Data protection is poor for african farmers who use digital services: kenya and ghana cases highlight gaps

Across Africa, agricultural producers are turning to digital solutions to get information about farming methods, market access or financial services. By 2022, there were 666 of these

solutions operating on the continent, the highest number among all low- and medium-income regions. Advances in digital devices, such as smartphones, sensors and satellites, connected through

the internet and combined with big data analytics, enable solution providers to collect and analyse large amounts of farm data. This is data related to the farmer, the farming site,

operations and commercial transactions. This has raised the possibility that service providers or other third parties could use farm data for their own benefit without the knowledge and

consent of farmers. It could even be to the farmers’ disadvantage. So there is a need to strike a balance between safeguarding farm data and using it effectively. African regulators have not

yet responded to the specific challenges of farm data protection. It is a complex issue, at the intersection of different regulatory frameworks: personal data protection laws, contract and

competition laws, and intellectual property rights. As a result, the exchange of data between agricultural producers and companies is often left to the service providers through unregulated

agreements or contracts. PERSONAL DATA PROTECTION Our research focuses on the adoption and impact of digital technologies in African agriculture. We recently reviewed the state of personal

data protection and compliance of digital agricultural services with existing regulations on the continent. We found that relevant laws were being adopted across Africa, but their provisions

were not always in line with African Union standards. Compliance was also limited, highlighting the need for enforcement and awareness. The only regulatory frameworks that protect farm

data, even if not specifically so, are those relating to personal data. African states adopted the African Union Convention on Cyber Security and Personal Data Protection in 2014 as a

guiding framework. The convention has not yet entered into force and only 15 countries had ratified it by July 2024. Our findings show that African governments are recognising the importance

of regulating personal data use. But not all the regulations are stringent enough and enforcement remains a concern. Specifically, we analysed the personal data protection legislation that

had been adopted in 34 African countries by May 2023 and compared its provisions with those set out in the African Union Convention. We also assessed compliance by reviewing the data privacy

policies of 106 digital agricultural services operating in Africa. ------------------------- _ READ MORE: HOW DIGITAL TECHNOLOGIES CAN HELP AFRICA'S SMALLHOLDER FARMERS _

------------------------- NATIONAL LAWS ARE EVOLVING The examples of Kenya and Ghana highlight commonly found gaps in regulations and implementation. The two countries are some of Africa’s

biggest users of digital agricultural services. Ghana was one of the first African countries to adopt personal data protection legislation, in 2012, and is one of the few that have signed

and ratified the AU Convention. Kenya adopted a data protection law in 2019. It has not signed or adopted the AU Convention. Their laws include all the guiding principles of the convention

and protect the same personal rights, as almost all national laws in Africa do. Differences emerge in the details. One provision of particular interest relates to automated decision-making.

Digital agricultural services are increasingly making use of automated data analytics. For instance, mobile phone data are used to assess credit-worthiness of farmers, smart contracts employ

blockchains, and weather data can automatically trigger crop insurance pay-outs. The AU Convention states that no-one should be subject to legally binding decisions based solely on

automated processing of data to evaluate certain personal aspects. The Kenyan law allows for certain exceptions to this. Ghana is even less stringent, allowing automated decision-making

provided that the users are informed. The large majority of African countries either have less stringent provisions about this than the AU Convention or no requirements at all. Another

important area is the international transfer of data. Many digital agricultural service providers operate across countries: data may be collected in one country and processed or used by

third parties in another. The AU Convention allows such transfers, but only if non-member states can show an adequate level of protection or the national authority has explicitly granted

permission for the transfer. The Kenyan legislation generally follows the spirit of the AU Convention, but also elaborates on the details. It allows adequate safeguards to be put in place at

the company rather than the government level. It also introduces specific provisions for sensitive data. The Ghanaian law, on the other hand, does not specifically address international

data transfer. It states that transferred data is subject to the legal requirements of the originating country. ------------------------- _ READ MORE: DIGITAL SOLUTIONS ARE BOOSTING

AGRICULTURE IN KENYA, BUT IT'S TIME TO SCALE UP. HERE'S HOW _ ------------------------- LOW COMPLIANCE HIGHLIGHTS ENFORCEMENT ISSUES Our research shows that among the leading

countries for digital agricultural solutions, Ghana has the highest share of providers that do not make data privacy policies readily available on their websites (17 of 30 reviewed service

providers). But also in Kenya, we found compliance to be low, with just over half of the services not providing a policy on their website. Where policies exist, our review highlights that

most do not protect all users’ rights over their personal data as set out in the national laws. The right of users to object to the processing of their data was most often missing. LOOKING

AHEAD: STRENGTHEN LAWS AND INSTITUTIONS The adequacy of personal data protection laws in Africa needs a closer look. Our research has highlighted some priorities for action. Revisions of

many African laws are needed to bring them in line with the level of protection envisaged in the AU Convention. Ghana’s example highlights the need to update laws in line with rapidly

evolving digital technologies, such as automated decision-making. National enforcement institutions need to be stronger. This requires an independent body with resources to monitor

compliance and the statutory powers to follow up on infringements. There is also a need to regulate the use of farm data not covered by data privacy laws, particularly data generated by

machines or sensors.