Data protection is poor for African farmers who use digital services: Kenya and Ghana cases highlight gaps

Across Africa, agricultural producers are turning to digital solutions to get information about farming methods, market access or financial services. By 2022, there were 666 of these solutions operating on the continent, the highest number among all low- and medium-income regions.

Advances in digital devices, such as smartphones, sensors and satellites, connected through the internet and combined with big data analytics, enable solution providers to collect and analyse large amounts of farm data. This is data related to the farmer, the farming site, operations and commercial transactions.

This has raised the possibility that service providers or other third parties could use farm data for their own benefit without the knowledge and consent of farmers. It could even be to the farmers’ disadvantage. So there is a need to strike a balance between safeguarding farm data and using it effectively.

African regulators have not yet responded to the specific challenges of farm data protection. It is a complex issue, at the intersection of different regulatory frameworks: personal data protection laws, contract and competition laws, and intellectual property rights. As a result, the exchange of data between agricultural producers and companies is often left to the service providers through unregulated agreements or contracts.

Personal data protection

Our research focuses on the adoption and impact of digital technologies in African agriculture. We recently reviewed the state of personal data protection and compliance of digital agricultural services with existing regulations on the continent.

We found that relevant laws were being adopted across Africa, but their provisions were not always in line with African Union standards. Compliance was also limited, highlighting the need for enforcement and awareness.

The only regulatory frameworks that protect farm data, even if not specifically so, are those relating to personal data. African states adopted the African Union Convention on Cyber Security and Personal Data Protection in 2014 as a guiding framework. The convention has not yet entered into force and only 15 countries had ratified it by July 2024.

Our findings show that African governments are recognising the importance of regulating personal data use. But not all the regulations are stringent enough and enforcement remains a concern.

Specifically, we analysed the personal data protection legislation that had been adopted in 34 African countries by May 2023 and compared its provisions with those set out in the African Union Convention. We also assessed compliance by reviewing the data privacy policies of 106 digital agricultural services operating in Africa.

National laws are evolving

The examples of Kenya and Ghana highlight commonly found gaps in regulations and implementation. The two countries are some of Africa’s biggest users of digital agricultural services.

Ghana was one of the first African countries to adopt personal data protection legislation, in 2012, and is one of the few that have signed and ratified the AU Convention. Kenya adopted a data protection law in 2019. It has not signed or adopted the AU Convention.

Their laws include all the guiding principles of the convention and protect the same personal rights, as almost all national laws in Africa do.

Differences emerge in the details. One provision of particular interest relates to automated decision-making. Digital agricultural services are increasingly making use of automated data analytics. For instance, mobile phone data are used to assess credit-worthiness of farmers, smart contracts employ blockchains, and weather data can automatically trigger crop insurance pay-outs.

The AU Convention states that no-one should be subject to legally binding decisions based solely on automated processing of data to evaluate certain personal aspects. The Kenyan law allows for certain exceptions to this. Ghana is even less stringent, allowing automated decision-making provided that the users are informed. The large majority of African countries either have less stringent provisions about this than the AU Convention or no requirements at all.

Another important area is the international transfer of data. Many digital agricultural service providers operate across countries: data may be collected in one country and processed or used by third parties in another. The AU Convention allows such transfers, but only if non-member states can show an adequate level of protection or the national authority has explicitly granted permission for the transfer.

The Kenyan legislation generally follows the spirit of the AU Convention, but also elaborates on the details. It allows adequate safeguards to be put in place at the company rather than the government level. It also introduces specific provisions for sensitive data. The Ghanaian law, on the other hand, does not specifically address international data transfer. It states that transferred data is subject to the legal requirements of the originating country.

Low compliance highlights enforcement issues

Our research shows that among the leading countries for digital agricultural solutions, Ghana has the highest share of providers that do not make data privacy policies readily available on their websites (17 of 30 reviewed service providers). But also in Kenya, we found compliance to be low, with just over half of the services not providing a policy on their website.

Where policies exist, our review highlights that most do not protect all users’ rights over their personal data as set out in the national laws. The right of users to object to the processing of their data was most often missing.

Looking ahead: strengthen laws and institutions

The adequacy of personal data protection laws in Africa needs a closer look. Our research has highlighted some priorities for action.

Revisions of many African laws are needed to bring them in line with the level of protection envisaged in the AU Convention.

Ghana’s example highlights the need to update laws in line with rapidly evolving digital technologies, such as automated decision-making.

National enforcement institutions need to be stronger. This requires an independent body with resources to monitor compliance and the statutory powers to follow up on infringements.

There is also a need to regulate the use of farm data not covered by data privacy laws, particularly data generated by machines or sensors.