In 2024, the CEO of a West African telecom operator discovers that his subsidiary's consolidated financial data, hosted on a cloud BI platform, is physically stored in a datacenter in Ireland. The national regulator has just adopted a decree requiring the localisation of financial data on national territory. The operator has six months to comply — and must choose between migrating its infrastructure, switching platforms, or negotiating an uncertain exemption.
This scenario is neither hypothetical nor rare. As African organisations accelerate their digital transformation, data sovereignty is becoming a first-order strategic issue — and a technology selection criterion that most decision-makers seriously underestimate.
The question is no longer "do we need the cloud?" but "do we know where our data goes and who can access it?"
The legal framework: a patchwork under construction
The Malabo Convention: continental ambition
Adopted in 2014 by the African Union, the Malabo Convention on Cybersecurity and Personal Data Protection constitutes the first continental framework. It requires signatory states to establish data protection authorities, define rules on the collection and processing of personal data, and regulate cross-border transfers.
The problem: more than ten years after its adoption, the Convention has been ratified by only about fifteen countries. Effective implementation remains uneven. Most states have legislated independently, creating a fragmented regulatory landscape that multi-country organisations must navigate carefully.
National laws: divergent approaches
In Côte d'Ivoire, Law No. 2013-450 on personal data protection and its 2024 implementing decree assign ARTCI the role of regulatory authority. The text requires prior declaration for any personal data processing and regulates transfers to third countries — without, however, explicitly mandating data localisation on Ivorian territory. However, the Information Systems Master Plan (SDSI 2026-2030) mentions digital sovereignty as a strategic priority, suggesting future tightening.
In Senegal, the Data Protection Commission (CDP) enforces a 2008 law that requires prior authorisation for transfers outside the territory. Nigeria, with the Nigeria Data Protection Regulation (NDPR) of 2019 then the Nigeria Data Protection Act of 2023, adopted a stricter framework requiring organisations to demonstrate an "adequate level of protection" in the destination country. Kenya, with its Data Protection Act of 2019, follows similar logic.
Where is your data? The invisible geography of the cloud
Microsoft Azure and Power BI
Microsoft operates two Azure regions in Africa: South Africa North (Johannesburg) and South Africa West (Cape Town), operational since 2019. A Nigeria region has been announced but is not yet fully operational for all services at the time of writing.
In practice, when an Ivorian organisation subscribes to Power BI or Microsoft Fabric, its data is hosted by default in the nearest Azure region with the required capacity — often Europe (Netherlands or Ireland) for francophone tenants. It is technically possible to choose the South Africa region, but this requires explicit tenant configuration and may have implications for latency and cost.
The critical point: the majority of African organisations do not know which Azure region holds their data, because nobody asked the question during tenant provisioning. This is a dormant legal risk.
Five questions every leader must ask
First: in which physical jurisdiction is our data stored? Not "in the cloud" — in which datacenter, in which country, under which legislation?
Second: who can access our data and under what authority? The US Cloud Act of 2018 allows American authorities to request access to data held by US providers, even if physically hosted outside the United States.
Third: what happens if regulations change? If tomorrow your country mandates financial data localisation on its territory, can you migrate your infrastructure in six months?
Fourth: do we have a reversibility plan? If you must change platforms, can you extract your data in an exploitable format? Are semantic models, DAX measures, and reports portable?
Fifth: does our team understand these issues? Data sovereignty is not solely a technical issue. It is a governance matter involving the CIO, legal counsel, CFO and CEO.
Hybrid architectures: pragmatism as doctrine
Faced with this complexity, some organisations opt for hybrid architectures. The principle is straightforward: sensitive data (financial, personal, regulatory) remains on local or regional infrastructure, while aggregated and anonymised analytical data can be processed on the public cloud to benefit from computing power and advanced tools.
Microsoft Fabric, for example, enables this approach through OneLake and data gateway capabilities that connect on-premise data sources to the cloud without physically moving raw data. Aggregation calculations run locally, and only results flow to the cloud dashboard.
What this means for your BI project
If you are launching or relaunching a Business Intelligence project, data sovereignty is no longer a topic "for later." It is a design criterion that influences platform choice, technical architecture, budget, and project governance.
Ignoring this topic means risking a complete rebuild in two years when regulation catches up with your infrastructure. Integrating it from the start means building a system that will still be compliant in five years — regardless of which direction the laws evolve.
Sources and references
This article compiles information from public sources and official cloud platform documentation. It does not constitute legal advice.
Continental framework: African Union — Malabo Convention on Cybersecurity and Personal Data Protection (2014) · AU — Ratification Status (updated 2025).
National legislation: Côte d'Ivoire — Law No. 2013-450 · Senegal — Law No. 2008-12 · Nigeria — Data Protection Act (2023) · Kenya — Data Protection Act (2019).
Cloud infrastructure: Microsoft — Azure Geography Availability (2025) · AWS — Africa (Cape Town) Region · US Congress — Cloud Act (2018).