East Africa is making remarkable progress in data governance, with ambitious plans to harmonise regulations within the next two years. Countries across the region, like Uganda, Kenya and Rwanda, have already made significant progress in setting up data policies meant to guide the implementation of best practices in their respective countries.
Uganda’s Data Protection and Privacy Act (2019) and Kenya’s Data Protection Act (2019) represent notable milestones in the development of key frameworks designed to safeguard data and promote accountability. Meanwhile, Rwanda has long been a champion of digital transparency and transformation. Through its National Data Revolution Policy (2017) the country has been at the forefront of promoting data use and fostering innovation.
In late February, The East Africa Data Governance Conference – hosted by Amnesty International Kenya and the Open Institute – brought together regulators, civil society organizations, and think tanks to explore and advance data governance across the region. Through expert discussions and panel insights, the conference fostered dialogue on regional data sharing, governance frameworks, and responsible data use, all aimed at driving innovation, sustainable development, and regional integration.
Here are four key insights derived from the discussions on data governance in East Africa at the Conference.
1. Regional cooperation on setting standards requires countries to mobilise resources.
A recurring theme was the need for dedicated resources to establish standardised data governance frameworks across the region. The necessary resources range from coordination mechanisms to technical and legal skills, as well as shared infrastructure. Without adequate investment, efforts to create uniform policies across the region will remain fragmented. This, in turn, would lead to uncoordinated and inconsistent enforcement and fragmented cross-border data flows, which would consequently slow down East Africa’s regional digital transformation.
Experts emphasised the importance of regional cooperation in setting practical and context-driven data standards that facilitate both compliance and innovation. For example, data harmonization in the region could enable seamless data sharing for critical sectors such as trade and health, while also fostering trust in digital services. Achieving this, however, will require governments, development partners, and the private sector to prioritise investment in shared digital infrastructure and promote intentional cross-border data sharing.
2. Cross-border learning opportunities are essential to the success of regional governance frameworks.
Throughout the discussions at the conference, one thing was clear: countries within the region vary widely in their approach. Some, like Somalia, implement data protection laws almost immediately. Others allow a grace period for compliance to be established. While Rwanda, Kenya and Uganda are continental pioneers within the remit of data protection, countries like Burundi, the Democratic Republic of Congo, and South Sudan have no data protection laws at all.
Cross-border harmonization efforts by their very nature cannot succeed in isolation. Countries need to exchange best practices and learn from each other’s experiences in implementing data governance frameworks. For example, Uganda’s Personal Data Protection Office continuously carries out enforcement mechanisms and public engagement strategies to raise awareness about data privacy and protection. Countries with emerging Data Protection Agencies (DPAs), like Somalia and Tanzania, which established their data protection offices just last year in 2024, could greatly benefit from the lessons and learnings from more established DPAs as they continue to build their regulatory capacity.
3. To play their part, people must understand their digital rights and responsibilities.
Even with the rise in data privacy and protection campaigns across the different East African countries, public understanding of data protection remains low. For example, the Kenya and Uganda’s data protection offices both run annual Data Protection Week campaigns to educate citizens, yet awareness in rural areas and among marginalised groups remains very low. Strengthening digital rights awareness among people is crucial to ensuring that they understand their rights and responsibilities in today’s digitizing world. Everyone, particularly the most marginalised, must be empowered to become better custodians of their data, especially when legislation rests on notice and consent.
The root causes of low awareness are multifaceted, ranging from limited access to information in local languages and inadequate outreach strategies that fail to engage rural and marginalised populations. To address this, governments, civil society organizations (CSOs), and the private sector must collaborate on innovative and inclusive awareness campaigns. For example, using mobile platforms and community radio stations can help reach remote areas, while partnerships with local CSOs can ensure that messaging is culturally relevant and accessible. It was notable that Amnesty International Kenya and the Open Institute hosted the East Africa Data governance conference, as CSOs play a critical role in this space, and these two organizations have been instrumental in raising data literacy levels in the region.
4. Sandboxes can be a critical tool to test regulations, collaborate, and establish trust.
Currently, fragmented data laws in the region create regulatory and infrastructure challenges that hinder economic integration. Businesses must navigate complex compliance requirements, including burdensome inter-company data-sharing agreements to offer the same product to different markets within the region, creating bureaucracy that can stifle growth. A common challenge for regulators is striking the right balance between enforcing data protection and allowing innovation to flourish. This challenge presents an opportunity for regulatory bodies to move beyond auditing and play a more formative role in shaping digital economies. Conference speakers highlighted the need for regulatory bodies to educate stakeholders on compliance, offer technical guidance, and develop policies that can adapt to technological advancements. Active collaboration between businesses and policymakers is crucial in creating an environment that encourages innovation, while supporting compliance and public trust, considering that both stakeholders co-create and shape local digital economies.
Regulatory sandboxes can provide a controlled environment to collaborate and proactively test innovations before full-scale implementation. Sandboxes can create a transparent and participatory process where stakeholders can jointly address risks and opportunities, ensuring that regulations are both practical and forward-looking. One panel discussion highlighted key examples such as South Africa’s Intergovernmental Fintech Working Group sandbox, which has shaped regulations on crypto and insurance. Additionally, Kenya’s newly established sandbox is exploring ways to support emerging technologies.
The future of data governance in Africa will depend on balancing innovation and compliance.
East Africa’s data protection landscape remains diverse, with different levels of maturity across countries. As the region works toward harmonisation, stakeholders must navigate political, cultural, and economic complexities to ensure that data governance serves both businesses and citizens.
Harmonised data governance is not just a legal necessity—it’s a pathway to economic integration, digital trust, and a thriving digital economy in East Africa. The journey ahead requires collective action, innovative approaches, and a commitment to prioritizing regional progress.
Through our Africa Data Leadership Initiative (ADLI), we are committed to advancing these conversations and supporting the development of inclusive, forward-looking data governance frameworks across the continent. ADLI’s mission is to ensure that Africa’s digital transformation is both innovative and equitable through peer learning, policy advocacy, and multi-stakeholder collaboration.
