Oftentimes good data governance is overlooked – until it fails. When systems don’t talk to each other, when data leaks, or when decisions are made without transparency, it can make people’s lives harder and do real damage. And that’s when trust erodes.
Trust is an essential pillar of any good digital strategy and requires both concerted and ongoing efforts to cultivate and nurture it. The third meeting of the 2025 Africa Data Leadership Initiative cohort was dedicated to exploring the policies, laws, technologies, and institutional safeguards required to build and maintain trustworthy data systems.
To guide the discussion, we invited guest speakers:
- Mercy King’ori, Policy Manager, Global Privacy team at Future Privacy Forum, who gave an analysis on the state of data protection across Africa.
- Rahul Matthan, Partner and Head of TMT Practice, Trilegal, who explained India’s techno-legal approach to giving individuals agency over their data.
African Data Protection Authorities are on the frontlines of data governance.
There are currently around 40 data protection laws, and over 35 Data Protection Authorities (DPAs) across the continent. The capacity and functions of the DPAs vary widely from country to country, but they face common challenges and opportunities.
Mercy kicked off the discussion with two recent successes of DPAs, demonstrating their unique power of strategic enforcement. The Nigeria Data Protection Commission – in collaboration with the Federal Competition and Consumer Protection Commission – imposed a $220 million USD fine on Meta after finding evidence of unauthorized data sharing, insufficient user consent mechanisms, and discriminatory practices against Nigerian consumers. Additionally, the ruling mandated corrective actions to ensure that Meta’s business practices comply with Nigerian regulations.
In another headline case, Kenya’s Office of the Data Protection Commissioner ordered cryptocurrency initiative WorldCoin to halt operations in the country after finding that the company failed to comply with Kenyan data privacy laws. WorldCoin is accused of improperly collecting, processing, and transferring sensitive biometric data – iris and facial scans – without conducting a mandatory Data Protection Impact Assessment or securing informed consent from users. Just this week, the High Court issued its ruling declaring WorldCoin’s operation in the country illegal and ordered the company to delete all data collected from Kenyans.
While these two examples demonstrate the power of DPAs in enforcing accountability, Mercy reinforced that DPAs still face significant barriers.
Firstly, strong data protection mechanisms require institutional resources to ensure compliance and enforce restitutions. Resource and budget constraints are therefore a major obstacle for many governments. Another challenge for DPAs depends on where within the government they are housed. Some DPAs may be independent, stand-alone institutions, whereas others might be housed within other ministries, rendering them financially or functionally dependent. This lack of institutional independence can cause political problems and make enforcement difficult.
Finally, the number of amendments and appeals a piece of legislation might face is also a key challenge. Amendments sometimes change the structure of the DPA itself and appeals can call into question its authority or constitutionality. Some of these are welcome – for example, when amending laws to align with new international frameworks such as GDPR. Similarly, as emerging technologies like AI gain prominence, DPAs in many cases become the de facto regulators and thus may require amendments. In either case, amendments and appeals represent lengthy and complicated legal processes that may delay or prevent a DPA from executing its mission.
One major opportunity Mercy highlighted is the room for innovation in harnessing technology to create regulatory tools. For example, South Africa’s Information Regulator recently announced a new requirement for organizations to report data breaches via an online e-Services Portal – a significant shift in how companies must comply with the country’s data protection law. Such digital tools can help make enforcement more efficient and redressal smoother and more accessible.
Data Protection Authorities alone are not enough. A techno-legal approach is another way to create people-centered data economies.
To dive even deeper into this opportunity for innovation, Rahul then gave an overview of how India codified data protection with its Data Empowerment and Protection Architecture.
As Rahul explained, data protection laws and regulators often kick in after a harm has been committed. With the current volume and velocity of data being generated across every sector, a more agile, pre-emptive approach is necessary. The techno-legal approach embeds digital infrastructure with the legal principles that are enshrined in laws and regulations, creating the appropriate guardrails and boundaries within the digital workflows themselves. In this way, protocols can be “laws” that change behavior and force people to follow the rules. In such a case, the mere act of participation ensures compliance with the law.
So, what legal principles should define good data architecture? Data protection around the world is typically based on a few common principles:
- Consent: giving individuals the power to approve and revoke permissions and access to their data.
- Purpose specification: ensuring a request for access to data includes details on why it is being requested and what it will be used for.
- Data minimization: allowing access to the minimum amount of data necessary to accomplish the task at hand.
- Retention restrictions: limiting the timeframe for which data can be stored and continue to be accessed.
In the case of India’s Data Empowerment and Protection Architecture, these principles have been built into the code of the infrastructure. So, when someone receives a data request, the notice provides all the relevant information on what data is being accessed, why, and for how long. And with the user’s consent, the request can be fulfilled.
This approach also allows for transparency and portability. Users can view, say, a 6-month statement of their own data history from across the entire financial ecosystem. They can provide this data history to institutions when they choose to. For DPAs, this digital infrastructure makes it easy to check digital trails to ensure compliance with retention restrictions and data minimization.
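A minimal sketch of the idea above, added here as an illustration and not taken from DEPA or from the speakers: a consent record that carries the four principles, and a gate that refuses any request the record does not cover while logging every decision for later review. The `Consent` schema, the field names and the sample values are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Consent:  # hypothetical artefact, not DEPA's real schema
    user: str
    requester: str
    purpose: str            # purpose specification
    fields: frozenset       # data minimization: the only fields covered
    expires: datetime       # consent stops working after this moment
    retain_days: int        # retention restriction on the recipient
    revoked: bool = False   # the user can withdraw at any time

AUDIT = []  # append-only trail a regulator could review

def fulfil(request, consent, record, now):
    """Return (payload, None) if the consent covers the request, else (None, reason)."""
    if consent.revoked:
        reason = "consent revoked"
    elif (request["user"], request["requester"]) != (consent.user, consent.requester):
        reason = "no consent for this party"
    elif request["purpose"] != consent.purpose:
        reason = "purpose mismatch"
    elif now >= consent.expires:
        reason = "consent expired"
    elif not set(request["fields"]) <= consent.fields:
        reason = "fields exceed consent"
    else:
        reason = None
    AUDIT.append({"at": now.isoformat(), "requester": request["requester"],
                  "purpose": request["purpose"], "fields": sorted(request["fields"]),
                  "granted": reason is None, "reason": reason})
    if reason:
        return None, reason
    data = {k: record[k] for k in request["fields"]}  # nothing beyond what was asked
    return {"data": data, "delete_by": now + timedelta(days=consent.retain_days)}, None

NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)  # constructed sample data from here on
RECORD = {"name": "A. Example", "balance": 1200, "transactions": ["t1", "t2"], "address": "1 Sample Rd"}
CONSENT = Consent("user-1", "lender-x", "loan-underwriting",
                  frozenset({"balance", "transactions"}), NOW + timedelta(days=1), 30)

def demo():
    base = {"user": "user-1", "requester": "lender-x", "purpose": "loan-underwriting"}
    ok = fulfil({**base, "fields": ["balance"]}, CONSENT, RECORD, NOW)
    greedy = fulfil({**base, "fields": ["balance", "address"]}, CONSENT, RECORD, NOW)
    repurposed = fulfil({**base, "purpose": "marketing", "fields": ["balance"]}, CONSENT, RECORD, NOW)
    late = fulfil({**base, "fields": ["balance"]}, CONSENT, RECORD, NOW + timedelta(days=2))
    return ok, greedy, repurposed, late
```

The over-broad request is refused outright instead of being trimmed silently, so the audit trail shows that the requester asked for more than the consent allowed.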
India’s approach to consent-based data sharing is just one example of a way to reduce the enforcement burden on governments and the compliance burden on people and businesses. Read more about how technology-enabled regulations support effective data governance.
In the group discussion, one thing was clear: data governance must be a multi-pronged effort.
The cohort then split into breakout rooms to explore how these learnings could be applied to their specific country contexts. A few common themes emerged:
- Informed, meaningful consent is imperative – but the onus should not be wholly on the individual. Digital service users need to understand how their data is being used, and how they can make decisions. Participants discussed the importance of digital literacy campaigns in ensuring individuals understand when, why, and how their data is being accessed by companies, institutions, or their government. However, people’s stated privacy preferences do not always align with actions. Economic incentives, for example, may particularly sway economically disadvantaged communities (as seen in the Kenya WorldCoin example). The responsibility still lies with data controllers and regulators to protect data and ensure enforcement and compliance.
- Sector-specific institutions form part of a healthy data governance ecosystem. A one-size-fits-all regulatory model often lacks the nuance needed to address the distinct risks and opportunities that different industries face. Sectors such as finance and healthcare, where data is both highly sensitive and central to service delivery, require tailored oversight to ensure that data is used ethically, securely, and to the greatest public benefit. Independent regulatory bodies in these sectors play a critical role in balancing innovation with protection, as well as fostering public trust. These targeted governance mechanisms are foundational to a system that works across the complexity of a modern economy.
- Every actor in the data governance ecosystem has a role to play. Regulators and government are important – especially when it comes to defining people’s rights. But they are not the only actors in the data governance ecosystem. Allowing individuals and economies to benefit from data – all while safeguarding people’s rights – is a new and complex challenge that requires innovation. This is where the private sector can play a significant role. While laws take a long time to come into effect, the private sector can produce product features and protocols that are more agile and can adapt quickly when necessary. The example from India demonstrates a successful data governance model whereby the digital infrastructure is built by regulators and operated by the private sector.
Trustworthy data systems are best buttressed by a whole-of-society approach.
The third session highlighted the success of data protection legislation and authorities and, equally important, how technology can support enforcement and compliance with such legislation. However, it was clear that no single approach is sufficient to ensure data protection across society.
In the next meeting of the cohort, we will explore the innovative ways data can provide value to society, with presentations from ADLI cohort members from both the private and public sectors. Follow along on LinkedIn.