Leveraging the African Union Data Policy Framework to Bolster National Data Governance Practices

By CIPESA Staff Writer |

Earlier this month, stakeholders from around Africa met in Kigali, Rwanda to discuss how to implement the recommendations of the African Union (AU) Data Policy Framework to enable member states to improve their data governance policies and practices, including respect for citizens’ rights. Held on the sidelines of the World Telecommunications Development Conference (WTDC), the convening discussed the prevalent data governance challenges and how the Policy Framework can help to address them.

In 2021, the AU Commission embarked on developing the Policy Framework, which was endorsed by the Executive Council in February this year. The Policy Framework offers guidance to member states on how to derive value from data generated by governments and private entities. Further, it makes the case for policy interventions to optimise cross-border data flows, such as harmonising data governance frameworks. The Policy Framework envisages the creation of a shared data space and standards that regulate data production and use across the continent. In turn, the AU is devising an implementation plan to support the domestication of the Policy Framework by member states and putting in place the necessary mechanisms to enable data flows across the continent.

The continental policy comes at a time when the role of data in powering socio-economic growth is taking centre-stage, but so are various data governance concerns that are undermining more effective usage of data and the uptake of data-based initiatives. In some countries, the data regulation is retrogressive and unduly restricts data flows. Other countries lack data protection laws. 

Prevailing digital rights concerns include increased surveillance, proliferation of regressive laws and regulations that undermine digitalisation efforts, large-scale data collection programmes by governments amidst weak oversight and rampant privacy breaches including by business entities. Many governments in the region are undertaking rapid data collection and digitalisation initiatives, such as digital ID, biometric voters’ cards, drivers’ licences and SIM card registration.

The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) was invited to participate at the Kigali convening, specifically to discuss what the Framework means for ordinary citizens and how its implementation can uphold rights, sustain trust and enable data flows that support economic growth and digital transformation.

Speaking at the meeting, CIPESA’s Dr. Wairagala Wakabi indicated that the Framework promises to deliver enhanced data governance in Africa. By providing common benchmarks for states to embrace and be assessed by, it could help engender good policies and practices, which is not the case in some countries currently. However, for this to be realised, common challenges must be addressed. These challenges mostly relate to the security and privacy of data, and the fear by governments that flexible data outflows would undermine local capacity development and job creation and result in revenue losses.

Further, Dr. Wakabi stated that citizens’ trust was “critical to stimulating” the uptake of data-based initiatives. Yet low trust prevailed, mostly due to the lack of public education and awareness among data subjects, little or no information provided on uses of data, and citizens’ previous experiences of data misuse and data breaches by the state or data controllers. To build trust, African countries should institute procedures and systems to ensure data is not breached or abused; enact enabling laws to protect data and rights; conduct adequate education on data handling and usage; grow data controllers’ understanding of the regulatory requirements and ensure they comply with them.

The aspiration of the Framework to increase policy harmonisation and improve data flows across countries holds much promise for economic integration and offers citizens and businesses wider opportunities including for trade beyond national borders. The facilitation of flexible data flows and greater public access to data held by governments and private entities can provide evidence to inform policy and aid the attainment of development objectives such as the Sustainable Development Goals (SDGs).

Similarly, flexible data flows guided by common frameworks that are well defined can serve the public good by enabling innovation, jobs creation and e-services development, and facilitating intra-Africa digital trade. As such, there is a need to address policy measures that restrict data flows across borders and mandatory legal requirements that data be stored or processed in a specific country.

“Many countries have prohibited cross-border transfers of personal data unless authorised by Data Protection Authorities or other designated entity. Common drivers are fears of losing local digital economy jobs, tax revenue and local capacity, for example in data infrastructure, and the need to ensure adequate data security. However, laws and policies are rarely clear on the rationale behind data localisation,” said Dr. Wakabi.

African countries have adopted different approaches to data localisation. Many use laws on financial services (e.g. Nigeria, Ethiopia and Rwanda), cybersecurity and cybercrimes (Rwanda, Zambia and Zimbabwe), telecom (Cameroon, Rwanda and Nigeria) and data protection (Kenya, South Africa, Tunisia and Uganda) to place restrictions on cross-border data transfer. Some specify data that can not be exported without authorisation. Kenya specifies all public data; Nigeria mentions all government data, subscriber and consumer data; while Zimbabwe, Malawi and Tunisia cite personal information. Sierra Leone prohibits the cross-border transfer of subscribers’ registration information. Other countries have data location requirements related to telecom providers’ data, data of entities operating in sectors of “vital importance”, in e-commerce, and those offering cloud services. 

The laws generally provide similar grounds for when personal data may be sent across borders, with transfers easier to make to countries that offer an equivalent level of protection. However, recognition of equivalence among fellow African countries is limited. For instance, Morocco’s 2015 list of countries with a sufficient level of protection featured no African country, while Tunisia’s 2018 list of 49 countries had just Algeria, Mauritania, Mauritius, Morocco, and Senegal.

Those national data sovereignty moves can hamper regional data sharing, trade, foreign investment, and innovation, and run counter to the AU Policy Framework. They also do not always result in greater protection for data or respect for citizens’ rights. As such, a framework is needed to govern cross-border flows, but it should primarily be enabling and not restrictive as is currently the case with most countries.

In sum, it is crucial to build trust among citizens and governments, including by generating evidence to debunk theories that inform current localisation moves and to demonstrate that data can flow freely across borders without undermining national interests. There is also a need to create awareness among citizens of their data rights and how to protect them, grow awareness among data controllers of their obligations and conduct audits of their performance. This alongside empowering regulators to function independently and with sufficient resources. Finally, it is essential to build the capacity of data collectors, regulators, government departments and data intermediaries to robustly protect the rights of data subjects.

Council of Europe to Host Session on Cybercrime Legislation in Africa at the Forum on Internet Freedom in Africa 2018 (FIFAfrica18)

Announcement |
The Forum on Internet Freedom in Africa 2018 (#FIFAfrica18) is pleased to announce the participation of the Council of Europe (CoE), through its Cybercrime Division, at the landmark event which is set to take place in Accra, Ghana, at the end of September.
The panel aims to contribute to the on-going efforts on harmonisation of national cybercrime laws with international and regional standards in the African continent, and provide a specific focus on human rights safeguards. International experts, with background on drafting, implementing and enforcing cybercrime legislation, will facilitate an interactive discussion with the participants by introducing the current state of cybercrime legislation in the African continent, debating the progress made in the recent years and discussing the entailed human rights challenges.
FIFAfrica convenes various stakeholders from the internet governance and online rights arenas in Africa and beyond to deliberate on gaps, concerns and opportunities for advancing privacy, access to information, free expression, non-discrimination and the free flow of information online. This year’s forum, which runs from September 26 to 28, is hosted by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) and the Media Foundation for West Africa (MFWA).
According to recent statistics, Africa is exhibiting one of the fastest growth rates in Internet penetration worldwide, with digital connectivity that has almost tripled in the last five years. In the same period, both governments and private sector entities in Africa have been experiencing an equally increasing trend of cyber-attacks.
The CoE has taken steps to protect the pillars of democracy in the digital age particularly as  large-scale theft of personal data, computer intrusions, bullying, harassment and other forms of cyber violence, or sexual violence against children online, affect the extent to which the use of online tools enables participation in democratic processes. Moreover, it is notable that hate speech, xenophobia and racism may contribute to radicalisation, leading to violent extremism.
Attacks against computers used in elections and election campaigns are attacks against democracy. Daily attacks against critical information infrastructure affect national security and economic and other national interests as well as international peace and stability. Moreover, evidence in relation to fraud, corruption, murder, rape, terrorism, the sexual abuse of children and, in fact, any type of crime may take the form of electronic evidence, which is volatile, often intangible and probably in other jurisdictions. And accessing such evidence also has implications for human rights and the rule of law. Effective, legally compliant and robust procedures for the identification, collection and preservation of electronic evidence are therefore essential.
It is in regard to these trends that the CoE will host a panel discussion at FIFAfrica18 that will include reference to the Budapest Convention. The convention is an international treaty that aims at providing substantive legislation and procedural powers for criminal justice authorities to effectively tackle cybercrime, while upholding rule of law and human rights. Since its entry into force in 2004, the Budapest Convention has proven to be a solid baseline for enhanced cooperation across borders, and many governments in Africa, as well as in the rest of the world, have undertaken legal reforms using it as a guideline.

Cyber Diplomacy with Africa: Lessons From the African Cybersecurity Convention

By Mailyn Fidler |
Two years ago, the African Union (AU) adopted its Convention on Cybersecurity and Personal Data Protection. The Convention seeks to improve how African states address cybercrime, data protection, e-commerce, and cybersecurity. However, only eight of the AU’s fifty-four members have signed the Convention, with none ratifying it. Despite this currently limited uptake, the Convention, and how the AU produced it, signals that African states value political autonomy and independence when developing cyber policy. The U.S. government should keep this in mind as it reaches out to AU member states in promoting cyber norms and capacity building efforts.
Development of the Convention
The AU’s development of the Convention reflects a desire of African states to have autonomy over their response to cyberspace challenges. The AU chose to develop its own Convention instead of promoting African participation in existing cyber treaties, most notably the Council of Europe’s Budapest Convention on Cybercrime (2001). Only one African state, South Africa, participated in the Budapest Convention negotiations, and, even then, had to ask to be included.  The Council of Europe approved three other African country requests to accede, a low rate compared to other regions in the global south, and only one African state has ratified it. South Africa has refused to ratify the Budapest Convention because of sovereignty concerns.
Instead, the AU began work on its own approach in 2007. By this time, African states had already started to act as a bloc in international cyber negotiations. For instance, African countries advocated for more equitable access to the Internet and participation in Internet governance during the 2003 and 2005 World Summit on the Information Society (WSIS) – a stance that challenged prevailing Western views.
Read the full article here.