Nigeria continues to miss its financial inclusion targets. Because of the numerous constraints surrounding the formal banking system, a significant proportion of the Nigerian population remains excluded from the formal financial sector.

This article emphasises the importance of strengthening mobile money as a means of driving financial inclusion in Nigeria. Read the full article here.

Globally, a plethora of rich and stimulating conversations are currently taking place around the emerging institution of digital governance, reinforcing the  fact that digital governance is inextricably linked to development. A lot of intercontinental initiatives aimed at promoting data and its governance have substantially presented data as ‘the new oil’ that unmistakably drives global transformation. Africa is clearly leaving no stone unturned in proving itself as the next frontier in the global digital space, while following in the footsteps of the 'Big' digital platforms like the United States, the European Union, and China. The African Union’s (AU) recently released Data Policy Framework, a comprehensive and important data policy document developed to unleash Africa’s potential to drive data value creation on the continental level and endorsed by the AU Executive Council in February 2022, is a remarkable initiative, which is largely informed by the Data Transformation Strategy (DTS) of the Commission, as well as the operationalisation of the African Continental Free Trade Area (AfCFTA).

*The Dialogue on Data Development (DDD) Team of the Centre for the Study of Economies of Africa (CSEA) is firmly committed to promoting awareness on the enormous potential of a robust digital economy to the creation of new business opportunities, increment of efficiency, boosting of sustainable development and reshaping of people’s socio-economic lives. It seeks to investigate the .potential contribution of the AU Data Policy Framework towards shaping  digital governance development in the African continent, as well as fixing the peculiar problems that are associated with the institution. To this end, it (the DDD Team) interacts with Professor Alison Giliwald, Executive Director of Research ICT Africa (RIA), the ICT hub of the AU, under whose supervision the development of the policy document was created. Reacting on a range of issues which essentially border on the unique role which the Data Policy Framework is designed to play, Alison Giliwald shares her experience on the direction for data governance in Africa and also reveals the capability of the new data policy environment to make Africa become a leader in the global digital space (Excerpts).

The importance of the AU Data Policy Framework in the continental digital space

The document is important in unleashing the potential in data value creation on the continent.  It is largely informed by the AUC’s Data Transformation Strategy (DTS). DTS is geared towards enabling the African continent to create a Digital Single Market. Here, Data is considered a strategic resource that drives transformation. DTS acknowledges that data must collected, stored, processed and shared in order for it to have value.

The policy allays fears that surround the cross-border data flow by acting more like a global digital awareness policy regarding aspects of digital operations such as data localization. It guarantees  that a country can develop local capacity to protect data flow. It subscribes to the human rights framework. It is progressive, not only in terms of how data is viewed in relation to  economic growth but also in terms of individual privacy.

 It also extends the notion of equity and justice towards data governance. The policy document is committed to redressing the uneven distribution of  opportunities and harms that exist between and within countries. It is not only about data protection and the individual aspects, but also about understanding, from a governance perspective, the need to prioritise the collective interest  of an indigenous community in terms of ensuring that their indigenous knowledge or data is protected. It is a highly principled document, but it is also a compromised document, as it has to be adopted by 53 countries.

Specific problems that the data policy seeks to solve

The AU Data Policy Framework addresses similar policy challenges in digitalisation and datafication that are being faced globally. Each country has its  peculiar challenges. The opportunities and impacts of digital technology vary from country to country and are unevenly distributed both between and within countries. The aim is to create greater opportunities within Africa. While creating an enabling environment at the national level, it also attempts  to safeguard the African digital space from the harms associated with the big digital platforms, as well as the decision-making that relates to them. It also addresses the resulting exclusion of a large number of Africans online, who are often discriminated against as a result of decision-making. It is critical to address these challenges in order to promote economic growth, enhance data value and create a single digital market.

It is important for this regional digital policy framework to encourage private value creation in relation to data and, also, create local conditions for production rather than simply limiting the continent to service consumption. However, in order  to achieve all of this, there is need  for economies of scale and scope which will go a long way in shaping the creation of a single digital market. At the regional level, this will guarantee economic development and  redistribution, as well as address equity concerns. The big challenge from the governance point of view is the enforcement of data protection  and privacy in the digital environment. It is highly necessary for digital technology to be steered towards benefitting the continent more evenly, both across and within countries.

The capability of the new data policy environment to make Africa become a leader in the global digital space

Given its history and legacies as a postcolonial entity, Africa faces some peculiar challenges; thus, its policy needs to be aspirational. Despite being the most densely populated region, Africa has enormous potentials. Hence, there is a lot of room for optimism. There is a lot that Africa as a region can do that will be extremely beneficial for the well-being of the majority of Africans. However, there is much more that can be done digitally to position  us as a  leader in the global digital space. The aspiration of local innovation in the reproduction of relevant goods and services is critical. If Africa can focus innovatively on  targets and objectives that contribute to national and regional aspirations, it will qualify to be ranked as a global leader. Competing with  global digital giants like the US and China, in terms of Artificial Intelligence, development may not be Africa’s immediate goal.

Key enablers for the successful implementation of the AU Data Policy Framework

Policy implementation has always been a major problem in Africa. This is why many good policies, developed by the continent, are still sitting on the shelf, gathering dust. The AU Malabo Convention is an excellent example in this regard. For nearly a decade , the AU has been unable  to  secure the ratification of the Convention by up to 15 Member States  allowing it to become officially binding. Nonetheless, an important part of the recommendations given by the AU Data Policy Framework is that the continent should proceed with the innovation of the data protection and cyber security content of the Malabo Convention. The point that  all Member States have made to the AU, particularly in relation to Digital Transformation Strategy, which is supported by the EU-AU bilateral funding, relates to the second phase of this Framework, that is, the AU Data Policy Framework Implementation or Action Plan. To ensure implementation, a lot of work would go into this Action Plan so the implementation takes the high-level, principled part of the Policy Framework.

In order to ensure proper implementation, roles have been assigned to specific institutions. The Implementation Plan also includes capacity requirements that take into account the unique institutional, contextual, and economic characteristics of each Member State. But the constraint, however, is that Africa does not have the guiding resources to support implementation. The high-level and principled Framework has been incorporated into the Implementation/Action Plan due to how crucial the Implementation Phase is. There is now a pool of strategies from which every Member State can choose and adapt to their respective peculiarities in the areas of budgetary allocations, timelines and so on. However, in addition to the Implementation Plan, there is a third phase with a  much more comprehensive programme on capacity building in all of the identified areas. In this round, the capacity-building programme has different components of institutional skills required to achieve institutional collaboration, which is required at the global level, in order to  drive a vibrant  digital economy.

In addition, for Africa to maintain its pride of place in the digital economy, the AU Data Policy Framework recommends is that it be far more active in global digital governance fora where, as a bloc, its interest can be more effectively represented to ensure a better outcome for the continent. Then, at the national level, African countries must examine their institutions and capacities, identify their needs and capacity challenges, and transfer these to the AU for the regional authority to find technical assistance for these countries in order to fill their various gaps. Furthermore, every country needs to understand the type of monitoring and evaluation it needs at the different phases of implementation. It should include  in its implementation plan, the indicators for which assistance is needed to meet its goals. The interesting thing is that most of these indicators can be derived from cities, data regulators, information and a variety of other sources. However,  many  other data points could be digital and data indicators, which are not immediately obtainable from the continent. As a result, gathering basic socio-economic data is currently a major task in this type of planning and implementation.

The AU’s accomplishment of its data policy objectives in the face of implementation challenge

Remarkably, the AU Data Policy Framework’s objectives are complementary to those of other existing international data protection policy frameworks. Furthermore, these objectives reflect the diversity of the continent as well as the different levels of development in the various countries. However, these objectives are based on quite practical and specific recommendations in each of section of the high-levelled principles, which are aimed at  harmonisation. There are also practical recommendations, such as interoperability, which brings to mind the Malabo Convention. Hence, there is room for the harmonisation of policy objectives within the African continent. A lot of approaches to governance in the Framework take the form of a spectrum, depending on the local contexts and conditions. The Framework shows that different categories of data exist.

It also allows for unrestricted inter-Africa data flows, from which all African countries can  benefit. This development encourages nationally integrated systems of cross-border data flows. The implication  is that, if the AU can protect sensitive personal, health, and other data, it can also be more stringent on cross-border data flows. However, if the regional authority can make non-sensitive data open to cross-border transactions, it will be creating an enormously enabling environment for the AfCFTA to be operational. It is not solely about ensuring digital services on the continent, where value is created in a multi-economy, but also about facilitating the standardisation of customs and duties through digitisation. This would make the systems flow more easily, thus resolving  issues such as information asymmetry within the production system between countries on the continent. As a result,  there is a practical recommendation for achieving the high-level objectives of this Framework.

Collaboration among stakeholders to promote and  safeguard Africa’s digital interest

For this Framework to be progressive, there is a need for unprecedented collaboration, at all levels,  between stakeholders, in order to promote and safeguard Africa’s interests. In order to ensure equitable and secure access to data for innovation and competition, as well as to see this data policy being actualized, Member States across the continent must establish a unified legal approach. Regional collaboration, especially in the area of enforcement, would go a long way in promoting African interests.

African policymakers’ concern on the alignment of regional data governance initiatives with national priorities

This is an essential part of policy formulation. The AU Data Policy Framework is very well cognisant of this concern. It’s a guiding framework for African policymakers to consider this extremely complex global data system that is required to operate at the national level. The development of this Policy Framework is like the extension of the mandate of the regional Data Protection Authority towards the Member States, particularly those that have not enacted any legislation on data protection. The Framework makes it clear that it would require a review of existing data protection laws and policies in the African digital space. Member States need to align with what is going on at the regional level as it would help determine their ability to reap the benefits of economies of scale and scope. This, by extension, is a catalyst for economic growth and development.

The support that Member States can enjoy from the AU for an effective national data governance framework

As a regional authority, the AU is focused on the institutional and capacity building of its Member States. It demonstrates total commitment to many areas of development, including those that may benefit these Member States. However, there are procedures that allow the AU to respond to Member States’ request for assistance or identified areas of need. The truth is that the AU does not have the vast resources to meet all of its Member States’ needs at the same level, because each Member States  have different levels of need for assistance or support.

However,  there are ways by which the Commission can be  assisted, say, by the European Union, in the funding  some capacity-building projects that benefit Member States. The AU's Member States will receive capacity-building assistance in the coming years. Another important feature of this Framework in terms of the support that the Commission can provide to its Member States is the collaborative mechanism that exists at the solidarity level on the continent. Strategic pairing initiatives have been explored to solve many peculiar problems on the continent.

A  recent example was the convergence of  AU power regulators at the University of Cape Town where they focused on the challenges that  various Member States face in  areas such as generation and distribution, bringing in the required expertise to address such challenges. A similar idea, which will be unveiled soon, is currently being proposed by the data protection regulators on the continent. This will make a significant contribution to the digital transformation of the continent.

• The Dialogue on Data and Development (DDD) Team of the Centre for the Study of Economies of Africa (CSEA) is led by Adedeji Adeniran (Ph.D.), and other members that include Sone Osakwe, Drusilla David, Kashema Bahago and Kunle Balogun. 

The history of the National Information Technology Development Agency (NITDA), the public service agency tasked with the sole responsibility of implementing the policies and guidelines that drive ICT in Nigeria, is a study of steady but productive digital innovation. Since its establishment in April 18, 2001, NITDA has undergone stages of transformation, in line with the government’s strategic policy changes. Since October 2019 when the Ministry of Communications was retrofitted as the Ministry of Communications and Digital Economy, the agency has commendably driven a lot of initiatives, which have fuelled the digital explosion.  *The Dialogue on Data Development (DDD) Team of the Centre for the Study of Economies of Africa (CSEA) interviewed Mr. Inuwa Kashifu Abdullahi, Director-General, NITDA, to learn about the digitally innovative services that the agency has been able to offer Africa and the world, as well as the challenges it has faced in recent years. In this conversation with the DDD team, herevealed some giant strides the agency has made, despite some challenges it has had to battle with. Herevealed, with incredible confidence, that the agency has a short-term goal of building the capacity of one million technology developers in the next eighteen months. Excerpts.

What are the novel innovations that have occurred in Nigeria in recent times?

The most critical innovation is the designation of the Ministry of Communications to the Ministry of Communications and Digital Economy. In October 2019, President Muhammadu Buhari approved the designation to include ‘Digital Economy’. This is because while communication implies only technology, it is not used simply for its own sake, but also to improve the economy. As a result, the ministry was given the mandate to formulate a policy, ‘The national digital economy policy and strategy for a digital Nigeria’, which was unveiled and launched on the 28^th of November 2019. The policy has 8 pillars, they include- Developmental Regulation, Solid Infrastructure, Soft infrastructure, Promotion of government digital services, Service infrastructure, Digital literacy and skills, Promotion of indigenous content and Digital society and emerging technology. These pillars are all interwoven and are wound around how to optimally use data for economic purposes to create wealth and prosperity.

As an agency, our purpose is to implement government policies in order to encourage the use of ICT by Nigerians, hence there was a recalibration to come up with a new Strategic Roadmap and Action Plan (SRAP 2021-2024). While the agency was established to implement the Nigerian IT policy which centered primarily on encouraging Nigerians to use ICT, we have now gone beyond that. Less than 500,000 Nigerians were using ICT in 2001, when the agency was established, today there are more than 120,000,000 Nigerians using ICT.

This demonstrates that it has progressed beyond usage and is now focused on economic purposes and benefits. The SRAP has 7 pillars: Development regulation, Digital literacy and skills, Digital transformation, Cyber security, Emerging technologies, Promotion of indigenous content and Digital innovation and entrepreneurship.

Developmental regulation is crucial because ICT is dynamic. As a regulator, the agency exists to safeguard citizens and protect providers as well. However, an understanding of the technological pattern is needed to initiate regulation. Many activities have been carried out regarding developmental regulation such as the Nigerian data protection regulation (NDPR) which was issued in 2019 and aimed at providing an innovative way of regulating data to protect the citizens’ information online by sensitizing the public to be conscious of the information that they provide online and also to hold accountable organizations using such data or information by introducing annual reports and compliance certificate. Also, the data protection compliance organization was established to help organizations comply with the Nigeria Data Protection Regulations.

The president has also approved the establishment of an agency charged with the responsibility of protecting personal data. The agency is called the Nigeria Data Protection Bureau. Beyond the NDPR, we are looking at ensuring the safety of our digital space for usage and levelling the playfield for businesses to foster innovations, growth and competitiveness. To create a new market for them is crucial.   To accomplish this, a code of practice (regulation) will be issued, which will accomplish the goals while holding large technological companies accountable for the information gathered from citizens. These policies and regulations have aided Nigeria in becoming Africa's strongest ecosystem. For example, five of the seven Unicorn companies in Africa originated in Nigeria.

Are there specific cases whereby Nigeria, like Rwanda, has used the digital economy to offer innovative services?

Nigeria is a large and diverse country. When the new government took office, it began by leveraging ICT for good governance which is quite commendable. First, the Treasury Single Account (TSA) has been implemented. Previously, most agencies had multiple accounts and the government had no knowledge of what went in and out of its treasury. Secondly, the IPPIS has assisted the government in saving billions of naira from ghost workers and other cases. Third, is the use of the BVN which has played a huge role in helping the financial system recover debts and lastly, is the National Identity Number (NIN).

The digital economy is driven by three things: broadband penetration, digital identity, and payment system and Nigeria is currently leading globally in payment system innovation and financial technology.

The agency also worked with the Massachusetts Institute of Technology (MIT) on Regional Entrepreneurship Acceleration Programme (REAP) which is designed to help regions easily identify innovation and entrepreneurial gaps, and devise strategies to fill these gaps. Basically, it identifies five stakeholders in the whole eco-system. The first stakeholder is the Government whose role is to provide interventions in terms of policies, regulations and infrastructures in unserved and underserved communities. The second stakeholder is the universities or higher institutions which produce the human capital. The third stakeholder is the entrepreneurs who can start and grow businesses. The fourth stakeholder is the corporate organizations that absorb products and services and also the human capital produced by tertiary institutions. Then, the fifth stakeholder is the risk capital which understands innovation and invests in start-ups. In addition to the innovations, there is the National Centre for Artificial Intelligence and Robotics which was established to assist the agency in creating and capturing value from emerging technology through various means such as innovation challenges.

In Nigeria, the agency uses social media platforms to achieve a variety of goals in government, politics and other areas. Almost all the relevant government agency has a social media handle. People can contact them and contribute to their efforts. The agency is working towards establishing a one-stop shop for all government services. One such domain is the .1gov.net. which is still being developed. Due to Nigeria’s large land mass, population and diversity, such projects will be difficult to implement in comparison to smaller countries like Rwanda. However, the agency is leveraging integrating small silos systems by working on the government enterprise architecture and e-government master plan. Also, included in the agency’s mandate is active project clearance, which involves ensuring that MDAs comply with the government enterprise architecture and the Nigerian e-government master plan. This is because the agency wants them to be design systems with the goal of eventually integrating with other MDAs to exchange information. This allows the silos to be integrated in order to achieve the .1gov.net.

What challenges has NITDA faced so far, especially in the process of bringing about all these innovations?

Essentially, the three key factors typically considered in relation to digital transformation are people, the process and the technology, which is usually considered last. The technology in question is used by people. People will not use this technology if they do not understand its purpose. . Theprocess involves reviewing how activities are carried out manually and considering automation. Without this, any technology brought in will be unable to fit into the process. I have always advocated for the use of tailor-made technology, which ensures the technology's seamless effectiveness. The reason for this is that every organization, culture, and person is unique. However, resistance to change by people is an inevitable issue. This resistance could be due to a fear of job displacement and becoming irrelevant to society, oblivious to the fact that technology has the potential to make jobs easier. As a result, a lot of capacity building is required. As a result, one of the SRAP’s goals is to achieve 95% digital literacy by 2030, which will help create a community of citizens who understand and embrace technology. In addition, we have a short-term goal of building the capacity of one million technology developers over the next eighteen months.

·       The Dialogue on Data and Development (DDD) Team of the Centre for the Study of Economies of Africa (CSEA) is led by Adedeji Adeniran (Ph.D.), and other members that include Sone Osakwe, Drusilla David, Kashema Bahago and Kunle Balogun. 

The recent emergence of Mauritius (an island country in the Indian Ocean, which is located off the eastern coast of Africa) as the most digitally prepared of all African countries is quite remarkable. Featured on the African Digital Preparedness Index, developed by the Centre for the study of the Economies of Africa (CSEA), this emergence teaches a strikingly instructive lesson that the geographical size of a country is never a determining factor for its capability to develop an effective data governance framework. As one of the smallest countries in the African continent, Mauritius has maintained its pride of place as one of the best domestic digital markets, not only in Africa but also in the world. In the cyberspace, Mauritius’ compliance with  international standards has been so impressive that it is being cited by the Council of Europe as one of the best local digital economies which other nations of the world can emulate. It distinguishes itself as maintaining an innovative data policy regime by strategically incorporating the EU's General Data Protection Regulation (GDPR) in its national data protection legislation in a way that makes the regional legislation adaptable to its local context. Also, as a financial hub and onshore jurisdiction to foreign investors, Mauritius has an inimitably effective mechanism for managing cross-border data flows.  

*The Dialogue on Data Development (DDD) Team of the Centre for the Study of the Economies of Africa (CSEA), in its bid to inquire into Mauritius’ data governance status and the approach adopted by the country towards integrating its data governance efforts with those of the regional institutions, like the African Union (AU), to have a central data governance framework in the African continent, engaged Mrs. Drudeisha Madhub in a conversation.  Mrs. Madhub is currently the Data Protection Commissioner for Mauritius. In this conversation with the DDD team,Mrs. Madhub sheds light on a number of strategies, like the digital transformation and digital preparedness strategies, devised by Mauritius’ Data Protection Authority to put the country on  Africa’s digital map. Excerpts.

What does data governance really entail?

Data governance relates to everything about the use and re-use of data in general. It can be any information. It’s not only personal information. It can be non-personal information. It can be industrial. It can be any piece of information in the public sector as well. And this is what we call data. Data governance implies the various rules and principles, which govern how the data is being used or the uses to which the data will be put. So, this is basically data governance.

Why does Africa need data governance in this era of fast-rising global digitalisation?

First of all, as you know, data is global. Data, as we say, is ‘the new oil’ for the world. So, if this is the case, it is not only in the African continent that data governance is needed. All the regions of the world are being influenced by the need for a data governance framework to be able to make effective use of data nationally and internationally. This is why the focus on data governance has become imperative for the African continent as well. Then, why Africa?

Given the size of Africa as a continent, we need to be careful with how we interpret data governance in Africa. This is because the African context is different from, let’s say, the Asian Pacific or the European context in terms of economic development, literacy, digital literacy, critical infrastructure, etc. And all these elements influence the African continent in a different way from how they influence other continents. So, what I’m trying to say is that there is disparity across continents. And there is disparity as well within Africa in terms of countries. That basically impacts how we view data governance. If we are speaking of data governance from an African perspective, we will be looking  up to the high standards to follow in the national context. And, if we want to look at data governance  for a specific country, that may be different from how we look at it from the perspective of the African context generally.

That is why I think the AU is doing a great job in having a regional data policy framework that they have already adopted since 2021. Coming up, however, is the implementation plan, that is, how it is going to be developed in Africa. But as I have said, this is the lofty heights that we are trying to attain. Without having the right infrastructure, political commitment and  private sector initiative as well, it will be highly difficult for specific countries to adopt these principles if these challenges are not tackled at the national level. We can’t be confident to say we are digitally prepared to achieve all the principles in the data policy framework.

What informed Mauritius’ decision to incorporate the EU’s General Data Protection Regulation (GDPR) principles into its domestic data protection and privacy laws?

In Mauritius, we have an economic market for investors from Europe, which operates in Mauritius’ companies and multinationals. So, economically speaking, it was a very broad idea for us to correlate with data protection principles in Europe in order to be recognised by the EU as an adequate country. It is in view of this that our second data protection act, enacted in January 2018 is mainly inspired by the EU’s GDPR principles. It has been customised to be adaptable to the local context. We have taken from the EU’s GDPR but essentially, we believe in the important principles and we have incorporated them in our legislation, along  with other criteria.

There are significant differences in terms of penalties in our data protection act from what the GDPR contains. The idea is to have a smooth economic relationship with the EU. But our relationship is entirely not only from the economic perspective but also from the human rights perspective. If you look around the world right now, the EU’s GDPR, together with Convention 108, appears more credible, organised and disciplined as an instrument. At the UN level, we barely have anything as such, which will inspire the drafting of  data protection laws in a specific country. So, our decision was purely from the policy and the human rights perspectives, and this has given much importance to privacy. Notwithstanding, as I  mentioned earlier, there are differences which are not applicable to the Mauritius context, and these are not incorporated in our legislation.

How will you assess the impact of this amendment's implementation since it went into effect in 2018?

Since 2018, the law has been very well applied in Mauritius. I would explain how we work; by conducting  investigations. After an investigation is carried out, I, in my capacity as Commissioner, give a decision which is like a judgment. And when we recommend a prosecution on a criminal level, people have the right to make an appeal against the decision made by the Commissioner. We have had judgments, even in the Supreme Court where privacy has been debated and some of the elements of my decisions have been reproduced and argued upon. We have cases in Mauritius, which relate to data protection and privacy. This is why the data protection act is well alive. We register practically all data controllers and processors in Mauritius. And again, if there is no compliance with the Law, we issue them with enforcement notices, that is, they have to enforce the laws. We do this on a large-scale basis. We collaborate with the police in terms of enquiry and prosecution. The matter is serious.

With all these, I don’t see why the laws won’t be implemented, although it might take some time in some areas. We do certification of data protection track assessment; we give notification of breaches by controllers and processors; we do registration; we give updates on compliance level; we also do security checks and inspections. So, these and many others are basically what we focus on here. It’s a very lively situation here.

Has the government really enjoyed cooperation from the public and the private sectors in terms of compliance?

Yes! There are more controllers and processors in the private sector, compared with what we have in the public sector. But we collaborate with everyone. We work with everyone that is concerned. I personally do so many citizen sensitisation campaigns now. I can tell you about the media/press activities that we undertake on a regular basis. We train data protection officers regularly. So, basically, we’ve been able to travel quite a long journey since 2009. Notwithstanding, we still have so much to be done. You see, compliance from controllers and processors is a very long process. We can’t say that, in any country, as soon as a law is implemented, you will get success. There are issues with implementation. We have administration sanctioning. It happens. But the quantity is usually bare. It can happen in one case which can trigger compliance by other people. However, quantity isn’t what is material here. What matters is the quality of the work you do, much of which I have been leveraging in our operations.

Given Mauritius’ strategic position as an offshore jurisdiction to foreign investors, how does it manage cross-country differences and intentions in respect of cross-border data flow?

If you look at our Data Protection Act, we have a critical section that pays attention to personal data. And this section is almost identical to what is contained in the EU’s GDPR. The idea is that we allow cross-border data flows. As a rule, there is no need for counties’ authorisation from the Commissioner. Our legislation allows cross-border data flow to happen. However, as you know, there are exceptions in terms of public interest, legitimate interest, vital interest, law provision, obligations, concerns and others which can prevent a data controller or processor from transferring data abroad. But the issue is that we actually retain the supervisory power in the data protection office in terms of, for instance, a dispute on transfers and someone comes to me with a query or complaint and it is proven that there was no appropriate safeguard during the transfer, we can decide against this.

However, we have a device for ensuring effective cross-border data flows but the legal recommendations are not easily understood most times. We often advise companies to come for authorisation. Although in law, they are not required to come to us. This is when they satisfy our conditionalities and extant laws. If, however, there is a dispute such that they fall under any of the afore-mentioned exceptions, they will be deemed to have breached the data protection law. But there are many who have transferred data without seeking authorisation from us.

What innovative efforts has the country been able to make to boost the global digital space? And what lessons do other African countries have to learn from such initiative?

In the competitive edge, Mauritius has always tried to be the first in all areas, even in the IT sector as well. We have what we call a digital transformation strategy,  as you have at the African Union level, which outlines the main actions that Mauritius has undertaken or will undertake in the coming five years as well. It has a national action plan for which it has made ICT one of its economic sectors. We also have digital preparedness as a strategy. In fact, there are many nascent strategies in the digital arena. If you go to the Ministry of Communication and ICT website, you will see all these national strategies which Mauritius has devised to make it number one in the context of African digital preparedness.

Also, just recently, we have modernised the panoply of laws to guide ICT. We have cybercrime and cyber security legislation for 2021. This law aligns with The Budapest Convention on cybercrime.  Also, our data protection laws align with Convention 108 which is the Handbook of the EU’s data protection laws.  Compliance with international standards has been achieved by Mauritius in the cyber world. We have left no stone unturned for all these to happen. Currently, Mauritius is being cited as an example at the Council of Europe level in terms of compliance.

What advice do you have for the AU to record brilliant success with the development of an effective regional data governance framework?

All the regional bodies, including the Economic Community of West African States (ECOWAS) and the South African Development Community (SADC)  need to come together on this data protection agenda and ensure they all work together to produce the same type of documents.. Let us, for instance, put the ECOWAS Principles, SADC Model Laws and others in the same data governance perspective. From the data governance perspective, this is one area where all these regional institutions can come together, sit together and work on one document which will apply to all African countries. At the level of the AU, it’s highly critical to say that we need a technical team of experts detailed by the regional institution to go to each African country to assist it in devising its own strategy. Unfortunately right now, we do not have such a team. I know that the AU is working with the EU, as well as with other stakeholders, to be able to get assistance.

Furthermore, there is a need for AU to create binding principles to be able to influence each African state. This kind of legislation that I am suggesting, combined with the Malabo Convention, is highly recommended. In fact, I don’t want to go into the weaknesses of this Malabo Convention, as it is not attuned to international standards. In view of this, we need to innovate by bringing this much-talked-about Malabo Convention more in tune with the realities on ground. And this is one area where the AU needs to work very quickly and urgently. The existing Malabo Convention may be scraped off or amended or entirely replaced with a new one or redesigned to attract more ratification. That is one. The second issue relates to the data governance framework which the AU has adopted.   Let’s say we don’t have a binding law on data governance right now in Africa. But what can we do? We can work bilaterally for the African Continental Free Trade Agreement (AfCFTA) whereby each country concludes a bilateral trade agreement with the AU by imposing, upon themselves, very important principles in data governance and data protection. That will help in achieving some nascent milestones. So, this is how we should start; but we can work to make things happen at the same time. If, however, we want to achieve all of these one-by-one, we may lose the whole time and fail to accomplish our aim.

What form of support do you think the regional institutions in Africa, like the AU, can provide for African states to thrive in the global digital space?

Good. Let’s take a guiding example of what is happening at the EU level. You have the European Data Protection Board. They are the people who are actually bringing in all these elements of data protection innovation in the whole of Europe. So, let’s think about having such a disciplined structure for data governance and data protection and all types of data you may have, regardless of the names you wish to call such. There is a need for something which would be centred around data, that is, an institution which is lacking at the AU level. If we rely on each African country’s having data protection laws and data protection institutions, and we do not have a higher up body which will be overarching the implementation across the African region, then there will be no point. The AU should take concrete steps beyond the advisory role which it has been playing, by being a value-strong and effective body which is bringing result.

Beyond the foregoing, what steps do you think Africa should take to emerge as the next frontier in the global digital market space?

If I understand the question very well, I will translate it as asking about what actions should Africa take to become a leader in the global digital market. The logical way to answer this question is by asking, “How do we lead actually in any area?” We lead, basically, by creating, by being innovative and bringing in our own expertise. Expertise here is very important. Although we learn from others, it is also important we make our own contributions which is another level of expertise that Africa needs.  So, Africa needs innovation to become leader in the global digital market. There is a need for a team of experts from all the states in Africa to be brought to the table, where actions that all African states should take in order to be digitally prepared, can be properly debated. You see, it’s impossible that all the states will have the same level of digital preparedness and the same level of infrastructure. But what we are looking at here is people. We need people. We don’t really need the infrastructure. We have the private sector which can put in place infrastructure. We also have international and multinational companies which will come and support the country in terms of critical infrastructure. This is what is happening everywhere. We don’t need to worry about infrastructure. What we need to focus on is giving the right level of education to the African people for them to be able to stand on their feet and be able to work in this area. We have people in the ICT sector, like computer scientists and data scientists, who should be given the opportunity, without which the country will never innovate. This should shape the kind of university education we provide people within the country. Furthermore, we need commitment. Having institutions is good. Having data protection authorities is good. But if you have a regulator who is digitally educated with a population of people that are not digitally educated, what is the point?  There is supposed to be a certain level of parity and equity in the country between the institutions, the private sector, the public sector and the citizens

• The Dialogue on Data and Development (DDD) Team of the Centre for the Study of the Economies of Africa (CSEA) is led by Adedeji Adeniran (Ph.D.), and other members that include Sone Osakwe, Drusilla David, Kashema Bahago and Kunle Balogun. 

The Nigeria Data Protection Bureau (NDPB), the newest Nigerian government digital agency, was birthed on February 4, 2022, following President Muhammadu Buhari’s approval of its establishment. Stating its statutory functions, the official press release that announced the establishment of the NDPB said  it would “…be responsible for consolidating the gains of the Nigeria Data Protection Regulation (NDPR) and supporting the process for the development of a primary legislation for data protection and privacy.” The NDPB was established to play an ancillary role to the National Information Technology Development Agency (NITDA), which had been solely saddled with the responsibility of ensuring data privacy regulation and compliance in Nigeria, long before the former was established. Now, the NDPB has been given the mandate to enforce compliance with the provisions of the Nigeria Data Protection Regulations 2019 (NDPR).

The Dialogue on Data and Development (DDD) Team* of the Centre for the Study of Economies of Africa (CSEA) engaged Dr Vincent Olatunji, the NDPB’s pioneer National Commissioner, with a view to finding out about such efforts which the agency, despite its comparatively young age, has since been making to secure a prominent place for Nigeria in the African digital space. In this conversation with the DDD team, he expressed implicit confidence about how the agency is currently fine-tuning well-coordinated plans for the biggest data governance drive in Africa [Excerpts]. 

Given the experience of NITDA and other agencies around digital economy, what unique role is the Nigeria Data Protection Bureau out to play?

Data privacy and protection occupy a unique place in every facet of our lives and livelihoods. This fact is attested to by Section 37 of the 1999 Constitution of the Federal Republic of Nigeria. This is under fundamental rights.  Nigeria Data Protection Bureau (the Bureau), being the institution that is mandated to safeguard the data-related aspect of privacy, plays a very unique role. Other agencies have their roles in the broader socio-economic development of the country. In this regard, there are data controllers who determine the purpose for which data are being used in carrying out their important statutory mandate.

Here at the Bureau, however, we regulate the data processing activities of all data controllers both in the public and in the private sector. Since this is Data Age, the work of this Bureau is essential in ensuring the following: the rights of natural persons to data privacy; safe conduct for transactions involving the exchange of Personal Data; integrity of personal data, global competitiveness of businesses in Nigeria and the accountability of all persons and authorities in data processing activities.

Research has shown that data governance in Africa is confronting human capacity, financial and technical gaps. Is the story different in your institution? If yes, how did you achieve this? If no, is there any idea to both national and regional as to how to mitigate them?

As a new establishment, we have the opportunity to determine our roadmap and action plan at this formative stage. The roadmap is going through our quality assurance process, but we already have our eyes on the fundamentals which are rooted in the Nigeria Constitution, the National Digital Economy Policy & Strategy (NDEPS) as well as the Nigeria Data Protection Regulation (NDPR). Relative to these goals, we cannot say there is a significant gap. Meanwhile, we are lucky to benefit from the visionary support of the President who, in his wisdom, deemed it appropriate to approve of the creation of the Bureau in times like this.  The pioneer Honourable Minister of Communications and Digital Economy, Prof. Isa Ali Ibrahim Pantami, has been tremendously supportive every step of the way. Also, we are lucky to have developed from the National Information Technology Development Agency (NITDA). NITDA has been highly supportive, and so is the National Identity Management Commission (NIMC). We have also received support from the Nigeria Communications Commission. Apart from the statutory bodies, we are also enjoying the support of the ID4D Team in Nigeria. The ID4D draws support from the World Bank, European Investment Bank and French Development Agency. Similarly, many private-sector organizations have also been supportive in the area of capacity building.

Privacy, being a human right issue, naturally attracts public-spirited organizations and individuals. Once you demonstrate a clear understanding of this concept and the willingness to give it institutional expression, you will get the support you need to get things done gradually. However, we are not ignorant of what lies ahead or the task before us. So, we are putting measures in place to ensure that that the work of the Bureau is not hampered by financial and technical gaps. We must also admit that the issue of finance is not quite peculiar to Africa. Data Protection Authorities all over the world do not have all that they need to promote data privacy and protection.

What are the national and global data protection challenges that the Bureau is trying to fix?

There are a number of data protection challenges, both at the national and global levels, which the Bureau is currently fixing. For us, the first challenge is data literacy. Data subjects must first know their rights before they can prevent low-level breaches. They must also enforce their rights at a higher level.  Apart from that, we also have the challenge of data localization. There is no consensus on the issue of data localization. For us as a country, however, data localization is one of the most effective policies through which a country can guarantee its sovereignty and security. We are not oblivious of the implication of this policy for our existing infrastructure. So, we are determined to address this issue in line with the first pillar of the National Digital Economy Policy and Strategy, which is Developmental Regulation. Whatever we do, our objective is to ensure that, through regulation, we are able to stimulate the development of what we desire. We are making sure our economy and national security are not at risk, as we engage with the global marketplace in terms of cross-border data transfer.

What digital economy-related innovation is the agency trying to bring to fore?

As we have stated earlier, this is the Data Age. It means digital economy is the medium through which lives and livelihoods can thrive sustainably. This cannot happen without trust on the part of data subjects. We are bringing in innovations that will inspire data-subject trust for digital economy. Through the implementation of the Nigeria Data Protection Regulation (NDPR) for instance, we certified and licensed the Data Protection Compliance Organizations (DPCOs). The DPCOs are helping data controllers in compliance process. At the moment, we fine tuning our plans for the biggest data governance drive in Africa. World Development Report 2021 that is entitled‘Data for Better Lives’, published by World Bank, identified three core principles for any social contract for data. They are: Value, Trust and Equity. So, we are cognizant of these three core principles in coming up with our innovation for data governance.

What are really the challenges which militate against the thriving of the Nigeria Digital Market?

Indeed, if we critically interrogate what we may refer to as challenges, we will discover that they are opportunities for investment. For instance, if we talk of infrastructure, there is an opportunity for investment infrastructure. A free-market economy such as ours only has to worry about the time it takes to deepen the knowledge-based economy, as well as increase the knowledge on the part of the workforce and on the part of consumers.  Once a critical mass is determined to expand the horizon of our knowledge, what we refer to as challenges will turn to opportunities in the mind of the knowledgeable.

How does the Bureau go about creating awareness as well as sensitizing the public on the need for digital adoption, inclusion, privacy rights and effective data governance framework in the country?

We are using various awareness strategies such organizing working visits to data controllers and ensuring our active presence on social media platforms. We are on Facebook, Twitter and Instagram. We also organize capacity building programmes. Just recently, we organized a data privacy and protection training for Nigeria Television Authority. More activities are coming which will involve schools and other public organizations.

How does the Bureau want to work with both regional and global institutions? What challenges does it anticipate in this respect?

The Bureau will be working to sustain and to deepen what has been achieved, in the last 3 years, through the implementation of the NDPR. You will recall that Nigeria participates in the Common Thread Network (a network of the data protection authorities of Commonwealth nations). Interestingly, the country is currently a full member of the Network of African Data Protection Authorities (NADPA). Nigeria currently holds the position of Vice-Chair, of the Africa Union’s Policy and Regulatory Initiative for Digital Africa (PRIDA).  All these are platforms through which we can advance the cause of data privacy and protection, not only in Nigeria but also around the world. If your data is safe in your country you need to be sure that your trading partners also have an adequate level of data protection. Otherwise, the whole idea will suffer avoidable setbacks. The biggest challenge in this area is getting the commitment of everyone to, at least, take significant measures towards ensuring data protection.

What steps do you think African regional institutions can take to put the continent on the global digital economy?

Three steps are actually needed. The first step is for them to re-engineer regional digital economy framework just like the European Union (EU) did. Africa’s population is about 1.4 billion data subjects strong. This is a huge market for big data. Effective collaboration in terms of regulation can change the rule of the game globally.  The second step is for them to invest in people. Digital economy is otherwise known as knowledge-based economy. In effect, we need to invest in human capital development. India, for instance, is a choice destination for data processing. Africa is even closer to the home of the big data processors and controllers than India is. A significant number of our youths literally trek, swim or paddle to Europe. With the requisite knowledge, they can work for the same companies and people they are risking their lives and dignity to get across to physically. The third step is for them to embrace the need to invest in infrastructure. The importance of these three areas cannot be gainsaid if we are to make a bold appearance on the global digital economy map.

Kindly discuss the pathway for Nigeria to develop model data governance framework in Africa.

Recall we earlier cited a World Development Report 2021 which harped on Value, Trust and Equity. To achieve this, we are putting measures in place to hold data controllers accountable on the principles of data processing. We are ensuring that data are processed lawfully and legitimately, and that data controllers are mindful of purpose limitation, data minimization, data security, data integrity, and storage limitation.  Our approach to this is to have a developmental framework on data protection.  A critical component of this framework is a Data Protection Act. We are working on the bill now. In order to make this a model, we are bringing stakeholders together through focus group discussion, policy dialogue and validation workshop. We are also strengthening our public private partnership compliance model. The DPCOs is being studied by data protection organization.  Soon, we will unveil our data governance networking innovations. These are few in a continuum of measure we are taking in order to become a paragon of excellence in data governance in Africa.

• The Dialogue on Data and Development (DDD) Team of the Centre for the Study of Economies of Africa (CSEA) is led by Adedeji Adeniran (Ph.D.), and other members that include Sone Osakwe, Drusilla David, Kashema Bahago and Kunle Balogun.