One of the defining themes that emerged from the Connected Africa Summit 2026 was the growing centrality of trust within Africa’s digital transformation agenda. The discussions reflected a clear evolution in the continent’s digital policy discourse, moving beyond traditional concerns of access and connectivity towards more fundamental questions of governance, accountability, and confidence in digital systems.

Across multiple sessions, policymakers, regulators, and industry players grappled with a shared set of questions. Should policy and regulatory frameworks be harmonised across jurisdictions? How does data privacy differ between contexts such as Nairobi, Kenya and Kampala, Uganda? Are there sufficient cybersecurity safeguards in place to protect shared digital assets and systems? Should data be centralised within a single system, and where should critical data infrastructure and data centres be located?

During one of the sessions on digital identity systems, the government quipped: “The Government knows your face, here is why you should trust it. While the politics of regulating morality remain broad and complex, this platform will focus more narrowly on the evolution of technology and digital policy.

A few years ago, discussions were largely centred on enabling access and expanding connectivity. Over time, however, these have shifted towards a more fundamental concern: how trust is built and sustained in systems that are increasingly data-intensive, interconnected, and interdependent.

In the current phase, where interconnection has become the norm, trust has taken on a structural and geopolitical dimension. It now extends to questions of where data is stored, who governs it, how it is used to train models, and whether cross-border systems can be relied upon. Issues such as data sovereignty, digital identity systems, and cybersecurity resilience have elevated trust from a supporting consideration to a central pillar of policy design.

In the African context, and as reflected at the Summit, this evolution is particularly evident. Without seeking to resolve every dimension of the debate, discussions increasingly converged around cross-border data flows. This theme generated some of the most intense exchanges between industry players and governments, while also signalling the direction of travel for the continent’s emerging digital policy agenda.

Trusting Data Across Borders: The Core Tension

Within the broader discourse on trust, the tension between data localisation (and, more broadly, digital sovereignty) and cross-border data flows has emerged as a central fault line in most discussions. For proponents of localisation and stronger sovereignty models, data processing is inseparable from strategic national interests. This is especially true in sensitive domains such as identity systems, electoral infrastructure, public finance management, and healthcare, where confidence in how data is stored, accessed, and governed is closely tied to institutional legitimacy.

The rationale for localisation in these contexts is grounded in three key trust considerations. First, it is seen as strengthening national security by reducing exposure to foreign surveillance, extraterritorial legal reach, and external access risks. Second, it reinforces regulatory trust by ensuring that domestic authorities retain effective oversight and enforcement authority over critical datasets. Third, it supports economic trust objectives by anchoring digital infrastructure locally and retaining value creation within the domestic economy.

From a risk perspective, cross-border data flows can introduce trust deficits if not properly governed. Data moving across jurisdictions may face heightened exposure to cyber threats, including breaches and ransomware attacks. There are also concerns around transparency and purpose limitation, where data may be reused beyond its original intent without sufficient user awareness or consent. In cross-border environments, individuals may experience reduced visibility and control over how their data is processed, while divergent legal regimes can create uneven levels of protection. Enforcement complexity further compounds these challenges, particularly where data is processed outside domestic regulatory reach, limiting the effectiveness of national oversight mechanisms.

At the same time, regulatory approaches increasingly recognise that cross-border data flows are essential to sustaining trust in the modern digital economy. They enable organisations to operate across multiple jurisdictions, improve efficiency by accessing global cloud infrastructure, and support innovation in data-intensive sectors such as artificial intelligence. They also facilitate international cooperation in areas such as cybersecurity response and law enforcement coordination, which are themselves critical to maintaining trust in digital ecosystems.

Finding Trust in a Complex Environment

Against this backdrop, there is growing recognition that neither unrestricted openness nor rigid localisation fully reflects the realities of today’s interconnected digital systems. The African Union’s Data Policy Framework offers a useful reference point, setting out three broad models for governing cross-border personal data flows. The first is an open transfer regime, which allows relatively free movement of data across borders with minimal prior approval, relying on industry standards and voluntary safeguards. The second is a conditional transfers regime, which permits cross-border flows subject to defined safeguards that seek to balance openness with protection. The third is a limited transfer model, which prioritises national security and public interest considerations, often through localisation or mandatory in-country storage requirements.

At the core of this framework is the principle of adequate protection, under which cross-border transfers of personal data are generally permitted only where the receiving jurisdiction ensures a comparable level of protection. The emphasis is therefore not on restricting data flows but on ensuring that protection standards accompany the data across jurisdictions, supported by structured safeguards and cooperation mechanisms.

In practice, most African jurisdictions that have enacted data protection laws have gravitated towards conditional transfer models rather than strict localisation or fully open regimes. South Africa, under the Protection of Personal Information Act, permits cross-border transfers where there is either adequate protection in the receiving jurisdiction or appropriate safeguards in place. Kenya follows a broadly similar risk-based approach under its own data protection framework. In both cases, data flows are permitted but subject to conditions intended to ensure accountability, even where enforcement capacity and compliance certainty vary in practice.

Singapore provides another instructive example. Under its Personal Data Protection Act, organisations are required to ensure that any overseas recipient of personal data provides a standard of protection comparable to that required domestically, effectively embedding an adequacy obligation at the organisational level so that safeguards remain attached to the data regardless of location.

Across these examples, a clear pattern emerges. Trust is increasingly operationalised through adequacy-based regimes, where cross-border data flows are permitted only where equivalent standards of protection can be demonstrated.

Alongside this, emerging concepts such as data embassies, conceived as diplomatic extensions of national data environments, and regional data centres, proposed as shared infrastructure solutions in capacity-constrained contexts, point to evolving hybrid approaches. These were posited as viable pathways for solving trust.

The Summit underscored that Africa’s digital transformation is entering a more mature phase, where infrastructure expansion alone is no longer sufficient without corresponding attention to trust. As digital systems become more embedded in everyday life, the credibility of technology solutions will increasingly determine the pace and legitimacy of digital growth.