The African Union’s Continental AI Strategy: Data Protection and Governance Laws Set to Play a Key Role in AI Regulation

By Chuma Akana, Former FPF Global Privacy Summer Fellow and Mercy King’ori, FPF Policy Analyst, Global Privacy

The African Union (AU) Executive Council, composed of representatives of the 55 African Member States, approved the highly anticipated AU AI Continental Strategy (the Strategy) in July 2024. The adoption of the Strategy follows a period of stakeholder consultations that sought to broaden the understanding of African AI needs and create awareness of the risks of AI use and development in Africa. The adoption of the Strategy marks a significant step in global AI policy and will serve as a guiding light for African countries developing and adopting national AI rules. 

The Strategy takes a development-focused and inclusive approach to AI, and places emphasis on five focus areas: harnessing AI’s benefits, building AI capabilities, minimizing risks, stimulating investment, and fostering cooperation. These focus areas give rise to fifteen action points that will help to achieve the strategic objectives of the AU with regard to AI use in Africa, while addressing the societal, ethical, security, and legal challenges associated with AI-driven systems. One of the Strategy’s first action points focuses on establishing appropriate AI governance systems and regulations at regional and national levels. Another focuses on encouraging cross-border data sharing among AU Member States to support the development of AI.

This blog post offers a comprehensive analysis of the Strategy, with a focus on its approach to AI governance as a fundamental building block of AI adoption in the continent. We explore the role of AI governance within the Strategy before delving into its specific components, such as strengthening data governance frameworks, balancing innovation and responsibility, harmonizing data protection laws, establishing AI regulatory bodies, and developing ethical principles to address AI risks. This post also covers some developments in AI policy across the continent and analyzes the tension in African policymaking between pursuing the transformative capabilities of AI and mandating strong safeguards to manage its risks. 

AI Governance as an Essential Building Block of the Strategy

The Strategy centers AI governance as a foundational aspect for the successful development and deployment of AI in the continent. In fact, the Strategy considers AI governance as an essential element for addressing all of the focus areas, including minimizing risks associated with the increasing use of AI and as a catalyst for the realization of all other action areas. To achieve this goal, the Strategy calls on Member States to develop national strategies that would, in addition to providing a roadmap for implementing the priority areas, facilitate the creation of normative governance frameworks that are adapted to local contexts and are transparent and collaborative.  

The Strategy emphasizes the importance of adequate governance to ensure that AI development and use is inclusive, aligned with African priorities, and does not harm African people, societies, or the environment. It calls for robust AI governance based on ethical principles, democratic values, human rights, and the rule of law, consistent with the AU’s Agenda 2063. 

As countries and regions around the world have been developing their own AI frameworks, an emerging task for AI policymakers has been to identify context-specific and inclusive components of a governance system. The AU’s AI Strategy attempts to solve this by proposing a multi-tiered governance approach that will ensure responsible AI ecosystems. The multi-tiered governance approach for Africa consists of five core activities: 

1. 1. Amendment and application of existing laws and frameworks: According to the Strategy, legal frameworks relating to data protection, cybersecurity, consumer protection, and inclusion are essential for responsible AI development in Africa. Enacting and fully implementing these laws will be crucial, and Member States may need to amend existing laws to address AI-related risks effectively. Most African countries have enacted at least some of these laws. Also, some African data protection laws specifically impose restrictions on the automated processing of personal data that produces legal effects or has similar significant effects. The Strategy considers data protection laws crucial to addressing data-related concerns of AI. On the enforcement level, there are few AI-specific actions to examine, though data protection agencies in Senegal and Morocco have previously issued administrative actions against the use of facial recognition technologies. It is likely that as existing data protection laws mature, a more comprehensive picture of how they are applied across the AU will emerge. Other data-related legal frameworks to be considered include open data policies, necessary for availing data for AI. 

2. 2. Identification of regulatory gaps: Governments, with the support of the AU and Regional Economic Communities, will need to consider what regulatory gaps exist to safeguard the development and use of AI and ensure the rule of law in its adoption across the continent. The Strategy recommends reviewing labor protections, AI procurement standards, and healthcare approvals, while aligning social media regulations with international standards. Other regulatory gaps to be filled relate to protection against algorithmic bias and discrimination.

3. 3. Establishment of enabling policy frameworks: The Strategy stresses the importance of national AI strategies that align with development priorities, focusing on areas like job creation, health, and education. These strategies should be developed through open consultations with a broad range of stakeholders, including the public and private sectors, academia, and civil society. 

4. 4. Development and roll-out of AI assessment and evaluation tools and institutional mechanisms: The Strategy underscores the importance of independent review mechanisms, including impact assessments like UNESCO’s Ethical Impact Assessment, in mitigating AI-related harms. These tools will help evaluate and measure AI’s impact on individuals and societies, offering a way to understand and address potential risks by drawing on various methodologies, including consultations with affected communities.

5. 5. Continuous research and evaluation: Ongoing African-led research is needed to assess new risks arising from AI development and use in Africa; evaluate the efficacy of governance tools to promote the development and use of AI systems that are inclusive, fair, sustainable, and just; review best practices in AI governance coming out of similar country contexts worldwide; develop policy innovations with policy-makers and stress-test them in a safe environment; and support regulatory sandboxing initiatives. 

To support these governance measures, the Strategy suggests that Member States should consider global best practices such as the recent EU AI Act while aligning with existing national and continental frameworks to address regulatory gaps and policy needs.

Comparing the AI Strategy with Existing National AI Frameworks on the Continent

Discussions about AI governance in Africa predate the Strategy and have continued following its adoption. Notable efforts include the release of national AI strategies by multiple AU Member States including Algeria, Benin, Egypt, Mauritius, Nigeria, and Senegal. Rwanda is the only country with a national policy while other countries like Ethiopia, Morocco, Ghana, Kenya, South Africa, Mauritania, Tanzania, and Tunisia are making significant steps to define their AI strategies. As a result, the Strategy is designed to inform an environment of ongoing efforts aimed at ensuring robust AI governance in the continent.

Many countries with existing strategies appear to have considered some of the foundational principles in the AU’s Strategy even if their efforts predate its adoption, demonstrating some convergence in AI governance across Africa. The key similarities between the Strategy and various national AI strategies and policies include an emphasis on:

• Adopting global best practices, as seen in Rwanda’s national AI policy;
• Acquiring high-quality and diverse data sets for AI development, as seen in Rwanda, Benin, and Nigeria;
• Stimulating adoption of AI in similar industries, as in Mauritius;
• Adopting AI in public and private sectors; and
• Adopting and implementing ethical principles for AI that respect human rights.

On the other hand, some notable differences relate to the flagship sectors under consideration in the various national AI strategies. While the AU’s regional AI Strategy marks the agricultural, healthcare, public service delivery, climate change, peace, and security sectors as those that stand to benefit from AI solutions, Rwanda includes these and others such as construction, banking, digital payments, and e-commerce. On AI governance, while the AU proposes a multi-tiered approach as explained above, countries such as Benin view their path to AI governance as mostly consisting of updating existing institutional and regulatory frameworks for AI. 

From Theory to Implementation of Practical AI Governance Frameworks in Africa: Balancing Innovation with Responsibility

The Strategy’s timeline for implementation extends from 2025 to 2030, with a preparatory phase in 2024. The process is set to unfold in two phases:

• Phase 1 (2025-2026) will focus on establishing governance structures, creating national AI strategies, and mobilizing resources. This phase will include developing strategic documents, organizing forums and workshops, and setting up AI advisory boards and centers of excellence;
• Phase 2 (starting in 2028) will concentrate on executing the core projects and actions of the Strategy, informed by a review in 2027 to ensure effective implementation.

The Strategy appreciates that the road to establishing normative AI governance frameworks is multi-pronged and will require bringing together a variety of different stakeholders, with the AU playing a pivotal role. For example, private sector actors are expected to play an important role and contribute to responsible AI initiatives by funding such initiatives and developing AI solutions that meet the objectives laid out by the Strategy. Public actors, such as Member State governments, are encouraged to develop policies that provide a conducive environment for AI development and promote the rule of law. As with the AU’s Continental Data Policy Framework (2022), which sets out a common vision for the use of data in Africa, a key tenet of the AI Strategy is to reach a unified level of AI governance despite differing levels of development among countries. 

In exploring how harmonized AI rules can be developed across the continent, the Strategy highlights the steps taken by other regions in advancing AI governance, such as the EU’s  AI Act, which is part of a broader policy package promoting trustworthy AI; the Association of Southeast Asian Nations’ (ASEAN) Guide on AI Governance and Ethics to establish common principles; and the 2024 Santiago Declaration for Latin America and the Caribbean which aims to strengthen regional cooperation in AI governance. As Africa’s regional body, the AU identifies several considerations for ensuring a harmonized, regional AI governance landscape for Africa, including:

1. Strengthening Data Governance as a Prerequisite for Responsible AI

The AU has consistently sought to develop consultative frameworks, particularly on data governance, for Member States to adopt when shaping their domestic policies. In 2014, the AU adopted the Malabo Convention to establish general rules and principles in three key areas: personal data protection, electronic commerce, and cybersecurity across the continent. The Malabo Convention was designed to provide a holistic, continent-wide framework to harmonize African data protection policies and promote digital rights, including privacy and internet freedom. Although adopted in 2014, the Malabo Convention did not come into force until receiving its 15th national ratification in 2023. With only 15 ratifying nations of 55 AU Member States, the Convention’s impact and influence have been limited. Aside from the Convention, in 2022 the AU released its Data Policy Framework to provide guidance on data governance for Africa’s growing data market. 

The AI Strategy emphasizes the critical role of data in AI innovation and development, noting that AI systems rely on identifying patterns in existing data and applying this knowledge to new datasets. To effectively identify these patterns, a large volume of data is required. This data must be high-quality, diverse, inclusive, and locally sourced to effectively address local challenges. While protecting personal data is essential, it is equally important to ensure open and secure access to data to support the development of AI algorithms. This makes the AU Data Policy Framework vital, as it offers the necessary guidance to strike a balance between these priorities.

 In line with this, the AI Strategy encourages:

• Alignment of AI governance with existing national laws in order to complement these laws and address regulatory gaps and policy areas;
• Adoption of governance frameworks that outline the principles and practices for ensuring high levels of data quality and security. The Strategy emphasizes the need for African countries to establish National Data Strategies focused on data protection, privacy, and quality data for AI, including data sharing and reuse. African countries collect data from a variety of sources, including government agencies, businesses, and individuals. Countries can store data in secure and accessible locations, create comprehensive datasets through data sharing, and undertake data analysis to identify patterns and trends that can be used to improve AI systems.
• Development of agile, forward-looking, and risk-based regulations at both national and regional levels. These regulations should foster accountability and transparency in the design and deployment of AI systems.
• Cooperation and the sharing of experiences on AI regulations, including the development and implementation of regulatory frameworks at the national level.
• Development of national and regional data pools and data markets, with a focus on facilitating cross-border data transfers within Africa.

2. Establishment of Regulatory Bodies to Oversee the Implementation of the AI Strategy 

Regulatory bodies are crucial to the implementation of the AI Strategy. In this regard, the Strategy:

• Advocates that Member States establish independent institutions responsible for overseeing AI use, enforcing compliance with emerging standards, and providing access to redress and remedies when violations occur; 
• Argues for a regional independent AI Ethics Board, which would review applications from AI research groups seeking to develop novel, large-scale AI systems with the potential to impact African societies significantly; and
• Proposes an Advisory Board on AI to support the African Union and Member States, including research on AI governance approaches, technical assistance, and capacity strengthening for policy-makers.

3. Encouraging Data Sharing Among Stakeholders

The AI Strategy notes a significant gap in the quality, inclusiveness, and availability of data for AI models across Africa. Much of the data from the public and private sectors remains inaccessible because many organizations lack the necessary infrastructure, resources, and data-management protocols to collect and make this data available, which is crucial for accelerating AI adoption. To address these challenges, the Strategy proposes:

• Promoting African cross-border data transfers and open data initiatives among member countries, as well as mechanisms for sharing AI expertise and best practices between member countries;
• Encouraging countries to establish standards to ensure that data is shared in a consistent and interoperable format that enables responsible data management, and in compliance with the AU Data Policy Framework;

• Member countries create policies and strategies that enable access to and sharing of non-personal data for AI, aligned with the AU Data Policy Framework. These strategies should focus on promoting the collection, management, and use of national datasets, addressing data localization and classification, and developing mechanisms for building data skills;
• Public, private, and research access to open data, as well as support for research and innovation in data management;
• Member countries establish and implement data governance frameworks and legal structures for personal data protection, along with protocols that establish standards for sharing data ethically, responsibly, and securely, as recommended by the AU Data Policy Framework; and
• Increasing awareness of AI data needs and encouraging the development of national and regional data pools and data markets, with a focus on facilitating cross-border data transfers within Africa. This approach will enhance data exchange across the continent, fostering collaboration and enabling the development of more robust AI models that benefit from diverse and comprehensive datasets. This also aligns with the goals of the AU Data Policy Framework to create an interconnected data ecosystem that supports AI innovation across African nations.
• Establishing a regional instrument to guide data sharing and cross-border transfers for AI that aligns with national laws, the AU Data Policy Framework, and the Malabo Convention.

4. Harmonizing Data Protection Laws

The Strategy recognizes that enhancing data privacy and security is a key component of safeguarding human rights in the context of AI. It highlights the significant challenges that arise from AI systems collecting and processing vast amounts of personal data, particularly concerning privacy breaches and the unauthorized use of sensitive information. The Strategy further notes that while privacy concerns have a direct impact on individuals’ rights and freedoms, they disproportionately affect vulnerable groups such as children, women, and girls. 

The Strategy notes that a key privacy concern in Africa is the low awareness of privacy rights, and emphasizes the importance of promoting media and information literacy to help people understand how their data is processed as well as the potential consequences of processing. Additionally, it calls for strengthening and re-aligning the continental, regional, and national legal and regulatory regimes related to child online safety to integrate risks posed by AI and build AI skills of law enforcement agencies and regulatory bodies dealing with child protection. 

The Strategy acknowledges the progress made in addressing data protection issues across Africa, as seen with the growing number of data protection laws and authorities. Furthermore, the  Strategy notes that 25 African countries have launched national open data portals, and nearly all of these countries have adopted open data policies, strategies, and plans. Certain African countries, such as Ghana, Nigeria, Rwanda, Sierra Leone, Senegal, and South Africa, have recognized the importance of data in the development of AI and have drafted comprehensive data strategies.

These strategies emphasize data literacy, data infrastructure, open government data, data sovereignty, and the responsible use of data.

Beyond data governance and personal data protection, the Strategy also underscores the need for legal protection against algorithmic bias and discrimination. It recognizes that existing legal frameworks may need to be updated to address the new challenges posed by AI, including compensating for bias and discrimination based on race, gender, or other factors, as well as addressing the potential loss of personal privacy through predictive analytics and other AI-driven processes. The Strategy advocates for a comprehensive approach to AI governance that integrates data protection principles with broader ethical considerations to ensure the responsible development and deployment of AI technologies across the continent.

5. Creating Ethical AI Systems to Address AI Risks 

Crucially, the AU’s Strategy recognizes bias, widening inequalities, marginalization of groups who are not ready to embrace AI, loss of culture and identity, and the widening of social and technological gaps as risks to be avoided. 

It therefore emphasizes that AI ethics should be a foundational element in the development and use of AI, ensuring that these systems are deployed in ways that benefit society and avoid harm to individuals or groups. The Strategy urges African countries to prioritize ethical AI practices by establishing unified legal frameworks that define AI ethics and support the ratification and implementation of relevant regional and international conventions and recommendations. It calls for the development and adoption of codes of ethics for AI developers and users, while noting that systems such as Generative AI pose particularly timely ethical concerns. 

Closing Reflections

The Strategy offers African countries a structured approach to AI governance. Presently, many African nations lack comprehensive AI policy frameworks that could support responsible AI implementation, regulate AI-enabled business models, and promote AI-driven socioeconomic growth. The Strategy encourages African nations to develop governance frameworks, including legislation, that facilitate AI adoption, particularly in countries without existing AI strategies or regulatory frameworks. As the phases of implementation of the AI Strategy begin, the AU and its Member States will have to address potential regulatory fragmentation across the region and the presence of varying AI governance structures that continue to persist, including differing privacy protection processes, security safeguards, and transparency measures. As African countries explore AI governance frameworks, it is important that these frameworks integrate and harmonize data protection principles and other ethical considerations, to ensure responsible AI development optimizes socioeconomic benefits.