Introduction

The African Continental Free Trade Area Agreement (the AfCFTA) is a framework that aims to facilitate African industrialisation and development by shifting the continent’s global trade patterns. It represents a landmark effort to redefine Africa’s trade landscape by creating a unified market for goods and services across the continent. It came into force on 30th May 2019, after the required a number of ratifications were deposited with the African Union (AU) Commission. It currently has fifty four (54) signatories, boasting the largest free trade area globally by membership.

The AfCFTA was introduced to foster a symbiotic relationship among African countries, with the overarching goal of reducing barriers to trade. It endeavours to boost intra-African trade by addressing non-tariff barriers to trade and progressively reducing tariffs. However, in an era increasingly driven by digital commerce, the success of this ambition depends not only on the flow of goods and services but also on the free and secure movement of data.

Data Protection and Cross Border Trade

As trade becomes increasingly digital, cross-border data flows and harmonised data protection frameworks become essential for e-commerce to function securely and seamlessly across jurisdictions. The United Nations Economic Commission for Africa recognised the AfCFTA as the world’s largest free trade area since the formation of the World Trade Organization (WTO). Additionally, in 2016, the United Nations Conference on Trade and Development (UNCTAD) affirmed that data protection is critical to digital trade, citing that poor data governance diminishes customer trust and distorts market dynamics.

However, it is important to recognize that no country is willing to grant another unfettered or unregulated access to its data. Increasingly, data governance has become a source of tension and dispute among sovereign states. While the AfCFTA has enabled the free flow of services and information across borders, critical questions remain as to the safeguards in place to protect that information. For member states to fully harness the benefits of the digital economy in international trade, they must acknowledge that data is a strategic asset and establish robust and effective data protection regimes.

As such, there is a need for continental or regional data protection harmonisation to secure digital trade. By focusing on streamlining trade, including services, investment, intellectual property and digital trade, the AfCFTA aims to facilitate free movement of persons, goods and services crucial for deepening economic integration. This free movement is largely fuelled by data and the cross-border movement of the same. Data protection therefore becomes a key concern.

The Heads of State and Government of the AU in their decisions (Assembly/AU/4(XXXIII) of 10th February 2020 and Ext/Assembly/AU/Decl.1(XII) of 5th January 2021) mandated negotiations for the Protocol, emphasising the importance of safeguarding national data integrity and security. This directive aligns with the broader objective of upholding citizens’ rights to retain control of their personal data. Against this backdrop, the 37th AU Heads of States Summit held in February 2024, adopted the much-anticipated Protocol to the Agreement Establishing the AfCFTA on Digital Trade (the Protocol). The Protocol seeks to facilitate cross-border data flows while addressing privacy concerns and will come into force once the required number of ratifications is deposited in accordance with Article 23 of the AfCFTA. Part IV of the Protocol on data governance encompasses cross-border data transfers, protection of personal data, location of computing facilities (data localisation), and data innovation.

Additionally, under Article 20 of the Protocol, on cross-border data transfers, parties to the Protocol, subject to the relevant Annex, can only allow cross-border transfer of data, including personal data by electronic means, provided the activity is for the conduct of digital trade by a person of a state party. The exception to this is where a state party intends to achieve a legitimate public policy objective or protect essential security interests provided that the measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination, or a disguised restriction on digital trade, and do not impose restrictions on transfers of data greater than are necessary to achieve the objective.

Article 21 also requires state parties to adopt legal frameworks at the national level providing for the protection of personal data of natural persons engaged in digital trade. Article 46 further provides that after the adoption of the Protocol, state parties shall adopt annexes including the Annex on Cross-Border Data Transfers. On 16th February 2025, the Assembly of Heads of State and Government of the AU formally adopted eight (8) annexes to the Protocol including the Annex on Cross-Border Data Transfers, which sets out regulations aimed at facilitating secure and efficient data flows across member states.

Advancing Data Governance

McKinsey, in its report on Africa business growth noted that Africa has over 400 million internet users, with the implication that e-commerce is largely propelled on the continent. One of the projected outcomes of the growth of intra-African trade spurred by the AfCFTA is increased data transfers across member countries.

Data protection harmonisation across member states can propel AfCFTA forward, in turn building consumer and business trust as well as fostering the digital economy. Following the integration of digital technology in trade, the African Heads of State recognized the need to provide data protection and privacy for the parties involved. This move was especially motivated by the fact that while the AfCFTA aimed to facilitate seamless trade across the continent and the free flow of goods, services and information, it failed to address questions as to how the data involved is protected.

Furthermore, the regulatory fragmentation across member states was a major concern, as some member states to the AfCFTA lack data protection laws at the national level to help govern and control how data flows, its security and usage in the region. This left data exchanged across jurisdictions open to misuse, hacks and threats. These issues underscored the imperative for the AfCFTA to include robust data protection measures, either within its core framework or through an annexure, to ensure its effective implementation.

It is important to recognise that no country is willing to grant another unfenered or unregulated access to its data. Increasingly, data governance has become a source of tension and dispute among sovereign states. While the AfCFTA has enabled the free flow of services and information across borders, critical questions remain as to the safeguards in place to protect that information.

In light of the above, the recent adoption of the Annex on Cross-Border Data Transfers within the Protocol marked a transformative step in aligning Africa’s digital economy with modern data governance standards. Recognising the essential role of cross-border data flows in intra-African trade, this development demonstrates the visionary leadership of the AU Heads of State in enabling secure, seamless, and trusted data exchanges across the continent.

This Annex not only complements the AfCFTA’s mission of boosting intra-African trade but also provides a regulatory framework to safeguard personal data and digital trust in the e-commerce ecosystem, in turn standardising cross-border data transfer conditions among member states. It provides for exceptions grounded in legitimate public policy objectives and essential security interests. The Protocol mandates the inclusion of provisions in the Annex addressing acceptable use of data, restrictions on third-party sharing, and applicable regulatory limitations, including data protection safeguards. The Annex now introduces a harmonised set of rules that serve as a common baseline, particularly benefiting jurisdictions that are yet to enact domestic data protection laws, as the Protocol emphasises for member states to establish regulatory frameworks that focus on improving trust in digital transactions.

Recommendations

While the adoption of the Cross-Border Data Transfers Annex is a significant milestone, the effectiveness of its implementation will hinge on a few strategic actions:

i.  Benchmarking with European Legal Architecture

The European Free Trade Agreement (EFTA) provides a robust precedent on integrating data protection frameworks within trade agreements. Annexure XI of the EFTA outlines regulatory approaches to data protection in areas such as electronic communications and information services. The Protocol and its Annexes can draw insights from this model, and borrow useful provisions.

ii. Standardising Cross-border Data Transfer Conditions

The Annex must prescribe detailed safeguards that promote accountability and risk management in data flows. These safeguards include providing proof of availability and effectiveness of appropriate safeguards with respect to security and protection of personal data subject to the transfer. Additionally, data transfers must be grounded on lawful bases such as consent, contractual performance, data subject’s benefit and public interest, among others.

Key Take Away

Data is the backbone of Africa’s evolving digital economy. The adoption of the Cross-Border Data Transfers Annex under the Protocol is more than a regulatory milestone, it is a bold affirmation of Africa’s readiness to lead in the digital trade era. By laying down clear, harmonised standards for data governance, the Agreement addresses one of the most critical enablers of modern commerce: trust.

As implementation unfolds, this Annex could become the backbone of a secure and thriving continental digital market, eventually evolving into a blueprint for global south-led data governance models.