Protecting the data of African agricultural producers: a review of national laws, compliance and perceptions

ABSTRACT With the rapid spread of digital tools that collect large amounts of data from agricultural producers across Africa, there is a growing need to strike a balance between data protection and use. To inform this debate, this article examines the level of and demand for the protection of data collected from African producers. To this end, the article presents a review of national personal data protection laws in Africa and assesses compliance of digital agricultural service providers with these laws. It also offers a first insight into perceptions on personal data protection among African agricultural producers. The analysis shows that data privacy regulations in Africa have been evolving, but several countries have yet to adopt related legislation. Existing laws generally reflect the basic elements of the 2014 African Union Convention on personal data protection, but often fall short on provisions of particular importance to digital service provision. Compliance with national data privacy laws among digital agricultural service providers is limited, highlighting enforcement challenges. Awareness of data protection issues is low among agricultural producers, as is the ability to control access to their data.


Introduction
Digital agricultural solutions1 are increasingly being used across Africa to offer services to producers, including advisory, marketing and financial services. In 2020, the GSM Association counted 437 such services in Sub-Saharan Africa, primarily offering advice and financial services to their users.2 Advances in digital devices, such as smartphones, sensors or satellites, connected through the so-called Internet of Things and combined with big data analytics are making it possible to collect and analyse large amounts of agricultural data.3 According to the EU Code of Conduct on Agricultural Data Sharing by Contractual Agreement (2018),4 agricultural data includes, among others, 'livestock and fish data, land and agronomic data, climate data, machine data, financial data and compliance data'.5 This article focuses specifically on farm-related agricultural data (or farm data), i.e. data related to the farmer, the farming site and operations, and commercial transactions related to the farm. These data can be collected by the farmers themselves, by external data collectors or by data collection devices, such as sensors or cameras. Farm data can be used to improve service provision for agricultural producers, for instance through targeted advice for farmers adapted to their specific context.
Concerns have been raised that in the absence of effective data protection frameworks and safeguards, farm data collected by digital service providers could be used by the providers or other third parties for their own benefit without the knowledge and consent, and sometimes to the disadvantage, of agricultural producers. Lack of data protection may also hinder uptake of digital solutions if producers do not want to entrust the service providers with their data.6 Thus, to take full advantage of the opportunities offered by digital technologies in agriculture, it will be key to strike a balance between data use and data protection.
The protection of farm data warrants particular attention for a number of reasons. First, farm data protection is a complex issue that stands at the intersection of different regulatory frameworks, i.e. personal data protection laws, contract and competition laws, and intellectual property rights. However, none of these regulatory frameworks currently provide sufficient protection for farm data and many aspects of their application to farm data remain unclear.7 For instance, from a legal perspective, the distinction between personal8 and non-personal data, and therefore the scope of applicability of personal data protection laws, is particularly difficult to determine in the case of farm data.9 Second, a legal debate remains to be resolved regarding the most appropriate legal framework to govern collection and use of machine or sensor-generated agricultural data (e.g. data on soil moisture content collected by sensors in the field). Machine or sensor-generated agricultural data are generally considered non-personal data and fall outside of personal data protection laws. Therefore, the access and use rights to data are negotiated between stakeholders in bilateral contracts, and fairness of the negotiated claims to the data largely rests on market forces and bargaining power.10 Third, from an ethical perspective, where digital applications that rely on farm data to provide advice to farmers are being controlled by large companies that also provide the services, technological farm supplies and inputs that farmers need to put the recommendations into practice, there is a risk of anti-competitive practices and manipulation of market outcomes.
African regulators have not yet responded to the specific challenges associated with farm (and agricultural) data protection. There are no regulations for the protection of farm data, nor do related regulations, e.g. on personal data protection, include specific provisions for agricultural data. In addition to laws and regulations, data licensing agreements and contracts can be used to govern the relationship between agricultural producers, the digital service providers and affiliated companies. However, there are no legal frameworks in Africa that ensure the fairness of the terms of use in data licensing agreements and contracts. To set common standards for agricultural data licensing contracts and address producers' concerns in sharing their data, voluntary codes of conduct have recently been introduced in the EU and a few industrialised countries, but it is yet to be seen if these voluntary codes of conduct are having the desired effect.11 No such codes have been adopted in the African region.
Thus, the only transparent regulatory frameworks establishing data protection requirements for agricultural data in Africa, even if not specifically so, are those relating to personal data protection.12 National data privacy laws are increasingly being adopted around the world. They started to emerge in Western Europe in the 1970s and 1980s, followed by Latin America and Eastern Europe in the 1990s and early 2000s, and Asia since 2010.13 While African countries were relatively late in the adoption of such laws, it is now the region with the fastest expansion in personal data protection laws, partly driven by the entry into force of the European Union's data protection regulation in 2018. As of May 2023, 34 out of 54 African countries had adopted data protection laws and several of the remaining countries were working on related legislation.
The first regional legal instrument on data protection in Africa was developed by the Economic Community of West African States (ECOWAS) in 2010 for its 15 member states.14 Inspired by the ECOWAS Act, 'The African Union Convention on Cyber Security and Personal Data Protection' (hereafter 'the AU Convention') was adopted at the African Union's Summit in Malabo, Equatorial Guinea in 2014.15 The ECOWAS Data Protection Act and the AU Convention seek to create a harmonised legal framework for personal data protection at the sub-regional and continental level. Due to the high mobility of data and the cross-border activities of many digital service providers, harmonising national regulations is particularly needed. Otherwise, the efforts of individual countries to safeguard their citizens' data can be easily undermined when data is transferred to other states with weaker data protection laws.16 Although the AU Convention is yet to enter into force, its adoption made Africa only the second region after the European Union to have a regionwide legal instrument for personal data protection.17 However, contrary to the EU regulations, there are no enforcement mechanisms once the Convention has entered into force and a country can withdraw at any time.
Conduct, Voluntary Guidelines and Principles Relevant for Farm Data Sharing (CTA - Technical Centre for Agricultural and Rural Cooperation 2019); Tsan (n 1).
12 Licensing agreements or contracts that are signed between digital service providers and users are not publicly available to third parties and therefore cannot be studied easily.
13 Graham Greenleaf and Bertil Cottier, Comparing African Data Privacy Laws: International, African and Regional Commitments (University of New South Wales 2020).
Increasing trade integration in Africa through the African Common Free Trade Area (AfCTA), which was officially launched in January 2021, will make harmonisation of data protection laws more and more important. Lack of harmonisation also poses challenges for multinational organisations and companies operating on the continent.18 However, the AfCTA does not foresee a similar level of institutional and regulatory harmonisation as the EU. With regard to personal data protection, the AfCTA explicitly allows countries to put in place their own laws as long as they do not contravene the AfCTA (Article 15.c.ii). As a result, the main onus of regulating personal data protection remains with the national regulatory bodies unless additional legally binding and enforceable rules are adopted at the pan-African level.
While the importance of regulating personal data use is increasingly being recognised by African governments, it remains unclear to what extent digital agriculture service providers are complying with such legislation. Little is also known about the level of concern among African producers regarding the protection of their data. Research from industrialised countries shows that concerns among farmers regarding data protection are increasing as agriculture becomes more digitalised.19 In response, some farmers are advocating for greater control over their agriculture data and for the power disparities and information asymmetries between service providers and farmers to be addressed.
This article aims to contribute to the existing literature on personal data protection related to farm data by addressing a number of important research gaps. First, it builds on existing reviews of data protection legislation in Africa by adding a systematic comparison with provisions of the AU Convention, relating the level of protection to the level of activity of digital agricultural services providers in the countries, and analysing provisions of particular relevance to digital agriculture in more detail. Second, to assess the effectiveness of the legislation, the article is the first to evaluate compliance of the data privacy policies of digital agricultural service providers in Africa with national legislation. Third, the article is the first to provide initial insights into perceptions among African agricultural producers on data protection and privacy.
The remainder of the article is structured as follows. Section 2 highlights the key challenges for data governance in smart farming and provides a review of the literature related to personal data protection laws in Africa, compliance by digital agricultural service providers with these laws and perceptions related to data privacy among agricultural producers and users more generally. Section 3 outlines the methodology used in this research. Section 4 presents the analysis of African data protection laws and how they compare to the provisions of the AU Convention. Section 5 reviews data privacy policies of digital agricultural services and assesses compliance with national laws. Section 6 reports on the results of a survey among agricultural producers in Benin, Ethiopia and Ghana. The final section integrates the findings from the three previous sections to draw broader conclusions on personal data protection and digital agriculture in Africa, and identifies areas for further research.

Literature review
2.1. Literature on governance issues related to the protection of agricultural data
The digital transformation of food and agriculture is increasingly envisioned as a technological solution that could help address a broad range of societal issues, such as achieving global food security, reducing the environmental impact of agriculture, and enhancing food safety and acceptability through traceability and transparency.20 The collection of farm data and the applications that result from them could play an important role in this regard. For farmers, actionable insights to support decision making can be obtained by analysing their farm data, helping them to better plan and execute farming activities. For agricultural and food value chains, the availability and flow of agricultural data facilitates efficient transactions, cross-border trade and less complex customs processes around agricultural products, allowing smallholder farmers and small enterprises to participate in international trade. For governments and policy makers, the ability to access and process aggregated farm data can also be beneficial in designing, implementing and monitoring agricultural policies, helping them make data-driven decisions and suitable policy choices for farmers, consumers and other players in the food system.21
As with many technological changes, the digital transformation of the agri-food sector must address a range of socio-ethical challenges. According to a recent literature review, one such socio-ethical challenge centres on the issue of data collection, ownership, access, control and sharing.22 There is currently no specific legislative framework governing the collection, ownership, access, control, and sharing of farm data in any country or continent, including the African continent.23 Therefore, the issue of data collection, ownership, access, control and sharing of farm data is currently a complex topic that stands at the intersection of different regulatory frameworks, i.e. personal data protection laws, contract and competition laws, and intellectual property rights. However, none of these regulatory frameworks provide sufficient protection for farm data and many aspects of their application to farm data remain unclear.24 For the purpose of this article, farm data refers to any data related to the farmer, the farming site, the farming operations and commercial transactions related to the farm, collected by the farmers themselves, external data collectors or data collection devices, such as sensors or cameras. Farm data encompasses both personal data, defined in line with Article 1 of the AU Convention as 'any information relating to an identified or identifiable natural person by which this person can be identified, directly or indirectly in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity', and non-personal data, i.e. any data other than personal data.25
From the perspective of farmers as data subjects, the collection, aggregation, and sharing of data is regulated by personal data protection laws.26 Personal data protection legislations create a set of rights that give the data subject some degree of control over their personal data, as well as essential principles relating to data collecting and processing procedures.27 However, to be covered by personal data protection legislations, farm data needs to qualify as personal data by relating either to an individual farmer or to a group of farmers that are identified or identifiable.28 Therefore, personal farm data can be distinguished from non-personal farm data based on whether the possibility of identification exists or not.29 Farm data, whether localised, imported, or exported, primarily deals with information linked to the farm; therefore, depending on the degree to which this information can be used to identify farmers, the data is either personal or non-personal. Making a clear distinction between personal and non-personal data is, however, not always straightforward. To what extent farm data should be classified as personal and therefore fall under personal data protection laws is not clear-cut and may need to be decided on a case-by-case basis depending on the context and purpose of processing.31 Can farm data, for instance information on crops, soil type, fertilisers, pesticides, water use, and the health and wellbeing of animals collected through either satellite imagery or machines, be considered personal data? Although such data might not immediately expose the identities of the farmers, statistical analysis and artificial intelligence (AI) techniques can be used on aggregated data to reveal distinctive patterns for farming practices that can be linked to a particular farm and identify the farmers.32 Additionally, given that anonymized data might still be deanonymized due to the unreliability of anonymization procedures, the lines between personal and non-personal information can become blurred.33 Data aggregation techniques have made it possible to identify previously anonymous data sets, even though identification may not be possible at the time of processing. This has led to a gradual failure of anonymization, where the same piece of data may be more or less easily identifiable.34 Data analytic capabilities have therefore led to an increase in the overall quantity of available data as well as an increase in the amount of data that is personal, as connecting individuals and data can be done more swiftly and in creative ways.35
Given the difficulties in making a clear distinction between personal and non-personal data, legislators might decide to include non-personal data under the ambit of personal data protection legislations. One may also argue that enacting a single law and regulation to oversee all data collected from data subjects and held by any data controller would be simpler because it would eliminate any room for ambiguity regarding anonymization and deanonymization. To avoid confusion and ineffective administration, the non-personal data regulation could be combined with the personal data protection legislations rather than remaining a separate piece of legislation, and both personal and non-personal data could be governed by a single Data Protection Authority (DPA). However, as it stands now, farm data, which is anonymized and does not directly relate to natural persons, is not yet covered by personal data protection laws in Africa and is therefore unregulated.36
31 Atik (n 9); Kritikos (n 9).
Moreover, the ownership of data, i.e. who has specific rights to data, including the right to use the data and for what purposes, is at times unclear with regard to non-personal data collected in the context of smart farming. While farmers believe themselves to be the owners of the data collected from their farms, the intermediaries that process farm data own the computed data.37 Even if agricultural stakeholders generally agree that farmers own the data that is collected on their farms, no specific right corresponding to ownership of data in terms of property over data is included in the laws.38 This raises the question of how farm data should be governed, i.e. who should control and extract value from the data.
Legal contracts and licensing agreements may be used to bring legal clarity, for instance by specifying the ownership of data covered by the contract. However, such a data ownership provision is not sufficient to protect farmers in terms of the rights they get from it. In addition, the terms and conditions specified in the contracts effectively establish the conditions of the use of the data. Thus, data ownership in itself may not address governance issues relating to access, sharing and use of farm data.39 Patents and copyright laws also do not provide protection for farmers' data. Patents, for instance, only cover the invention of a new process or a machine, while copyrights cover original works of authorship. Farm data is not invented by farmers, nor is it a new process or a machine, nor does it qualify as original works of authorship. Farm data, if legally classified as a trade secret, could be protected under the laws governing intellectual property rights and specifically trade secrets. In this case, farmers could then own their data and only allow other parties to use it through licensing agreements that are governed by contract laws. However, this is not yet the case and hence such laws may not yet provide protection for farm data.40
From a policy perspective, rather than focusing on the concept of ownership, it might be more practical to focus on the issues that it is meant to address, i.e. to strike a balance in the conditions for sharing, controlling and using farm data.41 In this regard, regulators can either stretch personal data protection laws to cover farm data or introduce separate non-personal data protection laws to regulate the conditions for sharing, controlling and using farm data and other non-personal data. Alternatively, regulators can formulate guidelines or standard contractual provisions that should be included in data licensing agreements and contracts, either specifically in agriculture or more broadly. Recently, voluntary codes of conduct have been introduced for the agriculture sector in some countries and regions to set common standards for farm data licensing contracts and improve the governance of agricultural data, for instance in the EU, USA, New Zealand and Australia. Several other countries are also examining the development of agricultural data codes of practice. However, it is yet to be seen if these voluntary codes of conduct are having the desired effect and if they would be introduced worldwide to protect farmers from the misuse of their data.42
36 Dagne (n 23).
37 van der Burg (n 20).
38 Jouanjeani (n 6).
39 Jouanjeani (n 6).
In the absence of sound regulatory frameworks that govern the access, sharing, and control of farm data, farmers are concerned about their data being used by agricultural technology providers and intermediaries for other purposes aside from advising them, for instance for anti-competitive practices and manipulation of market outcomes. This is especially critical when large companies not only control smart farming applications and the algorithms underlying them to offer recommendations to farmers, but also provide the services, technological farm supplies and inputs that farmers need to put the recommendations into practice. Such concerns highlight the lack of trust that farmers have for digital service providers and data platforms and farmers' concern over the unfair competitive advantage that large companies have with their privileged insights over farmers' data in a specific country or region.43

Literature on the current state of data protection in Africa
Several authors have analysed national data protection laws in Africa.44 All studies point to the need for further improvements in the protection of personal data. At the same time, the AU Convention is seen as an opportunity to raise data privacy protection to an adequate level. None of the studies provide a systematic comparison with the provisions of the AU Convention or assess the regulations from the perspective of digital agricultural service provision, as presented in this article. Given the rapid changes in data protection laws in Africa in the past few years, only the most recent studies are reviewed here in more detail.
The International Bar Association provides the most recent and comprehensive review of African data protection laws.45 The study notes that the African data protection ecosystem is highly influenced by Europe's regulatory approach. Comparing the AU Convention with European regulations, the authors note that the AU Convention was designed along the lines of the EU Data Protection Directive 95/46/EC, which was replaced by the General Data Protection Regulations in 2018. Therefore, the AU Convention may not be a suitable bridge for collaboration with Europe, they conclude. At the national level, the authors find that the African data protection ecosystem is underdeveloped and disparate due to the variety of frameworks and laws in Africa which are at different stages of implementation and cause disagreements around harmonisation, collaboration and cooperation.
Another recent review of national, regional and continental data protection regulations was carried out by Greenleaf and Cottier.46 The authors note that the AU Convention was expected to be a driver for data protection in Africa. However, this anticipation could not yet be fulfilled, as the required number of countries for ratifying the Convention has not been met. Nevertheless, the authors caution that the implementation of uniform data protection rules across Africa is a lengthy process, pointing to the 40 years it took the EU member states to enact uniform data privacy laws. The authors predict that the vast majority of African countries will have adopted related legislation by the end of the 2020s.
No research has been carried out to assess the compliance of digital agricultural service providers with national data protection legislation in Africa. Similarly, no research has been done to study African agricultural producers' perception of the need for and adequacy of data protection. The limited research into perceptions of data protection among African users more generally points to growing concerns, but also perceived opportunities. Anecdotal evidence from East Africa suggests that users are increasingly worried that their data may be misused, but very few people are aware of how to ensure online security and privacy.47 At the same time, however, many said that they interacted more freely via social media than in face-to-face interactions.
One survey among South African internet users found a high level of concern about the protection of personal data among 80 percent of respondents, in particular with regard to data related to their personal identity and financial and health information.48 In contrast to the study by Kinuthia,49 for many sharing information online was more problematic than in face-to-face interactions (79 and 57 percent of respondents, respectively). Almost two thirds (62 percent) said that they know their privacy rights, but only 37 percent knew how to lodge a complaint. Many do not feel that the organisations collecting and processing personal data adequately implement legal protection requirements.
45 IBA (n 44).
46 Greenleaf and Cottier (n 13).
47 Duncan Kinuthia, Exploring Data Anonymisation and Internet safety in East Africa (Research ICT Africa 2020).
A study of mobile phone-based health applications in Tanzania concludes that direct users of the technology may trust it more than their clients.50 Specifically, they find that community health workers felt that smartphone use actually increased data protection compared to paper-based forms while the female clients were more concerned about who has access to these data.
Additional insights relating specifically to agricultural producers can be gained from research into farmers' perception from industrialised countries where extensive data collection and processing is already widespread in the agriculture sector. These findings suggest that farmers are increasingly wary that their data may be used by businesses for commercial gain without adequate compensation for the data providers.51 Reporting findings from Australia, researchers see a lack of trust between the farmers as data providers and the third parties that collect, aggregate and share their data at the root of these concerns.52

Methodology
The data for the analysis in this study was collected in three ways: (1) an analysis of national laws in Africa that regulate the collection and use of personal data, (2) an analysis of data privacy policies of digital agricultural service providers operating in Africa, including an assessment of their adherence to national legislation, and (3) a survey among African agricultural producers to assess perceptions related to data privacy.
48 Adéle Da Veiga, 'An information privacy culture instrument to measure consumer privacy expectations and confidence' (2018

National legislation for data protection
First, the status of adoption of national data protection laws in all African countries was assessed (as of May 2023). The legal texts of national laws were collected for all African countries where such laws have entered into force and the provisions of the laws were analysed. To this end, the provisions of national laws were compared with related provisions set out in the AU Convention which thereby served as the reference point for the analysis. The analysis did not assess compliance with the AU Convention since the Convention has not yet entered into force and several of the laws were already in place upon its adoption. Rather, the Convention was treated as a commonly agreed standard that African countries are expected to aim for in the future. Draft legislation was not included in this analysis.
The focus of the analysis was on provisions that are of direct relevance to users of digital agricultural services, in particular as they relate to personal data, i.e. the principles governing the processing of personal data (Article 13 of the AU Convention) as well as the users' rights to their personal data (Articles 16-19, 'Data Subjects' Rights'). Additional provisions of interest relate to Data Protection Authorities (DPAs), cross-border flow of data and automated data processing.

Data privacy policies of digital agricultural service providers
A list of agricultural digital service providers operating in Africa was compiled using information from the CTA,53 the GSM Association54 and web searching. Digital agricultural services were included if:
- they provided a service to producers and use digital technologies in their service provision,
- they are operating in at least one African country (but not necessarily exclusively in Africa) and are subject to at least one African country's legislation,
- they are operating at the time of the review, and
- they have their own functioning website.
Using these criteria, a list of 106 digital agricultural services was compiled. For these services, the availability of a service-related privacy policy on the providers' websites was documented (as of September 2021). Privacy policies that only apply to visitors of the websites, but not the digital agricultural service offered by the provider, were not included. Where such a policy was available, compliance with the requirements set out in national legislation was assessed. Where service providers operate in more than one African country, their privacy policy was compared with the strictest data protection regulation adopted in the countries of operation. The jurisdictions most commonly used for the purpose of this analysis are Kenya, Nigeria, South Africa and Ghana (Figure 1).
53 Tsan (n 1).
54 GSMA (n 2); GSMA, AgriTech Deployment Tracker. Mobile for Development (GSM Association 2021).
The 106 digital agricultural service providers were disaggregated into four primary use cases which were adapted from GSMA:55 advisory services, financial services, procurement/marketing, and smart farming. Where no primary use case could be identified, the service was classified as 'multiple use cases'. The most common primary use case is digital advisory (31 percent of services), followed by smart farming (24 percent), procurement and marketing (21 percent) and financial services (17 percent) (Figure 2). Eight percent of services provided multiple uses.

Producers' data privacy concerns
Data from a survey was analysed to assess to what extent agriculture producers already take measures to protect their data. Data was collected through in-person surveys from 1,915 respondents in Benin (642), Ethiopia (623) and Ghana (650) in October/November 2019. The data collection was part of a larger survey to assess impacts of youth initiatives in the four countries and the respondents were sampled based on their participation in such initiatives plus a control group. To this end, lists of beneficiaries of four youth initiatives in each country were obtained from which the samples were randomly drawn. Non-beneficiaries were interviewed in the same regions using snowball sampling. As a result, the final sample shows a bias towards men (63 percent of the sample) and an uneven distribution across age groups (majority 25-30 years old). It is therefore not necessarily representative of African producers, but nevertheless gives a first insight.
The characteristics of the sample are presented in Table A1 in the Appendix.The respondents were between 15 and 40 years old.Almost one third (29 percent) were engaged in agriculture as their primary occupation (primarily crop farming, but also livestock and agro-forestry), ranging from 23 percent in Ethiopia to 39 percent in Benin.Across the entire sample, 59 percent of respondents use the internet.Among agricultural producers, that share is lower at 48 percent.The concern about data privacy was assessed by asking internet users a number of questions about the steps they are taking (or not) to inform themselves of their data protection rights or restrict access to their data.The responses were analysed specifically for agricultural producers and compared to answers of non-producers.Correlation analysis is used to assess the influence of individual characteristics (sex, age, education, occupation) on internet use, the decision to seek information about data protection and control access to personal data.

National privacy and data protection legislation in Africa
This section assesses the current state of personal data protection in Africa by reviewing existing national data protection laws that influence the ownership, access and use of personal data in Africa. Data protection laws that have been adopted are compared with the provisions of the AU Convention. The analysis focuses on Chapter II (Personal Data Protection) of the AU Convention which, among other provisions, sets out basic principles governing the processing of personal data, the rights of users (referred to as 'data subjects' in the AU Convention) to their personal data, details of an institutional framework for the protection of personal data, and obligations placed on entities collecting and processing the data (referred to as 'controllers').

Status of national data protection legislation adoption
The personal data protection regulatory landscape in Africa has changed considerably over the last few years. As of May 2023, more than half of the African countries (34 of the 54) have enacted data protection laws (Figures 3 and 4 and Table A2 in the Appendix), including Algeria, Angola, Benin, Botswana, Burkina Faso, Cape Verde, Chad, Republic of the Congo, Côte d'Ivoire, Egypt, Eswatini, Equatorial Guinea, Gabon, Ghana, Guinea, Kenya, Lesotho, Madagascar, Mali, Mauritania, Mauritius, Morocco, Niger, Nigeria, Rwanda, Sao Tome and Principe, Senegal, South Africa, Tanzania, 56 Togo, Tunisia, Uganda, Zambia and Zimbabwe. The remaining countries do not yet have dedicated laws in place (Burundi, Cameroon, the Central African Republic, Democratic Republic of the Congo, Comoros, Djibouti, Eritrea, Ethiopia, Gambia, Guinea-Bissau, Liberia, Libya, Malawi, Mozambique, Namibia, the Seychelles, Sierra Leone, Somalia, South Sudan and Sudan).
As of May 2023, 14 countries have ratified the AU Convention, namely Angola, Cape Verde, Côte d'Ivoire, Ghana, Guinea (Conakry), Mauritius, Mozambique, Namibia, Niger, Republic of Congo, Rwanda, Senegal, Togo and Zambia, while 11 countries have signed it, including Benin, Cameroon, Chad, Comoros, Gambia, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome and Principe, South Africa and Tunisia. Of those that ratified the AU Convention, only Mozambique and Namibia have not adopted legislation yet. Among those that signed the Convention, Cameroon, Comoros, Guinea-Bissau and Sierra Leone do not have data protection legislation in place.
Comparing countries that have enacted data privacy regulations with prevalence of digital agricultural services shows that the countries where such services are most widespread have put personal data protection legislation in place (Figure 3, Table 1). Among the seven countries with 10-19 digital agricultural solutions, data protection legislation is still lacking in Ethiopia and Malawi.

AU Convention
The African Union Convention outlines a set of basic principles governing the processing of personal data (Article 13) which include the principles of:
(1) consent and legitimacy of personal data processing
(2) lawfulness and fairness of personal data processing
(3) purpose, relevance and storage of processed personal data
(4) accuracy of personal data
(5) transparency of the personal data processing
(6) confidentiality and security of personal data.
In addition, the AU Convention established specific principles for the processing of sensitive data (Article 14). Specifically, the Convention prohibits 'any data collection and processing revealing racial, ethnic and regional origin, parental filiation, political opinions, religious or philosophical beliefs, trade union membership, sex life and genetic information or, more generally, data on the state of health of the data subject'.

National legislation
In the large majority of African countries, national data protection laws include provisions covering the principles set out in the AU Convention (Figure 4). In most cases, they are explicitly listed as principles, while in a few cases they are reflected in the provisions.
Principles 3 (purpose, relevance and storage) and 6 (confidentiality and security) are covered by all regulations. Only a few countries do not include one of the remaining principles:
- Mali is the only country that does not require consent to be obtained from data subjects (Principle 1).
- The regulations of Egypt, Equatorial Guinea and Lesotho do not contain provisions that would require that the collection, recording, processing, storage and transmission of personal data is undertaken lawfully, fairly and non-fraudulently (Principle 2).
- Burkina Faso does not require that data collected should be accurate and, where necessary, kept up to date, and that steps must be taken to ensure that data which are inaccurate or incomplete are erased or rectified (Principle 4). Rather, it puts the onus on data subjects to request corrections to their data if needed.
- Uganda is the only country that does not mandate data controllers to disclose information on personal data (Principle 5).
- The regulations of Côte d'Ivoire, Niger and Nigeria do not contain specific provisions governing the processing of sensitive data even though they all define 'sensitive data' within the legislation.
None of these countries have signed or ratified the AU Convention. In the case of Burkina Faso, Côte d'Ivoire, Lesotho and Mali, the regulations were adopted before the Convention, while Egypt, Equatorial Guinea, Niger, Nigeria and Uganda adopted their legislation afterwards.

AU Convention
The Convention sets out a number of rights that data subjects have in relation to their personal data, namely:

National legislation
Similar to the principles set out in the AU Convention, users' rights to their data are widely reflected in the data protection legislation adopted across Africa (Figure 4). The only exception relates to the right to information which is not included in the Ugandan law (adopted after the AU Convention) and only partially in Gabon (adopted before the AU Convention) where the right of information applies only to health data. In both countries, data subjects can request access to the information but are not automatically provided with the information when their data are collected. Neither country has signed or ratified the Convention.

AU Convention
As shown above, the majority of the national laws cover most of the principles and rights set out in the AU Convention. For these and other provisions of the legislation to be effective, they need to be implemented, monitored and enforced. To this end, the AU Convention requires the establishment of a national personal DPA to ensure that 'the processing of personal data is conducted in accordance with the provisions of this Convention' (Article 11). The Convention also sets out the envisaged functions of the DPA, including granting authorizations for certain data processing and transfer, entertaining complaints, reporting offences to the judicial authority and imposing sanctions on data controllers, among others (Article 12).
While each country is free to determine the composition of the national DPA, the AU Convention provides strict guidance on keeping the DPA independent (Article 11). Members of the DPA must not be members of government or be involved in ICT businesses as executives or shareholders. They should also enjoy full immunity for opinions expressed in connection with their duties and not receive instructions from any other authority.

National legislation
All of the existing data protection laws foresee the establishment of a DPA (Table A2 in the Appendix). Most countries (31) already set out the administrative details. In Equatorial Guinea, Guinea (Conakry) and the Republic of Congo, additional regulations are required before the DPAs can be established, as specified in the law. This has not been done so far even though the laws were already adopted in 2016 (Equatorial Guinea, Guinea Conakry) and 2019 (Republic of Congo).
Among the 31 countries that have already established DPAs in their legislation, 25 have appointed DPAs (as of May 2023). In Tanzania this gap can be explained by the recent nature of the legislation (2023). In the remaining countries (Egypt, Lesotho, Madagascar, Togo, Zambia), the laws were adopted between 2015 and 2021. Without a DPA, the laws cannot be implemented effectively since there is no authority to monitor and enforce the rights.
Moreover, in 12 of the 34 countries with data protection legislation, the DPA is not independent as stipulated in the AU Convention while in two countries the level of independence is unknown since the legislation to establish the DPA is still pending. Instead, the DPA is placed under the authority of a government representative, such as the President, Prime Minister or a Minister (Algeria, Egypt, Nigeria, Rwanda, Tanzania, Uganda and Zambia), it can receive ministerial instructions (Botswana, Ghana), it can be made up of civil servants (Equatorial Guinea), and it can include members that are representatives of ministries (Algeria, Ghana, Tunisia) or are appointed by the King (Morocco) or President (Tanzania). Among these countries, most (Algeria, Botswana, Ghana, Morocco, Nigeria, Rwanda, Tunisia and Uganda) have appointed their DPA. The lack of independence could seriously undermine the level of protection of personal data in case of government interference.

AU Convention
Many digital service providers operate across countries where data may be collected in one country and processed or used by third parties in another. Such transfers are important e.g. for services that facilitate supply chain management or financial transactions. Regulations that govern the transfer of data across borders are therefore relevant for many providers as well as the users of their services.
The AU Convention sets out restrictions on the international transfer of data (Article 14.6). The data controller is in general prohibited from transferring personal data to a non-Member state of the African Union 'unless such a State ensures an adequate level of protection of the privacy, freedoms and fundamental rights of persons whose data are being or are likely to be processed'. This prohibition does not apply, however, if the data controller has sought permission to transfer the data from the national DPA.

National legislation
The majority of countries (with the exception of Burkina Faso, Côte d'Ivoire and Tunisia) are less restrictive than the AU Convention when regulating the international transfer of data (Table A3 in the Appendix). Among the 34 regulations, 29 include exceptions that allow transfer of data to countries without an adequate level of protection. Nineteen countries also allow transfers of data if an adequate level of protection can be assured among the controllers handling the data. The regulation of Ghana does not include any provisions on international data transfers.
In most cases (28), the exceptions are specified in the legislation, e.g. if the data subject has given consent and/or the transfer is necessary for certain specified reasons (incl. contract execution, public interest or money transfer or if it takes place within a multilateral agreement). The legislation of Niger leaves the nature of the exceptions open, allowing such transfers by decree of the Council of Ministers. The laws of Uganda and Zimbabwe are special cases. The Ugandan law restricts data transfer to countries without adequate protection in line with the AU Convention, but only with regard to data storage and processing of Uganda-based data processors. The Zimbabwean law exempts data transfer 'to allow tasks covered by the competence of the controller to be carried out' from the restrictions.
As noted above, the AU Convention also provides for exceptions to the prohibition of international data transfer if the transfer has been authorised by the DPA. Of the 27 countries that allow for exceptions, only nine require such an authorisation. Another 13 regulations require the DPA to be notified of transfers. Adding authorisation and notification requirements to the law would be an important measure to increase monitoring and compliance.
Another relevant question is who decides the 'adequate level of protection' in the recipient country. In 14 countries, this decision is taken by the DPA. In two countries (Botswana, Nigeria), the DPA is involved in the decision, but not independently so, thus leaving room for political interference. In Botswana, the decision is taken by the DPA, but the final list of countries is published based on a decision of the Minister. In Nigeria, the Attorney-General is also entitled to decide in addition to the DPA. In Kenya, Mauritius and Rwanda, it is up to the controller to supply proof of adequacy (in Mauritius and Rwanda, authorisation of transfers by the DPA is required). Rather than authorising the transfer, legislation in Eswatini and Tanzania requires the DPA and Minister respectively to decide when a transfer is not authorised. In the remaining 13 countries, the law does not specify how the decision is taken, potentially creating legal uncertainty for controllers.
4.6. Automated data processing

4.6.1. AU Convention
Under Article 14.5 of the AU Convention, a person shall not be subject to a decision which produces legal effects based solely on automated processing of data intended to evaluate certain personal aspects. This provision is particularly interesting in the context of digital agricultural services that are increasingly making use of data analytics for decision making, such as the use of mobile phone and other data to assess credit-worthiness of clients, smart contracts that employ blockchains for automatic contract execution, or analysis of weather data to automatically trigger insurance payouts.

National legislation
The majority of countries (23 of 34) prohibit decision-making based solely on automated processing of personal data if it has legal effects, but only four countries impose a similar level of restriction as the AU Convention while the remaining 18 include certain exceptions, most commonly in cases where the processing is required to conclude or implement contracts or if the processing has been authorised by law or the DPA (Table A4 in the Appendix). Some also permit automated decision making if the data subject has given consent and/or has been informed about the processing.
Among the remaining 12 countries that do not explicitly prohibit automated decision-making, four countries allow decision-making based on automated processing, but require data subjects to be informed and/or have the right to object. Seven laws do not include provisions related specifically to automated processing. Uganda is again a special case, putting the onus on data subjects to request from the controller that decisions are not based on automatic processing. Several laws that allow (Madagascar and Nigeria) or do not cover (Botswana, Chad, Egypt and Equatorial Guinea) decision-making based on automated processing were adopted after the AU Convention was finalised.

Data protection policies of digital agricultural services providers
This section presents the results of a review of 106 providers that offer digitally-enabled agricultural services in Africa to assess whether data privacy policies are publicly available on the providers' website, and whether these policies adhere to the requirements of national legislation with regard to (1) the principles governing the processing of personal data and (2) users' rights to their personal data.
The availability and details of the data privacy policies were analyzed in relation to the requirements of national legislation from the relevant jurisdiction. The analysis shows that the large majority of service providers were operating in countries with legislation in place that they were required to comply with (92 percent). Regarding the principles governing the processing of personal data, almost all of the relevant laws cover the six principles of the AU Convention (with the exception of Burkina Faso and Uganda). Regarding users' rights to personal data, almost all of the jurisdictions require the protection of the same four rights as the AU Convention (with the exception of Uganda). Given the substantial overlap between the national legislation and the principles and rights set out in the AU Convention, the provisions in the data privacy policies were compared with the provisions in the AU Convention.

Availability of privacy policies
Out of the 106 service providers, 42 providers (40 percent) publish service-related data privacy policies on their website (as of September 2021). To assess compliance by digital service providers operating in the top four most common relevant jurisdictions (see Section 3.2), the availability of privacy policies of all services operating in that country was assessed. Most services are operating in Kenya (60), followed by Nigeria (33), Ghana (30) and South Africa (20) (Figure 5). The analysis shows that the availability of privacy policies is particularly low in Ghana (with 62 percent of services not providing a policy). The second highest share is found among service providers operating in Kenya and South Africa (55 percent) while 48 percent of the service providers operating in Nigeria do not make a privacy policy available.
Disaggregating the services by primary use cases also shows that for most use cases, the majority of services within each use case do not provide a policy on their website. This is particularly prevalent among services providing procurement and marketing services as well as services that offer multiple uses. Interestingly, a (small) majority of service providers in smart farming do provide a policy. This may be due to the fact that smart farming services are particularly data intensive and their functionality relies on access to data, including personal data. Thus, the companies depend on their users' willingness to supply the data and would therefore have an incentive to assure data protection (Figure 6).
It was not possible to ascertain whether the 64 service providers for which a data privacy policy could not be found on their websites offer related policies to registered users once they sign up to the services. Nevertheless, it can be said that the privacy policies were not readily available for potential users of the service. An assessment of relevant jurisdictions for these services shows that 92 percent are operating in countries with relevant legislation in place and are therefore required to protect the rights to personal data of their users (exceptions include services with the relevant jurisdiction of Cameroon, Côte d'Ivoire, Ethiopia, Tanzania and Zimbabwe 57).

Principles governing the processing of personal data
The 42 privacy policies were analysed to determine whether the principles of the AU Convention set out in Article 13 are reflected in the policies. For the purpose of this analysis, Principle 3 of the AU Convention was divided into 'purpose', 'relevance' and 'storage' since these topics are usually dealt with separately in the policies. The principles assessed therefore include:
(1) consent and legitimacy of personal data processing
(2) lawfulness and fairness of personal data processing
(3) purpose and relevance of processed personal data
(4) storage of processed personal data
(5) accuracy of personal data
(6) transparency of the personal data processing
(7) confidentiality and security of personal data
Out of the 42 data privacy policies that are publicly available, most cover five or six of the principles set out in the AU Convention (21 percent each) while 14 percent cover all of the principles (Figure 7). Of the seven principles assessed, the principle of transparency, which requires organisations to make any information relating to the processing of personal data easily accessible and clear, is most frequently covered by the privacy policies (93 percent of policies), followed by the principle of confidentiality and security of personal data processing (86 percent) (Figure 8). The principle of consent and legitimacy of personal data processing and the principle that requires data collection and processing to be limited to data adequate and relevant for processing for a specific purpose were also found to be common principles, adhered to by 69 and 76 percent of the 42 privacy policies respectively. The principles that were least frequently stated in the privacy policies relate to accuracy, lawfulness and fairness of data processing, and storage of data (52, 40 and 36 percent respectively).

Rights to personal data
As regards users' rights to their personal data, most of the policies include three or four rights of data subjects established by the AU Convention (24 and 36 percent respectively) while 14 percent did not cover any of those rights (Figure 9).
The most common right protected in the policies is the right to obtain information regarding the data collected and processed, the purpose of processing the data, and the transfer of data to third parties (86 percent of the privacy policies; Figure 10). A closer look at the type of information covered shows, however, that among those policies that include the right to obtain information, only 17 percent refer to all types of information listed in the AU Convention, while the rest only cover some types of information. A sizeable number of the privacy policies also provided users with access to their personal data that is collected and processed by the organisation and the right to rectify and erase the data (62 and 67 percent of policies respectively). In contrast, the users' right to object to the processing of their data is least frequently covered by the privacy policies (36 percent).

Agricultural producers and data protection
This section presents findings from a survey in Ethiopia, Ghana and Benin to assess the level of interest among agricultural producers to obtain information about data protection and the extent to which they are already taking steps to protect their personal data. The majority of data is likely to be shared via internet-based applications. The section therefore begins by assessing the prevalence of internet use and characteristics of internet users. The subsequent analysis then focuses especially on internet users who would have access to data privacy policies via apps or websites. Responses of agricultural producers are compared with those of internet users who do not work in agricultural production.

Internet use
A sizeable share of agricultural producers (48 percent) use the internet, although less than those who do not engage in agriculture as their primary occupation (63 percent) (Figure 11). Internet use is significantly lower among agricultural producers than among those who do not engage in agriculture (Table A5 in the Annex). Frequency of use is comparable between the two groups, however. Two thirds of agricultural producers use the internet once or several times per day. However, differences can be observed across countries. In Ghana and Ethiopia, internet use is less widespread among agricultural producers (19 and 23 percentage points lower respectively) and less frequent. In contrast, in Benin, the share of internet users (82 percent of agricultural producers) and the frequency of use are higher than among non-agricultural users. These differences may be due to the high level of education among agricultural producers, among whom 63 percent have completed tertiary education compared to 46 percent among non-agricultural users. In the other two countries, tertiary education is less prevalent among producers than non-producers.
A clear gender bias in internet use can be observed. Among agricultural producers, only 21 percent of women use the internet (compared to 60 percent of men), a considerably smaller share than non-agricultural users among whom 45 percent of women (and 75 percent of men) use the internet. As a result, the sample of female internet users engaged in agriculture is very small (N = 36) which does not allow for gender-disaggregated analysis.
The survey responses also show that internet use consistently increases with level of education, from just 1 percent of agricultural producers without any formal education who use the internet (compared to 10 percent among non-agricultural users) to 88 percent of those with tertiary education (86 percent among non-agricultural users). The correlation analysis results also indicate a positive correlation between internet use and education level.
Internet use is particularly low among youth producers (Figure 12). Specifically, internet use was lowest among 15-24-year-old agricultural producers (24 percent), considerably lower than among non-agricultural users (57 percent). This could be due to the fact that the share of agricultural producers with tertiary education in this age group is considerably lower (13 percent) than among non-agricultural users (33 percent). For the remaining age brackets, the share of internet users ranged between 51 and 55 percent among agricultural producers (64-68 percent among non-agricultural users), with the highest share observed among the 36-40 year olds.
The mobile phone is likely to be the main channel to access the internet, given that 98 percent of agricultural producers who use the internet own a phone, followed by laptops (14 percent). Hardly any agricultural producers own a desktop computer or tablet. Social media are driving internet use; almost all internet users also use social media (99 percent of agricultural producers and non-agricultural users).
[Figure: In the last 12 months, how often have you been using the internet? Source: Authors' own elaboration.]

Seeking information about data protection
To find out whether respondents are actively seeking information about the use and security of their personal data, they were asked whether they have read privacy policies before providing personal data and/or have checked whether the sites through which they send personal data are secure (e.g. using https sites, a safety logo or certificate). A third of agricultural producers do one of the two or both (compared to 39 percent of non-agricultural users). Specifically, just over a third of agricultural producers (34 percent) have read privacy policy statements in the last 12 months (compared to 42 percent of non-agricultural users) and 22 percent have checked whether the website is secure (compared to 29 percent of non-agricultural users) (Figure 13). According to the correlation analysis results, agricultural producers are significantly more likely to seek information about the use and security of their personal data than non-agricultural users.
The level of education also significantly influences the likelihood to seek information about data protection (Table A5 in the Annex). Thus, while 28 percent of producers with secondary education seek such information, this share increases to 37 percent among producers with tertiary education. 58 Language constraints are also relevant. The share of respondents who read the policy is particularly low among agricultural producers who cannot read or write in English and French (15 percent). Younger respondents appear more interested in data protection issues; a third of 25-34 year olds seek information compared to 17 percent among 35-40 year olds. 59
[Figure: Share of internet users by age group and country. Source: Authors' own elaboration.]
A closer look at the data shows differences between countries (Figure 13). Interest in data privacy policies was most prevalent in Ethiopia where almost two thirds of surveyed agricultural producers state that they read privacy policies. Just over a third of agricultural producers in Benin and only 19 percent in Ghana say they do so. The share of agricultural producers in Ethiopia who check website security is also higher than in the other countries, but not considerably so.

Controlling access to personal data
To assess whether users actively protect their personal data, they were asked whether they had restricted access to information about their geographical location, their profile or content on social networking sites, or personal data for advertising purposes.
The analysis shows that 39 percent of agricultural producers (44 percent of non-agricultural users) take steps to control access to their personal data (Figure 14). Almost half of those (49 percent) only restrict access to one type of data, while 31 percent restrict to two and 20 percent restrict to three types of data. The share of agricultural producers who control access to at least one type of information increases with the level of education, from 33 percent with secondary to 45 percent with tertiary education. Younger producers (i.e.) more commonly restrict access to their personal data (39 percent of 25-35 years old) than older producers (28 percent of 36-40 year olds).
Across the entire sample, results are fairly consistent across the three types of personal data and differences between agricultural producers and respondents not engaged in agriculture are not substantial. Around or less than a quarter restricted access to the different kinds of information. Restricting access to social networking profiles or content is most common (23 percent of agricultural producers). The largest differences between agricultural and non-agricultural users are related to geographical information and information shared on social networks.
Differences across countries can again be observed. Mirroring findings from the previous section, the largest share of agricultural producers to take measures to control access is found in Ethiopia (52 percent), followed by Benin (42 percent) and Ghana (28 percent). Countries also differ by the type of data most commonly restricted. While Ethiopian users more frequently restrict access to data on social networks or related to their location, users in Benin (and less prominently so in Ghana) are more concerned about access to personal data for advertising purposes.

Discussion and conclusion
While personal data protection legislation is evolving across Africa, 22 countries still do not have dedicated laws in place despite the adoption of a continent-wide Convention in 2014 and the entry into force of the EU General Data Protection Regulation in 2018.Even in some of the African countries that have ratified or signed the AU Convention, personal data protection laws are still forthcoming.While in some of these countries, adoption of related laws in only a question of time, others appear to be stalling.
Table 2 summarises the results of the comparison between the provisions of the national laws with equivalent provisions in the AU Convention.Only Côte d'Ivoire is in line with all of the Convention's provisions in the six areas assessed in this article while Uganda is the only country that diverges from the Convention in all areas.The spirit of the AU Convention is widely reflected, with its principles and rights covered by almost all of the laws.Shortcomings are found in the institutional framework needed to monitor and enforce laws which could greatly diminishes their effectiveness.Many countries have not appointed DPAs.Importantly, in several countries the DPA is not independent as set out in the AU Convention, thus leaving room for political interference.The main gaps in the laws are found with regard to international data transfer and automated processing where the law in the large majority of countries is less stringent than the AU Convention.
Where personal data protection laws exist, compliance with the legislation among digital agricultural service providers is low, highlighting a lack of enforcement. The majority of providers do not make a privacy policy readily available on their website even though they are required by law to provide users with information about data collection, storage and use. Where privacy policies are available, the large majority do not comply with all of the principles or protect all users' rights over their personal data set out in the national legislation. Compliance was highest among providers of smart farming solutions, although only slightly.
In the absence of data protection laws and regulatory frameworks that sufficiently safeguard farm data, the economics of data may further weaken the bargaining position of farmers. Generally, there is a risk that the so-called 'big data divide', which refers to the divide between the large corporations that decide on the data to be collected, possess the algorithms to process large volumes of data and the expertise to interpret them, and those that do not have these capacities, could shift the power distribution within the network of stakeholders around farms. As a result, a few large corporations could end up monopolising the sector, thereby increasing farmers' dependence on their services. Concerns have also been raised that personal and commercially sensitive data collected by corporations about a farm, its inhabitants and activities could be used in price discrimination and manipulation of farmer behaviour and market outcomes for the benefit of the corporations.
Despite these risks, awareness of data privacy issues among agricultural producers appears limited. Across the three countries studied, only about a third of producers surveyed actively seek information by reading the privacy policy. A slightly larger share, but still the minority, do take steps to protect their personal data. Younger people and producers with a higher level of education appear to be more aware of data protection issues and better able to control access to their data. English and French language barriers are another important constraint. This suggests that the low shares may be due to a lack of knowledge and skills rather than primarily a lack of interest. Therefore, farmers may fail to demand the protection of their data not because they are unconcerned about sharing it, but rather because they are unaware of the need for data protection.
The case of Ghana exemplifies the triple challenges related to legal protection, enforcement and awareness. Ghana is one of the leading countries for digital agricultural services in Africa. The country was one of the early adopters of data protection legislation (2012) and one of the few that has signed and ratified the AU Convention. However, the current law does not follow the AU Convention in several respects, including less restrictive provisions on automated processing of data and none on international data transfers. The latter two provisions would not have been as relevant at the time of adoption when digital technologies were less advanced, highlighting the need to continuously update data protection laws in light of rapid technological changes. Thus, revisions of the Ghanaian law are needed to bring it in line with the AU Convention and adapt it to the new digital realities. Enforcement of the law is also a concern. Among the leading countries for digital agricultural solutions, Ghana has the highest share of providers that do not comply with national data protection legislation. The independence of the DPA is also not assured, potentially weakening its enforcement capabilities. At the same time, producers from Ghana appear least interested in data privacy issues among the three countries surveyed, in particular compared to Ethiopian producers where personal data protection legislation is yet to be adopted. Ghanaian producers may trust providers more with their data because of the legislation in place that they have to comply with, while in Ethiopia, data protection is the responsibility of the individual provider. Given the low compliance among digital service providers, producers should be encouraged to check the available data protection measures even where regulations are in place.
This article has a number of limitations that point to areas for future research. Due to the biased sample, the survey data offers only a preliminary insight into producers' perceptions of data protection issues. More in-depth analyses would be needed to better understand awareness of and interest in personal data protection as well as obstacles that prevent producers from taking measures to control access to their data. In addition, the article does not address the question of how to ensure that producers benefit from the use of their personal data by third parties. Further research into innovative ways to compensate producers for the use of their personal data would be required to address this question.
Finally, the article assesses only personal data protection legislation as a means to protect producers' data. The question arises whether such laws are sufficient to protect all types of farm-level data. 60 With the growth of the Internet of Things and big data analytics, the use of devices for data collection will become increasingly common, e.g. where digital agricultural service providers use soil or moisture sensors, GPS or satellites to collect producer-related data. There is a need to clarify the scope of laws with regard to different types of agricultural data to ensure that measures are in place to protect producers' data, including through additional data protection tools regulated through national legislation where needed.

Figure 1. Jurisdiction for digital service providers used for the analysis. * Burkina Faso, Cameroon, Egypt, Ethiopia, Ivory Coast, Mali, Niger, Senegal, Tanzania, Uganda and Zimbabwe. Source: Authors' own elaboration (as of September 2021).

Figure 2. Digital agriculture service providers by primary use case. Source: Authors' own elaboration (as of September 2021).

Figure 4. AU Convention principles and rights reflected in national legislation. Source: Authors' own elaboration (as of May 2023).

Figure 5. Digital services with and without privacy policies by country of operation (share). Source: Authors' own elaboration (as of September 2021).

Figure 6. Digital services with and without privacy policies by primary use case. Source: Authors' own elaboration (as of September 2021).

Figure Number principles covered by data privacy policies. Source: Authors' own elaboration (as of September 2021).

Figure 8. Coverage of core data protection principles by policies of digital agricultural service providers in Africa. Source: Authors' own elaboration (as of September 2021).

Figure Number rights covered by the privacy policies. Source: Authors' own elaboration (as of September 2021).

Figure 10. Coverage of rights of data subjects in privacy policies of digital agricultural service providers in Africa. Source: Authors' own elaboration (as of September 2021).

Figure 11. Frequency of internet use by country and agricultural profession. Question: In the last 12 months, how often have you been using the internet? Source: Authors' own elaboration.

Figure 13. Internet users who seek information about data protection by country and agricultural profession. Source: Authors' own elaboration.

Table 1. Status of legislation and prevalence of digital agricultural services.

Table 2. Summary of the comparison between national data protection laws and the AU Convention. means that the national laws are in line with the provisions of the AU Convention. It is important to note that the summary only shows the results for a selected number of provisions related to specific topics, not the entire laws. Source: Authors' own elaboration (as of May 2023).

Table A2. Legal provisions on data protection authorities.