14–15 Mar 2019
Accra Marriott Hotel
Africa/Accra timezone
Beyond Networks: Applications and Services

A discussion on Africa’s multilateral response to personal data security breaches

14 Mar 2019, 17:03
18m
Nkrumah Ballroom (Accra Marriott Hotel)

Liberation Road, Airport City, Accra, Ghana
Paper Applications and Services PLENARY SESSION III – Paper Presentations

Speaker

Mr Alunge Rogers (Joint PhD in Law, Science and Technology)

Description

Since the beginning of the 21st Century, Africa has witnessed phenomenal growth in Internet penetration and the use of Information and Communications Technologies (ICTs). The continent has especially made significant progress in adapting to smart technology, with a continuously increasing use of mobile and web application services, especially in the domain of urban transport and agriculture. Alongside the computer network security concerns wrought by the spread of ICTs and Internet penetration and raised at regional and sub-regional governance forums in the continent, there have also been worries regarding the online privacy and protection of individuals using these services in relation to the personal information which they progressively submit to the providers of these ICT and smart services for processing purposes. Among such worries, and quite crucial, are personal data security breaches, the risk of which only keeps increasing as the African and global economy becomes increasingly data-driven, which in turn leads to higher risks of identity theft and significant economic losses for potential victims. In a general response to these developments, African intergovernmental organizations have developed legal frameworks focused or touching on personal data protection. At the sub-regional level, the Economic Community of West African States (ECOWAS) has adopted a Data Protection Act, while the Common Market for Eastern and Southern Africa (COMESA) and the Southern African Development Community (SADC) have adopted model laws which, though principally focused on computer network security, could serve as significant foundations towards the development of data protection policies. At the regional level, the African Union (AU) has adopted a Convention on Cyber Security and Personal Data Protection, a three-pronged instrument regulating electronic commerce, data protection and cybersecurity within the continent.
However, while other aspects of data protection law are more or less dealt with in these instruments, very little stress is put on the security of personal data or safeguards against and management of breaches of personal data security.

This paper, in an attempt to present a critique of the state of affairs as regards personal data breach regulation in Africa, will argue that the ECOWAS Data Protection Act as well as the AU Convention on Cyber Security and Personal Data Protection do not provide a satisfactory framework for regulating breaches in personal data security in African states. This situation does not help in harmonizing personal data security legislation or data protection law as a whole across the continent, which already presents some level of fragmentation, with some African countries having adopted national personal data protection legislation but with uneven standards of data breach regulation. Both the AU Convention and the ECOWAS Data Protection Act are significantly lacking in pre-breach and post-breach regulation, including breach prevention, preparedness, reporting and available remedies for affected data subjects. Moreover, neither instrument defines or lays down a clear notion of what constitutes or should constitute a data security breach in Africa, leaving this subject matter of African data protection law a grey area, with no compliance test available to data controllers or processors to determine or limit their responsibility in the event of a breach. The paper will recommend the adoption of an amendment or protocol to both supranational instruments which clearly defines the notion of a data breach, and shall also make a case for the adoption, within the framework of the above instruments, of pre- and post-breach regulatory mechanisms to guide African data controllers and processors in preventing and managing personal data security breaches.

Summary

Keywords: Africa, Data Breaches, ECOWAS, African Union, Data protection.

Primary author

Mr Alunge Rogers (Joint PhD in Law, Science and Technology)
