The Promise, Limits of African Data Sovereignty

Jun 6 , 2026
By Samuel W. Ugwumba , Jake O. Effoduh

---

In June 2025, while testifying under oath before a French Senate inquiry, Microsoft France's Director of Public & Legal Affairs admitted that the company "cannot guarantee" the data sovereignty of French customers in the event of a legally justified injunction issued by a US Court.

That is because under the 2018 CLOUD Act, US authorities can order any firm headquartered in the United States to hand over the data it controls, regardless of where it is located or which subsidiary holds it. If France, with its world-leading data-protection regime, cannot guarantee that Big Tech will respect its data sovereignty, what can African countries such as Nigeria, Kenya, and South Africa expect?

This question hangs over the continent as governments adopt AI strategies and regulate data flows. The Nigeria Data Protection Act, enacted in 2023 and implemented in March 2025, has established robust protections that its digital-sovereignty bill, if passed, would further strengthen. Kenya's Data Protection Act of 2019 has turned out to have teeth, with Kenyan courts ordering Worldcoin, the iris-scanning venture co-founded by Sam Altman, to delete the biometric data it had collected from hundreds of thousands of Kenyans and suspending a 2.5 billion-dollar health-data-sharing deal with the US on sovereignty grounds.

These countries are not alone. South Africa, Egypt, Rwanda, Ghana, and Senegal have all taken steps toward digital protection and AI governance. The African Union's Continental Artificial Intelligence Strategy, adopted in July 2024, seeks to create a coherent regional architecture to integrate these national efforts (though it remains largely aspirational).

Instead of reluctantly playing catch-up, African countries are actively pursuing digital self-determination, legislating guardrails for how Africans' data are collected, stored, and used. But no matter how sophisticated their regulations, they face inherent structural barriers.

Perhaps most importantly, the Big Tech giants, like Microsoft, Google, Amazon, and Meta, that control the cloud infrastructure on which the continent's digital life increasingly depends, are US firms with African subsidiaries, hindering enforcement action.

For example, Nigeria's regulatory architecture worked as intended when the Federal Competition & Consumer Protection Commission imposed a 220 million dollars fine on Meta in July 2024 (upheld by a tribunal in April 2025) for violating local consumer and data protection laws. But the fine has gone unpaid. Meta's Nigerian subsidiary could not produce the funds on its own, while the US parent corporation was beyond the reach of Nigerian enforcement authorities. (Meta is allegedly preparing to challenge the fine at the Court of Appeal and has reached an out-of-court settlement with the regulators for a separate penalty.)

Nigerian sovereignty over Meta ends at the boundary between subsidiary and parent, the same boundary that the US CLOUD Act ignores. This has fueled a rush to build sovereign cloud infrastructure. But Kenya's experience shows the limits of architectural workarounds. In 2024, Microsoft and G42 (backed by the United Arab Emirates' sovereign wealth fund), together with the Kenyan government, announced plans to build a one-billion-dollar data centre in the country. It was marketed as part of a "trusted data zone," in which data from other countries would be governed by their respective laws even while stored in Kenya.

But geographic localisation overseen by US companies implies sovereignty in name only. The Kenyan data centre, for example, would run on Microsoft Azure cloud services, and Microsoft has a minority stake in G42 and a seat on the company's board. Other leading firms providing data-centre services on the continent, such as Teraco and MainOne, were founded by African entrepreneurs but are now owned by US firms.

Recognising this, France has built more elaborate workarounds: joint ventures such as Bleu and S3NS, where US firms supply technology rather than holding controlling stakes, that function as French legal entities and form an additional layer between French data and US corporate parents. But, as the French Senate inquiry suggests, they have not fully solved the problem.

This is not a story of African regulatory failure. Nigeria, Kenya, and other African countries have well-designed legislation, and their regulatory bodies have shown a willingness to act, while the AU has forged a strategic vision. The problem is that the current conception of data sovereignty rests on a fallacy. The belief that what matters is where data is stored and which national laws govern it. In fact, the binding constraint is where the corporate parent overseeing data is based, and which government can compel that parent.

With this in mind, African governments should take three steps.

They have to design a continental instrument that prohibits African-registered subsidiaries from transferring data to foreign governments absent a treaty basis, modelled on Article 48 of the European Union's General Data Protection Regulation.

Policymakers should ring-fence the most sensitive categories of African data, such as national identification numbers, banking information, health records, and government communications, on infrastructure built and operated by firms wholly owned by an African parent.

Lastly, the African Continental Free Trade Area, whose digital trade protocols remain under negotiation, should be used to condition Big Tech's access to African markets on compliance with African sovereignty provisions.

None of these steps is easy. Each requires a level of coordination that the continent has yet to achieve. But the alternative is accepting that African data-protection laws will apply only to local firms, platforms, and data brokers. Sovereignty that stops at the boundary of corporate America is not yet sovereignty. It is a promise, and fulfilling it requires structural change.

---

PUBLISHED ON Jun 06,2026 [ VOL 27 , NO 1362]

---

[ssba-buttons]