Data privacy in Africa: Regulation and reality
Data privacy in Africa: Regulation and reality18 December, 2017 •
Ridwaan Boda and Era Gunning of ENSafrica answer questions about data privacy, data sharing and what related regulations mean for financial service providers in Africa.
Do you think it is likely that the commencement of the General Data Protection Regulation (GDPR) in the European Union (EU) will:
- Result in any African countries reworking their related legislation and introducing similarly punitive fines for contraventions?
- Require any changes in the way companies outside of the EU operate?
In many of the African jurisdictions that have legislation in place, the legislation has been modelled on the EU directive that GDPR seeks to replace. It would make sense for African jurisdictions to update and/or effect legislation in line with the GDPR, taking into account the realities of developing countries. However, we have not yet seen evidence of any African state taking proactive measures to update their legislation in this way.
Due to the extraterritorial effect of the GDPR, companies outside of the EU, which process personal data of EU residents (including African companies), will have to change their oversight, technology, processes and human resources processes and functions to comply with the GDPR. This is mandatory.
Will the implementation of the second European Payment Services Directive (PSD2) in 2018 have any implications for African banks and fintechs?
PSD2 is expected to come into force in January 2018. It allows for new purchase payment methods for consumers and will allow online merchants to request permission to securely access a consumer’s bank account, with a simple yes or no response as to whether sufficient funds are available.
As a result, multiple intermediaries are removed from the payment lifecycle – leading to cost savings and fewer potential points of failure. New players, with far less restrictive requirements than commercial banks, will also be permitted to register as payment institutions. This will increase consumer choice and lead to further cost-cutting benefits. Within Africa, even South Africa – which prides itself on its progressive banking and payments industry – has surprisingly not yet begun to follow suit and PSD2 will currently not have any implications for African banks and fintechs.
In South Africa, moving towards a PSD2-type of regulatory environment would open the doors for fintechs to register as payment institutions. In addition, the onboarding of new merchants in an efficient and speedy manner, would be an effective way of increasing local e-commerce and boosting the economy in general.
Do the current considerations for data sharing vary significantly from country to country (within Africa) or are there common principles that can be applied by financial service providers when developing new products?
The vast majority of African countries are yet to effect any legislation related to data and information privacy. Even advanced markets such as Nigeria (and South Africa, whose legislation is not fully in effect yet) lack rules pertaining to data sharing. For countries that have legislation in place, while the rules for data sharing are not uniform, they are on a principle basis, largely consistent. We would, however, always advise companies to consider the specific requirements of the jurisdiction in question as opposed to applying blanket principles across the continent.
In your view, is the “typical” consent-based framework (relating to data privacy and data sharing) outdated given data and technological innovations/advancement?
While consent remains key, most legislation has been drafted with exceptions to obtaining consent in order to process personal data. As long as legislation is drafted to remain technology/format neutral in the manner in which consent is obtained and exceptions continue to apply, consent will still remain a key principle when lawfully processing personal information. The draft Protection of Personal Information Act regulation in South Africa is a good example of how regulation can go wrong in trying to be too prescriptive in the way consent is obtained.
Do you think people can realistically expect to exert control over their personal data and the way it is shared/used?
In the age of big data, mobile networks and the internet, this is increasingly becoming more difficult. The idea of having full and total control over one’s personal data seems to be far-fetched for anyone who uses technology. However, legislation can still go a long way to protect people who feel aggrieved in the way their personal data has been shared and or used.
Is there an ethical case (not necessarily enshrined in the law), to be made for restricting the collection and use of certain types of data, regardless of consent and manner of collection and storage? If so, what do you think these are?
Yes. A good example is in the context of group data as opposed to personal data. There was an instance in a certain African country where a study was conducted relating to the transmission of a particular disease from one part of a country to another via human transmission. In healthcare research terms, the study was invaluable and helped pick up trends related to human transmission of the disease and greatly aided prevention efforts. This study was conducted with all respect to the rights of individuals and their privacy. However, suppose that in the same country there was a history of ethnic violence between people from the affected region and such research was made public; an entire ethnic group would potentially be placed at harm if the research got into the wrong hands. So, while legislation protected the rights of individual data subjects, the group harm or potential for group harm is clear. This is one instance where, ethically, the collection and processing of certain data types becomes questionable while, legally, such processing does not violate any legislation. There are many other instances where the processing of certain types of data becomes ethically questionable but remains lawful.
Ridwaan Boda is a director in ENSafrica’s corporate commercial department, where he heads up the Technology, Media & Telecommunications team. He is also a member of the United Nations Global Pulse Panel of International Data Privacy Experts.
Era Gunning is a director in ENSafrica’s banking and finance department. She is an admitted solicitor of the Supreme Court of New South Wales, Australia, and has advised various clients on anti-money laundering initiatives and statutory compliance issues.