The African Union’s Data Policy Framework: Context, Key Takeaways, and Implications for Data Protection on the Continent
Authors: Mercy King’ori, Ulric Quee, Hunter Dorwart
On July 28, 2022, the African Union (AU) released its Data Policy Framework (Framework) following extensive multi-stakeholder engagements. The Framework aims to provide a multi-year blueprint for how the AU will accomplish its goals for Africa’s digital economy. It also sets forth the AU’s vision, scope, and priorities for Africa’s data ecosystem, the regulatory policies underpinning the digital economy, and the creation of the African Digital Single Market (DSM). Broadly, the Framework provides data governance guidance for Africa’s data market by helping Member States navigate complex regulatory issues. The goal of the Framework is to bolster intra-African digital trade, entrepreneurship, and digital innovation while safeguarding against risks and harms of the digital economy.
The Framework builds off the work of the Digital Transformation Strategy (DTS), which the AU adopted in 2020 to spur digital development across the continent, as well as other prior initiatives such as the Africa Continental Free Trade Agreement (AfCTFA) and the Policy and Regulatory Initiative for Digital Africa (PRIDA). African leaders created the Framework to respond to identified needs, opportunities, and risks of the digital economy, including the need to re-think policy around data and its relationship to larger social goals and institutions. In particular, the Framework recognizes that while data may create value, it also brings harms that regulators must address. The AU acknowledges the vast ongoing transformations to regional and global data policies and the need for African leadership to promote harmonization of legal frameworks across the continent.
Notably, the Framework contains many features that align with international approaches to data protection such as the need to root data policy in the rule of law, protect fundamental rights, and strike an appropriate balance between innovation and privacy. However, it also conveys unique and nuanced views on key emerging issues, including:
- Separating data sovereignty (a principle it generally supports) from data localization under the guise of data security, and taking a stance against using security policies to undermine human rights;
- Dissuading Member States from adopting broad data localization requirements. Rather, focus on localization for certain categories of data to ensure broad flow of data in line with policies such as the African Free Continental Free Trade Area Agreement.
- Highlighting areas where Member States can take novel approaches that fit the context of Africa, including prioritizing collective privacy rights and the need for data stewardships and other forms of data trusts; and
- Contextualizing the Framework within the larger process of creating a digital single market to assert Africa’s voice in ongoing global policy conversations and indicate that Member States will no longer be “standard takers” of data protection policy but rather “standard makers” in the future.
This blog post provides a descriptive analysis of the Data Policy Framework to draw attention to key data protection proposals under it. It does not identify challenges of the Framework or delve into specific policy priorities. Rather, we summarize the scope of the Framework and offer a reference guide to understand its contents.
The Framework consists of six sections, each detailing a core feature of how regulators should balance policy harmonization across Member States with respect to digital policy. These sections include: (i) guiding principles, (ii) definitions and categorization of data, (iii) value enablers, (iv) data governance, (v) international and regional governance, and (vi) an implementation framework.
1. Guiding Principles: From Sovereignty, to Fairness and Inclusiveness
The Framework sets forth high-level principles to guide data policy creation and harmonization across Africa. These principles primarily apply to African Union Member States but extend to other stakeholders such as public-private partnership bodies, civil society organizations, regional cooperation fora, and other entities engaging in the digital economy. The principles aim to ensure that the creation and adoption of digital rules aligns with international law and standards and remains balanced. These principles include:
- Cooperation – Stakeholders (including private, public, and civil society bodies) should cooperate to foster exchange and interoperability of data systems within the African Digital Single Market, as well as promote coherence and harmonization of policies;
- Integration – Policies should remove legal barriers to intra-African data flows subject to necessary data protection, human rights, and security considerations;
- Fairness and Inclusiveness – Benefits and opportunities of the digital economy should be equitable and inclusive to redress national and global inequalities to those marginalized by technological developments;
- Trust, Safety, and Accountability – Policies should promote a trustworthy data ecosystem that is safe, secure, accountable, and ethical to stakeholders;
- Sovereignty – Stakeholders shall cooperate to enable Member States to self-manage, govern, and utilize data;
- Comprehensive and Forward-Looking – Policies should strive to create an environment that promotes investment and innovation through the development of infrastructure, human capacity, and harmonized regulations and legislations; and
- Integrity and Justice – Member States must ensure the collection, processing, and usage of data is just, lawful, and not used to discriminate or infringe on individual rights.
2. (Not) Defining and Categorizing Data
The Framework does not define data, stating that the variety of uses and types of data pose practical constraints to formulating a comprehensive definition. However, the drafters highlight that a better understanding of how data functions within the larger technological and digital ecosystem will help support policymaking.
The Framework proposes that Member States—and their data protection authorities (DPAs) in particular—categorize data to clarify and differentiate between different types of data, including personal and non-personal information. This clarification will aid companies’ compliance strategies to align their collection, storage, and use of data with data protection regulations. Furthermore, specifying the types of data, especially personal data, could help DPAs to more efficiently protect and uphold data subject rights.
3. Driving Value in the Digital Economy
Recognizing the power of data to transform economies and facilitate development, the Framework recommends Member States to create an environment that captures the value of the data economy while also preventing harms. In particular, the Framework encourages the creation of dependable regulatory systems to facilitate trust and enhance human, institutional, and technical capabilities to create value from data. The Framework highlights five areas of focus: (i) foundational infrastructure and trustworthy systems, (ii) institutional arrangements for complex regulation, (iii) the need to rebalance the legal system, (iv) create public value, and (v) promote coherent sectoral policies.
Enhanced research and development (R&D) plays a prominent role in the Framework, which encourages further investment in fields such as big data analytics, artificial intelligence, blockchain, and quantum computing. For each of these areas, the Framework stresses the need to place the digital economy within the wider complexities of the digital ecosystem, giving special attention to the role of the state in processing data.
The AU recognizes that digital infrastructure is the backbone of the data-driven economy and stresses the need for Member States to coordinate on investment and development. The Framework proposes policy recommendations for deploying broadband, enabling information communication technology (ICT) architectures, and creating trustworthy digital ID systems through public-private partnerships to spur entrepreneurship and public data reuse. Member states are encouraged to build stakeholder engagement at all levels to ensure organizations use data to further public interests. Specific foundational infrastructures identified include:
- Cloud computing, including cloud services and cloud-based services, to spur system efficiency and reduce capital expenditure on IT equipment, internal servers, storage resources, and software;
- Big data services for both the public and private sector to improve decision-making, forecasting, and consumer segmentation; and
- “Platformization” for new business models and e-commerce services to facilitate trade across geographical borders.
Additionally, the Framework identifies the importance of creating trustworthy data systems to underpin the larger political, economic, and societal environment. AU policymakers stress that a key aspect of this system includes safeguarding basic human rights through the rule of law. The continental challenge is to ensure Member States have all the necessary tools and legal requirements to adapt to rapidly evolving technological challenges. To this end, the Framework proposes a comprehensive benchmarking policy centered around five interrelated considerations:
- Cybersecurity – The Framework recognizes that while regulatory tools to strengthen cybersecurity can mitigate vulnerability threats, they can also if misused, undermine fundamental rights of equity, dignity, and security. Policies should therefore be proportional and limit infringement on online human rights;
- Cybercrime – The Framework stresses that governments must tailor policies to implement regional and global conventions on cybercrime.
- Data Protection – According to the AU, data protection forms the backbone of any data framework as it helps ensure that organizations do not harm individuals when processing their personal data. Data protection policies must fit particular contexts and be adaptive to user interaction and capability online. The Framework cautions against relying too heavily on consent as a regulatory mechanism and promotes other concepts like data stewardships;
- Data Justice – The Framework states that in order to expand the safeguarding of rights from the individual to the collective level, Member States should promote data justice in their policies. Data justice extends to social and economic rights to redress inequalities resulting from historical, structural, and discriminatory injustice that have been reproduced through digital technologies; and
- Data Ethics – Codes of ethics developed by all stakeholder groups can guide the use and design of systems that run on data. The Framework recommends leveraging such codes to mitigate harm in particular technological contexts. The creation of such codes must be as inclusive as possible.
The Framework recommends Member States establish policies that bolster these five considerations to foster trust and safeguard basic human rights through rule of law at the regional and continental levels.
Highlighting that data economies require future-facing, agile regulatory systems, the Framework specifies areas where regulators can work proactively and recommends Member States to prioritize building regulatory capacity and avoiding regulatory silos.
Of note, a key recommendation is for Member States to enable data regulators – Member States should create conditions that build institutional capacity and capabilities to optimize the potential use of data for enforcement mechanisms across sectors. Regulators that have wide authority and competence over data generally may also help to address issues resulting from competition and consumer protection law. Member States should also create a transparency portal to monitor data breaches and consumer data flows.
The Framework proposes concrete recommendations for each of these considerations and recognizes that data regulation cannot happen unless authorities have capacity both internally within Member States and externally on the regional and continental level in collaboration with other regulators. As a result, the AU places special emphasis on regional harmonization mechanisms.
The Framework also identifies key challenges for regulatory coordination including incoherent sectoral policies and incompatible regulatory goals. After outlining these areas and analyzing where regulatory tension could arise, it provides recommendations for overcoming challenges in competition, trade, data flows, and e-commerce policy. Notably, it specifies the privacy and data protection considerations in each of these policies and charts emerging variations in regulatory approaches to data transfers.
Member States are encouraged to harmonize sectoral policies and coordinate in regional fora on these regulatory issues. Complementary policy design choices can help regulators foster intra-African digital trade and data-enabled entrepreneurship while weighing trade-offs of data governance. The Framework recommends coordination in the following areas:
- Competition policy instruments that address anti-competitive behaviors;
- Data portability regulations, provisions, and other enabling activities for open data.;
- Collaboration with international bodies like the OECD and the WTO;
- Regional data infrastructures and data systems including human, technical, and institutional capacity; and
- International harmonization of AI and big data technical standards, ethics, governance, and best practices.
4. Data Governance
The Framework sets forth a multi-prong strategy for data governance on the continent to enable data access and use while encouraging data combination and repurposing to limit the harms and risks of processing. The strategy prioritizes using data for its greatest economic and social value but recognizes that restricting data flows will be necessary in some circumstances to ensure societal protection.
The Framework recognizes that narrowly defining data governance to just encompass data protection is a risk within most African countries. Rather it acknowledges that data governance interacts with other disciplines including competition, cybersecurity, electronic transactions, and intellectual property. For this reason, the Framework proposes a multi-prong strategy for understanding and tackling these related policy areas. The prongs of this strategy include: data control, processing and protection, access and interoperability, security, cross-border flows, data demand, and special categories of data.
The Framework recognizes the importance of facilitating the control of data for individuals, firms, and government and the need for policy to clarify the obligations and responsibilities of parties to find an appropriate balance that governs when entities may control data. The AU stresses that Member State policies should at a minimum design data subject rights to provide personal data control, but the AU also points towards emerging ownership models such as data trusts and stewardships as alternatives to the individual-rights focused model.
On the national level, the Framework recognizes data sovereignty and localization as two mechanisms through which states currently exert control over data, but cautions against pursuing both without specifically tailored reasons.
- Data Sovereignty – The Framework recognizes that AU Member States have a right to formulate digital rules in line with their national interests and that such states should prioritize politically neutral partnerships to avoid foreign interference into domestic affairs. Exertion of domestic sovereignty should be based on multilateral agreements with recourse avenues for cases of infringement.
- Data Localization – The Framework states that localization must be evaluated against potential harms to human rights and generally cautions against adopting such measures. Localization requirements, if adopted, should be as specific as possible and involve multi-stakeholder engagement to avoid over-restrictive policies.
Data Processing and Protection
The AU stresses the need to construct robust data protection mechanisms for the processing of personal data, including the promulgation of data subject rights. Such mechanisms are encouraged to realize privacy, foster trust in digital technologies, and create a sound digital economy. The Framework recognizes the need to ensure that constraints to personal information processing do not impede data flows and for Member States to harmonize policies across regions.
Additionally, the Framework urges Member States to implement a privacy-by-design approach that incentivizes organizations to incorporate privacy into new technology by default via design and development processes. The Framework identifies de-identification (including anonymization and pseudonymisation) in its outline, but also acknowledges that such techniques must be accompanied by strong legal rights for data subjects and regulatory capacity to enforce data protection. Specific recommendations in the Framework include:
- Creating independent, funded, and effective data protection authorities (DPAs) that are accountable and cover all relevant data processing entities. DPAs should drive multi-stakeholder partnerships across the continent;
- Requiring data protection risk assessments (DPIA) for the deployment of new technologies; and
- Promulgating codes of conduct to promote sector-specific needs and ensure best practices in mitigating risks and harms associated with processing.
Data Access and Interoperability (Open Data)
The Framework stresses the need for Member States and regional institutions to take proactive measures to spur data access through open government data, as well as broader data portability to facilitate access and consumer benefits. In particular, the Framework recommends creating open data standards for public data, strengthening data portability rights and policies, promoting data partnerships, and facilitating data categorization. It also urges Member States to establish open data policies, DPAs to issue codes of conduct, and multi-sectoral bodies to implement open data initiatives. Policymakers should make use of regulatory sandboxes and other data hubs to promote data use and management.
Throughout the Framework, AU policymakers acknowledge the importance of data security for preserving privacy, confidentiality, and integrity, as well as building trust in the larger digital ecosystem. Data security refers not only to the physical security of hardware systems but also the logical security of networks, applications, and software and the norms and regulations underpinning such systems. The Framework points to the following areas of focus:
- Data Security and Localization – The Framework highlights the importance of not allowing data security to serve as a barrier to the free flow of data or a justification for data protectionism. Data security may positively enhance integrity and trust but also undermine other values if used for negative ends;
- Transparency Challenges – The Framework also specifies the difficulties of upholding transparency via data security policies. To promote transparency, policymakers should increase efforts to coordinate on incident and vulnerability reporting, adhere to international cybersecurity standards, and create mature markets for cybersecurity and data processing. DPAs and policymakers should especially focus on building capacity and specify data processing roles for security protection; and
- Regional Coordination – The Framework recommends Member States establish a joint sanction regime for cyber-attacks across Africa to promote interoperability and coordination of cybersecurity regimes.
Cross-Border Data Flows
The Framework stresses the importance of aligning national personal data regulations with other African jurisdictions’ regulations to foster trust and data exchange. The Framework acknowledges emerging tensions in cross-border data flows, like the relationship between data sovereignty and cross-border data flows, as well as the regulation of data flows in environments that lack comprehensive data protection laws. Specific recommendations to Member States to facilitate cross-border data flows include:
- Providing minimum standards for cross-border data flows;
- Enshrining reciprocity as a central principle for permitting such flows;
- Prioritizing data specificity to avoid unintended restrictions;
- Incorporating law enforcement considerations into policymaking; and
- Building enforcement capacity and regional coordination.
Data Demand, Sectoral Governance, and Special Categories of Data
The Framework acknowledges the need to bolster data demand across sectors and avoid creating data silos that render data less usable. To promote access to data, the Framework recommends Member States to clearly identify special categories of data and employ codes of conduct for specific sectors to help organizations comply with regulatory expectations. Special data regimes should be integrated into national data regimes to avoid regulatory distortion. To address potential risk of harm to specific groups, the Framework stresses the need to identify and include different data communities into the policymaking process when crafting special categories of data. Although the AU recognizes that special treatment of data based on its particular characteristics is necessary, the Framework stresses that such policies should be in harmony with general data governance principles.
5. International and Regional Governance
The AU recognizes the importance of promoting cooperation between countries to increase dialogue and enforcement coordination. Over the next few years, the AU will develop a consultation framework for interstate collaboration, strengthen links with other regions such as the EU and APAC to coordinate Africa’s common position on data in international negotiations and support the creation of a continental data infrastructure to enable data-driven technologies.
The Framework acknowledges the importance of aligning Africa’s technical standards with internationally-recognized best practices but also states that such standards may not be sufficient for the continent’s unique needs. Rather, regional engagement on standards should take priority. One area outlined in the document where African policymakers can exert leadership is open data arrangements. The Framework specifies initiatives such as the African Development Bank’s central open-data portal, institutional data portals, and volunteer-driven community data sharing initiatives as unique examples of facilitating data sharing and creating a collaborative digital ecosystem.
Continental Instruments and Regional Institutions
The AU stresses the need to develop and bolster continental instruments and institutions to accomplish core goals, such as facilitating data flows while ensuring data protection and safety online.
The Framework calls for the creation of a regional cross-border data flow mechanism, the ratification of the Malabo convention, and the implementation of the African Continental Free Trade Agreement. The Framework also gives priority to the RECs and various human rights courts in Africa to coordinate governance and identifies other bodies like the African Network of Data Protection Authorities, ICT regulatory associations, and the African Competition Forum that could likewise play a role in fostering cross-border transfer rules.
6. Implementation Framework and Stakeholder Mapping
Finally, the Framework proposes an implementation framework divided into five phases and identifies important stakeholders for each phase of implementation.
- Phase 1: Member States would adopt the Framework and work with the AU to develop mechanisms to monitor and centralize regional engagement;
- Phase 2: to establish buy-in, the policy recommends ensuring alignment with continental instruments, engaging continental and regional structures like the RECs, and assessing international frameworks.
- Phase 3: institutions would work towards developing broadband infrastructure and regulatory frameworks before engaging with stakeholders from all sectors
- Phase 4: institutions would evaluate domestic policy instruments; and
- Phase 5: the AU will prioritize intra-African collaboration with RECS and other continental institutions.
As the most ambitious policy document on data regulation in Africa to date, the Framework represents the AU’s desire to form a lasting roadmap for how African nations can safely and responsibly leverage the power of data through the creation of an African Digital Single Market. The Framework attempts to instill broad principles of transparency and accountability of institutions and actors into the fabric of national and regional approaches to data regulation. It prioritizes the inclusion of multiple stakeholders from both the public and private sectors, equity among citizens, and fair competition amongst market players. It also focuses on regional processes, mechanisms, and instruments that stakeholders can leverage to develop a cohesive data policy framework across the continent.
Particularly for data protection and privacy on the continent, the Framework is significant because it centers part of the proposed solutions on data protection that is recognized as the “backbone” of any data framework, while at the same time advancing ideas such as the prioritization of collective privacy rights, fit for the African context. Data justice and data ethics are other pillars proposed for advancing digital policies, in recognizing that economic growth and value from digital markets must not come at the expense of the rights of people and communities.
Concerns about a coherent cross-border data transfers policy for the continent add to the focus on data protection and privacy of the Framework. A significant contribution made is also separating the concept of “data sovereignty” from that of “data localization” under the guise of data security, and taking a stance against using security policies to undermine human rights. The Framework recognizes there is value in data-sovereignty-inspired policies, but understood as a more complex concept and different than mere data localization mandates, which may in fact be more harmful to the rights of individuals and communities.
At its heart the Framework calls on Member States in Africa to collaborate through regional institutions such as the Network of African Data Protection Authorities and relevant stakeholders towards regional and continental harmonization of digital policies. Like African Continental Free Trade Area Agreement and other initiatives, the Framework is designed to spur the creation of a common digital market. The AU stresses that collaboration between national and regional stakeholders is necessary for African countries in their aim to become more competitive in global policy fora. As such, the Framework attempts to set the foundation for African policymakers to engage with stakeholders on a broad set of data regulation issues and prioritizes intra-Continental collaboration through regional institutions.