confidentially speaking
The Africa Confidential Blog
Should African states buy into Europe's data protection rules?
Patrick Smith
The European Union's offer of data access deals at the summit of African Data Protection Authorities in Nairobi on 7 May should prick the interest of more than just pointy-heads. Brussels wants Kenya, whose 2019 data protection law was modelled on the EU's, to be the first of a group of African states to obtain regulatory equivalence, paving the way for an African Single Digital Market, one of the long-term goals of the African Continental Free Trade Area.
Obtaining equivalence – known in EU jargon as an 'adequacy' agreement – would require African states to align their data protection laws with the EU's General Data Protection Regulation – a landmark law, in force since 2018, which sharply increased individual control over storage and use of data.
There are commercial incentives to embrace the offer. Adequacy status would open access to the EU's €800 billion data economy, business process outsourcing and digital services exports to African states. Organisations in Africa that offer goods and services in the EU or work with an EU business where personal data is shared are already bound by the GDPR.
Most African states are signed up to the African Union Convention on Cyber Security and Personal Data Protection. But this has no legal status. Of 55 African states, 36 have data protection laws, of which Nigeria and Somalia have the newest. Many are over a decade old and three are considering drafts.
