Michael Mudd, managing partner at Asia Policy Partners, discusses his research into the changing attitudes to cybersecurity and privacy in Africa…
I recently travelled to Africa for a Microsoft sponsored public sector cloud event. It was clear that the efficiency and scale enabled by cloud technologies are having a huge impact in lowering public sector IT costs, driving social inclusion, and delivering greater digital services for African citizens.
In this context of cloud proliferation, and of particular note, was the significant movement toward enacting or enforcing data privacy laws. This was especially evident in Ghana which now has a robust law under its privacy commissioner.
Other countries are considering implementing new laws, such as South Africa which has a draft data privacy law going through the system. Nigeria has already enacted a data content law which specifies that data created in Nigeria must be stored and processed within Nigeria. However, in reality, this is an overly restrictive legislation and is not practical in today’s connected world.
The majority of countries in Africa have some form of consumer privacy protection in place. But relatively few have data protection laws that would have any equivalence to laws in Europe or Australia, such as the European Union’s General Data Protection Regulation (GDPR) which comes into force next May.
Countries which are less developed have not necessarily invested as much in data security as more wealthy economies
While there is considerable awareness around data security and privacy as a policy in both the public and private sector, governments in Africa are still overly restrictive in the sharing of data, establishing data classification policies that over-classify data in terms of confidentiality.
In addition, there is a clear lack of data managers that have the relevant skills, both within the public and private sectors.
From observation, there isn’t a greater cybersecurity threat to countries in Africa compared to similar countries of the same GDP level or income level. It is evident that countries which are less developed have not necessarily invested as much in data security as more wealthy economies.
This is where the use of cloud solutions may make more sense as the security of data is a shared responsibility with the Cloud Service provider (CSP). This is a growing area with both local and international CSPs establishing a presence in Africa. Microsoft, for example, has announced that it will build its first cloud data centre in South Africa in 2018.
There are several initiatives by both the Economic Community of West African States (ECOWAS) and the East African Community (EAC) to try and harmonise laws relating to data as the realisation emerges that data actually has a value.
The EAC has launched a Task Force with a particular focus on cyber laws in close cooperation with the EAC secretariat and the support of the United Nations Conference on Trade and Development (UNCTAD). Phase I of the framework is covering electronic transactions, electronic signatures and authentication, and cybercrime, as well as data protection and privacy.
In ECOWAS the United Nations’ logistics team has also been working on a similar programme, calling for more capacity-building initiatives for policymakers, legislators, the police, the judiciary, prosecutors and computer emergency response teams (CERTs). The initiative also seeks to strengthen enforcement agencies to enable cross border e-commerce.
Private sector initiatives from IT service providers such as IBM, Facebook and Microsoft are further gathering pace in the region. However, limitations on reliable power supplies in some countries, as well as cross-border data transfer issues, are acting as obstacles to major data centre development.