A law unto themselves

Data protection legislation is changing fast across Africa, as governments try to balance the rights of citizens to digital privacy and security with encouraging national, regional and international commerce. It is imperative businesses keep up with these developments.

Data protection legislation in Africa can be divided into three camps: the haves, the have nots and the in-betweens. Some progressive African governments have already charged ahead with new data protection laws in the past few years, regulating the collection and use of personal information by the private and public sector. Others are on the right track and are in the process of drafting legislation or establishing bills that will control how data may be handled but which have not yet passed into law (see Data Protection Legislation To Watch).

While some lag precariously behind and are yet to adopt specific measures to safeguard data, or even establish a national protection authority of any kind.

As well as protecting the digital privacy of citizens and outlining the obligations of the businesses that hold customer information, effective data protection legislation can have a big say in the future health of an economy. Governments without effective means to safeguard and regulate data may be endangering future foreign investment, not to mention relegating their citizens to the fringes of the global economy.

Developments to data protection legislation could be a deciding factor for businesses looking to expand across Africa, as they aim to avoid places where the integrity of data is set at a low premium, or where they might get hit hard by protectionist and maverick data laws designed to seal borders and favour indigenous enterprises.

Lessons from the EU
There are many who argue what Africa needs above all is a harmonised, pan-African approach to data protection, such that data is able to flow seamlessly across borders without falling foul of hostile regulation, all while being afforded a uniformly high level of security. The model here is clearly the European Union.

In Europe, an EU-wide data protection framework has recently been agreed between member states, offering a measure of harmonisation. The General Data Protection Regulation (GDPR) places a number of obligations on data-reliant organisations, who now know what rules they face where ever they or their data may reside within EU borders.

The GDPR will replace all current measures, most likely coming into full force in the first half of 2018. It is a clear step towards a digital single market, and a sound platform for individual countries to base their own legislation on.

US law on data protection and privacy has also been tightened. The Stored Communications Act became law in 1986, but has now been clarified and modernised by a number of legal rulings.

It is very early days, but the first steps towards a harmonised African approach were taken in June 2014 with the African Union’s Convention on Cyber Security and Personal Data Protection. Some 53 African states came together to agree on a legal framework to regulate various fields of ICT activity, ranging from e-transactions and personal
data protection to cyber security. The convention is not however any kind of legally binding instrument, and requires that individual countries put its principles into their own statute book. To date the convention remains unratified, but offers a tantalising prospect of a unified African data policy to rival the EU and US.

Danny Preiskel, Senior Partner with law firm Prieskel & Co, believes that in the longer term Africa will increasingly feel the necessity of moving towards a European-style data protection model. “It will happen in time,” he says. “It will be needed to support things like mobile banking, which is so much more important in Africa compared to other parts of the world. It is in everybody’s interest to come up with a healthy data protection environment.”

Carefully assessing African markets
There is concern that a minority of African governments could be considering mirroring Russia’s stringent data localisation law. Russian law mandates that if an organisation is processing certain types of personal data, then it has to be physically located on servers within the country.

laws

“This trend, if followed, could mean that companies which rely on data will need data centres in multiple countries, whereas they might have managed with one,” warns Mike Conradi, a Partner with UK law firm DLA Piper. “This could add quite considerably to the expense of doing business in Africa, which in turn might not be a good thing for African consumers. And it might put less well-resourced companies off establishing data-related services, other than in one or two countries.”

Organisations looking to do business in Africa need to carefully assess the data protection situation on a country by country basis, warns Christophe Fichet, a Partner in the Paris office of law firm Simmons & Simmons.

“In Europe you have a lot of coordination and cooperation between countries, whereas in Africa at the moment you don’t have that,” he says. “It’s more on a country by country basis. Ideally data protection needs to be more integrated. Harmonisation of policy is important. Most countries at least are now theoretically committed to the delivery of a good level of data protection.”

Not throwing caution to the wind
While African data law remains unharmonised, organisations looking to do business across borders should do so with caution. In particular, businesses looking to take advantage of cloud-based services may need to transfer personal information between African countries, or indeed move data in and out of Africa via the US, Asia or Europe. These organisations need to ensure that every country they move data through has appropriate laws to keep it secure. Businesses also need to be certain that data is able to flow legally back out of a country once it has been
routed there. And they need to be clear on the legal burdens placed on them and the network operator they use, country by country, including any criminal and civil sanctions for violations.

As ever, the price to be paid for not complying with data law can include reputational damage, loss of customers, the payment of damages following a civil class action or fines. At this stage of its evolution, African data protection is still fragmented and immature, but is evolving fast and for the most part in encouraging directions. There still needs to be more consensus on the meaning of key terms like ‘consent’, ‘public interest’ and ‘legitimate grounds’. But there is hope that such details can be thrashed out and enshrined in a binding framework that both protects citizens and allows for healthy economic development.

(This is an excerpt from Liquid Telecom’s new report titled: “CYBERSECURITY & DATA PROTECT ION
AFRICA REPORT”).