Bvekerwa has an LLM in IT and IP Law, and is presently working part-time as a consultant at Emerging Africa Advisory Group (EAAG). She is also in the throes of establishing a consultancy through which she hopes to help African firms navigate local and international data protection laws.
She commented that most companies would be unable to do business without complying with data protection laws because they could not avoid being “controllers or possessors” of data.
“Although Zimbabwe and South Africa have recently taken positive steps towards the development of their data protection legislation, they are not trailblazers,” she said, citing Senegal and Morocco as being among the first to enact legislation of this kind.
Many others have followed suit, including Nigeria, Kenya, Uganda and Rwanda, but the implementation of this legislation has been staggered, and “lack of uniformity” adds to the perception that doing business in Africa can be risky and confusing, Bvekerwa commented.
She describes the General Data Protection Regulation (GDPR) adopted by the European Union in 2018 “as one of the most important data protection regulations in the past 20 years”.
Comparing this to, say, Zimbabwe’s Data Protection Act (DPA), she said the DPA only applied to processing and storage of data where the means used are located within Zimbabwe and the processing and/or storage is not for mere transit through Zimbabwe.
“The effect of this is that the application of the DPA is more limited than that of the GDPR and one may be in compliance with the DPA but not necessarily with the GDPR,” she explained. “Although consent is not always required under the GDPR, where it is required, it cannot be implied and must be given through an opt-in. Under Zimbabwe’s DPA, however, consent for processing of non-sensitive data can be implied. This is problematic and potentially dilutes the effect of the DPA as organisations are given the opportunity to use ‘implied’ consent as an out from seeking active, opt-in consent where necessary.”
The GDPR also extends the definition of personal data to include IP addresses, internet cookies and location data, whereas the DPA does not. This means the GDPR encompasses more protected categories of data for individuals.
“Because of the borderless nature of the internet, the GDPR requires organisations to not only ensure that they are GDPR compliant, but that other organisations that they deal with, to whom EU citizens’ data may be transferred, are also compliant,” Bvekerwa explained. “As a result, the more disparity there is between Africa’s data protection legislations and the GDPR, the more restricted African companies are in doing business with Europe.”
Under the GDPR, each member state is required to designate a Data Protection Authority, which is responsible for monitoring compliance. For example, if a Zimbabwean company offers goods or services through an online shop accessible to French citizens, the Zimbabwean company can be fined under the GDPR by the French Data Protection Authority for any breaches of the GDPR.
Fines are substantial – up to €20 million or 4% of an organisation’s annual worldwide turnover, whichever is greater. Bvekerwa says this is primarily to protect EU citizens from data protection noncompliance rather than to impose its provisions on other jurisdictions and/or their citizens.