This landscape of patchy privacy legislation presents a significant risk to local organizations working with marginalized communities or around sensitive subjects, leaving both themselves and the people they are trying to help vulnerable. It also creates problems for international groups looking to partner with local agencies, raising questions about what information can safely be gathered and shared.
The AU Commission is the force behind the main document guiding data protection policy on the continent: The African Union Convention on Cyber Security and Personal Data Protection, often referred to as the Malabo Convention, adopted in 2014.
The convention was motivated by an understanding of the risks posed by unmitigated access to private data and the need to protect citizens’ information, but it was also designed to spur information and communication technology development while respecting national security demands. Offering more than lip service to these ideals, it looked to provide guidance on how to establish an effective domestic data protection effort, with the collaboration of civil society groups and other nonstate actors. It also explored how privacy demands could interact with a national security apparatus whose work might require access to some of this information.
“It is unique,” Yedaly said. “No other region in the world [has one].”
That has not translated into widespread, national-level adoption, unfortunately. According to Yedaly, only 10 of the 55 member states have signed on to the convention, and three more have ratified it, though he noted that 18 have used it as a guidance for drafting their own cyber legislation. The commission plans to ramp up its advocacy around the convention this year.
Observers say there are several reasons for the slow pace of adoption.
“The problem is that it’s absolutely massive,” said Lucy Purdon, a policy officer with Privacy International, an advocacy organization. “It’s mixing all of these aspects in one piece of legislation. It’s a bit too much for governments to get to grips with.”
Another problem, experts say, is that data protection simply is not a priority for many governments.
For international organizations, these gaps present a problem. Often headquartered in countries that do have strict data protection guidelines, and working across myriad locations, they can enter African settings with policies that are far more stringent than anything they will encounter locally.