    Data Protection

    Module 4: Data Privacy and Data Protection

    Data protection is one of the primary ways through which the right to privacy is given effect. At least 36 African states have so far enacted data protection laws, and more are in the process of doing so.(1) In addition to giving effect to the right to privacy, data protection legislation also facilitates trade among states, as many data protection laws restrict cross-border data transfers in circumstances where the state receiving the information does not provide an adequate level of data protection. Framed more positively, data protection laws enable the regulated transfer of personal information across borders where both jurisdictions have put in place adequate data protection laws and procedures to protect data subjects’ rights.

    Key data protection principles

    Data protection laws are aimed at protecting and safeguarding the processing of personal information (also sometimes called personal data). Personal information is typically defined as any information relating to an identified or identifiable natural person — i.e. the data subject — by which the data subject can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, or social identity. A data controller, also sometimes called the responsible party, can typically be either a public or private body and is the person or entity responsible for processing personal information about the data subject.

    Most comprehensive data protection laws in Africa make provision for a core set of principles which can be summarised as follows:(2)

    • Personal information must be processed fairly and lawfully and must not be processed unless the stipulated conditions are met.
    • Personal information must be obtained for a specified purpose (or purposes) and must not be further processed in any manner incompatible with that purpose.
    • Personal data must be adequate, relevant, and not excessive in relation to the purpose (or purposes) for which it was collected.
    • Personal information must be accurate and, where necessary, kept up to date.
    • Personal information must not be kept for longer than is necessary for the purpose.
    • Personal information must be processed in accordance with the rights of data subjects provided for under the data protection law.
    • The data controller must take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
    • Personal data must not be transferred to another country that does not ensure an adequate level of protection for the rights and freedoms of data subjects.

    In addition, most data protection laws establish a regulatory body to monitor and enforce the provisions of the law: this type of regulatory body is often referred to as a data protection authority (DPA).

    International law standards

    The United Nations Special Rapporteur (UNSR) on the Right to Privacy released a report in 2022 providing an in-depth analysis of the principles of legality, lawfulness and legitimacy, consent, transparency, purpose, fairness, proportionality, minimisation, quality, responsibility, and security in the context of data protection legislation, which serves as a seminal guide for the development and harmonisation of data protection regulations around the world.(3)

    In relation to the protection of personal information, General Comment No. 16 on Article 17 of the ICCPR (General Comment No. 16) provides as follows:(4)

    “The gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. Effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant. In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files. If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.”

    In 2023, in response to the rapid and widespread collection of personal information ostensibly to combat the COVID-19 pandemic from 2020-2022, the UNSR on Privacy released a report elaborating on the implementation of the principles of purpose limitation, deletion of data and demonstrated or proactive accountability in the processing of personal data collected by public entities in the context of the pandemic.(5)

    Regional law standards

    There are several African regional instruments that deal with data protection:

    • The African Union (AU) Convention on Cyber Security and Personal Data Protection 2014(6) (the Malabo Convention): This continental instrument includes provisions relating to data protection, e-transactions, cybercrime and cybersecurity. The provisions relating to data protection are contained in Chapter II and set out the conditions for the lawful processing of personal information, as well as the rights afforded to data subjects. After finally receiving ratification from the required 15th state, the Malabo Convention came into force in 2023.(7)
    • EAC Legal Framework for Cyberlaws 2008(8) (EAC Legal Framework): This instrument covers topics relating to data protection, electronic commerce, data security and consumer protection. It is not intended to be a model law but instead provides guidance and recommendations to states to inform the development of their laws. Data protection is dealt with briefly in paragraph 2.5 of the EAC Legal Framework, as part of Phase I which was adopted by the EAC Council of Ministers in 2010.(9)
    • Supplementary Act on Personal Data Protection within ECOWAS 2010(10) (ECOWAS Supplementary Act): This instrument is designed to be directly transposed into a domestic context among West African states and provides in detail the conditions for the lawful processing of personal information and the rights of data subjects. Importantly, it is also legally binding on ECOWAS States. ECOWAS also adopted the Directive on Fighting Cyber Crime in 2011 in an effort to harmonise member states’ cybercrime legislation.
    • SADC Data Protection Model Law 2013(11) (SADC Model Law): This is a model law that can be adapted into domestic contexts among southern African states. It seeks to ensure the harmonisation of information and communications technologies (ICT) policies and recognises that ICT developments impact the protection of personal data, including in government and commercial activities. It also deals with whistle-blowing, by providing that the data protection authority must establish rules to govern the whistleblowing system that preserve data protection principles, including the principles of fairness, lawfulness, purpose specification, proportionality, and openness.

    In addition to giving effect to the right to privacy, data protection laws also often further facilitate a right of access to information, by providing for data subjects to request, and be given access to, the information being held about them by a controller. This mechanism can enable data subjects to determine whether their personal information is being processed in line with applicable data protection laws and whether their rights are being upheld.

    Mapping the state of data protection in Africa

    Given the importance of data protection legislation in protecting the right to privacy in the digital age, as well as the rapid progression of legislation and regulation in this area, it can be hard to keep up to date with the state of data protection in Africa. Data Protection Africa is an open, online resource that aims to provide a detailed analysis of the governance of data protection across the continent, mapping and analysing the legislation in place in all 55 member states of the African Union. As of February 2024, it notes that 36 of the 55 AU-recognised states have passed data protection legislation, with three further draft bills under consideration.

    Emerging challenges to data protection

    As more states across the continent have passed data protection legislation, so too have the risks and challenges of regulating and protecting privacy in the digital age become more complex. Many states, particularly those in West Africa, passed their laws some time ago,(12) raising concerns that they may no longer be suited to the challenges of the modern age. In South Africa, for example, the Protection of Personal Information Act was passed in 2013 but only came into effect in July 2020 with a further grace period given for full compliance. This has raised concerns among critics that the Act already requires amendments to stay up to date with new issues such as AI.(13)

    In addition, the enforcement challenges of these many new data protection laws have become increasingly apparent. For example, research has found that 14 countries’ laws provide for the data protection authority to be established within, or to receive instructions from, another public body, such as a government ministry, raising questions about regulatory independence.(14) Eleven countries were found not to have adequate protections in place to prevent the undue removal of members of the authority for political or other reasons.(15)

    Enforcement challenges: example from Kenya

    Many data protection authorities across the continent have struggled to meaningfully hold violators of data protection legislation accountable, particularly powerful multinational corporations.

    For example, in 2023, Tools for Humanity piloted a new cryptocurrency campaign called Worldcoin that paid people a small sum of money in the cryptocurrency to have their biometric data collected, resulting in thousands taking up the opportunity,(16) with very little information about how the data would be used. In May, Kenya’s Office of the Data Protection Commissioner (ODPC) ordered the company to halt processing,(17) an order which was reportedly ignored. The company finally stopped data collection only when, in August, the Ministry of the Interior ordered the suspension of Worldcoin’s operations in the country, citing data protection concerns.(18) The ODPC subsequently launched litigation against Tools for Humanity in the High Court.(19)

    This demonstrates the challenges data protection authorities face in holding these powerful international companies to account.

    Another barrier to the advancement of data protection on the continent is the limited scope of data protection laws, with many containing extensive national security or private sector exemptions that undermine their efficacy. In this regard, it is also important to note the track record on the continent of national security justifications being abused, as detailed in Module 9 in this series.

    Footnotes

    1. See https://dataprotection.africa/ for more information.
    2. Information Commissioner’s Office, ‘A guide to the data protection principles’ (accessible at https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/).
    3. UNSR on Privacy, ‘Promotion and protection of human rights: human rights questions, including alternative approaches for improving the effective enjoyment of human rights and fundamental freedoms’ (2022) (accessible at https://documents.un.org/doc/undoc/gen/n22/594/48/pdf/n2259448.pdf?token=u1h0GXrW9xSVX7VFHW&fe=true).
    4. UNHCHR, ‘CCPR General Comment No. 16: Article 17 (Right to Privacy)’ (1988) (accessible at https://www.refworld.org/legal/general/hrc/1988/en/27539) at para 10.
    5. UNSR on Privacy, ‘A/HRC/52/37: Implementation of the principles of purpose limitation, deletion of data and demonstrated or proactive accountability in the processing of personal data collected by public entities in the context of the COVID-19 pandemic – Report of the Special Rapporteur on the right to privacy’ (2023) (accessible at https://www.ohchr.org/en/documents/thematic-reports/ahrc5237-implementation-principles-purpose-limitation-deletion-data-and).
    6. AU, ‘African Union Convention on Cyber Security and Personal Data Protection’ (2014) (accessible at https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf).
    7. ALT Advisory, ‘Africa: AU’s Malabo Convention set to enter force after nine years’ (2023) (accessible at https://altadvisory.africa/2023/05/19/malabo-convention-set-to-enter-force/).
    8. EAC, ‘EAC Legal Framework for Cyberlaws’ (2008) (accessible at http://repository.eac.int:8080/bitstream/handle/11671/1815/EAC Framework for Cyberlaws.pdf?sequence=1&isAllowed=y).
    9. UNCTAD, ‘Harmonizing Cyberlaws and Regulations: The experience of the East African Community’ (2012) (accessible at https://au.int/sites/default/files/newsevents/workingdocuments/27223-wd-harmonizing_cyberlaws_regulations_the_experience_of_eac1.pdf).
    10. ECOWAS, ‘Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS’ (2010) (accessible at http://www.statewatch.org/news/2013/mar/ecowas-dp-act.pdf).
    11. HIPSSA, ‘Data Protection: SADC Model Law’ (2013) (accessible at https://www.itu.int/en/ITU-D/Projects/ITU-EC-ACP/HIPSSA/Documents/FINAL DOCUMENTS/FINAL DOCS ENGLISH/sadc_model_law_data_protection.pdf).
    12. Data Protection Africa, ‘Standing Alone: The Independence of African Data Protection Authorities’ (2024) (accessible at https://dataprotection.africa/standing-alone-the-independence-of-african-data-protection-authorities/).
    13. IT Web, ‘POPIA principles must align with AI governance, say experts’ (2023) (accessible at https://www.itweb.co.za/article/popia-principles-must-align-with-ai-governance-say-experts/RgeVDvPRrn8MKJN3).
    14. See above n 12.
    15. Id.
    16. Njenga, Schmitz, ‘Worldcoin: Thousands flock KICC to have eyeballs scanned for Ksh.7k’ (2023) (accessible at https://www.citizen.digital/news/worlcoin-thousands-flock-kicc-to-have-eyeballs-scanned-for-ksh7k-n324643).
    17. TechCrunch, ‘Worldcoin ignored initial order to stop iris scans in Kenya, records show’ (2023) (accessible at https://techcrunch.com/2023/08/15/worldcoin-in-kenya/?guccounter=1).
    18. Kenya Ministry of Interior, ‘Statement on Worldcoin’ (2023) (accessible at https://twitter.com/InteriorKE/status/1686709534075629568).
    19. See above n 17.