Why Data and AI Governance Are Central to Africa’s Digital Trade Ambitions

By CIPESA Writer

Digital technologies are changing how African businesses trade and connect across borders. However, digital trade on the continent remains hugely constrained, including by regulatory fragmentation, infrastructure gaps, and bureaucratic hurdles. How then should African countries leverage the growing digitalisation and emerging technologies such as Artificial Intelligence (AI) to boost their digital economies?

According to the World Trade Organization (WTO), in 2024, Africa’s exports of digitally delivered services (DDS) were valued at USD 41.3 billion, representing just one percent of global exports. Nonetheless, the continent’s prospects are promising. The WTO and the World Bank project that greater use of digital technologies could boost Africa’s digital services exports by USD 74 billion between 2023 and 2040, doubling Africa’s share of global exports.

Evidently, if African countries do not address existing barriers and take decisive action, the continent risks becoming an even more marginal player in the global digital trade ecosystem. How to bridge the barriers and leverage data and AI to shape digital trade and Africa’s economic future was at the centre of discussions at the African Economic Research Consortium (AERC) Summit 2025, held in Nairobi, Kenya, last December.

A panel on digital trade and the governance of digital and AI economies, where the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) featured, stressed that, although frameworks such as the African Continental Free Trade Area (AfCFTA) Digital Trade Protocol are a step in the right direction, they could fail to significantly grow digital trade if member states lack enabling data and AI governance systems and practices.

Today, DDS account for approximately 35% of Africa’s total services export value, and have been rising at a double-digit rate, outpacing growth in other regions globally. However, growth in digital services trade remains uneven, concentrated in a handful of countries, mostly South Africa, Morocco, Ghana, Egypt, and Mauritius. Kenya, Nigeria and Tunisia are also notable players but with lower export values than the leading African countries.

Regional initiatives such as the AfCFTA Digital Trade Protocol can help to expand digital trade beyond domestic markets, including in countries that currently lag. The protocol, which was adopted two years ago, aims to harmonise rules for cross-border digital trade across Africa, including on electronic transactions, data governance, and digital payments. Meanwhile, the African Guidelines on Integrating Data Provisions in Protocols on Digital Trade of 2024 emphasise harmonised data governance as an enabler of secure and inclusive digital trade across Africa.

The African Union Data Policy Framework (AUDPF) similarly provides for interoperable data ecosystems across the continent that are enabled by harmonised laws that support both innovation and rights protection. The various regional efforts support the dream of a Digital Single Market by 2030, as envisaged by the Africa Digital Transformation Strategy of the African Union.

The Galore of Barriers

The region currently lacks an operational continent‑wide harmonised framework for data protection, e‑commerce regulation, digital taxation, or AI governance. This gap raises compliance costs and presents a barrier to businesses that aim to scale operations across borders. This undermines cross‑border digital trade and data flows. Moreover, lack of regulations for paperless trade, including on electronic invoicing, e-signatures and e-contracts, presents an additional hurdle.

On the other hand, high taxes on goods, services, data, and devices drive up costs for businesses, yet several entrepreneurs struggle to access affordable digital financial services, including for effecting cross-border payments. These challenges are made worse by low internet speeds, unreliable electricity supply, as well as weak understanding of export regulations, data protection, and cybersecurity.

Addressing these barriers would offer entrepreneurs a range of benefits. Businesses can reach new customers beyond national borders without investing much in physical export infrastructure, which can reduce costs and expand their market reach. Also, interoperable digital payments can help to minimise settlement delays and overcome currency conversion hurdles.

Priorities on AI and Data Governance

Projections by a WTO 2025 report show that AI could boost the value of cross-border flows of goods and services by around 40% by 2040, due to productivity gains and lower trade costs. However, Africa’s readiness for AI regulation and uptake, particularly by small and medium enterprises, remains low. The WTO report points to AI’s potential to reduce logistics costs, overcome language barriers, ease regulatory compliance, and boost productivity.

In a March 2025 survey among firms from across the world, the most cited benefits of AI were improved trade efficiency (22%), optimised trade decision-making (14%), expanding the foreign customer base (10%), enhanced supply chain management (9%), and broader import and export product ranges (9% and 8% respectively).

How data and AI are governed is therefore key for the future of Africa’s digital economy. If African countries do not put in place robust and harmonised legislation, they risk perpetuating patterns of so-called “AI colonialism”, in which African data and users fuel global AI markets yet their economies do not receive proportionate economic benefits. Many African countries are adopting AI in the public and private sectors but lack comprehensive AI-specific laws and governance frameworks and often rely instead on outdated laws that pre-date the current technologies.

The State of Internet Freedom in Africa 2025 report calls for human‑centred AI laws that ensure transparency in algorithms, clear accountability, and effective mechanisms for liability and redress. The report urges governments to strengthen independent AI and data oversight institutions, invest in digital infrastructure and inclusion, expand internet access, and ensure AI tools serve local languages. The report also highlights that Africa’s AI market is projected to grow from USD 4.51 billion in 2025 to USD 16.5 billion by 2030.

Africa thus urgently needs cross-border data governance frameworks that support trusted data flows, reduce fragmented national rules, and establish interoperable standards to boost regional digital trade under initiatives such as AfCFTA and the AUDPF. At the same time, investments in affordable connectivity, local cloud capacity, public digital platforms, and datasets in African languages are essential.

The Role of Civil Society and Think Tanks

The Summit discussion stressed the urgent need for research to inform policy, particularly on cross-border data flows, AI adoption, and ways for Africa to avoid new forms of dependency while getting greater value from its data and digital innovation.

Also essential is civil society engagement in monitoring the implementation of continental digital trade and data initiatives, supporting harmonisation of policies and standards, and building the capacity of policymakers, regulators, and businesses.

Actions to Grow Digital Trade in Africa

  • Embrace digital transformation and connectivity by investing in robust networks and backup systems.
  • Implement robust cyber security frameworks while ensuring effective cyber leadership and prioritising investments in cyber infrastructure, skilling, and awareness.
  • Recognise data as a trade enabler by ensuring trade agreements have provisions that prevent unnecessary restrictions on data flows.
  • Harmonise data protection standards to reduce compliance costs for businesses and build trust among different stakeholders.
  • Adopt and implement Intellectual Property (IP) laws to ensure that local innovators and individuals in the region benefit.
  • Build robust digital infrastructure with a focus on Digital Public Infrastructure (DPI) and data privacy.
  • Assess and address the impact of emerging technologies like artificial intelligence, blockchain and IoT, ensuring they foster innovation and address ethical challenges.

Source: CIPESA – Policy Considerations for Enhancing Digital Trade in East Africa

The Surveillance Footprint in Africa Threatens Privacy and Data Protection

By Edrine Wanyama 

Digital and physical surveillance by states, private companies that develop technology or supply governments and unscrupulous individuals globally and across Africa is a major threat to the digital civic space and operations of civil society organisations (CSOs), human rights defenders (HRDs), activists, political opposition, government critics and the media. The highly intrusive technology, which is often facilitated by biometric data collection systems such as for processing of national identification documents, voter cards, travel documents, mandatory SIM card registration and the installation of CCTV cameras for “smart cities”, adversely impacts the digital civic space. 

Given these developments, the Digital Rights Alliance Africa (DRAA), a network of CSOs, media, lawyers and tech specialists from across Africa that seeks to champion digital civic space and counter threats to digital rights on the continent, recently held a learning session on “Understanding Surveillance Trends, Threats and Challenges for Civil Society.” The Alliance was created by the International Center for Not-for-Profit Law (ICNL) and the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) in response to rising digital authoritarianism. It currently has members from more than 12 countries, who collectively conduct research and advocacy and share experiences around navigating digital threats and influencing strategic digital policy reforms in line with the alliance’s outcome declaration.

The virtual learning session built capacity among the Alliance members to better understand digital surveillance and the related threats facing democracy actors. Discussions delved into the nature of surveillance, the regulatory environment, and strategies to navigate and counter surveillance risks and threats. The threats and risks include harassment, arbitrary arrests, persecution and prosecution on trumped up charges. 

While emphasising the need to understand emerging surveillance technologies, ecosystem and deployment tactics, Richard Ngamita, the Team Leader at Thraets, highlighted the huge investment (estimated at USD 1 billion annually) which African governments have made in acquiring surveillance technologies from China, Israel, the United States of America and Europe. Ngamita urged CSOs, HRDs and other actors to build digital security capacity to protect against illegal surveillance.

Victoria Ibezim-Ohaeri, the Executive Director of Spaces for Change, while referencing the Spaces for Change report Proliferation of Dual-Use Surveillance Technologies in Nigeria: Deployment, Risks & Accountability, highlighted weak regulation and unaccountable practices by states that facilitate unlawful surveillance across the continent and their implications on rights. According to the report,

“The greatest concern around surveillance technologies is their potential misuse for political repression and human rights abuses. Surveillance practices also undermine the citizens’ dignity, autonomy, and security, translating to significant reductions in citizens’ agency. Agency reductions are magnified by the state’s power to punish dissent. This creates a chilling effect as citizens self-censor or avoid public engagement for fear of being surveilled or punished. The citizens have little agency to challenge or resist the state’s surveillance because of low digital literacy, poverty and broader limitations in access to justice.”

Michaela Shapiro, the Global Engagement and Advocacy Officer at Article 19, United Kingdom, discussed the governing norms of surveillance globally while paying particular attention to the common gaps that need policy action at the country level in Africa. Recalling the intensification of digital and physical surveillance as part of state responses to curb the spread of Covid-19 in the absence of clear oversight mechanisms, Michaela emphasised the role of CSOs in advocating for data and privacy protection. 

To date, the leading instrument of data protection on the continent, the African Union Convention on Cyber Security and Personal Data Protection, has only 16 ratifications out of 55 states, while only 36 states have enacted specific laws on privacy and data protection rights.

Surveillance in Africa generally poses a major threat to individuals’ data and privacy rights since governments exercise wide access over the data subjects’ rights. National security and the loopholes in the laws are usually exploited to abuse and violate data rights. While there are regional and international standards, these are often overlooked with governments taking measures that are not provided for by the law, rendering them unlawful, arbitrary and disproportionate under human rights law. 

By way of progressive actions, speakers noted and made recommendations to States and non-state actors to the effect that:

States and Governments 

  • Address surveillance and bolster personal data and privacy protections through adopting robust legal and regulatory frameworks and repealing restrictive digital laws and policies.
  • Promote and enhance transparency and accountability through the establishment of independent surveillance oversight boards.
  • Strictly regulate the use of surveillance technologies by law enforcement and intelligence agencies to ensure accountability.
  • Collaborate with other countries to develop harmonised privacy standards within the established regional and international standards to have settled positions on cross-border controls on surveillance.

Civil Society Organisations

  • Build and enhance capacities of HRDs and other players in data governance and accountability to equip them with knowledge to counter common data privacy threats by governments and corporate entities.
  • Push for ethical and responsible use of technology to prevent and minimise technology-related violations. 
  • Challenge all forms of unlawful use of surveillance practices through, among others, legal action.

Tech Sector

  • Conduct regular audits and impact assessments to address potential privacy breaches and enhance accountability and transparency. 
  • Prioritise privacy and integrate privacy protections into their products and services including data collection minimisation and establish strong security measures for privacy.
  • Prioritise ethical considerations in the development and deployment of new technologies to guarantee strong protections against potential violations.

Robust Data Protection Standards Could Spur Regional Economic Integration

By Edrine Wanyama

Leaders in charge of various data protection agencies and Civil Society Organisations (CSOs) who met at the East African Exchange on Data Protection held in Kampala, Uganda on March 6, 2024, recognised the need to buttress data protection by promoting the right to privacy in the region. 

The event drew representatives of government agencies and CSOs from Burundi, the Democratic Republic of Congo, Kenya, Rwanda, Somalia, South Sudan, Tanzania, and Uganda. Speaking to the importance of the Data Exchange programme, Stella Alibateese, the Director of the National Personal Data Protection Office in Uganda emphasised the need to enhance the right to privacy. 

“As we navigate these waters, we must recognise the diverse stages of development and implementation of data protection and privacy laws across our partner states in the East African Community,” she said. “Yet, within this diversity lies our strength – the unparalleled opportunity for knowledge exchange, peer learning, and collective growth.”

Dr. Chris Baryomunsi, Uganda’s Minister of ICT and National Guidance, underscored the need for collaboration in dealing with the complexities of data protection. “As a bloc, we must therefore embrace innovative solutions and continue these collaborative efforts amongst regulators, development partners, businesses, and the general public so as to achieve effective data protection and respect for privacy rights,” said Baryomunsi. “I am confident that the outcomes of this knowledge exchange will go a long way in defining a regional approach to addressing emerging threats in data protection.”

Data privacy is necessary for enhancing state relations in trade and business. This includes e-commerce, transport, movement of goods and services, efficiency of service delivery, movement of persons and labour, and information exchange for a quicker economic integration process.

While the East Africa Community (EAC) stands on four pillars (the Customs Union, the Common Market, Monetary Union and Political Federation), which are the core foundations for economic development, the Customs Union, movement of persons, movement of workers and the Monetary Union involve mass collection of personal data, including in trade, business and travel.

Additionally, not all the states in the region have established strong safeguards on data protection and privacy. For instance, while Kenya, Rwanda, Somalia, South Sudan, Tanzania, and Uganda have specific legislation on data protection, some of the laws are criticised for failing to meet internationally accepted standards by, among others, not having clear and independent authorities to oversee and manage personal data and privacy. Another concern is that Burundi and the Democratic Republic of Congo are yet to enact specific laws on data protection, which puts data movement in the region at risk. 

At the regional level, the Draft EAC Legal Framework For Cyber Laws of 2008 has been largely unimplemented. Also, Rwanda is the only country within the EAC that has signed and ratified the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention). As such, there is no unified code or standard on data protection and privacy in the region.

Nevertheless, according to Annette Ssemuwemba, Deputy Secretary General for Customs, Trade and Monetary Affairs at the EAC, the bloc is undertaking measures to come up with a harmonised framework on data security. She said such a harmonised framework has the potential to inform data protection practices across the region with high chances of setting a common standard amongst the member states. 

Meanwhile, the existing data protection agencies in the EAC Member States face common challenges. These include limited financial resources, lack of sufficient technical and competent staff with a firm grasp of data protection and privacy issues, and receiving of complaints which are not necessarily related to the right to privacy. These challenges have undermined the potential of a transformational data privacy era in the region including in carrying out investigations into data breaches and adjudicating complaints. 

Nevertheless, the need to leverage more opportunities for data exchange was highlighted. These include knowledge exchange, collaboration, governments’ political will, professionalisation of the technology sector, independence of the data protection agencies, ratification of the Malabo Convention, picking lessons from the General Data Protection Regulation (GDPR) of the European Union and the adoption of a uniform code for personal data protection in the region. Such measures could spur the protection and promotion of the right to privacy nationally, regionally, and internationally. Similarly, EAC countries without data protection laws should swiftly enact them to be on the same page with the rest.

State of Internet Freedom in Africa 2022: The Rise of Biometric Surveillance

FIFAfrica22

Digital biometric data collection programmes are becoming increasingly popular across the African continent. Governments are investing in diverse digital programmes to enable the capture of biometric information of their citizens for various purposes.

A new report by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) documents the emerging and current trends in biometric data collection and processing in Africa. It focuses on the deployment of national biometric technology-based programmes in 16 African countries, namely Angola, Cameroon, Central African Republic, Democratic Republic of Congo, Kenya, Lesotho, Liberia, Mozambique, Nigeria, Senegal, Sierra Leone, Tanzania, Togo, Tunisia, Uganda, and Zambia.

The report published today is the ninth consecutive one issued by CIPESA since 2014 under the State of Internet Freedom in Africa series. It was released at the Forum on Internet Freedom in Africa (FIFAfrica), which is taking place in Lusaka, Zambia.

The biometric data collection programmes reviewed by the report include those related to civil registrations, such as the issuance of National Identity cards, biometric voter registration and identification programmes, government-led CCTV programmes with facial recognition capabilities, national ePassport initiatives, refugees’ registration, and mandatory biometric SIM card registration.

The report highlights the key trends, potential risks, challenges and gaps relating to biometric data collection projects in the continent. These include limited public engagement and awareness campaigns; inadequate legal frameworks that heighten risks to privacy; exclusion from accessing essential services; enhanced surveillance, profiling and targeting; conflicting interests and the wide powers of third parties; and limited capacity and training. 

Consequently, the study notes that these biometric programmes are being implemented in countries with poor digital rights records, declining democracy and rising digital authoritarianism, which casts doubt on the integrity of biometric data collection programmes and the resultant databases. Thus, viewed collectively, the developments, trends and risks outlined in the report heighten concern over the growing threats to the right to privacy of personal data and potential violations of digital rights on the continent. 

Finally, the report presents recommendations to various stakeholders including the government, civil society, the media, the private sector and academia, which, if implemented, will go a long way in addressing data protection and privacy gaps, risks and challenges in the study countries. 

The key recommendations include a call to:

  • Governments to implement the laws and policy frameworks on identity systems and data protection and privacy while paying keen attention to compliance with regionally and internationally recognised principles and minimum standards on data protection and privacy for biometric data collection and require the adoption of human rights-based approaches. 
  • Countries without data protection and privacy laws, such as Liberia, Mozambique, Sierra Leone and Tanzania, to expedite the process of enacting appropriate data protection laws so as to guarantee the data protection and privacy rights of their citizens.
  • Governments to ratify the AU Convention on Cyber Security and Personal Data Protection (Malabo Convention) to ensure government commitment to regional data protection and privacy as a means to hold them accountable.
  • Governments to establish independent and robust oversight data protection bodies to regulate data and privacy protection including biometric data.
  • Civil society to engage in advocacy and lobby governments to develop, implement and enforce privacy and data protection policies, laws and institutional frameworks that are in compliance with regional and international minimum human rights standards.
  • Civil society to monitor, document and report on the risks, threats, abuses and violations of privacy and human rights associated with biometric data collection programmes, and propose effective solutions to safeguard rights in line with international human rights standards.
  • The media to progressively document and report on initiatives such as advocacy by civil society and other stakeholders to keep track of developments. 
  • The media to conduct investigative journalism to identify and expose privacy violations arising from the implementation of biometric data collection programmes.
  • The private sector to take deliberate efforts to ensure that all their respective biometric data collection programmes and systems are developed, implemented and managed in compliance with best practices prescribed by the national, regional and international human rights standards and practices on privacy and data protection, including the UN Guiding Principles on Business and Human Rights.
  • The private sector to ensure that they progressively adopt and develop comprehensive internal privacy policies to guide the collection, storing and processing of personal data. 
  • The private sector to take deliberate efforts aimed at involving data subjects in the control and management of their personal data by providing timely information on external requests for information. 
  • Academia to conduct evidence-based research on data protection and privacy including biometrics, highlighting the challenges, risks, benefits and trends in biometric data collection programmes. 

The full State of Internet Freedom in Africa 2022 Report can be accessed here.

FIFAfrica22: Recognising Access To Information As A Fundamental Digital Right

Greetings from #FIFAfrica22

On September 28, the International Day for Universal Access To Information (IDUAI) will be commemorated globally. The day was proclaimed by the United Nations Educational, Scientific and Cultural Organisation (UNESCO) General Conference in 2015, following the adoption of the 38 C/Resolution 57 which recognised the significance of access to information. The 2022 edition of the Forum on Internet Freedom in Africa (FIFAfrica) will also commemorate this day through a series of discussions pertaining to access to information as a fundamental digital right.

Since its inception, FIFAfrica has coincided with IDUAI commemorations every September 28, during which it has endeavoured to create awareness about access to information offline and online and its connection to wider freedoms and democratic participation. These engagements have drawn consistent partnerships from UNESCO, among other global and regional actors.

In 2017, the African Commission Special Rapporteur for Freedom of Expression and Access to Information, Advocate Pansy Tlakula, addressed FIFAfrica, where she received special recognition for her contributions to promoting access to information.

The theme for IDUAI 2022 is “Artificial Intelligence, e-Governance and Access to Information” which echoes various sessions that will feature at FIFAfrica22.

The opening of FIFAfrica22 will feature Honourable Ourveena Geereesha Topsy-Sonoo, the African Commission on Human and Peoples’ Rights (ACHPR) Commissioner on Freedom of Expression and Access to Information. Further sessions that resonate with this year’s global IDUAI theme will also form part of the discussions at FIFAfrica22, including Building Resilient Access to Information Legislation in the Digital Age; The Internet as a Tool for Promoting Information Integrity, Addressing Information Pollution Online and Offline; Artificial Intelligence Policy and Practice: Towards a Rights-Based Approach in Africa; Data Protection Trends and Advocacy in Africa; and Digital Inclusion: Access, Data Governance and Ethical Innovation in Africa.

Speakers at the sessions will represent a diversity of actors working on advancing the free flow of information, each of whom brings new insights and approaches to addressing practice and policy gaps affecting the realization of access to information in Africa. The speaker lineup includes representatives from Panos Institute, Africa Freedom of Information Centre (AFIC), African Centre for Media Excellence (ACME), Bloggers of Zambia, International Training Programme on Media Development in a Democratic Framework (ITP), International Center for Not-for-Profit Law (ICNL), ALT Advisory, Center for Intellectual Property and Information Technology (CIPIT), Paradigm Initiative, Lawyers Hub Kenya, World Benchmarking Alliance, Development Initiatives, Data Science for Health Discovery and Innovation in Africa (DSI-Africa), Internet & Jurisdiction Policy Network, Internews, and Access Now.

Be part of the online conversation using #FIFAfrica22 and share your vision for #InternetFreedomAfrica!

About FIFAfrica
The Forum on Internet Freedom in Africa (FIFAfrica) is an annual landmark event which convenes a spectrum of stakeholders from across the internet governance and digital rights arenas in Africa and beyond. Hosted by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), the Forum will offer a platform for government representatives, civic actors, journalists, policymakers and technologists to come face to face.