Abstract

Thirty-three of the 55 African countries have enacted data privacy laws since 2001. This paper analyses two types of potential legal influences on these national laws: standards and obligations originating from outside Africa (international); and those developed within Africa, both at the continental (African Union) level, and at the level of Regional Economic Communities (RECs).

Analysis commences with which countries have laws or Bills, and constitutional requirements. International influences are shown to be indirect, with only slight UN influences, but with accessions by African countries to data protection Convention 108 significant in converting it into a global Convention. EU influences are also indirect (aspirational), with both the DPD and the GDPR perceived as standards to be emulated in African instruments. Of African multilateral agreements, the African Union's data protection and cybercrime Convention (2014) is as yet of limited influence because it is not in force. In contrast, the ECOWAS Supplementary Act (2010) has been of considerable practical influence in West Africa. The HIPSSA ‘Model Acts’ with higher standards (particularly SADC Model Law, 2013) remain of potential influence in other regions of sub-Saharan Africa.

European instruments are presented as typifying ‘three generations’ of development of data privacy laws (exemplified by (i) Convention 108, 1980; (ii) EU DPD, 1995; and (iii) EU GDPR, 2016 plus Convention 108+, 2018). The three main African multilateral instruments (ECOWAS Act, AU Convention, SADC Model Law) are compared with them, as well as between themselves.

These comparisons enable conclusions to be drawn, some of which are as follows. The African regional framework does not display any Africa-specific approach to data protection. Less individualist and more communitarian African culture or human rights discourse is absent from the texts of these laws. Drafters of the African instruments seem to accept, tacitly or expressly, the necessity to be consistent with other international texts, in particular European instruments. They have adopted many ‘2nd generation’ DPD elements but have anticipated relatively few of the ‘third generation’ GDPR standards. Sub-regional agreements (ECOWAS Act and model laws) have provided a means to move forward despite the lack of progress in bringing the regional AU convention into force.
