Mandira Bagwandeen: The domination of foreign companies in Africa's digital landscape could impact a country's digital sovereignty

Dr Mandira Bagwandeen is a Senior Research Fellow at the Nelson Mandela School of Public Governance at the University of Cape Town (UCT). She also lectures at various South African Universities on international relations and the political economy of Africa-China ties.

This interview is also available in French.

What are the common and specific challenges posed to sovereignty by data governance and digital transformation in Africa?

Data sovereignty and digital transformation pose various challenges to sovereignty, specifically state sovereignty. The two primary global challenges are around data privacy and data protection, and cybersecurity threats and cyber espionage.

In the age of big data and surveillance capitalism, protecting people's data privacy and ensuring it is managed ethically and securely is a significant challenge. Like many countries worldwide, African states are at various stages of developing data protection regulations and frameworks. As of February 2023, 36 of 54 African countries had adopted data protection laws. Drawing on best practices, many of these laws were influenced and modelled after the European Union's (EU) General Data Protection Regulation. The impetus to adopt GDPR-like data laws stems from the need to develop a legislative framework that facilitates data protection as well as economic growth, innovation and trade between African countries and their Western trading partners, notably the EU, the continent's biggest trade partner. Approved in 2017, Benin's Digital Code is so evidently informed by the GDPR that it's been described as having "enacted the most GDPR-like legislation outside the EU."

Like many countries around the world, African states have to deal with cyber security threats such as hacking, phishing, and malware, which can harm a computer system or network, damage data, or disrupt digital activities. Additionally, several cyber espionage incidents (also known as cyber-spying or cyber-collection) have been reported in recent years. Some popular headlines include allegations of Chinese state-sponsored cyber espionage. For example, in 2018, reports emerged that China had spied on servers at the Chinese-built AU headquarters for more than five years, gaining access to confidential information. Following this, in December 2020, a Chinese hacking group nicknamed Bronze President reportedly "rigged a cluster of servers in the basement of an administrative annexe to quietly siphon surveillance videos from across the AU's sprawling campus." And in May 2023, allegations were reported that a Chinese state-linked hacking group calling themselves Backdoor Diplomacy conducted a cyber espionage campaign over three years targeting the Kenyan government to gain sensitive information about their debt owed to China.

There are three additional challenges that are noteworthy and specific to the African continent. These have to do with the continent’s infrastructural deficit and the resulting dependence on foreign technology providers, issues around data localisation, and the lack of regulatory harmonisation.

Many African countries lack the necessary ICT infrastructure, including a reliable electricity supply, broadband internet, and data centres. Another challenge is a shortage of technology skills in the labour market and a lack of financial and material resources to develop ICT infrastructure indigenously. As such, many African countries depend on foreign technology and digital services. With foreign companies dominating Africa's digital landscape, they could impact a country's digital sovereignty. For example, foreign suppliers could influence digital governance practices or threaten national security.

The infrastructural deficit also has an impact on any aspirations toward data localisation. While data localisation is considered a means to ensure data sovereignty, it is challenging to achieve, primarily because of the financial resources and technical capabilities required to develop data centre infrastructure. Nonetheless, many commentators consider it essential for African states to build data centres to ensure digital sovereignty. Currently, most of the data content consumed in Africa is hosted outside the region, and the market is severely underserved. With digitisation increasing across Africa and the increasingly important issue of digital sovereignty garnering more attention, several African countries have or are in the process of building data centres with the assistance of foreign investment and companies. So far, Chinese companies, especially Huawei, a Chinese telecoms giant, have made significant inroads into Africa's ICT sector and data centre market.

Furthermore, achieving regulatory and legal harmonisation on cyber laws and regulations at the regional and continental level in Africa is very challenging due to diverse legal frameworks, different forms of governance, and linguistic differences. For example, the African Union's Malabo Convention received lacklustre support; it took nine years for the convention to obtain 15 ratifications, eventually coming into force in June 2023.

How do you assess the different policies set up by various African countries to pursue "digital sovereignty"? What are the variations that you see?

African countries have produced various policies to achieve digital sovereignty, which can be simply understood as a state exerting control over digital infrastructure, data, and technology to protect national interests. Some of the various policies include (but are not limited to) data localisation and protection laws, establishing national internet exchange points, content regulations and internet censorship, national digital platforms and e-government initiatives. While many policies, especially data localisation and protection laws draw on global best practices some legislation such as Nigeria’s Data Protection Act, 2023, has some unique provisions. It includes a new classification of data controllers and processors “of major importance” and specific obligations attached to them, as well as broader protections for exempt processing activities.

How do foreign actors like China, European countries, the US and private actors understand and deal with the discourse on local data ownership?

China takes a state-led or authoritarian approach to data sovereignty, stressing the importance of local data ownership. The Chinese government requires all data generated within the country to be stored locally and subject to Chinese laws and regulations, allowing the government to exert considerable control over data access and usage.

As prescribed by the European Union's General Data Protection Regulation (GDPR), European countries emphasise individual data rights and privacy more. The GDPR limits cross-border data flows and instructs that personal data must be processed following strict privacy and security measures. This empowers users to have more control over their data. Since European countries are concerned about data protection, they often require companies to obtain user consent for data processing.

The United States takes a more market-driven approach to data ownership. Data ownership is often left to individual or corporate discretion, with less emphasis on local data ownership. However, in recent years, there has been a growing concern in American policy circles about the potential of large tech companies (such as Amazon, Apple, Google, Meta, and Microsoft) to undermine democratic values and institutions, resulting in increased calls for the US government to implement digital regulations. Some argue that the dominance of a few large tech companies gives them too much power in cyberspace and poses a direct challenge to state authority.

Private entities, especially multinational tech companies, must often balance adhering to data localisation requirements of various jurisdictions and ensuring efficient data utilisation and analytics.

How can regional and international organisations better support a shared vision of data governance and regulation in Africa?

Developing a shared vision of data governance and regulation in Africa requires that regional and international organisations, governments, stakeholders and communities collaborate earnestly – there must be sustained cooperation and synergy to achieve policy and regulatory harmonisation. While several areas require cooperative efforts, I think that four initiatives are key to advancing the establishment of a common African vision on data governance.

First, there is a need for capacity building and policy development Initiatives. Regional and international organisations can assist with providing training and capacity-building programs or courses to help African governments and national departments improve their expertise on data governance, equipping them to develop more well-informed and sound policies. Organisations can also contract their staff to African governments to help develop data governance policies to ensure that legislation aligns with best global practices while reflecting the unique local contexts and priorities.

Second, financial and technical assistance is crucial. Through grants, partnerships, and funding programmes, organisations can provide financial support to assist African governments in implementing their data governance policies. Technical support can be provided through advisory services and technological transfer initiatives.

Also, collaborative research as well as monitoring and evaluation need to be expanded across the continent. To better understand data governance challenges and opportunities across Africa, collaborative efforts should be established between African and international organisations to produce research that can inform the development of comprehensive policies. And regional and international organisations can work together to establish monitoring and evaluation mechanisms to assess the effectiveness of data governance policies. Regular M&E can provide valuable information to tweak or improve policies and regulations.

Finally, regional and international organisations can partner with African ICT departments to promote and establish multi-stakeholder engagements with governments, civil society, the private sector, and academia to ensure that data governance policies that are produced reflect the diverse interests of African citizens.

This interview is part of the Negotiating Africa’s digital partnerships: interview series led by Dr Folashade Soule with African senior policymakers, ministers, private and civic actors to shed a light on how African actors build, negotiate and manage strategic partnerships in the digital sector in a context of geopolitical rivalry. The series is part of the Negotiating Africa’s digital partnerships policy research project hosted at the Global Economic Governance programme (University of Oxford) and supported by the Centre for International Governance Innovation (CIGI).