Africa’s Multilateral Legal Framework on Personal Data Security: What Prospects for the Digital Environment?

  • Rogers AlungeEmail author
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 311)


As the African continent continues to embrace technological innovations and corresponding infrastructures like the Internet of Things, certain concerns have been raised as regards the security risks related to critical ICT network infrastructures in the continent, as well as the safeguarding of the fundamental rights of Africans through the protection of their personal data, especially those shared online. One of such concerns is personal data security, which becomes more crucial as huge amounts of sensitive personal data are increasingly generated across the continent, especially with the proliferation of mobile banking. In response to these developments, African intergovernmental organizations have developed legal frameworks on personal data protection: the Economic Community of West African States (ECOWAS) has adopted a Supplementary Data Protection Act, while the African Union (AU) has adopted a Convention on Cyber Security and Personal Data Protection. However, while other aspects of data protection law are more or less addressed in these instruments, relatively very little focus is put on managing and safeguarding personal data security.

This paper, in an attempt to present a critique of the state of affairs as regards personal data security regulation and online trustworthiness in Africa, strives to show that the above African instruments do not provide a satisfactory response to current personal data security challenges Africa faces. Both instruments can hardly be said to ensure a trustworthy environment for data sharing, as they lack essential pre-breach and post-breach regulation mechanisms, including breach reporting, liability for mismanagement of personal data and available remedies for affected data subjects. The paper concludes by recommending that these deficiencies be addressed in additional protocols to these instruments or in relevant future texts.


Personal data protection Personal data security Africa African Union ECOWAS 



This research is funded by the Erasmus Mundus program LAST-JD (Joint International Ph.D. in Law, Science and Technology) coordinated by the University of Bologna.


  1. 1.
    Adesoji, A.: Mobile technology, social media and 180 million people. J. Bus. Adm. Manag. Sci. 6, 82–85 (2017)Google Scholar
  2. 2.
    Kayisire, D., Wei, J.: ICT adoption and usage in Africa: towards an efficiency assessment. Inf. Technol. Dev. 22(4), 630–653, 641 (2016)Google Scholar
  3. 3.
    Harris, A., Goodman, S., Traynor, P.: Privacy and security concerns associated with mobile money applications in Africa. Wash. J. Law Technol. Arts 8, 245–246 (2012)Google Scholar
  4. 4.
    Tchouassi, G.: Can mobile phones really work to extend banking services to the unbanked? Empirical lessons from selected Sub-Saharan Africa Countries. Int. J. Dev. Soc. 1(2), 70–81 (2012)Google Scholar
  5. 5.
    GSMA: The Mobile Economy Report 2013, p. 3. A.T. Kearney, London, United Kingdom (2013)Google Scholar
  6. 6.
    Ericson Mobility Report, June 2017. Accessed 26 June 2019
  7. 7.
    Madakam, S., Ramaswamy, R., Tripathi, S.: Internet of Things (IoT): a literature review. J. Comput. Commun. 3(05), 164 (2015)CrossRefGoogle Scholar
  8. 8.
    Emiliani, P.L., Stephanidis, C.: Universal access to ambient intelligence environments: opportunities and challenges for people with disabilities. IBM Syst. J. 44(3), 605–619 (2005)CrossRefGoogle Scholar
  9. 9.
    Orji, U.J.: The African union convention on cybersecurity: a regional response towards cyber stability. Masaryk UJL Technol. 12, 91 (2018)Google Scholar
  10. 10.
    Orji, U.J.: Multilateral legal responses to cyber security in Africa: any hope for effective international cooperation? In: 2015 7th International Conference on Cyber Conflict: Architectures in Cyberspace (CyCon), pp. 105–118. IEEE (2015)Google Scholar
  11. 11.
    Goodman, S., Harris, A.: The coming African tsunami of information insecurity. Commun. ACM 53(12), 24–27 (2010)CrossRefGoogle Scholar
  12. 12.
    Fuster, G.: The Emergence of Personal Data Protection as a Fundamental Right of the EU, vol. 16. Springer, Cham (2014). Scholar
  13. 13.
    Lynskey, O.: The Foundations of EU Data Protection Law. Oxford University Press, Oxford (2015)Google Scholar
  14. 14.
    Rich, C.: Privacy laws in Africa and the Middle East. The Bureau of National Affairs, editor. Privacy and security law report. BNA, Bloomberg (2015)Google Scholar
  15. 15.
    Schwartz, P.M., Solove, D.J.: The PII problem: privacy and a new concept of personally identifiable information. NYUL Rev. 86, 1814 (2011)Google Scholar
  16. 16.
    Purtova, N.: The law of everything. Broad concept of personal data and future of EU data protection law. Law Innov. Technol. 10(1), 40–81 (2018)CrossRefGoogle Scholar
  17. 17.
    Hustinx, P.: EU data protection law: the review of directive 95/46/EC and the proposed general data protection regulation. Collected courses of the European University Institute’s Academy of European Law, 24th Session on European Union Law, pp. 1–12 (2013)Google Scholar
  18. 18.
    Solove, D.J.: The new vulnerability: data security and personal information. In: Chander, A., Gelman, L., Radin, M.J. (eds.) Securing Privacy in the Internet Age. Stanford University Press, Palo Alto (2008)Google Scholar
  19. 19.
    De Hert, P., Gutwirth, S.: Data protection in the case law of Strasbourg and Luxemburg: constitutionalisation in action. In: Gutwirth, S., Poullet, Y., De Hert, P., de Terwangne, C., Nouwt, S. (eds.) Reinventing Data Protection?, pp. 3–44. Springer, Dordrecht (2009). Scholar
  20. 20.
    Mantelero, A.: The future of consumer data protection in the EU Re-thinking the “notice and consent” paradigm in the new era of predictive analytics. Comput. Law Secur. Rev. 30(6), 643–660 (2014)CrossRefGoogle Scholar
  21. 21.
    Soeder, M.O.: Privacy challenges and approaches to the consent dilemma. Masters thesis. SSRN 3442612 (2019)Google Scholar
  22. 22.
    Whitman, M., Mattord, H.: Principles of Information Security. Thompson Course Technology, Boston (2009)Google Scholar
  23. 23.
    Gady, F.: Africa’s cyber WMD. Foreign Policy, 24 March 2010Google Scholar
  24. 24.
    Dalton, W., van Vuuren, J.J., Westcott, J.: Building cybersecurity resilience in Africa. In: 12th International Conference on Cyber Warfare and Security 2017 Proceedings, pp. 112–120. Academic Conferences and Publishing International Limited, Reading (2017)Google Scholar
  25. 25.
    Makulilo, A.B.: The Context of Data Privacy in Africa. In: Makulilo, A.B. (ed.) African Data Privacy Laws. LGTS, vol. 33, pp. 3–23. Springer, Cham (2016). (citing Westin’s Privacy and Freedom (1967)CrossRefGoogle Scholar
  26. 26.
    Makulilo, A.: Privacy and data protection in Africa: a state of the art. Int. Data Priv. Law 2(3), 163–178 (2012)CrossRefGoogle Scholar
  27. 27.
    Kamwangamalu, N.M.: Ubuntu in South Africa: a sociolinguistic perspective to a pan-African concept. Crit. Arts 13(2), 24–41 (1999)CrossRefGoogle Scholar
  28. 28.
    Olinger, H.N., Britz, J.J., Olivier, M.S.: Western privacy and/or Ubuntu? Some critical comments on the influences in the forthcoming data privacy bill in South Africa. Int. Inf. Libr. Rev. 39(1), 31–43 (2007)CrossRefGoogle Scholar
  29. 29.
    Bakibinga, E.M.: Managing electronic privacy in the telecommunications sub-sector: the Ugandan perspective. In: Africa Electronic Privacy and Public Voice Symposium (2004)Google Scholar
  30. 30.
    Makulilo, A.B.: A person is a person through other persons-a critical analysis of privacy and culture in Africa. Beijing L. Rev. 7, 192 (2016)CrossRefGoogle Scholar
  31. 31.
    Rich, C.: Privacy laws in Africa and the Near East. The Bureau of National Affairs, editor. Privacy and security law report. BNA, Bloomberg, September 2017Google Scholar
  32. 32.
    Rich, C.: Privacy laws in Africa and the Middle East. The Bureau of National Affairs, editor. Privacy and security law report. BNA, Bloomberg, June 2015Google Scholar
  33. 33.
    Adejumobi, S.: Engendering accountable governance in Africa. In: International Institute for Democracy and Electoral Assistance (IDEA) and Development Policy Management Forum (DPMF) Regional Conference on “Democracy, Poverty and Social Exclusion”: Is Democracy the Missing Link (2000)Google Scholar
  34. 34.
    Abdulrauf, L.A., Fombad, C.M.: The African Union’s data protection convention 2014: a possible cause for celebration of human rights in Africa? J. Media Law 8(1), 67–97 (2016)CrossRefGoogle Scholar
  35. 35.
    Banisar, D.: Linking ICTs, the right to privacy, freedom of expression and access to information. East Afr. J. Peace Hum. Rights 16(1) (2010)Google Scholar
  36. 36.
    Sutherland, E.: Digital privacy in Africa: cybersecurity, data protection & surveillance. LINK Centre (2018)Google Scholar
  37. 37.
    Makulilo, A.B.: Myth and reality of harmonisation of data privacy policies in Africa. Comput. Law Secur. Rev. 31(1), 78–89 (2015)CrossRefGoogle Scholar
  38. 38.
    Hustinx, P.: The role of data protection authorities. In: Gutwirth, S., Poullet, Y., De Hert, P., de Terwangne, C., Nouwt, S. (eds.) Reinventing Data Protection?, pp. 131–137. Springer, Dordrecht (2009). Scholar
  39. 39.
    Stevens, G.M.: Data security breach notification laws. Congressional Research Service (2012)Google Scholar
  40. 40.
    Esayas, S.: Breach notification requirements under the European Union legal framework: convergence, conflicts, and complexity in compliance. John Marshall J. Inf. Technol. Priv. Law 31, 317–368 (2014)Google Scholar
  41. 41.
    Schwartz, P., Janger, E.: Notification of data security breaches. Mich. Law Rev. 105, 913 (2006)Google Scholar
  42. 42.
    Boillat, P., Kjaerum, M.: Handbook on European Data Protection Law, p. 77. Publications Office of the European Union, Luxembourg (2014)Google Scholar
  43. 43.
    See for example Paragraph 44, EU Article 29 Working Party. The future of privacy, WP 168. Accessed 1 December 2009
  44. 44.
    Cunningham, M.: Privacy in the age of the hacker: balancing global privacy and data security Law. George Wash. Int. Law Rev. 44, 643 (2012)Google Scholar
  45. 45.
    Weber, R.H.: Internet of things: privacy issues revisited. Comput. Law Secur. Rev. 31(5), 618–627 (2015)CrossRefGoogle Scholar
  46. 46.
    Europa, Privacy Enhancing Technologies (PETs), 2 May 2007. Accessed 24 Feb 2019
  47. 47.
    Gellert, R.: We have always managed risks in data protection law: understanding the similarities and differences between the rights-based and the risk-based approaches to data protection. Eur. Data Prot. L. Rev. 2, 481 (2016)CrossRefGoogle Scholar
  48. 48.
    Rodrigues, R., Wright, D., Wadhwa, K.: Developing a privacy seal scheme (that works). Int. Data Priv. Law 3(2), 100–116 (2013)CrossRefGoogle Scholar
  49. 49.
    Rodrigues, R., Barnard-Wills, D., De Hert, P., Papakonstantinou, V.: The future of privacy certification in Europe: an exploration of options under article 42 of the GDPR. Int. Rev. Law Comput. Technol. 30(3), 248–270 (2016)CrossRefGoogle Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2020

Authors and Affiliations

  1. 1.LAST-JD Program, CIRSFIDUniversity of BolognaTurinItaly

Personalised recommendations