世界銀行 -非洲數(shù)字?jǐn)?shù)據(jù)監(jiān)管

PublicDisclosureAuthorizedPublicDisclosureAuthorizedPublicDisclosureAuthorizedPublicDisclosureAuthorized

GOVERNANCEANDTHEDIGITALECONOMYINAFRICA

TECHNICALBACKGROUNDPAPERSERIES

RegulatingDigitalDatainAfrica

GOVERNANCEANDTHEDIGITALECONOMYINAFRICATECHNICALBACKGROUNDPAPERSERIES

RegulatingDataProtectionandCybersecurityinAfrica:FindingsfromtheGlobalDataRegulationDiagnostic

TechnicalBackgroundPaper:RegulatingDataProtectionandCybersecurityinAfricaFindingsfromtheGlobalDataRegulationDiagnostic

iii

Copyright?2023

TheWorldBank

1818HStreetNW

WashingtonDC20433

Telephone:202-473-1000

Internet:

Disclaimer

ThisworkisaproductofthestaffofTheWorldBank.Thefindings,interpretations,andconclusionsexpressedinthisworkdonotnecessarilyreflecttheviewsofTheWorldBank,itsBoardofExecutiveDirectors,orthegovernmentstheyrepresent.

RightsandPermissions

Thematerialinthisworkissubjecttocopyright.Anyqueriesonrightsandlicenses,includingsubsidiaryrights,shouldbeaddressedtoWorldBankPublications,TheWorldBankGroup,1818HStreetNW,Washington,DC20433,USA;fax:202-522-2625;e-mail:pubrights@.

TechnicalBackgroundPaper:RegulatingDataProtectionandCybersecurityinAfricaFindingsfromtheGlobalDataRegulationDiagnostic

iv

Acknowledgements

ThisBackgroundNotewaspreparedbyRongChen(Economist,DigitalDevelopment),LillyanaDazaJaller(consultant),andTaniaBegazo(SeniorEconomist)withcontributionsfromAnaRuival(consultant,DigitalDevelopment).

TheBackgroundNotebenefitedimmenselyfromtheparticipation,assistance,andinsightsfromotherexperts.TheteamisespeciallygratefulforreferencesoncybersecurityassessmentsinAfricaprovidedbyAnatLewin,SeniorDigitalSpecialist,thepeerreviewersDavidSatola,LeadCounsel,Technology&Innovation,LegalandAnatLewin,andthepriorworkconductedfortheWorldDevelopmentReport2021‘DataforBetterLives’thatallowedforthedevelopmentofthesurveyusedtocomparethestatusofdataregulationacrosscountriesinAfrica.

TechnicalBackgroundPaper:RegulatingDataProtectionandCybersecurityinAfricaFindingsfromtheGlobalDataRegulationDiagnostic

v

CommonAbbreviationsandDefinedTerms

Thissectionexplainsthecommontermsandabbreviationsusedinthispaper.

Abbreviation/Term

FullTerminology/Definition

ARP

AdministrativeRedressPanel

ATI

AccesstoInformation

CERTs

ComputerEmergencyResponseTeams

CNDP

Morocco’sDataProtectionNationalCommission

CSIRTs

ComputerSecurityIncidentResponseTeams

CSSSI

Morocco’sCommitteeforInformationSystemsSecurity

DGSSI

Morocco’sDirectorateGeneralforInformationSystemsSecurity(,

DPC

Kenya’sDataProtectionCommissioner

ECCAS

EconomicCommunityofCentralAfricanStates

FRAND

Fair,reasonableandnon-discriminatoryterms

GCI

GlobalCybersecurityIndex

IPR

Intellectualpropertyright

maCERT

MoroccanComputerEmergencyResponseTeam

NCS

Nationalcybersecuritystrategy

NIN

NationalIdentificationNumber

vi

TableofContents

1ImportanceofDataRegulation 1

2Personaldataprotection 2

2.1ObservationsoftheregulatorylandscapeonpersonaldataprotectioninAfrica 3

2.2Regionalcollaborationonpersonaldataprotection 7

2.3Africavs.otherincomegroupsonpersonaldataprotectionframeworksonthebook 8

2.4Implementationandcompliance 10

3Cybersecurityandcybercrime 14

3.1ObservationsoftheregulatorylandscapeoncybercrimeandcybersecurityinAfrica 15

3.2Regionalcollaborationoncybersecurityandcybercrime 18

3.3Africavs.otherincomegroupsoncybersecurityandcybercrime 19

3.4Implementationofcybersecurityinitiatives 22

4Dataregulationandgovernance 23

5Useandreuseofdataandcrossborderdataflows 26

5.1Enablingtheuse/reuseofpublicintentandprivateintentdata 26

5.2Cross-borderdataflows 28

6Conclusion 31

7References 33

ListofFigures

FigureI.Individuals’concernabouttheironlineprivacy 3

FigureII.DataprotectionlegalframeworksinAfrica 4

FigureIII.ComprehensivenessofAfricandataprotectionlaws 6

FigureIV.ResponsibilitiesofAfricanDataProtectionAgencies 7

FigureV.Percentofcountriespercountryincomegroupthathaveadoptedgoodregulatorypracticesonpersonal

dataprotection 9

FigureVI.CybersecurityandcybercrimeframeworksinAfrica 15

FigureVII.ComprehensivenessofAfricancybersecurityframeworks 16

FigureVIII.ComprehensivenessofAfricancybercrimeframeworks 17

FigureIX.Regulatoryqualityandcybersecurityandcybercrimescore 25

FigureX.Governmenteffectivenessandcybersecurityandcybercrimescore 25

vii

FigureXI.RuleofLawandcybersecurityandcybercrimescore 25

FigureXII.Regulatoryqualityscoreandpersonalprotectionscore 25

FigureXIII.Percentofcountriesperincomegroupthathaveadoptedgoodpracticesonpublicintentdata 27

FigureXIV.Percentofcountriesperincomegroupthathaveadoptedgoodpracticesonprivateintentdata 28

FigureXV.Averagescoresondifferentdatagovernancedimensionsbyincomegroup/region[Notefornextversion:

includeNorthAfrica,E&SandW&Clines] 32

ListofTables

TableI.Implementationandenforcementofdataprotectionlaws 14

TableII.Implementationandenforcementofcybersecurityrules 23

1

1TheImportanceofDataRegulation

RapiddevelopmentofdigitaltechnologiesinrecentyearshasshownitsgreatpotentialforAfricatopromotejobcreation,improvedeliveryofpublicservices,andenhanceindividualwelfare.Forinstance,itisestimatedthate-commerceplatforms,suchasJumia,couldcreateaboutthreemillionnewjobsinAfricaby2025.1Mobilemoney,exemplifiedbytheglobalhouseholdname—M-Pesa,contributestopovertyreductioninmanyAfricancountries.2TheCOVID-19globalpandemicledtoanacceleratedriseintheuseofdigitaltechnologiesaroundtheworld,increasinginnovationbutalsoleadingtovariousgovernancechallengesandrisks.

Thereisagrowingconcernondataprotectionandcybersecurityrisksassociatedwithvariousdigitaleconomicactivities.Dataprotectionisatthecoreofthisapprehensionforindividualsaroundtheworld.Fromsocialmediatomobilepaymentstotelehealthappointments,ourpersonalinformationisstoredindatabasesonanunprecedentedscale.Whiletheseinnovationsmakeourliveseasierandkeepusconnected,unlessthedataareadequatelyprotecteditcanbemisusedforallkindsofpurposes,fromharassmenttofraud.

TheincreaseduseoftheInternetforbothpersonalandprofessionalneedshascreatedopportunitiesfordangerousplayersseekingtotakeadvantageofvulnerabilitiesforpersonalgain.In2020,Kenyaninternetusersfaced14millionmalwareattacksbetweenJanuaryandAugust.ThenumberofcyberattacksinZimbabwegrewfivetimesduringthesameperiod.3InAugust2020,Experian,aglobalconsumercreditreportingcompany,soldpersonaldataofabout24millionSouthAfricanstoafraudsterposingasalegitimateclient.4InDecember2020,personallyidentifiableinformationbelongingtoAbsaBank’scustomers-whoarespreadthroughouttwelveAfricancountries-wereleaked.AccordingtotheAfricanUnionConventiononCyberSecurityandPersonalDataProtection,cybercrime“constitutesarealthreattothesecurityofcomputernetworksandthedevelopmentoftheInformationSocietyinAfrica”.5

Adequatelegalandregulatoryframeworksarekeyforcountriestobeabletofullyreapthebenefitsofemergingtechnologieswhileminimizingtheassociatedrisks.Theinternationalnatureoftheuseandimpactofthesetechnologiescomplicatetheirregulation.Concernsabouthowdataisacquired,handled,used,sharedandreusedhaveledtogovernmentsestablishingheterogeneousapproachesfordatagovernance.Dataarethebuildingblocksoftheserevolutionarytechnologiesandrestrictingtheirflowcanhampertrade,innovation,andeconomicgrowth.6Governmentshaveadifficulttask:ensuringadequateflowofdataacrossbordersandwithinacountrytoallownoveltechnologiestooperateadequatelywhilesafeguardingindividualrights.Arights-basedapproachcanleadtoincreasedtrust,whichcaninturnfosterdataflowsanddata-baseddigitalsolutionsfordevelopment.7Thisnotefocusesonfewkeyregulatoryaspects:dataprotection,cybersecurityandcybercrimetoboostdigitaltrust;andrulesontheuse,transferandre-useofdatatoenablenewdigitaltechnologies.OtheraspectsofthedataecosystemasdescribedintheWordDevelopmentReport‘DataforBetterLives’arenotcoveredinthisnote.

Tomaximizethedividendsfromaboomingdigitaleconomy,thecontinentshallbepreparedtoaddressrisksassociatedwiththevarietyofdigitaleconomyactivities,whileenablingtheuseofdatafordevelopment.Arobustdatagovernanceenvironmentisessentialinpromotingthesustainabledevelopmentofthedigitaleconomy.Acomprehensiveregulatoryframeworkthatspecifiesrightsand

2

responsibilitiesofdifferentstakeholdersincollecting,using,andreusingofdata,independentauthoritiestoenforcelawsandaddresspubliccomplaintsonviolations,aswellaspublic-privatepartnershipandregionalcollaborationareallimportantcomponentsofsucharobustdatagovernanceenvironment.

ThisnoteaimstoprovideanoverviewofdatagovernanceframeworksinAfricaandexplorelinkswithengenderingpublictrustandimprovingaccountabilityandtransparency,aswellasprovidinganenablingenvironmentforparticipatinginthedigitaleconomy.ItexploitsdatafromtheGlobalDataRegulationDiagnostic(GDRD)8whichcollectedinformationondataregulationsacross80countriesglobally,including24Sub-SaharanAfricancountriesandthreeNorthAfricancountries,asofJune2020.9AdditionalinformationforselectedcountrieswascollectedthroughdeskresearchandinterviewstounderstandchallengesintheimplementationofrulescapturedbytheGDRD.ThiscomplementaryinformationisasofFebruary2022.

Thisnoteisorganizedasfollows.Section1coversdataprotection,whilesection2looksintocybersecurityandcybercrime,bothimportantaspectsfordigitaltrust.Section3looksatthelinkagesbetweendataprotectionandcybersecurityandcybercrimeframeworksandbroadergovernanceindicators.Section4highlightsaspectsthatcanaffecttheuseandreuseofdata-datacollectedforpublicpurposesandbytheprivatesectoraspartofroutinebusinessprocess-forthedevelopmentofdigitaltechnologies.

2Personaldataprotection

Personaldataprotectionisacrucialaspectofaneffectivedatagovernanceenvironment.Personaldatareferstodatathatconveysinformationthatisspecifictoaknownorknowableindividual.Lackoftrustinthewaypersonaldataismanagedmakesindividualsuncomfortableaboutsharingsuchdata,whichcouldlimitthegrowthofthedigitalmarkets.10AccordingtotheDataConfidenceIndex,11internetusersinAfricaareparticularlyconcernedabouttheimpactoftheinterneton“personalprivacy”.12ConsumersinKenyaexpressedpreferencesondigitalloanproductswithmore“dataprivacy”features.13Inastudyconductedin2019,96percentofEgyptiansexpressedconcernabouttheironlineprivacy,wellabovetheglobalaverageof78percent.14Ontheotherhand,Kenyastoodoutwiththehighestlevelofconfidenceamongalltheeconomiescovered(FigureI).Governmentscanhelpengendertrustbygrantingdatasubjectrightswithregardtotheirpersonalinformationandimposingtechnicalrequirementsondatacontrollersanddataprocessorstoensuretheadequateprotectionoftheinformation.Theestablishmentofacapableandeffectiveenforcementauthorityisalsokeytoensureadequateimplementationofthelegislation.15

3

FigureI.Individuals’concernabouttheironlineprivacy

Source:CIGI-Ipsos(2019)

2.1ObservationsoftheregulatorylandscapeonpersonaldataprotectioninAfrica

OverhalfofthecountriesinAfricahaveintroducedgeneraldataprotectionlegislation,applicabletoallsectors(FigureII).Tunisia,Mauritius,andBurkinaFasowereregionalpioneersinthisregard,introducingdataprotectionlawsasearlyas2004.Duringthefollowingdecade,severalcountriesfollowedsuit,andasofDecember2021twenty-sixAfricancountrieshaveadoptedgeneraldataprotectionlaws.Notably,MauritiuspasseditsDataProtectionAct,whichiscloselyalignedwiththeEUGeneralDataProtectionRegulation(GDPR),fivemonthsbeforetheEUregulationwasimplementedinMay2018.Theyear2020wasoneofgreatadvancesfordataprotectionlegislationinAfrica.Egypt’sLawontheProtectionofPersonalDatacameintoforceinOctober2020.Priortotheapprovalofthislaw,Egypthadsector-specificlegislationwhichaddresseddataprotectionissues,suchastheLaborLawandtheBankingLaw.InSouthAfrica,althoughtheProtectionofPersonalInformationActwassignedintolawin2013,mostoftherelevantprovisionswerenotoperationaluntilJuly2020.Mostrecently,RwandapublishedadataprotectionlawinitsOfficialgazetteinOctober2021.Othereconomieshavereportedlyengagedindiscussionstointroducegeneraldataprotectionlaws,includingEthiopia,Malawi,andTanzania;however,nopublicdraftsofthoselawswereavailableasofFebruary2022.

AsmallernumberofAfricancountrieshaveintroducedsector-specificlaws,andsomerelyonconstitutionalprovisionsforprivacyprotection.Forexample,althoughCameroonhasnogeneraldataprotectionlaw,itsLawonCybersecurityandCybercrime–applicabletoelectroniccommunicationsnetworksandinformationsystems—includesprovisionsondataprivacy.AlthoughtheDemocraticRepublicofCongoandLiberiahavenotintroducedanylawsaddressingtheissueofdataprotection,bothcountries’Constitutionsincludeprovisionsregardingtheindividualrighttoprivacy.However,thesemeasuresarenotsufficienttotacklethesituationsdatasubjectsanddataprocessorsareexposedtoin

4

today’sworld.Finally,eightAfricancountries(denotedingrayinthemapbelow)lackanymentionofdataprotectionorprivacyintheirlegalframeworks.

Note:atopscoreof1(darkorange)indicatestheexistenceofageneraldataprotectionlaw,ascoreof0.5indicatestheexistenceofonlyasector-specificpersonaldataprotectionlegislation;ascoreof0.25(lightestorange)indicatesthatthereareprivacyand/ordataprotectionrightsprotectedinthecountry'sconstitution.

FigureII.DataprotectionlegalframeworksinAfrica

Source:AuthorsbasedonGlobalDataRegulationDiagnosticandDataGuidance(2021)

5

Afteradoptingadataprotectionlawofgeneralapplication,comprehensivenessofsuchlawdeterminesthelevelofprotectionprovidedtodifferentmarketplayers.AspointedoutintheGlobalDataRegulationDiagnostic,itiscrucialtoexaminewhetherthedataprotectionlawspecifiesdatasubjectrightssuchasredressandtherighttochallengetheaccuracyofdatacollected,andrequirementsforcollectionandprocessing,suchaspurposelimitation,dataminimization,andstoragelimitation(Box1).Itisalsoimportanttolookatwhetherlimitationsexistontheabilitytomakedecisionsaboutindividualsonlyonthebasisofautomatedprocessing,whichmightleadtosocialdiscrimination,andwhetheranecessityand

proportionalitytestappliestoexceptionstolimitationsongovernmentdatacollectionorprocessing.Finally,otherkeyinformationincludeswhetherdatasubjectrightsareeffectivelyprotectedonthetechnicalsidethroughtheimplementationofmeasuresbasedonthedataprotectionbydesignanddataprotectionbydefaultprinciples,aswell

BoxI.Dataprocessingrequirements

Purposelimitation

Datamustonlybecollectedforaspecifiedpurpose

Data

minimization

Datamustbeadequate,relevant,andlimitedtowhatisnecessaryinrelationtothespecifiedpurpose

Storagelimitation

Datamustnotbekeptlongerthanisnecessaryforthespecifiedpurpose

Source:ICO(2021)

asbythemonitoringactivityofadataprotectionauthority.

TheexistingdataprotectionframeworksinAfrica16arelargelycomprehensive(FigureIII).Governmentsthathaveintroducedanoverarchingdataprotectionlawhavetendedtoincludewhatareemergingascommonelementsofgoodinternationalpracticeinthisarea,suchaspurposelimitation,dataminimization,anddatasubjectrights,whichfeatureinsourcesrangingfromtheOECDPrinciplesandGDPR.KenyaandBeninhavealsoincludedmorenovelmeasures,suchasdataprotectionbydesignanddataprotectionbydefault.Notably,SouthAfrica’sdataprotectionlaw,whichcameintoeffectin2020,leavesouttheserequirements.Dataprotectionbydesignmeansthatentitiesshouldconsiderdataprotectionattheinitialdesignstagesoftheirproductsandsystemsandthroughoutthelifecycleofthedatacollected,andnotasanafterthought.Theprincipleofdataprotectionbydefaultentailsincorporatingtheprincipleof‘dataprotectionbydesign’bydefaultintoitsdataprocessingactivities.Olderdataprotectionlaws,whichcalledfor‘a(chǎn)ppropriatetechnicalandorganizationalmeasurestoprotectdata’,weretoobroad,allowingcontrollerstobereactivewithregardtodataprotectioninsteadofimplementingpreventativemeasuresfromtheoutset.Finally,PrivacyEnhancingTechnologies(PETs)aretechnologiesdesignedtoalloworganizationstoextractthefullpotentialofdatawithoutputtingadatasubject’sprivacyatrisk.

6

Datasubject'srighttoredressDatasubject'srighttochallengeaccuracyDatasharingrestrictions

Storagelimitation

Dataminimization

Purposelimitation

DataProtectionAuthoritySafeguardsonautomateddecisionsNecessity&proportionalitytest

Dataprotectionbydesign/default,PETs

25

25

25

25

25

25

24

2

9

19

0510152025

#ofnationallawsthatadoptedtheprovision

FigureIII.ComprehensivenessofAfricandataprotectionlaws

Source:AuthorsbasedonGlobalDataRegulationDiagnosticanddesktopresearch

EveryAfricancountryinthesamplethathasadoptedadataprotectionlawofgeneralapplicationhasbuttresseditwiththerequirementtoestablishadataprotectionauthority(DPA),butthisauthorityisnotalwaysindependentorinoperation.InseveralAfricancountries,includingAngolaandEgypt,althoughthedataprotectionlawrequirestheestablishmentofaDPA,ithadnotbeenestablishedinpracticebyFebruary2022.AnindependentDPAisregardedasacriticalelementofaneffectivedataprotectionregulatoryframework17andmostdataprotectionlawsinthecontinentcallforit,howevermanyAfricancountriescannotaffordtoestablishanindependentDPAandthereforeestablishitaspartofanexistingagencyasafirstphase.ThisisthecaseinNigeria,Rwanda,andUganda,forexample,wherethedataprotectionauthoritiesarenotseparatefromtheministry.Othercountriesintheregionareenvisioninganalternativeapproach,includingBurundiandSomalia,wheretheDPAwillbepartofthetelecommunicationsregulator.Thisphasedevolution,aspartofanexistingregulator,canhelpdevelopingcountriessetuptheirDPAs,focusingonbuildingtheagency’sresourcesbeforeitbecomesfullyindependent.

Finally,legallymandatedDPAsinAfricaaretaskedmainlywithresponsibilitiessuchaspromotingawarenessoftherisks,rules,andsafeguardsofrightspertainingtopersonaldata,providingaredressmechanism,providingguidanceontheinterpretationofthelaworregulation,andenforcingnationaldataprotectionrightsandobligationsenshrinedunderthelaworregulation(FigureIV).However,taskssuchaspublishingactivityreportsandencouragingthecreationofcodesofconductandcertificationsreviewarescarceramongDPAmandatesinAfrica,limitingtheagencies’powertoensurecompliance.Finally,fewAfricanlegalprotectionframeworksrequirekeepingrecordsofsanctionsandenforcement,reducingthetransparencyandaccountabilityoftheagencies.

7

24

22

22

21

20

19

18

Codesof

conductand

certification

review

ActivityreportsSanctionsandenforcement

records

Raisingawareness

Redressmechanism

Guidanceand

interpretation

ofrules

Enforcement

FigureIV.ResponsibilitiesofAfricanDataProtectionAgencies

Source:AuthorsbasedonGlobalDataRegulationDiagnosticanddesktopresearch

2.2Regionalcollaborationonpersonaldataprotection

Withthebourgeoningofdigitaltrade,dataflowsarenotboundtonationalterritories.Forinstance,cross-borderremittancesorcross-bordere-commercerequiresconsistentrulesacrosscountriestoprovidesimilarlevelofconsumerprotection.18Reachingregionalconsensusondataprotectionstandardsisneededtoensurecompatibilityandavoidfragmentation.19Regionalcollaborationalsohelpsamplifythevoiceofsmallerdevelopingcountriesinglobalnegotiationsrelatedtodatagovernance,especiallygiventhelackofrepresentationinafewongoinginternationaltalkssuchasthediscussionledbytheWorldTradeOrganization(WTO)onadatagovernanceframeworkforcross-borderdataflows.

AfewAfricanregionalcommunitieshavetakeninitiativestopromoteregionalintegrationonpersonaldataprotection.TheEconomicCommunityofWestAfricanStates(ECOWAS)hasbeenworkingtowardsregion-wideconvergenceinIT-relatedstandardsandtheharmonizationofregulations.ThecommunityadoptedtheSupplementaryActonPersonalDataProtectionin2010.Thelegallybindingactspecifiesdatasubjectrights,includingtherightofaccessandtherightofdeletion,aswellasrequirementsforcontrollers,suchasconfidentialityandsecurityofthepersonaldata.TheActalsorequiresallmemberstoestablishanindependentdataprotectionauthoritytoensurecompliance.AlthoughimplementationwasrequiredwithintwoyearsoftheadoptionoftheAct,onethirdoftheMemberStateseitherhavenolegislationorarestillintheprocessofadoptinglegislation.Benin,BurkinaFaso,andSenegalhadalreadyintroduceddataprotectionlawspriortotheSupplementaryAct,andMali,Ghana,andCoted’IvoireareamongthecountriesthatincorporatedtheAct.

Similarly,theAfricanUnion(AU)ConventiononCyberSecurityandPersonalDataProtection(alsoknownastheMalaboConvention),whichseekstocreateapan-Africanframeworktoaddresselectronictransactions,personaldataprotection,andcybercrime,wasadoptedbytheAUin2014.Todate,ithasbeensignedbyfourteencountriesandratifiedbyeightcountries.20However,theConventionmustberatifiedbyfifteenofthefifty-fiveAUstatestoenterintoforce.Thechapteronpersonaldataprotectionaddressesautomatedandnon-automateddataprocessingbypublicandprivateentities.Itimposesanobligationonallstatepartiestoestablishadataprotectionagency,responsibleforinformingindividuals

8

anddataprocessorsoftheirrightsandobligations.Italsolaysoutdataprocessingprinciples,includingspecificprinciplesfortheprocessingofsensitivedata.GiventheConvention’sdeficienciesandlackoftraction,recentconversationsamongtheAfricanUnionhavefocusedonhowtoreboottheMalaboConvention.Additionally,inFebruary2022,theAfricanUnionExecutiveCouncilendorsedtheAfricanUnionDataPolicyFrameworkthataimsatprovidingguidanceonvariousareasincludingdataprotection.21

Finally,BurkinaFaso,CaboVerde,Mauritius,Morocco,Senegal,andTunisiahaveratifiedtheCouncilofEurope’sConvention108.Thisisaninternationalhumanrightstreatyfocusedondataprotection,settingoutprinciplesthatarecompatiblewiththerequirementsofEuropeanUnion(EU)regulation.Itistheonlyexistingbindinginternationaldataprotectionconvention.In2018,21statessignedaprotocolmodernizingConvention108,knownas“Convention108+”,whichalignswiththeEUGDPR.MauritiusandTunisialatersignedtheamendingprotocol,andotherpartiestoConvention108,suchasMorocco,areintheaccessionprocessfor108+.Atthesametime,Moroccoisupdatingitsowndataprotectionlegislation

toseekanadequacydeterminationfromtheEuropeanUnionundertheGDPR.Thislatterapproachis

alsoanoptionforotherAfricancountriestofacilitatetradeandcrossborderdataflowswithkeytradepartners.

2.3Africavs.otherincomegroupsonpersonaldataprotectionframeworksonthebook

Comparedtoothercountriesincludedinthesample,theexistingdataprotectionlegalframeworksofAfricancountriesarecomprehensive.Thecontinentperformsonparwithorbetterthanlow-and-middle-incomeeconomiesinotherregionsonmostofthedimensionsstudied.AdoptionoftheregulatorypracticeondataprotectionbydesignislowerAfricathaninothercountriesstudiedacrossdifferentincomegroups.However,fortherestofthedimensions,Africancountriesareamongthetopperformers.Forexample,althoughonlynineAfricandataprotectionlawsincludeatestofnecessityandproportionalitytodeterminewhetheranexceptiontolimitationsondatacollectionorprocessingbythegovernmentislegitimatelyapplied,theregionfaresbetterinthisregardthanotherlow-incomecountries(LICs),andothermiddle-incomecountries(MICs)inthesample(FigureV).Furthermore,Africaisinlinewithorslightlybelowtheado