Data Localization laws, regulations and policies are spreading rapidly around the world. Data localisation refers to the requirement that data about citizens/residents and/or transactions within the economy shall be collected, processed, or stored within the boundaries of a particular “jurisdiction”, such as a country or a regional economic community or bloc. These restrictions on digital trade and services or limitations on data processing or data transfer are often stipulated in data protection laws or regulations.
The financial services and payments industry has become increasingly reliant on digital platforms and service providers operating in different countries. Cross-border data flows have become an integral part of almost every type of transaction or payment within Africa. Free data flows are therefore critical for boosting cross-border transactions such as online payments, funds transfers and remittances usually enabled by Banks and fintechs with cross-border presence.
Kholofelo Kugler through the Mandela Institute of Wits University in South Africa has published a policy brief about Impact of Data Localisation Laws with focus on impact on trade in Africa. I have made references to Kugler’s research brief to drive home the advocacy that African Governments and Central Bank Regulators need to take a second look at their data localisation regulations.
Published regulations on data localisation in the last decade by African Governments and Regulators have had cascading and detrimental effects on progressive developments in the rapid development of the financial services sector, thereby affecting financial integration and intermediation across Africa.
Justifications for Data Localisation by Governments
There are divergent views on the need and the benefits of data localisation. According to proponents of data localisation, unrestricted data flows can lead to loss of jobs, tax revenue, and local capacity in areas such as data hosting infrastructure within their countries.
It has been suggested that the increased enactment of data localisation laws in Africa is attributed to the unfounded fears that sending citizens’ data across borders could increase vulnerability to data privacy and security breaches.
Kugler asserts that there are generally three main types of data localisation requirements by Governments. First, governments restrict the transfer of data outside their borders (strict data localisation requirements). Second, governments restrict data considered sensitive such as related to financial services, health, or national security. Third, governments permit cross-border data flows on the fulfilment of certain conditions (conditional flow regimes).
It has also been argued that countries generally adopt data localisation requirements for the following reasons:
- To ensure data protection, privacy and cybersecurity;
- To support local law enforcement by ensuring local authorities have access to the data needed to support investigations;
- To mitigate geopolitical risk and financial sanctions;
- For protectionism and development of local economy
The most basic reason for the increase in data localisation regulations across the world may be traced to the economic value of data. Data is more valuable today than ever before, and perhaps for practical reasons, countries want to have what is valuable closer to them as it gives them a greater sense of control.
African Union Data Policy on Continental Data Governance
The AU Commission developed the AU Data Policy Framework which was published in July 2022. The AU’s theme of Adopting the Digital Transformation Strategy (DTS) for Africa 2020-2030, along with the operationalisation of the African Continental Free Trade Area (AfCFTA), introduces huge opportunities for more interconnected and interoperable markets and offers avenues for financial services to open new frontiers across African markets.
Also, the AU Data Policy Framework represents a significant step towards creating a consolidated data environment and harmonized digital data governance systems to enable the free and secure flow of data across the continent while safeguarding human rights, upholding security and ensuring equitable access and sharing of benefits.
With regards to the scope of the AU Data Policy framework, it is concerned with data governance that includes personal, non-personal, industrial and public data, not only personal data protection that has been the focus of attention internationally and on the continent in recent years.
The AU Commission asserts in the Data Policy framework that the development of the Policy Framework is necessary to realize the shared vision of an African data ecosystem that shall support the establishment of an Africa Digital Single Market (DSM), foster intra-Africa digital trade, and boost the development of inclusive, data-enabled financial services.
Current Laws/Regulations on Data Localisation in Africa
Many African countries have enacted laws that require data to be stored locally and place restrictions on cross-border transfers of data unless authorized by the data protection authorities or other designated entities.
These include Algeria (article 44 of data protection law); Gabon (article 94 of the Law No. 001/2011 on the protection of personal data); Niger (article 24 of the data protection law); Morocco (articles 43 and 44 of the law No. 09-08 on Processing of Personal Data, 2009); Angola (article 34 of the data protection law); Benin (article 391 of the Benin Digital Code); Burkina Faso (article 42 of the law No.001-2021 / AN), and Cape Verde (article 19 of the Data Protection Act).
Others include Madagascar (article 20 of the Personal Data Protection Law); Mauritius (section 36 of the Data Protection Act 2017); Lesotho (article 52 of the Data Protection Act 2011); Guinea Conakry (article 28 of the cybersecurity and personal data protection law); Ivory Coast (article 7 of the data protection law); Congo Brazzaville (article 23 of the personal data protection law 2016); Sao Tome & Principe (article 19 of the law on data protection), and Togo (article 28 of the data protection law). Data protection laws in Kenya, South Africa,
Many use laws on financial services (e.g. Nigeria, Uganda, Rwanda and Ethiopia), cybersecurity and cybercrimes (Rwanda, Zambia and Zimbabwe), telecom (Cameroon, Rwanda and Nigeria) and data privacy (Kenya, South Africa, Tunisia and Uganda) to place restrictions on cross-border data transfer and effectively put in place data localisation. Some governments specify the categories of data that cannot be exported without authorisation.
Impact of Data Localisation Laws on Financial Services Industry in Africa
The banking, insurance and investment services that make up the financial services industry drive their operations using technology platforms and shared data. Many African banking groups have adopted either a centralized shared technology and data model or a distributed technology and data model. Thus, unrestricted cross-border data flow is crucial for seamless technology operations.
Financial integration and cross-border banking in Africa have been growing strongly in recent years. Banking and financial services Groups with their headquarters in Africa are reshaping the landscape in the wake of the exit of traditional European and American banking groups.
Banks based in South Africa, Morocco, Nigeria, and the West African Economic and Monetary Union (WAEMU) have emerged. For instance, banking groups such as Ecobank, ABSA, Standard Chartered, Guaranty Trust Bank, UBA, Zenith Bank, FNB South Africa, etc. are household names across Africa.
The International Regulatory Strategy Group (IRSG) study on the trends towards data localisation in impacting financial services highlights that data localisation requirements impacting financial institutions can arise in several ways:
- Requiring individuals to consent to data transfers given practical or legal difficulty of obtaining such a consent
- Outright per se prohibitions on transferring data
- Requirements to maintain local copies of data in certain jurisdictions
- Outsourcing restrictions on technology service providers
- Requiring recipient countries to have identical data protection laws as transferring countries
For example, Kenya has enacted a new Data Protection Law that has justified the need to control data flows through a multitude of reasons including national security, cybersecurity, personal data protection, data sovereignty, protection of intellectual property, regulation of corporate behavior among others.
Data Localisation requirements are having a serious toll on cross-border data flows essential to provide financial services by financial services groups that rely on the centralized shared technology and data services model. The restrictions placed on shared data across African countries by Central Banks make it practically difficult for a Banking Group to harmonize its financial products and services accessible for customers across jurisdictions, prevention of financial fraud and effective anti-money laundering coordination.
Can AfCFTA lead harmonization of Data Protection Laws in Africa?
The Agreement establishing the African Continental Free Trade Area (AfCFTA) creates an African single market to guarantee the free movement of persons, capital, goods and services. The Africa single market will rely heavily on the processing of the data of persons resident within and outside the AU, thereby creating the need for an effective data protection regime. However, from the above discussion, the data protection regime across Africa is fragmented, with each country having a distinct data protection framework. This lack of a uniform and harmonized continental framework threatens to derail the gains envisioned for the AfCFTA, because by demanding compliance with the various data protection laws in each African country, free trade of goods and services will be inhibited, the very problem the AfCFTA seeks to address.
The key points of critical importance in the AU Data Policy Framework highlighted above are these three (3) recommendations
- developing a cross border data flows mechanism,
- establishing a common data categorization and sharing framework, and
- working with national data protection authorities to establish a coordination mechanism and body that oversees the transfer of data within the continent.
I encourage the AfCFTA Secretariat to work closely with the various African Governments and their regulators on cyber security and data protection to fully harmonize the African Union Data Policy and create domestic laws that aligns with the principles and objectives of that published Data Policy.
Conclusion
Central Banks in countries like Nigeria, Rwanda, Tanzania, Uganda and Kenya and regional blocs such as the CEMAC and UEMOA have adopted sectoral data localisation laws that have inhibited the free flow of data required by multi-national financial services organisations.
To ensure greater financial integration and cross-border banking in Africa, the Author believes Regulators of banking and financial services in African countries must support the objectives of the African Union Data Policy Framework to harmonize continental data governance and remove the existing restrictions on cross-border data to facilitate inclusive financial services across Africa.