Ciara Staunton, Aliki Edgcumbe, Lukman Abdulrauf, Amy Gooden, Paul Ogendi, Donrich Thaldar, Cross-border data sharing for research in Africa: an analysis of the data protection and research ethics requirements in 12 jurisdictions, Journal of Law and the Biosciences, Volume 12, Issue 1, January-June 2025, lsaf002, https://doi-org-443.vpnm.ccmu.edu.cn/10.1093/jlb/lsaf002
ABSTRACT
In recent years, there has been a notable uptake in genomic and health-related research activities across the African continent. Similarly, there has been increased introduction of data protection legislation that affects the sharing of personal data, such as health data and genomic data, including for research. Many of these statutes have stricter requirements when sharing personal data across borders. Consequently, the cross-border sharing of health data, that includes genetic data, requires careful navigation of the pertinent data protection legislation, in particular concerning the sharing of such data for research purposes. To help researchers navigate these legal frameworks, 12 African countries were analysed to develop country guides on cross-border data sharing.
Of the 12 African countries that were analysed, 10 have data protection laws in place (Botswana, Ghana, Kenya, Malawi, Nigeria, Rwanda, South Africa, Tanzania, Uganda, and Zimbabwe), while two countries (Cameroon and The Gambia) do not. (At the time of the study, Cameroon did not have a data protection regulation in place. Law No. 2024/017 on the Protection of Personal Data is now in force.) With the exception of Ghana, all countries with data protection statutes had additional requirements to be met when sharing personal data across borders. Consent and adequacy are the most common grounds for justifying the sharing of personal data across borders.
Given the limitations of the current models of consent, consent is not a suitable basis to transfer large quantities of data for research. Adequacy is a common ground, but there are national differences in the implementation of this ground. Researchers must therefore analyse each national legal framework and make decisions on a case-by-case and country-by-country basis.
I. BACKGROUND
In recent years, there has been a notable uptake in genomic and health-related research activities across Africa, driven in part by the collaborative efforts of national and international consortia such as Human Heredity and Health in Africa (H3Africa), Bridging Biobanking and Biomedical Research Across Europe and Africa (B3Africa), the Public Health Alliance for Genomic Epidemiology (PHA4GE), and the recently established Data Science for Health Discovery and Innovation in Africa (DS-I Africa). This research entails collecting, using, and disseminating genomic and other health-related data, with a significant emphasis on cross-border data sharing. While the collaborative sharing of such data is indispensable for advancing scientific knowledge, it also highlights a host of legal and ethical considerations that demand careful attention.1
Some of these ethico-legal issues relate to the ongoing debates about appropriate consent models for this research. While broad consent enables data to be shared for secondary research purposes more easily, it does not account for the individual preferences of research participants, which may evolve over time,2 and there are also concerns that broad consent may not be permitted under some national data protection legislation.3 Static models of consent do not easily provide for these changing preferences. Accordingly, other models of consent, such as dynamic consent, which uses information technology to enable participants to change and update their preferences, have been proposed as alternatives.4 There are increasing numbers of examples of the successful use and implementation of dynamic consent in high-income countries (HICs) but, to date, there is a paucity of examples in the African context.5
Beyond consent-related issues, there are concerns that the data may be used to stigmatize or discriminate against individuals or their communities.6 The use and sharing of health data that includes genetic data must have processes in place to guard against and mitigate such risks. Concerns about the exportation of samples and data for research stem from past exploitative practices, often referred to as ‘parachute research’. This term describes instances where samples and data were collected in low- and middle-income countries (LMICs) without local oversight and the data were subsequently sent to HICs for research purposes.7
Most recently, however, the greatest attention has been given to the risk to privacy in the use of health data that includes genetic data.8 This heightened awareness and scrutiny is partly due to the introduction of national data protection legislation across the globe that seeks to regulate the processing—including collection, storage, use, and sharing—of personal data, and health data that includes genetic data. Research teams and consortia accessing, using, and sharing health data must now navigate the data protection regulations and consider the impact that these regulations will have on their research.
Similar legislative development in the context of data protection has occurred in Africa. Regionally, there was the introduction by the African Union (AU) of the Malabo Convention (formally known as the African Union Convention on Cyber Security and Personal Data Protection) in 2014 in Malabo, Equatorial Guinea.9 The convention’s primary purpose is to establish a legal framework to promote cybersecurity, cybercrime prevention, and the protection of personal data within the African continent. To date, over 30 African countries have introduced data protection legislation. Therefore, the growth of genomic and health-related research comes at a time when data protection legislation is strengthening across the continent. Such legislation comprises general legal frameworks in that they apply to the processing of all personal data, including health data that includes genetic data, in the research context. The legislation sets out the conditions that must be met in the processing of personal data, the rights of data subjects, the responsibilities of the various individuals involved in the processing of personal data, and the security requirements that must be met, among others. Most data protection legislation does, however, have special provisions in place for research. These may include exemptions to some of the strict processing requirements and exemptions to some of the rights provided for data subjects if the processing is for research. In contrast, many legislative frameworks have stricter requirements when processing genetic data. Such legislation generally also has specific requirements that must be met when transferring personal data across borders. Consequently, the cross-border sharing of health data, that includes genetic data, requires the careful analysis of the pertinent data protection legislation, in particular concerning the sharing of such data for research purposes.
The DS-I Africa Initiative was established in 2021 in order to leverage data science technologies to transform biomedical and behavioural research and to develop solutions to improve individual and population health. A key activity of the research involves the sharing of health data that includes genetic data. The DS-I Africa Law project focuses on the legal dimensions of using data science for health discovery and innovation in Africa and aimed to provide scientists with the necessary guidance on how to be legally compliant. The project has a broad jurisdictional scope, involving the law of 12 African nations: Botswana, Cameroon, Ghana, Kenya, Malawi, Nigeria, Rwanda, South Africa, Tanzania, The Gambia, Uganda, and Zimbabwe. These countries were selected based on the criteria of having hosted H3Africa projects in the past, and having available legislation in English. Five critical legal themes were investigated: (i) modes of informed consent to the use of data; (ii) the nature and content of individual and community rights in genomic data; (iii) the use of persons’ geospatial data for public health surveillance; (iv) the cross-border sharing of data; and (v) the use of data as a basis for artificial intelligence (AI). To assist researchers in understanding the impact of national data protection legislation on the cross-border sharing of data, the DS-I Africa Law project sought to develop country guides for 12 jurisdictions on the cross-border sharing of data. This paper reports on the findings of those guides.
The aim of this paper is two-fold: first, to present the requirements of each country in the cross-border sharing of data, and second, to offer a comparative analysis of the requirements. This paper will demonstrate that, while on the face of it there are many similarities in the requirements to be met when sharing data across borders in the 12 countries, the differences are such that there is a lack of a harmonized approach in how health data can be shared across borders for research. This does mean that researchers must navigate the legal requirements of each jurisdiction to identify a suitable legal basis on which they may transfer health data.
This paper begins by outlining the methodology adopted to develop the above country guides. It then discusses how these country guides were analysed. This paper then discusses the key findings, including a comparison of the key features of the applicable data protection legislation, the differing grounds across the 12 jurisdictions through which personal data may be transferred, and the requirements under the national research ethics and research regulatory documents that must be met when transferring personal data across borders for research. Finally, this paper offers some reflections on the implications of these findings in these 12 countries when sharing health data that includes genetic data across borders for research purposes.
II. METHODS
Two authors of this paper (CS & DT) developed a template guide (Appendix A) drawing from the General Data Protection Regulation 2016/679 (GDPR) in the European Union (EU). The GDPR was used as most data protection legislation in Africa is based on the GDPR. In developing the template guide, it was decided to focus on both research ethics regulatory frameworks and data protection to ensure that researchers have a comprehensive overview of the national requirements to be met when sharing health data that includes genetic data across borders.
For the national research ethics frameworks, the template required all applicable national laws, regulations, and guidelines to be stated, followed by detail of all national requirements that must be met in cross-border data sharing. The template then focused on data protection-related issues. Although the purpose of the guides was to provide detailed guidance on the additional requirements for the cross-border sharing of data, the authors considered it important to contextualize this information and provide researchers with basic information on the data protection legislation generally. The template first required details on whether the relevant country had signed or ratified the Malabo Convention that came into force in June 2023. Next, the template set out the details to be filled in as they relate to the application of the national data protection law, the definition of different categories of data, a definition and description of the key individuals, the principles to be met in the processing of personal data, the rights of the data subjects and, finally, the grounds under which personal data can be shared across borders.
Once the template was finalized, training on the use of the template was provided to the research assistants (RAs). The RAs then inputted the relevant data for the 12 countries. CS checked this work and sent back queries and points for clarification. This continued until all issues were addressed. The draft country guides were then sent to the country experts (LA, AA, AG, and PO) for review. Following this, CS reviewed these edits and sent back queries and points for clarification. This continued until all issues had been addressed. Finally, AE reviewed the sections on the application of data protection legislation and made changes where necessary.
On completion of the country guides, CS compared each country guide under the following criteria: Application of data protection law, descriptors of categories of data, descriptors of relevant individuals specified in the data protection law, requirements for the processing of personal data, rights of data subjects, grounds for the cross-border flow of data, and additional requirements from research ethics regulatory frameworks.
Following this, the country guides were compared to identify similarities and differences between each jurisdiction. This information is correct as of September 2024.
II.A. Comparative Analysis
Out of the 12 countries, two countries (Cameroon10 and The Gambia) have no data protection legislation in place. The remaining 10 countries have a data protection statute in force. As represented in Table 1, two countries (Ghana and Rwanda) have ratified the Malabo Convention, while three other countries (Cameroon, South Africa, and The Gambia) have signed the Malabo Convention.
Country | Ratified | Signed |
---|---|---|
Botswana | No | No |
Cameroon | No | Yes |
Ghana | Yes | Yes |
Kenya | No | No |
Malawi | No | No |
Nigeria | No | No |
Rwanda | Yes | Yes |
South Africa | No | Yes |
Tanzania | No | No |
The Gambia | No | Yes |
Uganda | No | No |
Zimbabwe | No | No |
1. Application of data protection law
In all 10 of the above countries, the data protection legislation applies only to personal data. Notably, Zimbabwe incorporates provisions that extend to non-personal data. While some countries provide additional guidance, the usual approach to determining whether data falls under data protection legislation is whether it meets the definition of personal data.
In South Africa, information is considered personal when it relates to an identified or identifiable person. It is this personal information that data protection law seeks to protect. De-identified data is explicitly excluded from the Protection of Personal Information Act 4 of 2013 (POPIA), which does not concern or apply to de-identified non-personal information. De-identifying information is the process of stripping the data of any information which can be used to identify a data subject. It should not be possible to re-identify the data subject directly or indirectly by manipulating the information or linking it with other information.
Some legislation does mention anonymized and pseudonymized data. In Kenya, although neither Kenya’s Data Protection Act nor its Regulations explicitly exclude anonymized data from the ambit of its provisions, according to the Act, ‘anonymization’ means ‘the removal of personal identifiers from personal data so that the data subject is no longer identifiable’. The Act provides that data must be anonymized to ensure ‘the data subject is no longer identifiable’. Unfortunately, Kenya’s Data Protection Act and the Kenyan Data Protection General Regulations do not contain standards for non-identifiability.
In Rwanda the Law Relating to the Protection of Personal Data and Privacy 2021 does refer to ‘de-identified’ data and ‘pseudonymization’. Pseudonymization is when information is removed from the data so it is not possible to identify an individual, and that information is kept separate through technical and organizational measures. Similar to the GDPR, it is clear that data that has been pseudonymized does fall under the Act. ‘De-identified’ data is mentioned in the Act, but is not defined. Article 57 provides that it is an offence to knowingly, recklessly, or intentionally re-identify data that has been de-identified. It appears from this context that de-identification is a reversible technique.
Tanzania’s Data Protection Act does not refer to anonymized or pseudonymized data, but the Personal Data Protection (Personal Data Collection and Processing) Regulations 2023, refer to both anonymization and pseudonymization, but they are not defined. From the context in which it is used, anonymization is a tool that may be employed by data controllers or data processors to minimize their use or retention of data in an identifiable form where it is not necessary to do so. This aligns with the principles of proportionality, necessity, retention, and storage of personal data. The data controller or data processor must ensure that there is ‘no possibility of re-identification of anonymous personal data’ and that this is properly tested (emphasis added, regulation 30(d)). The inclusion of the phrase ‘no possibility’ and the requirement for this to be tested suggests that for data to be considered anonymized, the anonymization must be proved through testing to be effective and absolute. Although not defined, pseudonymization is referred to as a safety measure that involves ‘storing identification keys separately’ (regulation 28(d)).
In Nigeria, the Data Protection Act (NDPA) applies to personal data but does refer to de-identification and pseudonymization. Data that has been pseudonymized does fall under the NDPA. Although ‘de-identification’ is mentioned in the NDPA, it is not defined. From its context in section 39, de-identification is one of the technical and organizational measures a data controller may use to ensure the security, integrity and confidentiality of the personal data under its control, in order to guard against misuse, or unauthorized disclosure or access, among others.
The Data Protection Act 2024 in Malawi refers to ‘de-identification’ and ‘pseudonymization’. Data that has been pseudonymized remains in the ambit of the Data Protection Act. Although ‘de-identification’ is mentioned in the Act, it is not defined. From its context in section 31(2), de-identification is one of the technical and organizational measures a data controller may use to ensure the security, integrity, and confidentiality of the personal data in its control, in order to guard against misuse, or unauthorized disclosure or access, among others. In the absence of specific guidance and clarity in the alternative on this point, it would seem that data that has been de-identified falls squarely within the ambit of the Act.
2. Defining personal data and sensitive data
Table 2 lists the definitions for personal data and sensitive personal data. Personal data is typically data about a particular person that can identify them. In South Africa, this is referred to as ‘personal information’. Sensitive personal data pertains to information that is particularly sensitive in respect of an individual, such as health or genetic data. This category of data receives special protection under data protection legislation and bills. In South Africa, it is called ‘special personal information’.
Country | Personal data | Sensitive personal data |
---|---|---|
Botswana | Information relating to an identified or identifiable individual, which individual can be identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity; and ‘data’ shall be construed accordingly. (Data Protection Act, 2018 s2) | Personal data relating to a data subject which reveals his or her – (a) racial or ethnic origin; (b) political opinions; (c) religious beliefs or philosophical beliefs; (d) membership of a trade union; (e) physical or mental health or condition; (f) sexual life; (g) filiation; or (h) personal financial information, and includes – (a) any commission or alleged commission of him or her of any offence; (b) any proceedings for any offence committed or alleged to have been committed by him or her, the disposal of such proceedings, or the sentence of any court in such proceedings; and (c) genetic data, biometric data and the personal data of minors. (Data Protection Act, 2018 s2) |
Kenya | Means any information relating to an identified or identifiable natural person. (The Data Protection Act, 2019 s2) | Means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject. (The Data Protection Act, 2019 s2) |
Malawi | Any data relating to an identifiable natural person which, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that person. (Data Protection Act, 2024 s2) | Personal data relating to a natural person’s – (a) biometric data; (b) race or ethnic origin; (c) religious or other belief relating to the freedom of conscience of the person; (d) health status; (e) political opinion or affiliation; and (f) such other data as the Minister may prescribe. (Data Protection Act, 2024 s2) |
Nigeria | Any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual (Nigeria Data Protection Act, 2023 s65) | Personal data relating to an individual’s – (a) genetic and biometric data, for the purpose of uniquely identifying a natural person; (b) race or ethnic origin; (c) religious or similar beliefs, such as those reflecting conscience or philosophy; (d) health status; (e) sex life; (f) political opinions or affiliations; (g) trade union memberships; or (h) other information prescribed by the Commission, as sensitive personal data under section 30 (2); and ‘social security laws’ means the Employee Compensation Act, Pension Reform Act, National Health Insurance Authority Act, National Housing Fund Act, Nigeria Social Insurance Trust Fund Act, Industrial Trust Fund Act or any other similar law. (Nigeria Data Protection Act, 2023 s65) |
Rwanda | Information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person. (Law relating to the protection of personal data and privacy Article 3) | Information revealing a person’s race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life or family details. (Law relating to the protection of personal data and privacy Article 3) |
South Africa | Personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to – (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person (Protection of Personal Information Act No. 4 of 2013 s1) | Special personal information means personal information as referred to in section 26: ‘A responsible party may, subject to section 27, not process personal information concerning – the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject […]’ (Protection of Personal Information Act No. 4 of 2013 s26) |
Tanzania | Means data about an identifiable person that is recorded in any form, including – (a) personal data relating to the race, national or ethnic origin, religion, age or marital status of the individual; (b) personal data relating to the education, the medical, criminal or employment history; (c) any identifying number, symbol or other particular assigned to the individual; (d) the address, fingerprints or blood type of the individual; (e) the name of the individual appearing on personal data of another person relating to the individual or where the disclosure of the name itself would reveal personal data about the individual; (f) correspondence sent to a data controller by the data subject that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence, and the views or opinions of any other person about the data subject (Personal Data Protection Act 2022 s3) | Sensitive personal data includes – (a) genetic data, data related to children, data related to offences, financial transactions of the individual, security measures or biometric data; (b) if they are processed for what they reveal, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender and data concerning health or sex life; and (c) any personal data otherwise considered under the laws of the country as presenting a major risk to the rights and interests of the data subject (Personal Data Protection Act 2022 s3) |
Uganda | Information about a person from which the person can be identified, that is recorded in any form and includes data that relates to – (a) the nationality, age or marital status of the person; (b) the education level or, occupation of the person; (c) an identification number, symbol or other particulars assigned to a person; (d) identity data; or (e) other information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual. (Data Protection and Privacy Act, 2019 s2) | Not defined. However, s9 provides that special personal data relates to religious or philosophical beliefs, political opinion, sexual life, financial information, health status or medical records of an individual (Data Protection and Privacy Act, 2019 s9) |
Zimbabwe | Information relating to a data subject, and includes – (a) the person’s name, address or telephone number; (b) the person’s race, national or ethnic origin, colour, religious or political beliefs or associations; (c) the person’s age, sex, sexual orientation, marital status or family status; (d) an identifying number, symbol or other particulars assigned to that person; (e) fingerprints, blood type or inheritable characteristics; (f) information about a person’s health care history, including a physical or mental disability; (g) information about educational, financial, criminal or employment history; (h) opinions expressed about an identifiable person; (i) the individual’s personal views or opinions, except if they are about someone else; and (j) personal correspondence pertaining to home and family life. (Data Protection Act 2021 [Chapter 11:22] s3) | Information or any opinion about an individual which reveals or contains the following – (a) racial or ethnic origin; (b) political opinions; (c) membership of a political association; (d) religious beliefs or affiliations; (e) philosophical beliefs; (f) membership of a professional or trade association; (g) membership of a trade union; (h) sex life; (i) criminal, educational, financial or employment history; (j) gender, age, marital status or family status; health information about an individual; genetic information about an individual; or any information which may be considered as presenting a major risk to the rights of the data subject. (Data Protection Act 2021 [Chapter 11:22] s3) |
Country . | Personal data . | Sensitive personal data . |
---|---|---|
Botswana | Information relating to an identified or identifiable individual, which individual can be identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity; and ‘data’ shall be construed accordingly. (Data Protection Act, 2018 s2) | Personal data relating to a data subject which reveals his or her – (a) racial or ethnic origin; (b) political opinions; (c) religious beliefs or philosophical beliefs; (d) membership of a trade union; (e) physical or mental health or condition; (f) sexual life; (g) filiation; or (h) personal financial information, and includes – (a) any commission or alleged commission of him or her of any offence; (b) any proceedings for any offence committed or alleged to have been committed by him or her, the disposal of such proceedings, or the sentence of any court in such proceedings; and (c) genetic data, biometric data and the personal data of minors. (Data Protection Act, 2018 s2) |
Kenya | Means any information relating to an identified or identifiable natural person. (The Data Protection Act, 2019 s2) | Means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject. (The Data Protection Act, 2019 s2) |
Malawi | Any data relating to an identifiable natural person which, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that person. (Data Protection Act, 2024 s2) | Personal data relating to a natural person’s – (a) biometric data; (b) race or ethnic origin; (c) religious or other belief relating to the freedom of conscience of the person; (d) health status; (e) political opinion or affiliation; and (f) such other data as the Minister may prescribe. (Data Protection Act, 2024 s2) |
Nigeria | Any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual (Nigeria Data Protection Act, 2023 s65) | Personal data relating to an individual’s – (a) genetic and biometric data, for the purpose of uniquely identifying a natural person; (b) race or ethnic origin; (c) religious or similar beliefs, such as those reflecting conscience or philosophy; (d) health status; (e) sex life; (f) political opinions or affiliations; (g) trade union memberships; or (h) other information prescribed by the Commission, as sensitive personal data under section 30 (2); and ‘social security laws’ means the Employee Compensation Act, Pension Reform Act, National Health Insurance Authority Act, National Housing Fund Act, Nigeria Social Insurance Trust Fund Act, Industrial Trust Fund Act or any other similar law. (Nigeria Data Protection Act, 2023 s65) |
Rwanda | Information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person. (Law relating to the protection of personal data and privacy Article 3) | Information revealing a person’s race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life or family details. (Law relating to the protection of personal data and privacy Article 3) |
South Africa | Personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to – (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person (Protection of Personal Information Act No. 4 of 2013 s1) | Special personal information means personal information as referred to in section 26: ‘A responsible party may, subject to section 27, not process personal information concerning – the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject […]’ (Protection of Personal Information Act No. 4 of 2013 s26) |
Tanzania | Means data about an identifiable person that is recorded in any form, including – (a) personal data relating to the race, national or ethnic origin, religion, age or marital status of the individual; (b) personal data relating to the education, the medical, criminal or employment history; (c) any identifying number, symbol or other particular assigned to the individual; (d) the address, fingerprints or blood type of the individual; (e) the name of the individual appearing on personal data of another person relating to the individual or where the disclosure of the name itself would reveal personal data about the individual; (f) correspondence sent to a data controller by the data subject that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence, and the views or opinions of any other person about the data subject (Personal Data Protection Act 2022 s3) | Sensitive personal data includes – (a) genetic data, data related to children, data related to offences, financial transactions of the individual, security measures or biometric data; (b) if they are processed for what they reveal, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender and data concerning health or sex life; and (c) any personal data otherwise considered under the laws of the country as presenting a major risk to the rights and interests of the data subject (Personal Data Protection Act 2022 s3) |
Uganda | Information about a person from which the person can be identified, that is recorded in any form and includes data that relates to – (a) the nationality, age or marital status of the person; (b) the education level or, occupation of the person; (c) an identification number, symbol or other particulars assigned to a person; (d) identity data; or (e) other information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual. (Data Protection and Privacy Act, 2019 s2) | Not defined. However, s9 provides that special personal data relates to religious or philosophical beliefs, political opinion, sexual life, financial information, health status or medical records of an individual (Data Protection and Privacy Act, 2019 s9) |
Zimbabwe | Information relating to a data subject, and includes – (a) the person’s name, address or telephone number; (b) the person’s race, national or ethnic origin, colour, religious or political beliefs or associations; (c) the person’s age, sex, sexual orientation, marital status or family status; (d) an identifying number, symbol or other particulars assigned to that person; (e) fingerprints, blood type or inheritable characteristics; (f) information about a person’s health care history, including a physical or mental disability; (g) information about educational, financial, criminal or employment history; (h) opinions expressed about an identifiable person; (i) the individual’s personal views or opinions, except if they are about someone else; and (j) personal correspondence pertaining to home and family life. (Data Protection Act 2021 [Chapter 11:22] s3) | Information or any opinion about an individual which reveals or contains the following – (a) racial or ethnic origin; (b) political opinions; (c) membership of a political association; (d) religious beliefs or affiliations; (e) philosophical beliefs; (f) membership of a professional or trade association; (g) membership of a trade union; (h) sex life; (i) criminal, educational, financial or employment history; (j) gender, age, marital status or family status; health information about an individual; genetic information about an individual; or any information which may be considered as presenting a major risk to the rights of the data subject. (Data Protection Act 2021 [Chapter 11:22] s3) |
In Zimbabwe, there is an additional category of data covered in its Data Protection Act, which is referred to as ‘data’. This is defined as ‘any representation of facts, concepts, information, whether in text, audio, video, images, machine-readable code or instructions, in a form suitable for communications, interpretation or processing in a computer device, computer system, database, electronic communications network or related devices and includes a computer programme and traffic data’. This category of data does not appear in any other data protection act.
3. Key role-players in data protection legislation
All the acts allocate rights and duties to roughly the same set of key role-players. These role-players are typically referred to as a ‘data subject’, a ‘data processor’, a ‘data controller’, and a ‘data protection officer’. Table 3 provides the exact definition in each country. Typically, a data subject is the person to whom the personal data relates. A data controller is generally the person who decides what the data will be used for. In the research context, this will be the person deciding on the purpose of the research and how it will be achieved. Legal responsibility generally falls on the Principal Investigator (PI) and the institution as the employer.11
Country | Data subject | Data processor | Data controller | Data Protection Officer |
---|---|---|---|---|
Botswana | An individual who is the subject of personal data. (Data Protection Act, 2018 s2) | A person who processes data on behalf of the data controller. (Data Protection Act, 2018 s2) | A person who alone or jointly with others determines the purposes and means of which personal data is to be processed, regardless of whether or not such data is processed by such person or agent on that person’s behalf. (Data Protection Act, 2018 s2) | A person who is appointed by the data controller, which person shall independently ensure that personal data is processed in a correct and lawful manner (called a Data Protection Representative). (Data Protection Act, 2018 s2) |
Kenya | Means an identified or identifiable natural person who is the subject of personal data. (The Data Protection Act, 2019 s2) | Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. (The Data Protection Act, 2019 s2) The Data Protection Act, 2019 s42 (3): Where a data processor processes personal data other than as instructed by the data controller, the data processor shall be deemed to be a data controller in respect of that processing. | Means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. (The Data Protection Act, 2019 s2) | Not defined in the Act. However, it is appointed in terms of section 24 of the Act. S24 (7): A data protection officer shall – (a) advise the data controller or data processor and their employees on data processing requirements provided under this Act or any other written law; (b) ensure on behalf of the data controller or data processor that this Act is complied with; (c) facilitate capacity-building of staff involved in data processing operations; (d) provide advice on data protection impact assessment; and (e) cooperate with the Data Commissioner and any other authority on matters relating to data protection. Chatbot: A data protection officer, as per the context, is an individual who can be designated or appointed by a data controller or data processor under certain terms and conditions. This designation or appointment can occur when the processing is carried out by a public or private body (excluding courts acting in their judicial capacity), or when the core activities of the data controller or processor involve regular and systematic monitoring of data subjects or processing of sensitive categories of personal data. The Data Protection Officer can be a staff member of the data controller or processor and can fulfil other tasks and duties provided they do not result in a conflict of interest. A group of entities may appoint a single Data Protection Officer, provided that such officer is accessible by each entity. A person may be designated as a Data Protection Officer if they have relevant academic or professional qualifications, including knowledge and technical skills in matters relating to data protection. The Data Protection Officer’s duties include advising the data controller or processor and their employees on data processing requirements, ensuring compliance with the Act, facilitating capacity-building of staff involved in data processing operations, providing advice on data protection impact assessment, and cooperating with the Data Commissioner and other authorities on matters relating to data protection. (The Data Protection Act, 2019 s24) |
Malawi | A natural person to whom particular personal data relates. (Data Protection Act, 2024 s2) | A natural or legal person who processes personal data on behalf of a data controller. (Data Protection Act, 2024 s2) | A natural or legal person who, alone or jointly with another natural or legal person, determines the purpose and means of processing personal data. (Data Protection Act, 2024 s2) | A person designated as such pursuant to section 33. (Data Protection Act, 2024 s2) |
Nigeria | An individual to whom personal data relates (Nigeria Data Protection Act, 2023 s65) | An individual, private entity, public authority or any other body, who/which processes personal data on behalf of or at the direction of a data subject (Nigeria Data Protection Act, 2023 s65) | An individual, private entity, public Commission, agency or any other body who/which, alone or jointly with others, determines the purposes and means of processing of personal data (Nigeria Data Protection Act, 2023 s65) | A designated individual with expert knowledge of data protection law and practices. This person has the ability to carry out tasks prescribed under the Act and subsidiary legislation made under it. He/she may be an employee of a data controller or engaged by a service contract. Their responsibilities include advising the data controller or the data processor and their employees, monitoring compliance with the Act and related policies of the data controller or data processor, and acting as the contact point for the Commission on issues relating to data processing. (Nigeria Data Protection Act, 2023 s32) |
Rwanda | A natural person from whom or in respect of whom personal data has been requested and processed. (Law relating to the protection of personal data and privacy Article 3) | Natural person, public or private corporate body or legal entity, who/which is authorized to process personal data on behalf of the data controller. (Law relating to the protection of personal data and privacy Article 3) | A natural person, public or private corporate body or legal entity who/which, alone or jointly with others, processes personal data and determines the means of their processing. (Law relating to the protection of personal data and privacy Article 3) | A person designated by the data controller or the data processor or associations and other bodies representing categories of data controllers or data processors in accordance with the provisions of the law. This officer is designated on the basis of professional qualities, expert knowledge of personal data protection, practices, and the ability to fulfil the tasks assigned to him or her. The Personal Data Protection Officer may be a permanent staff member of the data controller or the data processor, or a person who fulfils the tasks on the basis of a service contract. The officer’s role includes due regard to the risk associated with personal data processing operations, considering the nature, scope, context and purpose of processing. (Law relating to the protection of personal data and privacy Article 40) |
South Africa | The person to whom personal information relates (Protection of Personal Information Act, 2013 s1) | Called an operator, meaning a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. (Protection of Personal Information Act, 2013 s1) | Called a responsible party, meaning a public or private body or any other person which/who, alone or in conjunction with others, determines the purpose of and means for processing personal information (Protection of Personal Information Act, 2013 s1) An Information Officer, as per the Protection of Personal Information Act, 2013, has responsibilities that include: Encouraging compliance by the body with the conditions for the lawful processing of personal information; dealing with requests made to the body pursuant to this Act; working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body; ensuring compliance by the body with the provisions of this Act. Other duties as may be prescribed. Officers must take up their duties in terms of this Act only if the responsible party has registered them with the Regulator. (Protection of Personal Information Act, 2013 s55) | Called an Information Officer of, or in relation to a – (a) public body means an information officer or deputy information officer as contemplated in terms of s 1 or 17; or (b) private body means the head of a private body as contemplated in s 1 of the Promotion of Access to Information Act (Protection of Personal Information Act, 2013 s1) |
Tanzania | Means the subject of personal data which are processed under this Act (The Personal Data Protection Act, s3) | Means a natural person, legal person or public body which processes personal data for and on behalf of the controller and under the data controller’s instruction, except for the persons who, under the direct authority of the controller, are authorized to process the data and it includes his representative (The Personal Data Protection Act, s3) | Means a natural person, legal person or public body which alone or jointly with others determines the purpose and means of processing of personal data; and where the purpose and means of processing are determined by law, the ‘data controller’ is the natural person, legal person, or public body designated as such by that law. This definition also includes the representative of the data controller. (The Personal Data Protection Act, s3) | Means an individual appointed by the data controller or data processor charged with ensuring compliance with the obligations provided for in this Act (The Personal Data Protection Act, s3) |
Uganda | Means an individual from whom or in respect of whom personal information has been requested, collected, collated, processed or stored. (The Data Protection and Privacy Act, 2019 s2) | Means the person other than an employee of the data controller who processes the data on behalf of the data controller. (The Data Protection and Privacy Act, 2019 s2) | Means a person who alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed (The Data Protection and Privacy Act, 2019 s2) | Not defined in the Act but provided for under s6 of the Act. Responsible for ensuring compliance with the Act. (The Data Protection and Privacy Act, 2019 s6) |
Zimbabwe | An individual who is an identifiable person and the subject of data. (Data Protection Act 2021 [Chapter 11:12] s3) | A natural person or legal person, who processes data for and on behalf of the controller and under the controller’s instruction, except for the persons who, under the direct employment or similar authority of the controller are authorized to process the data. (Data Protection Act 2021 [Chapter 11:12] s3) | Any natural person or legal person who is licensable by the Authority; includes public bodies and any other person who determines the purpose and means of processing data. (Data Protection Act 2021 [Chapter 11:12] s3) | Any individual appointed by the data controller and is charged with ensuring, in an independent manner, compliance with the obligations provided for in this Act. (Data Protection Act 2021 [Chapter 11:12] s3) |
Country . | Data subject . | Data processor . | Data controller . | Data Protection Officer . |
---|---|---|---|---|
Botswana | An individual who is the subject of personal data. (Data Protection Act, 2018 s2) | A person who processes data on behalf of the data controller. (Data Protection Act, 2018 s2) | A person who alone or jointly with others determines the purposes and means of which personal data is to be processed, regardless of whether or not such data is processed by such person or agent on that person’s behalf. (Data Protection Act, 2018 s2) | A person who is appointed by the data controller, which person shall independently ensure that personal data is processed in a correct and lawful manner (called a Data Protection Representative). (Data Protection Act, 2018 s2) |
Kenya | Means an identified or identifiable natural person who is the subject of personal data. (The Data Protection Act, 2019 s2) | Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. (The Data Protection Act, 2019 s2) The Data Protection Act, 2019 s42 (3) Where a data processor processes personal data other than as instructed by the data controller, the data processor shall be deemed to be a data controller in respect of that processing. | Means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. (The Data Protection Act, 2019 s2) | Not defined in the Act. However, it is appointed in terms of section 24 of the Act. S24 (7): A data protection officer shall – (a) advise the data controller or data processor and their employees on data processing requirements provided under this Act or any other written law; (b) ensure on behalf of the data controller or data processor that this Act is complied with; (c) facilitate capacity-building of staff involved in data processing operations; (d) provide advice on data protection impact assessment; and (e) cooperate with the Data Commissioner and any other authority on matters relating to data protection. Chatbot: A data protection officer, as per the context, is an individual who can be designated or appointed by a data controller or data processor under certain terms and conditions. This designation or appointment can occur when the processing is carried out by a public or private body (excluding courts acting in their judicial capacity), or when the core activities of the data controller or processor involve regular and systematic monitoring of data subjects or processing of sensitive categories of personal data. The Data Protection Officer can be a staff member of the data controller or processor and can fulfil other tasks and duties provided they do not result in a conflict of interest. A group of entities may appoint a single Data Protection Officer, provided that such officer is accessible by each entity. A person may be designated as a Data Protection Officer if they have relevant academic or professional qualifications, including knowledge and technical skills in matters relating to data protection. The Data Protection Officer’s duties include advising the data controller or processor and their employees on data processing requirements, ensuring compliance with the Act, facilitating capacity-building of staff involved in data processing operations, providing advice on data protection impact assessment, and cooperating with the Data Commissioner and other authorities on matters relating to data protection. (The Data Protection Act, 2019 s24) |
Malawi | A natural person to whom particular personal data relates. (Data Protection Act, 2024 s2) | A natural or legal person who processes personal data on behalf of a data controller. (Data Protection Act, 2024 s2) | A natural or legal person who, alone or jointly with another natural or legal person, determines the purpose and means of processing personal data. (Data Protection Act, 2024 s2) | A person designated as such pursuant to section 33. (Data Protection Act, 2024 s2) |
Nigeria | An individual to whom personal data relates (Nigeria Data Protection Act, 2023 s65) | An individual, private entity, public authority or any other body, who/which processes personal data on behalf of or at the direction of a data subject (Nigeria Data Protection Act, 2023 s65) | An individual, private entity, public Commission, agency or any other body who/which, alone or jointly with others, determines the purposes and means of processing of personal data (Nigeria Data Protection Act, 2023 s65) | A designated individual with expert knowledge of data protection law and practices. This person has the ability to carry out tasks prescribed under the Act and subsidiary legislation made under it. He/she may be an employee of a data controller or engaged by a service contract. Their responsibilities include advising the data controller or the data processor and their employees, monitoring compliance with the Act and related policies of the data controller or data processor, and acting as the contact point for the Commission on issues relating to data processing. (Nigeria Data Protection Act, 2023 s32) |
Rwanda | A natural person from whom or in respect of whom personal data has been requested and processed. (Law relating to the protection of personal data and privacy Article 3) | Natural person, public or private corporate body or legal entity, who/which is authorized to process personal data on behalf of the data controller. (Law relating to the protection of personal data and privacy Article 3) | A natural person, public or private corporate body or legal entity who/which, alone or jointly with others, processes personal data and determines the means of their processing. (Law relating to the protection of personal data and privacy Article 3) | A person designated by the data controller or the data processor or associations and other bodies representing categories of data controllers or data processors in accordance with the provisions of the law. This officer is designated on the basis of professional qualities, expert knowledge of personal data protection, practices, and the ability to fulfil the tasks assigned to him or her. The Personal Data Protection Officer may be a permanent staff member of the data controller or the data processor, or a person who fulfils the tasks on the basis of a service contract. The officer’s role includes due regard to the risk associated with personal data processing operations, considering the nature, scope, context and purpose of processing. (Law relating to the protection of personal data and privacy Article 40) |
South Africa | The person to whom personal information relates (Protection of Personal Information Act, 2013 s1) | Called an operator, meaning a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. (Protection of Personal Information Act, 2013 s1) | Called a responsible party, meaning a public or private body or any other person which/who, alone or in conjunction with others, determines the purpose of and means for processing personal information (Protection of Personal Information Act, 2013 s1) An Information Officer, as per the Protection of Personal Information Act, 2013, has responsibilities that include: Encouraging compliance by the body with the conditions for the lawful processing of personal information; dealing with requests made to the body pursuant to this Act; working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body; ensuring compliance by the body with the provisions of this Act. Other duties as may be prescribed. Officers must take up their duties in terms of this Act only if the responsible party has registered them with the Regulator. (Protection of Personal Information Act, 2013 s55) | Called an Information Officer of, or in relation to a – (a) public body means an information officer or deputy information officer as contemplated in terms of s 1 or 17; or (b) private body means the head of a private body as contemplated in s 1 of the Promotion of Access to Information Act (Protection of Personal Information Act, 2013 s1) |
Tanzania | Means the subject of personal data which are processed under this Act (The Personal Data Protection Act, s3) | Means a natural person, legal person or public body which processes personal data for and on behalf of the controller and under the data controller’s instruction, except for the persons who, under the direct authority of the controller, are authorized to process the data and it includes his representative (The Personal Data Protection Act, s3) | Means a natural person, legal person or public body which alone or jointly with others determines the purpose and means of processing of personal data; and where the purpose and means of processing are determined by law, the ‘data controller’ is the natural person, legal person, or public body designated as such by that law. This definition also includes the representative of the data controller. (The Personal Data Protection Act, s3) | Means an individual appointed by the data controller or data processor charged with ensuring compliance with the obligations provided for in this Act (The Personal Data Protection Act, s3) |
Uganda | Means an individual from whom or in respect of whom personal information has been requested, collected, collated, processed or stored. (The Data Protection and Privacy Act, 2019 s2) | Means the person other than an employee of the data controller who processes the data on behalf of the data controller. (The Data Protection and Privacy Act, 2019 s2) | Means a person who alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed (The Data Protection and Privacy Act, 2019 s2) | Not defined in the Act but provided for under s6 of the Act. Responsible for ensuring compliance with the Act. (The Data Protection and Privacy Act, 2019 s6) |
Zimbabwe | An individual who is an identifiable person and the subject of data. (Data Protection Act 2021 [Chapter 11:12] s3) | A natural person or legal person, who processes data for and on behalf of the controller and under the controller’s instruction, except for the persons who, under the direct employment or similar authority of the controller are authorized to process the data. (Data Protection Act 2021 [Chapter 11:12] s3) | Any natural person or legal person who is licensable by the Authority; includes public bodies and any other person who determines the purpose and means of processing data. (Data Protection Act 2021 [Chapter 11:12] s3) | Any individual appointed by the data controller and is charged with ensuring, in an independent manner, compliance with the obligations provided for in this Act. (Data Protection Act 2021 [Chapter 11:12] s3) |
The nomenclature adopted in South Africa differs, although the meaning and roles remain roughly equivalent. In POPIA, the data controller is known as the ‘responsible party’. A data processor is not directly employed by the data controller, but is processing the personal data under the direction of the data controller. In the research context, this may be a consultant. In South Africa, a data processor is known as an operator. A data protection officer (DPO) is a person in an organization who is appointed to advise and promote compliance with the law. In South Africa, this person is known as an Information Officer, and in Botswana the person is called a Data Protection Representative. A DPO is not defined in Nigeria, Malawi, or Rwanda, whereas a DPO is not defined but provided for in Kenya and Uganda.
4. Requirements for the processing of personal data
All countries with data protection acts set out the requirements for the lawful processing of data. As can be seen from Table 4, the exact requirements vary but, typically, they include a lawful basis for the processing of personal data, adherence to the principles of data minimization, purpose limitation and storage limitation, requirements on the accuracy of the data and/or data quality, security safeguards, and rights for data subjects.
Country | Conditions for the lawful processing of personal data |
---|---|
Botswana | Lawfulness and fairness (section 14(a)) Adequacy (section 14(b)) Accuracy and completeness (section 14(c)) Purpose limitation (section 14(d)) Security (section 14(f)) Completeness and correction (section 14(g)) Storage limitation (section 14(h)) Good practice (section 14(i)) Processing limitation (sections 14(e) and 15) |
Kenya | Processed in accordance with the right to privacy of the data subject (section 25(a)) Processed lawfully, fairly and in a transparent manner in relation to any data subject (section 25(b)) Collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes (section 25(c)) Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (section 25(d)) Collected only where a valid explanation is provided whenever information relating to family or private affairs is required (section 25(e)) Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay (section 25(f)) Kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected (section 25(g)) Not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject (section 25(h)) |
Malawi | Lawfulness of data processing (section 8) Provision of information (section 15) Purpose limitation (section 9) Data minimization (section 10) Storage limitation (section 12) Accuracy (section 11) Data integrity and data confidentiality (section 13) |
Nigeria | Lawfulness, fairness and transparency (section 24(1)(a)) Purpose limitation (section 24(1)(b)) Adequacy (section 24(1)(c)) Storage limitation (section 24(1)(d)) Accuracy (section 24(1)(e)) Security safeguard (section 24(1)(f)) Security, integrity and confidentiality (section 24(2)) Accountability and duty of care (section 24(3)) |
Rwanda | Personal data are processed lawfully, fairly and in a transparent manner (Article 37 (1°)) Personal data are collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes (Article 37 (2°)) Personal data are related to the purposes for which their processing was requested (Article 37 (3°)) Personal data are accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data are erased or rectified without delay (Article 37 (4°)) Personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (Article 37 (5°)) Personal data are processed in compliance with the rights of data subjects (Article 37 (6°)) |
South Africa | Purpose specification (sections 13, 14) Processing limitation (sections 9, 10, 11, 12) Information quality (section 16) Further processing limitation (section 15) Openness (sections 17, 18) Data subject participation (section 23 [access], 24 [correction]) Security safeguards (sections 19, 20, 21, 22) Accountability (section 8) Correction of personal information (section 24) Lawfulness (section 9(a)) Privacy (section 9(b)) Minimality (section 10) Storage limitation (section 14) |
Tanzania | Lawfulness, fairness, and transparency (section 5(a)) Purpose limitation (section 5(b)) Data minimization (section 5(c)) Accuracy (section 5(d)) Storage limitation (section 5(e)) Data subject rights (section 5(f)) Integrity (section 5(g)) and confidentiality (section 5(g) or 5(h)) |
Uganda | Accountability (section 3 (1)(a)) Collect and process data fairly and lawfully (section 3 (1)(b)) Data minimization (sections 3 (1)(c) and 14) Storage limitation (sections 3 (1)(d) and 18) Data quality (sections 3 (1)(e) and 15) Openness (section 3 (1)(f)) Observe security safeguards in respect of the data (section 3 (1)(g)) Consent (section 7) Privacy (section 10) Purpose limitation (section 12) Accuracy (section 16) Security (sections 20, 21) Cross-border transfer limitation (section 19) |
Zimbabwe | Data quality (section 7) Accessibility (section 7(2)) Lawfulness and fairness (section 8) and transparency (section 13(b)) Consent (sections 10 [non-sensitive] and 11 [sensitive] and 12 [genetic data, biometric sensitive data and health data]) Privacy (section 13(a)) Purpose limitation (sections 9 and 13(c)) Data minimization (section 8) Accuracy (sections 7(b) and 13(f)) Storage limitation (section 7(c)) Disclosure (sections 15 and 16) Security (section 18) Accountability (section 24) |
5. Rights of data subjects
All countries with data protection acts provide certain rights for data subjects. As illustrated in Table 5, there are variations in the exact rights that are provided for. All countries provide a right to access and a right to information. In Uganda, the right to information is not explicitly provided for, but the data subject must still be provided with certain information. All countries, with the exception of Botswana and Kenya, provide for rights in relation to automated decision-making and profiling. All countries except for Botswana provide for a right to either object to or to prevent processing.
 | Botswana | Kenya | Malawi | Nigeria | Rwanda | South Africa | Tanzania | Uganda | Zimbabwe |
---|---|---|---|---|---|---|---|---|---|
Information | X | X | X | X | X | X | X | X | X |
Prevent processing | X | X | X | X | X | ||||
Prevent processing for direct marketing purposes | X | X | X | X | |||||
Relation to automated decision-making and profiling | X | X | X | X | X | X | X | X | |
Compensation | X | X | |||||||
Rectification, blocking, erasure and destruction of personal data | X | X | X | X | X | X | |||
Access | X | X | X | X | X | X | X | ||
Correction | X | X | X | X | X | ||||
Withdraw consent | X | X | X | ||||||
Object | X | X | X | X | X | X | |||
Data portability | X | X | X | ||||||
Rectification | X | X | X | X | X | X | |||
Erasure | X | X | X | X | X | X | X | ||
Restriction | X | X | X | X | |||||
Lodge a complaint | X | X | X | X | |||||
Designate an heir | X |
Some countries provide for certain exceptions to these rights for research. The right to information and the right to access can be derogated from in Botswana if the processing is for research. In Rwanda, an exception is provided for the right to erasure of personal data where the processing is for scientific research. In Zimbabwe and South Africa, an exemption from the right to information is available if the personal data has not been collected directly from the data subject and the processing is for research purposes. In Malawi, sensitive personal data may be processed for the purpose of research.
There are no exceptions to data subject rights for research in Ghana, Uganda, Tanzania, and Kenya.
6. Grounds for the cross-border transfer of data for research
Generally, the cross-border transfer of data is not defined in the statutes, except in two countries. In Botswana, cross-border flow is defined as ‘the international flow of personal data that can be transmitted by electronic or other forms of transmission, including by satellite’ (section 2 of the Data Protection Act). In Tanzania, cross-border data flow is defined as ‘any international cross-border flows of personal data by means of electronic transmission or other means’.
Ghana has no specific provisions to be met when transferring personal data across borders. A researcher who wants to transfer personal data outside Ghana must therefore comply with the general principles and regulations in the Data Protection Act. Accordingly, Ghana is not included in the analysis in the following discussion.
For all other countries, there must be a basis on which to transfer personal data across borders. These conditions must be met in addition to the general requirements set out in the respective legislation, including a lawful basis for processing personal data and processing special personal data. The grounds for transfer can be broadly grouped into (1) adequacy and (2) grounds other than adequacy. We now consider each of these in turn.
i. Adequacy
Each country provides for transfer based on some form of adequate level of protection (hereinafter referred to as adequacy) in the country to which the data controller is sharing the data. There are considerable differences in how adequacy is determined in each country.
In Tanzania, a transfer of personal data to another country may occur where the country has a legal framework that provides for adequate data protection and if one of the following has been established:
(i) the recipient establishes that the personal data is necessary for the performance of a task carried out in the public interest or for a purpose related to the lawful functions of a data controller (article 31(2)(a)) or,
(ii) the recipient establishes the necessity of having the data transferred and there is no reason to assume that the data subject’s legitimate interests might be prejudiced by the transfer or the processing in the recipient country (article 31(2)(b)).
Decisions as to the necessity of the transfer must first be made by the data controller and this must be verified by the recipient. The data controller must also ensure that the recipient processes the personal data for the purposes for which it was transferred.
Where a country does not have a relevant legal framework that provides for an adequate level of protection, the Tanzanian legislation provides that a cross-border transfer of data can still take place if an adequate level of protection is ensured in the country of the recipient and the personal data is transferred solely to permit processing authorized by the controller. An assessment of adequacy is made taking into consideration the following: (i) all the circumstances of the relevant personal data transfer; (ii) the nature of the personal data; (iii) the purpose and duration of the proposed processing; (iv) the recipient’s country; (v) the relevant laws in force in the third country; and (vi) the professional rules and security measures that are complied with in the recipient’s country.
In Botswana, section 48(1) of the Data Protection Act prohibits the transfer of personal data from Botswana to another country unless the country is listed in the Gazette by the Minister publishing it in an Order (section 48(2)). The cross-border flow of personal data can take place to any country listed without the need for further safeguards. For countries not on the list, the cross-border flow of personal data can only take place if the third country to which the data is transferred provides an adequate level of protection (section 49(1)). This assessment is carried out by the Commissioner, who will determine whether the third country to which the data is being transferred has an adequate level of protection (section 49(2)). This assessment depends on the circumstances of each case, with particular consideration being given to: (i) the nature of the data (section 49(2)(a)); (ii) the purpose and duration of the proposed processing operation (ie the research) (section 49(2)(b)); (iii) the country of origin and country of final destination (section 49(2)(c)); (iv) the rule of law, both general and sectoral, in force in the third country (section 49(2)(d)); and (v) the professional rules and security safeguards which are complied with in that country (section 49(2)(e)).
In Zimbabwe, adequacy is assessed having considered all the circumstances of a data transfer operation. It provides that particular consideration be given to the nature of the data, the purpose and duration of the proposed processing operation, the recipient country, the laws relating to data protection in force in the country, and the professional rules and security measures which are complied with in that country (section 28(2)).
In Nigeria, a transfer based on adequacy can occur when the recipient of the personal data is subject to a law, binding corporate rules (BCR), contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection to personal data in accordance with the Act (section 41(1)). Having selected a mechanism to transfer, the data controller must then assess whether the level of protection afforded by the recipient country is ‘adequate’ for the purposes of this Act (section 41(2)). In considering whether the level of protection is adequate, the data controller or data processor can take into account: (i) the availability of the data subject’s enforceable rights and ability to enforce such rights through administrative and judicial redress; (ii) the availability of any appropriate instrument in place between the Commission and a competent authority in the recipient jurisdiction that guarantees ‘adequate’ data protection; (iii) the access of public authority to personal data; (iv) the existence of an effective data protection law; (v) the existence of an independent and competent data protection or similar supervisory authority; and (vi) the relevant country being bound by international commitments or conventions and by its membership of any multilateral or regional organizations (section 42(2)). Regarding determining the adequacy of the law in the recipient country, the list developed by the National Information Technology Development Agency (NITDA) in the Nigeria Data Protection Regulation 2019 (NDPR) Implementation Framework is applicable. In addition, Nigeria deems any country that has ratified the Malabo Convention as adequate.
Under Malawi’s Data Protection Act, the assessment is similar to Nigeria’s. The Act provides that the recipient of the personal data can be subject to a law, BCR, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection with respect to the personal data (section 38(1)). The Authority may also decide whether an international organization or a recipient of personal data outside Malawi provides an adequate level of protection of personal data based on a comparable adequacy decision made by a competent data protection authority in another country (section 39(3)). The Authority is responsible for this assessment and will take into consideration: (i) the availability of data subject rights and the availability of mechanisms for data subjects to enforce their rights through administrative or judicial processes (section 39(2)(a)); (ii) respect for the rule of law and human rights and freedoms by the country (section 39(2)(b)); (iii) the existence of a legally binding instrument between the Authority and the relevant public authority in the country, addressing elements of adequacy of data protection (section 39(2)(c)); (iv) the prevailing policy on access to personal data by a public authority in the country (section 39(2)(d)); (v) the existence of an effective data protection law in the country (section 39(2)(e)); (vi) the existence of a functionally independent and competent data protection or similar supervisory authority with adequate enforcement powers (section 39(2)(f)); and (vii) international commitment and convention binding on the country, including its membership in a relevant multilateral or regional organization (section 39(2)(g)).
The Act further provides that the Minister may give notice in the Gazette of any country, region, or specified sector in a country or a standard personal data protection contractual clause that it has determined as affording an adequate level of protection (section 39(5)). The Authority may approve BCR, codes of conduct, or certification mechanisms proposed to it by a data controller, where the Authority determines that they have adequate protection (section 40).
South Africa, Uganda, and Rwanda all provide for transfer based on adequacy but have less detailed provisions. In South Africa, POPIA states that there must be an adequate level of protection in the form of a law, BCR, or a binding agreement. In Uganda, the legislation states that the country where the data is processed or stored must have adequate measures in place for the protection of personal data, at least equivalent to the protection provided for by the Act. Rwanda requires a data controller or processor to obtain authorization from the supervisory authority after providing proof that the outside country has appropriate provisions (article 48(1)).
In Kenya, there are eight legal bases on which a transfer can occur, including adequacy. However, the transfer of sensitive personal data is permissible only if the data subject has consented to the transfer and there are appropriate safeguards (section 49(1)). If sensitive personal data can be shared on this ground, the Data Commissioner may request a demonstration of the effectiveness of the security safeguards or the existence of compelling legitimate interests (section 49(2)). To protect the rights and fundamental freedoms of data subjects, the Data Commissioner may prohibit, suspend or subject the transfers to such conditions as may be determined (section 49(3)).
ii. Grounds other than adequacy
Outside of adequacy, the other grounds on which personal data can possibly be transferred are listed in Table 6. Typically, the grounds are: (i) consent; (ii) the transfer is necessary for the performance of a contract between the data subject and the data controller; (iii) vital interests; (iv) legitimate interests; (v) adequate safeguards; (vi) public interest grounds; (vii) transfer from a public register; (viii) benefit to the data subject; and (ix) impossibility to obtain consent.
Country | Consent | Contract | Performance of a contract | Vital interests | Legitimate interests | Public register | Adequate safeguards | Public interest | Benefit |
---|---|---|---|---|---|---|---|---|---|
Botswana | X (section 49(5)) | X (section 49(5)(a)) | X (section 49(5)(a)) | X (section 49(5)(d)) | X (section 49(5)(e)) | X (section 49(6)) | X (section 49(5)(c)) | ||
Kenya | X (section 49(1)) | X (section 48(1)(c)(i)) | |||||||
Malawi | X (section 39(4)(a)) | X (sections 39(4)(b) and (c)) | X (sections 39(4)(b) and (c)) | X (section 39(4)(d)) | |||||
Nigeria | X (section 43(1)(a)) | X (section 43(1)(b)) | X (section 43(1)(b)) | X (section 43(1)(f)) | X (section 43(1)(d)) | X (section 43(1)(c)) | |||
Rwanda | X (Article 48 2°) | X (Article 48 3°(a)) | X (Article 48 3°(b)) | X (Article 48 3°(e)) | X (Article 48 3°(f)) | X (Article 48 1°) | X (Article 48 3°(c)) | ||
South Africa | X (section 72(b)) | X (section 72(c) and (d)) | X (section 72(c) and (d)) | X (section 72(e)) | |||||
Tanzania | X (section 32(4)(a)) | X (section 32(4)(b)) | X (section 32(4)(b)) | X (section 32(4)(e)) | X (section 32(5)) | X (section 32(4)(d)) | |||
Uganda | X (section 19(b)) | X (section 19(a)) | |||||||
Zimbabwe | X (section 29(1)(a)) | X (section 29(1)(b)) | X (section 29(1)(b)) | X (section 29 (e)) | X (section 29(1)(f)) | X (section 29(1)(f)) | X (section 29(1)(d)) |
In addition to these grounds, Rwanda provides additional grounds that include: (x) the transfer is necessary to protect the interest of a data subject or of another person where the data subject is physically or legally unable to give their consent (article 48(3)(e)); and (xi) the transfer is for the performance of international instruments ratified by Rwanda (article 48(3)(g)). Furthermore, the supervisory authority can decide on additional grounds for sharing or transferring personal data to a third party outside Rwanda.
iii. Other requirements
Some countries have additional requirements and provisions for the cross-border sharing of data. Zimbabwe provides that the Authority can lay down categories of processing operations and the circumstances in which data transfer to countries outside Zimbabwe is authorized (section 28(3) of the Data Protection Act). In Rwanda, if a data controller or data processor authorizes a person to access personal data and share or transfer the data to a third party outside Rwanda, they must enter into a written contract with such a person. This contract must set out the respective roles and responsibilities of each party to ensure compliance with the law (article 49). The Supervisory Authority may, by a regulation, determine the form of the contract to be used for transfers of personal data outside Rwanda (article 49). The Supervisory Authority may require the data controller or the data processor to demonstrate their compliance with the provisions of this Article and, in particular, with personal data security safeguards and interests as specified in Article 48(3)(f). In addition, the Supervisory Authority may prohibit or suspend the transfer of personal data outside Rwanda in order to protect the personal rights and freedoms of the data subject (article 49). Furthermore, the storage of personal data outside Rwanda is permitted only if the data controller or the data processor holds a valid registration certificate authorizing them to store personal data outside Rwanda, and which is issued by the Supervisory Authority (article 50).
In Tanzania, in addition to a legal basis for cross-border data sharing, section 20 of the Personal Data Protection (Personal Data Collection and Processing) Regulations 2023 requires a data controller or data processor who intends to transfer personal data outside the country to apply for a permit using Form No. 7 set out in the First Schedule to the Regulations. The application must include the following information: (i) particulars of the applicant; (ii) particulars of the recipient; (iii) particulars of the data subject; (iv) the type of personal data to be transferred; (v) the purpose and necessity of transferring personal data; (vi) details of the security of personal data in the country of the recipient; (vii) consent of the data subject; (viii) date and time of sending personal data; and (ix) any other information as may be required by the Commission. In addition, at the time of application, proof must be submitted that the country receiving the personal data has ratified an international agreement that specifies details on the protection of personal data; that there is an agreement between the Republic and the country receiving the personal data regarding the protection of personal data; or that there is a contractual agreement between the person requesting the personal data and the recipient of the personal data who is outside the country. The Commission must consider an application within 14 days, after which time it can reject or approve a permit. An application may be rejected for the following reasons: (i) the transfer of personal data endangers national security; (ii) the Commission is satisfied that there is inadequate protection of personal data in the country of the recipient; (iii) other written laws restrict the transfer of personal data; (iv) the application for the permit to transfer personal data does not meet the requirements of Regulation 20; and (v) other reasonable grounds which the Commission may deem necessary for the public interest.
Finally, the permit is issued subject to the following conditions: (i) the personal data must be transferred to the recipient authorized in the permit; (ii) the personal data transferred must be processed for the intended purpose only; (iii) the personal data must not be disclosed or transferred to another recipient without the approval of the Commission; and (iv) the processing of personal data outside the country must not violate the laws of the country.
7. Additional requirements from ethics frameworks
Beyond the requirements set out in the applicable data protection legislation, national research ethics legislation and/or guidance impose additional requirements for the cross-border sharing of data for research. These apply in addition to the general research ethics requirements, such as informed consent, research ethics committee oversight, and other requirements. Table 7 sets out the relevant national research ethics legislation and guidance in each country. Table 8 sets out the additional requirements imposed by national research ethics requirements for cross-border data sharing for research.
Country | Applicable national legislation & ethical guidance |
---|---|
Botswana | Constitution of the Republic of Botswana, 1966 Public Health Act (Chapter 63:01) |
Cameroon | Law No 2022/008 of 27 April 2022 Relating to Medical Research Involving Human Subjects |
Ghana | Public Health Act, 2012 (Act No. 851) The Council for Scientific and Industrial Research (CSIR) Act 1996 The Standard Operating Procedures of CSIR Institutional Review Board |
Kenya | Science, Technology and Innovation Policy 2020–2030 (September 2020) National Guidelines for Ethical Conduct of Biomedical Research Involving Human Participants in Kenya (January 2020) National Guidelines for Registration, Licensing, and Regulation of Researchers in Kenya (July 2022) National Guidelines for Registration of Research Institutions in Kenya (January 2020) Guidelines for Accreditation of Institutional Ethics Review Committees in Kenya (October 2017) Ethical Guidelines for Public Health Emergencies in the Response to COVID-19 Pandemic in Kenya (December 2020) |
Malawi | Constitution of Malawi, 1994 Public Health Act, 1948 Pharmacy and Medicines Regulatory Authority Act no. 9 of 2019 The National Health Research Agenda, 2012 Policy Requirements, Procedures and Guidelines for the Conduct and Review of Human Genetic Research in Malawi, 2012 National Policy Measures and Requirements for the Improvement of Health Research Co-ordination in Malawi, 2012. This was published by the National Commission for Science and Technology and relates to sections 18 and 48 of Malawi’s Science and Technology Act 16 of 2003. |
Nigeria | The Constitution of the Federal Republic of Nigeria, 1999 The National Health Act, 2014 National Code of Health Research Ethics 2007 |
Rwanda | Ministerial Instructions No 003/2010 of 09/12/2010 Rules and Regulations for Research Activities (In accordance with the Ministerial Instructions No 003/2010 of 09/12/2010 published in the official Gazette of the Republic of Rwanda of 24/12/2010 Regulating research activities in Rwanda) Health Sector Research Policy, 2012 Law of Establishing the National Cyber Security Authority and Determining its Mission, Organization and Functioning, 2017 Health Sector Policy, 2015 Regulations governing the conduct and inspection of Clinical Trials in Rwanda |
South Africa | Department of Health (2020): South African Good Clinical Practice: Clinical Trial Guidelines, 3rd edition The South African Medical Research Council (2018): Guidelines on the Responsible Conduct of Research National Health Act: Material Transfer Agreement of Human Biological Materials (SA MTA) of 20 July 2018 Department of Health (2015): Ethics in Health Research: Principles, Processes and Structures Guidelines, 2nd edition Regulations Relating to Research with Human Participants GN R719 GG 38000 of 19 September 2014 Regulations relating to the Import and Export of Human Tissue, Blood, Blood Products, Cultured Cells, Stem Cells, Embryos, Foetal Tissue, Zygotes and Gametes GN R181 GG 35099 of 2 March 2012 |
Tanzania | The Constitution of the United Republic of Tanzania Tanzania National Scientific Research Council Act, 1968 Tanzania National Scientific Research Council (Amendment) Act, 1981 Tanzania Commission for Science and Technology Act, 1986 Human DNA Regulations Act, 2009 Tanzania Food, Drugs and Cosmetics Act, 2003 Guidelines of Ethics for Health Research In Tanzania, 2009 |
The Gambia | The National Health Policy 2021–2030 The National Health Laboratory Services Strategic Plan 2021–2025 The Gambia ICT4D Policy framework The National Science, Technology and Innovation Policy (NSTIP) (2013–2022) |
Uganda | The National ICT Policy, 2014 The Uganda Health Research Organization Act, 2009 National Guidelines for Research Involving Humans as Research Participants, 2014 Guidelines on Good Clinical Practice in the Conduct of Clinical Trials Involving Human Participants, 2019 The Public Health Act, 1935 The Access to Information Act, 2005 |
Zimbabwe | Constitution of Zimbabwe Act No. 20 of 2013 Research (Constitution of the National Public Health Institute) Regulations, 2020 Research Act [Chapter 10:22] |
Country . | Applicable national legislation & ethical guidance . |
---|---|
Botswana | Constitution of the Republic of Botswana, 1966 Public Health Act (Chapter 63:01) |
Cameroon | Law No 2022/008 of 27 April 2022 Relating to Medical Research Involving Human Subjects |
Ghana | Public Health Act, 2012 (Act No. 851) The Council for Scientific and Industrial Research (CSIR) Act 1996 The Standard Operating Procedures of CSIR Institutional Review Board |
Kenya | Science, Technology and Innovation Policy 2020–2030 (September 2020) National Guidelines for Ethical Conduct of Biomedical Research Involving Human Participants in Kenya (January 2020) National Guidelines for Registration, Licensing, and Regulation of Researchers in Kenya (July 2022) National Guidelines for Registration of Research Institutions in Kenya (January 2020) Guidelines for Accreditation of Institutional Ethics Review Committees in Kenya (October 2017) Ethical Guidelines for Public Health Emergencies in the Response to COVID-19 Pandemic in Kenya (December 2020) |
Malawi | Constitution of Malawi, 1994 Public Health Act, 1948 Pharmacy and Medicines Regulatory Authority Act no. 9 of 2019 The National Health Research Agenda, 2012 Policy Requirements, Procedures and Guidelines for the Conduct and Review of Human Genetic Research in Malawi, 2012 National Policy Measures and Requirements for the Improvement of Health Research Co-ordination in Malawi, 2012. This was published by the National Commission for Science and Technology and relates to sections 18 and 48 of Malawi’s Science and Technology Act 16 of 2003. |
Nigeria | The Constitution of the Federal Republic of Nigeria, 1999 The National Health Act, 2014 National Code of Health Research Ethics 2007 |
Rwanda | Ministerial Instructions No 003/2010 of 09/12/2010 Rules and Regulations for Research Activities (In accordance with the Ministerial Instructions No 003/2010 of 09/12/2010 published in the official Gazette of the Republic of Rwanda of 24/12/2010 Regulating research activities in Rwanda) Health Sector Research Policy, 2012 Law of Establishing the National Cyber Security Authority and Determining its Mission, Organization and Functioning, 2017 Health Sector Policy, 2015 Regulations governing the conduct and inspection of Clinical Trials in Rwanda |
South Africa | Department of Health (2020): South African Good Clinical Practice: Clinical Trial Guidelines, 3rd edition The South African Medical Research Council (2018): Guidelines on the Responsible Conduct of Research National Health Act: Material Transfer Agreement of Human Biological Materials (SA MTA) of 20 July 2018 Department of Health (2015): Ethics in Health Research: Principles, Processes and Structures Guidelines, 2nd edition Regulations Relating to Research with Human Participants GN R719 GG 38000 of 19 September 2014 Regulations relating to the Import and Export of Human Tissue, Blood, Blood Products, Cultured Cells, Stem Cells, Embryos, Foetal Tissue, Zygotes and Gametes GN R181 GG 35099 of 2 March 2012 |
Tanzania | The Constitution of the United Republic of Tanzania Tanzania National Scientific Research Council Act, 1968 Tanzania National Scientific Research Council (Amendment) Act, 1981 Tanzania Commission for Science and Technology Act, 1986 Human DNA Regulations Act, 2009 Tanzania Food, Drugs and Cosmetics Act, 2003 Guidelines of Ethics for Health Research In Tanzania, 2009 |
The Gambia | The National Health Policy 2021–2030 The National Health Laboratory Services Strategic Plan 2021–2025 The Gambia ICT4D Policy framework The National Science, Technology and Innovation Policy (NSTIP) (2013–2022) |
Uganda | The National ICT Policy, 2014 The Uganda Health Research Organization Act, 2009 National Guidelines for Research Involving Humans as Research Participants, 2014 Guidelines on Good Clinical Practice in the Conduct of Clinical Trials Involving Human Participants, 2019 The Public Health Act, 1935 The Access to Information Act, 2005 |
Zimbabwe | Constitution of Zimbabwe Act No. 20 of 2013 Research (Constitution of the National Public Health Institute) Regulations, 2020 Research Act [Chapter 10:22] |
Country | Additional ethical rules on cross-border flow of data |
---|---|
Botswana | No extra provisions on cross-border sharing of data. |
Cameroon | Non-genetic health-related personal data may be disclosed abroad for research purposes if: • the data subject consents; • there is a written data-sharing agreement; and • a national investigator is involved in the research project in question. Genetic data may be transferred abroad for research purposes if: • the data subject has given his or her free, informed and written consent; • the body in charge of ethics establishes that the research cannot be conducted in Cameroon; and • a national investigator is involved in the research project in question. |
Ghana | No extra provisions on cross-border sharing of data. |
Kenya | International collaborative research requires the involvement of a Kenyan PI. |
Malawi | Transfer of genetic material (locally or nationally) can take place only if: • the researcher and the other research group are collaborating on a research study that has been approved by the National Health Sciences Research Committee (NHSRC); • genetic material and information is provided in a form that ensures that participants cannot be identified; and • the research group ensures that privacy and confidentiality are not compromised in holding the material and information. Cross-border movement of genetic material is not permitted unless: • There is a justifiable reason to do so. • The NHSRC has approved and reviewed the study. • The MTA for the cross-border movement has been reviewed and signed by the NHSRC. To transfer genetic material, the NHSRC must approve the research study. |
Nigeria | No extra provisions on cross-border sharing of data. |
Rwanda | No extra provisions on cross-border sharing of data. |
South Africa | National Material Transfer Agreement (SA MTA) requires that a relevant Human Research Ethics Committee (HREC) first approve the MTA before a transfer of human biological material and its accompanying data can occur. |
Tanzania | Permission required from the Office of the Regulator of Human DNA Services to send samples for human DNA analysis abroad. National Institute for Medical Research (NIMR) must approve all research that involves foreign researchers or collaborators. |
The Gambia | No extra provisions on cross-border sharing of data. |
Uganda | REC must approve any cross-border data sharing. There must be a local PI. There must be an MTA. |
Zimbabwe | No extra provisions on cross-border sharing of data. |
Six countries (Botswana, Ghana, Kenya, Nigeria, Rwanda, and The Gambia) have no extra requirements outside of the general research ethics requirements that apply to the cross-border sharing of data for research. The remaining six countries have differing requirements, ranging from a material transfer agreement (MTA) and designation of a local PI through to some other official approval. South Africa requires a human research ethics committee (HREC) to approve and sign an MTA. Data is allowed to be shared outside of Malawi only if: (i) there is a justifiable reason to do so; (ii) the National Health Sciences Research Committee (NHSRC) has reviewed and approved the study; (iii) the NHSRC has reviewed and approved the MTA; (iv) the genetic material and information is provided in a form that ensures that participants cannot be identified; and (v) the research group ensures that privacy and confidentiality are not compromised in holding the material and information. Tanzania requires approval from the National Institute for Medical Research (NIMR) for all research that involves foreign researchers or collaborators, and it is an offence to send samples for human DNA analysis abroad without the permission of the Office of the Regulator of Human DNA Services. The transfer of genetic data outside of Cameroon can take place only if: (i) the data subject has given his or her free, informed, and written consent; (ii) the body in charge of ethics establishes that the research cannot be conducted in Cameroon; and (iii) a national investigator is involved in the research project in question. For other health data, the transfer can occur outside of Cameroon only if: (i) the data subject consents; (ii) there is a written data-sharing agreement; and (iii) a national investigator is involved in the research project in question.
Uganda requires a research ethics committee (REC) to approve any cross-border data sharing, the researcher must be a local PI, and an MTA must be signed. Finally, international collaborative research can occur in Kenya only if a Kenyan PI is involved.
III. DISCUSSION
A reading of the cross-country reports demonstrates that there are considerable similarities between countries and that these extend to similarities with the GDPR, Convention 108, and other international standards in data protection. They include similarities in the lawful bases for processing of data, the application of data protection law, key individuals under data protection law, and the rights of data subjects. There are also similarities in the lawful grounds for transferring health data outside of each country, with most countries adopting some, if not all, of the lawful grounds provided for under the GDPR. Careful analysis nonetheless demonstrates that any attempts at a harmonized approach to cross-border data sharing have failed on the continent, a finding that is unsurprising considering that, of the countries surveyed, only five have signed the Malabo Convention and only two have ratified it. It is also clear that guidance from national supervisory authorities is required to guide the application of the national legislation to research. Thus, while health data that includes genetic data generally can be shared across borders for research, it currently is a complex, fragmented, and uncertain landscape.
III.A. Meaning of Cross-Border Data-Sharing
First, what is considered to be cross-border data sharing is not always immediately clear, particularly for countries where cross-border data sharing is not defined. This lack of definition creates complexity given data-driven research and the increasing use of clouds to store data. The guides do make some attempts to acknowledge and address this point. The country guides state that while the cross-border data-sharing provisions apply when personal data is sent to a data controller in another country, there are other times when they could apply. For example, they could also apply where a researcher outside of the country accesses personal information in the country, or when data is put onto a cloud where the server is not hosted in the country.
It is thus clear that physically transferring data from one country to another does fall under the cross-border data provisions. What is less clear is whether a researcher in Country A who accesses data from Country B through a mechanism that enables them to view the data only, and not download it, is engaged in cross-border data sharing. It is also not clear whether holding data on a server outside of a country amounts to cross-border data sharing. Unlike in the EU, where the European Data Protection Board (EDPB) has issued considerable guidance in this space, no supervisory authority from the countries surveyed had issued any guidance on this point. Considering that researchers in many African countries may struggle to secure the necessary infrastructure and resources to store health data in country, this is an issue that needs discussion and clarification as a priority.
III.B. Application of Data Protection Legislation
A second issue is that there is uncertainty about the application of the relevant data protection legislation. In most countries, as under the GDPR, data protection legislation would apply to the processing of personal data. Unlike under the GDPR, where the EDPB has issued guidance on a test for anonymization, such guidance is lacking across the countries surveyed, and researchers can rely only on the definition of personal data provided. Thus, when making an assessment about whether the data is personal, it is unclear whether researchers must consider whether anyone in the world can identify a data subject or whether the individual to whom the researcher is sending the data can identify the data subject.12 In the absence of direction from all supervisory authorities on this point, the country guides state that it is for the data controller to decide. To guide researchers in making this decision – and to err on the side of caution – the country guides provide the following general points, many of which come from guidance related to anonymization under the GDPR:
An assessment must be made on a case-by-case basis, considering the particular context.
The anonymization must be irreversible.
The assessment is made on the current state of the art. As technology progresses, data that was once deemed anonymous may become personal data and therefore fall under data protection laws.
Consider all means of identification that a person could use, for example, available datasets.
Consider objective factors that are reasonably likely to be used, such as technology, resources, and time, to identify.
You may wish to follow the GDPR test: if an individual cannot be singled out, or identifiers cannot be linked to make a person identifiable, or if it is impossible to infer a link between two pieces of information in a dataset, then the data is anonymous.
Genetic data is considered sensitive personal data. It not only falls under the data protection laws but has a higher level of protection.
This assessment is even more challenging in the light of the ongoing debate about whether genomic datasets can ever be truly anonymized, particularly as genetic data is an identifier.13 Guidance on these issues is needed, particularly for data-driven researchers where data is being linked. Researchers must therefore navigate each regulatory framework to determine the ground under which they can share data. This can be challenging for multi-site and multi-jurisdictional research, and the need to identify grounds that may differ in each jurisdiction is likely to be a disincentive for international collaborative research. Considering the legal implications of data being considered personal data, guidance is critically needed from supervisory authorities on this point.
III.C. Grounds for Cross Border Data Sharing
Turning to the grounds under which personal data can be transferred across borders for research, across the countries surveyed, the grounds are quite similar to those provided by the GDPR. Despite this, there is a lack of harmonization as there is no one ground that could apply to all countries to enable the legal transfer of health data across borders.
Consent and adequacy are the most common grounds provided for in the legislation that we studied. Consent as a ground for transfer is provided for in each country and, notably, is the only ground under which health data can be transferred in Kenya. For data-driven research methods, obtaining specific consent for a specific data transfer from thousands of participants in many countries may not be feasible. A solution to this, however, could be dynamic consent. Dynamic consent is a consent model that uses digital technologies, such as apps, to enable participants to consent to data use, update their consenting preferences, and receive ongoing information about their data use.14 In the context of cross-border transfers of data that require specific consent to that specific data transfer, dynamic consent would make it easier to contact participants to obtain their consent to the data transfer. While dynamic consent could be a solution, its implementation requires investment in infrastructure, including software and security systems, and depends on the availability of mobile phones, internet connections, and digital literacy. Dynamic consent is also suitable only for prospective data collection.
Adequacy is also a ground under which health data can be shared for research in the majority of countries surveyed, but the test for adequacy differs in each country. Researchers face a legal maze where the criteria for transferring personal data based on adequacy vary significantly from one country to another. Some jurisdictions have developed approved lists of countries deemed adequate, while others require a national authority’s determination or delegate this responsibility to the data controller, sometimes necessitating further validation by supervisory authorities. The failure to secure a harmonized approach to the determination of adequacy will likely result in a lack of coherence in the application of adequacy, which will negatively impact the cross-border sharing of data for researchers. This variability underscores the challenges and uncertainties relating to data sharing across African borders. This compels researchers to meticulously navigate each country’s data protection legislation and, in particular, its cross-border data sharing provisions.
The concept of an African single data market stands out as a strategic solution to these challenges. Supported by the African Union’s initiatives such as the Digital Transformation Strategy for Africa15 and the AU Data Policy Framework,16 this idea aims to facilitate seamless data exchange across the continent through legal harmonization. Such harmonization would involve integrating markets, standardizing online payment systems, harmonizing taxation, and easing cross-border trade, thereby simplifying the legal and operational landscape for data sharing.
The African Continental Free Trade Agreement (AfCFTA)17 presents a unique opportunity to formalize data governance across Africa. The anticipated digital trade protocol to AfCFTA promises to address key areas such as data transfers, data protection, and cybersecurity, establishing a uniform legal framework to govern the exchange of personal data, including health data. Key elements of the draft version of the protocol that is publicly accessible are as follows:18
Protection of personal data (Article 21): This provision mandates each State Party to establish a legal framework protecting personal data, which includes health data as a subset. The protocol encourages taking into account principles and guidelines from regional and international bodies. It highlights transparency in how protections are provided, how remedies can be sought, and ensuring compliance for entities involved in digital trade.
Cross-border data transfers (Article 20): The protocol allows the transfer of data, including personal data, by electronic means across borders for digital trade, subject to specific provisions in an annex. This section introduces restrictions to protect legitimate public policy objectives or essential security interests, indicating sensitivity around data types such as health information.
Cooperation on data innovation (Article 23): State Parties are encouraged to collaborate on data-sharing projects using regulatory sandboxes. This provision could encompass sharing of health data for research or innovation while considering protections and data-sharing frameworks that maintain privacy and security.
Establishment of national data protection authorities: Article 21 emphasizes the importance of establishing dedicated bodies to enforce data protection laws, which would be key in managing health data protection.
The digital trade protocol under AfCFTA will mark a significant step forward for health data sharing across Africa. By providing a harmonized legal framework, the protocol will address longstanding challenges in cross-border data governance, offering a more cohesive and secure approach to handling sensitive health data. With provisions that emphasize data protection, facilitate cross-border data transfers, and encourage innovation through regulatory sandboxes, the protocol will lay a strong foundation for multi-country health research, public health initiatives, and advancements in medical innovation. Additionally, the establishment of national data protection authorities will ensure that personal and health data remain safeguarded, fostering greater trust in digital health projects and encouraging collaboration among African nations.
In addition to the broad framework that will be established by the digital trade protocol, we also propose a country-level strategy to facilitate cross-border data sharing. This strategy is based on the practice currently used in Nigeria, where any country that ratifies the Malabo Convention is deemed to provide adequate protection. This is a critical point because the Malabo Convention already incorporates stringent data protection standards, which the draft protocol builds upon. By leveraging this existing regional instrument, countries can quickly establish trust and enable the secure flow of data. This approach not only simplifies the process but also promotes legal certainty and mutual recognition among African states.
Thus, by aligning with the Malabo Convention, African countries can form an African ‘data corridor’19—a network of nations that mutually recognize each other’s data protection regimes as providing adequate protection. Such a corridor would be especially beneficial for the exchange of health data. It would allow institutions to collaborate more effectively on critical public health issues, genomic research, and health innovations while ensuring compliance with data protection laws. This ‘data corridor’ would act as a catalyst for health research, enabling rapid sharing of medical information, outbreak monitoring, and the development of new treatments across the continent.
IV. CONCLUSIONS
The burgeoning landscape of data protection legislation across Africa, aimed at bolstering the privacy and security of personal data, presents a nuanced challenge for multi-site, data-driven research. As the legal landscape evolves, it creates a mosaic of legal requirements that govern the access to and cross-border transfer of personal data for research purposes. Our comprehensive analysis of data protection frameworks in 12 African countries reveals a fragmented legal approach to cross-border data sharing. Despite the presence of common principles such as adequacy for data transfer, variances in national legislation necessitate that researchers meticulously assess and adapt to each country’s specific legal mandates. This environment demands strategic navigation through diverse legal terrains, emphasizing the need for a harmonized approach to facilitate seamless and responsible data sharing across the continent. This will advance research initiatives while upholding the rights and protections of data subjects.
ACKNOWLEDGEMENTS
We would like to thank the following for their assistance in developing the country reports: Adaji Aishatu, Kousar Ahmed, Laila Muhammed, Judity Murungi, Nelisiwe Ngema, and Thembeka Thusini.
FUNDING
U.S. National Institute of Mental Health and the U.S. National Institutes of Health (award number U01MH127690) under the Harnessing Data Science for Health Discovery and Innovation in Africa (DS-I Africa) program. The content of this article is solely the authors’ responsibility and does not necessarily represent the official views of the U.S. National Institute of Mental Health or the U.S. National Institutes of Health.
AUTHORS’ CONTRIBUTIONS
CS developed the template country guide with DT. CS analysed the country guides, wrote the manuscript and revised the text based on co-authors’ comments.
AE wrote the sections on application of data protection law for each country guide and provided CS with feedback and comments on the draft paper.
LA, AG, and PO reviewed four country guides each and revised sections to ensure that the guides were accurate. All provided feedback and comments on the draft paper.
DT is principal investigator of the entire study and acquired the funding. DT developed the template country guide with CS and provided feedback and comments on the draft paper.
All authors read and approved the final manuscript.
The authors have used OpenAI’s ChatGPT4 to improve the language and readability of this article.
DATA AVAILABILITY
All materials are available in the appendix.
Footnotes
Byrd JB et al., Responsible, practical genomic data sharing that accelerates research. 21 Nat. Rev. Genet. 1–15 (2020); Cook-Deegan R, Ankeny RA, Maxson Jones K. Sharing Data to Build a Medical Information Commons: From Bermuda to the Global Alliance. 18 Annu. Rev. Genomics Hum. Genet. 389–415 (2017); Staunton C, de Vries J. The governance of genomic biobank research in Africa: reframing the regulatory tilt. 7 J. Law Biosci. 1–20 (2020).
Sheehan M. Can Broad Consent be Informed Consent? 4 Public Health Ethics. 226–35 (2011); Tindana P, de Vries J. Broad Consent for Genomic Research and Biobanking: Perspectives from Low- and Middle-Income Countries. 17 Annu. Rev. Genomics Hum. Genet. 375–93 (2016).
Staunton C et al. Safeguarding the future of genomic research in South Africa: Broad consent and the Protection of Personal Information Act No. 4 of 2013. 109 S. Afr. Med. J. 468 (2019); Thaldar DW, Townsend BA. Genomic research and privacy: A response to Staunton et al. 110 S. Afr. Med. J. 172–174 (2020).
Kaye J et al., Dynamic consent: a patient interface for twenty-first century research networks. 23 Eur. J. Hum. Genet. 141–6 (2015); Budin-Ljøsne I et al. Dynamic Consent: a potential solution to some of the challenges of modern biomedical research. 18 BMC Med. Ethics. 4 (2017).
Teare HJA, Prictor M, Kaye J. Reflections on dynamic consent in biomedical research: the story so far, 29 Eur. J. Hum. Genet. 649–56 (2021); Mascalzoni D et al., Ten years of dynamic consent in the CHRIS study: informed consent as a dynamic process, 30 Eur. J. Hum. Genet. 1391–7 (2022).
Forzano F, Genuardi M, Moreau Y (On behalf of the European Society of Human Genetics). ESHG warns against misuses of genetic tests and biobanks for discrimination purposes, 29 Eur. J. Hum. Genet. 894–896 (2021); Joly Y, Dalpe G. Genetic discrimination still casts a large shadow in 2022, 30 Eur. J. Hum. Genet. 1320–2 (2022); de Vries J et al., Investigating the potential for ethnic group harm in collaborative genomics research in Africa: Is ethnic stigmatisation likely? 75 Soc. Sci. Med. 1400–7 (2012).
Supra note 3; Staunton C, Moodley K. Challenges in biobank governance in Sub-Saharan Africa, 14 BMC Med. Ethics. 35 (2013); Hardy BJ et al., South Africa: from species cradle to genomic applications, 9 Nat. Rev. Genet. 19–23 (2008); de Vries J et al., Ethical issues in human genomics research in developing countries, 12 BMC Med. Ethics. 5 (2011).
Kaye J et al., Data sharing in genomics — re-shaping scientific practice, 10 Nat. Rev. Genet. 331–5 (2009); Ni Loideain N. Regulating health research and respecting data protection: a global dialogue, 10 Int. Data Priv. Law. 115–6 (2020).
African Union Convention on Cyber Security and Personal Data Protection, June 27, 2014, Malabo, Equat. Guinea. https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection
At the time of the study, Cameroon did not have a data protection regulation in place. Law No. 2024/017 on the Protection of Personal Data is now in force.
Swales L, Thaldar D, Donnelly DL. Why research institutions should indemnify researchers against POPIA civil liability, 118 S. Afr. J. Sci. 22–24 (2022).
Thaldar D. Does data protection law in South Africa apply to pseudonymised data? 14 Front. Pharmacol. 1–6 (2023).
Shabani M, Marelli L. Re-identifiability of genomic data and the GDPR: Assessing the re-identifiability of genomic data in light of the EU General Data Protection Regulation, 20 EMBO Rep. (2019).
Supra note 4, 5; Thaldar DW, Townsend BA. Exempting Health Research from the Consent Provisions of POPIA, 24 Potchefstroom Electron Law J. 1–32 (2021).
African Union. Digital Transformation Strategy for Africa (2020). https://au.int/sites/default/files/documents/38507-doc-dts-english.pdf
African Union. AU Data Policy Framework (2022). https://au.int/sites/default/files/documents/42078-doc-AU-DATA-POLICY-FRAMEWORK-ENG1.pdf
African Union. African Continental Free Trade Agreement (2018). https://au.int/en/treaties/agreement-establishing-african-continental-free-trade-area
African Union. Draft Protocol to the Agreement Establishing the African Continental Free Trade Area on Digital Trade (2024). https://www.bilaterals.org/IMG/pdf/afcfta_digital_trade_protocol_-_9_february_2024_draft.pdf
Townsend B. The lawful sharing of health research data in South Africa and beyond, 31 Inf. Commun. Technol. Law. 17–34 (2022).