The problem with Africa’s pursuit of digital sovereignty

also ft Huawei's pivot and other infosec news in Africa

CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.

HIGHLIGHTS

The problem with Africa’s pursuit of digital sovereignty

Algeria is pushing a new draft law that, among other things, would require major digital platforms with over one million monthly users in the country to host user data locally and set up physical offices and legal representation. Algeria is not doing this alone. This whole "our data, our center" push is one of the hottest trends in African digital policy right now.

Nigeria, through its National Information Technology Development Agency (NITDA), essentially mandated data localization for all government data and all subscriber/consumer data held by telecom companies. Earlier this year, the country asked big tech platforms to commit to local data hosting. Kenya, through its data protection act, establishes a conditional flow regime that, if enforced, would heavily restrict cross-border data transfers. South Africa’s Protection of Personal Information Act (POPIA) and the draft National Data and Cloud Policy impose strict localization requirements, especially for government data and data in regulated sectors.

Data sovereignty, like most things in law and tech, is both simple and ridiculously complicated. We’ve said it before. Data Sovereignty means that digital data is subject to the laws and governance structures of the nation in which it is collected or generated. It’s the idea that data born in Algeria should be treated like Algerian property, regardless of where it’s physically stored.

Data sovereignty has economic value. Local hosting drives demand for local data centers, IT professionals, and cloud services. Data exported also means lost economic growth. But it’s not about the money. Data sovereignty ensures legal control and protection. If Algerian data is stored in Algeria, Algeria does not need to file a Mutual Legal Assistance Treaty request before asking for data during investigations or crackdowns. When data is local, it's explicitly under local privacy laws, which gives regulators more teeth.

But there’s always a catch. Even for major platforms, building or even hosting data in Tier III data centers in every African country is prohibitively expensive. These costs get passed right back to local consumers and businesses, making local digital services more expensive and potentially slowing innovation. Moreover, the internet is a global village because global platforms move and process data seamlessly across the world. Forcing localization fragments the internet. It will make their services slower and less efficient, and can lead to a less reliable experience for users. Lastly, while local hosting sounds safer, a single local data center might be a much juicier target for a specialized attacker than one of the thousands of globally distributed servers run by a hyperscaler like AWS or Microsoft. Plus, if the government can easily access the data, what does that mean for free expression or political dissent? It can easily become a tool for surveillance.

Also, it’s weird how these lines are drawn. Algeria’s proposed cap of one million monthly users is fascinating. This two-tier system is an attempt to be practical and not strangle local innovation while still asserting control over the global giants. But this creates an arbitrary line. What happens at 999,999 users? What happens at 1,000,001? You suddenly need to cough up millions for a local data center or risk being shut down. This is perhaps a good incentive to stop growing.

Africa, home to about 18% of the world's population, currently holds less than 1% of global data center capacity. The entire continent’s capacity is less than that of many single American or European metro areas.

It is completely unfeasible to expect global platforms to build a gold-plated data center in all 54 African nations. It would be a nightmare of compliance, construction, and cost. In fact, that’s not how it works anywhere in the world. The EU uses Standard Contractual Clauses (SCCs) and the concept of an "adequacy decision" under GDPR. Basically, data can flow freely from the EU to countries the European Commission deems "adequate" or has a pact with (like Canada, Japan, or New Zealand). This makes the flow of data predictable and legal. The EU and the US/UK have specific arrangements, like the recent EU-U.S. Data Privacy Framework (DPF) (and the UK's extension, the "Data Bridge"). This provides a certified mechanism for U.S. companies to self-certify that they meet EU/UK standards, allowing the data to flow. It's also an agreement between governments about data, to ensure standards, sovereignty, and enforcement. 

Africa suffers from a lack of this. If we were the AU or AfCFTA, we would probably consider a data mechanism that says: 

  1. If a country has a data protection law that meets a certain AU-standard (like a "continental adequacy" ruling).

  2. If a platform hosts its African data in any of the certified, high-capacity data centers in certified African countries (say, South Africa, Nigeria, Kenya, or Egypt).

  3. Then, that data can flow freely to any other AU-certified country.

This would easily concentrate power, investment, and expansion, but meh, easier said than done, and also, we’re actually not the AU. 

The massive, all-encompassing strategic shift by Huawei on the African continent is one of those stories that’s almost invisible until you look at the infrastructure that underpins everything. Huawei is leveraging its pre-existing, overwhelming power in telecom network infrastructure to move aggressively into the digital sovereignty stack, especially cloud, digital identity, and surveillance infrastructure.

Recently, the company signed a massive deal with Absa Group, which is a strategic partnership to implement an innovative Private Cloud Solution across Absa’s Pan-African markets. This is more than just an IT upgrade; it is a fundamental repositioning. It’s Absa’s way of ensuring local data sovereignty and regulatory compliance, and Huawei is supplying the entire physical and virtual foundation to make that happen.

To understand the pivot, you have to rewind 20 years. Huawei became Africa’s telecom forerunner by being the fastest, cheapest, and best-financed option. When Western giants like Ericsson and Nokia were demanding cash upfront, Huawei arrived with massive lines of credit from the China Development Bank and China EXIM Bank. They offered vendor financing that allowed cash-strapped African governments and mobile operators (like early MTN or Safaricom) to buy 3G and 4G equipment with grace periods on repayment. It was an irresistible deal. Huawei built an estimated 50% of Africa's 3G networks and a stunning 70% of its 4G networks. They built the national fiber-optic backbones and e-government platforms for over 20 African countries. This gave them unparalleled physical access to the continent's entire digital nervous system.

Huawei is leveraging its deep entrenchment in the telecom networks to power the next generation of digital infrastructure. They are setting up local cloud regions to directly address the data sovereignty mandates being pushed by countries like Nigeria (which praised Huawei's launch for aiding local compliance). For example, they launched West Africa’s first local cloud in Nigeria and their first North Africa public cloud in Egypt (in partnership with Telecom Egypt). This allows clients like Nigerian fintech giant OPay to reduce transaction latency from 130 milliseconds down to 15 milliseconds—making their platform feel faster than their competitors.

Huawei has been a key vendor in building national communications networks and e-government platforms for numerous nations, providing the fundamental system for everything from national ID verification to tax collection. The most sensitive area is their "Safe City" tech. This involves installing networks of high-tech cameras, data centers, and centralized policing systems. In countries like Uganda and Zambia, reports have documented how this Chinese-supplied infrastructure has been allegedly leveraged for domestic political surveillance and eavesdropping on opposition figures.

Huawei's scale is a double-edged sword. On one side, it accelerates Africa's digital progress; on the other, it introduces a profound, systemic security and political vulnerability. The US and its allies have raised alarms based on China's 2017 National Intelligence Law, which mandates that Chinese organizations "support, cooperate with and collaborate in national intelligence work." This raises the perpetual, if often unproven, specter of a kill switch or backdoor access built into the very hardware of a nation's critical infrastructure.

Huawei equipment has been documented by cybersecurity experts to contain "middleboxes" capable of filtering and manipulating internet traffic. This technology is highly attractive to authoritarian African governments seeking to enforce their own version of cyber sovereignty that includes the Chinese model of state control over the internet. The alleged eavesdropping on Ugandan opposition leader Bobi Wine is a stark example of how infrastructure built for "security" can be repurposed for political repression.

How to do Digital IDs

I think African tech is too obsessed with the idea of leapfrogging. For example, everyone wants a shining, modern Digital Public Infrastructure, starting with a bulletproof Digital ID.

It sounds great on paper (even if it means no more papers). We talk about DPIs a lot here at CybAfriqué (and you should definitely watch out for our research with the Center for Financial Inclusion). But the reality of getting those digital IDs to 1.4 billion people scattered across a massive continent is messy.

This mess brings us to Ghana, where the government recently got absolutely fed up and decided to effectively ban a whole class of middlemen.

Digital IDs are ridiculously hard to roll out. If you are Kweku in a remote village in Ghana who needs a Ghana Card (the national ID) to register your SIM, access government services, or open a bank account, you typically have two options: 

Option A: You travel maybe 8 hours, pay transport fees, and wait all day at the regional office of the National Identification Authority (NIA). You deal with a highly trained, background-checked civil servant who operates on a secure, closed network. The process is confidential; the integrity of the data is theoretically preserved.

Option B: You walk to the nearest cyber café, SIM card registration kiosk, or even a local mobile money agent who, for a small fee (or sometimes a large one), offers to "help" you with your registration right there. 

This latter group, the informal network of middlemen, is often called Biometric Agencies. It's an umbrella term for a network of SIM registrars, cyber cafés, mobile money operators, and other third-party contractors who, critically, can access the national identity database, or at least a highly privileged client interface, to input or verify citizen data.

The problem is that a fragmented, outsourced network is great for access but terrible for confidentiality and data integrity. Earlier this year, reports surfaced of numerous websites openly advertising the sale of personal data of Nigerians for less than a dollar per record. This data was often pilfered from compromised databases or illegally extracted by low-level agents involved in SIM card registration and other decentralized services. In Kenya, where registration for the Huduma Namba, the proposed digital ID, was also carried out by numerous contracted agents, concerns over the security and training of these casual workers were constant. The sheer volume of hands touching sensitive data increases the risk of both malicious theft and accidental exposure. In Ghana, the catalyst for the government's action is also security and compliance.

FEATURE

  • South African fibre operator Vumatel has ceased new installations and maintenance across key Western Cape townships like Delft and Khayelitsha because the security costs became infinite. Across Africa, threats to telecom infrastructure are ballooning.


See you next week.
