Posted: 28 January, 2026 Filed under: Hlengiwe Dube | Tags: Access to Information, African Commission on Human and Peoples’ Rights, and sustainable development, data protection authorities, democratic governance, digital age, digital infrastructure, Digital Transformation Strategy For Africa, dignity, e-government systems, freedom of expression, Guidelines for Integrating Data Provisions into Protocols on Digital Trade, human dignity, international human rights framework, International Privacy Day, Malabo Convention, private life, public participation, The Declaration of Principles on Freedom of Expression and Access to Information in Africa
Author: Hlengiwe Dube
Senior digital rights and policy expert
Each year, International Privacy Day invites reflection on the protection of personal data, particularly as the world becomes increasingly digitised. In Africa, this reflection takes on renewed and specific urgency. Governments, corporations, international agencies, and other actors are accelerating digital transformation, through biometric identity systems, AI-driven public services, fintech platforms, and expanding surveillance infrastructures, among other initiatives. Consequently, privacy is emerging as a technical concern and at the same time, a core democratic and human rights imperative.
Privacy underpins freedom of expression, access to information, public participation, human dignity, and other human rights. This understanding is firmly embedded in the African and international human rights framework. Although the African Charter on Human and Peoples’ Rights does not explicitly reference privacy, the African Commission on Human and Peoples’ Rights (ACHPR) has consistently interpreted the Charter as protecting private life, dignity, and personal autonomy. In the digital age, these protections take on renewed and enhanced significance.
Normative Progress
Africa has made notable progress in establishing continental data protection norms. The African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) is the continent’s primary binding instrument on data protection and cybersecurity. It provides a shared legal foundation for member states by articulating core principles such as lawful, fair, and transparent processing of personal data; informed consent; purpose limitation; data security safeguards; and the rights of data subjects. The Convention promotes cross-border cooperation and harmonisation of laws, and situates data protection in the context of broader concerns of digital security, economic development, and trust in the digital economy. In terms of institutional oversight, it calls for the establishment of independent national data protection authorities. While its ratification and domestication is uneven, the Malabo Convention nonetheless represents an important normative milestone, signalling continental recognition that protection of personal data is integral to human rights, democratic governance, and sustainable development and digital transformation in Africa.
Beyond the Malabo Convention, the African Union has developed a suite of complementary instruments and initiatives to strengthen data protection, privacy, and governance across the continent. The African Union Data Policy Framework (2022) provides a comprehensive blueprint for responsible data collection, management, sharing, and use, embedding principles of privacy, human rights, ethics, and cross-border interoperability while guiding member states in aligning national laws with continental standards. Building on this, the Guidelines for Integrating Data Provisions into Protocols on Digital Trade (2025) operationalise data protection and privacy in digital trade and e-commerce agreements, ensuring that cross-border data flows support economic integration while respecting human rights and secure governance. The Digital Transformation Strategy For Africa (2020-2030), promotes harmonised national cybersecurity policies, digital identity safeguards, and cross-border information-sharing protocols while incorporating data protection principles, particularly concerning critical digital infrastructure and e-government systems.
These initiatives are complemented by the AU’s broader strategies on cybersecurity, digital transformation, and AI ethics, as well as sectoral frameworks like the African Medicines Agency’s data governance provisions; Together, they signal a growing multi-layered continental approach in which binding conventions, policy frameworks, technical guidelines, and sectoral strategies converge to embed data protection, privacy, and accountability at the heart of Africa’s digital and economic transformation.
The African Commission on Human and Peoples’ Rights (ACHPR) is also contributing to shaping digital rights standards. Resolution 362 (2016) on the Right to Freedom of Information and Expression on the Internet in Africa affirmed that the same rights enjoyed offline must be protected online, including the right to privacy. The Declaration of Principles on Freedom of Expression and Access to Information in Africa (2019) went further, explicitly recognising personal data protection as foundational to democratic participation, accountability, and transparency in digital environments. Through Principles 40–42, it affirms the right to privacy, including the confidentiality of communications and protection of personal information, explicitly recognising anonymity, pseudonymity, and the use of encryption as essential safeguards in digital environments, and warning against blanket measures such as backdoors or data localisation unless strictly justified under international human rights law. It places firm limits on state surveillance by prohibiting indiscriminate and untargeted interception, permitting only narrowly tailored, lawfully authorised surveillance subject to judicial approval, due process, transparency, notification, and independent oversight. Crucially, the Declaration requires states to adopt comprehensive legal frameworks for personal data protection grounded in consent, lawfulness, purpose limitation, data minimisation, accuracy, transparency, and security, while guaranteeing data subject rights to information, access, objection, rectification, erasure, portability, breach notification, and effective remedies. By also mandating independent oversight bodies and criminalising harmful data practices such as the non-consensual sharing of intimate images, the Declaration explicitly links data protection, privacy, and surveillance governance to democratic accountability, human dignity, and the protection of civic space in Africa’s digital transformation.
At sub-regional level, regional economic communities have developed data protection and cybersecurity frameworks that, although they predate the Malabo Convention, significantly complement it. In the Economic Community of West African States (ECOWAS) region, the Supplementary Act on Personal Data Protection (2010) is one of the earliest and most comprehensive regional instruments, establishing principles for lawful processing, data subject rights, cross-border data transfers, and the creation of national data protection authorities, and it has strongly influenced national some of the national data protection laws. In the Southern African Development Community (SADC), the Model Law on Data Protection (2013) provides non-binding but influential guidance to member states. It sets out minimum standards on consent, accountability, security safeguards, and regulatory oversight, while allowing flexibility for domestic adaptation. It is complemented by the SADC Model Law on Cybercrime and Computer-Related Crime. In the East African Community (EAC), the EAC Framework for Cyberlaws (2013) and subsequent regional strategies encourage harmonisation of data protection, electronic transactions, and cybersecurity laws, and have informed national data protection regimes in that region.
There have been developments aimed at revising or strengthening the ECOWAS and EAC data protection and digital governance frameworks to better reflect technological changes, harmonise laws, and prepare for cross-border data flows and enforcement. Member states and the ECOWAS Commission have initiated a formal revision process of the Supplementary Act to update the Act and enhance regional data harmonisation, including issues like cross-border data flows and institutional roles, reflecting the need to align with emerging technology and international standards. The EAC has validated a regional Data Governance Policy Framework (2024) that moves towards harmonising norms across member states and aligning with continental data strategy principles. Under the Eastern Africa Regional Digital Integration Project (EARDIP), is an ongoing initiative led by the East African Community (EAC) in partnership with the Intergovernmental Authority on Development (IGAD) and supported by the World Bank. Its technical working groups are actively drafting a regional legal framework on data protection and cybersecurity to support secure cross-border data flows and a single digital market, signalling ongoing development beyond the original EAC cyberlaws. In 2025 there were joint implementation support missions, technical working group meetings on regional data protection and cybersecurity frameworks, consultations on cross-border roaming and connectivity barriers, and steps toward harmonising digital payment systems
These continental, sub-regional, and AU-driven initiatives demonstrate a remarkable normative consolidation of data protection and privacy in Africa. However, despite this ambitious normative landscape, the gap between principle and practice is still wide. Many states struggle with under-resourced authorities, uneven enforcement, limited public awareness, and the rapid deployment of data-intensive systems without meaningful human rights or privacy impact assessments. These persistent gaps demonstrate the urgent need to strengthen institutional capacity, promote accountability, and ensure that data protection is a lived reality, particularly for vulnerable and marginalised communities who bear the brunt of rights violations in Africa’s accelerating digital transformation.
AI, Surveillance, and the Expansion of State and Corporate Power
Despite Africa’s legal and normative frameworks, the rapid adoption of AI, automated decision-making, and surveillance technologies is testing these protections in practice. As states and corporations deploy algorithmic governance, biometric systems, and large-scale data analytics, risks of opacity, discrimination, and exclusion rise. This signifies an important point: privacy and data protection are not barriers to innovation, they are foundations for accountable, rights-respecting, and democratic governance.
Artificial intelligence (AI) and automated decision-making systems are increasingly being incorporated in governance across the continent, from social protection and border management to policing, content moderation, and public service delivery. Various analyses and expert studies on AI and emerging technologies generally caution that, without effective accountability frameworks, these systems risk entrenching discrimination, opacity, and exclusion. There are several examples that illustrate these risks. In Kenya, biometric fraud enables criminals to carry out unauthorised mobile financial transactions using others’ fingerprints, highlighting vulnerabilities in AI-driven identity systems. Also, the Kenyan Data Protection Commissioner, suspended Worldcoin’s biometric digital ID operations in 2023 due to privacy concerns. In the case of Uganda, Kampala’s “Safe City” initiative deployed over 1,800 CCTV cameras with facial recognition, which raised fears about political surveillance and deep integration across government agencies. In South Africa, facial recognition and other biometric systems have raised questions about accuracy, bias, and potential misuse of centralised identity data.
Surveillance practices raise parallel concerns. The ACHPR has repeatedly emphasised that state surveillance measures must comply with the principles of legality, necessity, proportionality, and independent oversight. Resolution 473 (2020) warned of the growing deployment of interception technologies, spyware, biometric surveillance, and data analytics without sufficient safeguards, creating systemic risks for privacy and other fundamental rights. Resolution 573 (2023) explicitly condemns mass and unlawful targeted communication surveillance, warning that indiscriminate interception, spyware, biometric surveillance, and data analytics without adequate safeguards create systemic risks for privacy and fundamental rights across Africa. These concerns resonate globally. Article 17 of the International Covenant on Civil and Political Rights (ICCPR) protects the right to privacy, while successive reports of the UN Special Rapporteur on the right to privacy have cautioned against mass surveillance, data exploitation, and unregulated AI use in public decision-making. Together, African and international standards make clear that privacy is not an obstacle to governance, but a precondition for legitimate and accountable state power.
Digital Public Infrastructure and the Political Economy of Data
Seen together, the expansion of AI-driven governance and surveillance practices points to a deeper structural shift in how states exercise power in the digital age. These technologies are not deployed as stand-alone tools. They are integrated in the foundational systems through which governments collect data, allocate resources, verify identity, and deliver services. It is in this context that Digital Public Infrastructure (DPI) is emerging as a central, yet under-interrogated, site of political, economic, and rights-based contestation. In Africa, governments are investing heavily in DPI. National digital identity systems, interoperable health records, biometric voter registers, and integrated social protection platforms are presented as the backbone of efficient, inclusive service delivery and state modernisation. Zambia’s Integrated National Registration Information System (INRIS) is digitising civil registration and biometric IDs to expand access to services, with nearly 1.5 million adults enrolled and institutional design safeguards being prioritised in early phases of the DPI lifecycle. South Africa has officially joined the Digital Public Goods Alliance and the 50-in-5 campaign, signalling a commitment to safe, inclusive, and interoperable DPI that supports secure and equitable delivery of government services. DPI is also taking shape through platforms for citizen services, digital ID integration, and data exchange across sectors such as health and education.
However, DPI is not a neutral technical project. Decisions about system design, data collection, interoperability, and access are inherently political, with far-reaching implications for privacy, equality, and democratic accountability. In the absence of sound safeguards for data protection, transparency, and oversight, DPI risks replicate, and in some cases amplify, existing inequalities. Systems intended to expand access to services can instead become instruments of exclusion, mass surveillance, and consolidated political control.
African human rights standards reflect these concerns. The ACHPR 2019 Declaration of Principles on Freedom of Expression and Access to Information in Africa affirms that data governance frameworks must support transparency, accountability, and public participation. The ACHPR also has emphasised that data-intensive technologies deployed without oversight pose structural risks to privacy and democratic governance. Principles embedded in these frameworks converge with ACHPR Resolution 620 (2024), which recognises that equitable access to data, including statistics, research findings, and public datasets, is essential for transparency, accountability, and inclusive participation in the digital age. Therefore, a privacy-centred approach to DPI requires confronting foundational governance choices about how public data is defined, collected, reused, and controlled. It demands clarity on whose interests shape system design, whether those of citizens, private vendors, or security agencies, and the establishment of effective mechanisms through which individuals can challenge exclusion, correct errors, and seek remedies for abuse. An accountable data governance has a clear purpose limitation, citizen-centred system design, and enforceable mechanisms that allow individuals to challenge exclusion, errors, and misuse of their data.
As African states digitise public administration, service delivery, elections, and public finance, democratic accountability increasingly depends on access to data. Yet many DPI ecosystems operate behind opaque data regimes, shielded by national security claims, weak access-to-information laws, or proprietary vendor contracts. This opacity undermines oversight, restricts civic participation, and erodes trust in digital states.
These dynamics reflect concrete governance choices about how DPI is structured and governed: who controls public-sector data, which institutions have access to it, what information is disclosed or withheld from the public, and how private vendors are integrated in core state systems. They also reflect decisions to privilege national security exemptions, proprietary contracting, or administrative efficiency over transparency, public participation, and accountability. Instead of treating digital governance as a generic technical challenge, it is therefore essential to interrogate the political economy of data in Africa. DPI generates vast quantities of public-interest data, yet control over that data is often highly centralised. The public, journalists, researchers, and civil society actors frequently face barriers to accessing the information necessary to scrutinise public systems, while private vendors retain privileged control over analytics, algorithms, and core infrastructure. In this context, Africa’s increasing investment in DPI carries sharply divergent implications. Depending on how data governance is structured, these systems may expand citizen empowerment and public accountability, entrench unchecked executive authority, or devolve into costly “white elephant” projects that primarily serve the commercial interests of extra-African technology suppliers.
The ACHPR has begun to confront this tension. Resolution 620 recognises data as information and as a strategic economic and governance asset, which is foundational to AI development, healthcare innovation, agriculture, and financial inclusion. However, as data’s value increases, control over it is consolidating in the hands of two dominant actors: states, through digital identity systems and surveillance infrastructures; and multinational technology firms, through platform dominance, cloud services, and proprietary analytics. This dual concentration of power creates intersecting risks for privacy, democracy, economic justice, and sustainable development. Without enforceable safeguards, meaningful oversight, and benefit-sharing mechanisms, DPI risks entrenching new forms of dependency and exclusion, echoing concerns around “data colonialism.” Therefore, reclaiming DPI as a democratic project requires deliberate institutional design. Privacy-respecting DPI must be built on principles of data minimisation, purpose limitation, auditability, and user agency. Algorithms and data flows must be subject to independent scrutiny, while oversight mechanisms, including legislative technology committees, empowered data protection authorities, and participatory public review processes, are essential for legitimacy and trust. Access to public-interest data should be understood as a democratic safeguard, not a threat.
Cybersecurity Through a Human Rights Lens
The concentration of data and digital power within DPI ecosystems also reshapes how security is defined and exercised in the digital state. As governments seek to protect critical digital infrastructure and manage cyber risks, security concerns are increasingly used to justify expansive technical and legal interventions into data flows, communications, and digital systems. This makes cybersecurity a central site where questions of power, accountability, and rights converge. Cybersecurity is often framed narrowly as a matter of national security or technical resilience. Yet international standards increasingly recognise that cybersecurity and human rights are interdependent. The UN General Assembly has affirmed that human rights apply fully in cyberspace, while UN processes on responsible state behaviour emphasise respect for international law in securing digital infrastructure. In Africa, cybercrime laws and security frameworks frequently expand surveillance and interception powers without corresponding safeguards. This has produced a growing accountability gap, with disproportionate impacts particularly on journalists, human rights defenders, activists, and communities with limited digital literacy or political power.
Reclaiming Privacy as a Public Value
The expansion of surveillance, cybersecurity measures, AI systems, and data-intensive public infrastructure reveals a common fault line: privacy is too often treated as an obstacle to security, efficiency, or innovation rather than as a condition for legitimate governance. This framing is analytically flawed and normatively problematic. Without privacy safeguards, digital governance systems undermine trust, weaken accountability, and deepen existing inequalities. International Privacy Day should therefore prompt a shift in how privacy is understood and operationalised across the continent. Privacy must move beyond compliance-driven rhetoric and be reclaimed as a public value that is central to democratic governance, social justice, and sustainable development in Africa’s digital future.
Reclaiming privacy in this way requires concrete institutional and policy commitments, including:
- Integrating privacy-by-design principles and human rights impact assessments into DPI, AI, and cybersecurity systems;
- strengthening the independence, capacity, and enforcement powers of data protection authorities, in line with international and regional standards;
- ensuring transparency, legality, and effective oversight of surveillance practices, consistent with with international and regional standards;
- centring the lived experiences of vulnerable and marginalised groups in data governance and digital policy debates; and
- aligning national digital governance frameworks with continental and international human rights obligations.
Conclusion
Africa’s digital future will be shaped by innovation, connectivity, and also governance frameworks, norms, and values that guide data, technology, and power. Privacy therefore sits at the intersection of data protection, AI governance, cybersecurity, and democratic resilience, and serves as a safeguard and a lens through which accountability and human dignity can be realised.
The significance of International Privacy Day lies in the urgent call to Africa to translate its growing body of continental and sub-regional standards into concrete, enforceable protections that constrain abuse, strengthen democratic accountability, and ensure that digital transformation serves the public interest, not the other way around. Only by incorporating privacy as a foundational public value can the continent secure a digital future that is inclusive, equitable, and rights-respecting.
About the Author:
Hlengiwe Dube
is a senior digital rights and policy expert with extensive experience advancing rights-respecting governance for emerging technologies in Africa. She has contributed to continental digital rights norms and led multi-stakeholder initiatives on data protection, digital inclusion, and AI governance. She provides research, policy guidance, and capacity-building on digital rights and governance. She holds an MPhil in Human Rights and Democratisation in Africa.
