RATIN

Data protection is poor for African farmers who use digital services: Kenya and Ghana cases highlight gaps

Posted on August, 6, 2024 at 09:54 am


Across Africa, agricultural producers are turning to digital solutions to get information about farming methods, market access or financial services. By 2022, there were 666 of these solutions operating on the continent, the highest number among all low- and medium-income regions.

Advances in digital devices, such as smartphones, sensors and satellites, connected through the internet and combined with big data analytics, enable solution providers to collect and analyse large amounts of farm data. This is data related to the farmer, the farming site, operations and commercial transactions.

This has raised the possibility that service providers or other third parties could use farm data for their own benefit without the knowledge and consent of farmers. It could even be to the farmers’ disadvantage. So there is a need to strike a balance between safeguarding farm data and using it effectively.

African regulators have not yet responded to the specific challenges of farm data protection. It is a complex issue, at the intersection of different regulatory frameworks: personal data protection laws, contract and competition laws, and intellectual property rights. As a result, the exchange of data between agricultural producers and companies is often left to the service providers through unregulated agreements or contracts.

Personal data protection

Our research focuses on the adoption and impact of digital technologies in African agriculture. We recently reviewed the state of personal data protection and compliance of digital agricultural services with existing regulations on the continent.

We found that relevant laws were being adopted across Africa, but their provisions were not always in line with African Union standards. Compliance was also limited, highlighting the need for enforcement and awareness.

The only regulatory frameworks that protect farm data, even if not specifically so, are those relating to personal data. African states adopted the African Union Convention on Cyber Security and Personal Data Protection in 2014 as a guiding framework. The convention has not yet entered into force and only 15 countries had ratified it by July 2024.

Our findings show that African governments are recognising the importance of regulating personal data use. But not all the regulations are stringent enough and enforcement remains a concern.

Specifically, we analysed the personal data protection legislation that had been adopted in 34 African countries by May 2023 and compared its provisions with those set out in the African Union Convention. We also assessed compliance by reviewing the data privacy policies of 106 digital agricultural services operating in Africa.


Read more: How digital technologies can help Africa's smallholder farmers


National laws are evolving

The examples of Kenya and Ghana highlight commonly found gaps in regulations and implementation. The two countries are some of Africa’s biggest users of digital agricultural services.

Ghana was one of the first African countries to adopt personal data protection legislation, in 2012, and is one of the few that have signed and ratified the AU Convention. Kenya adopted a data protection law in 2019. It has not signed or adopted the AU Convention.

Their laws include all the guiding principles of the convention and protect the same personal rights, as almost all national laws in Africa do.

Differences emerge in the details. One provision of particular interest relates to automated decision-making. Digital agricultural services are increasingly making use of automated data analytics. For instance, mobile phone data are used to assess credit-worthiness of farmers, smart contracts employ blockchains, and weather data can automatically trigger crop insurance pay-outs.

The AU Convention states that no-one should be subject to legally binding decisions based solely on automated processing of data to evaluate certain personal aspects. The Kenyan law allows for certain exceptions to this. Ghana is even less stringent, allowing automated decision-making provided that the users are informed. The large majority of African countries either have less stringent provisions about this than the AU Convention or no requirements at all.

Another important area is the international transfer of data. Many digital agricultural service providers operate across countries: data may be collected in one country and processed or used by third parties in another. The AU Convention allows such transfers, but only if non-member states can show an adequate level of protection or the national authority has explicitly granted permission for the transfer.

The Kenyan legislation generally follows the spirit of the AU Convention, but also elaborates on the details. It allows adequate safeguards to be put in place at the company rather than the government level. It also introduces specific provisions for sensitive data. The Ghanaian law, on the other hand, does not specifically address international data transfer. It states that transferred data is subject to the legal requirements of the originating country.


Read more: Digital solutions are boosting agriculture in Kenya, but it's time to scale up. Here's how


Low compliance highlights enforcement issues

Our research shows that among the leading countries for digital agricultural solutions, Ghana has the highest share of providers that do not make data privacy policies readily available on their websites (17 of 30 reviewed service providers). But also in Kenya, we found compliance to be low, with just over half of the services not providing a policy on their website.