The proliferation of technology and the growing digital landscape have led to an unprecedented collection, processing, and sharing of personal data. This has exposed individuals to potential privacy breaches, identity theft, and unauthorised use of their personal information. As a result, a need for robust data protection measures in the African market has become paramount. In the blog post below, we unpack the challenges related to data protection laws on the continent, highlight the most significant risk factors, showcase examples of how some countries are managing the implementation of these laws and regulations, and unpack the importance of having these regulations in place.
Challenges related to data protection laws and regulations across Africa
Digital transformation has accelerated the need for data protection laws and regulations. This is because of the large volumes of data being collected and processed across digital channels. With this comes a need for the protection of this data, which is a challenge in and of itself. One of the biggest challenges related to data protection within the African market is the lack of regulation.
Stephanie Manguele, a lawyer at Thiam & Associés, LEX Africa’s member firm in Guinea Conakry, shares her opinion on this evolving topic below.
Lack of regulation is a common issue with data protection and data privacy across the African continent. Despite the African Union adopting the Malabo Convention in 2014, which aims to strengthen and harmonise national legislation, it has been slow to come into force because only a few countries, including Senegal, Guinea, Togo and Mauritania, have ratified it.
Adherence to the convention is essential to ensure that Africa’s citizens are protected, their rights are effectively guaranteed, and to ensure cooperation between the states.
However, the institutional framework is often outdated, and the laws that have been adopted are not always adapted to the ever-changing digital landscape and the threats related to cybersecurity. For example, Ivory Coast passed binding legislation in 2013, but no controls have been put in place.
While some countries, such as Senegal, stand out in recognising the rights and actions of their citizens, most remain silent, including Guinea and Benin. The strongest regulation is the General Data Protection Regulation (GDPR), which aims to strengthen and unify data protection in the European Union and applies outside the borders of Europe.
Companies face huge consequences and fines for non-compliance with the GDPR and have to carry out frequent audits to ensure they know their level of compliance.
Human error is the biggest risk to data privacy and security
Over and above the lack of regulations and controls over data security, human error remains one of the biggest risks to data protection and privacy. Manguele explains in more detail below.
Company data is a corporate asset that needs to be safeguarded and protected against external threats. When it comes to IT security, the main risk remains human error. That’s why users of a company’s information system need to be made aware of the risks involved in using a database and both the applicable laws and potential malicious acts.
An IT charter should be set out for all employees with the best practices to adopt when using their workstations.
As more African nations adopt stringent data protection measures, they signal to the global business community that they take data protection seriously. This, in turn, fosters trust and facilitates cross-border data flows and foreign investments. Moreover, compliance with international data protection standards opens doors to increased trade opportunities.
Cameroon’s data privacy and protection regulations
As mentioned above, several African countries are slowly starting to understand the importance of data privacy and protection regulations. They are working towards ensuring that these regulations and laws are common practice. One country making headway in this regard is Cameroon. Danielle Moukouri, Managing Partner at D. Moukouri and Partners, the LEX Africa member firm in Cameroon, elaborates on this in more detail below.
Cameroon is working towards introducing data protection regulations. On 30 May 2023, Cameroon issued a draft law and a draft decree that covered all the key issues concerning data protection rights. We are grateful for that innovation in the regulatory landscape and to be counted among the countries in Africa with a published draft law on data protection. We are expecting the adoption of the draft regulation by the end of this year.
Moukouri explains that more than half of the six member states in the Central African economic zone have a published law on data protection. So, having Cameroon on board as a country with a soon-to-be-published regulation is seen as a great move, and we are pleased about it.
In Cameroon, data is sometimes stored in local data centres within the country and sometimes stored in the cloud, in which case the data is actually stored outside the country. As far as electronic communications are concerned, local laws provide that the relevant data must be available in the device/system present on the Cameroonian territory on which it was generated. This data is kept for a specified period of 10 years.
We recently had a brief which involved data stored by financial institutions. We were advising a company involved in international remittance. The law would not be imposed on the international company to have the facilities to store the data locally that it collected inside the country. Instead, the responsibility would be imposed on the bank or financial institution that is the partner of that international actor to have the facility to store the data that the international actor is collecting and to make the data available within a specific duration of time in case of an audit. Even when an international actor generates transactions, the burden of storing the data it has generated in the country will fall on the local actor, in this case, a bank.
On known data breaches, the most commonly established incidences in case law in Cameroon have to do with image rights. This goes back to a landmark case in the 1970s when the image of a lady that was captured in the US during the celebrations of Cameroon’s independence in 1960 was used for promotional purposes in a marketing campaign in Cameroon relating to the selling of alcohol. She discovered on her return to Cameroon that her picture was being used for commercial purposes without her consent, and the court awarded a substantial amount in damages to her.
In another case, a lady discovered her picture was still being used after the contracted period had expired, and in this case, the court agreed that continuing to broadcast this image after the end of the contract without the owner’s consent constitutes an infringement of her image rights.
As the new laws and regulations are implemented, we expect to see more issues related to data protection and privacy come to light.
Data protection as a shield
It is clear that data protection serves as a shield against the onslaught of cybercrime. By implementing stringent protocols for data collection, secure data storage, and sharing, organisations can significantly reduce their vulnerability to cyberattacks.
Ahmore Burger-Smidt, director at Werksmans Attorneys, the LEX Africa member for South Africa, says South Africa is rated as the number one targeted country on the African continent for data breaches. He explains that cybercrime is driving data privacy breaches through electronic infrastructure such as email communication or data that is grabbed from a server. Phishing and ransomware attacks are the two main issues on the continent that stand out from a cybercrime perspective.
Malware attacks often go hand in hand with ransomware demands, where a cybercriminal gains access to IT infrastructure, encrypts the data and then demands a ransom to release it. But when the data is released, there is no guarantee that the cybercriminal is not holding on to a copy of the data and making it available for sale on the dark web.
A significant issue across the continent is the lack of IT security skills to address or pre-empt cyber-attacks and protect the IT infrastructure, and this is one of the aspects driving data breaches.
It’s one thing to store your data in the cloud, where there are security measures, but within your organisation, if you don’t have them, your infrastructure remains vulnerable. This has led to the increasing practice and implementation of security measures that include two-factor authentication, data encryption, Secure Sockets Layer (SSL), Intrusion Detection System (IDS), identity and access management, network security measures and other access controls. Organisations have also been encouraged to ensure they have data backup and recovery measures in place, as well as firewall protection. The implementation of many of these measures is often viewed as an irritation by users but is a necessity, says Burger-Smidt.
According to Burger-Smidt, human beings tend to expect everything to happen as quickly as possible with as little effort as possible. So, people get annoyed about two-factor authentication and other protection methods. This calls for a change in mindset in raising awareness of the value of personal data and the need to protect that information.
The data subjects in African jurisdictions are not immune to global data breaches either. Burger-Smidt says a matter for debate is whether an African country’s regulator has jurisdiction over international companies when they experience a data breach. For example, does Facebook or its parent company Meta have obligations to announce the data breach to its users in African jurisdictions, and can they be held accountable for the loss of data?
Conclusion
With digital transformation continuing to change and shift the African market, more and more importance is being placed on data protection laws and regulations. Many inroads are being made in terms of countries putting laws in place, but more controls and measures need to be implemented for these to be effective. A lot of work is required to ensure users understand the intricacies of data protection regulation and the nuances underlying the application of the legislation. We expect to see significant data protection developments over the next five to ten years, which will create a lot of changes and shape data protection on the continent.