Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Africa: The state of cross-border transfer of personal data in the SADC region
The Southern African Development Community ('SADC') is one of the thriving regional economic blocks on the African continent which has taken steps to support and enable the flow of personal data in the region. In this article, Melody Musoni, an independent privacy professional, discusses data protection laws and provisions on cross-border data flows in countries in Southern Africa, with a particular focus on Botswana.
Background
The free and secure flow of personal data across the African continent is key to boosting economic growth and intra-regional, intra-continental, and international trade. Policy and legal frameworks which promote cross-border data transfers inadvertently meet the objectives of different initiatives and existing instruments on international trade. The African continent has experienced a sharp increase in the use of information and communication technologies and in internet access, investment in ICT infrastructure, and adoption of cloud computing technologies. This has also resulted in a lot of personal data of African citizens being processed. The proverbial 'data is the new oil' or 'data is the new gold' represents the value that personal data plays in today's economy. In fact, due to the non-rivalrous and non-excludable nature of data, data is even more valuable than gold or oil. The value of data, of course, is derived in how it is processed, transmitted, stored, and used to meet the different needs of different target markets. Further, there is an additional layer of value generated when personal data can be transferred to other countries.
SADC and cross-border data flows
The SADC consists of sixteen Member States, namely Angola, Botswana, Comoros, Democratic Republic of Congo, Eswatini, Lesotho, Madagascar, Malawi, Mauritius, Mozambique, Namibia, Seychelles, South Africa, Tanzania, Zambia, and Zimbabwe. Each Member State plays an important role and contributes towards the economic growth within the region. As with other economic regions, the SADC region notes the importance of data, particularly the role played by personal data in the information society.
Noting the value of personal data, the SADC published the Southern African Development Community (SADC) Model Law ('the SADC Model Law')1. This model law acts as a guideline for Member States on how to develop and draft data protection laws. At the African Union level, the African Union Convention on Cyber Security and Personal Data Protection ('the Malabo Convention') was adopted on 27 June 2014. Chapter II of the Malabo Convention deals with the protection of personal data. Of the 13 countries which have ratified the Malabo Convention, five are SADC Member States, namely Angola, Mozambique, Mauritius, Namibia, and Zambia, with Comoros signing, but not yet ratifying it.
For intra-regional trade to be successful and for the SADC Member States to benefit from each other, it is important for Member States to have enabling legal frameworks to promote cross-border data transfers. Part XI of the SADC Model Law provides guidance to Member States on transborder flow of personal data. Article 43(1) of the SADC Model Law provides that '[w]ithout prejudice to Articles 11, 12, 13 and 17, personal data shall only be transferred to recipients subject to the national law adopted for the implementation of this model law, (a) [i]f the recipient establishes that the data are necessary for the performance of a task carried out in the public interest or subject to the exercise of public body, or (b) [i]f the recipient establishes the necessity of having the data transferred and there is no reason to assume that the data subject's legitimate interests might be prejudiced'.
Transfer of personal data to non-Member States or to Member States with no data protection laws is only permitted if an adequate level of protection is ensured in the country of the recipient or within the recipient's international organisation, and the data is transferred solely to allow tasks covered by the competence of the controller to be carried out (Article 44 (1)(a)). Transfers of personal data outside of the SADC region to a country that does not ensure adequate level of protection are permitted under certain cases. Article 45 lists some of these exceptions to include consent of the data subject, transfers for the performance of a contract or implementation of pre-contractual measures, public interest grounds, or protection of vital interests of data subjects.
SADC Member States are also members of the African Union. At the African Union level, the Malabo Convention does not include extensive provisions on cross-border data flows. However, an adequate level of protection by the recipient country is also a requirement. Article 14(6) of the Malabo Convention provides that the data controller should not transfer personal data to a non-member state of the African Union unless such a state ensures an adequate level of protection of the privacy, freedoms, and fundamental rights of persons whose data is being or is likely to be processed. Article 14(6)(b) further provides that the previous prohibition is not applicable where, before any personal data is transferred to the third country, the data controller should request authorisation for such transfer from the national protection authority.
SADC Member States' approaches to cross-border data transfers
SADC Member States have also adopted their own data protection laws at a national level. Member States with enacted data protection laws approach cross-border data flows differently. For instance, the tests for adequacy differ from state to state, or the conditions for cross-border transfer of personal data are also different.
Recently, Botswana released its list of countries where personal data can be transferred. In terms of Section 48(1) of the Botswana Data Protection Act, 2018, the transfer of personal data from Botswana to another country is prohibited. However, the Minister of State President may provide a list of countries where transfer of personal data is permitted (Section 48(2)). Pursuant to this provision, the Minister of State President published a Transfer of Personal Data Order 2022 ('the Order') on 29 July 2022. The Order declared that personal data may be transferred from Botswana to 45 countries. All countries covered are included on the list. In addition, the UK, New Zealand, Israel, Japan, Isle of Man, Guernsey, Switzerland, Uruguay, Republic of Korea, Andorra, Argentina, the Faroe Islands, and Jersey are also listed.
South Africa is the only SADC Member State included on the Botswana list. Kenya is the other African country on the list. While the Order does not provide an explanatory guide on how the Government of Botswana came up with this list, one can note that it could be based on these countries having made progress in enforcing their data protection legal frameworks. Specifically, South Africa enacted the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') and Kenya enacted its Data Protection Act, 2019. In both jurisdictions, independent data protection authorities were appointed to ensure enforcement with their respective data protection laws. Both South Africa's Information Regulator ('the Regulator') and Kenya's Office of the Data Protection Commissioner ('ODPC') are now in operation, and activities such as the registration of data controllers, data processors, and information officers, are currently underway. The requirement for an independent national personal data protection authority is found in Article 11 of the Malabo Convention. Similarly, Part III of the SADC Model Law requires an independent and administrative authority to be established who will have oversight and control of the SADC Model Law and the respective rights of privacy in the national territory.
It is also curious to note that Mauritius, a SADC Member State with a data protection la ( i.e. the Data Protection Act 2017) and an independent supervisory authority (i.e. the Data Protection Office), was not included on the Botswana list. Similarly, Angola has passed Law No. 22/11 on the Protection of Personal Data and has also established the National Data Protection Agency ('APD') as its supervisory authority. Both Angola and Mauritius not only implemented their own national data protection laws, but they also ratified the Malabo Convention.
Unlike Botswana, South Africa does not contain a general prohibition on cross-border data flows. There are different bases that a responsible party may rely on to transfer personal data outside the Republic of South Africa. For example, if the recipient of the information is subject to a law, Binding Corporate Rules ('BCRs'), or binding agreements which provide an adequate level of protection, or if the data subject consents to the transfer (Section 72 of POPIA), such cross-border transfer of personal data is permitted.
Zambia, another SADC Member State, also approaches the issue of cross-border data differently. Zambia recently passed its Data Protection Act No. 3 of 2021 ('the Zambia Data Protection Act') in March 2021. Part X of the Zambia Data Protection Act regulates transfers of personal data outside of the Republic of Zambia. Notably, a data controller is required to process and store personal data and sensitive personal data on a server or data centre located within Zambia (Section 70(1) and (3)). The Minister of Transport, Works, Supply and Communications ('the Minister') may also prescribe categories of personal data that may be stored outside Zambia (Section 70(2)). Section 71(1) provides that personal data other than personal data categorised in accordance with Section 70(2) may be transferred outside the Republic where:
- the data subject has consented and:
- the transfer is made subject to standard contracts or intragroup schemes that have been approved by the Office of the Data Protection Commissioner; or
- the Minister has prescribed that transfers outside the Republic are permissible; or
- the Office of the Data Protection Commissioner approves a particular transfer, or set of transfers, as permissible due to a situation of necessity.
The Minister may, by statutory instrument, prescribe criteria for cross-border data transfers under Subsection (1)(a)(ii) where the Minister considers that the relevant personal data should be subject to an adequate level of protection, having regard to the applicable laws and international agreements, and that the enforcement of data protection laws by authorities with appropriate jurisdiction is effective (Section 71(2)).
Conclusion
The initiatives taken by SADC Member States in protection of personal data are commendable. It is recommended that SADC Member States adopt a consolidated and harmonised approach to data protection. While it is important for purposes of international trade to permit data flows to overseas countries, SADC Member States should strive to promote intra-regional sharing of personal data. Member States should be guided by their regional and continental frameworks on data protection, intra-continental trade, e-commerce, and cybersecurity. This also includes promoting the objectives of frameworks like the African Continental Free Trade Agreement, the African Union Digital Transformation Strategy 2020-2030, and the African Union Data Policy Framework 2022. It is recommended that SADC Member States with no data protection laws in place should take legislative steps to ensure that data protection laws are promulgated. This will make it easier for regional data sharing.
Melody Musoni Independent Privacy Professional
[email protected]
1. Available at: https://www.itu.int/en/ITU-D/Projects/ITU-EC-ACP/HIPSSA/Documents/FINAL%20DOCUMENTS/FINAL%20DOCS%20ENGLISH/sadc_model_law_data_protection.pdf