Booming African E-commerce Lacks Shopper Data Protection
African E-commerce Awakening
E-commerce in Africa has increased, with the market size amounting to US$ 277.1 billion in 2023. The fast-growing market size, estimated at 3.2 billion users in 2029, is mainly driven by enhanced shopping experiences tailored to consumer preference and choice, an increasing number of internet users, and the accessibility and affordability of mobile phones. Businesses can access and reach new markets and reduce operational costs while conveniently affording consumers a wide selection of goods and services at lower prices. E-commerce allows women, the youth, and other marginalized groups to actively participate in economic growth as the playing field is fairer.
With global revenue projected to reach US$ 3,178 billion in 2024, e-commerce is disrupting and revolutionizing the trade industry. In Africa, the growth is attributed mainly to the young demographic and the widespread use and adoption of mobile phones. While the growth has been phenomenal, data privacy has undoubtedly become a primary concern among consumers due to the widespread cybersecurity attacks and fraud.
The risks associated with the availability of vast amounts of data have become profound in recent years, opening up a Pandora’s box of privacy issues. Businesses have veered off from the initial intended use and are now profiting from selling personal data. Governments tend to misuse data from businesses on grounds of investigation and national security, further exposing consumers to vulnerabilities such as fraud and identity theft.
Safeguarding Information
The regulation, use, and protection of sensitive information such as personal identification details, financial information, medical records, and online activity have given rise to the enactment of laws across the continent. However, while the African Union Convention on Cyber Security and Personal Data Protection was developed in 2014, it is yet to be ratified. The East African Community (EAC) adopted its cyber laws in 2008, while the Economic Community of West African States (ECOWAS) developed a 2010 Supplementary Act on Personal Data. With digitalization around e-commerce expected to expedite cross-border trade exchanges, there is an urgent need for regulatory sanity in safeguarding data and private information.
Recently, the African Continental Free Trade Area (AfCFTA) finalized the Digital Trade Protocol, aimed at establishing harmonized rules, common standards, and principles for digital trade. It provides for cross-border transfer of data, with exceptions made for legitimate public policy objectives. Africa’s lack of harmonized and simplified laws has seen conflicting interests arise among businesses and consumers, impacting cross-border e-commerce. Stringent data protection laws restrict businesses from accessing new markets, while the lack of personal data protection leads to consumer mistrust and reduced confidence in e-commerce. Striking a balance between these overriding interests is critical in promoting and safeguarding e-commerce within Africa.
Fragmented legal and regulatory landscape
African countries are evidently at different stages in formulating and adopting data protection laws. As of 2024, 36 nations have a data protection regulatory framework, although some lack enforcement criteria due to a lack of necessary agencies. As of 2020, 15 of the 32 countries that had data protection frameworks lacked data protection enforcement authorities, in addition to diverging national approaches.
Some regulatory frameworks in certain countries restrict cross-border data flows through data localization provisions. In Nigeria, for instance, the protection of personal data is prioritized. In Kenya and South Africa, cross-border data flow is permitted only upon fulfilling specific requirements. The Kenyan Data Protection Act of 2019 expressly sets out the conditions that must be met to transfer data internationally.
An inclusive and collaborative approach
To build online consumer trust, businesses must adopt practices and develop internal policies that safeguard consumer data. The modes through which they collect data should be transparent. Rejection options on websites should be included to ensure consumers have control over the data that is being collected and processed. The intended use of that data should be communicated to consumers while penalties should be imposed for businesses and organizations that depart from the original intended use.
Policies and legislation should contain provisions that regulate data retention practices. Data protection laws should include a comprehensive provision detailing timelines for retaining consumer data and disposing of the data in case of inactive use. It is crucial that organizations comprehensively stipulate the safeguards they have put in place to ensure consumer data protection during the retention period. Best practices such as notifying users of the timelines within which their data will be retained should be embraced as they allow consumers to make informed decisions by analyzing the potential risks associated with keeping that data.
Data protection safeguards within organizations should be stipulated and enforced. Businesses should ensure that their data is encrypted to minimize risks of breach. Collecting and retaining only minimal data reduces the risks of fraud and cyber security attacks associated with large-scale data storage. Security measures such as regular patching for updated and secure software, testing systems against unknown exploits, enabling multi-factor authentication, notifying users when security settings have changed, and empowering users to avoid default passwords should be adopted by businesses online.
Data localization in some regulatory frameworks could be a hindrance to trade among African countries. The high compliance, safety, and security costs associated with storing data locally affect small and medium-sized companies with minimal resources. Foreign Direct Investment is also discouraged under regional trade blocs such as ECOWAS, COMESA, EAC, and AfCFTA due to the strict compliance requirements. As such, data sharing and interoperability should be enshrined in the competition protocols within regional trade blocs. Competition authorities should also ensure a harmonized and binding framework that enhances the right to data access, portability, and fair and reasonable usage. This is essential in promoting competition, quality goods and services, fairness, and market access for small and medium-sized firms. The frameworks should, however, ensure that consent is acquired from data subjects.
A collaborative approach allows a dynamic and adaptive regulatory model that caters to different interests equally. Data regimes that don’t support trade could stifle the economic growth of a country, exacerbating poverty, unemployment, and inequality. At the same time, a model that allows the open flow of data could impose risks to a country’s security, affecting its economy. A robust e-commerce market in Africa can thus be realized when data exploitation for commercial use is in tandem with consumer personal data protection.