GEFONA’s Response to AUC’s Consultation on Africa Data Policy Framework

Delivered by Tomslin Samme-Nlar 26 July 2021 The African Union Commission (AUC) is in the process of drafting a Policy Framework for the Creation of a Common Data System. The policy framework, which according to the AUC will be principle based, is a recommendation from the African Union Digital Transformation Strategy […]

Delivered by Tomslin Samme-Nlar

26 July 2021

The African Union Commission (AUC) is in the process of drafting a Policy Framework for the Creation of a Common Data System. The policy framework, which according to the AUC will be principle based, is a recommendation from the African Union Digital Transformation Strategy and has an ambitious aim to regulate production and use of data in Africa.

GEFONA participated in the consultation process which included a call for inputs and consultation phase meant to inform the drafting of the policy and an online consultative workshop convened by the AUC. Our submission to the consultation phase can be found here below:


Question: What other high-level principles should inform the Data Policy Framework? Should any be removed?

Our Response:

We believe the following should inform the framework:

  • Non-sensitive public data open by default
  • Data portability
  • Notification in case of Data sharing
  • Transparency


Question: With the uneven distribution of harms, what differential risk mitigation strategies are required to deal with harms in developing country contexts?

Our Response:

  • Privacy and security by default policies
  • The responsibility to secure data and guarantee privacy should be on the data collector, controller and processor.


Question: What human rights considerations are necessary for the attainment of an inclusive African digital economy and society, in addition to data privacy? What might these require from the private sector?

Our Response:

Basically all. We’ll list some below but all human rights should be relevant in the digital word.

  • Right to privacy
  • Right to education
  • Right to work
  • No torture & inhuman treatment.

To the second part of the question, it calls for several considerations. First, a more inclusive approach to opportunities in the enterprises. This applies to gender, disability and the disadvantaged people (especially in member states with areas where there are few or no computers or even electricity).


Question: What capabilities and factors are needed for the public sector and other key actors to create value from data for enhancing holistic sustainable socioeconomic development?

Our Response:

  • Technology
  • Education
  • Data Governance
  • Data driven culture
  • Digitalisation
  • Experts/Skills (technology skills, management skills, Analyst, Policies & regulation skills, etc.
  • Timely access to data, regardless of where it is store.


Question: How important is the difference between value-creation and value-extraction in regulation? Can the extractive nature of monopoly platforms feasibly be curbed by regulators?

Our Response:

It is clear from evidence that value-creation is customer-centric, something of value is offered by a firm to customers, who in return offers value to the firm for that valuable thing. This should be the focus even in a data ecosystem, more so because the data is owned by the customer. The firm shouldn’t focus on how much value they can extract from users’ data for themselves without offering anything of value to the data owner.

Also important is that, not only should the firm offer something of value to the data owner, opportunity must be given to the data owner to decide if the value being offered for their data is worth the data being given.

Contextualising this to Africa, care must be taken to ensure that whatever value is being created contributes directly to sustainably alleviate poverty and provide economic opportunity to the grassroots, not only to a privilege few. Value for public good should drive the value-creating activities.

Supervising the market to provide guidance and incentives for firms to take into consideration the public good in their data practices will be important to avoid the extractive tendency of platforms.


Question: How can African countries with nascent digital economies formulate regulation that simultaneously protects consumers, facilitates innovation, and creates an enabling environment that can encourage knowledge transfers and build local technical and management expertise from the domestic presence of data transnationals, who have proprietary data or algorithms?

Our Response:

Incentives which encourage local physical presence of data transnationals is a start. Combined with laws which require transfer of knowledge to locals for every overseas employee hired.
Create and established strategic collaboration centers to promote collective action on digital issues like security, data sharing and rights of digital actors.


Question: What structural economic or policy deficits need to be addressed, as they may hinder many African countries’ ability to leverage the positive effects associated with the emerging data economy?

Our Response:

African states have even begun discussing and enacting policies that deal with data privacy, open data, e-governance, cyber security; which are all important for an information society, albeit without a defined strategy that brings together all the individual strategies together to achieve the benefits of an information society.

To benefit from a data economy specifically, policy deficits in the following areas need to be addressed:

  • Implementation of e-government
  • Improving national capacities of IT personnel
  • Improving investment and financing policies
  • Improving policy research
  • Improving the integration of information infrastructure
  • Improve the competitiveness of the IT industry
  • Building a national information security system


 Question: What are the crucial enablers needed to reap positive impacts from datafication and digitalisation of the economy and society? And what analogue and digital preconditions are necessary to foster an African Digital Common Market?

Our Response:

Crucial enablers to reap the positive impacts from digitalisation are

  • Cost of consumer devices
  • Good business environment
  • Ease of starting a business
  • Protecting small investors
  • Security


Question: What regulatory limits that require compliance and safeguard rights are necessary?

Our Response:

  • Accountability for personal data collected from clients
  • Usage of personal channels to spread information
  • Rules for data and innovation


Question: How can governance establish and maintain a trusted data environment? What are the elements of a trusted data environment; are security, legitimacy and integrity sufficient?

Our Response:

Governance establishes a trusted data environment through

  • Transparency on how data are collected, processed an disposed,
  • Policies and standards
  • Appropriate/ automated security controls
  • Communication

One of the key element of a trusted data environment is a strong data based culture and security culture.


Question: In addition to the pillars outlined under the SmartAfrica Continental initiative (, which sectors, if any, do you think stand to benefit from the better use or availability of data as defined in this document?

Our Response:

  • Health
  • Education
  • Media and Entertainment.
  • Technology products and services.
  • Financial services.
  • Telecommunications.


Question: If countries wish to support data cross border flows for economic purposes but are concerned about the welfare of their citizens’ privacy and the protection of their data would controlling the use of the data at a higher level in the architecture, while enabling the physical flow of data on which the efficiency and effectiveness of the data economy is dependent meet both objectives?

Our Response:

A strong regional cooperation with some supervisory authority established at the AU level might help here. Provision should be made at the AU level as a basis of sharing data between member states without national data protection laws.


Question: Are there areas, issues or topics covered in this outline which might be outside the remit of the AUC?

Our Response:

We believe all topics covered correctly sit within the remit of the AUC.


Question: What areas might be best addressed in a Data Governance Framework, and which may be best addressed by other policy frameworks?

Our Response:

Capability and skills development and the security of data.


Question: What principles are required for data governance in Africa?

Our Response:

  • Accountability
  • Auditability
  • Oversight
  • Standardization
  • Interoperability


Question: What implications does the decentralised architecture of the Internet have for informing policy recommendations on sovereignty? What institutions are currently engaged in data governance in Africa or in particular your region?

Our Response:

The implication of a decentralised architecture of the Internet is the need for a more nuanced data location policy, rather than a broad data localisation policy. For example, rather than have a broad localisation policy for all data of a country, the policy might only require sector specific data like health data with personal identifiable information and national security sensitive data to be stored and processed in the country.

In Cameroon, there is no data policy in place. However, the National Agency for Information and Communication Technologies, ANTIC is the defacto agency with regulatory and supervisory role in data governance.


Question: What institutions are needed for effective and equitable data governance in Africa?

Our Response:

Regional institutions which promote cooperation between member states on data governance, interoperability and transfer.


Question: What are specific examples of sectoral cases that may require targeted forms of sovereignty solutions?

Our Response:

  • Health sector data with personal identifiable information
  • National security sensitive data


Question: How can compliance burdens across sectors be managed?

Our Response:

Data and sectors must first be correctly classified according to their value and importance to the core priorities, safety and economic competitiveness of member states. With this, policies which recognise that different sectors have different needs and compliance requirements can be developed.


Question: It is essentially presumed that non-personal data need not be subject to any specific processing requirements. A counter position may be requiring specific forms of processing for grades of ‘sensitive’ data, assuring such sensitivity is well defined (bearing in mind this section relates to domestic processing requirements – cross-border transfers are dealt with later). Is there any case to be made for other forms of processing specification?

Our Response:

It is not only personal data which is sensitive data to a nation, but also data of national security significance and economic competition. All these categories or classes of data should have processing requirements defined.


Question: Are existing (or emerging) data security strategies, policies, norms and rules able to ameliorate harm resulting from risks to confidentiality, integrity and availability of data?

Our Response:

To enhance CIA, there is a need to develop ‘security and privacy Compliance standards’ across African nations in different sensitive sectors such as:

  • Finance
  • Health

The compliance standard will define the requirements and accepted security and privacy mechanisms to be used when transferring, processing, storing and manipulating data.


Question: What type of collaboration between different domestic regulators and policy makers needs to take place to have a holistic approach across various mandates?

Our Response:

We believe a Whole-of-Country (WoC) approach to data governance is necessary for a holistic policy. Not only does it help create a consistent policy across all sectors, it can also be cost effective.


Question: What regional coordination mechanisms are needed to ensure regulations and policies are in place to ensure that foreign data infrastructure service providers contribute to building infrastructure in nascent African data ecosystems in a manner that does not hinder local and regional data economy development?

Our Response:

Treaty tools might be necessary to help regulate foreign data infrastructure service providers. Especially for member states with little capacity to do so on their own.

Additionally, regional multistakeholder platforms and forums where regional stakeholders can brainstorm policy and regulatory ideas and best practices will be important.


Question: What strategies are needed in the short-term, medium-term and long-term to address the existing human capacity shortages that may hinder the growth of the data economy and are crucial for creating data driven insights for socioeconomic development?

Our Response:

  • Short term : Leverage on experts coming
  • Medium term : Knowledge transfer to our local people
  • Medium term : Develop our own experts via schools and trainings
  • Medium to long term: Incentives should be made available for universities and technical training colleges to offer courses on skills required in a data economy.
  • Medium to long term: Industry-university partnerships should be encouraged as this provides opportunity to develop market-ready students.