Locked In: How African Data Protection Laws Move from Shield to Lever

When Kenya’s High Court suspended a bilateral health agreement with the United States in December 2025, domestic law disrupted a $2.5 billion health cooperation agreement. Kenya’s High Court cited a legal framework, including its Data Protection Act of 2019 and Digital Health Act of 2023, to halt the process. That holding was not an aberration. It reflects the intended operation of a broader legal architecture that more than 40 African countries have constructed over the past decade. In several cases, that architecture now operates without judicial intervention. Ghana and Zimbabwe have each halted negotiations over comparable health data agreements, citing concerns grounded in domestic data governance frameworks. The pattern is consistent: Cross-border data arrangements that do not align with domestic law are increasingly blocked at the threshold.

Africa has a legal lock on its data. Since 2001, beginning with Cabo Verde, more than 40 African countries have enacted data protection laws as binding legal instruments rather than aspirational policy documents. Data protection law sets the legal conditions under which personal data, including health, biometric, and genetic information, is collected, stored, transferred, and used, and establishes the conditions that position data as a regulated economic resource. These laws have created a structural shift in how data is governed. Data that was once treated as a freely extractable resource, available to international partners through financing or diplomatic leverage, is now subject to domestic law. Access is conditional and negotiated within legal systems, not above them.

The implications are direct, as Washington has found in its bilateral health agreements with Kenya, Ghana, Zimbabwe, and Zambia under the Trump administration’s America First Global Health Strategy (AFGHS). Certain countries have validated the continent’s data protection architecture; however, it should now be used not just to block agreements that fall short but also to condition access to data on African governments’ own terms. The AFGHS is America’s new approach to health aid, structured through memoranda outlining the amount of support for funding health care workers, developing data systems, operational support, and partner country co-investment and performance obligations. More than 20 African countries have signed such agreements, all built from the same template and aimed in part at stopping the spread of disease. Achieving that objective depends on epidemiological monitoring and continuous access to health data, including disease surveillance records, electronic health information, genomic sequences, and biological materials. The demand to access this data has led to the conflict with domestic law. The agreements provide for health data sharing with the United States to enable this, yet health data is not like any other data. It is classified globally and in the U.S. as sensitive personal data subject to heightened legal protections.

These restrictions go beyond access. The same provisions that restrict data transfers also govern how data may be further processed and commercialized downstream, giving originating jurisdictions legal authority over value derived from their data long after it is shared. This matters because citizens’ data is considered a national asset with implications for sovereignty and value creation. Nowhere is this more consequential than in artificial intelligence (AI). High-quality health data, including genomic sequences, disease surveillance records, and electronic health information, is a primary input for AI model training and validation. Access to African data at scale is therefore not merely a public health matter. It determines who can build, commercialize, and ultimately control AI systems in health and related sectors. Continental and national regulatory frameworks reflect this strategic dimension. The African Union’s Data Policy Framework, adopted in 2022, characterizes data as a sovereign economic asset and calls for governance mechanisms to ensure value derived from that data is retained within the continent.

Kenya illustrates this further. The Kenya Cloud Policy (2024) requires certain categories of sensitive data to be stored within accredited local infrastructure. The Data Protection (General) Regulations (2021) govern how personal data may be processed, with direct implications for its use in training AI systems. The Kenya Artificial Intelligence Strategy similarly identifies data as a strategic asset. Taken together, these instruments show that data localization is not merely a compliance requirement. It constrains where AI development can occur and on whose terms. The legal architecture governing data access has expanded in ways that directly impact U.S. government programs and private-sector actors operating on the continent. This has brought a bigger question into focus: Who benefits from the data once it is shared?

A central point of contention for countries that have halted health data agreements concerns benefit accrual. The memoranda of understanding do not specify how shared data may be further processed or how value derived from that data, whether scientific or commercial, is to be allocated. This omission creates a material gap. Once data transfers, downstream use is possible, but the terms governing who benefits and under what conditions are undefined. Zimbabwe’s rejection of a $367 million health aid agreement illustrates this dynamic. The government cited the absence of provisions ensuring that it would benefit from medical innovations derived from its own health data. Kenya and Ghana raised similar concerns in their respective negotiations. This silence on downstream value is not a drafting oversight. It is a structural vulnerability, and domestic data protection laws are now being used to close it by bringing downstream use and value allocation within the scope of legal control.

African data protection laws address this issue directly. Zimbabwe’s Cyber and Data Protection Act of 2021 permits further processing of genetic, biometric, and health data only under conditions set by the Data Protection Authority, which may “specify the conditions under which such processing may be carried out.” Ghana’s Data Protection Act of 2012 and Kenya’s Data Protection Act of 2019 contain parallel provisions: Further processing is allowed only where it is compatible with the original purpose of collection, or where separate authorization is obtained. The implication is operational. The originating jurisdiction, not the recipient, sets the terms governing data use. These provisions function as the legal mechanism through which data protection authorities regulate downstream processing and, by extension, the conditions under which data may be commercialized. The problem is not that the law is insufficient. The problem is that agreements are signed as though the law does not exist, except where governments have been willing to invoke it. Kenya’s courts halted implementation precisely on these grounds. Zimbabwe, Ghana, and Zambia rejected or stalled negotiations citing the same domestic frameworks. These are not anomalies. They are the law working as designed.

Zambia’s case illustrates this further. The proposed memorandum of understanding over data sharing provisions and mining concessions for U.S. companies has remained in limbo. On the data question specifically, the government has cited conflicts with domestic data protection law, and the terms themselves are lopsided: The agreement would commit national health data for 25 years in exchange for five years of financial assistance. This asymmetry has drawn scrutiny under Zambia's data governance framework, particularly with purpose limitation and long-term control over sensitive data. Taken together, these cases are African data protection laws discharging precisely the function they were designed for: protecting personal data, regulating its flow, and positioning it as a sovereign economic asset whose terms of access are set domestically. Political agreements do not override data protection laws. A billion-dollar health assistance deal does not either. The law is not moved by the size of the agreement or the names on it.

There is a second-order implication in this landscape. The locked-in effect is not only a compliance constraint for external partners. It also tests whether domestic legal systems can hold under conditions of asymmetric bargaining power. Health data agreements are often negotiated in the context of external financing, where governments face fiscal constraints and pressure to deliver essential services. The risk is not that courts will fail to apply the law, but that political and fiscal pressures will prevent any issues with the agreements from ever reaching the courts.

That risk is evident in the record. The more than 20 African countries that have already signed health data agreements with the United States did so, in many cases, under domestic data protection frameworks containing provisions directly relevant to those deals, yet without corresponding legal challenge. Kenya is the exception rather than the norm. And even Kenya’s lesson is limited: Judicial recourse exists, but it is reactive. Litigation after the fact is not a governance strategy. It underscores a constraint that lies outside the domain of the courts: the conditions under which agreements are negotiated, and the fiscal pressures that determine whether governments are willing to exercise their legal authority at all.

This raises a silent contradiction found in the framing of the AFGHS. The U.S. health aid strategy is designed to help countries transition away from donor dependency toward self-sustaining national health systems. Yet as currently structured, the agreement template positions partner countries primarily as data providers, without clear provisions governing downstream value or how that value can be accrued back to these countries, which are strapped for health financing. This creates a misalignment with the stated objective of self-sufficiency and economic empowerment. The locked-in effect, properly leveraged, can reshape this dynamic. Countries can develop subsidiary agreements that define the terms of cooperation; bring data access, downstream use, and value allocation within enforceable legal frameworks; and tie data access to economic returns that support self-sustaining health systems across the continent.

The data protection architecture was built as a shield but also to position data as a sovereign economic asset. That second purpose should now come to bear. African countries have spent a decade constructing the legal architecture that gives them standing to say no to data arrangements that do not serve their interests. The same legal architecture that enables governments to restrict access can define the terms granting access, including how to allocate value, to whom, and over what time horizon. This is the more consequential shift. Saying no to agreements that leave downstream value undefined is a legally defensible position. Saying yes on terms that convert health data into a self-funding mechanism for national health systems is the more strategically consequential one, for both sides. The Kenya, Zimbabwe, Ghana, and Zambia cases should not be closed doors, but a pathway to reopen negotiations on different terms. The United States requires access to high-quality data to deliver on the AFGHS vision. African countries require both health assistance and pathways to new economic value to move beyond aid dependence. Neither achieves its objectives without the other.

Africa’s data is locked in. The key exists. But it turns only when both sides are prepared to negotiate differently.