4.1 Introduction

Data protection refers to strategies and processes that are applied to secure the privacy, availability and integrity of data use and production.Footnote 1 On the other hand, data governance is defined by the Data Governance InstituteFootnote 2 as the ‘system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.’ Additionally, within the context of data protection and data governance, digital rights are ingrained in the production and utilization of data through digital gadgets. With increased use of digital space to generate data, protection of the rights of the user is vital when formulating the legal framework.

Data protection reportedly surfaced in Europe in 1970 when the German Federal State of Hesse (Mayer-Schonberger, 1997) enacted its data protection law, which was followed by the Swedish national Data Act in 1973 (Oman, 2010). In Africa, the Republic of Cape Verde led the way in 2001 when it enacted the first data protection law in Africa. The Cape Verdean Data Protection Act was passed on the 22nd day of January 2001, to create a legal framework for protection of personal data in the country (Makulilo, 2012).

Unlike in Europe where member states transposed the provisions of the regional international instruments into their various municipal legislation on data protection, Cape Verde heavily relied on Portuguese Data Protection Law, which itself transposed the EU Data Protection Directive 95/46/EC (Wong, 2012)Footnote 3 before it was replaced by the EU General Data Protection Regulation (GDPR) (Traca & Embry, 2011). Between 2001 and 2014 when the first and only pan-African international treaty on data protection was adopted in Equatorial Guinea,Footnote 4 fourteen African countriesFootnote 5 had already enacted their respective data protection laws without the benefit of drawing legislative inspiration from the convention as most of the laws were modelled after European data protection legal framework (Greenleaf & Coltier, 2018; Schwartz, 2019; Mercer, 2020; Scott & Cerulus, 2018).

In the age of digitalization, legal frameworks for data protection are inevitable for Africa. More businesses and governments are conducting meetings, transactions and data storage online. The African Union has envisioned a digital single market (DSM), with legislation on it started in Tunisia and Senegal to support the business environment. Other policy frameworks such as the Declaration of Principles on Freedom of Expression and Access to Information in Africa and the Declarations on Internet Governance are a basis for the protection of digital rights and privacy of citizens. However, digital rights are still being violated in terms of Internet shutdowns and social media taxation (Boakye, 2021).

As these data protection legal frameworks are being adopted across Africa and the globe, the increased data produced and utilized in the digital space cannot be ignored. The digital rights of the producers and users are imperative for effective data use for socio-economic and political growth in Africa.

In a descriptive approach, this paper examines the major international instruments regulating data protection in Africa by briefly chronicling the events that culminated in their adoption vis-à-vis their aims and objectives. The paper also analyses the salient provisions of the instruments in the light of their applicability and the extent to which they have sharpened data protection compliance on the continent. This paper then analyses the nexus between data protection and data governance in Africa within the context of the regional instruments, and it then concludes with the necessity of a legal framework for data protection in relation to data governance in Africa, with some recommendations that could be adopted to either develop new or strengthen the existing data protection frameworks, especially in relation to data governance.

This paper, in a descriptive and normative manner, poses and analyses a number of questions thus:

  1.1 What are the laws or quasi-legal guidelines (legal framework) that regulate or support data protection in Africa?

  1.2 How does this legal framework measure up to international standards?

  1.3 How enforced or enforceable is the framework on the continent?

  1.4 In what manner does this framework influence or ought to influence data governance in Africa?

  1.5 What are the incentives for data protection and data governance on the continent?

4.2 Legal Framework on Data Protection in Africa

Unlike what is obtainable in the European Union (EU) where the General Data Protection Regulation (GDPR) provides some sort of formidable harmonization of the erstwhile irregular data protection laws across the union, its African counterpart does not have a pan-African legislation that is immediately enforceable across board without domestication. This is not however to say that Africa does not have an existing legal framework on data protection; let us just say the elephant in the room remains the institutional capacity and political will to enforce the available instruments. Hereunder, the paper discusses the extant legal framework for data protection on the continent.

4.2.1 African Union Convention on Cyber Security and Personal Data Protection 2014 (Malabo Convention)

Conversations around regulation of the cyberspace effectively began in the late nineties when the committee of the United Nations General Assembly contemplated an instrument on ‘disarmament and international security’ whose deliberations were spearheaded by a draft resolution introduced by Russia in 1998 (Kavanagh, 2017). Upon Russia’s proposal, the United Nations subsequently constituted a Group of Government Experts (GGE) engaged in the developments in the field of information and telecommunications in the context of international security.Footnote 6

In one of its reports (UN General Assembly, 2021), the GGE notes that: ‘The use of ICTs in future conflicts between states is becoming more likely, the risk of harmful ICT attacks against critical infrastructure is both real and serious and states are rightfully concerned about the danger of destabilizing misperceptions, the potential and economy deriving from the difficulty of attributing the source of an ICT incident’ (Tikk & Schia, 2020). However, the UN’s activities around cybersecurity did not spur many African countries into the anticipated regulation of the data protection as only eleven member statesFootnote 7 instituted frameworks on data protection as of 2011 (Ball, 2017).

In 2011, the AU took a bold step towards regulating data protection when it published a draft AU Convention on Establishment of a Credible Legal Framework for Cybersecurity in AfricaFootnote 8 which sought to, among other objectives, harmonize the laws of member states on data protection and sundry matters (Orji, 2012). In 2013, the draft was however reviewed and renamed the African Union Convention on the Confidence and Security in Cyberspace,Footnote 9 but it was also reviewed and went through another name change that culminated in the AU Convention on Cybersecurity and Personal Data Protection in 2014, which was preceded by a conference of experts from AU member states’ ministry of justice where the content of the convention was thoroughly considered (Abdulrauf & Fombad, 2016).

Ultimately, on the 27th day of June 2014, during the 23rd ordinary session of the AU Summit in Malabo, Equatorial Guinea, the draft Convention on Cybersecurity and Personal Data ProtectionFootnote 10 was adopted by the heads of state to establish a credible framework for cybersecurity in Africa through ‘protection of personal data etc.’Footnote 11

The Malabo Convention has a total of 38 articles, preceded by a 20-paragraph preamble. The Convention seeks to encourage member states to create frameworks and mechanisms to protect personal data and fundamental rights as well as to ease the free flow of data within the continent. The first article defines essential data protection terms like consent, data controller, data subject, direct marketing, encryption, health data, personal data processing, recipient, sensitive data, third party and so forth but surprisingly omits the definitions of equally important concepts like pseudonymization, data processor, data breach, data protection authority or supervisory authority, cross-border processing and so forth. While one may argue that the omission of such terms does not superficially appear far-reaching, the convention is meant to be a compass for data protection laws on the continent as gleaned from its Articles 8(1) and (2) which seek to establish a framework for protection of ‘physical’ data and a mechanism to ensure data processing guarantees the protection of fundamental rights. Yet even this falls short of the status of a legislative model in such material respect. Hence, it is desirable that the Convention is supplemented by relevant instruments to comprehensively define the omitted regular and fundamental data protection clauses, otherwise its enforcement may engender unimaginable conceptual confusion.

The convention applies to automated or non-automated processingFootnote 12 of personal data within the territory of a member state.Footnote 13 Like the GDPR, the Convention does not provide a definition or description of what constitutes ‘automated’ or non-automated processing, but the European law defines ‘profiling’ (Wiedemann, 2018). Automated processing has however been defined as ‘a processing operation that is performed without any human intervention; conversely, non-automated processing is such that it is performed partly or wholly with human intervention’.Footnote 14 Profiling and automated decision-making within the African context are increasing in the banking sector, especially with the rising development of FinTechs and proliferation of automated teller machines (ATMs); however, there exists no pan-African legislation on this.

The convention requires member states to establish independent national authorities assigned with the statutory responsibility of ensuring that personal data within their respective territories are processed in accordance with the provisions of the convention while keeping faith with the universal role of Data Protection Authorities (DPAs) (Giugiu & Larsen, 2016). The Convention expects the respective national DPAs to educate the public on their data protection rights within their respective territoriesFootnote 15 while its membership is insulated from government influence, thereby underpinning their independence and impartiality (Greenleaf, 2012). As of June 2021, out of the 30 countries with proper data protection laws in Africa, only 20 have data protection authorities (DPAs),Footnote 16 while others are either yet to establish one or constitute its members. The Convention makes provisions for the duties and powers of the DPAs to include informing the public of their rights, issuing opinions, receiving and resolving complaints, data processing audit, imposing administrative sanctions, maintaining a data processing directory, regulating transborder transfer, establishing cooperation mechanisms with other national DPAs,Footnote 17 authorizing certain processing activities,Footnote 18 such as data involving genetic information, information on offences, national identification number, biometric data, historical and statistical data and so forth.

In what appears to be a renaming and rearrangement of the universally recognized principles of data protection, the Convention groups consent together with legitimate processing,Footnote 19 separate from the principle of lawfulness and fairness; it then fuses purpose with storage limitation,Footnote 20 accuracy and transparency as a stand-alone principle while confidentiality is grouped with security of personal data.Footnote 21 In all, the convention recognizes six re-designated principles, none of which contemplates the principle of data minimization or accountability as recognized under European law, even though it provides for a specific principle in the event of processing sensitive personal data.Footnote 22 The consequence of such regrouping and muddling of principles would not only be evident in enforcing the clustered concept; it is also potentially capable of confusing data controllers on their obligations thereunder.

The Convention, like most other data protection laws, recognizes data subject’s right to information, right to access, right to object, rectification or erasure, but it again omits right to lodge complaint with regulator, right to data portability, restriction of further processes and so forth.Footnote 23 It also mandates data controllers to ensure confidentiality and security of personal data in their custody.Footnote 24

Although the Convention was adopted in 2014, it is yet to enter into force because Article 36 makes it enforceable only thirty days after its ratification by the fifteenth member state. As of the 20th day of June 2021, only Angola, Ghana, Guinea, Mozambique, Mauritius, Namibia, Rwanda, Senegal and Zambia have ratified the Convention.Footnote 25 In spite of its limitation, Abdulrauf (2021) however argues in favour of the Convention’s perceived expansive provision and authoritative stance, especially as far as they influence subsequent data protection legislation on the continent.

Though the AU Malabo Convention sought to enhance data protection in both physical and digital data collection, use and storage, there are no articles which stipulate how to enhance digital rights in the utilization and production of data online. There is evidence of digital rights violations in Africa in terms of online users’ arrests and intimidation, Internet blocking and the introduction of counterproductive laws and regulations that undermine the use of technology and data generated to drive growth in Africa (CIPESA, 2019). The legal framework does not cover the sale and utilization of the data by third parties. This has seen infringement on privacy and sometimes adversely affects livelihoods of those affected. Furthermore, the issue of cybercrime is a matter of concern as more countries do private and government businesses online (Interpol, 2021).

4.2.2 Supplementary Act on Personal Data Protection Within the ECOWAS (ECOWAS ACT)

The Economic Community of West African States (ECOWAS) was established for the promotion of regional cooperation among member states especially for economic growth, among other objectives (Terwase et al., 2015). Its consequent ECOWAS Treaty mandates the harmonization and coordination of national policies and promotion of integration programmes in science, technology, legal matters and so forth (Ashiru, 2021).Footnote 26

On the 16th day of February 2010, twelve heads of government within the ECOWAS gathered in Abuja, Nigeria, and adopted the Supplementary Act A/SA.1/01/10 on personal data protection within ECOWASFootnote 27 (the Act) which predominantly seeks to regulate data protection within the member states.

The Act defines data protection terms like consent, data protection authority, personal data, sensitive data, health data, data subject, data controller, data processor, third party and recipientFootnote 28 but omits important terminologies like processing, profiling, pseudonymization, anonymization, personal data breach, cross border and so forth. The consequence of the omission may however come into play when the Act is invoked to settle issues relating to transborder processing of data, especially before the regional courts, when faced with questions of conflict of laws and decision on lead national DPA and so forth (Estadella-Yuste, 1991). The Act applies to processing of personal data by public or private bodies by automated or non-automated means carried out within the ECOWAS, with exceptions.Footnote 29

The Act mandates each member state to establish its own independent national DPA with parameters guaranteeing their impartiality and professional secrecyFootnote 30 and highlights the responsibilities of DPAs, their secrecy and powers to impose sanctions on erring parties.Footnote 31 In its own version of seven data protection principles, the Act states that processing is legitimate where it is done with data subject’s consent but gives exception where the requirement of consent can be dispensed with.Footnote 32

The second principle of legality and fairness requires processing to be done in a legal, fair and non-fraudulent manner.Footnote 33 In what appears a bifurcation of some sort, the Act separates consent, which is a ground of lawful processing, from the principle of legality and fairness, which is fused under the EU principle of lawfulness, fairness and transparency (Kosta, 2013). As its third principle, the Act fuses purpose limitation, data minimization, storage limitation into one principle styled ‘principle of purpose, relevance and preservation’Footnote 34 which requires data to be obtained for specific purpose, kept adequate and not kept beyond the required period. The principle also imports an element of the lawfulness principle.Footnote 35 Other principles are accuracy, purpose relevance and preservation, transparency, confidentiality and security and choice of data processor.Footnote 36

Taking a cue from the European model on transborder transfer of data to third countries, the Act restricts transfer of personal data outside the ECOWAS sub-region to only countries where there is an adequate level of protection (Wagner, 2018)Footnote 37 for fundamental rights and freedoms. Although the Act does not provide elaborate mechanisms for regulating such transfers, it simply mandates data controllers to inform DPAs before the transfers.Footnote 38 On data subject’s rights, the Act recognizes right to be informed,Footnote 39 right to access,Footnote 40 right to objectFootnote 41 and right to rectification and destruction.Footnote 42 Again, the Act omits vital data subject’s rights like the right to restriction of further processing, right to data portability, right in relation to automated decision-making and so forth. The Act substantially concludes on the obligations of data controller to be confidentiality, security, preservation and durability,Footnote 43 which however appear similar to data protection principles in their objectives.

4.2.3 Southern African Development Community (SADC) Model Law on Data Protection

In 2009, the imperativeness of creating a harmonized and uniform set of policies for the information communication technology industry for the sub-Saharan countries in the group of African, Caribbean and Pacific states necessitated the enactment and adoption of the Southern African Development Community (SADC) Model Law on Data ProtectionFootnote 44 which was adopted in 2013. Like many data protection laws, the Model Law defines terminologies such as consent, data controller, processor, data subject, genetic data, child personal data, processing, protection authority, recipient, sensitive data, third party and transborder flow. The law however does not define anonymization, pseudonymization, profiling, personal data breach, data subject access request and so forth.

From the wording of Article 2, it appears that the scope of the law is not limited to the SADC sub-region as it only refers to ‘given country’ or ‘territory’—terms which are not even defined therein. Even from the preamble, it does appear that the Model Law is not restricted to any region especially as contained in the concluding paragraph that:

It is with the above in mind that it is acknowledged that the protection of personal data involves the establishment of a specific and adapted regime to the participants of each region as set out in this Model Law.

It is however worthy of note that, in spite of its pan-African scope, the Model Law is a soft law without a legally binding effect on member states, but like the OECD Guidelines in Europe, it only provides a guide to member states on the approach to law-making on the data protection as well as an attempt at harmonizing the laws in the region (Shumba, 2015; Makulilo & Mophethe, 2016).Footnote 45

The Law envisages the establishment of an independent regulator for member states to be constituted by judges appointed by the executive and non-governmental organizations with competent and requisite knowledge of data protection and the benefit of immunity.Footnote 46 Unlike other regional instruments in Africa, the Model Law provides the most comprehensive provisions on the nature, independence, duties and powers of national DPAs, but it unfortunately contemplates that the DPA reports to an undefined institution instead of the parliamentFootnote 47 and thereby erodes its independence (Greenleaf, 2012). The Model Law recognizes the principle of data quality, lawfulness and purpose limitation, and it makes copious provisions on processing of sensitive and non-sensitive data, children’s data and data relating to litigation,Footnote 48 but it omits principles like data minimization, storage limitation, accuracy, accountability, integrity and confidentiality and so forth. The Law outlines the duties of controllers in cases where personal data are collected directly from data subjects and otherwise, duty to ensure data security and accountability for third parties that access data through them, data breach or incident notification.Footnote 49

The law recognizes the following data subject’s rights: access, objection, automated decision-making, right of representation and right to judicial redress.Footnote 50 Under the law, members of DPAs are meant to take an oath of secrecyFootnote 51 as they are empowered to impose fines on controllers for violation as well as to prosecute offenders in the law court.Footnote 52 The law subjects cross-border transfer of data to the relevant provisions of the national law adopted for the implementation of the Model Law, and this appears as the only provision that is fixated on member states of the SADC as it requires an adequate level of protection before personal data can be transferred to non-member states.Footnote 53 Although the law references adequacy level, unlike the EU GDPR, it does not provide the parameters for determination of such level of protection (Wagner, 2018).

Despite the laudable provisions of the Model Law, it merely serves as an advisory framework for the enactment of national laws as opposed to a legally binding instrument that can be ratified.Footnote 54

4.2.4 East African Community (EAC) Legal Framework for Cyberlaws 2008

In its strides to deepen East Africa’s regional integration via digital interconnectivity for the seamless provision of services, the East African Community constituted a Task Force which recommended a legal framework for cyberlawsFootnote 55 with the main objective of developing policies facilitating cooperation between member states (Mwiburi, 2019).

The Framework defines ‘data protection’ as the obligations assigned to entities processing personal data. It also recognizes that a data protection regime ought to guarantee certain data subjects’ rights.Footnote 56 Thereunder, data controllers are duty-bound to comply with muddled principles of accountability, transparency, fairness, lawfulness, data accuracy, data security and processing limitation.Footnote 57 The Framework omits data minimization, purpose limitation and accountability but suggests a self-regulatory system to minimize the cost associated with the conventional compliance enforcement approach.Footnote 58

Without prejudice to the Legal Framework’s progressive but brief provisions on data protection, they are mere guides for member states and are not legally binding on them until they transpose the provisions into their respective national laws (Greenleaf & Georges, 2014). It is worthy of note that the legal framework remotely or otherwise influenced the data protection legislation in Kenya, Uganda and Rwanda which passed the legislation afterwards.

4.3 Interplay Between Data Governance and Data Protection in Africa

Data governance (DG) is the ‘exercise of authority and control over the management of data’ (Abraham et al., 2019). It also entails the trust reposed in data and its accountability for any adverse result occasioned by its poor quality. The whole gamut of data governance as a concept speaks to the data processing principle of accountability (Weber et al., 2009). Otto et al. (2007) define the concept as a ‘companywide framework for assigning decision related rights and duties to be able to adequately handle data as a company asset’. It is the ‘formal orchestration of people, process and technology to enable an organization to leverage data as an enterprise asset’ (Zornes, 2006).

DG is concerned with the apportionment of responsibilities and liabilities among the various players in a data management system with respect to the decision-makers’ rights and accountability over an entity’s data assets. While data governance principally relates to collection and management of data that ensures effective and efficient use for the overall productivity of an entity (Cheong & Chang, 2007), data protection, on the other hand, safeguards the collected personal dataFootnote 59 from misuse, compromise and/or corruption within the confines of certain principles. It is instructive that data governance is not restricted to personal data, but data protection in this context only protects the personal data managed alongside the big data (Elgendy & Elraga, 2014)Footnote 60 under the data governance framework. Hence, certain principles of data processing significantly impact data governance as far as personal data handled by the legal entity is concerned.Footnote 61 Unlike in Europe where the principles of data processing are uniformly provided by the GDPR (Bygrave, 2014), in Africa, the only readily binding and enforceable regional instrument is the ECOWAS Supplementary Act on Data Protection (Greenleaf & Coltier, 2020); the AU Convention on Cybersecurity is not yet in force as its commencement provision has not been activated since fewer than 15 members have signed it.Footnote 62

Notwithstanding its comatose state, the Convention provides for the principles of accuracy and storage limitation,Footnote 63 but it does not expressly provide for accountability.Footnote 64 However, this principle is an offshoot of the transparency principle (Alhadeff et al., 2021), hence since the convention provides for the latter, accountability can be discussed thereunder in relation to data governance. Since the Malabo Convention is pan-African in its coverage, I will discuss some of its principles which interplay with data governance in Africa albeit in its current unenforceable predicament.

4.3.1 Accuracy Principle

Accuracy is one of the components of data quality (Cong et al., 2017). The principle of accuracy entails the accuracy, completeness and consistency of data, and it goes without saying that organizations require the highest quality of data for them to function optimally (Joshi, 2020). In an entity’s use of (personal) data, privacy issues like transparency, security and compromise of (personal data) are always thrown up and sometimes the relevant questions are left unanswered. Bair notes that data quality is defined by ‘data type and domain, completeness, uniqueness, and referential integrity, consistency across all data bases, freshness and timeliness and business rules conformance’ (Bair, 2004).

On the relationship between the principle of accuracy and data governance, Cohn argues that ‘data governance is a catalyst for quality and value is derived from well governed quality data. Relevant, timely, consistent, reliable and accurate data is an expectation, and it is not achieved serendipitously’ (Cohn, 2015). In data protection parlance, the principle of data quality (Hoeren, 2018) requires personal data to be effective, fit, relevant and all-embracing for its intended purpose of processing.Footnote 65 The principle stipulates that, when organizations collect data for decision-making, they must ensure that such personal information is not only utilized in a manner that is relevant to the purpose of collection, but it must also be accurate, wholesome and regularly updated. This will ensure that personal information used for critical organizational decisions is accurate to prevent undue violation of fundamental rights and freedoms of data subjects (Bygrave, 2002).

Under this principle, organizations (private and public) are duty-bound to ensure the accuracy of information they keep and the opinions that they express regarding data subjects, especially when decisions affecting the latter are made (Hallinan & Borbesius, 2020). It mandates data controllers to take reasonable steps to ascertain aptitude of personal information processed within the context of their organizational activities. As a representation of this principle, Article 13, Principle 3 of the Malabo Convention mandates data collection to be adequate, relevant and not excessive in relation to the purposes for which they were collected.Footnote 66 Ultimately, legal entities must set up mechanisms to ensure the validity and quality of personal data in their custody by imbibing a business culture of periodic updates and timely deletion of the outdated or irrelevant ones.

4.3.2 Storage Limitation

Storage of data is one of the main components of data governance. Sometimes, they are stored indefinitely in unregulated and unguarded databases for the controllers’ whimsical analyses and/or utility, oftentimes without the consent of data subjects (Pike, 2020).Footnote 67 The passage of data protection legislation in Europe, for example, threw many organizations into panic mode, especially when auditing the legal bases for collecting and/or storing online visitors’ data through their digital platforms without necessarily fixing the mechanisms for obtaining informed consent (Francesco et al., 2021). On the other hand, while businesses are not precluded from storing customers’ personal data, such storage must be within the confines of the applicable data protection laws and its exceptions (Duceto, 2020). For example, data processing for research purposes constitutes one of the exceptions to the principle of storage limitation, since data can be kept for longer than necessary, especially for verification of research results (Pormeister, 2017).

The indiscriminate and indefinite storage of customers and other data subjects’ personal data by organizations poses unimaginable privacy risks attributable to unregulated and, most times, insufficient and inadequate technical and organization security measures (if any) by data controllers (Biega & Finick, 2021). Essentially, personal data must not be kept in a form that identifies data subjects for longer than is justifiable by law. Where personal data are no longer needed or have become irrelevant or out of date, data controllers can either outrightly delete, anonymize or pseudonymize them in certain cases (Mourby et al., 2018).

Under the AU Malabo Convention, storage limitation is however not a principle but an obligation on the data controllers. Article 22 emphatically prohibits personal data from being kept for longer than necessary for its purpose of collection, but the provision lacks exceptions or parameters for the applicable retention period. The principle interplays with data subject’s right to be forgotten or deletion or erasure of personal data which is no longer relevant or up to date. Without prejudice to the circumstances surrounding an organization’s collection of personal data, this principle still operates to prevent them from keeping and/or storing the data for a longer period than reasonably necessary. Hence, once data have been used for the purpose of collection, it behoves the organization to immediately delete or anonymize such personal data to reduce the risk of violating the principles of data minimization and accuracy when they become irrelevant, surplus to requirement, inaccurate or outdated. There are no specific retention periods in the regional instruments; however, resort should be had to the relevant national laws on data retention limits, but ultimately a formidable data governance policy ought to be devised to plug the legislative gaps in this regard.

Legislative and stakeholders’ engagement for data governance however becomes very important when it is considered that out of 55 African countries, at least 49 have enacted (or are about to enact) laws or regulations requiring prospective subscribers to provide personal data as conditions to own telephone lines (Donovan & Martyin, 2013), but sadly, only about 19 of those countries have established Data Protection AuthoritiesFootnote 68 to enforce compliance with relevant data protection laws.

4.3.3 Accountability

This principle originated from the OECD GuidelinesFootnote 69 of 1980 and was repeated in the revised version of 2013. The principle primarily requires legal entities to acknowledge and assume liability for their operations on personal data in the course of their organizational activities. Data controllers have the bounden duty of demonstrating adequate technical and organizational measures to secure data in compliance with the relevant data protection legislation for the ultimate protection of data subjects’ rights (de Hert et al., 2012). In compliance with this principle, legal entities are obliged to document the observance of their obligations under the relevant data protection legislation (Becker, 2019).

Accountability is not expressly provided under the Malabo Convention, but the principle is closely linked to the principle of transparency, and it has been regarded as a privacy- and data protection-enhancing principle (Guagnin & Leon, 2012; Zimnerman & Cabinakova, 2015). In demonstrating their accountability, organizations must take a hands-on approach to data protection and privacy issues by adopting effective and contemporary measures, which are not only discernible at a glance but transparently demonstrable upon regulatory request or audit (Falk, 2016).

Data controllers must take full responsibility for how they directly or indirectly deal with data and implement appropriate measures and documentation in proof of their compliance with applicable laws (Bennet, 2021). They are responsible and must demonstrate data quality.

4.3.4 Confidentiality and Integrity

This is recognized under Principle 6 of the Malabo Convention. This principle simply mandates organizations processing personal data to employ appropriate organizational and technical measures to protect such personal information from misappropriation, corruption, theft and/or destruction. Confidentiality in this sense speaks to the duty of the organization handling data to ensure that such information is not shared or exposed to unintended persons while keeping it as safe and secret as technically possible.

4.4 Incentives of Legal Framework for Data Protection/Data Governance in Africa

The benefits of data protection to data governance are numerous. However, for the purpose of this paper, I shall briefly discuss the incentives from the rights protection and economic gains for organizations and governments.

4.4.1 Privacy Right Guarantees

Even though the African Charter does not expressly recognize privacy as a fundamental right, it does not rule out Africans’ entitlement to enjoy private family life.Footnote 70 This idea of a privacy entitlement for individuals is what also underpins the notion of data protection. In fact, data protection originated from the right to privacy, hence a proper and formidable legal framework for data protection would not only guarantee certain data subjects’ rights, but it would also ensure considerable control over their personal information and ultimately repose consumers’ trust in the processing activities.

4.4.2 Healthy Democracy

A healthy democratic state is one in which its citizens can make informed and autonomous choices (Forde, 2016). Yet processing data without consideration for the impact it may have on individuals may have the effect of limiting the ability of individuals to make choices or limit the choices available to such individuals in a way that limits their autonomy (Feldman, 1994). This is even more crucial in today’s world of technological reliance where automated processing and digital identities are gradually becoming more significant determinants of an individual’s real-life choices. Data protection laws militate against this. The idea that when consent is relied upon as the legal basis for processing, it must be informed and must not be obtained using coercive tactics echoes these concerns for democratic autonomy. Furthermore, even in instances where data are processed without consent, the notion of data subjects’ rights and the transparency, fairness and accountability obligations grant the much-needed controls individuals need to maintain their ability to make truly free choices. Thus, it is safe to conclude that a world where data protection is respected is one in which the seeds of corporate or governmental totalitarianism cannot flourish.

4.4.3 Economic Gains from Free Flow of Data

The concept of free flow is not merely one where there are no legal barriers to cross-jurisdictional data transfers. Instead, it entails that where these legal barriers exist, they do not impose data localization requirements. Data localization requirements have the direct effect of raising the costs for doing business across jurisdictions. Particularly for data-driven businesses such as cloud service providers, these costs have the added effects of posing significant barriers for entry into new markets within the continent. This disincentivizes the creation of such businesses and creates an environment that limits the growth of African start-ups and SMEs. Furthermore, the free flow of personal data would ease information dissemination and beneficial collaboration of businesses and corporate entities within the region. However, these benefits extend to collaboration opportunities outside the region. The European Data Protection framework is setting the global trend for technological collaborations across the world. Implementing and initiating an African data protection framework may create an opportunity for the recognition of African countries as having an adequate level of data protection. This has the potential to facilitate more cross-border collaboration and even non-data-driven businesses looking to partner with African businesses in a capacity.

4.5 Conclusion

Data governance predominantly speaks to the management of data for organizational growth. Experience has shown that the management of big data would always involve the handling of personal data, hence the activation of data protection principles.

Africa currently has only one binding regional instrument—ECOWAS Supplementary Act on Data Protection—among other international instruments with provisions on various principles that persuasively impart data governance on the continent. Out of 55 African countries, only 30 have fully dedicated data protection laws and 19 of them have established DPAs to enforce compliance with the laws; hence, it is crystal clear that data governance on the continent remains largely unsupported by legislative and enforcement framework.

With the magnitude of personal data exchanged, stored or transmitted within the data governance system in Africa, an appropriate and formidable data protection legal framework becomes essential to guarantee users control over their personal information, on the one hand, and to regulate the data controllers’ processing/management of such information against misuse, compromise, theft or other untoward dealings with personal data, on the other hand.

For a properly regulated data governance, it is hoped that African countries would evenly ratify the Malabo Convention and strengthen their respective municipal data protection legal frameworks to complement public and private organizational management of personal data not only within their respective territories but also across the continent.

The transborder cooperation of national DPAs envisaged by the regional treaties ought to be encouraged and strengthened to boost enforcement of regional and municipal data protection laws with the aim of enhancing trans-border flow of data and international data governance within the confines of uniform cross-border data protection rules.