AfriSIG 2018: How does the General Data Protection Regulation affect Africa?

One of the ways the African School on Internet Governance (AfriSIG) equips leading African scholars and activists from diverse sectors, backgrounds and ages to participate in local and international internet governance structures is through a hands-on practicum. This practical exercise is intended to give AfriSIG fellows the chance to participate in multistakeholder decision-making, using available methods and processes in a realistic environment, while discussing an issue related to internet governance. This year, the practicum is focused on the topic of the General Data Protection Regulation (GDPR).

So, what is GDPR and what does it mean for Africa? How can the African Union address this issue? These were the main questions that fellows tackled on Day 3, with the plan to produce specific policy recommendations and outcomes by the end of Day 4.

Implemented on 25 May 2018, GDPR is a regulation in EU law that provides new ways for people to protect their personal data, privacy and other human rights. It applies to all individuals within the European Union and European Economic Area. By regulating how businesses, governments and other organisations collect, process and store personal data, and by mandating disclosure of information about these practices, GDPR is designed to give citizens greater control over their own data.

Digital rights, as a form of human rights, are fundamental and universal, but at a time when we share so much of ourselves online, our privacy is one of the rights we must fight hardest to protect. In Africa specifically, the absence of existing data protection laws, and lack of support from different AU members present a significant challenge for the African Union to fight for members’ privacy rights.

Though GDPR has been implemented in Europe, it will affect data practices outside the EU because it applies to any organisation that offers free or paid goods and services to EU citizens or monitors their online activity, regardless of the organisation’s location.

In comparison to GDPR, the current AU Convention is inadequate for the purpose of data protection and regulation. The African Union must therefore update its laws and regulations to effectively protect and empower its members.

I would recommend that the AU develop new laws include:

  • Review and Justification of Data Collection and Usage
  • Consent processes for online data collection, including IT and cookie policies.
  • Implementation of privacy by design and default in terms of how user data is collected and used
  • Quicker response to subject access requests
  • Proper staff training for all the key stages of GDPR implementation

However, while we wait for the AU to implement stronger regulations, let us be mindful of how we use the internet because as the saying goes, “human beings may forget whatever they put online but the internet never forgets.”

Afi Edoh (Afia Faith) is Togolese and works for the Afrotribune Media Group in Togo as chief technology officer. She also works as a systems engineer at E-hub.  She is a pass volunteer of Tech Needs Girls. She is a fellow of Afrinic (2017) and a member of Internet Society Ghana and Togo chapter. By attending AfriSIG 2018, she wishes to learn more about internet governance in Africa and how she can contribute more to its safety and availability.