THE AFRICA CONTINENTAL FREE TRADE AGREEMENT AND CROSS-BORDER DATA TRANSFER: MAXIMISING THE TRADE DEAL IN THE AGE OF DIGITAL ECONOMY
By: Oloyede Ridwan
“Data fuels the commercial activity of our digital world.” Increasingly, more businesses are transitioning and harnessing the power of the internet and technology and as a result of this, trade needs a vast amount of free moving and stream of personal data to optimally function. The growth is evident in the growing number of internet-enabled businesses and increased internet penetration; with the continent recording the “world’s fastest growth in internet use over the past decade.” Internet connectivity in the sub-Saharan region of the continent is predicted to increase by 130% by 2025. The ubiquitous adoption of the internet, increasing use of technologies and growth of digital economies reduces the traditional concept of territorial boundaries as it relates to trade to analytics. The internet has enabled improved access to digital goods and services across traditional boundaries, creating opportunities for both formal and informal sectors and creating employment across the continent.
Africa, a continent of 1.3 billion people and home to six of the fastest growing economies in the world in 2018 and predicted to increase to 2.5 billion people by 2050 has a combined Gross Domestic Product (GDP) of over USD$ 2.5 trillion has the lowest intra-continental trade volume in the world at 15% compared to Europe (67%), Asia (58%) and Latin America (20%). In order to bridge this gap, the African Union (AU) developed a common free trade agreement. The Africa Continental Free Trade Agreement (AfCFTA) was conceived to build a single market for the continent. The AfCFTA has been signed by 50 member states. The agreement “aims to create a single continental market for goods and services, boost intra-African trade,” increase trade by about 52.3% by 2020, double trade flows by the year 2022 with free movement of business persons and investments, remove 90% tariffs on goods produced, enhance competitiveness at the industry and enterprise level, liberalize services and tackle other barriers to intra-African trade.
The rise of Africa’s Digital Economy
Digital economy “can provide a boost to competitiveness across all sectors, new opportunities for business and entrepreneurial activity, and new avenues for accessing overseas markets and participating in global e-value chains. It also provides new tools for tackling persistent development problems.” The continent’s economy has been projected to be ready for digitization. According to Louis Otieno “digital data flow is what defines the economic area as opposed to traditional boundaries. For Africa to compete globally with the likes of China, we have to incorporate at scale. We have a billion people, which makes us a viable market today, with the youngest billion people, which makes us a viable market tomorrow.” Also, according to Jacqueline Musetiiwa “we know all too well the opportunities trade can offer for development and growth. Africa is in a unique position in that it has the chance to trade with an untapped market: itself. Nobody is saying that will be easy. But technology will go a long way to making this ambition a reality.”
Increasingly, African governments are committing to building a digital economy. Also, there has been digitalization of government services, growth of technology hubs and clusters and more private businesses are transitioning online without traditional border restrictions. The Africa Smart Alliance Initiative was recently announced by President Kagame. The initiative is seeking to bring about 600 million African youth into the continent’s digital economy.
There are 450 million internet users in Africa, which amounts to 35.2% internet penetration on the continent. The size of the digital economy is not as large compared to other geographic blocs or union. The problem of expensive internet access, digital illiteracy, and lack of essential infrastructures like broadband, power and logistics remain a clog to a continent-wide digital market. In addition, some African countries are more digitally mature than the others, which make uniform adoption and model technically impracticable and unrealistic in the short term.
Data Protection and security in Africa in the age of digital economy
According to UNCTAD’s World Investment Report 2017, cyber threats and data security will be part of the factors that will influence future global Foreign Direct Investment (FDI) activity. Africa-wide trade in digital space is only possible with the movement of personal data across borders. While free trade regimes are fraught with the common problems of competition, dilution of the market, fear of loss of jobs, and intellectual property counterfeiting, the increased digitization of commerce could portend dire privacy and online security risk.
Most African states have no data protection regulation. The continent currently lacks a common enforceable data protection framework like the European Union. The absence implies a variegated framework for the protection of personal data. Trading online is built on trust, and trust is reinforced where users are assured of safety nets for their personal data as it moves across different territories.
The AU in 2014 released the African Union Convention on Cyber Security and Personal Data Protection. The convention set a strong intention for the protection of personal data and online security on the continent. However, only 11 countries have signed the convention. “Currently, only 23 out of 55 African nations have passed or drafted personal privacy laws, and only nine of them have data protection authorities.” The convention set forth rules essential for establishing a credible digital space.
The privacy and safety of personal data are vital for the actualization of a digital economy. According to the Global Risk Report (GRR) 2019, data fraud or theft and cyber-attacks ranked 4th and 5th respectively on top 10 risks in terms of likelihood. Cyber-attacks and critical information infrastructure breakdown ranked 7th and 8th respectively on top 10 risks in terms of impact. The risk is expected to increase in 2019. According to Serianu’s Africa cybersecurity report, cybercrime cost the continent over US$3.5 billion in 2017.
Some African countries now have laws designating certain sectors of the economy as critical national infrastructure (CNI). Examples are the financial services and information technology sectors. These sectors are integral to a fully functional digital economy, for example, a Chadian buying an Ethiopian coffee online will require transfer of both personal and payment data to complete the transaction. Consequently, this has led to the establishment of a National Computer Emergency Response Team (CERT) or Computer Security Incident Response Team (CSIRT). The core mandate of CERTs or CSIRTs is to ensure the protection of a nation’s critical national infrastructure. Currently, there are 13 African countries with either CERT or CSIRT. A cyber-attack or data breach could have a dire effect on productivity, impact on revenue and financial loss, erosion of trust, dent to brand reputation, the risk of sanction and fines and risk to personal security. Currently, with the policy landscape, Africa is not well-positioned to tackle the growing challenges of data breaches and cyberattacks.
The uneven level of protection amongst countries leaves privacy and trust on a slippery slope. The fragmented frameworks create a spectrum of countries with legal protection, some with none and some inadequate; with flaccid enforcement regime. According to the Global Cybersecurity Index (GCI), 50 African countries were ranked under the “initiating” and “maturing” stage of cybersecurity development, while only two was considered as “leading”; which reflects largely the vulnerability of the continent to a wide-scale attack.
A fragmented legal framework creates uncertainty, unpredictability and also problems for multi-national companies seeking compliance. According to Tomslin Samme-Nlar, “non-compliance to the different data protection regulations may preclude companies from potential business exploits in the region. To be compliant in the current state of things, organisations will need to adopt different data protection policies that take into consideration the legislative nuances in the region. This would create unnecessary barriers to trade in the region, would be expensive and time-consuming. Thereby, negating the benefits of the free trade area.”
Cross-border data transfer and trade
Ability to move data across border is intrinsic to the soul of modern businesses. Cross data transfer is the transfer of personal data from a data controller in a geographic territory to another recipient in another territory. The framework allows data controllers and processors to move data across territories other than their point of origin securely while ensuring the protection of privacy and fundamental rights and freedoms of the data subjects. Data protection laws prohibit transfer of personal data outside their location unless the recipient country has a similar framework for the protection of personal data or deemed adequate. Data protection legislation like the European Union General Data Protection Regulation (GDPR) provides for data transfer mechanisms like adequacy, standard contractual clauses, and binding corporate rules. The adequacy mechanism under the EU law only allow data to be transferred to countries with similar level of protection as the EU and whose law is deemed adequate by the European Commission (Commission) – no African country has been certified adequate by the Commission.
Data protection laws equally allow for derogations in deserving instances where data could be transferred to another territory outside the general mechanisms. The permissible derogations where data could be moved across border include obtaining the individual’s explicit consent; necessary to perform the contract between individual and controller or a contract which is in the individual’s interest, necessary for important reasons of public interest or for establishment, exercise or defence of legal claims; and to protect the vital interests of the individual.
AcFTA and Data flow
Under the Article 15 (c) (ii) of Protocol on Trade in Services of the AcFTA, protection of “privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts” is an exception to restraint on trade. This is similar to Article XIV (c) (ii) of the World Trade Organisation’s (WTO) General Agreement on Trade in Services (GATS). The AcFTA, though lacking a protocol on cross-border data transfer, clearly conceives the importance of protection of personal data and exalts it to an exception to doing trade.
Article 14 (6) (a) of the African Union Convention on Cyber Security and Personal Data Protection prohibits the transfer of personal data to non-member states except “the state ensures an adequate level of protection of the privacy, freedom, and fundamental rights of persons whose data are being or are likely to be processed.” Similarly, Section 72 of South Africa’s Protection of Personal Information Act 2013, Section 36 of Mauritius Data Protection Act 2017, Section 31 of Kenya’s Data Protection Bill 2018 and the recently signed Nigeria’s NITDA Data Protection Regulation 2019 has comparable provisions on cross-border data transfer. Though, the scope is limited in some of these laws.
According to UNCTAD “data protection is directly related to trade in goods and services in the digital economy. Insufficient protection can create negative market effects by reducing consumer confidence, and overly stringent protection can duly restrict business, with adverse economic effects as a result.”
What will Africa be missing?
According to Siemens African Digitalization Maturity Report 2017, USD$300 billion could be added into the continent’s economy by 2026 through the adoption of digitalization. Also, according to Kolawole Opeyemi, a doctoral researcher in International trade and intellectual property law at the University College, Dublin “what the continent will be missing is data sensitive Foreign Direct Investment (FDI). The big corporation will rather cater to Africa outside Africa by establishing their data centres and offices in the European Union. We lose jobs. We lose taxes. We also increase the risk and exposure of corporations doing business in Africa (cost of doing business). More so, the benefit of the AcFTA will be limited to trade in primary products (i.e. raw materials) because, without a good data protection law to complement, a large chunk of international trade is left untapped.”
In addition, the continent will be losing more not yoking the benefit of its youthful population. The continent has the youngest population between 15 and 24 in the world – a phenomenon that could open a floodgate of opportunities across the continent if harnessed, and a challenge if neglected. According to Tomiwa Ilori, a doctoral researcher at the University of Pretoria’s Centre for Human Rights, “in reducing tariffs and establishing a single market in Africa, the AcFTA does not only look to open physical borders for easy movement of goods and services alone but also ensure that services enabled by the digital economy are bolstered. The digital economy, for example, is projected to contribute US$ 300 billion to Africa’s GDP by 2030 according to McKinsey and Company. There is however a missing link between this future and data protection. Due to a deluge of data transfers that is most likely to occur as a result of AcFTA, data subjects might suffer a great deal.”
Tomiwa further explained that “of the 14 out of 54 countries with data protection laws in Africa, only Western Sahara has not signed the AcFTA meaning just 13 countries have data protection laws in place to regulate data transfers as a result of the AcFTA. This is a major setback for the AcFTA in building a continental trade in a global digital economy. The risk profile of data subjects is bound to rise with no data protection framework in place. What the AcFTA can do in this regard, is to work with the African Union on more adoption of the African Union Convention on Cyber Security and Personal Data Protection (the Convention) by States or encourage States to adopt best-standard practices in data protection through laws. The AcFTA needs to engage the digital economy within the context of more data and consumer protection in order to be able to effectively build trust that can encourage wholesome participation in Africa’s continental trade initiative.”
Recommendations – Surviving the tide
There government will need to address protection of personal data and protection of critical national infrastructure. Cross border data transfer is essential for doing business and the African Union Convention on Cyber Security and Personal Data Protection readily sets a strong baseline intention for the continent and should be adopted by all African countries to create an integrated implementation framework to protect cybersecurity and personal data. Similarly, more African countries should also consider acceding to the Council of Europe Modernised Convention 108. The Convention is “the only international legally binding instrument on the protection of private life and personal data.” The Convention could also ease signatory state’s consideration for an adequacy decision by the European Commission. The Adequacy decision will ease the free flow of data. Four African countries (Senegal, Tunisia, Mauritius and Cape Verde) have already ratified the Council of Europe Modernised Convention 108.
An efficient digital economy can only be accomplished when government and other stakeholders drive policies and solve basic infrastructural problems that can ease and drive down the cost and ease of doing business, strengthening digital infrastructure, promote digital literacy, and make affordable high-speed internet to increase access. The government will need to support the development of innovation hubs to provide succour to local entrepreneurs in developing new online services and business models. Adoption and increase e-government services and policies to ease access to fun like crowdfunding – the Tunisian Start-up Act is a viable model.
There is an urgent need for digital infrastructure that will enable the Free Trade Area to address the kind of scale for a billion people on the continent. There is a place for government policies around data privacy and cybersecurity and strict enforcement regime to build trust in the ecosystem and allow for unhindered data flow across boundaries. Businesses use personal information across borders to both improve their services and maximise their profits, there is a need to balance regulation for protection and over-regulation for data sovereignty.
Also, a protocol could be negotiated for cross-border transfer of data to strengthen the existing provision of the African Union Convention on Cyber Security and Personal Data Protection. The continent can take a cue from Trans-Pacific Partnership’s E-Commerce chapter and the Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) in designing a cross border data transfer framework. The protocol should promote free movement of data consistent with respective member state’s interest in protecting privacy and ensuring security, support a single global Internet, common prohibition against data localization, cooperation on cybersecurity, protection of personal information of consumer and protection against fraud, and defining commonly agreed-upon principles and rules. These basic principles are already established in the African Union Convention on Cyber Security and Personal Data Protection.
More African countries need to establish their respective computer emergency response unit to ensure a safer cyberspace. Similarly, both public and private organisations transferring data will need to ensure they have resilient cybersecurity hygiene to guarantee security of data both at rest and in transit.
Conclusion – Africa’s imminent win
The article concludes that data is the life-blood of business in the digital economy. Consequently, the movement of data is important to trade in the similar way protection of personal data is crucial to trust online. When trust is eroded, the fabric of the digital economy technically crumbles. Data security and protection of privacy is crucial to facilitating intra-continental trade, and consequently vital to the successful implementation of the AfCTA. Lack of a common framework will continue to hinder the integration and optimization of the imminent benefit of the trade agreement. The continent cannot afford to miss out on the immense prospect of continental digital market and harnessing a global digital economy due to the absence of a data protection regime. “Aligning the trade policies, regulations and institutions of the 54 countries to promote continental trade will enhance the economies of scale, structural transformation, diversification, efficiency and productivity boosts. This will benefit producers, consumers and governments in phenomenal ways.”
African leaders must see the nexus between protection of privacy rights, online security and commerce. A comprehensive digital development strategy should address investment in digital infrastructure, complex cross border internet regulatory concerns, bridge digital divide and inclusion, and curtail prospective undesirable social and development effects. Beyond a privacy and data protection framework, the success of the AcFTA will be hinged on policies around addressing e-transaction and consumer protection, content restrictions and censorship laws, Intellectual property protection, Intermediary liability and competition.
The implementation will see multi-national companies navigate global data protection compliance with ease, trade more with Africa without fear of inadequate protection, and increase the intra-continent trade volume. A proper harmonisation of data protection and AfCTA would create opportunities and a sustainable path for Africa’s youthful and growing population. Also, Africans will dare to build digital businesses products and models not just for the African market, but equally to expand and seek global competitive advantage. Finally, the cybersecurity and data protection laws will be nothing without an efficient enforcement framework.