The Centre for Human Rights, Faculty of Law, University of Pretoria (Centre) joins the global community in commemorating Data Protection Day 2024. Launched by the Council of Europe (CoE) in 2006, Data Protection Day was set for January 28 of every year in recognition of the day that the CoE opened its data protection convention (Convention 108) for signature. The day is now celebrated across the globe, sometimes under the name International Data Privacy Day, to raise awareness about data protection and privacy. In celebrating the day, the Centre notes the commitments by the African Union (AU) and its member States to ensure the protection of personal information through data protection frameworks in Africa. However, given the ever-evolving nature of data use, there is a need to increase these efforts.


Adopted by the AU in 2014, the AU Convention on Cybersecurity and Personal Data Protection (Malabo Convention) came into force in June 2023 after Mauritania became the 15th African country to ratify it. The Malabo Convention is the most elaborate and binding regional treaty concerning the protection of personal data in Africa and its entry into force is a positive step towards the protection of personal information in the region. However, the Convention took more than nine years to come into force. It therefore requires some of its provisions to be updated to keep up with the use of personal information in the age of new and emerging digital technologies.

In addition to this, the Convention will require a clear and measurable implementation plan to ensure that it is actively mainstreamed into domestic contexts in the region.

In February 2022, the AU developed the AU Data Policy Framework (Framework) to provide continental guidance for data governance in the digital economy. The Framework addresses how states can manage the flow of data responsibly, securely, and in a manner that promotes and protects human rights. It acknowledges the importance of data protection in implementing these measures and identifies the roles of member States in such implementation. However, the Framework is non-binding and, as a result, it relies on the willingness of member States to incorporate its recommendations into their own domestic policies. This, combined with the varying levels of digital infrastructure and regulatory capacity among AU member States, is likely to affect implementation and enforcement of recommended practices in the Framework. Therefore, while the Framework provides an opportunity to harmonise data protection frameworks, its effectiveness is contingent upon working more closely with member States to realise its objectives.

In addition to these efforts, in 2019, the African Commission on Human and Peoples’ Rights (African Commission) adopted the revised Declaration of Principles on Freedom of Expression and Access to Information in Africa (revised Declaration) which provides for AU member States’ responsibilities to protect privacy and personal information in Africa. Principle 42 of the Declaration requires AU member States to adopt laws for the protection of personal information that also provide for the establishment of oversight mechanisms such as Data Protection Authorities (DPAs) to ensure the effective implementation of such laws.

Since Cape Verde enacted the first data protection law in 2001, 35 of the 55 AU member States have enacted data protection laws. Out of this number, only 26 have established DPAs.

As digital technologies become increasingly intertwined with our everyday life – both as individuals and societies – the development of data protection frameworks has become an urgent policy need. On this Data Protection Day, the Centre urges the African Union and its member States to address this need by increasing their efforts.

To increase these efforts, the Centre therefore calls on:

  1. The AU to increase its efforts to update the provisions of the Malabo Convention and collaborate with member States to develop an implementation plan that mainstreams it into domestic contexts in Africa;
  2. The African Union Commission (AUC) to centre human rights protection in the implementation of relevant regional frameworks including the AU Data Policy Framework;
  3. AU member States to enact relevant laws and establish independent and functional DPAs; and
  4. The AU to work towards the harmonisation of existing data protection frameworks in the region while also encouraging differentiated but effective approaches to data protection by AU member States.

For more information, please contact:

Tomiwa Ilori
Postdoctoral Research Fellow
Expression, Information & Digital Rights Unit

Tel: +27 (0) 12 420 4397
Fax: +27 (0) 86 580 5743

