Growing focus on data protection across Africa, though implementation issues remain

PrivSec catches up with Teki Akutteh Falconer, founder of the Ghana-based Africa Digital Rights Hub, ahead of PrivSec Global 2020

In recent years, Africa has seen a growth in the introduction and implementation of individual country laws protecting the data of citizens, as well as increased interest in developing a unified approach to data protection across the continent.

At the forefront of this movement is Teki Akutteh Falconer, founder of the Ghana-based Africa Digital Rights Hub – a not-for-profit think tank that advances and promotes research and advocacy on digital rights. Falconer has a background in both law and drafting legislation – she is currently partner at a Ghanaian law firm, but was also instrumental in developing the country’s 2012 Data Protection Act and was the first executive director of the country’s Data Protection Commission.

My first brush with privacy and data protection was back in 2003, when I started my LLM programme. This was on the implementation of the UK Data Protection Act and the European Directive on personal data protection… I think my interest was predominantly because of the need to find that right balance between personal data handling processes and other human rights such as the right to privacy, and even to some extent, freedom of expression and other things. I thought it was quite fascinating,” she recalls.

On returning from her LLM at the University of Strathclyde, she returned to Ghana, where she was able to play a key role in shaping data protection and privacy laws.

“For me it was the need to build a structure that will enable some of the things that I believed in regarding privacy and data protection come to pass, but also an opportunity to lend your hand to the nation building; to develop this aspect within the country,” she explains.

But, on leaving that position in 2017, she decided to broaden her focus beyond her home country.

“I realised that a lot was still not being done on the continent. We needed to start looking at the impact of IT and telecom laws on people – so whether it’s their use of the technologies or development of the technologies, I thought that the rights and the protections associated with this need to be amplified, and we need to raise a lot more voice around how it’s impacting people… we needed to have a lot more research into the issues of how it was impacting,” she explains.

“Most of our legislations have been influenced by the developed world, and communities and donor agencies and all of that. And so there was a big question of how are these things really impacting: are these really issues of concern to us, to our communities, to people living in Africa? Or are these something that we are adopting because somebody has a grant for us?”

These questions led to her founding the Africa Digital Rights Hub, which looks at the impact on cyber security, online child protection, intellectual property and privacy on African citizens. The Hub produces Afro-centric research and publications, advocacy, as well as resource tools to generate governmental engagement.

According to figures by Privacy International, there are currently 24 countries with data protection laws – up from just 10 or 11 at the time the Africa Digital Rights Hub was formed, according to Falconer. And more are in development.

An interest in the topic across the continent has been driven by a number of factors, she says, such as pressure from industry and businesses who found themselves impacted by the GDPR, calls from organisations such as her own and civil society bodies concerned about data protection, surveillance, security and exclusion in the digital identity sphere – a significant issue in Africa, for which the Africa Digital Rights Hub has published a code of practice – and input from international agencies.

But bringing in legislation is only one step of the journey, she explains, because many regulatory regimes in the continent lack capacity to enforce legislation effectively.

“We’ve seen a lot of laws being passed, we’ve seen some mature regulators, but still a very large number of our regulators are not very strong and effective,” she says.

“We’ve been pushing advocacy and other engagement on how to strengthen the regulators so that they’re in a better position to effectively implement and enforce the laws. Because when you have all these beautiful laws and yet you do not push for an enforcement, then there is the likelihood of people getting fatigued with being asked to comply with certain standards and, essentially, people just waiting it out because they know that eventually the regulator will not come at them.”

The issue can be two-fold, Falconer explains, sometimes coming down to both a lack of legislative teeth and regulatory might. Some of the laws are themselves weak, although most are adequate, she says.

But the implementation side is patchier, with not all countries having regulators in place yet, and some stymied by relatively light sanctions – although this is changing, for example, with tough penalties in Mauritius, which can issue fines of up to 200,000 rupees and imprisonment up to five years, and recent changes in Kenya, which last year beefed up its legislation to include a fine of five million Kenyan shillings and/or imprisonment for up to ten years.

“But I am sure that if you do a thorough survey across Africa with all the data protection authorities you will find that very few, possibly less than half of those that have authorities, are actively sanctioning,” she says.

She explains: “It boils down to their capacities. If you look at the structure of a lot of the data protection commissions and authorities around Africa, a lot of them are not fully equipped with the technical and the administrative resources that they need in terms of human capacity to be able to effectively enforce. When I left Ghana’s Data Protection Commission – and I don’t think that has changed significantly – I don’t think currently the Commission, made up of its board, which is about 11 members, and other staff, I don’t think they make up about 30 people. So you’re going to find a Commission that is supposed to regulate a country with estimated data estimated data controllers of over a million, and their staff capacity is 30.”

Currently data protection in Africa is on a country-by-country basis, as the African Union Convention on Cybersecurity and Data Protection (the “Malibu Convention”), has yet to become due to a lack of ratification among countries, despite being adopted in 2014.

But Falconer takes a positive view of progress on this, citing an increase of ratifications in the last year.

There’s been significant progress in the past year, I would say, towards ratifying it and maybe in the next year we are likely to see it becoming effective,” she says.

“The challenge has also been that the Malibu Convention itself was more modelled after the 1998 European Directive. There has been that position and mindset that the Convention itself is a bit obsolete as far as data protection is concerned…. GDPR has replaced the ‘98 Directive, so some organisations’ position is that the Convention needs to be reviewed. But, from where we sit, the Convention is a good start to having some kind of regional and continental unification… If you decide that you’re going to going to pull it out or review it now, it’s probably going to take us another five to 10 years to get it to where it needs to be. So there’s some progress, and I think most of it will depend on how quickly we’re able to get the number of countries needed to ratify it to make it effective. I think we’re very close to that so that should be happening any moment from now.”


Hear more from Teki Akutteh Falconer at PrivSec Global, 1 December, on Bridging the Gap Between Policy and Implementation in Africa. Click here for more information.

Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.