Business disputes are becoming more frequent and costly, as organisations grapple with rapidly evolving risks such as digital transformation, increasing accountability around sustainability requirements, supply chain challenges and heightened cybersecurity incidents.
Kylie Slambert, Associate, Dispute Resolution Practice, Baker McKenzie Johannesburg
In Africa, where diverse jurisdictions, legal frameworks and business environments co-exist, the demand for compliance lawyers has surged as regulators double down on enforcement. All businesses operating in Africa must ensure they are not only compliant with local and regional laws but also that they are aware of any extraterritorial legislation that may impact their operations and business outside of their regional headquarters.
Data protection and security
Rapidly evolving digitalisation has highlighted the high value of personal data to businesses around the world while also shining a light on its susceptibility to abuse and attack. Countries in Africa have responded by reviewing their data privacy and protection laws. In South Africa, the Cybercrimes and Cybersecurity Act and the Protection of Personal Information Act are new laws that will bring the country’s data protection and cybersecurity legislation in line with global standards.
Other countries in Africa have implemented similar legislation, but data privacy laws are lacking in many more. Considering the current rapid move to digitally-focused business models, the implementation of these legal protections and guidance in Africa has become urgent.
Data privacy laws, which govern, among other things, data security and breaches, are currently present in less than half of African countries. Regionally, the Southern African Development Community and the Economic Community of West African States have data protection policies in place and the continent is also covered by the Convention of the African Union on Cybersecurity and Personal Data (2014) (Convention).
As of September 2023, 15 of the 55 AU member states had ratified the Convention and deposited their instruments of ratification. South Africa has signed but not ratified the Convention, while neither Kenya nor Nigeria have signed it yet. The last two countries to ratify the convention and deposit their instruments of ratification were Côte d’Ivoire and Mauritania.
Legislation governing the digital economy is essential to protect African citizens in terms of both their digital privacy rights and cybersecurity threats, while at the same time also ensuring that their online freedoms are not threatened. The AU has been encouraging its member states to sign the Convention and implement balanced local legislation that is fully enforceable and respects human rights.
ESG compliance risks
As companies increase their environmental, social, governance (ESG) reporting and statements in response to market and shareholder demands, there has been an increase in legal challenges to a business’s claims and disclosures related to ESG performance. Similarly, inventive theories are being put forward to attack companies for alleged ESG-related performance and operational deficiencies.
There has also been an increase in efforts to hold companies accountable for supplier misconduct. Expanding ESG litigation signals a rising need to carefully manage ESG programmes, performance and statements and to guard against greenwashing at all costs.
Authorities in jurisdictions around the world have been making it clear, green claims on products and services will be under increasing scrutiny going forward. The act of greenwashing is the process of making incorrect and unsubstantiated environmental claims about a product of service. This could include making claims about a product’s carbon footprint, the materials used to make products and where they were sourced, and fair-trade claims, for example.
While South Africa has not yet announced specific greenwashing regulations, consumers are able to lodge greenwashing complaints through the Consumer Protection Act (2008). The Act prohibits the use of false, deceptive, or misleading information during the marketing of goods or services, and provides statutory remedies for enforcement.
Further, the Advertising Regulatory Board also encourages consumers or businesses to let them know about environmental claims and statements that cannot be substantiated so that they may be investigated.
In 2022, the Johannesburg Stock Exchange published new guidance on sustainability and climate disclosure for listed companies. The guidance provides listed companies with international best practice information for environmental, social and governance reporting, so that they may align with rapidly changing global standards around sustainability reporting.
Third party conduct
Areas of interest to law enforcement and other regulatory authorities include the appointment of third parties, whether as agents, distributors, or other general contractors, as well as the integration of newly acquired operations.
Companies that rely on the support of third parties in their regional business operations, whether these third parties are procuring local licenses, rendering services or obtaining and maintaining business, need to be aware that the unlawful conduct of such third parties has become grounds for prosecutions of the companies that appoint them.
Similarly, a failure to integrate newly acquired businesses following mergers and acquisitions also results in significant fines and penalties arising out of the potential non-compliant conduct of new business units.
Sanctions due diligence
Sanctions due diligence has become an absolute necessity in the context of risk assessments carried out either on the appointment of a third party in a high-risk environment, or when establishing or expanding operations in a new jurisdiction.
Organisations operating in Africa should ensure that they can implement coordinated legal advice and have access to sanctions data across multiple jurisdictions, as a lack of compliance with sanctions regimes can incur significant fines or imprisonment.
Multinational companies must ensure they have updated information about sanctions regimes that are currently in force in all jurisdictions in which they operate. As part of their risk assessment, they should ensure that their supply chains are free of sanctioned links, especially if such chains are complex and move through multiple jurisdictions.
Due diligence and risk assessments
While most businesses tend to commence compliance investigations as a reactive measure, businesses should also be proactive in managing their exposure to compliance risk. Conducting ongoing risk assessments is essential in an increasingly high-risk environment. Given the potentially significant damage to a company’s reputation by affiliation, companies should carefully screen their business partners and customer lists.
Further, ensuring full compliance with local regulations is essential for companies operating in Africa. Compliance with local laws, avoiding “fronting” offenses, and conducting targeted risk assessments tailored to the company’s operations are crucial. This includes investigating reports of illegal activities and promptly remediating identified issues.
Businesses operating on the continent should prioritise proactive compliance strategies, thorough due diligence and continuous risk assessments to mitigate disputes and safeguard their reputation. In this evolving environment, compliance lawyers specialising in African jurisdictions play a pivotal role in facilitating legal compliance and dispute resolution for businesses across the continent.