Examining Cross-Border Data Flows Provisions in Africa’s Free Trade Agreements
Cross-border data flows are the transfer of information or data across national boundaries. Transfer of data across borders may be necessary to achieve diverse objectives depending on the agreements between the processors, controllers, owners and recipients of data, and the purpose for transferring the data. It has been used increasingly in the context of digital trade and, has been regulated in pertinent provisions. Cross-border data flows enable trade as they transform the form and volumes of trade. The free flow of data also increases the speed at which goods and services are traded.
Not all cross-border data flows result from trade. Cross-border data flows also impact the transfer of personal data. In the African continent, the transfer of personal data is regulated by domestic data protection laws which condition the transfer of data to the availability of regulations and institutions that protect personal data in the receiving state, and by regional laws such as the AU Convention on Cyber Security and Personal Data Protection (Malabo Convention) which calls for harmonisation of laws and policies on cross-border transfer of data amongst its Members.
In addition to the above manifestations of cross-border data flows and their resulting diversity in regulation, existing laws also contain provisions banning data localization and the free flow of data across borders. Thus, free trade agreements (FTAs) amongst and involving African states differently regulate cross-border data flows. Not all existing FTAs, however, regulate cross-border data flows.
While the free flow of data across international borders is vital for international relations and interactions for instance in international trade, there is a need to balance this with data protection and privacy laws. Thus, data protection principles and the rights of data owners ought to be taken into consideration in enabling cross-border data flows. The flow of data across borders should also conform to set-down laws and rules that allow for their free flow.
There currently is no harmonised framework for cross-border data flows in Africa. Instead, African states have in bilateral and multilateral agreements regulated the cross-border flows of data amongst themselves and with third parties. The extent of regulation of cross-border data flows in FTA and preferential trade agreements (PTAs) range from none, to vague, and precise. Some of the existing provisions speak to data protection in cross-border data flows while others are silent. This article, therefore, examines how the existing cross-border data flow provisions in FTAs speak to the protection of data collected from data owners in the African continent.
Cross-border data flows provisions in African FTAs and bilateral agreements
Article XXIV (8) of the General Agreement on Tariffs and Trade (GATT) defines a free trade area as “a group of two or more customs territories in which the duties and other restrictive regulations of commerce ……. are eliminated on substantially all the trade between the constituent territories in products originating in such territories”. Free trade areas allow for the imposition of zero tariffs on goods produced by member states while retaining national tariffs barriers on goods from on-member states. Free trade areas are constituted pursuant to establishing agreements, FTAs.
Were argues that free trade areas are beneficial since they increase trade, investment, price competitiveness, performance and innovation. Free trade areas also result in political and economic reform, reduces the risks of conflict and boost security, and makes the economies more competitive and attractive. Conversely, free trade areas may result in trade diversion, flow of illicit trade, security threats, structural unemployment, inequalities, difficulties for new sectors and industries and increased independence by economies. In the case of cross-border data flows, the dangers lie in data localisation, data mining and market dominance by big tech and industries to the disadvantage of new industries and start-ups. There may also be unequal flow of data across the countries under the free trade areas. In the same breadth, there is a risk of data breach which can only be addressed through express regulation, efficient enforcement and parties acting in good faith.
In the African continent, discussions revolve around allowing for the free flow of data within the continent and at the same time limiting the flow of data outside the continent without necessarily violating non-discrimination requirements that exist under international trade and investment law, for instance, the most-favoured nation principle and national treatment principle. Nonetheless, several FTAs exist within Africa that regulate cross-border data flows differently. Some of the existing FTAs are silent and others are in the process of developing provisions for cross-border data flows, as examined at length below.
The African Continental Free Trade Area (AfCFTA) is the latest free trade area to be constituted in Africa. Forty-six and fifty-four African countries have respectively ratified and signed the Agreement establishing the AfCFTA. The AfCFTA Agreement aims to create a single African market and liberalise trade in goods and services. In addition to the AfCFTA Agreement, there have been successful negotiations of AfCFTA protocols on goods, services, dispute settlement, intellectual property, investment and competition. Negotiations are ongoing for a Protocol on Digital Trade. Important to note, there currently is no express provision under the AfCFTA Agreement or its Protocols that speak to cross-border data flows within the continent. There is, however, an indication that cross-border data flow provisions form part of the ongoing negotiations of the AfCFTA Protocol on Digital Trade. This is coupled with numerous recommendations by diverse authors on the need for the AfCFTA Protocol on Digital Trade to contain provisions and harmonise existing domestic laws on cross-border data flows.
The Agreement establishing the Tripartite Free Trade Area (TFTA) among the Common Market for Eastern and Southern Africa (COMESA), East African Community (EAC) and Southern African Development Community (SADC) similarly, does not contain a provision for cross-border data flows. It does, however, under Article 28(2) call for cooperation in the harmonisation of data management. The TFTA Agreement is yet to receive the required number of ratifications and is therefore currently not in force. Under Article 39(3) of the TFTA Agreement, fourteen ratifications are required for its entry into force. Following the establishment of the AfCFTA, the TFTA seems to have lost popularity and minimal progress towards its operationalization has been made since 2015 when the TFTA Agreement was signed.
Though not an FTA, the Malabo Convention is the key instrument regulating personal data protection in the continent. In terms of cross-border data flows, Article 14 (6) of the Malabo Convention obligates data controllers to only transfer personal data to non-Member States that have adequate level of protection of privacy and human rights of data subjects. This requirement does not however apply where the consent of the national protection authority is obtained before the transfer of personal data to another country. The Malabo Convention entered into force in June 2023 after receiving the required ratifications.
African regional economic communities (RECs) free trade areas have also regulated cross-border data flows differently. The existing frameworks seek to harmonise national laws within the respective RECs. Not all African RECs have frameworks on cross-border data flows. The existing RECs FTAs framework is therefore fragmented and ought to be harmonised, possibly at the continental level. The Malabo Convention harmonises domestic data protection legislations in Africa but it is binding only on those that have ratified it, currently, 15 African countries. This leaves out 40 African states. The Malabo Convention does not also speak to RECs data protection frameworks. There is, therefore, a need to harmonise RECs and domestic data protection frameworks. As highlighted below, RECs FTAs have developed strategies that facilitate the free flow of data across the regions.
Under EAC, the East African Community E- Commerce Strategy speaks to collaboration in data management and hosting of online marketplaces through national and regional data centres. The Strategy also under Pillar 1.2 acknowledges that there is exchange of data within EAC for various socio-economic purposes. It notes that data localisation and sovereignty derail the free flow of data within EAC and therefore, created a need for harmonisation of domestic laws, regulations and policies. To allow for unrestricted flow of data within the EAC, the Strategy calls for adoption of best practices, ratification of the Malabo Convention and adoption of the United Nations Conference on Trade and Development (UNCTAD) Cyberlaw Framework. It also endeavours to develop a regional law on cyber security and personal data protection. In terms of data transfers outside the region, Measure 5.1.5 of the Strategy recommends for the region’s investment in cloud and data hosting infrastructure to minimise the transfer of data outside the EAC.
Under SADC, the Southern African Development Community Customs Information Commination Technology Strategy (SACD ICT Strategy) seeks to harmonise data exchanges and information technology connectivity within SADC. It recognises the need to enhance ICT infrastructure to facilitate the smooth flow of data in the region. The SADC Customs Union adopted the World Customs Organisation’s globally networked customs interconnectivity concept which creates a universal standard for exchange of data. The SADC ICT Strategy, therefore, recommends that the same approached be implemented to allow for data exchanges in SADC. Enforcement at the domestic level is done in accordance with domestic data protection laws. This is problematic in countries with no domestic legislations. There would also be disparities in implementation.
The Supplementary Act on Personal Data Protection of the Economic Community of West African States (ECOWAS Supplementary Act on Personal Data Protection) provides a harmonised framework for protecting personal data within ECOWAS. Under Article 36 of the ECOWAS Supplementary Act on Personal Data Protection, transfer of data to a non-ECOWAS state is conditional on a guarantee by that state that it has adequate mechanisms for protecting personal data, human rights and fundamental freedoms. In any such case, the national data protection authority in the ECOWAS states ought to be notified before the data is transferred. This requirement prioritises data protection while also limiting the free flow of data outside ECOWAS.
The other four RECs recognised by the AU i.e. Economic Community of Central African States (ECCAS), Intergovernmental Authority on Development (IGAD), Arab Maghreb Union (UMA) and Community of Sahel–Saharan States (CEN–SAD), are silent on e-commerce generally, and specifically, cross-border transfer of data, aside from mentioning the need for harmonisation of existing laws. For instance, the ECCAS Medium-Term Indicative Strategic Plan of 2021 to 2025 expects to harmonise systems and the dissemination of data within the region (Strategy 42).
In addition to the foregoing RECs free trade areas, there are in place preferential trade agreements (PTAs) between select African states and regions with states and regions from outside Africa. Not all of the existing PTAs in Africa, however, contain provisions on cross-border data flows. For instance, the Cotonou Agreement concluded in 2000 between the Organisation of African, Caribbean and Pacific States (OACPS) and the European Community and its Members is silent on cross-border data flows. Articles 39 and 73 of the European Union-East African Community Economic Partnership Agreement (EU-EAC EPA) speaks to cooperation in information exchanges among the parties. In line with Article 133, contact points are designated to facilitate information exchanges among the parties.
The Kenya-UK Economic Partnership Agreement considers all the information exchanged to be confidential. The Kenya-UK EPA under Article 10 of Protocol 2 allows for exchange of personal data on condition that there are adequate mechanisms in place for the protection of the data. Interestingly, the mechanisms for data protection ought to be equivalent in the sending and receiving state. Noteworthy, under Article 10(4), the information obtained is used in accordance with the EPA and in case of deviation, the prior written consent to the authority providing the data, must be sought. Use of the information for other purposes is also subject to restrictions by relevant law. The same approach has also been adopted under the UK-Cameroon Economic Partnership Agreement and the EU-SADC Economic Partnership Agreement.
Under Annex I of the UK-Morocco Association Agreement, the UK commits to put in place mechanisms to allow for data sharing. Aside from this, there is no elaborate provision on cross-border data flows between the UK and Morocco. Southern African Customs Union Member States and Mozambique (SACUM)-UK Economic Partnership Agreement is silent on cross-border data flows. There is however collaboration among the parties in information exchanges. This is seen for instance under Article 106 where the parties agree to designate a coordinator for information exchanges. Article 68 of the UK-Côte d’Ivoire Stepping Stone Economic Partnership Agreement speaks to the protection of personal data during the collection, processing and dissemination of the data. This is conditional on there being no arbitrary or discriminatory practices. Parties also agree to facilitate the transfer of information. This approach has also been adopted under the UK-Ghana Interim Trade Partnership Agreement.
Kenya is in the process of negotiating an agreement or other instrument with the United States under the US-Kenya Strategic Trade and Investment Partnership (STIP). The discussions extend to cross-border data flows. However, the parameters for the negotiation of the provision on data flows have not been made public, hence, minimal analysis can be made at this point. The Kenya Data Protection has been cited to be vague and thus, creates uncertainties for cross-border data flows under the STIP. Ongoing negotiations are inclined toward creating certainty in this area. This article argues that such negotiations should place primary focus to the economic disparities between the US and Kenya.
While several other EPAs exist, the above have been highlighted for discussions in this article as they give a synopsis of the approaches taken in regulating data flows across international borders. As noted above, a majority of the FTAs and EPAs contain provisions on cross-border data flows, albeit, in a narrow sense. The article has spoken to the need for harmonisation of the existing frameworks.
Data Protection Assessment in Cross–Border Data Flows Provisions in FTAs
Amidst discussions on cross-border data flows, the primary consideration is the extent of data protection. As highlighted above, the existing cross-border data flows provisions have either directly or indirectly spoken to the need for data protection. Specific reference speak to the need to adhere to data protection laws and obtain the consent of relevant authorities before transferring the data. In other instances, parties have agreed to designate coordinators or put up data centres to facilitate data exchanges.
The cross-border transfer of data is underpinned by certain principles or set requirements contained in some of the existing frameworks. In terms of data protection in cross-border data flows provisions, Article 13 of the Malabo Convention and Articles 23 to 29 of the ECOWAS Supplementary Act on Personal Data Protection set out that the principles of processing of personal data include: – consent and legitimacy; legality and fairness; purpose, relevance and preservation; accuracy; transparency; confidentiality and security; and choice of data processor. The scope of the Malabo Convention compared to the ECOWAS Supplementary Act on Personal Data Protection is broad as it covers personal data and other forms of data as provided for under Article 9(1) of the Malabo Convention. Thus, in allowing for the free flow of data, the above principles ought to be taken into account. Though not expressly spelt ought in most of the EPAs and FTAs, there are references to domestic data protection laws that contain these principles.
ECOWAS Supplementary Act on Personal Data Protection has prioritised personal data protection over the free flow of data as it makes the transfer of data conditional on a guarantee that personal data will be protected in the receiving states. The Supplementary Act also, in particular, limits the free flow of data outside ECOWAS. There is no express requirement amongst ECOWAS Member States to ascertain that they have in place adequate national mechanisms for personal data protection. This raises concerns on the discriminate application of the rules in states without a domestic framework.
Pillar 1.2 of the EAC E-Commerce Strategy recognises the need for data protection and online security in the exchange of data across networks and countries. It also recommends that e-commerce IT systems provide defence against illegal activities such as hacking. To realise this the Strategy calls upon EAC states to develop data protection laws, if they were yet to and enforce and facilitate the implementation of existing data protection laws. The Strategy also identifies the need for a regional instrument to allow for unrestricted flow of data while at the same time protecting data and ensuring online security.
The SADC ICT Strategy does not expressly recognise the need for a harmonised framework on data protection in the course of data exchanges within the region. Instead, it calls upon states to implement, through established national customs enforcement networks, data exchanges in line with domestic data protection laws. Not all SADC Members have data protection legislations and would therefore render implementation problematic and diverse which in the long-run defeats the purpose of a harmonised regional framework.
Significantly, some of the EPAs in place have spoken specifically to data protection in the cross-border data flows. For instance, the UK-Kenya EPA, the UK-Cameroon EPA and the EU-SADC EPA speak to the confidentiality of data and the need to adhere to data protection laws in facilitating the free flow of data. Under the EPAs data is transferred subject to the guarantee that the recipient guaranteeing adequate protection of the data. The EPAs between the UK and Côte d’Ivoire and Ghana also speak to data protection in the collection, processing and dissemination of data. Thus, though not elaborate, the existing agreements necessitates data protection in cross-border data flows.
In conclusion, while the free flow of data is vital for socio-economic development, regard ought to be placed on the protection of data collected and processed. African RECs free trade areas have strategies in place that speak to the free flow of data within the regions. The existing frameworks are however not harmonised as they only regulate regional flow of data and not outside the regions. In addition, FTAs and EPAs in place are either country or region specific and therefore, contributes to the disintegration of existing cross-border data flows provisions. Compared to the existing frameworks, there appears to be increased attention to the negotiation of cross-border data flows provisions, as is the case with ongoing negotiations under the AfCFTA and STIP, as standalone provisions. The parameters of the negotiations are, however, unknown. All in all, there is a need for more nuanced regulation of data protection in cross-border data flows provisions.
image by pixabay.com