Privacy Is Paramount Personal Data Protection In Africa

Upload by : Milena Petrie
Transcription

Privacy is Paramount
Personal Data Protection in Africa


The importance of compliance with personal data protection legislation for business growth and international trade

With the advancement of technological innovation and cross-border trade, compliance with international personal data protection legislation and standards has become imperative. This is due to the fact that non-compliance with personal data protection legislation could impede an organisation from transferring personal data cross-border, thereby hindering its business operations. This is particularly relevant for multinational organisations with a global footprint who transfer personal data cross-border in the ordinary course of business in conducting international trade. Personal data protection legislation may potentially restrict a multinational organisation’s ability to conduct international business trade if compliance is inadequate. Whether or not an organisation is being prevented from transferring personal data cross-border, is an issue of data sovereignty, in addition to being a data protection issue. Data sovereignty is the principle that data, especially in electronic form, is regulated by the laws of the country in which such data resides. Personal data protection laws contain data sovereignty principles in that they prevent the transfer of personal data to another country, unless certain conditions for such transfer are complied with under the laws of the country from which the personal data transfer is to be made.

In the digitally disruptive age of the internet and electronic commerce (e-commerce) involving the cross-border flow of personal data, a high premium has been placed on personal data and its ability to either promote or hinder international trade. Hence, e-commerce has ushered in a new era of international trade, particularly on the resource-rich African continent, where business growth and foreign direct investment continually allow the harnessing of new opportunities. Business in Africa is expanding at a rapid pace due to a proliferation of investment opportunities on the continent.

To effectively conduct business in Africa, organisations need to understand the African personal data protection regulatory landscape. Non-compliance with personal data protection legislation in Africa may potentially preclude multinational organisations from capitalising on their African exploits, by restricting their ability to transfer personal data to third parties beyond African borders, thus hindering business operations.

In order for multinational organisations to facilitate the cross-border transfer of personal data between their various geographical operations and optimise their business processes in Africa, we set out the following:
• the current African personal data protection regulatory landscape;
• the compliance challenges which this regulatory landscape precipitates for multinational organisations with an African footprint seeking to leverage off the vast investment opportunities in Africa; and
• how multinational organisations may potentially overcome pertinent personal data protection regulatory obstacles, while concurrently augmenting business growth, stakeholder confidence and market competitiveness.

A core theme with regard to international trade and personal data protection regulatory compliance, is the issue of cross-border personal data transfers, which are necessary in order for global organisations to conduct business internationally. As will be discussed further in this whitepaper, African personal data protection laws (in the African countries where they do exist) place restrictions on the transfer of personal data to third parties who are situated outside the borders of the country in which an organisation has a presence, and from which the personal data is being transferred.

However, these restrictions are not intended to be a barrier to organisations’ African (and global) business operations. Rather, they outline the conditions which must be fulfilled for cross-border personal data transfers to be within the limits of the relevant African personal data protection legislation. In the event that these laws are not complied with, organisations would not be able to lawfully transfer personal data (whether relating to customers, employees, suppliers, business partners or others) across borders as part of their business operations. This could potentially result in lost business opportunities and hamper an organisation’s ability to trade internationally, leading to a diminished geographical footprint which in turn, could result in reduced revenues and market competitiveness.

An example of the above issue is that of cloud technology and cloud-based solutions, which seek to improve a multinational organisation’s efficiency and make its data (including personal data) instantly available all over the world. This would ultimately entail the cross-border transfer of personal data, firstly, to the cloud provider’s data centres (should they not be located in the same country as the organisation i.e. offshore), and secondly, to the geographic locations from which the data will be accessible (by anyone within the organisation from any location). A multinational organisation would have to ensure that it engages a cloud provider whose data servers are located in a country with adequate personal data protection laws, especially if such data is to be stored on the African continent. Africa for the most part, does not have personal data protection law, save for a few countries (to be discussed).

Understanding the African personal data protection landscape

In Figure 1 below, we provide an outline of the personal data protection coverage in Africa. As is evident from the diagram, there is no unified approach to personal data protection across the African continent, with some countries having comprehensive personal data protection legislation in place and others having no legislation or constitutional protection. Adapting personal data compliance programmes to be in line with disparate legislation and regulation is no minor feat.

[Figure 1: Africa personal data protection regulatory … (map of African countries; image not reproduced)]

There are currently 17 countries in Africa that have enacted comprehensive personal data protection legislation, namely Angola, Benin, Burkina Faso, Cape Verde, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Mali, Mauritius, Morocco, Senegal, Seychelles, South Africa, Tunisia and Western Sahara [1]. In addition, the African Union (AU), adopted the AU Convention on Cybersecurity and Data Protection (AU Convention) in June 2014 [2]. However, the AU Convention has not currently taken effect as it has, to date, not been ratified by 15 out of the 54 AU member jurisdictions [3]. Nonetheless, the AU Convention does provide a personal data protection framework which African countries may potentially transpose into their national legislation, and encourages African countries to recognise the need for protecting personal data and promoting the free flow of such personal data, taking global digitalisation and trade into account [4]. In this regard, there are three countries, namely Kenya, Uganda and Zimbabwe, which have already enacted personal data protection legislation, the promulgation of which has not yet been made effective, as the laws are still in the form of bills. Tanzania is another country which is currently in the process of enacting personal data protection legislation [5].

Comparison with the European Union Personal Data Protection Regulatory Framework

We have noted the EU personal data protection position here for comparative purposes as far as the AU Convention and the African personal data protection regulatory framework is concerned. We have also highlighted the EU position with a view to demonstrate the benefit to organisations in developing and implementing a comprehensive compliance programme for their African personal data protection regulatory framework – similar to that which would be developed and implemented in respect of organisations’ EU operations, if any.

The European Union (EU) General Data Protection Regulation (GDPR), which will officially come into force on 25 May 2018, will replace the current Data Protection Directive 95/46/EC (the Directive). The difference between the GDPR and the Directive is that, unlike the Directive, the GDPR is automatically enforceable within EU member states and does not, in contrast to the Directive, have to be transposed into EU member state legislation. Hence, it can be said that the AU Convention is similar to the Directive, in that the AU Convention will not have any legal force unless it is transposed into an African country’s legislation. Furthermore, the EU is similar to Africa in the sense that there are disparate data protection legislative requirements across the various EU member states, which can present unique compliance challenges to organisations with an EU presence. Thus, the GDPR will unify the EU’s personal data protection regime, thereby making it somewhat simpler for organisations with an EU presence (throughout several EU member states) to streamline their compliance activities across their EU footprint. It is easier to comply with a single piece of personal data protection legislation across multiple EU jurisdictions, as opposed to several disparate pieces of legislation within the region.

Along these same lines, it is elucidated further below, how organisations with an African presence may conduct their personal data protection compliance programmes to achieve adequate compliance with disparate African legislative regimes – in light of Africa and its AU Convention not currently having a “GDPR equivalent” personal data protection framework in place.

There are common personal data protection themes or principles contained in the legislation adopted by the African jurisdictions which have enacted comprehensive data protection legislation [6]. These themes comprise:
• notice
• choice and consent
• data security
• data access and correction
• data quality and integrity
• data retention and destruction
• registration with a data protection authority (DPA)
• cross-border data transfers
• personal data breach notification
• appointment of a data protection officer (DPO) [7]

1. Cynthia Rich (2016) Privacy Laws in Africa and the Near East (16) 6 Bloomberg BNA World Data Protection Report, 1
2. Ibid 1
3. Ibid 4
4. Ibid 1, 4
5. Ibid 2
6. Ibid 2
7. Ibid 2

Despite most of the aforesaid personal data protection themes being contained in the legislation adopted by the above-mentioned African countries, there are particular principles that differ significantly from country to country. The pertinent personal data protection principles to which these differences relate, are:
• registration with a DPA
• cross-border data transfers
• data breach notification
• appointment of a DPO [8].

In this regard, while some jurisdictions require organisations to register with a DPA, others do not. Moreover, 15 of the 16 above-mentioned African countries require that organisations put in place mechanisms for the cross-border transfer of personal data [9]. The legislative disparities between the various African jurisdictions in respect of personal data protection may prove challenging to multinational organisations with an African presence. Accordingly, any compliance programmes will need to be tailored to account for these disparities. Lack of compliance will result in stiff penalties if all legislative nuances are not sufficiently addressed [10].

The diagram below (Figure 2) is demonstrative of such challenges:

[Figure 2: Cross-border data transfer and breach notification requirement in African countries which have adopted personal data protection … (diagram with the headings "Cross-border data transfer restrictions" and "Personal data breach notification required"; image not reproduced)]

8. Ibid 2
9. Ibid 2
10. Ibid 2-3
11. Cynthia Rich (2016) Privacy Laws in Africa and the Near East (16) 6 Bloomberg BNA World Data Protection Report

It is evident from Figure 2 that while organisations with a presence in any of the above African jurisdictions will need to ensure that they have cross-border mechanisms in place within each relevant jurisdiction, they only need to implement breach notification mechanisms within their business processes where they have a presence in Ghana and South Africa. However, international personal data protection best practice dictates that despite breach notification mechanisms not being required in all other jurisdictions, it is nonetheless imperative for organisations who have suffered a personal data breach, to notify affected individuals that their personal data may have been compromised.

Existing Trends and Aggressiveness of African DPAs in enforcing personal data protection legislation

Current statistics reflect DPA activity in countries such as Ghana and Mauritius as being more robust due to recent action taken or fines issued for non-compliance with relevant personal data protection legislation [12]. The Ghanaian DPA has recently issued fines against certain organisations in the aviation industry for breaching the Ghanaian Data Protection Act. In respect of DPAs in countries such as Senegal and Tunisia, there have not been any reports of particularly robust DPA activity [13]. In contrast, the Moroccan DPA has recently investigated the data protection practices of several websites and applications which collect and process personal data in the context of providing online services [14]. In countries such as Angola, Cape Verde, Madagascar, Mali and South Africa, there has been minimal DPA enforcement and activity – for example, in South Africa, the Information Regulator (Regulator) was only recently appointed and is still in the process of getting its administrative affairs in order.

It is therefore evident that the legislative disparities as well as the disparities in DPA enforcement and activity across the African continent, pose a compliance challenge to organisations with a global as well as an African footprint.

12. Ibid 3
13. Ibid 3
14. Ibid 3

Potential Solutions for Multinational Organisations with an African Footprint to Overcome Compliance Challenges

For multinational organisations with a global and African footprint to achieve optimal compliance with disparate, or even similar personal data protection regulations, especially those in Africa, a high standard of personal data protection compliance should be applied, for example the EU’s GDPR or South Africa’s Protection of Personal Information Act 4 of 2013 (POPI) (which is modelled on the EU’s personal data protection framework, especially the Directive).

If a higher compliance standard is applied, based on a particular country’s legislative requirements, it would potentially streamline the compliance efforts within countries with a lower compliance standard, as there would potentially be automatic compliance due to not having to apply a lower standard of compliance. Thereafter, peculiar legislative requirements may be nuanced where necessary, and complied with once the similar legislative requirements and common personal data protection principles and themes (outlined above) have been met. Accordingly, applying a “one-size-fits-all approach” would not be prudent in ensuring that all legislative requirements have been sufficiently covered.

Considering the implementation of a globally endorsed personal data protection compliance standard: a GDPR standard

If the GDPR standard – considered to be among the highest global personal data protection standards – were to be applied by multinational organisations with an African footprint, this would ensure compliance with most, if not all African personal data protection requirements. Organisations would still need to have a thorough understanding of the data protection legislation (if any) in the African jurisdictions in which they have a presence, and map the similarities and differences relating to the common personal data protection themes, within every pertinent piece of personal data protection legislation. This will, as part of an organisation’s personal data protection programme, enable more streamlined embedding of policies, processes and procedures within business processes to achieve a level of compliance which is mature, across its entire geographical footprint. Such an approach would enable an organisation’s commercial relationships to be preserved while at the same time, achieving legislative compliance.

Applying the GDPR standard would also allow for disparate cross-border data transfer requirements to be more easily complied with, since the GDPR (being a high global standard) sufficiently caters for most scenarios involving the cross-border transfer of personal data and the requirements that need to be adhered to in such circumstances.

Binding Corporate Rules

In this regard, binding corporate rules (BCRs) could be utilised within a group of undertakings to ensure compliance with cross-border transfers – thereby promoting an organisation’s ability to trade internationally and expand its market share and market competitiveness – irrespective of the sector or industry. BCRs are effectively intra-group personal data protection policies and procedures. They serve as a mechanism for multinational organisations with a vast African presence to share personal data within the organisation’s group of undertakings, despite some of the undertakings being based in jurisdictions which do not have adequate personal data protection legislation. For cross-border data transfers to third parties outside of the multinational organisation’s group of undertakings, it would be prudent to engage in a binding contract with airtight personal data protection clauses to ensure the privacy and security of any personal data shared with such third parties.

Furthermore, the countries which personal data is transferred to must be assessed from a data sovereignty perspective to ensure that there are no other laws which place the personal data at risk. For example, is the government of the destination country able to subpoena such data or are there any other laws which dictate how personal data in such a country is to be dealt with?

Conclusion

Organisations with an African footprint will need to set the ball in motion as far as understanding their African personal data protection regulatory framework is concerned. Doing so would ensure that they are able to effectively capitalise on the vast investment opportunities in Africa, as personal data is the new currency with which to effectively conduct business operations globally. In this regard, all stakeholders, including an organisation’s business partners, would be confident in partnering with organisations who place a high premium on personal data protection on the African continent. Hence, organisations should proactively address questions such as: “Do we know and understand our geographical footprint, especially within Africa”, “do we know whether there are personal data transfer restrictions in the African jurisdictions (and elsewhere) within which we have a presence”, and “are our cross-border operations legally compliant”?

Our Privacy and Technology team can assist organisations in answering these questions and in effectively structuring their personal data protection compliance programmes.

Contacts

Southern Africa

Navin Sing
Managing Director: Risk Advisory Africa
Tel: 27 83 304 4225
Email: navising@deloitte.co.za

Dean Chivers
Risk Advisory Africa Leader: Governance, Regulatory & Risk
Tel: 27 82 415 8253
Email: dechivers@deloitte.co.za

Daniella Kafouris
Director: Risk Advisory Africa
Tel: 27 72 559 0360
Email: dkafouris@deloitte.co.za

East Africa

Julie Nyangaya
Risk Advisory Regional Leader: East Africa
Mobile: 254 720 111 888
Email: jnyangaya@deloitte.co.ke

William Oelofse
Director: Risk Advisory East Africa
Mobile: 254 20 423 0000
Email: woelofse@deloitte.com

West Africa

Anthony Olukoju
Risk Advisory Regional Leader: West Africa
Mobile: 234 805 209 0501
Email: aolukoju@deloitte.com.ng

Temitope Aladenusi
Director: Risk Advisory West Africa
Mobile: 234 805 901 6630
Email: taladenusi@deloitte.com.ng

Central Africa

Tricha Simon
Risk Advisory Regional Leader: Central Africa
Mobile: 263 772 234 932
Email: tricsimon@deloitte.com

Rodney Dean
Director: Risk Advisory Central Africa
Mobile: 263 867 700 0261
Email: rdean@deloitte.co.zw

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

Deloitte provides audit, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 245 000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

2017. For information, contact Deloitte Touche Tohmatsu Limited

Designed and produced by Creative Services at Deloitte, Johannesburg. (000000/dbn)
