Fewer than half of the 54 countries in Africa have any form of data protection legislation in place, according to lawyers with knowledge of the matter.

"Only nine African countries have data protection legislation and another 22 have draft regulations pending," says Bob Kayihura, of counsel at Covington & Burling in South Africa.

Despite the African Union encouraging the adoption of data protection and privacy laws across the continent, it has been a slow process, says Nozipho Mngomezulu, partner at Webber Wentzel.

"Even in South Africa, only parts of the Protection of Personal Information Act (POPI Act), which came into effect 13 years ago, have been implemented."

Now, individuals working from home due to the COVID-19 crisis has opened up new vulnerabilities for cyber criminals to exploit, she added.

"An increasing number of companies are asking for advice about their systems being compromised."  

But with a dawning continent-wide initiative soon to take effect, and COVID-19 heightening the need for better and safer communications, there is a renewed urgency around the issue.

So far, however, solutions have been piecemeal and controversial, with little legal underpinning.

The practice of African governments using biometrics to gather data from citizens, for example for issuing identity cards, is a threat to personal privacy, says Ahmore Burger-Smidt, director at South African firm Werksmans Attorneys.

"How can individuals check what data is being stored on them and whether it is being stored safely?"

The AU has issued model legislation for data protection and cybercrime, but it is already out of date, because it is taking so long to implement, she added. Further, gaps in and misalignments of legislation creates a grey area for multinationals looking to invest in Africa, adds Burger-Smidt.

"It is dealt with through commitments to contract into European legislation, although this can delay transactions." 

Ridwaan Boda, director of technology, media and telecommunication at ENSafrica says the lack of awareness of the vulnerability of data is concerning, as the percentage of the population using smartphones to access the internet is increasing daily.

Lack of data protection laws enables multinationals to access individuals' data more freely than in developed markets, "for example to monitor their use of technologies," says Grant Williams, partner at Eversheds Sutherland's Johannesburg office.

Those working with governments through public/private partnerships can also gain access to all sorts of data, he added.

|

A Change on the Way?

The impetus for change appears to be increasing, not least by way of an ambitious plan to create a single digital economy in Africa by 2030, Covington's Kayihura says.

"This includes building technology platforms that can track goods and services and exchange data securely."

The aim of the Digital Economy Initiative for Africa – tabled by the African Union – is to ensure that every individual, business and government on the continent will be digitally enabled by 2030. The World Bank estimates that the initiative will cost a total of $100 billion, towards which it has pledged to invest $25 billion between now and 2030.

Ever since the first new generation undersea optic fiber cable landed in Africa in 2009, the concept of a digital economy has been promoted under the banner of the need for 'universal access to broadband connectivity' on the continent. Optimists suggest this is the catalyst for change in a continent in desperate need of a coherent set of cyber laws and regulations.

This month, Zimbabwe introduced its Cyber Security and Data Protection Bill, according to Nellie Tiyago, partner at Harare based Scanlen & Holderness.

"Having been suddenly cut off from the world as borders closed around it due to the COVID-19 lockdown, the government realised that the country cannot operate as a village." 

One of the challenges to achieving uniform laws is that the African continent is divided, particularly in terms of language.

"Countries like Zimbabwe that were colonised by the British and Portuguese tend to follow similar legal processes," says Tiyago.

Cameroon, in central Africa, adopted cybercrime legislation in 2010, but has yet to introduce a specific data protection law, says Danielle Moukouri, managing partner at D.Moukouri and partners, in the city of Douala.

"It is challenging for users to control the use of their data," she says.

But not all action has been slow. ENSafrica's Boda says businesses and governments are adopting artificial intelligence codes of practice, with the primary focus being data protection and privacy.

Still, there is a danger that the need for regulations are being undermined by ambitious plans to adopt new tech, seemingly at any cost. Alice Namuli Blazevic, partner at Katende Ssempebwa Advocates in Kampala, says while businesses are adopting AI and Blockchain technologies, many are oblivious to their data vulnerabilities.

Some nations, however, have working legislation in place, that other countries would do well to take heed of. For example, the Uganda Data Protection and Privacy Act, 2019 regulates the processing of personal information and its Computer Misuse Act is used to combat cybercrime.

"If companies are found to have cybercrime breaches they have not reported, the fine is 2% of their annual revenue," Blazevic says.

|

Read more

Law Firms Across Africa Respond to the Spread of COVID-19