Article contents
Implementing the AfCFTA Agreement: A Case for the Harmonization of Data Protection Law in Africa
Published online by Cambridge University Press: 06 May 2022
Abstract
The Agreement Establishing the African Continental Free Trade Area (AEAfCFTA) is a revolutionary treaty of the African Union (AU) which creates an African single market to guarantee the free movement of persons, capital, goods and services. The AEAfCFTA is geared towards enabling seamless trade among African countries. The single market relies heavily on the processing of the personal data of persons resident within and outside the AU, thereby necessitating an effective data protection regime. However, the data protection regime across Africa is fragmented, with each country either having a distinct data protection framework or none at all. This lack of a uniform continental framework threatens to clog the wheels of the African Continental Free Trade Area (AfCFTA), because by demanding compliance with the various data protection laws across Africa, free trade will be inhibited, the very problem the AEAfCFTA seeks to remediate. These concerns are considered and applicable solutions are proposed to ensure the successful implementation of the AfCFTA.
- Type
- Research Article
- Information
- Copyright
- Copyright © The Author(s), 2022. Published by Cambridge University Press on behalf of SOAS University of London
Footnotes
Emmanuel Salami is a doctoral candidate in Information Technology, Data Protection, and Intellectual Property Law at the Faculty of Law, University of Lapland, Finland.
References
1 European Commission, Commission Staff Working Document “A digital single market strategy for Europe: Analysis and evidence. Accompanying the document: Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. A digital single market strategy for Europe”, COM(2015) 192 final, Brussels, 6.5.2015, SWD(2015) 100 final at 3. See also R Simo “The African Continental Free Trade Area in a decaying multilateral trading system: Questioning the relevance of the enabling clause” (2019) SSRN at 1, available at: <https://ssrn.com/abstract=3501539> (last accessed 11 August 2021).
2 African Union “Assembly of the Union: Eighteenth ordinary session” (January 2012), available at: <https://au.int/sites/default/files/decisions/9649-assembly_au_dec_391_-_415_xviii_e.pdf> (last accessed 14 August 2021).
3 For further reading on the aims and objectives of the AfCFTA, see Onyejekwe, C and Ekhator, E “AfCFTA and lex mercatoria: Reconceptualising international trade law in Africa” (2021) 47/1 Commonwealth Law Bulletin 95CrossRefGoogle Scholar.
4 The World Bank “The African Continental Free Trade Area” (2020), available at: <https://www.worldbank.org/en/topic/trade/publication/the-african-continental-free-trade-area> (last accessed 14 August 2021).
5 The Trade Law Centre (Tralac) “African Continental Free Trade Area (AfCFTA) legal texts and policy documents” (2021), available at: <https://www.tralac.org/resources/our-resources/6730-continental-free-trade-area-cfta.html#legal-texts> (last accessed 17 March 2022).
6 “About AfCFTA” (2021), available at: <https://www.africancfta.org/aboutus> (last accessed 14 August 2021).
7 African Union Convention on Cyber Security and Personal Data Protection (27 July 2014) EX.CL/846(XXV).
8 See the Preamble of the Convention.
9 At the time of writing, only eight out of a total of 55 AU countries have ratified the AU convention. Thirteen other countries (Benin, Chad, Comoros, Congo-Brazzaville, Guinea-Bissau, Mauritania, Mozambique, Rwanda, Sierra Leone, Sao Tome & Principe, Togo, Tunisia and Zambia) have signed but not ratified it. “List of Countries which have signed, ratified/acceded to the African Union Convention on Cyber Security and Personal Data Protection” (18 July 2020), available at: <https://au.int/sites/default/files/treaties/29560-sl-AFRICAN%20UNION%20CONVENTION%20ON%20CYBER%20SECURITY%20AND%20PERSONAL%20DATA%20PROTECTION.pdf> (last accessed 17 March 2022). See also G Greenleaf and B Cottier “Comparing African data privacy laws: International, African and regional commitments” (2020) University of New South Wales Law Research Series, available at: <https://ssrn.com/abstract=3582478> (last accessed 28 October 2020).
10 Art 36 of the Convention makes its ratification by fifteen AU member states a condition of its coming into force.
11 Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS (16 February 2010), available at: <statewatch.org/media/documents/news/2013/mar/ecowas-dp-act.pdf> (last accessed 17 March 2022).
12 Available at: <https://www.dataguidance.com/legal-research/data-protection-southern-african-development-community-sadc-model-law-0> (last accessed 5 April 2022).
13 For other relevant regional data protection laws, see Greenleaf and Cottier “Comparing”, above at note 9 at 20. For further reading, see Makulilo, A (ed) African Data Privacy Laws (2016, Springer)CrossRefGoogle Scholar.
14 See Greenleaf and Cottier “Comparing”, above at note 9 at 3.
15 This clause necessarily includes not just privacy law but also data protection law. This is because the “processing and dissemination of personal data” falls within the purview of data protection law. See for example the Data Protection Act of Kenya 2019, sec 2.
16 See AEAfCFTA, part V, art 18(2).
17 Id, art 9 (Protocol on Rules and Procedures on the Settlement of Disputes) establishes a dispute settlement panel tasked with the resolution of disputes arising out of the AEAfCFTA.
18 For example, see the dispute resolution mechanism established under sec 4(2) of the Nigerian Data Protection Regulation 2019, which varies from other national legislations.
19 From an African perspective, this kind of business model is to be expected in a single market. In the EU, in Weltimmo sro v Nemzeti Adatvédelmi és Információszabadság Hatóság, a Slovakian entity was transacting business in Hungary even though it had no physical office there. The Court of Justice of the European Union held that the fact that the Slovakian business had a website aimed at Hungarians, and other factors that showed intent to target them, was sufficient justification to indicate that it was targeting Hungarians. See Weltimmo sro v Nemzeti Adatvédelmi és Információszabadság Hatóság [2015] C-230/14.
20 Synchronization in this context requires that state parties align their respective laws in a manner geared towards the facilitation of the objectives of the single market; harmonization requires that state parties of the AU will have a single law for the regulation of data protection law across the continent.
21 See the Nigerian Data Protection Regulation.
22 Data Protection Act of Kenya, sec 50.
23 Act No 4 of 2013, vol 581, no 37067. POPIA came partly into force on 1 July 2020 and became fully applicable on 30 June 2021. For further readings on POPIA, see Werksmans Attorneys “An introduction to POPIA” (May 2020), available at: <https://www.werksmans.com/legal-updates-and-opinions/popia-a-guide-to-the-protection-of-personal-information-act-of-south-africa/> (last accessed 16 May 2021).
24 POPIA refers to personal data as personal information. See the definition of personal information in POPIA, sec 1.
25 On the definition of personal data and sensitive personal data within the Act, see id, secs 1 and 26.
26 Id, sec 32(5)(b) also authorizes the processing of health-related data for health purposes.
27 This article makes no comment on the necessity or effects of these provisions on the protection of personal data or the right to data protection as this is not its objective.
28 For instance, a business requiring client confidentiality (e.g. cloud computing companies storing client data) might be reluctant to transact business in countries where there are no data protection laws for reasons which include the possibility of unlawful data requisition by national governments. Conversely, such companies might find such countries attractive for business because of little or no need for data protection compliance. Either way, the rights to data protection of data subjects are bound to be violated.
29 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data, OJ L 281, 23.11.1995, at 31.
30 A directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals. See European Union “Regulation, Directives and other Acts”, available at: <https://europa.eu/european-union/law/legal-acts_en#:~:text=A%20%22directive%22%20is%20a%20legislative,how%20to%20reach%20these%20goals> (last accessed 15 November 2020).
31 European Commission “A digital single market strategy for Europe”, above at note 1 at 46.
32 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons With Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, 4.5.2016.
33 Id, recitals 7 and 13.
34 Id, recital 13.
35 Some specific rules may necessarily differ between EU and non-EU businesses. An example of this can be found in id, art 27 on the appointment of representatives by entities offering goods to EU residents or monitoring EU residents from outside the EU.
36 V Reding “The EU data protection regulation: Promoting technological innovation and safeguarding citizens’ rights” (4 March 2014), available at: <https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_14_175> (last accessed 19 November 2020).
37 European Commission “A digital single market strategy for Europe”, above at note 1.
38 At the time of writing, one of the major shortcomings of the Convention which makes it less suitable as an appropriate law for data protection regulation across the continent is the fact that it does not regulate the processing of personal data by data controllers not located within the AU. In other words, the Convention does not contain a provision similar to GDPR, art 3(2).
39 Data Protection Act of Kenya, sec 50.
- 6
- Cited by