Digital Data Rights Policies by African Regional Organizations and Their Adoption  In Zambia and Kenya

In the digital age, protecting personal data has become a pressing issue and Africa is no exception. As more Africans continue participating in the global digital economy, the continent faces both immense opportunities and significant risks when it comes to how personal information is collected, used, and protected.

To address these challenges, African regional organizations have developed policies to guide member states on data protection, privacy, and cybersecurity. But how far have countries like Kenya and Zambia gone in adopting these frameworks?

 Regional Efforts: Building a Continental Foundation

The African Union (AU) has led the way with initiatives like the Malabo Convention, adopted in 2014. This landmark treaty promotes personal data protection, electronic transactions, and cybersecurity. It sets out key principles of consent, purpose limitation, data accuracy, and security designed to protect citizens’ privacy. However, despite its promise, the Malabo Convention has seen slow uptake, with only a handful of African countries ratifying it by 2024. In addition to the Malabo Convention, the AU has developed the Digital Transformation Strategy for Africa (2020-2030), which emphasizes the importance of harmonizing data protection laws across the continent and building capacity for effective implementation

Complementing the AU’s efforts, other regional blocs have stepped up:

• COMESA (Common Market for Eastern and Southern Africa): In 2018 COMESA introduced the Digital Free Trade Area, recognizing that cross-border e-commerce cannot thrive without strong, harmonized data protection.
• SADC (Southern African Development Community) adopted a Model Law on Data Protection in 2012 and a Harmonized Cyber Security Legal Framework in 2015, both aimed at encouraging member states to align their national laws with regional standards.
• EAC (East African Community) In 2010, EAC adopted a regional legal framework for cyber laws which includes provisions related to electronic transactions, electronic signatures and authentication, data protection and privacy, consumer protection, and computer crime. While not exclusively focused on data protection, this framework laid the groundwork for addressing digital data rights in the region. In 2021, EAC developed a Digital Economy Strategy and is finalizing a Data Protection Bill, both aimed at boosting regional digital trade while safeguarding data rights.

These frameworks are critical because fragmented data policies can hinder innovation, restrict cross-border trade, and leave citizens vulnerable to data misuse.

Kenya and Zambia: National Progress and Gaps

Kenya, a member of COMESA and EAC enacted its Data Protection Act in 2019. The establishes clear rules for how personal data is collected, processed, and shared. It closely reflects the principles outlined in the East African Community’s Cyber Laws Framework and aligns with COMESA’s broader digital initiatives, though Kenya has gone further by adopting European Union’s General Data Protection Regulation (GDPR) like protections. The act also draws inspiration from Kenya’s constitutional right to privacy (Article 31). The Office of the Data Protection Commissioner (ODPC), tasked with enforcing and implementing the act has faced several challenges such as funding and staffing limitations, and balancing innovation with privacy is an ongoing concern. There is also a lack of public awareness of digital data rights and the available mechanisms for redress under the Data Protection Act.

Zambia, a member of both SADC and COMESA, passed its Data Protection Act in 2021. The Act establishes key principles for lawful data processing, the rights of data subjects, and the obligations of data controllers and processors. It also provides for the appointment of a Data Protection Commissioner under the Ministry of Technology and Science. The act draws from the Southern African Development Community’s Model Law on Data Protection, though its data localization requirements extend beyond what regional policies typically recommend. Like many African countries, Zambia struggles with limited technical capacity and low public awareness, which hamper effective implementation of its data protection laws. Notably, both countries have yet to ratify the African Union’s Malabo Convention, highlighting a gap between regional aspirations and national legal commitments.

The Road Ahead: Harmonization and Capacity Building

The experiences of Kenya and Zambia highlight both progress and persistent gaps. The experiences of Zambia and Kenya highlight both the influence of regional policies and the importance of tailoring approaches to national contexts. Regional organizations have laid the groundwork, but successful data protection depends on national action and adequate resources.

 Looking ahead, greater harmonization of data protection laws across Africa is vital to support regional integration and digital trade. Equally important is building the technical capacity of national regulators and raising public awareness, so citizens not only have rights on paper but can exercise them in practice. As Africa’s digital economy grows, safeguarding data rights will be key to ensuring that technological progress benefits all without compromising privacy and security.