Personal data protection and cybersecurity in Africa are codified in domestic laws as well as in regional and international legislation which some African countries have adopted. Apart from the Malabo Convention which was examined here, other regional/international legislation adopted by African countries includes:
- The 2010 Supplementary Act on Personal Data Protection, published by the Economic Community of West African States (ECOWAS);
- The 2011 Supplementary Act on Cybercrime, also published by ECOWAS;
- The Model Data Protection Act published by the Southern African Development Community (SADC);
- The East African Community Legal Framework for Cyber Laws.
In spite of the adoption of the above legislation, African countries are not at the same level of performance with respect to data protection and cybersecurity; some, such as Togo, the Gambia, Guinea Bissau and Liberia, are yet to enact data protection laws.
In this article we will look at countries that are ahead in data protection and cybersecurity laws in Africa, based on current practices and the Global Cybersecurity Index 2018 (GCI 2018) published by the International Telecommunication Union (ITU) of the United Nations (UN).
2. Country Spotlight
The Republic of Mauritius is an island nation in East Africa. In addition to enacting the Malabo Convention, Mauritius was the first African country to adopt the Budapest Convention on Cybercrime 2014 and the second non-European country to ratify Europe’s Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.
Mauritius has also enacted its Data Protection Act 2017 which came into force in January 2018.
The ITU ranks Mauritius highly because of the organizational structure of its data protection and cybersecurity agencies. Firstly, Mauritius has a Data Protection Office which is under the control of the Data Protection Commissioner (DPC). The Mauritian DPC is empowered to:
- make regulations concerning data protection;
- investigate any breach of the Data Protection Act, 2017 and enforce the provisions of the act by imposing sanctions on the offender;
- designate any of its officers to enter and search any premises based on search warrants issued by a Magistrate;
- carry out audits of the systems of data controllers to ensure that personal data is being processed in accordance with the act; and
- carry out other functions.
The Mauritius government established the National Disaster Cybersecurity and Cybercrime Committee to facilitate decision making in the event of a cyber crisis at the national level.
Lastly, there is the Computer Emergency Response Team of Mauritius (CERT-MU) which is aimed at monitoring security incidents in both the public and private sectors. The CERT-MU provides both virtual and physical avenues for cybersecurity incident reporting.
Kenya is an East African country ranked first in Africa by the ITU under the legal and cooperation pillars of cybersecurity. Kenya boasts multi-stakeholder collaboration between the government and sectors such as telecommunications, health, and academia, among others.
The main regulation for data protection affairs in Kenya is the Data Protection Act, 2019. The act cuts across all sectors in Kenya and applies to all data processors and controllers in Kenya. Prior to the enactment of the act, the following sector-specific laws, among others, had been in force to govern the processing of personal data in those sectors:
- The Kenyan Information and Communications Act which applies to licensed telecommunications service providers;
- The Public Health Act, the Health Act, and the HIV and AIDS Prevention and Control Act which apply to medical institutions and their personnel, including third parties;
- The National Payment Systems Act which applies to payment systems and payment service providers.
Furthermore, Kenya has a national Computer Incident Response Team (CIRT), established pursuant to its Information and Communications Act, which is responsible for managing cyber incidents and coordinating responses to such incidents in collaboration with the relevant stakeholders.
Rwanda is located in East Africa and, according to the GCI 2018, it performs best in organizational capacity. This ranking is influenced by its National Cybersecurity Agency, an agency responsible for the protection of Rwanda’s critical national infrastructure.
Rwanda is a party to the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce and has various consumer protection laws particularly with respect to electronic messages, electronic transactions and the use of electronic signatures.
In terms of enforcement, personal data and cybersecurity policies are protected by established crime units of the Rwandan Police and the Rwanda Defense Force.
Rwanda is yet to enact comprehensive data protection legislation like Mauritius and Kenya; however, its Draft Data Protection and Privacy Law was published by the Minister of ICT and Innovation in January 2020. Local Rwandan news reported that the draft legislation was to be submitted to the Rwandan Parliament for approval.
Nigeria comes in 5th place in the GCI 2018 ranking. Nigeria’s major data protection legislation is the Nigerian Data Protection Regulation (NDPR) which is laid down by the data protection regulatory body – the National Information Technology Development Agency (NITDA). In addition to the NDPR, personal data protection and cybersecurity principles are enshrined under the National Health Act 2014 which specifically regulates healthcare users and personnel, the Cybercrimes (Prevention, Prohibition etc.) Act 2015, the Freedom of Information Act 2011, among others.
The NITDA is responsible for enforcing the provisions of the NDPR and monitoring compliance with its provisions. The NITDA receives data protection audit reports from data controllers and processors. The audit reports are to be filed and verified by Data Protection Compliance Officers who are licensed and regulated by NITDA.
To protect the transfer of personal data to foreign countries and international organisations, the NDPR provides that such transfers must be made subject to the supervision of the NITDA and the Attorney General of the Federation.
Finally, there have also been judicial decisions on data protection on the basis of the right to privacy under the Nigerian Constitution, such as Godfrey Nya Eneye v. MTN Nigeria Communication Ltd and Ezugwu Anene v. Airtel Nigeria Ltd. In both cases, the Nigerian courts held that it was unconstitutional and a breach of the plaintiffs’ right to privacy for their telecommunications service provider to disclose their mobile phone numbers to third parties without the consent of the user.
Awareness of data protection and cybersecurity rights in Africa is steadily rising. It is expected that in the coming years, the countries leading the pack will continually improve the legislative and regulatory framework for the enforcement of these rights, while others lagging will be guided by the agenda that will be set out at the Data Protection Conclave conference and commit to building world-class cybersecurity and personal data protection infrastructure.