Comparing African Data Privacy Laws: International, African and Regional Commitments

Abstract

Since 2001, 32 of the 55 African countries have enacted data privacy laws, over 20% of all countries with such laws. This article commences with an analysis of which countries have these laws, which have Bills, and which have neither. The extent to which their constitutions require protection of data privacy is also assessed. We suggest that this legislation is not characterized by distinctively African elements, but is more a product of urbanization and globalization. The article focuses on two types of influences on these national laws: standards and obligations originating from outside Africa (international); and those developed within Africa, both at the continental (AU) level, and at the level of Regional Economic Communities (RECs). International influences on African data privacy legislation is indirect. UN influences are as yet slight, but Africa is playing a significant role in the conversion of data protection Convention 108 from a European into a global Convention. The influences of the EU’s data protection Directive (DPD, 1995) and Regulation (GDPR, 2016) are also indirect (aspirational), because no African countries have been assessed as providing ‘adequate protections’ under either instrument. Of potentially great importance is the 2014 adoption of the African Union Convention on Cyber-security and Personal Data Protection (‘Malabo Convention’), but it has only yet only received a third of the necessary ratifications. Of other Africa-wide developments, formation of the African DPA Network of eleven national data protection authorities is important. Of more practical effect have been data privacy agreements and model laws in Regional Economic Communities (RECs). The most mature development as yet, and the earliest, has been from the Economic Community of West African States (ECOWAS), which has had eleven of fifteen member enact legislation in compliance with its 2010 Supplementary Act, Africa’s only binding data protection agreement yet in force, and was influenced strongly by the EU DPD (1995). Following the ECOWAS ‘pilot’, the ITU’s EU-funded HIPPSA project assisted in the development of ‘model laws’ (or similar) in all of the other RECs in Sub-Saharan Africa (SADC, EAC, ECCAS and CEMAC), with improvements on the ECOWAS standards. The three main African instruments (AU Convention, ECOWAS Act, SADC Model Law) are compared with the European instruments typifying the ‘three generations’ of development of data privacy laws (Convention 108, 1980; EU DPD, 1995; and EU GDPR, 2016 and Convention 108+). Conclusions are drawn on the extent to which the three African instruments require, on average, that national laws should include the standards of each of these three generations of international instruments. The article concludes with observations about the consistency of the African instruments. The following article in this series will compare the standards embodied in each of the 32 national laws, taking the same ‘three generation’ approach.