By Edrine Wanyama |
Leaders in charge of various data protection agencies and Civil Society Organisations (CSOs) who met at the East African Exchange on Data Protection held in Kampala, Uganda on March 6, 2024, recognised the need to buttress data protection by promoting the right to privacy in the region.
The event drew representatives of government agencies and CSOs from Burundi, the Democratic Republic of Congo, Kenya, Rwanda, Somalia, South Sudan, Tanzania, and Uganda. Speaking to the importance of the Data Exchange programme, Stella Alibateese, the Director of the National Personal Data Protection Office in Uganda emphasised the need to enhance the right to privacy.
“As we navigate these waters, we must recognise the diverse stages of development and implementation of data protection and privacy laws across our partner states in the East African Community,” she said. “Yet, within this diversity lies our strength – the unparalleled opportunity for knowledge exchange, peer learning, and collective growth.”
Dr. Chris Baryomunsi, Uganda’s Minister of ICT and National Guidance, underscored the need for collaboration in dealing with the complexities of data protection. “As a bloc, we must therefore embrace innovative solutions and continue these collaborative efforts amongst regulators, development partners, businesses, and the general public so as to achieve effective data protection and respect for privacy rights,” said Baryomunsi. “I am confident that the outcomes of this knowledge exchange will go a long way in defining a regional approach to addressing emerging threats in data protection.”
Data privacy is necessary for enhancing state relations in trade and business. This includes e-commerce, transport, movement of goods and services, efficiency of service delivery, movement of persons and labour, and information exchange for a quicker economic integration process.
While the East Africa Community (EAC) stands on four pillars (the Customs Union, the Common Market, Monetary Union and Political Federation), which are the core foundations for economic development, the Customs Union, movement of persons, movement workers and the Monetary Union involve mass collection of personal data including in trade and business and travel.
Additionally, not all the states in the region have established strong safeguards on data protection and privacy. For instance, while Kenya, Rwanda, Somalia, South Sudan, Tanzania, and Uganda have specific legislation on data protection, some of the laws are criticised for failing to meet internationally accepted standards by, among others, not having clear and independent authorities to oversee and manage personal data and privacy. Another concern is that Burundi and the Democratic Republic of Congo are yet to enact specific laws on data protection, which puts data movement in the region at risk.
At the regional level, the Draft EAC Legal Framework For Cyber Laws of 2008 has been largely unimplemented. Also, Rwanda is the only country within the EAC that has signed and ratified the African Union Convention on Cyber Security and Personal Data Protection, (the Malabo Convention). As such there is no unified code or standard on data protection and privacy in the region.
Nevertheless, according to Annette Ssemuwemba, Deputy Secretary General for Customs, Trade and Monetary Affairs at the EAC, the bloc is undertaking measures to come up with a harmonised framework on data security. She said such a harmonised framework has the potential to inform data protection practices across the region with high chances of setting a common standard amongst the member states.
Meanwhile, the existing data protection agencies in the EAC Member States face common challenges. These include limited financial resources, lack of sufficient technical and competent staff with a firm grasp of data protection and privacy issues, and receiving of complaints which are not necessarily related to the right to privacy. These challenges have undermined the potential of a transformational data privacy era in the region including in carrying out investigations into data breaches and adjudicating complaints.
Nevertheless, the need to leverage more opportunities for data exchange were highlighted. These include through knowledge exchange, collaboration, governments’ political will, professionalisation of the technology sector, independence of the data protection agencies, ratification of the Malabo Convention, picking lessons from the General Data Protection Regulation (GDPR) of the European Union and the adoption of a uniform code for personal data protection in the region. Such measures could spur the protection and promotion of the right to privacy nationally, regionally, and internationally. Similarly, EAC countries without data protection should swiftly enact them to be on the same page with the rest.