With nearly 600 million people across Africa using the internet today, African countries are increasingly recognising the need to legislate and invest in data and privacy protection.
Internet Society, a non-profit advocacy organisation, estimates that more than 17 African countries have enacted comprehensive personal data protection legislation.
Additionally, according to the United Nations Conference on Trade and Development, 33 countries had some form of legislation that guaranteed data and privacy protection as of 2021.
Speaking at the 2023 Global Data Privacy Week in Abuja, Nigeria’s Minister of Communications and Digital Economy, Isa Pantami, said the Nigeria Data Protection Bureau (NDPB) had invested extensively in personnel to grow capacity.
“The NDPB has created many jobs that the value as of today amounts to N5.5 billion ($12 million),” he said.
Between 2019 and 2022, nearly 10 African countries enacted laws reaffirming data and privacy protection.
In November 2022, Tanzania became the latest African country to pass the Personal Data Protection Law and subsequently established its Data Protection Commission.
Botswana, South Africa, Kenya, Rwanda, Nigeria, Uganda, Togo and Ghana have been front-runners in legislating pro-data and privacy protection policies.
Beyond efforts at the individual country’s levels, regional economic blocs have policies that safeguard data and privacy protection.
The Southern African Development Community (SADC) modelled the SADC Model Law on Data Protection in 2010, which it adopted in 2013.
The Economic Community Of West Africa Supplementary Act A/SA.1/01/10 on Personal Data Protection (2010) and the East Africa Community Framework for Cyber laws (2008) are some regional bloc-level policies targeting data and privacy protection.
Despite the developments in legislation, Brandon Muller, Kaspersky tech expert and consultant African region, highlights the many areas African countries can improve on, especially in averting industrial cybersecurity.
According to Muller, 40% of industrial control system (ICS) computers globally were attacked with malware in 2022, with Kaspersky projecting 47% of the cases occurred in Africa.
Industrial control systems involving manufacturing, processing, product handling, production and distribution are the basis of economic growth.
Kaspersky lists Ethiopia (62%), Algeria (59%), and Burundi (57%) as having experienced the highest number of malware attacks on their industrial control systems last year.
Others listed include Rwanda (46%), Kenya (41%), Nigeria and Zimbabwe (40%), Ghana (39%), Zambia (38%) and South Africa and Uganda (36%).
However, these countries are actively improving efforts to elevate their data protection systems.
Ethiopia is currently in the advanced stages of legislating the Data Protection Proclamation, which will establish a Personal Data Protection Commission.
Algeria’s Law No. 18-07 was recently passed and established the legal framework for collecting, processing, using, and disclosing personal data concerning data processing activities.
With some listed countries recording relatively high vulnerability rates, more laws and policies are needed to ensure safe digital browsing.
Muller outlines the significance of anti-malware systems and practising safe practices as it will ensure long-term safety.
“One infected USB drive or a single spear-phishing email is all it takes for cyber criminals to bridge the air gap and penetrate an isolated ICS network,” Muller notes.
While some malware sources remain complex, especially in advanced systems, Muller explains that “human error still plays a significant role in compromising ICS systems.”
However, Africa is broadly trying to confine itself to the framework set out in the African Union Convention on Cyber Security and Personal Data Protection.
African Union and Internet Security, in a 2018 report dubbed “Personal Data Protection Guidelines for Africa”, recommend creating trust, privacy, and responsible use of personal data, commitment and actions by individual governments and multi-sectorial approaches.
bird story agency
With nearly 600 million internet users in Africa, African nations are increasingly focusing on data and privacy protection legislation. The Internet Society notes that over 17 African countries have enacted comprehensive personal data protection laws, and the UN reports 33 countries had some form of such legislation by 2021.
Nigeria's Data Protection Bureau has invested significantly in personnel, creating jobs worth N5.5 billion ($12 million). Between 2019 and 2022, almost 10 African countries established new laws supporting data privacy. Tanzania introduced the Personal Data Protection Law in November 2022 and set up a Data Protection Commission.
Prominent countries in data protection legislation include Botswana, South Africa, Kenya, Rwanda, Nigeria, Uganda, Togo, and Ghana. Regional organizations like the Southern African Development Community, the Economic Community Of West Africa, and the East Africa Community have their frameworks for data protection.
However, industrial cybersecurity remains a challenge, with 47% of global malware attacks on industrial control systems (ICS) purportedly occurring in Africa. Ethiopia, Algeria, and Burundi faced the highest malware attack rates on their ICS in 2022, and other countries like Rwanda, Kenya, and Nigeria also reported significant attacks.
Despite these challenges, countries are improving their data protection systems. Ethiopia is advancing its Data Protection Proclamation, and Algeria recently enacted Law No. 18-07 to govern personal data processing activities.
Kaspersky's Brandon Muller emphasizes the importance of anti-malware systems and safe practices to enhance long-term cybersecurity, while acknowledging that human error significantly contributes to ICS breaches. Africa is aligning its efforts with the African Union Convention on Cyber Security and Personal Data Protection to enhance data security across the continent.