Developments in data privacy around the world — Will developing franchise industries in Africa be able to keep pace?



May 29, 2018

Franchise Alert

Author(s): Kendal H. Tyre

As African countries grapple with the need to further expand and strengthen their economies, the franchise industry in particular has grown in popularity as a medium to achieve the economic stimulus that these African nations seek. Oftentimes, this also means that these nations are working to ensure that their laws and regulations are in line with current global standards to facilitate cross-border business. One area that has become increasingly important in this effort is data privacy and protection. Data privacy and protection considerations could have a huge impact on the budding franchise industry in Africa, specifically considering the recent enactment of the European Union’s (EU) General Data Protection Regulation (GDPR).

Data privacy concerns arise from the intersection of the dissemination of personal information over technological platforms, the societal expectations of privacy and the laws and regulatory frameworks related to privacy and security of that data. The GDPR streamlines the data protection regulatory environment and regulations within the EU. It requires that all businesses protect the personal data and privacy of all EU citizens for transactions that occur within any EU member state. It also addresses the export of personal information outside of the EU. Any company that stores or processes personal information about EU citizens who reside within EU states must comply with the GDPR even if it does not have a business presence within the EU. Currently, of the 54 nations on the African continent, there are seventeen countries (Angola, Benin, Burkina Faso, Cape Verde, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Mali, Mauritius, Morocco, Senegal, Seychelles, South Africa, Tunisia and Zimbabwe)[1] that have comprehensive personal data protection legislation. A majority of African countries, however, do not appear to be prepared to put the proper systems in place to comply with the EU’s GDPR. Simply put, EU businesses may find it difficult to conduct business with African businesses that do not have adequate security practices in place and/or whose governments do not have the necessary regulatory framework to protect the safety of international data.

Compliance may be costly for some businesses, especially for those companies where a necessary security infrastructure is completely absent. Some companies will potentially be required to hire new personnel such as data protection officers, or have to purchase certain software to assist in data protection. Nevertheless, non-compliance with the GDPR may prove to be even more expensive. A fine up to an amount that is the greater of 10 million Euro or 2% of global annual turnover (revenue) from the prior year may be assessed if it is determined that non-compliance was related to technical measures “such as impact assessments, breach notifications and certifications.”[2] That fine has the potential to double up to an amount that is the greater of 20 million Euro or 4% of global annual turnover in the prior year for the most serious breaches. Serious breaches may include non-adherence to the core principles of processing personal data, infringement of the rights of data subjects and the transfer of personal data to organizations that do not provide adequate levels of data protection.[3]

Compliance with data protection laws is not one-sided, however. EU businesses that want access to African markets will also have to comply with the data privacy laws that are established in certain nations.

Concerns of data privacy and security arise when franchise businesses collect, store, manage, disclose or use the identifiable information of their customers and employees. Franchisors do not maintain control over their franchisees. However, franchisors often rely on consumer data, employee data and financial records their franchisees provide. The transfer of customer information occurs often in the franchise industry. Imagine a customer walks into a franchised quick service restaurant in Ethiopia and, in order to join a customer loyalty program, provides their name, personal address, e-mail address, and credit card or banking information. The franchisee’s employees will log that customer’s information into its system, a system that periodically sends new membership data to the franchisor’s principal office in London or the United States per a requirement in its franchise agreement with the franchisor. Once the automatic report of new members is provided to the principal office, an exchange of private data has been made. Now imagine that the system in London or the United States is hacked. All the private information of the Ethiopian customers is now put at risk, creating an incident that will presumably concern the customers and lead to questions about what went wrong. If the restaurant has no data security or privacy standards and protocols, customers will almost certainly look to their local governments to find recourse.

With this potentially in mind, a number of countries have begun to implement their own data protection and privacy laws. In November 2013, the former President of South Africa, Jacob Zuma, signed the Protection of Personal Information Act (POPIA) into law. South African legislators had initial drafts of GDPR during the drafting period of the POPIA, providing such legislators an opportunity to incorporate GDPR-specific concepts into POPIA legislation. There are a few key differences between GDPR and POPIA. In some cases, POPIA is viewed as more extensive and stringent.[4] POPIA is expected to become effective by the end of 2018, so businesses planning on conducting international business within South Africa must ensure their privacy protections are compliant with the Act.[5]

The Southern African Development Community (including Angola, Botswana, Democratic Republic of Congo, Lesotho, Madagascar, Malawi, Mauritius, Mozambique, Namibia, Seychelles, South Africa, Swaziland, United Republic of Tanzania, Zambia and Zimbabwe) also developed a model law on data protection with the financial assistance of the EU.[6] In September 2017, the Economic Community of West African States (“ECOWAS”) (including Benin, Burkina Faso, Cape Verde, Cote d’Ivoire, The Gambia, Ghana, Guinea, Guinea Bissau, Liberia, Mali, Niger, Nigeria, Sierra Leone, Senegal and Togo) announced that it would partner with the Council of Europe to organize a conference[7] to further support the implementation of domestic legislation concerning cybercrime and cybersecurity. Regulations and partnerships like these assist African nations in need of guidance on implementing their own data protection laws and regulations, but more must be done. Currently, the ECOWAS Data Protection Act obligates member states to establish a legal framework of protection of data privacy relating to the collection, processing, transmission, storage and use of personal data, subject to the general interest of the state.[8] As of 2018, it appears that some movement is being made.
For example, the country of Nigeria drafted and proposed the Data Protection Bill 2017 (HB.02), which “seeks to make provisions for the regulation of information relating to individuals.” Nigeria continues to work toward implementing its proposed regulation, specifically tackling core criteria used to assess its current data security, including data quality and proportionality; the security, right of access, rectification and opposition of data; restrictions on onward transfers of personal data; and additional principles in appropriate types of processing, such as those concerning sensitive data, direct marketing and automated processing of data.[9] Nigeria, among others, acknowledges that countries hoping to stimulate their economies through franchising or any business with cross-border implications must be compliant with international standards of data protection to be competitive. While the likelihood that most African countries will be GDPR compliant in the near future is slim, we are witnessing slow, but progressive change.

Ultimately, franchising in Africa is expanding, but not without its challenges. As more African nations realize the economic influence strong franchise systems can have, we should witness newly created and improved franchise laws and regulations that ensure franchise success. Comprehensive data privacy and protection legislation must naturally follow to encourage international expansion. African economies and technological advancements create great opportunity for franchising, which proves itself to be a reliable sector if promoted by African nations appropriately and supported by their legal frameworks.

For more information on franchising in Africa see International Franchising 2016: Legal and Business Considerations, a book edited and co-authored by Kendal H. Tyre, Executive Editor, as well as Diana V. Vilmenay-Hammond and Keri A. McWilliams, Managing Editors, and Pierce Haesung Han and Nia D. Newton, Assistant Editors.


  1. Deloitte, “Privacy is Paramount — Personal Data Protection in Africa,” available at https://www2.deloitte.com/content/dam/Deloitte/za/Documents/risk/za_Privacy_is_Paramount-Personal_Data_Protection_in_Africa.pdf
  2. Cheryl O’Neill, “GDPR Series, Part 4: The Penalties for Non-Compliance,” Imperva, March 14, 2017 available at https://www.imperva.com/blog/2017/03/gdpr-series-part-4-penalties-non-compliance.
  3. Leita Walker, Jeff Norris, Kathleen Ugalde, “The Digital Economy: Friend or Foe to Franchising?” International Franchise Association, May 6, 2018.
  4. Russell Nell, “GDPR Matchup: South Africa’s Protection of Personal Information,” September 5, 2017 available at https://iapp.org/news/a/gdpr-matchup-south-africas-protection-of-personal-information-act.
  5. “The Cybercrime and Cybersecurity Bill and POPIA: Prioritising Data Protection,” Hogan Lovells, July 2017, available at https://www.hoganlovells.com/en/publications/the-cybercrime-and-cybersecurity-bill-and-popia.
  6. “Data Protection: Southern African Development Community (SADC) Model Law,” HIPSSA, available at https://www.itu.int/en/ITU-D/Projects/ITU-EC-ACP/HIPSSA/Documents/FINAL%20DOCUMENTS/FINAL%20DOCS%20ENGLISH/sadc_model_law_data_protection.pdf
  7. “ECOWAS and the Council of Europe Join Forces to Help West African Countries in the Fight against Cybercrime,” Economic Community of West African States (ECOWAS), available at http://www.ecowas.int/ecowas-and-the-council-of-europe-join-forces-to-help-west-african-countries-in-the-fight-against-cybercrime..
  8. “Personal Data Protection in Nigeria,” World Wide Web Foundation, March 2018, available at http://webfoundation.org/docs/2018/03/WF_Nigeria_Full-Report_Screen_AW.pdf
  9. Id.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.
