The new challenges of data protection for African companies

By Merav Griguer


The European data protection framework is currently undergoing deep mutations. The new General Data Protection Regulation, passed on April, 27th 2016, will be enforceable from May 2018. It will bring important changes to the applicable rules, and will enhance the applicable penalties in case of infringement or lack of compliance up to €20M or 4% of the overall turnover of the concerned company.

Every company or otherwise public body is therefore getting prepared as of now, in order to achieve compliance by May 2018, and avoid any risk of penalty. The French control authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has indeed already stated that it will start its control activities from the point of view of these new rules right from that date.

For African companies doing business within the European Union, or oriented towards the European Union, taking these rules into account is an equally important stake, whether they process personal data related to persons located within the EU for their own purposes, or whether they provide services to European companies or public bodies.

What risks for African companies?

A lack of compliance with the GDPR would entail two types of risks, namely commercial and legal risks.

On one hand, there are risks of a commercial nature, if a compliant level of protection is not sufficiently guaranteed, especially concerning security and confidentiality of personal data, European companies or public bodies would be entitled to break the contract at stake. Moreover, in the context of a bid solicitation or of a competitive call, the lack of proof or guarantee of compliance with the GDPR would necessarily lead to the loss of any chance to win the concerned market or project.

On the other hand, there are legal risks, for the new regulation provides a shared liability between controllers and processors. In case of infringement, both of them will be subject to heavy administrative or even criminal penalties. It is therefore crucial that African processors working for European companies or public bodies limit their risks of liability, as well as any African company processing personal data related to persons located within the EU for its own purposes.

It must also be reminded that the GDPR prohibits any transfer of personal data outside of the EU, except for a few limited exceptions, if an adequate level of protection, equivalent to the level set by European law, is not guaranteed. African companies which intend to keep on receiving data from their European partners will therefore have to provide sufficient guarantees of such an adequate level of protection.

Which African companies are concerned?

Some companies are concerned as data processors. Those are companies which, in a context of provision of services to European companies or public bodies, process personal data related to employees, customers, users or other providers, or to any natural person living within the EU.

Such companies are in particular computer or consulting service providers, like audit, computer or user rescue plans, hotline services or call centers. Such may also provide outsourcing operations of whole branches of the activity of European companies or public bodies.

Some other companies are concerned as data controllers. Those are companies which determine by themselves the purposes and means of their own personal data processing, if this processing is related to persons located within the EU, for the purpose of providing them goods or services, or for profiling purposes.

Such companies are in particular e-commerce companies which sell goods to customers located within the EU, and which edit and manage customer files for that purpose.

The notions of processing and personal data are intended to be very broad, so as to cover basically any category of data (any information relating to an identified or identifiable natural person, including by means of cross-referencing) and any type of use (consultation, access, editing, modification, erasure, recording, storage, transfer, etc.). Moreover, every field of business or activity is concerned.

What should I do now?

First, companies should identify and assess their own practices in terms of use and protection of personal data, so as to be able to properly describe which of those practices must be corrected, the additional measures to be taken, the documentation and new procedures to set up.

States themselves are also concerned: by enacting sufficiently protective laws from the point of view of the GDPR, they will make transfers of personal data from within the EU possible. Morocco, for instance, passed its own Data Protection Act in 2009, which provides a regime that is almost equivalent to the current EU framework. It is now positioning itself ahead, in order to anticipate the new rules of the GDPR, to obtain an official adequacy recognition decision from the European Commission as soon as possible.

At their respective level, African companies must therefore implement European data protection standards right from now, at least as good practices, in order to preserve their commercial partnerships and prevent any risk of penalty. The process of compliance undertaken by European companies should be followed by every African company which intends to maintain or initiate commercial relationships with the EU, regardless of its field of activity.