm their compliance with data protection legislation. Such audits are useful to ensure that data subjects have been notified that their personal data is being processed, which will enable the exercise of additional rights. It is envisaged that members will be the implementing actors, although private sector actors may also consider conducting such audits.
  • The obligation to notify the regulatory authority and data subjects in the event of a breach must prescribe specific and certain time frames. The use of vague time-frames is open to abuse and may lead to non-compliance. It is envisaged that members will be the implementing actors.
  • Data processing registers should be made available to the public. Any prescribed fee must not limit access to certain members of the public. The mechanism that provides access to the register must be accessible, and is recommended to include digital access. It is envisaged that members will be the implementing actors.
  • The mechanisms or processes that enable the exercise of the right to access information must be accessible. It is envisaged that data controllers will be the implementing actors.

Accountability

Accountability in data protection is context-dependent, which makes it difficult to develop uniform rules or standards for an institutional framework for accountability. However, certain common measures have been included in the data protection legislation of the African OGP members—the most prominent of which includes the appointment of a regulatory authority tasked with enforcing compliance with the law. Data protection legislation provides for several accountability measures and mechanisms that allow different actors to hold the various principals accountable. This report explores these mechanisms in three accountability relationships below:

Mechanisms for the Data Subject to Hold the Data Controller Accountable

  • Civil Liability
    • The effectiveness of civil liability is undermined by the lack of expertise in the judiciary, the police service, and the legal profession.

Mechanisms for the Regulatory Authority to Hold the Data Controller Accountable

  • The Power to Investigate
    • This power significantly impacts on a regulatory authority’s ability to sanction non-compliant parties and requires it to have the necessary resources and capacity, as investigations into non-compliance entail a high level of technical expertise. This in turn requires that the regulatory authority be appropriately resourced with such technical expertise.
    • Nine of the twelve members provide regulatory authorities with such powers of access and seizure.
  • The Power to Sanction
    • It was noted by stakeholders that a sanction will only be effective if it is prohibitive, which requires that the fine must be sufficiently high to act as a deterrent. Legislatively low amounts weaken the role of the regulatory authority.
    • The legislation of eleven of the twelve members provides for criminal sanctions and seven of the twelve members provide for administrative penalties which generally include the imposition of a fine.
  •  Independence
    • Institutional independence is undermined by concerns relating to budget, collaboration and reporting requirements, and security of tenure which in turn may undermine adjudicatory independence.
  • Resources
    • In order for the regulatory authority to function effectively, it requires sufficient financial resources to hire appropriately skilled staff members.

Mechanisms for the Public to Hold the Regulatory Authority Accountable

  • Regular Reporting
    • The regulatory authority should provide publicly available reports that allow external actors to hold it accountable.
    • The legislation of nine of the twelve OGP members requires the regulatory authority to submit an annual report.

 Recommendations to Strengthen Accountability

  • All key-players in the accountability ecosystem should have the requisite technical capacity and knowledge to handle data protection matters. This includes members of the regulatory authority, members of the police service, lawyers, and judges. All of these actors must be appropriately trained with the skills to determine whether a data protection violation has occurred and to understand and enforce the appropriate remedies. It is envisaged that members, regulatory authorities, and professional bodies will be the implementing actors.
  • Specialised courts, or units and registries within courts, should be designated to adjudicate on data protection issues. It is envisaged that members will be the implementing actors.
  • Sanctions in terms of monetary fines must be sufficiently high to act as a deterrent. It is envisaged that members will be the implementing actors.
  • The institutional independence of the regulatory authority must be secured in order to ensure adjudicatory independence; this requires a sustainable financial model that secures the regulatory authority’s financial independence. It is envisaged that members will be the implementing actors.
  • The regulatory authority must be appropriately capacitated. This requires sufficient funding to employ technically skilled staff. Members of the regulatory authority should consider alternative ways to draw in technical skills, such as public-private partnerships, the development of networks, and internships. It is envisaged that members and regulatory authorities will be the implementing actors.
  • The regulatory authority should publicly report on its activities and functions to enable external actors to hold it accountable. It is recommended that such reports be released quarterly and should include disaggregated statistics and information. It is envisaged that regulatory authorities will be the implementing actors.

Participation

This thematic area concerns participation in three instances: first, the data subjects’ participation in, and control over, the processing of their personal data; second, the participation of the regulatory authority domestically through its engagement with stakeholders and its ability to participate in legislative and policy developments; and third, the participation of the regulatory authority regionally through its cooperation in regional associations, networks, and organizations. Within this thematic area, six focus areas were analyzed: the right to access personal data, the right to request the correction or deletion of personal data, consent, stakeholder engagement, policy formulation, and regulatory authority participation.

Data Subject Participation

  • The Right to Access Personal Data
    • This right is undermined in two ways: (1) there is gap between the type of information required to lay a complaint and the type of information that a data subject has access to, which in turn undermines a data subject’s right to an effective remedy; and (2) it is made inaccessible by processes that are uncertain, are complicated, or provide complex language and literacy hurdles.
    • Twelve OGP members provide data subjects with the right to access their personal data.
  • The Right to Request the Correction or Deletion of Personal Data
    • These rights rely on the data subject’s awareness that a data controller is processing their personal data and is accordingly enabled through this right to request access and their right to notification. The undermining of these rights diminish their capacity to exercise the right to request the correction or deletion of their personal data.
    • Twelve OGP members provide data subjects with the right to request the correction or deletion of their personal data.
  • Consent
    • Opt-in consent is not generally required in OGP members.
    • Kenya is the only member that expressly requires opt-in consent.

The Regulatory Authority’s Domestic Participation

  • Stakeholder Engagement
    • Effective engagement requires the regulatory authority to have a cross-cutting mandate to facilitate engagements with multiple stakeholders, and it requires stakeholders have direct access to the regulatory authority.
  • The Regulatory Authority’s Mandate to Participate in Policy Formulation
    • The regulatory authority will have the relevant expertise to guide data protection policy and their inclusion in the process provides an opportunity to strengthen weaknesses that exist in the regulatory system.
    • Eight of the twelve members are empowered to participate in domestic policy

The Regulatory Authority’s Regional and International Participation

  • Regulatory Authority Participation in Regional Bodies
    • Effective data protection requires the regulatory authority to be integrated into regional associations in order to assist with coordination and the development of jurisprudence and resources.

Recommendations to Strengthen Participation

  • Audits should be conducted to determine what information a data subject has access to and what information is required in order to lay a complaint. The two must align to enable a data subject to exercise their right to an effective remedy. It is envisaged that data controllers will be the implementing actors.
  • Data controllers must ensure that the process they implement to realize a data subject’s right to request access to their personal data is clear, is certain, and considers contextual language and literacy barriers. The law should provide for minimum requirements that notes a timeframe for a response, it should not entail a cost, and the information should be provided in an intelligible format. It is envisaged that data controllers and members will be the implementing actors.
  • Data subject participation is undermined by a lack of awareness of data subject rights. Awareness campaigns should be undertaken to facilitate data subject participation. It is recommended that linking data protection concerns to real-life harms makes the content more accessible. It is envisaged that the regulatory authorities, members, and civil society organizations will be the implementing actors.
  • The regulatory authority should have a cross-cutting mandate and the capacity to facilitate multi-stakeholder conversations. It is envisaged that members and the regulatory authorities will be the implementing actors.
  • Data protection should be a participatory process: to enable this, regulatory authorities should consult with stakeholders before releasing regulatory documents such as guidance notes. It is envisaged that regulatory authorities will be the implementing actors.
  • A body or mechanism should be established to enable greater regional cooperation. It is recommended that such coordination take place at the African Union level and an office similar to the European Data Protection Board should be established. Such a body could provide regional guidance to states on data protection issues. It is envisaged that members and the African Union will be the implementing actors.

The information in this report is as of 1 July 2021.

Acknowledgements

OGP would like to thank the following stakeholders who generously gave their time to contribute to this report and whose input has been invaluable: Alison Tilley, Amrit Labhuram, Anri Van der Spuy, Chawki Gaddes, Fatou Jagne, Gabriella Razzano, ‘Gbenga Sesan, Grace Bomu, Hlengiwe Dube, Mugambi Laibuta, Mustafa Mahmoud, Teki Akuetteh Falconer, and the four stakeholders who wished to remain anonymous.

For the drafting of this report, OGP is grateful to Tara Davis of ALT Advisory, supported by Avani Singh and Wendy Trott. For initial reviews of the preliminary draft of this report, OGP is thankful to Michael Power, Joseph Foti, Sandy Arce, and Jessica Hickle.

Downloads

No comments yet

Leave a Reply

Your email address will not be published. Required fields are marked *

Open Government Partnership