Data protection in Africa: where do we stand one year before GDPR
Albeit essentially a European statute, the new General Data Protection Regulation (GDPR), which will be applicable as of May, 25th 2018, is expected to have much impact in African countries, as its scope will also cover many data controllers and processors established outside of the European Union – namely, all those who process data of individuals located within the EU as part of the selling of goods and services to such individuals or the monitoring thereof. Those, which especially include e-commerce websites or targeted advertising providers and/or their Africa-based processors, will be directly subject to the new provisions.
Moreover, the now well-established rules on international transfers set high requirements for third countries to be deemed as offering sufficient protection of personal data, so that companies and public bodies in said countries be able to receive such data from EU entities. The free flow of data between European and African countries will therefore be conditional upon proactive lawmaking and good practices in the latter, oriented towards the offering of an “adequate level” of data protection – that is, a level equivalent to the one set by GDPR.
However, it appears that most African countries still lack a comprehensive, GDPR-compliant data protection legislation, if not a data protection legislation at all: countries such as Algeria, Comoros or the Central African Republic thus appear to not dispose yet of such specific normative protection.
In many other cases, recently adopted legal frameworks (such as Burundi’s, Cameroon’s, Congo’s or Rwanda’s) exclusively focus on security and confidentiality of electronic communication data (which in the EU is dealt with as lex specialis only), leaving aside all other categories of personal data. Though they stem from laudable concern about individuals’ right to privacy, such provisions will without doubt fall short of European data protection authorities’ expectations, when it comes to assessing adequacy.
A narrower set of countries (Benin, Burkina Faso, Ivory Coast, Gabon, Mali, Morocco, Senegal and Tunisia) seem in contrast to be more advanced on the path to sufficient protection, each having created its own data protection authority, which in turn joined the Association Francophone des Autorités de Protection des Données Personnelles (AFAPDP). Founded in 2007, the Association plays a great role in coordinating and promoting data protection laws and practices within the francophone sphere around the world, with a strong involvement of the French Commission Nationale de l’Informatique et des Libertés (CNIL).
Among those countries, Morocco is remarkable for having requested an adequacy recognition decision from the European Commission, as early of 2009. This request is still pending to this day, mostly due to the simultaneous changing of the European framework; Moroccan officials have yet reaffirmed their will to reach compliance as soon as possible.
The Moroccan case however sheds light on the European Commission’s rationale for the scrutiny of adequacy recognition applications, and thus might serve as an example for other concerned countries: adequacy, in the views of the Commission, is primarily a matter of effectiveness; African data protection authorities should therefore be provided with the necessary means to enforce relevant legal provisions, so that compliance be thoroughly ensured by companies and public bodies under their jurisdiction.
As for such companies and public bodies that might soon fall within the extended scope of GDPR, equivalent high-standard domestic provisions might very well be the best incentive to ensure compliance with the new European regulation.
