Data protection experts have called for urgent harmonisation of fragmented data privacy laws across Africa to address risks linked to artificial intelligence (AI) and cross-border data flows.
The call was made during a webinar on “The State of Data Privacy in 2025: Trends, Challenges, and Best Practices” hosted on Wednesday by Digital Jewels Africa, an afro-centric IT Governance, Risk and Compliance (GRC) Consulting & Capacity Building firm in Africa.
Speaking at the webinar, Oscar Otieno, Kenya’s Deputy Data Protection Commissioner, says conflicting laws stifle innovation.
According to Appiah, “the challenge now is we are focused on the institutions sharing the data, but I don’t think we have placed enough focus on really the person at the centre of open banking, which is the data subject. How can the data subject transparently know what data is being exchanged, and whether or not they have opted in or opted out of some or all that data being exchanged?”
Experts flag lack of harmonisation among data privacy laws in Africa
“Yesterday,” Otieno tells attendees at the webinar, “I attended a conference where one bank was talking about how it has presence across East, Central, maybe in some parts of Southern and Western Africa. You see, this kind of a bank is transferring data across multiple jurisdictions. In all these jurisdictions, you realise that there are different laws… there are still some messes here and there where there are differences. So, the number one thing I would say is there is a lack of harmonisation between these various data protection laws.”
According to Otieno, before continent-wide harmonisation is reached, there has to be talks of “harmonising the laws within our regions.
“Probably we harmonise the laws across the course. We look at it at SADC, we look at it at East Africa level. It is from that point that then we can now start having that conversation of harmonising the Africa laws.”
Nigeria is spearheading collaboration through initiatives like the Network of African Data Protection Authorities (NAPDAC) conference, held in Abuja from May 6–8, 2025.
Dr Tolulope Pius-Fadipe, Head of Research at Nigeria Data Protection Commission (NDPC), says the upcoming event focuses on balancing innovation with privacy in emerging tech.
She reveales that the NDPC will host 30 DBAs [Data Protection Authorities] from all over Africa coming together to discuss the issue of AI and privacy hurdles.
Nigeria’s 2023 Data Protection Act requires all 500,000 data controllers to appoint certified Data Protection Officers (DPOs), but only 5,000 existed initially. Fadipe says the NDPC’s first certification exam in March 2024 qualified 500 professionals. The agency has also planned free public-sector workshops to address the skills gap.
While AI adoption grows, experts flagged consent and bias risks. Francis Appiah, COO of Ghanaian fintech ExpressPay, criticised opaque credit-scoring algorithms.
“We have systems that can check my LinkedIn profile, my Facebook profile, look at my TikTok, if I have one, go across my banking information, have access to my phone number, with all wallets, pass all that information and come up with what I’m going to credit-score,” Appiah says.
“At what point did I give consent to this automated credit scoring system to take all this information? Are data subjects aware of where all their data resides? Are they aware of the different systems that are accessing all this data to come up with these credit scores?”
According to Appiah, “the challenge now is we are focused on the institutions sharing the data, but I don’t think we have placed enough focus on really the person at the centre of open banking, which is the data subject. How can the data subject transparently know what data is being exchanged, and whether or not they have opted in or opted out of some or all that data being exchanged?”
Appiah outlines a framework for mitigating risks: talking about people, processed and technology.
“The weak link,” Appiah adds, “boils down to people: those handling data in the enterprise and the data subjects themselves. Financial institutions are now focusing on platforms to continuously train data subjects, controllers, and processors.”
Processes are the policies to protect and standardise information exchange. Global certifications help companies align with best practices.”
Appiah explains that “on the technology front, institutions have increased investment in securing data, whether at rest or in transit.”
Home