Melody Musoni: “Diversity in digital sovereignty approaches highlights the global impact of differing national policies in the digital sphere”

Melody Musoni is a Policy Officer at ECDPM, a think tank where her work focuses mainly on digital governance and digital economy. She is also an expert advisor on a project on Artificial Intelligence in Primary Education in Africa. She previously assisted the SADC Secretariat with its data protection and compliance programs. She has worked for over a decade in legal practice where she specialised on ICT law, data protection and information security.

This interview is also available in French.

What are the different approaches to digital sovereignty?

To understand the various approaches to digital sovereignty, it's crucial to first define the concept. Digital sovereignty is essentially a state's control over digital infrastructure and data within its territory, regardless of where this data is hosted. The approach a country takes towards digital sovereignty is shaped by its social, economic, and political interests, technological capabilities, domestic priorities, and digital foreign policies.

In the European Union, lagging behind technologically compared to China and the USA, the strategy has been to assert digital sovereignty by setting global legal norms and promoting European technologies. A notable example of this is the General Data Protection Regulation (GDPR) which is part of the European strategy that involves imposing stringent data governance standards and extending EU authority over data processing, even beyond its borders. The EU, by setting these norms, encourages other regions to adopt GDPR-like laws. It also collaborates with the African Union in developing Africa's Data Policy Framework, a crucial policy document poised to transform the utilisation of African data for the continent's advancement.

The United States adopts a laissez-faire approach, prioritising unrestricted data flows, which benefits its tech companies who happen to be control the largest global market share. However, through the CLOUD Act, the US maintains sovereignty by requiring US entities to disclose data upon request, regardless of the data's location.

China, on the other hand, exercises tight control over both domestic and international operations. This is evident in its surveillance-oriented data protection law and stringent data transfer requirements. The Chinese government has privileged access to all data originating in China and mandates companies to transfer critical information to state-run servers. Chinese companies are also required to provide access to data for national security review when the state submits a request for access them.

In Africa, there's a common misinterpretation equating digital sovereignty with data localisation. There is a conception that if data infrastructures and data centres are on the African continent and owned by African entities, African governments have more control over the data, the infrastructures and any data processing activities taking place in their territory, thus exercising digital sovereignty. The African Union's strategies, such as the Digital Transformation Strategy of 2020 and the AU Data Policy Framework of 2022, acknowledge the need for sovereignty over data while cautioning against strict local data storage mandates. The 2030 vision of Africa under the DTS is on building digital infrastructures (such as African data centres) on the continent and setting up of a Digital Sovereignty Fund to attract investment and funding on digital infrastructure. Positively, the Data Policy Framework identifies the importance of maintaining data sovereignty but also cautions against the stringent local data storage mandates as contradictory to sovereignty principles. African countries display varied national data laws and attitudes towards cross-border data flows and local data storage requirements. This diversity in digital sovereignty approaches highlights the global impact of differing national policies in the digital sphere.

How do you assess the policies set up by various African countries to pursue "digital sovereignty"?

Policies regarding digital sovereignty across African nations reveal challenges in standardisation and policy harmonisation concerning data sharing and transfer, and alignment with continental objectives. For example, Ghana adopts a liberal stance on data sharing outside its borders without local storage mandates, whereas Zambia enforces strict local data storage for cross-border transfers. Several African countries are concerned about foreign dominance in the cloud market affecting their sovereignty. South Africa is considering a policy for digital sovereignty through data localisation while Djibouti aims to become a hub for African data centres and is conducting a market study and defining a roadmap on construction and exploitation of regional data centres in Africa.

The AU Data Policy Framework and the African Continental Free Trade Area (AfCFTA) could influence changes in African nations' approaches to cross-border data flows. The AU Data Policy Framework advocates for digital sovereignty but opposes data localisation as a means to achieve it. The operationalisation of the AfCFTA presents an opportunity for African countries to reconsider strict data localisation laws and adopt intra-African data sharing as guided by the AU Data Policy Framework. I believe that as African countries implement this framework, they will maintain their own data centres but be more open to transborder data sharing, which could foster trade within Africa.

How can regional and international organisations better support a shared vision of data governance and regulation in Africa?

The progress in data governance in Africa over the last five years has been significant, with countries enacting personal data protection laws, criminalising unlawful cyber activities, and establishing data regulators. The adoption of the AU Data Policy Framework and progress towards operationalising the African Union Convention on Cyber Security and Data Protection (Malabo Convention), now ratified by 15 member states, are notable achievements. These, along with efforts towards a continental free trade area and digital single market, position Africa for economic growth, societal advancement, and human rights protection.

For further progress, closer collaboration among African countries is essential to align national laws with continental frameworks and bridge policy gaps. Regional Economic Communities (RECs) can assist member states in enacting data protection laws. The Smart Africa Alliance and other regional alliances can provide technical and financial assistance to AU member states. The African Network of Data Protection Authorities (NADPA), under the AU's leadership, could play a significant role in capacity-building, knowledge sharing, and conducting workshops on data protection.

The African Union should continue its leadership in guiding member states on regulations for artificial intelligence, digital identities, and effective implementation of data policy frameworks. Support from the private sector, civil society, and academia is also crucial.

Lastly, the partnership between Africa and Europe can be expanded, with the EU’s Team Europe Initiatives potentially providing technical and financial support to African countries. Africa can benefit from the EU's experience in data governance to develop and enforce its own frameworks.

This interview is part of the Negotiating Africa’s digital partnerships: interview series led by Dr Folashade Soule with African senior policymakers, ministers, private and civic actors to shed a light on how African actors build, negotiate and manage strategic partnerships in the digital sector in a context of geopolitical rivalry. The series is part of the Negotiating Africa’s digital partnerships policy research project hosted at the Global Economic Governance programme (University of Oxford) and supported by the Centre for International Governance Innovation (CIGI).