Innovations in fintech attract scepticism and jubilation in equal measure. Jubilation because fintech has revolutionised the provision of and access to financial services; financial inclusion has deepened and the cost of financial transactions has arguably fallen through the adoption of technology. Scepticism is brought about by fintech’s real, imagined, and potential challenges: cybersecurity threats, unreliable or unstable technology, threats to privacy and threats of algorithmic bias and discrimination, to mention but a few. The threat to privacy and data protection has in the recent past necessitated legislative reforms around the world on how the application of technology, and indeed any public or private operation, makes an incursion into an individual’s fundamental rights and freedoms. The discussion below focuses on the threat to the right to privacy and data protection.
31 African countries have enacted data protection laws; many of which are said to borrow heavily from the text of the European General Data Protection Regulation (GDPR) that came into operation in 2018. The EU GDPR demands an overhaul of how public and private enterprises process personal data. The overhaul includes restructuring that ensures organisational and technical measures to comply with the GDPR. Under the GDPR, processing of personal data is to be done for clearly set out legitimate purposes, taking into consideration an individual’s data protection rights and paying attention to universal principles of data protection. Breach of the GDPR attracts stiff financial and administrative penalties.
Data protection principles include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability when processing an individual’s personal data. An individual’s data protection rights include the right to information, the right of access, the right of erasure, the right to restriction of processing, the right of rectification, the right to data portability, and the right not to be subjected to decisions based solely on automated decision making. The EU, being one of the largest trading partners for African States, has been on a mission to ensure that countries around the world adopt the GDPR model, in the hope that these countries will be beneficiaries of an ‘adequacy decision’ from the EU, which in effect would ensure unfettered data flows.
Recently, China, arguably Africa’s biggest trading partner, has enacted the Personal Information Protection Law (PIPL). Several States in the US have also set out data protection laws. It is apparent that the enactment of data protection laws is gaining traction across the globe. Nonetheless, it is the GDPR that is somewhat being used as the ‘gold standard’.
Borrowing from the EU is, however, not reflected in the implementation of these laws in African countries. While the EU has a robust common approach to data protection regulation, African countries are disjointed in how they implement these laws. For example, some countries have data protection authorities while others don’t, and even some of those with data protection authorities do not give them adequate independence or funding. This is not to say that all EU data protection authorities are well funded, but they at the very least enjoy some measure of independence. Another example of the disjointed African approach is South Africa requiring the registration of information officers/data protection officers with the regulator, while in Kenya an institution only needs to publish the contact details of its data protection officer on its website and communicate the details to the regulator. The Kenyan law assumes that all institutions have a website.
A disjointed approach towards regulation of data protection in the continent poses great challenges in the regulation of personal data protection in all sectors both public and private. It is disadvantageous for business and crucially provides a weak protection mechanism for individuals around the continent who must contend with the different regulatory frameworks in different countries. The cost of doing business escalates and the speed of innovation slows down as businesses seek to comply with different regulatory frameworks on the same issue. To illustrate, an innovation in fintech would have to be tweaked depending on the regulatory regime it needs to comply with. Were a common continental regulatory framework in place, the interoperability of these laws would be somewhat seamless and ease the cost of doing business.
While challenges relating to data protection regulation may cut across different sectors, the discussion below delves into the financial sector generally, the challenges faced in the industry and proposals to overcome them. What is instructive from the outset is that a common continental approach towards data protection may not be forthcoming anytime soon.
The first challenge is the lack of public education and awareness on privacy and data protection rights. While data protection authorities have a primary role in ensuring that the citizenry are well educated on their privacy rights, these authorities lack the resources and technical know-how to execute countrywide public education schemes. Often, institutions have to borrow a leaf from the EU GDPR compliance mechanism to decide how to comply with data protection regulations within their home countries. In view of the need for interoperability of data protection laws, it is important that data protection authorities provide a step-by-step framework for full compliance with data protection regulations. However, the focus should also be on making certain that a large portion of the population is well versed in their privacy and data protection rights. This is especially crucial in the financial sector, where uninformed customers fall prey to cybersecurity and financial fraud scams.
The second challenge to the financial sector is that, with the enactment of data protection laws, banks must contend with multiple regulators. To illustrate, in Kenya, while the Data Protection Act, 2019 provides for protection of the right to privacy of a data subject (the bank customer in this case), the Central Bank of Kenya Prudential Guidelines for Institutions Licensed Under the Banking Act provide that “directors, chief executive officers and management must take precaution to protect the confidentiality of customer information and transactions”. Thus, the question arises whether a breach of confidentiality of a customer’s information would be handled by both the Central Bank and the Office of the Data Protection Commissioner, or by only one of them.
Still on multiple regulators, the question arises of the collaboration, or lack thereof, between data protection authorities and competition authorities. Where the processing of personal information/data is a cause of unfair business practices, would both the data protection regulator and the competition authority be involved? And during merger and acquisition processes, where data protection impact assessments ought to be carried out, what would be the roles of the two regulators? These are questions that are not addressed by any of the data protection statutory frameworks around the continent.
The third challenge is the need for the formulation of industry-specific guidelines. Different data protection laws around the continent empower the data protection authorities to work with different sectors to craft data protection guidelines specific to that sector; for example, data protection guidelines for the financial industry and guidelines for fintech innovations. Sector- or industry-specific guidelines pay attention to the nuanced approaches each sector adopts when processing personal data.
The fourth challenge is how to deal with international data transfers. Without a uniform approach to data protection regulation across the continent, institutions wishing to transfer personal data across jurisdictions are faced with different regulatory frameworks. This also creates a risk of being cited for violating data protection laws when carrying out international data transfers. No African country has yet issued an ‘adequacy decision’ in favour of another African state to ensure the free flow of personal data. Also, are institutions using standard contractual clauses or binding corporate rules in the absence of ‘adequacy decisions’?
The fifth challenge is how to deal with different vendors across the continent, and more specifically cloud service providers. Africa does not yet have the capacity to adequately host cloud services exclusively within the continent. This means that institutions have to rely mostly on public cloud services that may, as a matter of fact, not be compliant with country-specific data protection laws, a potential legal risk to these institutions. Hence, this is both an infrastructure and a legal issue.
Lastly, many institutions are facing the challenge of insurers within the continent being hesitant to insure against data protection risk. For one, insurers indicate that they do not understand the risk well enough to carry out an actuarial audit properly. Two, the insurers themselves may not be compliant with data protection regulations.
While this article’s aim was not to provide concrete solutions to the challenges in data protection regulation around the continent, it does raise pertinent issues on the need for a common approach. As we await this common approach, fintech providers and the financial industry should ensure that they are well versed in the data protection laws of the countries in which they operate and have put in place organisational and technical measures to comply with those laws.