General abstract
The theory of cross-fertilization harbours potential for prioritizing and guiding contemporary proposals on reforming the one-size-fits-all approach in GDPR-styled data protection law and practice in Africa.
Introduction
The comparative approach to compliance is inevitable with increased region-specific approaches to data protection worldwide. The goal of comparative data protection law should not be uniformity of data protection law but rather a nuanced approach that allows for mutual learning and adaptation across diverse contexts and unique realities in Africa s.[1] In this context, this blog article explains why the comparative law approach of legal transplant has several infirmities and, therefore, is non-desirable. It suggests the path of cross-fertilization can help overcome these infirmities thereby contributing to achieving two main data governance goals. One is ensuring there is symbiosis of data protection regulations in Europe and Africa that can benefit from their mutual advantages. Second is enabling adjudicators of data protection law to consider African peoples’ lived realities, experiences and contexts when interpreting and applying existing legal frameworks.
Contestations on Legal Transplantation
In comparative law, Alan Watson[2] introduces the concept of legal transplantation. Watson defines the idea as `transferring a legal rule or system from one country or people to another’. In this context, the development of law is autonomous. The development does not mainly consider the political, economic, or social context or the time of the original legal transplant. In the data protection context, Bradford has called the phenomenon of transplant of laws from Europe to other parts of the world, including Africa, the ‘Brussels effect’.[3] This effect occurs when European legislator based in Brussels sets standards in the data protection field which apply beyond Europe through ‘unilateral regulatory globalization’.
The most cited data protection legal instrument whose standards point towards unilateral regulatory globalization is the European General Data Protection Regulation (GDPR). Enacted by the European Union in 2018, GDPR establishes a framework governing personal data collection, storage, and utilization.[4] This regulation grants EU citizens autonomy over their personal information. At the same time, willingly or unwillingly, the EU created a ‘Golden Standard’[5] with the GDPR. Outside of the EU, companies monitoring the user behaviour of EU citizens or offering products or services to EU citizens are obliged to comply with the GDPR. States outside Europe are also adopting legislations that is a ‘protégée of the EU GDPR’.[6] Makulilo summarizes these GDPR-styled Brussels effect as ‘the long arm of the GDPR’ in Africa.[7]
Given its scope, the GDPR adopts the nature of legal transplant, which Watson calls the ‘most fertile source of development’. This approach allows jurisdictions to enhance their legal systems by adopting solutions provided in the GDPR standards, thereby avoiding extensive experimentation.
However, the experience of data controllers and processors in Africa with the GDPR has yet to show the realization of fertility that Watson envisages. Instead, the experience has demonstrated that the GDPR poses challenges due to its ‘take-it-or-leave-it’ approach[8] forcing non-European companies to comply. Practical realities of trade[9] make compliance with GDPR inevitable while adding to compliance costs. Instead, it gives a comparative advantage to multinational technology firms with the resources to adapt and develop strategies for internal organizational frameworks and GDPR-compliant laws.[10] Cumulatively, the phenomenon risks dimming the prospects for African digital economies. Currently, the dimmed hopes are a threat to annual exports from Africa’s digital economy valued at about 14 billion USD.[11] In future, the impacts could multiply and negatively impinge on livelihoods of Africans who increasingly rely on the digitized public and private services. Furthermore, Watson’s views propose a one-size-fits-all approach. The approach neglects the contexts that should inform the data protection laws in African States and instead projects the European context as universally applicable.
It is, therefore, no surprise that Watson’s ‘convenient’ approach to legal transplant has been criticized. Critics argue that contextual origins of law are crucial, as legal systems are embedded in social contexts and shaped by historical paths.[12] Consequently, even when today’s economic, social, and political conditions are similar, legal transplants may only sometimes lead to uniform outcomes. In Africa, the transplant is concerning because of its potential to promote digital authoritarianism, imperialism, and colonialism.[13] that the legal and institutional framework in the African Charter on Human and Peoples’ Rights 1981 eschews and pledges to eradicate.[14] Secondly, GDPR standards lean more towards protecting the rights of individuals. This tendency has shown some incongruence in implementation within Africa, a region whose human rights system also protects peoples’ privacy-related rights. Thirdly, the Europeanization of data regulation is sometimes inimical to the culture and identity of the African people, whose conceptions, realities, and lived experiences may be invisible to designers of new technology. Fourthly, some recent experiences applying GDPR-like standards to complex situations of emerging technologies, such as digital ID and crypto projects, have shown that the GDPR standards need to be revised or reimagined to deliver on the promise of rights-respecting digital technologies in Africa. Lastly, Europeanization potentially preserves and perpetuates existing global power hierarchies that harbour various data injustices.
Various authors have voiced their concerns in the matter. Babalola has recently discussed possible difficulties of applying rules of rules on consent, data protection impact assessment, cross-border transfers, and enforcement in African contexts.[15] Coleman further explains that it could come with challenges relating to the limitation of sanctions.[16]
Possible Solution Through Synergizing Ideas via Cross-fertilization
With these examples, the Europeanization of the protection data regulation in Africa is, without more, not sustainable. The current African Data Policy Framework 2022 and the recent steps explored to develop Digital Compacts should focus on initiatives that adapt the GDPR standards and establish new ones through socio-legal approaches.
The current literature cannot agree more. Makulilo, uses Mauritius case study to demonstrate a concerning GDPR-styled Brussels effect in Africa.[17] Further work on the matter has also yielded several recommendations. Coleman generally proposes a ‘further reflection on the matter’.[18] Gwagwa and Hilliard recommend adopting and implementing Ubuntu principles to do that.[19] For his part, Babalola recommends ‘unlearning from the European precepts’ and some form of ‘localized re-engineering’. Boshe and Goberna develop the discourse further by proposing the legitimacy of data protection laws drawn from societal and cultural acceptance.[20] Boshe and Goberna call for an inclusive approach to law-making that is based on global co-existence.[21]
The onslaught against Watson’s theory is gaining traction. However, it does not seem to deter the growing number of GDPR-styled laws developed across Africa. Therefore, there is a need to tailor the ongoing reform discourse to target the institutions that determine data governance disputes, as a matter of priority.
Since the comparative approaches to data protection law are inevitable, there is need to think about the legal development through the lens of cross-fertilization. Anne-Marie Slaughter first used the term cross-fertilization to describe how courts learn from other legal systems to enrich their understanding on matters placed before them. The author proposes cross-fertilization as a phenomenon where laws speak to each other and not at each other. This way, cross-fertilization enables mutual learning between legal frameworks whose outcomes are necessary when interpreting constitutions and addressing legal issues.[22] When applied to the data protection context, cross-fertilization does not propose replacing the European standards. Instead, it requires reconfiguring of the linear donor-recipient relationship. Instead, it creates an ecology of mutual learning that also respects validity of regional claims and norms.
In the African context, cross-fertilization proposes moving beyond copy-and-paste narratives. Instead, it promotes dialogue and international influence by recognizing the relevance of African values and considering the African human rights system as mature, alive, and enough to learn from.[23] Therefore, utilizing the theory can help advance the discourse by:
- Enabling policymakers and implementors of the data protection laws in designing ways of unlearning from the standards that do not work.
- Creating opportunity for culture and human rights to compare notes and find approaches that find legitimacy in the lived experiences of the people.
- Causing adjudicating bodies to pay particular attention to the contexts in which the data protection law is applied and interpret the rules and evidence according to such context. In such cases, they should be interrogators and innovators. They could interrogate foreign certifications of new technologies and decisions on adequacy of levels of protection. They could also improvise and innovate new legal pathways of compliance based on the contexts of affected individuals or peoples.
Conclusion
The so-called ‘Golden Norm’ in the GDPR may appear fertile based on the theory of legal transplantation. The experiences of African populations and the regional human rights system with the GDPR and GDPR-inspired laws, however, show various facets of the legal ‘infertilities’ of the predominant legal transplant approach. This blog article has proposed the need to prioritize the role of adjudicatory bodies in the reform discourse. It has also identified multiple opportunities for the adjudicatory bodies and other stakeholders to apply the meaning and notion of cross-fertilization especially in creating synergies in legal development.
[1] Nelson Otieno, ‘Role of Epistemic Data Justice in Data Governance for Rural Women in Africa’ <https://cipit.org/role-of-epistemic-data-justice-in-data-governance-for-rural-women-in-africa/>
[2] Alan Watson (1976): Legal Transplants: An Approach to Comparative Law (University of Georgia Press, 1993).
[3] Anu Bradford, ‘The Brussels Effect: How the European Union rules the World (Oxford University Press, 2020).
[4] Cara Mannion, ‘Data imperialism: The GDPR’s disastrous impact on Africa’s E-commerce markets’ (2020) 53 Vand. Journal Transnational Law 685.
[5] Giovanni Buttarelli, ‘The EU GDPR As a Clarion Call for a New Global Digital Gold Standard’ (2016) 6(2) International Data Privacy Law 77-78. Digital gold standard. In: International Data Privacy Law. 6 (2).
[6] Olumide Babalola, ‘The GDPR-Styled Nigeria Data Protection Act 2023 and the Reverberations of a Legal Transplant’ (2024) 3(1) British Journal of Cyber Criminology DOI: https://doi.org/10.36266/BJCC/1O6.
[7] Alex Makulilo, ‘The long arm of GDPR in Africa: Reflection on Data Privacy Law Reform and Practice in Mauritius in The Right to Privacy Revisited, Routledge, 2021(121-150).
[8] Cara Mannion, ‘Data imperialism: The GDPR’s disastrous impact on Africa’s E-commerce markets’ (2020) 53 Vand. Journal Transnational Law 685.
[9] Alex Makulilo, ‘The long arm of GDPR in Africa: Reflection on Data Privacy Law Reform and Practice in Mauritius in The Right to Privacy Revisited, Routledge, 2021(121-150).
[10] Cara Mannion, ‘Data imperialism: The GDPR’s Disastrous Impact on Africa’s E-Commerce Markets’ (2020) 53 Vand. Journal Transnational Law 685.
[11] Dalberg Advisors (2018): GDPR: The Implications for Africa’ https://dalberg.com/our-ideas/gdpr-implications-africa/> accessed on 24 November 2023.
[12] Jonathan Miller, ‘A Typology of Legal Transplants: Using Sociology, Legal History and Argentine Examples to Explain the Transplant Process’ (2003) American Journal of Comparative Law 839-886.
[13] Danielle Coleman, ‘Digital Colonialism: The 21st Century Scramble for Africa through the Extraction and Control of User Data and the Limitations of Data Protection Laws’ (2019) Michigan Journal of Law and Race 417.
[14] African Charter on Human and Peoples’ Rights 1981, preamble, Arts 21, 22.
[15] Olumide Babalola, ‘The GDPR-Styled Nigeria Data Protection Act 2023 and the Reverberations of a Legal Transplant’ (2024) 3(1) British Journal of Cyber Criminology DOI: https://doi.org/10.36266/BJCC/1O6
[16] Danielle Coleman, ‘Digital Colonialism: The 21st Century Scramble for Africa Through the Extraction and Control of User Data and the Limitations of Data Protection Laws’ (2018) 24 Michigan Journal of Race & Law 417, 434.
[17] Alex Makulilo, ‘The long arm of GDPR in Africa: Reflection on Data Privacy Law Reform and Practice in Mauritius in The Right to Privacy Revisited, Routledge, 2021(121-150).
[18] Danielle Coleman, ‘Digital Colonialism: The 21st Century Scramble for Africa Through the Extraction and Control of User Data and the Limitations of Data Protection Laws’ (2018) 24 Michigan Journal of Race & Law 417, 439.
[19] Arthur Gwagwa, Emre Kazim, and Airlie Hilliard, ‘The role of the African value of Ubuntu in global AI inclusion discourse: A normative ethics perspective’ (2022) 3(4) Patterns 1.
[20] Patricia Boshe and Carolina Goberna, ‘Is the Brussels Effect Creating a New Legal Order in Africa, Latin America and Caribbean’ Data, Law and Decolonisation <https://techreg.org/article/view/14317/20850> accessed 19 April 2024.
[21] Ibid.
[22] Anne-Marie Slaughter, ‘A Typology of Transjudicial Communication’ (1994) 29 (1) University of Richmond Law Review 99.
[23] Ibid.
