5.1 Introduction

Fast-paced technological advancements have made it difficult for legal scholars, policymakers, and legislators to stay abreast of all the considerations and important policy debates that are necessary to ensure that the law is not outpaced and eventually invalidated by technology. The COVID-19 pandemic period (2020–2022) showed that it is possible for the world to move to a partially or fully digitised ecosystem. It has already been said that several global corporations are contemplating whether reverting to the old way of working in the post-pandemic period would make sense given how efficiently the world has been able to adapt, collaborate and produce results in a digital ecosystem. At the centre of it all has been the need to move data from device to device, from one location to another and from one person to the next. This creates a legal conundrum for those tasked with legislating and policymaking, who must formulate sound policies and legislative instruments that ensure that such data can move freely, lawfully and without impeding any personal or commercial interests in a safe digital environment that is protected against cyberattacks.

Data can be defined as pieces of information that can either be qualitative or quantitative (OECD, 2021). Such information can be abstract or about one or more persons. Data can also be defined as a collection of facts such as words, numbers or observations or a way of describing things. The term “data” is not to be confused or used interchangeably with the term “information”. This is because data is a collection of facts that are unstructured and unorganised whereas information relates to how one understands those unorganised facts contextually (Diffen, 2021). Because of the nature of the digital ecosystem, that is heavily reliant on decentralisation, data has been coined as the “new frontier for economy” after gold (Manzo, 2019). This is principally because data is the means through which devices communicate with one another and the main asset on which markets, research, governments and corporate companies rely daily. Given the decentralisation of modes of communication and the flood in web connectivity, a lot of data is exchanged amongst users of the internet and may include information ranging from personal details of people to anything in between of a non-personal nature. As more data becomes available and accessible, the practice of data analytics becomes increasingly important. Data analytics is a process that uses advanced analytic techniques such as predictive analysis, statistical analysis and data mining on sets of data to discover new facts, to predict future events or behaviours or to explain past phenomena that previously had no logical explanations (Russom, 2013). Such analytic techniques have the potential to impact a number of economic sectors across the African continent positively mostly by equipping various stakeholders with information that they previously did not have and from a wealth of resources that were previously blocked by legislation or as a result of geographical barriers.

Currently, debates around data regulation hinge on whether the data in question is personal or non-personal because of the starting premise that, from a regulatory approach, personal and non-personal data should not be subjected to the same scrutiny. Personal data can be defined as any information which is related to an identified or identifiable natural person.Footnote 1 This means that a data subject is identifiable if it is possible to directly/indirectly identify the subject through identifiers such as name, identification number, location data, physical, genetic data, cultural data, etc.Footnote 2 Practically, this can also include all data which are or can be assigned to a person such as the telephone, credit card or personal numbers of a person. The opposite, and therefore the definition of non-personal data, is electronic data that does not contain any information that can be used to identify a natural person. Examples include data that is non-personal to begin with, for example, weather data and stock prices, or it can be data that was previously personal in nature but has become anonymised (void of all personal data) (Indian Express, 2020). As has been stated, the rate at which technology is advancing makes it increasingly difficult to keep up with how best to regulate data. The African continent has seemed to be more concerned with the protection of personal data of its citizens. It is estimated that approximately 24 of Africa’s 55 countries have enacted or embraced some form of regulation, with the chief aim of protecting personal data, while there are currently about 4 draft laws (Alt Advisory, 2023). This has largely been attributed to the enactment of the European General Data Protection Regulation (GDPR)Footnote 3 which was adopted in 2016 and is very influential due to its regulation of cross-border data flows, which has impacted a number of countries’ data protection models globally (Daniel, 2021).
However, most innovation-driven countries have realised the value in formulating regulatory regimes that protect personal data, while ensuring, at the same time, that non-personal data can be extracted from personal data so that innovation is fostered. In other words, in addition to the value of naturally non-personal data, there is also value in data that was locked away in data sets that have personally identifiable information.

As data regulatory frameworks take root in Africa alongside a robust digital space that enables the production and consumption of data, the importance of digital rights cannot be overstated. Digital rights encompass online privacy, freedom of expression, and access to the internet without arbitrary shutdowns and costly internet prices (Hutt, 2015). A big part of upholding digital rights entails being able to use digital spaces without social, political or economic hindrances and without becoming a victim of criminal activity through cybercrime. Cybercrime is a concern in Africa (Interpol, 2021). Incidences of cybercrime include online scams, digital extortion, business email compromise, ransomware and botnets. A lack of standards and protocols to mitigate cybercrime is prevalent in Africa, where approximately 570 million people were online as at 2022 (Statista, 2023).

In view of the above, this paper will seek to address the following issues. Firstly, it will interrogate the manner in which data (both personal and non-personal) has been dealt with by the EU as a yardstick, with the aim of imagining how a harmonised data regulation system that encompasses both personal and non-personal data would look either on a continental scale or on a regional scale within Africa. Emphasis will be placed on determining how legal instruments guide or mandate the identification of non-personal data. This is because, in addition to the already existing efforts to protect personal data, it is necessary to regulate how non-personal data is used to ensure that both personal and non-personal data are able to move freely across the continent and across the globe underpinned by sound regulation and policies. Such free movement is necessary to reap the potential economic benefits and may aid in realising Africa’s development agenda and the sustainable development goals (SDGs). With the central theme being that of the free movement of data, the paper will then delve deeper into aspects such as the use of and liberalisation of open data policies (the notion that specific data should be freely available for use and reuse, especially public sector information). The paper will then discuss, in addition to the potential legal conundrums that come with the liberalisation of data and its movement, the cybersecurity concerns that come with such a regulatory regime. This would be done by considering how the Malabo Convention protects personal data as well as Regional Economic Communities (RECs) and individual approaches by AU member states to cybersecurity.

5.2 Defining Personal Data

Demarcating what falls within the boundaries of personal data has befuddled scholars for a while. While obvious data such as names, ID numbers etc. are unmistakably personal data, the EU’s definition of personal data in Article 4.1 of the GDPR defines personal data as any information which is related to an identified or identifiable natural person. Since the definition includes “any information”, one must assume that the term “personal data” should be as broadly interpreted as possible. It is for this reason that the bounds of what data is personal or not are constantly being debated.

In the Breyer case,Footnote 4 the Court of Justice of the European Union (CJEU), in attempting to define what “personal data” is, held that any piece of information that, when additional information is sought from a third party, is able to identify a data subject shall constitute personal data (Bird & Bird, 2019). As such, if one were to apply the principles of Breyer practically, data which initially presented itself as non-personal data may eventually fall within the ambit of the GDPR’s definition of personal data. As that is the case, failing to account for non-personal data may mean that it is subjected to the same restrictions as personal data or other data localisation requirements.

In addition to the blurred lines on what constitutes personal data, data localisation requirements also pose a threat to radical economic transformation on the African continent on the back of the data revolution. Data localisation requirements are typically restrictions on the flow of data from one country to another. For example, it may be required by law that all processing of data relating to a certain country’s citizens be carried out using servers located within such a country’s borders, thus making it illegal to process such data anywhere but within that territory (Bird & Bird, 2019). Such restrictions raise the cost of doing business across borders, and in a digital ecosystem the threat to efficiency is real. Further, they stifle the access of businesses and public sector bodies to cheaper and more innovative services or force companies operating in multiple countries to contract excess data storage and processing capabilities.Footnote 5 For start-ups and SMEs, this constitutes a serious obstacle to growth, to entering new markets and to the development of new products and services. The EU has adopted a regulatory framework for the free flow of non-personal data in the EU (European Union, 2018), which lists data generated by artificial intelligence, the Internet of Things and machine learning as potential sources of non-personal data, along with a few very specific examples.Footnote 6

5.3 Current African States’ Approaches and Significance for the African Continental Free Trade Area (AfCFTA)

The African Union (AU) in 2014 adopted the Convention on Cyber Security and Personal Data Protection at the Twenty-third Ordinary Session of the Assembly, held in Malabo, Equatorial Guinea (known as the Malabo Convention), which has only recently come into force (May 2023) following the last necessary ratification by Mauritania. This convention much like the GDPR focuses on personal data and cybersecurity. At the time of writing, October 2021, the AU Commission has also formulated the Africa Data Policy Framework, which is informed, in part, by the Malabo Convention (African Union, 2022). Several regional economic communities (RECs) have also adopted regulatory instruments which will be summarised in Sect. 5.4. Outside of this concerted effort, very little has been done in terms of a collective continental/regional legislative instrument on data protection with most countries opting to attempt protection individually.

As the continent moves to realise the promises of the AfCFTA, it will be important to have a measure of harmonisation in regulatory frameworks so that inter-Africa trade is enhanced. Businesses and individual entrepreneurs trading in different countries across Africa would benefit if they had some assurance that similar principles of data protection and data governance models are aligned across the continent. E-commerce and digital trade grew exponentially during the last two years due to restrictions on physical interactions between persons to curb the spread of the COVID-19 pandemic. The AU is spearheading the growth of digital trade through the Digital Transformation Strategy for Africa 2020–2030 (African Union, 2020a) and in this context, an e-commerce protocol is being negotiated under the AfCFTA Agreement (African Union, 2020b). It is envisaged that the AfCFTA and the Digital Transformation Strategy for Africa will catapult Africa’s digital economy (Chaytor, 2020). As elaborated in Sect. 5.3, the free movement of data is a core element of promoting inter-Africa trade, and cross-border data flows bring significant benefits. Beyond the AfCFTA e-commerce protocol negotiations, there is global momentum on similar negotiations. Specifically, the World Trade Organization (WTO) began negotiations on trade-related aspects of e-commerce in January 2019 and these are continuing (WTO, 2021). The development of common African approaches will therefore be instrumental in shaping the global WTO agenda.

5.4 The European Union’s Approach to Data

The EU has been at the fore of establishing a comprehensive regulatory framework on data of both a personal and non-personal nature. Since 2014, the European Commission has developed a number of directives and laws to facilitate the development of a data-agile economy. Examples include the Regulation on the free flow of non-personal data, the Open Data Directive, the GDPRFootnote 7 and the Cybersecurity Act (European Union, 2018, 2019). The recently adopted EU Data StrategyFootnote 8 takes an interdisciplinary approach to regulation of the data economy. The strategy is chiefly rooted in the need to expand the responsible use, demand and development of digital products and services within the European Single Market for the period 2020 to 2025 and is backed by the intention to make the EU a leader in a data-driven society. Creating a single market for data will therefore allow it to flow freely within the EU and across sectors for the benefit of businesses, researchers and public administrations.

As has been stated before, the GDPR principally applies to the processing of personal data.Footnote 9 This extends to both an identified person as well as an identifiable natural person.Footnote 10 If this is applied practically, it therefore means that the GDPR and, by extension, data protection do not apply to anonymous information or information which does not relate to an identified or identifiable natural person. The same can be said for personal data which has been so diluted or encrypted that it is rendered anonymous because the data subject is no longer identifiable. It is against this background that the EU adopted the Regulation on a framework for the free flow of non-personal data in the EU,Footnote 11 also known as the FFD Regulation. The regulation makes it clear that it “applies to the processing of electronic data other than personal.”Footnote 12

The formulation of this regulation was rooted in the realisation that the expanding Internet of Things (IoT), artificial intelligence and machine learning, which are major sources of non-personal data, continuously presented legal problems for legislators and the courts alike because there was no precedent on how to deal with such data. In a competitive environment where practices such as data analytics may establish a competitive advantage, non-personal data such as real-time traffic avoidance navigation has the potential to save corporations up to 730 million hours in transit time and up to €20 billion in labour costs, among many other examples.Footnote 13

Having realised the value and utility of non-personal data, the FFD regulation seeks to ensure four main objectives.

  • The free movement of non-personal data across borders within the EU. In the same breath, it seeks to ensure that any interested organisation, which has the capacity and means to do so, should be able to store and process data anywhere in the EU.

  • The availability of data for regulatory control. In this sense, it aims to ensure that public authorities retain access to data, even when it is located in another EU country, or when it is stored or processed in the cloud.

  • The ability to effectively and easily switch between cloud service providers for professional users. The Commission has started facilitating self-regulation in this area, encouraging providers to develop codes of conduct regarding the conditions under which users can move data between cloud service providers and back into their own IT environments.

  • Full consistency and synergies with the cybersecurity package, and clarification that any security requirements that already apply to businesses storing and processing data will continue to do so when they store or process data across borders in the EU or in the cloud.

The GDPR already provides for the free movement of personal data within the EUFootnote 14 subject to compliance with/the provision of certain guarantees.Footnote 15 In this way, an amalgamation of all laws connected to data regulation in the EU ensures that there is a comprehensive and coherent approach to the free movement of all data in the EU.

5.4.1 Lessons from the EU Approach

The key lessons to be taken from the European approach are that firstly, the EU has realised the fact that various kinds of data exist, and it is not only personal data that is of value or worthy of protection/regulation. Secondly, that data is not valuable when it is stagnant. Rather, any value to be derived from data only emerges when data is allowed to flow/move freely across the EU. Thirdly, the EU’s approach to data regulation takes the form of a multi-faceted approach. In addition to having adopted a data strategy which serves as a guide against which all legislative efforts must aspire to effectuate, there was the realisation that to achieve the goals of the strategy, different legislation would have to be enacted albeit with the same goal in mind. Because there are so many aspects to regulating data and technology is constantly evolving, not only does the multi-faceted approach give more legal clarity and certainty on different regulatory issues, but it also makes it easier to amend and develop distinct parts of the law without disrupting ancillary legislative pieces. The effectiveness of this strategy, although still unfolding, has thus far yielded positive results and admiration from the rest of the world as evidenced by how many countries have “borrowed” various provisions from the different EU laws for implementation within their domestic and regional regulatory efforts.

5.5 African Regulatory Approaches to the Liberalisation of Data and Its Movement

5.5.1 The Free Movement of Data

The advent of the internet presented the world with a means to send copious amounts of data to almost any part of the world with minimal cost. In fact, it can be said that sending data across borders costs no more than sending data within the same borders. The COVID-19 pandemic has highlighted just how important data flows are for the global economy. Data flows have been shown to have influence in areas such as healthcare (contact tracing/medical research/vaccine production), business/ecommerce (online shopping, streaming services, virtual meetings/conferences) as well as socially (family video calls, online concerts). The extent to which these fields have been influenced (positively) is an indicator that in future, data flows will only continue to rise as more countries and sectors embrace digital transformation. It has already been determined that between 2007 and 2017, global data flows multiplied more than 20-fold, and it was anticipated that by 2022, the situation as of 2017 would have quadrupled (World Bank, 2021).

Within the African context, international and regional frameworks that facilitate cross-border data flows will be essential for the facilitation of a common market and, by extension, the realisation of continental developmental goals such as the African Continental Free Trade Area (AfCFTA) (World Bank, 2020) and the African Union’s Agenda 2063 (Africa Union, 2015). While some countries allow data to freely flow in and out of their borders, many others have enacted legislative frameworks that speak to the protection of personal data and which contain, in most instances, data localisation clauses. Generally, data localisation laws require that data (mostly personal) about a nation’s citizens or residents be collected, processed and stored within the borders of the country (Bowman, 2017). Where a request is made that such data is transferred internationally, several approvals and a lot of bureaucracy must be observed. Data localisation laws are often necessitated by concerns relating to data security. Such laws aim to ensure, through surveillance and other supervisory methods, that where data must be exchanged, such data is lawfully obtained (through freely given consent), that the data is being used/exchanged for a specific purpose and that the data is not being used for unauthorised activity such as profiling or surveillance by governments or any other third parties without consent (unless otherwise required under the law) (World Bank, 2019). While it is understood that it is essential for digital transactions to be supported by formidable regulatory frameworks in privacy, security and consumer protection, such frameworks can impede the cross-border transfer and use of data by imposing substantial effort and costs on businesses, especially micro, small and medium enterprises (MSMEs), thereby deterring international exchanges (World Bank, 2021).

In today’s digital and physical economies, the freedom to move data of both a personal and non-personal nature without restriction between countries generates positive outcomes for organisations, individuals and countries.

5.5.2 Benefits of Cross-Data Flows

Benefits of cross-data flows are discussed with a focus on individuals, countries and organisations.

5.5.3 Benefits for Individuals

For individuals, the reach and influence of the internet has already enabled their seamless interaction with people and organisations from all across the world. In the same breath, individuals have also been exposed to goods and services from foreign markets that are available online and may be delivered in short periods of time where such products are physical (GSMA, 2018). As has been mentioned before, the practice of data analytics has enabled organisations to cater for more geographic markets, giving those customers access to a wider range of goods and services based on their interests, wants and needs, which further improves competition in the markets and overall customer satisfaction. Additionally, cross-data flows also enable individuals to carry out remote work from wherever they are in the world. The surge in remote work has come to be known as the “human cloud”. The human cloud is defined as a budding set of online or digital marketplaces for labour where competent professionals and those looking to hire professionals can locate and engage one another in employment/work arrangements (Staffing Industry, 2017). By the end of 2018, spending on the human cloud was estimated to generate around $82 billion globally, a figure that was expected to grow exponentially. The facilitation of cross-border flows will not only allow the host country the opportunity to export talent, but also the chance to reduce unemployment rates and generate foreign currency.

5.5.4 Benefits to the Country

Free cross-border flows have enabled more national businesses and consumers to enter the digital commerce sphere, thereby encouraging the endorsement of data-driven business strategies and stimulating the national economy (GSMA, 2021). Public-sector bodies and government departments also benefit from cross-border data flows allowing them to deliver better quality public services at a lower cost and pursue public policy objectives that might not otherwise be achievable.

5.5.5 Benefits to Organisations

The free movement of personal data delivers social and economic benefits much faster than the alternative, which would require businesses to actively construct their back-offices and to streamline their processes and storage functions to serve multiple individual markets.Footnote 16 Countries that adopt regulatory regimes that support the free international transfer of data allow small, specialised organisations to establish an internet presence that is simultaneously national and international.Footnote 17 In this way, it is possible to have services successfully adopted in one national market, then expanded to other markets, bringing rapid benefits for second and subsequent countries.Footnote 18

A key advantage of the internet is that it allows any organisation, no matter how small, to use the internet to market and deliver its ideas, goods and services, wherever data is allowed to flow. In this sense, if there are restrictions on the movement of data, organisations would not be able to provide information and products in response to individuals’ requests.Footnote 19 Multinational organisations are also able to become more efficient by centralising and virtualising their internal operations. Examples of improved efficiency include the cost-effective expansion of business by utilising flexible, cloud-based infrastructure and specialist application service providers and minimising investment in additional IT equipment.Footnote 20

The COVID-19 pandemic’s unseen benefit, amid all the negatives, is that more and more international businesses have seen the importance of adopting data-driven digital transformation strategies to secure their future. Such strategies tend to depend on being able to collect, analyse, process and store data across multi-country operations. The practice of data analytics becomes even more amplified as organisations seek to generate new insights into their customers and the performance of their operations and products.Footnote 21

5.6 Data Localisation Laws in Africa

This section gives an overview of some African states’ data localisation laws. In view of the position expressed in Sect. 5.5.1 of this paper, that data localisation laws do not support the free flow of data, the enactment and implementation of these laws, for example through hefty fines for using remote data storage, has detrimental effects. However, each state is entitled to enact and implement its domestic laws. The contribution of this paper is that in legislative and policy making processes, African states ought to consider the impact of data localisation on data flows.

5.6.1 Cote-d’Ivoire

In 2013, the Ivory Coast/Cote-d’Ivoire enacted privacy laws which required firms to get pre-approval from the regulator before processing personal data outside of the Economic Community of West African States (ECOWAS).

5.6.2 Ghana

In 2019, Ghana enacted the Ghana Payment Systems Bill & Guidelines, which, among other things, set out the requirements to obtain a payment systems operator license, which pertain to local ownership and the appointment of Ghanaian directors. Prior to this, in July 2018, Ghana issued draft regulation that required all domestic transactions to be processed by the Ghana Interbank Payment and Settlement Systems Limited (GhiPPS, which is wholly owned by the Central Bank of Ghana).

5.6.3 Kenya

Kenya’s 2019 Data Protection Act does not contain the explicit data localisation provisions which appeared in earlier drafts of the law. However, it still includes restrictive provisions governing personal data which require explicit consent for transfers of “sensitive personal data”Footnote 22 and that data controllers ensure and provide proof that personal data transferred abroad receives the same protection as if stored within the borders of Kenya.Footnote 23 Regulations implementing these provisions are still being developed.

Proposed Measures (2021): Following the enactment of the 2019 Data Protection Act, Kenya has released three draft data protection regulations to aid in the implementation of the Data Protection Act.Footnote 24 These are the Data Protection (General) Regulations (ODPC, 2021), the Data Protection (Registration of Data Controllers and Data Processors) Regulations and the Data Protection (Compliance and Enforcement) Regulations. Under the proposed measures, the General Regulations require that where data processing is done for the purpose of producing a public good, the processing should be carried out through a server and data centre located within Kenya’s bordersFootnote 25 and that at least one serving copy of the personal data should be stored in a data centre located in Kenya.Footnote 26 The regulations also include provisions on the cross-border transfer of personal data. Under the General Regulations, it is required that before transferring personal data outside of Kenya, the recipient ought to know they are bound by legally enforceable obligations to ensure the same level of protection to the transferred personal data as that provided for under the Data Protection Act in Kenya and the General RegulationsFootnote 27; that the data subject is informed of the safeguards and the implications and risks involved in the cross-border transferFootnote 28; that the data subject has consented to the transfer of their data to that recipientFootnote 29; that the transferring entity has taken reasonable steps to ensure that transferred personal data is not used for any unintended purposesFootnote 30; and that the data subject’s rights are safeguarded.Footnote 31 The General Regulations also provide that cross-border transfers of data may be allowed without restrictions where the transfer is “necessary” as provided under Section 48(c) of the Data Protection ActFootnote 32; where the requirements arbitrarily or unjustifiably discriminate against any personFootnote 33; where the requirements impose a restriction on tradeFootnote 34; and where the restrictions on transfers of personal data are greater than are required to achieve the objectives of the Data Protection Act.Footnote 35 The General Regulations also prescribe the terms that are to be contained in cross-border transfer agreements between transferring entities and the recipients of personal data, albeit without prescribing the template model standard clauses as is seen in the European Union.Footnote 36

5.6.4 Nigeria

In 2015, Nigeria enacted broad data localisation requirements as part of the Guidelines for the Nigerian Content Development in ICT (NITDA, 2019). In the guidelines, it is required that all telecommunication companies interested in hosting subscriber and consumer data within Nigeria, should host such data within the country and in line with existing legislation.Footnote 37 The same applies to Networking Service CompaniesFootnote 38 and Data and Information Management Companies.Footnote 39

In 2011, the Central Bank of Nigeria also introduced a local storage and processing requirement for entities engaging in point of sale (POS) card services (Central Bank of Nigeria, 2011). Under guideline 4.4.8, all domestic transactions including but not limited to POS and ATM transactions in Nigeria must be switched using the services of a local switch and shall not under any circumstance be routed outside Nigeria for switching between Nigerian Issuers and Acquirers.Footnote 40

5.6.5 Rwanda

In 2012, Rwanda enacted a regulation that all critical information data within government should be hosted in their national data centre (MINICT, 2012). In terms of indirect application of data localisation laws, in 2017 Rwanda’s telecommunications regulator fined MTN the sum of US$8.5 million for maintaining Rwandan customer data in Uganda and for running its IT services outside the country in breach of its license (CNBC Africa, 2017). Comments have already been made in the introductory Sect. 5.5.3 on the enactment and implementation of data localisation laws. Further, it could be argued that the imposition of such large fines may chill investment by firms that wish to use remote data storage facilities.

5.6.6 Senegal

In 2021 and in the light of the new Government data centre being built in Senegal, President Macky Sall announced that all government data and applications will be hosted at the centre and repatriated from foreign servers in hopes of strengthening Senegal’s digital sovereignty (Swinhoe, 2021).

5.6.7 South Africa

In 2018, following the realisation that domestic South African banks intended to move more of their transactions to global payment service networks, the South African Reserve Bank suspended the migration of all domestic transaction volumes from Bankserv (South Africa’s bank-owned domestic payment switch) to international payment schemes (Cory & Dascoli, 2021). The suspension was to remain in place until a new policy was developed and enacted. Such a policy has not yet been developed and enacted at the time of writing.

In 2013, South Africa enacted the Protection of Personal Information Act (the POPI Act),Footnote 41 which only came into full force on the 1st of July 2021 and makes the transfer of personal information outside of South Africa subject to certain exceptions. These include the requirement that the recipient of the data be able to offer complementary protection of the data,Footnote 42 that the data subject consents to the data transfer,Footnote 43 that the transfer is necessary for the performance of a contract between the data subject and the responsible partyFootnote 44 or for the conclusion/performance of a contract in the interest of the data subjectFootnote 45 and if the transfer is for the benefit of the data subject.Footnote 46 While these are not explicit localisation laws, there is concern as to how they will be interpreted and enforced, as they could become de facto data localisation tools.

5.6.7.1 Proposed Measures

More recently, South Africa’s “Draft National Policy on Data and Cloud” of 2021 recommends the adoption of data localisation standards and local data processing for all data incidental to “critical information infrastructure”Footnote 47 and data mirroring for personal data.Footnote 48 It also states that all data generated in South Africa shall be the property of South Africa, regardless of the nationality of the firm involved in collecting it.Footnote 49

5.6.8 Egypt

In Egypt, President Abdel Fattah el-Sisi ratified the Personal Data Protection LawFootnote 50 on the 13th of July 2020. The law aims to protect and regulate the collection and processing of personal data of Egypt’s citizens and residents. In relation to data localisation, the law prohibits the transfer or retention of personal data to a foreign country or territory without the permission of the Egyptian Data Protection Centre and unless that country or territory has adequate levels of personal data protection.Footnote 51 Egyptian Minister of Communications and Information Technology, Amr Talaat, was also quoted stating that the data protection law was formulated in support of the Ministry’s efforts to localise the data centre industry and create a safe environment for the circulation of information within the cyberspace (Data Centre Planet, 2020). Egypt also belongs to the Arab Maghreb Union who have so far not attempted to regulate data collectively as a union.

5.6.9 Angola

The Data Protection LawFootnote 52 draws inspiration from provisions found in the EU and Portuguese legal regimes for the protection of personal data. The enforcement authority, known as the Agência de Proteção de Dados (APD), was only created in October 2019 despite the law being created in 2011; and there is presently no significant level of enforcement. The law requires that the APD be notified prior to any international transfers of personal data to countries deemed to have an adequate level of protectionFootnote 53 in addition to specific requirements that must be met such as consent of the data subject.Footnote 54 Angola also belongs to the Economic Community of Central African States (ECCAS) which, in 2016, adopted a model law (with the support of ITU and EU). However, because ECCAS does not have binding community law instruments, only three member states out of ten have adopted a national privacy law (Le Bihan, 2018).

5.7 Open Data Policies/Standards

Open data policies are a new phenomenon in Africa, with a track record of less than ten years of implementation. The push for open data is largely driven by civil societies to enhance citizenry engagement with government’s service delivery (Mutuku & Tinto, 2019). Most of the open data in Africa is anchored by the government’s information system. There are more than 20 countries, regional and international organisations that initiate open data drives specifically for Africa. In SSA, governments have adopted the Open Government Partnership (OGP) and the implementation of the African Peer Review Mechanism by AU members, which has strengthened the creation of open data initiatives.

Open standards/policies for data can also be particularly useful tools that make it easier for individuals and organisations to access, use, publish and share better quality data while simultaneously addressing cybersecurity concerns. Open standards for data are reusable agreements that necessitate the access, use, publication and the sharing of better-quality data (Open Data Institute, 2018). Open data standards can also be defined as sets of specifications or requirements for how specific sets of data should be made publicly available (Data Standards, 2017).

They are particularly helpful because:

  1. They increase interoperability: Data interoperability is a feature of datasets where data can be easily retrieved, processed, re-used and re-packaged (“operated”) by other systems with little to no effort.Footnote 55

  2. They improve comparability of data: Because open data standards enable easy access to datasets, they make it easier to compare data from different sources and to draw more concrete conclusions by drawing from a pool of like data sets.

  3. They enable aggregation: By lowering the barriers to access to data, open standards for data encourage the publication of new data and better-quality data that is structured in a similar way, making it easier to combine them. In the process, the cost and complexity of combining similar data from multiple sources is significantly decreased (Open Data Institute, 2018).

  4. They enable linkability: Open standards make it easy to combine diverse data sets to give useful insights.

5.7.1 Common Uses of Open Standards for Data

As has been stated, open standards are essential in aiding the creation of a strong data ecosystem. Within this ecosystem, there are data assets,Footnote 56 the organisations responsible for the operation and maintenance of the data assets, and guides that set out how to use, store and manage the data.Footnote 57 A strong data infrastructure is critical to fostering business innovation, driving better public services and creating healthy, sustainable communities.Footnote 58

5.7.1.1 To Promote Common Understanding

Many open standards exist today for different purposes and in different sectors. The commonality across all successful open standards is that they focus on tackling specific issues with reusable agreements that support better quality data. Therefore, where there is a need for people and organisations to agree on common guidance, a shared language or common models when solving problems, open standards are ideal.Footnote 59

5.7.1.2 To Support Policy and Legislation

When implementing policies and substantiating legislation adopted or developed by governments and other public bodies, open standards for data can be useful support tools. Establishing standards on how to disclose data, how to automate compliance checks and how to aggregate or report on data can, in the process, produce better quality data and strengthen a data infrastructure.Footnote 60

5.7.1.3 To Fill Gaps in a Data Infrastructure

A strong data infrastructureFootnote 61 is grounded on principles that promote accountability, transparency, business innovation, civil society and public services. Within the infrastructure are data assets, the organisations that operate and maintain them, and the regulations that describe how to use and manage the data.Footnote 62 It is therefore important that a strong data infrastructure is supported by open data standards. The identification of gaps is made easier by lessening the barriers to entry in data pools as well as the participation of more stakeholders.

5.7.2 Benefits of Open Data Standards

The benefits of open data standards can be summarised by the image below (Fig. 5.1).

Fig. 5.1 Benefits of Open Data Standards. Image from data.europa.eu (European Union, 2017). [Figure: a two-level semicircular chart depicting the benefits of open data standards. Performance benefits are improving efficiency and quality of public services. Economic benefits are developing innovative services and creating new business models. Social benefits are transparency and enhanced participation.]

5.7.2.1 Economic Benefits

The economic benefits of Open Data Standards are of greater importance to this discussion. The crux of the benefits presented by open data standards is that standards create new commercial opportunities and ecosystems that encourage competition. First, standards help to deconcentrate authority. Well-established market leaders and authorities are discouraged from using custom and proprietary formats and opt instead to make use of cooperatively produced and shared standards (Open Data Institute, 2018). This effectively levels the playing field for data production and data use, allowing new uses of data and new entries to the market.Footnote 63

Therefore, by effectively reducing barriers to entry and the costs associated with the collection and aggregation of data in a particular sector, standards also allow more organisations to enter the ecosystem to provide more diverse products and services within the data ecosystem.Footnote 64 Examples include translation, conversion, combination, reporting, training, analytics, consumer products, business-to-business services and more. Open standards for data mean that an organisation can focus on providing value at any stage of the data pipeline.

5.7.2.2 Social Benefits

Open data standards encourage multi-stakeholder collaboration. Essentially, developing a standard that is useful to the community and used by stakeholders needs multi-stakeholder collaboration. Multi-stakeholder collaboration connects people and organisations working within a sector. Data publishers are interested in who else publishes data using standards so they can understand how issues were overcome and improve their processes. Data users are interested in connecting with other data users with similar goals or issues. In the process a focus for shared vision may be developed (Open Data Institute, 2018). When people and organisations with a common problem or an unmet need work together to reach an agreement about producing or using better-quality data, the people and organisations involved need a shared vision of the open standard including a common understanding of the problem they are trying to solve and agreement on how they will solve it.Footnote 65

In the process, an open standard for data can aid in coordinating activities to understand the problem or unmet need; agreeing on the current ecosystem, data assets, concepts and language in use; agreeing on the data and models needed to solve the problem or meet the need; pooling resources to work towards clearly defined goals for the standard, leading to mutually reinforcing activities; forming connections across sectors to support the standard’s goals, which can help to build trust, peer learning and peer support; and producing and reusing tools that strengthen a data infrastructure, including supporting data publishers, providing data users with insight and making it easier for developers to create tools and services.Footnote 66

5.7.2.3 Policy Impacts

From a policy perspective, open standards can support implementation of policy. In the past, policymakers requiring organisations to publish data have focused on what data must be published but not on how. This leads to situations where disclosure is widespread but the data is difficult to collate and use. By adopting open standards for data and linking them to policy and regulation, policymakers can make data more usable, provide clear guidance on how to disclose data, and automate compliance checks, data aggregation and reporting. Open standards for data provide clarity to data publishers and the opportunity for stakeholder engagement, and help ensure consistent and comparable results (Ibid).

5.7.2.4 Technological Benefits

The key technological benefit of open data is that standards produce better quality data (McGilvray, 2008). Open standards encourage the development of tools and services to help data publishers produce good quality data, including tools to validate, preview and compare data (Open Data Institute, 2018).

Open standards can advise data publishers how often data should be published. Some standards include ways to share publication schedules, publication dates, location and methods of accessing data. Sharing this information makes it easier to trust published data.Footnote 67

In addition, when data is published consistently, the time, cost and processes involved in using it are reduced. Consistent publication encourages the creation of new tools and services that are designed to take advantage of data that conforms to a standard.Footnote 68

5.7.2.5 Example of Open Data Standards in Use

Probably the most famous open data standard is the General Transit Feed Specification (GTFS), a standard developed by tech giant Google. The GTFS allows public transit agencies to publish their transit data in a format that can be interpreted and used by a variety of software applications.Footnote 69 Because of the interoperability of open data standards, GTFS data can be used by many other third-party software applications for a variety of purposes. Examples include trip planning, timetable creation, mobile data, data visualisation, accessibility, analysis tools for planning and real-time information systems.Footnote 70 Among public transportation data formats, GTFS stands out because it was conceived to meet specific, practical needs in communicating service information to passengers. It is designed to be relatively simple to create and read for both people and machines.Footnote 71 The value of an efficient transport system has real implications for the economy of a country, but because it is so easy to access and share data in this manner, efficiency is amplified even beyond borders.

5.8 Cybersecurity Concerns

The movement of data entails considerable security risks, hence the need for cybersecurity and the protection of both personal and non-personal data. As indicated above, the Malabo Convention is the only current continental legal instrument that focuses on the protection of personal data and cybersecurity. It is relevant to data governance to the extent that it pertains to these two aspects, which are integral to data governance. Indeed, as noted above, the AUC is shepherding the development and formulation of the Africa Data Policy Framework, which is informed, in part, by the Malabo Convention. A well-crafted data governance framework ought to include both aspects because “security and privacy have become one of the crucial concerns related to data storage and usage within organizations” (Yang, 2019). Leading up to the adoption of the Malabo Convention in 2014, several RECs adopted regulatory instruments on privacy and cybersecurity (Ncube, 2016). These are ECOWAS’ Supplementary Act on Personal Data Protection within ECOWAS (2010); the ECOWAS Directive on Fighting Cybercrime (2011); the Common Market for Eastern and Southern Africa (COMESA)’s Model Cybercrime Bill (2011); the Southern African Development Community (SADC)’s Model Law on Data Protection and a Model Law on Computer Crime and Cybercrime (2012). Of these, only the SADC Model covers both privacy and security; however, it is a non-binding instrument, and consequently the Malabo Convention stands out as the only binding instrument regulating both privacy and security. Further, according to its preamble, it “embodies the existing commitments of AU Member States at sub-regional, regional and international levels to build the Information Society”, making it the continental blueprint. Accordingly, this section reprises the Malabo Convention’s provisions on cybersecurity and privacy. As already noted above, this section is succinct, due to the coverage of the same content, in greater detail, by another paper which constitutes part of the project.

5.8.1 Privacy

As indicated above, the Malabo Convention focuses on the protection of personal data (privacy) rather than non-personal data. Its definition provision sets out the following fundamental definitions:

Personal data means any information relating to an identified or identifiable natural person by which this person can be identified, directly or indirectly in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.

Personal data file means all structured package of data accessible in accordance with set criteria, regardless of whether or not such data are centralized, decentralized or distributed functionally or geographically.

Sensitive data means all personal data relating to religious, philosophical, political and trade-union opinions and activities, as well as to sex life or race, health, social measures, legal proceedings and penal or administrative sanctions.

It then turns to the regulation of the processing of personal data which is defined as

any operation or set of operations which is performed upon personal data, whether or not by automatic means such as the collection, recording, organization, storage, adaptation, alteration, retrieval, backup, copy, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination and locking, encryption, erasure or destruction of personal data.

The core of such regulation consists of the basic principles governing the processing of personal data as set out in Article 13. These are:

  • Principle 1: Principle of consent and legitimacy of personal data processing.

  • Principle 2: Principle of lawfulness and fairness of personal data processing.

  • Principle 3: Principle of purpose, relevance and storage of processed personal data.

  • Principle 4: Principle of accuracy of personal data.

  • Principle 5: Principle of transparency of personal data processing.

  • Principle 6: Principle of confidentiality and security of personal data processing.

Their meaning is the same as that of the GDPR’s principles as set out at Sect. 5.2 above. They are supplemented by Article 14 which sets out specific principles for the processing of sensitive data. Another core component of privacy in the Malabo Convention is its Section IV on the Data Subjects’ following rights: Right to information (Article 16); Right of access (Article 17); Right to object (Article 18) and Right of rectification or erasure (Article 19). Personal Data Controllers have the following obligations: Confidentiality obligations (Article 20); Security obligations (Article 21); Storage obligations (Article 22) and Sustainability obligations (Article 23).

5.8.2 Cybersecurity

The Malabo Convention does not contain a definition of cybersecurity, which would have been useful to underpin a significant aspect that it regulates. Yang et al. define cybersecurity as “the practice of protecting computer and network infrastructures, the operating systems, software programmes run on the infrastructures, and all the data stored or transmitted through the infrastructures from digital attacks and any other misuse”. Chap. 3 of the Convention is intended to promote cybersecurity and prevent cybercrime. Article 24 addresses national cybersecurity frameworks, specifically national policies and strategies relating to the Critical Information Infrastructure (CII). The Malabo Convention defines CII as “the cyber infrastructure that is essential to vital services for public safety, economic stability, national security, international stability and for the sustainability and restoration of critical cyberspace.”

Article 25 then proceeds to address legal measures, namely (1) cybercrime national legislation; (2) regulatory authorities; (3) citizens’ rights and (4) protection of critical infrastructure. According to Article 25.1 national cybercrime legislation is required to effectively sanction “criminal offences acts which affect the confidentiality, integrity, availability and survival of information and communication technology systems, the data they process and the underlying network infrastructure”. Data is expressly mentioned here, so it is clear that some national cybersecurity measures in relation to data are mandated. Further, Article 25.2 requires “effective procedural measures to pursue and prosecute offenders.” Article 26 then proceeds to require state parties to establish a national cybersecurity system comprising the necessary institutions, which are appropriately staffed, to oversee implementation of the legal measures through actions including responding to cybersecurity incidents, and coordination and cooperation in forensic investigations and prosecution, amongst others. Such legal measures and their implementation must have due regard to the human rights of citizens.Footnote 72 State parties are also required to establish legislative or regulatory measures to protect priority sectors that are important for national security by, for instance, introducing more severe sanctions for offences in these sectors.Footnote 73

Article 26 provides for some further detail regarding the national cybersecurity system through mandating each state “to promote the culture of cyber security” and suggests measures which may include cybersecurity plans and awareness campaigns. Article 27 proceeds to deal with national cybersecurity monitoring structures which state parties are required to adopt for cybersecurity governance within a national framework. Article 28 provides for international cooperation through harmonisation, encouraging states to offer each other mutual legal assistance and the exchange of information, along with the use of existing means for international cooperation. Article 29 then provides for offences that are specific to ICTs. It requires state parties to create offences relating to attacks on computer systems for instance to gain unauthorised access and data breaches such as the interception or attempted interception of computerised data. There are also provisions relating to content related offences in Article 29 and the adaptation of property offences and sanctions to ICTs in Articles 30–31, but these are not pertinent to the chapter’s area of focus.

The Malabo Convention’s provisions provide a baseline, but more is needed for a robust approach to privacy and security for non-personal data because its privacy provisions are primarily for personal data and its cybersecurity provisions place emphasis on national infrastructure or the CII.

In summary, this section shows that most African states need to create, enhance or strengthen their privacy and cybersecurity frameworks. In view of the aims of both the AfCFTA and the Digital Transformation Strategy for Africa, to facilitate and grow e-commerce and digital trade in Africa, it will be important to align domestic frameworks. This gives a measure of certainty for entrepreneurs trading in multiple jurisdictions. As also indicated above, and reinforced below, the negotiations of the AfCFTA e-commerce protocol will provide a platform to agree on fundamental data governance principles.

5.9 Conclusion

What this paper has managed to expose in part is the fact that one of two things is happening on the continent. On the one hand, concerted continental efforts may be unrolling sluggishly while the data revolution is unfolding at a much faster rate. Because this is the case, progressive nations, in a bid to compete within the data economy, have elected to attempt data governance on their own, thereby producing the present situation of discordant and possibly conflicting data regulation laws. On the other hand, what we may be witnessing is a lack of trust and confidence amongst African states in unified regulatory efforts. In some instances, because the data that is of the highest value is personal, such a lack of trust may be coupled with paranoia and suspicion by mostly individuals. It will therefore be imperative that a trusted data environment grounded in the rule of law; comprehensive institutional arrangements and regulations; and competent institutions responsible for overseeing the use of public and private data is established as soon as possible.

Such an environment can be created through multistakeholder efforts to improve data access and use. This may mean active dialogue between governments, consultations and collaborations with the private sector, and the establishment of Data Protection Authorities (DPAs) competent in the investigation and prosecution of cross border breaches. On top of the inter-governmental dialogue agenda should be the negotiation of mutual assistance agreements that will guarantee similar protection of data in contracting member states and pledges to investigate and prosecute cross-border cybercrimes comprehensively.Footnote 74 This will go a long way in moderating the concerns related to the free movement of data. Also, because the majority of African states are still in a developmental state, with some more advanced than others, capacity-building in relation to data protection, cybersecurity and institutional data governance in relevant agencies should be prioritised and realised through policy and asset allocation. In addition, where institutional arrangements and regulations come about as a result of the consultations and dialogue, these arrangements ought to be established through inclusive, consultative and transparent processes. Accountability and transparency are the answer to most of the concerns that follow the shift to data liberalisation and use.

As argued at Sect. 5.2, it is important to highlight that personal and non-personal data should not be treated the same, hence distinct approaches exist in other parts of the world. Whilst the concerns around the protection and regulation of personal data are legitimate, non-personal data, which has a lot of value within itself, should not be subject to the same scrutiny. In this regard, lessons can be drawn from the approach that the EU has taken in ensuring that the two are distinct (see key lessons outlined at Sect. 2.1).

The current position, as summarised at Sect. 5.3, confirms that most African countries’ attempts at regulating data have overly pre-occupied themselves with personal data, neglecting non-personal data. In the same breath, because personal data is of higher value, it is no surprise that protection laws in this regard may be overbearing. While the current forms of data localisation laws may be thought of as being national governments’ attempts to assert sovereignty over data, a borderless medium, the reality is that as more countries enact updated data protection frameworks, it is highly likely that some policymakers will propose more stringent data localisation laws as they believe that the best way to protect data is to store it within a country’s borders. However, evidence has shown that the security of data does not depend on where it is stored. Instead, by allowing for the free movement of data across international borders, cybersecurity concerns are less likely to materialise. By allowing cloud service providers to draw from data flows from all over, they will be able to establish best practices in cybersecurity. Similarly, while cloud computing does not guarantee security, it will lead to better security because implementing a robust security program requires resources and expertise, which many organisations and African countries lack. But large-scale cloud computing providers are better positioned to offer this protection. In fact, the security of data depends primarily on the logical and physical controls used to protect it, such as strong encryption on devices and perimeter security for data centres. The nationality of whoever owns or controls servers, or the country in which these devices are located, has little to do with how secure they are. Therefore, given the potential benefits that open cross-border flows would bring about, it would be prudent to start aligning policy with the promotion of open cross border data flows. Furthermore, because a comprehensive data regime also makes provision for data sovereignty, data specificity should also be prioritised. Data specificity is used to refer to countries being able to specify what kinds of data can and cannot move freely. Data specificity should be prioritised to avoid unintended restrictions on productive data sharing.

As the AfCFTA and the Digital Transformation Strategy for Africa (2020–2030) seek to increase e-commerce and digital trade in Africa, it is important to consider how supporting the free movement of data across Africa can enhance these efforts. It has been shown that cross border data flows are instrumental and have the potential to greatly influence a new economic resurgence for the continent, as can be drawn from experiences of countries or regional bodies that have adopted a liberal approach to data regulation. Their experience has evidenced that data localisation does not serve the purpose that many think that it does and in actual fact could be thought of as being counterproductive in terms of securing and drawing value from data. Most African countries that have enacted data localisation laws in one way or the other have done so under the justification that the security of data is dependent on where it is stored or collected, which is in fact a fallacy. It has been shown that open policies towards cross-border data flows have generated better security measures and better revenues for the countries that have adopted these systems and the African continent can learn from these experiences now to adequately support the free flow of data. It is also necessary to emphasise the adoption of open standards for data, which will complement cross-border data flows by ensuring that the flows are conducted in a safe and transparent manner and that barriers to accessing the data economy are reduced, thereby encouraging more players to get involved within the data economy. By adopting open data standards and decentralising the power to collect, use and aggregate data, participation in the data economy is encouraged and the chances of illegitimate uses of data are lessened. In the process, Governments are also afforded the opportunity to work on and strengthen their impact in key areas such as policy, technology and development as well as the economy. Such an approach recognises the importance of cybersecurity and supports it within an ecosystem that encourages open data participation.

Ultimately, there is a need to adopt a cohesive legal approach that is unambiguous and offers protection and obligations across the continent while taking cognizance of the value that the liberalisation of data has. Going forward, existing legal instruments should be revisited regularly, where necessary, to eliminate conflicts in law and also to keep abreast of the latest levels of protection and obligations within member states.