Leveraging the African Union Data Policy Framework to Bolster National Data Governance Practices

By CIPESA Staff Writer |

Earlier this month, stakeholders from around Africa met in Kigali, Rwanda to discuss how to implement the recommendations of the African Union (AU) Data Policy Framework to enable member states to improve their data governance policies and practices, including respect for citizens’ rights. Held on the sidelines of the World Telecommunications Development Conference (WTDC), the convening discussed the prevalent data governance challenges and how the Policy Framework can help to address them.

In 2021, the AU Commission embarked on developing the Policy Framework, which was endorsed by the Executive Council in February this year. The Policy Framework offers guidance to member states on how to derive value from data generated by governments and private entities. Further, it makes the case for policy interventions to optimise cross-border data flows, such as harmonising data governance frameworks. The Policy Framework envisages the creation of a shared data space and standards that regulate data production and use across the continent. In turn, the AU is devising an implementation plan to support the domestication of the Policy Framework by member states and putting in place the necessary mechanisms to enable data flows across the continent.

The continental policy comes at a time when the role of data in powering socio-economic growth is taking centre-stage, but so are various data governance concerns that are undermining more effective usage of data and the uptake of data-based initiatives. In some countries, the data regulation is retrogressive and unduly restricts data flows. Other countries lack data protection laws. 

Prevailing digital rights concerns include increased surveillance, proliferation of regressive laws and regulations that undermine digitalisation efforts, large-scale data collection programmes by governments amidst weak oversight and rampant privacy breaches including by business entities. Many governments in the region are undertaking rapid data collection and digitalisation initiatives, such as digital ID, biometric voters’ cards, drivers’ licences and SIM card registration.

The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) was invited to participate at the Kigali convening, specifically to discuss what the Framework means for ordinary citizens and how its implementation can uphold rights, sustain trust and enable data flows that support economic growth and digital transformation.

Speaking at the meeting, CIPESA’s Dr. Wairagala Wakabi indicated that the Framework promises to deliver enhanced data governance in Africa. By providing common benchmarks for states to embrace and be assessed by, it could help engender good policies and practices, which is not the case in some countries currently. However, for this to be realised, common challenges must be addressed. These challenges mostly relate to the security and privacy of data, and the fear by governments that flexible data outflows would undermine local capacity development and job creation and result in revenue losses.

Further, Dr. Wakabi stated that citizens’ trust was “critical to stimulating” the uptake of data-based initiatives. Yet low trust prevailed, mostly due to the lack of public education and awareness among data subjects, little or no information provided on uses of data, and citizens’ previous experiences of data misuse and data breaches by the state or data controllers. To build trust, African countries should institute procedures and systems to ensure data is not breached or abused; enact enabling laws to protect data and rights; conduct adequate education on data handling and usage; grow data controllers’ understanding of the regulatory requirements and ensure they comply with them.

The aspiration of the Framework to increase policy harmonisation and improve data flows across countries holds much promise for economic integration and offers citizens and businesses wider opportunities including for trade beyond national borders. The facilitation of flexible data flows and greater public access to data held by governments and private entities can provide evidence to inform policy and aid the attainment of development objectives such as the Sustainable Development Goals (SDGs).

Similarly, flexible data flows guided by common frameworks that are well defined can serve the public good by enabling innovation, jobs creation and e-services development, and facilitating intra-Africa digital trade. As such, there is a need to address policy measures that restrict data flows across borders and mandatory legal requirements that data be stored or processed in a specific country.

“Many countries have prohibited cross-border transfers of personal data unless authorised by Data Protection Authorities or other designated entity. Common drivers are fears of losing local digital economy jobs, tax revenue and local capacity, for example in data infrastructure, and the need to ensure adequate data security. However, laws and policies are rarely clear on the rationale behind data localisation,” said Dr. Wakabi.

African countries have adopted different approaches to data localisation. Many use laws on financial services (e.g. Nigeria, Ethiopia and Rwanda), cybersecurity and cybercrimes (Rwanda, Zambia and Zimbabwe), telecom (Cameroon, Rwanda and Nigeria) and data protection (Kenya, South Africa, Tunisia and Uganda) to place restrictions on cross-border data transfer. Some specify data that can not be exported without authorisation. Kenya specifies all public data; Nigeria mentions all government data, subscriber and consumer data; while Zimbabwe, Malawi and Tunisia cite personal information. Sierra Leone prohibits the cross-border transfer of subscribers’ registration information. Other countries have data location requirements related to telecom providers’ data, data of entities operating in sectors of “vital importance”, in e-commerce, and those offering cloud services. 

The laws generally provide similar grounds for when personal data may be sent across borders, with transfers easier to make to countries that offer an equivalent level of protection. However, recognition of equivalence among fellow African countries is limited. For instance, Morocco’s 2015 list of countries with a sufficient level of protection featured no African country, while Tunisia’s 2018 list of 49 countries had just Algeria, Mauritania, Mauritius, Morocco, and Senegal.

Those national data sovereignty moves can hamper regional data sharing, trade, foreign investment, and innovation, and run counter to the AU Policy Framework. They also do not always result in greater protection for data or respect for citizens’ rights. As such, a framework is needed to govern cross-border flows, but it should primarily be enabling and not restrictive as is currently the case with most countries.

In sum, it is crucial to build trust among citizens and governments, including by generating evidence to debunk theories that inform current localisation moves and to demonstrate that data can flow freely across borders without undermining national interests. There is also a need to create awareness among citizens of their data rights and how to protect them, grow awareness among data controllers of their obligations and conduct audits of their performance. This alongside empowering regulators to function independently and with sufficient resources. Finally, it is essential to build the capacity of data collectors, regulators, government departments and data intermediaries to robustly protect the rights of data subjects.