More than 1000 experts from around the world, including Kenya, will be gathering in Ghana this week to address a key challenge facing Africa’s digital future – data privacy. The Africa International Data Protection and Privacy Conference (24-27 June) will bring together national authorities from African Member States, as well as policy makers, data protection officers (DPOs) and data protection and privacy experts.
Africa has great potential to profit from a digital transformation that could provide much-needed jobs and improve access to quality services, including finance, healthcare, education and agriculture. Home to the youngest population in the world, Africa is progressing rapidly in digital adoption. Underpinned by rising mobile connectivity, the continent has recorded the highest growth globally in Internet access, moving from 2.1% in 2005 to 24.4% in 2018. According to the GSMA the “mobile economy” is forecasted to reach 7.6% (US$ 214 billion) of the overall African GDP by 2020.
The right approach to data privacy will be critical to building trust in new technologies and systems, but there is a need to accelerate the progress being made. Countries across Africa are at varying points on their journeys towards enacting Data Protection and Privacy laws. Less than 15 out of 54 countries in the region have passed a Data Protection Law.
In 2018 Kenya consulted on a draft Data Protection Bill and Policy. Adoption of such a law and policy would be significant step in the right direction helping Kenya to seize the opportunities arising from digital transformation. The proposal is largely in line with international frameworks, but the GSMA believes there are a number of areas that could be improved.
To support countries and other stakeholders move forward as they consider Data Protection and Privacy, the GSMA released its new ‘Guiding Principles for Smart Data Privacy Laws’ at the Africa International Data Protection and Privacy Conference.
“Establishing the right approach to data privacy is critical to Kenya’s digital transformation,” said Jean-Francois Le Bihan, Public Policy Director, Sub-Saharan Africa, GSMA. “To be successful, Kenya must protect individuals while allowing organisations the freedom to innovate and secure positive outcomes for society. Data privacy laws should put the responsibility on organisations to identify and mitigate risks while remaining flexible, technology- and sector-neutral and allowing data to move across borders easily.
“Without adhering to these guiding principles, poor data privacy enforcement could put at risk the US$ 214 billion mobile economy Africa has the potential to reach by 2020. Kenya has the opportunity to harness the digital economy as a driver of growth and innovation. If it fails to seize the opportunities, it runs the risk of economic isolation and stagnation.”
In summary the key learnings from the GSMA report for Kenya’s development of a data privacy law include:
The law should embrace the concept of Accountability and encourage companies to adopt responsible data governance practices to identify and mitigate privacy risks. Such accountable practices should be taken into consideration when investigating or imposing sanctions. This is by far the best way to promote effective protection for individuals. In particular, the current proposal [ss15-19] mandates excessive registration requirements that create huge administrative burden for companies with little gain for the privacy of individuals. It would be far better to remove these in favour of a model of accountability;
Cross-Border Data Flows and Localisation
Kenya can benefit enormously from the promotion of data flows within Africa. The current proposal would mandate very tough localisation measures forcing companies to keep data in Kenya. Such measures act as a disincentive to foreign investors and ultimately fragment the internet, depriving local businesses of the knowledge and services they need to innovate and grow. They should be replaced by a range of possibilities for transferring data responsibly including mechanisms based on accountability; and
Implementation & Supervisory Authorities
Once the law is passed, the government should ensure that the independent authority is set up swiftly and with sufficient powers and resources to be effective. The authority should also be equipped to participate in international networks of data protection supervisory authorities in order to develop a mutual understanding of laws and enforce data privacy rules on each other’s behalf.
The GSMA’s ‘Guiding Principles for Smart Data Privacy Laws’ report is available in English