In early May, I had the privilege of participating in the Network of African Data Protection Authorities (NADPA/RAPDP) annual conference under the theme of promoting regional data governance for digital transformation. Privacy and data protection authorities from across the continent converged in Nairobi for the event, joined by delegates from the private sector, academia and civil society. It was an impressive and well-attended event; one had the feeling of being not only surrounded by numerous policymakers, regulators and other technical experts, but also immersed in Africa’s geographic and linguistic diversity.
As an organisation, NADPA facilitates exchanges and cooperation between its members while amplifying Africa’s voice in global data protection discussions. Niger currently holds the network’s presidency, and the 2024 conference and its co-located NADPA Annual General Meeting were hosted by the Data Commissioner of Kenya, Immaculate Kassait, MBS, who was elected as First Vice-President of the NADPA Council last year.
The conference featured wide-ranging discussions on some of the most pressing issues of our time. It was a testament to the importance of protecting the personal data of Africa’s citizens and the huge progress that has been made in recent years. Three recurring topics were evident in the discussions: the importance of cross-border data flows, the need for localised approaches reflecting each African country’s institutional make-up and cultural nuances, and the capacity and independence of African data protection authorities.
It was clear from the speeches and panels that the free flow of data is recognised as essential to international trade and digital transformation — this is not up for debate. The free flow of data attracts investment that is key for innovation, encouraging companies to develop new technologies and business models for the benefit of consumers. However, despite the continent making great strides on cross-border data through the Convention on Cyber Security and Personal Data Protection (Malabo Convention), the African Continental Free Trade Area (AfCFTA) and the African Union Digital Transformation Strategy for Africa (2020–2030), the challenges are still significant and considerable implementation work remains.
The GSMA has long advocated for the free flow of data across borders and the benefits of harmonised, interoperable regional frameworks. However, the persistence of strict data localisation requirements and a variety of other sector- and subject-specific rules are still threatening the tremendous benefits of digital services and economies.
We see much to be done, whether it is enacting regulations and policies that facilitate responsible cross-border flows, removing unnecessary localisation measures and legacy sector-specific privacy rules, or providing more clarity and guidelines on adequacy or other mechanisms for the transfer of data.
There is also much to be learned through sharing experiences, examining the variety of mechanisms for data transfers provided in other parts of the world, building on the positives, avoiding the mistakes of others and adapting to local requirements and conditions.
The NADPA and its supervisory authority members are essential to administering a culture of data privacy in Africa. Their roles in raising awareness, educating individuals and businesses, encouraging good practice, dealing with complaints, investigating and taking enforcement actions are pivotal in building trust across the region. To realise its ambitions, Africa needs empowered, appropriately resourced and independent supervisory authorities — a requirement recognised by the GSMA in its Smart Data Privacy Laws report.
The GSMA was honoured to participate in the NADPA 2024 conference and stands ready to support existing and emerging data protection authorities on the African continent through its extensive Capacity-building courses (provided free to government and policymakers), by sharing best practices and experiences from the mobile ecosystem, or through participation at the GSMA Ministerial Programme at MWC Barcelona, to which all data protection agencies have an open invitation.