The global data governance landscape is rapidly evolving, presenting an opportune moment for African policymakers to reassess the role of domestic data protection authorities. 

A key aspect to good data governance is balancing the tension between enabling innovation in data driven technologies and protecting individual rights. Since 2016, African states have tended towards the latter, driven by the replication of the European Union’s (EU) General Data Protection Regulation (GDPR). However, the rise of AI and growing geopolitical tension is forcing the EU Commission to rethink, prompting it to table GDPR reforms towards the end of 2025.

African states should use this moment to similarly consider reform. While it is unlikely that they will greatly move away from the pre-reform GDPR template, this blog suggests that, through greater integration of sectoral regulators into national data governance processes, African states may:
(a) Better balance innovation with protecting consumer interests
(b) Pragmatically assist overburdened and capacity-constrained African data protection authorities (DPAs)

The context of reform

In September 2025, the EU Commission released the EU Data Union Strategy. It recognises the unwieldy regulatory burden that the GDPR places on businesses and emphasises the need to promote access to data to enable innovation in emerging technologies. As the European Commissioner for Tech Sovereignty, Security and Democracy stated, “regulation alone is not enough, as we know, we must also move from rulemaking to innovation building…we need immediate steps to get rid of regulatory clutter.”

At the same time, the recent adoption of the African Continental Free Trade Agreement’s Digital Trade Protocol (DTP) and entry into force of the African Union Convention on Cyber Security and Personal Data Protection have generated great momentum for the domestic implementation and reform of data governance across the continent given that both treaties include the first continent-wide, binding minimum standards for national-level data protection frameworks.

This dual context presents an opportune moment for African states to reexamine whether the direct transposition of the GDPR’s (pre-reform) approach to data governance and its innovation implications and capacity requirements is appropriate for African domestic contexts.

The benefits and drawbacks of the omnibus approach to data governance

Embodied by the GDPR, the ‘omnibus’ approach refers to the imposition of an overarching national dedicated data protection regulatory framework that is cross-cutting across all sectors, applies as a single source of protection at all levels, and is enforced by a dedicated DPA.
This approach has seen wide dissemination and reflexive replication by African policymakers concerned that regulatory inaction may stifle digital services trade and foreign direct investment (the ‘Brussels effect’). More recently, this approach has been codified by Article 21 of the AfCFTA DTP and Articles 4-15 of the DTP Annex on Cross-border Data Transfers, creating a binding obligation for African states to adopt or maintain an omnibus approach moving forward.

Such an approach has its benefits:
• Certainty: It provides uniform obligations for all actors regardless of sector
• Consistency: It minimises regulatory gaps given its cross-sectoral application
• Primacy: The right to privacy and data protection is enshrined at a cross-cutting national level, creating a higher-order obligation for actors to ensure that personal data is protected

However, it also has drawbacks:
• Lack of specificity: Regulations may create vague obligations for actors that collect, process and store data in different contexts and for different use cases
• Sector agnosticism: It may not adequately address sector-specific risks or enable sector-specific innovation
• Capacity intensive: There may be an enforcement lag while the requisite institutional infrastructure is created

These drawbacks may be largely mitigated by a dedicated DPA that is quickly established, has a clear mandate, is well resourced, and can provide sector-specific guidance in a timely and comprehensive manner. And here lies the crux of the issue: for many African states, DPAs are generally overburdened, underfunded, face technical shortfalls and capacity constraints, or have yet to even be set up.

For example, Lesotho’s 2011 Data Protection Act has been law for over a decade but the Data Protection Commission has remained unappointed, while South Africa’s Information Regulator (one of the most well-resourced African DPAs) has reported severe capacity constraints, an inability to retain skilled staff and funding shortfalls.

A way forward: integrating sectoral regulators into national data governance processes

African states find themselves in a difficult position, obliged to adopt GDPR-inspired omnibus data protection frameworks under the DTP yet lacking the requisite legal, supervisory, technical and financial resources to effectively enforce them (a textbook example of the ‘transplant effect’, which refers to the direct transposition of foreign legal frameworks without adequate consideration for local context).

However, these resources can often be found in the sectoral regulators that administered and enforced implicit (and rarely, explicit) sectoral data protection requirements prior to the adoption of national data protection legislation.

Financial sector regulators in particular often have a history of sectoral data governance in Africa, and extensive experience in striking the balance between protection and innovation. Moreover, while the DTP obliges the adoption of an omnibus approach, it also recognises its non-mutual exclusivity with sector specific regulation: Article 19(c) of the Annex on Cross-Border Data Transfers calls for states to encourage “the development of industry-specific self-regulatory data codes of conduct.”

As such, it would be prudent for African policymakers and capacity-constrained DPAs to utilise sectoral expertise both to address capacity constraints and promote innovation where appropriate. Sectoral regulators may be trusted to develop and enforce subordinate sectoral regulation with oversight from the DPA, given more independence to interpret or enact national data protection legislation or consulted to co-develop guidelines that translate ‘whole of society’ omnibus legislation into context-appropriate sectoral obligations. Sectoral regulators empowered in such a way are better placed to enable sector-specific innovation balanced against data protection principles contained in overarching data protection legislation.

There is precedent for this approach: South Africa’s Protection of Personal Information Act empowers the Information Regulator to accept and issue sector-specific codes of conduct upon application by a representative industry body (Section 61.1(b)). This has led to the Information Regulator issuing a code of conduct for the Banking Association of South Africa and Credit Bureau Association respectively that were both drafted and submitted by each respective industry body. While these are examples of ‘bottom-up’ policy shaping by industry bodies, it shows that African sectoral expertise can be effectively utilised by DPAs to guide national data policy processes.

As a more explicit international example, the Financial Conduct Authority and Information Commissioners Office in the United Kingdom have a long history of joint data governance regulation in the financial sector. They regularly issue memoranda of understanding (MOU) that establish areas of cooperation, information sharing, and delineate respective regulatory boundaries. Beyond MOUs, they also actively pursue strategic joint initiatives. These include developing AI regulatory sandboxes and open finance frameworks, and issuing guidelines on specific areas of innovation.

The forthcoming reform of the GDPR potentially marks a swing in global data governance towards a more equal balance between innovation and data protection. African policymakers should heed this moment to reexamine whether pre-reform replicant domestic data protection frameworks similarly remain fit for purpose in a world of emerging technologies and national capacity constraints. While the breadth of reform will be governed by the obligations contained in the DTP, African countries could look to enable greater sectoral regulatory participation within an omnibus framework to help address its deficiencies.