
Cases in Kenya and Ghana expose gaps

Across Africa, agricultural producers are turning to digital solutions to obtain information about farming methods, market access or financial services. By 2022, the continent had 666 such solutions, the highest number of any low- and middle-income region.

Advances in digital devices such as smartphones, sensors and satellites, connected via the internet and combined with big data analytics, are enabling solution providers to collect and analyze large amounts of farm data. This includes data about the farmer, the business site, operations and commercial transactions.

This has raised the possibility that service providers or other third parties may use farm data for their own benefit without the knowledge or consent of farmers, possibly even to the farmers' detriment. There is therefore a need to find a balance between protecting farm data and using it effectively.

African regulators have yet to address the specific challenges of protecting agricultural data. This is a complex issue, at the intersection of different regulatory frameworks: data protection laws, contract and competition laws, and intellectual property rights. As a result, data exchange between agricultural producers and companies is often left to service providers through unregulated agreements or contracts.

Personal data protection

Our research focuses on the adoption and impact of digital technologies in African agriculture. We recently reviewed the state of data protection and compliance of digital agricultural services with existing regulations on the continent.

We found that relevant laws were being passed across Africa, but their provisions were not always in line with African Union standards. Compliance was also limited, underscoring the need for enforcement and awareness.

The only regulatory framework that offers farm data any protection, even though it does not cover farm data specifically, is the one for personal data. African countries adopted the African Union Convention on Cybersecurity and Personal Data Protection in 2014 as a guiding framework. The convention has not yet entered into force, and as of July 2024, only 15 countries had ratified it.

Our findings show that African governments recognise the importance of regulating the use of personal data. However, not all regulations are rigorous enough and enforcement remains a concern.

More specifically, we analyzed the data protection laws that had been adopted in 34 African countries by May 2023 and compared their provisions with those of the African Union Convention. We also assessed compliance by reviewing the data privacy policies of 106 digital agriculture services operating in Africa.

National law is evolving

The examples of Kenya and Ghana highlight common gaps in regulation and implementation. These two countries are among the largest users of digital agricultural services in Africa.

Ghana was one of the first African countries to adopt a personal data protection law in 2012 and is one of the few to have signed and ratified the AU Convention. Kenya adopted a data protection law in 2019. It has not signed or adopted the AU Convention.

Their laws incorporate all the guiding principles of the Convention and protect the same personal rights as almost all national laws in Africa.

The differences come in the details. One particularly interesting provision concerns automated decision-making. Digital agricultural services are increasingly using automated data analysis. For example, mobile phone data is being used to assess farmers’ creditworthiness, smart contracts use blockchains, and weather data can automatically trigger crop insurance payments.

The AU Convention states that no one should be subject to legally binding decisions based solely on automated processing of data to assess certain personal aspects. Kenyan law allows for some exceptions to this principle. Ghana is even less strict, allowing automated decision-making provided users are informed. The vast majority of African countries have either less stringent laws on this matter than the AU Convention, or no requirements at all.

Another important area is the international transfer of data. Many digital agriculture service providers operate in different countries: data can be collected in one country and processed or used by third parties in another. The AU Convention allows such transfers, but only if non-member countries can demonstrate an adequate level of protection or a national authority has expressly authorised the transfer.

Kenyan legislation generally follows the spirit of the AU Convention, but also elaborates on the details. It allows for appropriate safeguards to be introduced at the company level, rather than at the government level. It also introduces detailed provisions regarding sensitive data. On the other hand, Ghanaian law does not specifically address international data transfers. It provides that transferred data is subject to the legal requirements of the country of origin.

Low compliance levels highlight enforcement issues

Our research shows that among the leading countries in digital agriculture solutions, Ghana has the highest percentage of providers that do not publish data privacy policies on their websites (17 out of 30 service providers reviewed). In Kenya, too, we found that compliance is low, with just over half of services not providing policies on their websites.

Where policies exist, our analysis shows that most of them do not protect the rights of all users to their personal data as national laws require. The right of users to object to the processing of their data was the one most often missing.

Looking to the future: strengthen laws and institutions

The adequacy of data protection laws in Africa requires a closer look. Our research has identified some priorities for action.

To ensure the level of protection provided for in the AU Convention, many African laws need to be amended.

The example of Ghana shows how important it is to adapt regulations to rapidly developing digital technologies, such as automated decision-making.

National enforcement agencies need to be stronger. This requires an independent body with resources to monitor compliance and statutory powers to track violations.

There is also a need to regulate the use of agricultural data not covered by data protection regulations, in particular data generated by machines or sensors.