Is The AfCFTA a Catalyst for Uniformity of Data Protection Laws in Africa?

Data protection laws ensure the privacy and integrity of people by assuring that personal information is not misused, exploited, or mishandled when being processed. It involves the proper handling of data and the rights of individuals to have control over their personal data and how it is handled, processed, collected, or shared. Having adequate data protection laws and enforcing them is relevant for organizations to gain or increase their consumers’ trust as individuals become increasingly concerned with how their personal information is handled. On this point, the United Nations Conference on Trade and Development (“UNCTAD”) noted in 2016 that “insufficient protection can create negative effects by reducing consumer confidence.”

Most countries, both members of the Organisation for Economic Co-operation and Development (“OECD”) and non-members, have enacted data protection laws and have been enforcing them for decades. In most countries, failure to comply with data protection laws can have serious consequences, ranging from an economic penalty to criminal prosecution. However, in Africa, only twenty-eight out of fifty-four countries have passed data protection laws, with nine additional countries having varying degrees of draft legislation, according to the statistics held by UNCTAD. This may represent a challenge in reducing trade barriers among State Parties to the African Continental Free Trade Agreement (“AfCFTA”), as consumers in one State Party may not feel confident conducting transactions in another State Party if their personal data is not effectively protected.

With the AfCFTA, other African States may develop data protection laws to remove any restraint on trading with other State Parties under the AfCFTA. However, unlike other free trade agreements in other regions, such as the EU General Data Protection Regulation (“GDPR”) or the US-Mexico-Canada Agreement (“USMCA”), it is unfortunate that the AfCFTA failed to provide any regulation on data protection or a set of principles that such laws should follow to be AfCFTA compliant. Section 15(c)(ii) of the Protocol on Trade in Services of AfCFTA only allows State Parties to adopt measures necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of such Protocol, but does not provide any principles or guidelines on what these laws should cover.

Considering such regulatory silence in AfCFTA, the State Parties could use the data protection laws of other State Parties as a basis to draft and implement their own data protection regulations. The uniformity of data protection laws guarantees that all African countries uphold the same high standards of care and integrity when processing and disseminating personal information. For example, the State Parties could use the Protection of Personal Information Act 4 of 2013 (“POPIA”) in South Africa, which only became fully operational in July 2020. POPIA provides a set of data protection principles following global standards that most countries that wish to develop data protection laws would be advised to follow. Its key aspects include:

  • Rights of data subjects: The person to whom the personal information relates has various rights, including being notified, requesting access, and objecting to processing, amongst others.
  • Legal basis for processing: The principles and conditions that must be followed to process personal information lawfully. Some requirements include accountability, openness, security safeguards, information quality, and other prohibitions and limitations. 
  • Data breach notification: The Regulator and the relevant data subject must be notified when personal information has been accessed or acquired by an unauthorized person. How the notification must be made is also further explained. 
  • Data protection impact assessment: Determines whether an instance of processing of personal information complies with the provisions of POPIA.
  • Appointment of data protection officer: The powers, duties, and functions of the Regulator include monitoring and enforcing compliance, consulting with interested parties, handling complaints, conducting research, and reporting to Parliament, amongst others.
  • Remedies, enforcement, and sanctions: Remedies include a civil claim for damages. Penalties include a fine or imprisonment where a person is convicted of an offense in terms of POPIA. The procedure to be followed when laying a complaint regarding interference with personal information is also explained. 

The POPIA regulates the processing of personal information by public or private bodies. ‘Personal information’ has a broad definition. It is information including, but not limited to:

  1. Information relating to identity;
  2. Information relating to education, medical, financial, criminal, or employment history;
  3. Information relating to personal contact details;
  4. Biometric information;
  5. Information relating to personal opinions, views, or preferences, including others’ opinions or views of the individual;
  6. Private or confidential correspondence; and
  7. A person’s name where it is included with other personal information or where the name itself would reveal information about the person.

‘Processing’ such information includes everything from the creation to the destruction of the information. This means the collection, storage, use, distribution, transmission, merging, and erasure of personal information.

Section 72 of POPIA regulates transborder information flows. In general, cross-border data transfers are prohibited. However, there are circumstances in which personal information may be transferred to a third party in a foreign country, such as:

  1. Where the third party is subject to a law or other binding agreement which provides an adequate level of protection that is substantially similar to the conditions for the lawful processing of personal information and includes provisions similar to section 72 regarding the further transfer of data across borders.
  2. Where the data subject consents to the transfer.
  3. Where the transfer is necessary for executing a contract between the data subject and the other party that holds such personal information.
  4. Where the transfer is necessary for the conclusion or execution of a contract in the data subject’s interest.
  5. Where the transfer is for the benefit of the data subject, and it is not possible to obtain such person’s consent, but if it were possible, the data subject would consent. 

The exception to the prohibition of cross-border data transfers relating to the conclusion and execution of a contract is essential for the trade of goods and services. The condition is that the shared personal information must be handled with care and dignity. From the enactment of such a provision, it is clear that international and cross-border transactions were considered. This demonstrates the importance of uniformity of data protection laws amongst African countries to promote economic participation and strengthen intra-state relationships.

Since the POPIA was drafted following the principles of the GDPR, its provisions are comprehensive yet broad. It covers all aspects of data protection while leaving room for a broad interpretation of these provisions to exclude any point that may prove relevant. The POPIA is internationally compliant, which eases the ability to conclude cross-border transactions and acts as a contributing factor to making South Africa an international role player. Therefore, the POPIA may be a good reference point for African countries looking to update existing or enact new data protection laws. 

Although the provisions of the AfCFTA are silent regarding the full scope of data protection rules that the State Parties should abide by, the enactment of this free trade agreement may be a nudge in the right direction. Either more comprehensive data protection provisions are yet to be included in the AfCFTA, or it is the responsibility of the African State Parties to turn to one another and unify their data protection laws independent of the AfCFTA. Regardless of which path is to be followed, unity of data protection laws amongst African countries is necessary to enable the free trade of goods and services under the AfCFTA and comply with international standards of data protection. 

Centurion Law Group

Centurion Law Group is a leading pan-African legal and energy advisory group covering a full suite of practice areas. Included in Centurion’s industry expertise is the Technology, Media, and Telecommunications field. One of Centurion’s core practice groups is Data Protection and Privacy. Centurion is at the forefront of understanding the AfCFTA and its legal implications.

Get in touch with the Centurion team should you require any legal assistance or advice. 

Authors: Andres Vega Sanchez, International Associate; Caitlin Naidoo, Junior Legal Advisor