Firms’ growing use of data has been paralleled by discussions in Africa and around the world about appropriate data privacy and transfer policies, especially to govern individuals’ data. Numerous countries, including many countries in Africa, have in the past few years created data privacy and data transfer laws. Much like their peers in other parts of the world, African governments are also amid discussing cross-border data transfer rules in the context of the African Continental Free Trade Agreement (AfCFTA).
In addition, six African countries (Benin, Burkina Faso, Cameroon, Ivory Coast, Kenya, and Nigeria) also form part of the World Trade Organization (WTO) Joint Statement Initiative (JSI) on Electronic Commerce, which aims at a plurilateral agreement on ecommerce covering multiple digital economy issues, including the transfer of data across borders.
The purpose of this report prepared by Nextrade Group for the USAID -backed Alliance for eTrade Development is to contribute to the growing discussions on cross-border data transfer policies in Africa, and to discuss regional data transfer policies that are compatible with the aims of free trade and MSME cross-border ecommerce. There are seven conclusions:
-
African firms already access and use data from individuals, businesses, and their own operations, and especially exporters and online sellers tend to use data from abroad and send data to foreign markets as part of their daily operations. Cross-border transfer of data is common across different types of firms, including firms that sell in-person services and physical products, and firms that sell digital goods or services. Firms that use data as well as cloud computing services to store and analyze data report significant productivity gains, cost savings, and innovations of new products and services.
-
Compared to their peers in other parts of the world, African countries are at relatively early stages in regulating data privacy and transfer. In our mapping of data transfer regimes in 54 African countries, 28 countries have a data privacy and transfer law in place, and at least 7 countries are amid drafting a data privacy law. Enforcement of these laws has commenced, but is still in most countries incipient.
-
African firms have mixed views about their respective countries’ data privacy and transfer laws. Overall, micro and small firms are in the countries we surveyed (Egypt, Kenya, and South Africa) still quite unaware of their countries’ data privacy laws and how these laws might apply to them; midsize and large firms are more informed and already implementing laws. Firms in general feel that their countries’ data privacy laws are helping to cement consumers’ trust in online transactions and enabling companies themselves to learn to treat consumers’ data appropriately. However, over a quarter of firms that know about the new laws also view them as costly and/or complicated to implement.
-
African firms also appear to be concerned about the implications of the proliferation of data privacy laws in Africa and beyond for their ability to sell online to foreign customers. Especially online sellers that export report that proliferating data privacy rules represent a major obstacle for them to grow their export sales – in part probably because foreign rules can be hard to keep up with and decipher, and in part because especially multimarket sellers struggle to deal with the many disparate national data privacy regimes.
-
African governments have also pursued various regional efforts to guide the development of national data privacy laws over the past decade, such as the African Union Convention on Cyber Security and Personal Data Protection (that was completed in 2014 but has yet to take effect), ECOWAS Supplementary Act on Personal Data Protection of 2010, and the South African Development Community (SADC) Model Law on Data Protection on 2013. These are useful steps forward, but they have had limited impact on national policymaking and address cross-border data transfer only tangentially.
-
This setting points to two-fold policy agenda for Africa – one, to ensure that national data privacy laws are more compatible with each other, and two, to enable African firms and especially online sellers to use and move data across borders safely and with ease. There are both policy and technology solutions to consider:
-
One, countries in many other regions have wrestled with similar data policy issues and challenges African countries face today – in a similar setting where countries are adopting data privacy laws at different speeds and where the national laws that are being adopted differ somewhat or significantly from each other. There exist useful regional data transfer models that balance the objectives of free transfer of data across borders, data privacy, and ability for countries to maintain their national data privacy laws. Some leading examples include the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system and two free trade agreements with robust digital trade chapters, the 11-country 2018 Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the 2020 U.S.-Mexico-Canada Agreement (USMCA), which endorsed the CBPR system. Our survey suggests that African companies would be strongly in favor of adopting in Africa the kind of data privacy and transfer rules as included in these agreements.
-
Two, policy is not the only solution to enable secure and safe cross-border data transfers. Technologies that secure data at rest, in transit, and in use are developing rapidly. Emerging solutions such as encryption and confidential computing can significantly aide African firms that leverage data and transfer data to third parties and across borders – and pre-empt onerous regulation and costly enforcement. In the next decade, these and other privacy-preserving technologies are bound to become much more prevalent. Our survey suggests that majorities of African companies are concerned about the security of personal data they transfer to third parties, and keenly interested in technology solutions to help them safeguard data. African companies can in the coming years be empowered to adopt and use these emerging technology solutions, to maximize the opportunities opened by data for their growth and development, while minimizing the likelihood of data breaches and misuse of data by third parties.
-
There is likely also an important role for technical assistance, to accelerate the development and implementation of emerging data privacy and transfer laws in various African countries, and to support the development of a regional framework for data transfer. However, support should be provided to countries and work that are compatible with the aims of free trade and MSME cross-border ecommerce.