Strengthening Data Protection across East Africa: A knowledge exchange initiative



At its core, data protection revolves around safeguarding the personal information of individuals. By protecting data, we are ultimately safeguarding the well-being of people.

In an era where data is often considered the new oil, safeguarding the privacy and security of individuals’ information has become paramount. As East African governments strive to strike a balance between harnessing the power of data with innovation, a significant collaborative effort is underway. Stakeholders from Kenya, Uganda, Rwanda, and Tanzania, together with regional actors and international partners, joined hands at Strathmore University to enhance data protection in the region.

A Convergence of Minds

The African Union-European Union Digital for Development Hub (AU-EU D4D Hub) project is at the forefront of this endeavor, spearheading activities to strengthen the implementation of data protection laws and frameworks across  Africa. The initiatives are taking the form of training sessions, study visits, knowledge sharing, and comprehensive documentation. Given the dynamic nature of data protection, the topic of cross border data flows becomes ever more pertinent and multiple actors are entering the scene. In addition, data protection offices/authorities in East Africa are at various stages of development and operationalization, going through similar stages and challenges. The importance of knowledge exchange can not be overstated, and all participating institutions welcomed this initiative as exceedingly timely.

The AU-EU D4D Hub project entrusted the implementation of these regional exchanges to Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ), a seasoned expert in this field. GIZ in turn enlisted Strathmore University in Kenya to support the activity. Strathmore University has been at the forefront of carrying out research in the field of technology, intellectual property rights, data protection and data governance, has recently beein involved in the development of the strategic plan of the Office of the Data Protection Commissioner (ODPC)in Kenya, and has developed several training courses on the topica. The collaborative effort aims to bring together stakeholders from across the region and beyond for a series of in-person meetings between September 2023 and March 2024.

Knowledge Exchange in Action

Enhanced Knowledge and Experience Sharing: The meetings serve as a platform for knowledge and experience sharing in the field of data protection law enforcement at the East African regional level.

Improved Information Flow: They aim to improve information flow between various regional stakeholders, offering opportunities for participants to learn about different support programs.

Promoting Ongoing Knowledge Exchange: The meetings are intended to spark interest among other stakeholders to make knowledge exchanges a regular practice.

Empowering Data Protection Authorities

Specifically, the initiative seeks to achieve the following goals:

  1. Capacity Building: It aims to increase the capacities of data protection authorities to enhance compliance and service delivery through peer-to-peer learning and experience sharing.
  2. Peer-to-Peer Connections: The initiative aims to foster peer-to-peer connections between staff of new data protection authorities to boost motivation, knowledge sharing, and cross-border cooperation.
  3. Engaging Stakeholder Groups: It facilitates exchanges with other stakeholder groups such as civil society, academia, the private sector, and other digital economy stakeholders.
  4. Sharing Resources: The initiative encourages the sharing of existing resources, toolkits, and guidelines to avoid duplication of efforts.
  5. Support Programs: It showcases support programs by development partners and improves coordination among them.
  6. Leveraging Networks: The initiative leverages the existing structures and networks in Africa to drive follow up activities.

A Glimpse into the Program

The program for the meetings was developed in consultation with data protection authorities and implementation experts. It aimed at keeping the focus on technical topics and knowledge exchange, steering clear of some of the political forces currently influencing the space. On purpose, no specific policy recommendations were agreed upon, in order to allow for a free sharing of ideas during this first exchange. The goal was very much to build relationships of trust and a platform for further collaboration. Here’s a glimpse of what took place:

First Meeting:

Day 1:

  • Participants from four data protection authorities (DPA)s shared progress and lessons learned (Kenya, Uganda, Tanzania and Nigeria)
  • Representatives from the private sector presented their experiences of operating in East Africa
  • Panel discussions involving other ecosystem stakeholders were held.
  • Social and networking activities fostered collaboration.

Day 2:

  • Support programs by development partners were presented (EU Initiative on Data Governance in Africa, East African Community, East African Communications Organisation, Smart Africa, EU Data Protection Academy, World Bank).
  • A catalog of resources, toolkits, and guidelines relevant to authorities was presented.
  • A study visit to the hosting authority was undertaken where further detailed discussions took place.
  • Time was allocated for bilateral meetings.
  • Social and networking activities continued.

Harvesting the Outcomes

The true value of these meetings lies in the experiences, knowledge, lessons, and information gained by the participants. These outcomes support the process of setting up effective data protection authorities in the region, and to improve their collaboration. Some of the key outcomes include:

  • DPAs could learn from other DPAs and how they handle different challenges. Issues mentioned covered topics like human resources, recruitment, resource mobilization, how to work with the private sector, how to deal with the media, among others.
  • DPAs forged connections with members of other DPAs, which was facilitated by a physical meeting.
  • The private sector was able to present its challenges and engage in a discussion with the DPAs in the region about cross border data flows and compliance.
  • Regional actors were able to get the perspective from the DPAs and hear how best they can support the DPAs.
  • DPAs learned about different support programmes offered by donors and how to benefit from them.
  • The different levels of maturity of the data protection regimes in East Africa was discussed, and how best to support the countries that do not yet have a legislation or an authority.
  • Ideas on how data protection authorities can enhance collaboration and communication in the short term (like MoUs).
  • Discussions around different regimes to facilitate cross-border data flows and at the same time ensuring a high level of protection of personal data in the long term took place, such as standard contractual clauses, adequacy decisions, a regional framework spearheaded by the EAC, harmonization of laws, a certification framework by a third party.

Next steps

Based on the outcomes of the first physical event, the mapping of relevant resources and knowledge products will now continue. The project will make follow ups with the participants to get their feedback and start discussing the key goals for the second physical meeting happening in Q1 2024. 


This article was written by Francis Kabutu.

What’s your story? We’d like to hear it. Contact us via


See more news