On 28 July 2022, the African Union (AU) published the AU Data Policy Framework. The Framework aims to protect citizens’ data rights while many African countries use data to drive their economies. The Framework also sets out the guidelines and principles for AU members to collect, store, and transfer personal data seamlessly across the African continent.

Purpose of the Framework

The AU Data Policy Framework is a comprehensive document containing 84 pages. You can read the full Framework on the AU Website. The purpose of the document is to provide a policy framework for African countries to:

  • maximise the benefits of a data-driven economy.
  • enable data to flow freely and securely across the African continent.
  • ensure that data is used for the public good.

Summary of the AU Data Policy Framework

The AU Data Policy Framework requires member states to create data processing frameworks that align with a few key principles. These principles are intended to guide African countries to collect, store, and process personal data responsibly and ethically. For example:

  1. Consent and legitimacy
  2. Limitations on collection
  3. Purpose specification
  4. Use limitation
  5. Data quality
  6. Security safeguards
  7. Openness (which includes incident reporting, an important correlation to cybersecurity and cybercrime imperatives)
  8. Accountability
  9. Data specificity.

Obligations on organisations

According to the Framework, organisations must:

  • Obtain consent from individuals before collecting their personal data.
  • Only collect data that is necessary for their intended purpose.
  • Take appropriate measures to protect personal data from unauthorised access or disclosure, and
  • Ensure that personal data is accurate, up-to-date, and relevant.

The Framework also sets out guidelines for cross-border data transfers. For example, it contains detailed guidelines to ensure that controllers protect personal data when they transfer it across national borders.

Recommendations for member states

The Framework requires member states to implement these Recommendations.

  • Cooperatively enable data to flow on the continent. while safeguarding human rights, data protection, upholding security and ensuring equitable sharing of the benefits.
  • Cooperate with each other to benefit from data-reliant technologies and services.
  • Create co-jurisdictional frameworks so that data regulators can coordinate with each other.
  • Develop national laws on personal data protection and adequate regulations around data governance and digital platforms.
  • Establish or maintain independent, well-resourced and effective Data Protection Authorities (Authorities). Member states must strengthen cooperation with Authorities from members of the African Union.
  • Promote data portability so that data subjects are not locked into a single provider. This will in turn promote competition and more choices for the consumer.
  • Establish an integrated national data system to enable data-driven public and private value creation, operating on harmonised governance frameworks.
  • Member states who have not yet ratified the AU Convention on Cyber Security and Personal Data Protection, must do so as soon as possible.
  • Promote research, development, and innovation in various data-based areas, including Big Data Analytics, Artificial Intelligence, Quantum Computing, and Blockchain.

Recommendations for AU Commission, regional economic communities, and regional institutions

The Framework requires the African Union Commission, regional economic communities, and regional institutions to implement these Recommendations.

  • Facilitate collaboration between the various entities dealing with data across the continent by establishing a consultation framework.
  • Promote and facilitate data flows within and among AU Member States by developing a Cross Border Data Flows Mechanism that considers the various levels of digital readiness, data maturity as well as legal and regulatory environments of countries.
  • Develop a Common Data Categorisation and Sharing Framework that considers the broad types of data and the associated levels of privacy and security.
  • Work with national authorities to establish a coordination mechanism and body that oversees the transfer of personal data within the continent in compliance with existing laws and rules governing data and information security at national level.
  • Work towards building a secure and resilient cyberspace by developing an AU Cyber Security Strategy and establishment of Operational Cybersecurity Centres to mitigate risks and threats related to cyberattacks, data breaches, and misuse use of sensitive information.

Implementing the Framework

The AU Data Policy Framework is a major step towards protecting data across the African continent. By following the recommendations outlined in the framework, governments, businesses, and organisations can process data in compliance with data protection laws at a national level. Since the AU adopted the Framework, they also commissioned a task team to develop an implementation plan for the framework. Research ICT Africa will provide technical assistance to the task team during this process.

The implementation plan will include a capacity assessment tool and a monitoring and evaluation check list.

The AU is expected to consider the implementation plan for endorsement before the end of 2022. We will update this page once the AU endorses the plan.