Africa is continuing to strengthen its data protection legal and regulatory framework. To date, thirty-six out of fifty-four African countries have data protection laws and/or regulations. Sixteen countries have signed the African Union Convention on Cyber Security and Personal Data Protection adopted on 27 June 2014 (“Malabo Convention”) and thirteen countries have ratified it, the latest being Niger.
2022 was a year of consolidation of the existing laws and a year (probably not the last) of unprecedented enforcement.
Below are the latest key developments in data protection laws and an outlook for 2023.
On 4 March 2022, Eswatini’s first piece of legislation on data protection was published in the Government Gazette. The Data Protection Act, 2022 (“Eswatini DP Act”) applies to controllers and processors whether or not domiciled or having their principal place of business in Eswatini, who use automated or non-automated means in Eswatini for forwarding personal data.
The Eswatini DP Act sets out the general principles covered by GDPR and the data protection laws of most African countries, including, amongst others, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. It also lists the legal bases for processing personal data, as follows: (i) explicit consent, which is defined as “any voluntary, specific and informed consent communicated expressly by spoken or written words in terms of which a data subject agrees to the processing of personal information relating to a data subject”, (ii) necessity for the conclusion or performance of a contract to which the data subject is a party, (iii) necessity for compliance with a legal obligation to which the data controller is subject, (iv) necessity to protect the legitimate interests of the data subject, (v) necessity for the proper performance of public law duty by a public body, (vi) necessity for the pursuit of the legitimate interests of the data controller or of a third party to whom the information is supplied. Eswatini follows the East African trend of recognising the controller’s legitimate interest as a legal basis for processing personal data.
Under the Eswatini DP Act, sensitive data includes children’s data and biometric data, amongst others, and it may be processed in limited circumstances.
Data breaches must be reported to the data protection authority and the data subject as soon as reasonably possible after the discovery of the compromise. There are no timeframes enunciated in hours or days.
Under the Eswatini DP Act, data subjects have the right to information and access to their data, the right to object to their data being processed, the right to rectification and the right to erasure.
It is not mandatory to appoint data protection officers.
Eswatini is amongst the few African countries that gave already-existing regulators the power to regulate and enforce data protection. Here, the authority in charge of data protection is the Eswatini Communications Commission, established under the Eswatini Communications Commission Act, 2013. The other countries that have adopted a similar institutional approach are the Ivory Coast, Chad, Zimbabwe, Rwanda and, until 2022, Nigeria.
Data controllers must notify the Communications Commission of their processing activities. Transborder data flows are subject to relaxed conditions where the importing jurisdiction is a Member State of the Southern African Development Community, otherwise known as SADC.
The penalties for not complying with the Eswatini DP Act include a fine of up to 100,000,000 Emalangeni (approx. USD 5,507,000), 5% of the data controller’s annual turnover and/or 10 years’ imprisonment to be served by the head of the data controller if the offender is a juristic person.
The Personal Data Protection Act 2022, Act No. 11 of 2022 (“Tanzania DP Act”) was passed and assented to by the President of Tanzania in November 2022. That year also saw the enactment of a revised Electronic Transactions Act and an Electronic and Postal Communications Act.
The Electronic Transactions Act, 2022 covers electronic direct marketing and provides for a soft opt-in consent mechanism on the conditions that (i) the recipient’s contact details and other personal data were collected by the sender in the course of a sale or negotiations for a sale, (ii) the sender only sends promotional messages relating to its similar products and services to the recipient, (iii) the sender had offered the opportunity to opt out and the recipient declined to opt out and (iv) an opportunity to opt out is provided by the sender to the addressee with every subsequent message. The sanction for not complying with the provisions on direct marketing is a minimum of 1 year’s imprisonment and/or a minimum fine of 10,000,000 shillings (approx. USD 2,277).
The Tanzania DP Act will enter into force on a date to be specified in the Government Gazette. The general data processing principles are those covered by GDPR and include lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.
The Tanzania DP Act provides for the following data subject rights: the right of access to personal data, the right to object to processing carried out for commercial advertising purposes, the right not to be subject to automatic decision making under some circumstances, and the right to correction, blocking and erasure of personal data. The transparency requirement is not as extensive as the obligations set out in the laws of most African countries with a privacy regulatory framework.
The regulatory authority instituted under the Tanzania DP Act is the Personal Information Protection Commission (“Commission”). Data controllers and data processors are required to register with the Commission. The registration certificate issued by the Commission is valid for five years, renewable on application.
The sanctions for not complying with the Tanzania DP Act include an administrative fine of up to 100,000,000 shillings (approx. USD 42,743). In addition, the Commission may order the payment of damages to the injured data subjects.
Changes in existing laws
On 14 October 2022, Ugandan President, Yoweri Museveni, signed into law the Computer Misuse (Amendment) Act, 2022. The amended Act prohibits the sharing of data relating to a child through a computer without authorisation from parents or guardians. The sentence for not complying with this restriction is a fine of up to 750 currency points and/or 7 years’ imprisonment. The law also prohibits sending unsolicited information, which is defined as “information transmitted to a person using the internet without the person’s consent, but does not include unsolicited commercial communication”. It can be concluded that direct marketing is out of the scope of this definition.
Regulations and Guidance
Algeria legislated on data protection in 2018 with Law No. 18-07 of 25 Ramadhan 1439, corresponding to 10 June 2018 on the Protection of Individuals in the Processing of Personal Data (“Algeria DP Act”). Almost four years later, the chairman and the members of the National Authority for the Protection of Personal Data (“National Authority”) were appointed pursuant to Presidential Regulation No. 22-187 of 17 Chaoual 1443, corresponding to 18 May 2022. The National Authority is now operational.
Although the Algeria DP Act entered into force in 2018, it provides that the one-year compliance grace period commences upon installation of the National Authority. Amongst the compliance obligations to be met by the end of the grace period is the requirement for data controllers to register with the National Authority.
Further to the entry into force, in 2021, of the Botswanan Data Protection Act, 2018, the Government adopted the Transfer of Personal Data Order in July 2022. Pursuant to the Order, the Minister declares that personal data may be transferred to the following jurisdictions: all 27 European Union (“EU”) Member States, the 3 non-EU Member States which are members of the European Economic Area, namely Norway, Iceland and Liechtenstein, and the non-EU Member States which are deemed adequate by the EU Commission, i.e. Andorra, Argentina, Faroe Islands, Guernsey, Israel, Jersey, New Zealand, South Korea, Switzerland, the United Kingdom, Uruguay, and two African countries which are Kenya and South Africa.
Pursuant to its mandate to facilitate conciliation, mediation and negotiation of disputes related to data protection law, the Office of the Data Protection Commissioner (“ODPC”) recently published the Alternative Dispute Resolution Framework & Guidelines to serve as a guide on settling data protection disputes by means of ADR, with a view to decluttering the ODPC by reducing the number of complaints it receives. The guidelines cover, amongst others, legal and professional advisors in ADR, facilitators, conduct of the parties, management and procedures in ADR sittings, expert evidence, and settlement procedures and approvals.
The Malian Data Protection Authority (“APDP”) issued General Rules (i) on CCTV in private locations and at the work place, (ii) on the data processing conditions when carried out by public and private organisations as well as individuals in the context of litigation and decisions issued and (iii) on the processing of geolocation data in vehicles made available to employees.
The Niger data protection authority (“HAPDP”), which became operational in 2021, recently issued a number of rules and orders, including (i) a general decision on the guide to the procedure for sanctions in the event of non-compliance with data protection law, (ii) a general decision on the exemption from the obligation of prior declaration for CCTV, (iii) a general decision on the installation and operation of CCTV in workplaces, (iv) a general decision on the conditions for setting up CCTV, (v) an order fixing the fees charged for declarations of CCTV, (vi) an order determining the characteristics and acquisition fee for the CCTV signage pictogram, (vii) an order fixing the fees due to the HAPDP for the issuance of annual authorisations for the data controller categories in the general education and professional and technical training sector, (viii) an order fixing the fees due to the HAPDP for the issuance of annual authorisations for the categories of data processors who are self-employed, and (ix) an order fixing the fees due to the HAPDP for the issuance of annual authorisations for the categories of data processors working in health care.
Rwanda’s supervisory authority, the National Cybersecurity Authority (“NCSA”), issued a number of guidelines on its website, after the enactment of Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy, 2021. The guidelines include: registration of a data protection officer, privacy policies, right to object, right to portability, rectification and erasure, protection of children’s data, key principles for processing personal data, identifying the role as controller or processor and a general FAQ.
The Senegal Data Protection Commission published a general decision on personal data processing in the context of statistics, polls, surveys and marketing studies. The general decision requires evidence of consent, and, in some instances, data retention for no longer than 3 months as well as the obligation to anonymise the personal data. Unlike the Data Protection Act, 2008, the general decision directly imposes obligations on data processors.
More recently, in December 2022, the Data Protection Commission issued a general decision on the processing of personal data for political campaigning, with strengthened data subject protection.
On 7 October 2022, the Information Regulator issued its first Codes of Conduct; one for the Credit Bureau Association and the other for the Banking Association of South Africa. Both associations had applied for the issuance of their codes. The codes came into effect on 5 November 2022.
The Information Regulator also issued guidelines on notification of security compromises. Under those guidelines, the data controller must notify the Information Regulator of security compromises as soon as possible after they occur using a PDF fillable notification form available on the Information Regulator’s website.
The Ugandan Personal Data Protection Office (“PDPO”) issued a registration classification and guidance note for the application for registration and renewal of registration in application of the Data Protection and Privacy Regulations, 2021. The PDPO has made available to data subjects the following forms on its website: (i) Notice of Objection to Collection and Processing of Personal Data, (ii) Application for Renewal of Registration, (iii) Undertaking not to Process or Store Personal Data, (iv) Certificate of Registration, (v) Application for Certified Copy of Extract Entry in Register, (vi) Complaint Concerning Processing Personal Data without Appropriate Security Measures, (vii) Notification of Data Breach, (viii) Request to Confirm Possession of Personal Data, (ix) Complaint Concerning Inaccurate Personal Data in the Possession of a Data Controller, and (x) Complaint Concerning Infringement or Violation of the Act.
The supervisory authority has issued Draft Regulations to the Cybersecurity and Data Protection Act, 2021. The draft regulations cover the following subjects: (i) licensing and registration of data controllers, (ii) data protection officers, (iii) processing for legitimate interests, (iv) processing of health data, (v) codes of conduct, (vi) security of data and (vii) breach notification. The draft regulations also include pro forma documents to complete and submit to the supervisory authority.
Further to the enactment of the Data Protection Act, 2018, which provided for the creation of the Information and Data Protection Commission, decisive moves were made towards the establishment of this institution in 2022 with the appointment of Ms. Kepaletswe Somolekae as the Commissioner. The authority is not yet operational, but it can be expected to be running by the end of 2023.
Five years after the enactment of the Data Protection Act (Law No. 2017-020 of 22 July 2017), the Mauritanian Government adopted, in February 2022, the Regulation on the Composition, Organisation and Functioning of the Data Protection Authority. A few months later, members of the Data Protection Authority were sworn in, including its chairman, Mr Mohamed Lemine Sidi. The authority is not yet operational but is expected to be in place and running in 2023.
Until 2022, Nigeria’s ICT authority, the National Information Technology Development Agency (“NITDA”), was in charge of data protection, as provided under the Nigeria Data Protection Regulation, 2019 (“NDPR”).
In February 2022, the Nigerian President, Muhammadu Buhari, approved the establishment of the Nigeria Data Protection Bureau (“NDPB”). The NDPB’s role is to focus mainly on data protection and privacy by, amongst others, consolidating the gains of the NDPR and supporting the process for the development and adoption of the first act of parliament governing data protection. The authority of the NDPR has been disputed, the main argument being that it was issued by a regulator, NITDA, rather than voted on by the legislature. The NDPB became operational later in the year and now acts as a data protection authority. It is anticipated that the status of the NDPB as an authority will be confirmed by a data protection statute expected in 2023.
In Rwanda, Law No. 058/2021 of 13 October 2021 relating to the protection of personal data and privacy (“Rwanda DP Act”) confers regulatory and enforcement powers on data protection to the National Cybersecurity Authority (“NCSA”). Sector-specific regulatory authorities (such as the Rwanda Utility Regulatory Authority) may, in conjunction with the NCSA, put in place regulations governing the protection of personal data and privacy in their sector.
On 31 March 2022, the NCSA officially launched its Data Protection Office. Its stated missions and duties are to ensure protection of personal data and guarantee the privacy of individuals as provided by the Rwanda DP Act, to respond to every legitimate request for an opinion regarding personal data processing, to inform the data subject, the data controller, the data processor and third parties of their rights and obligations, to put in place a register of data controllers and data processors, to investigate complaints relating to the processing of personal data, to receive and consider data subjects’ appeals, to advise on matters relating to the protection of personal data and privacy, and to cooperate with authorities, organisations or entities operating in the protection of personal data and privacy.
The Data Protection Commission of Ghana has urged data controllers to register their processing activities with it, as is required under the 2012 Data Protection Act. The authority’s executive director has expressed her intent to focus on auditing companies which are already registered. She indicated that the authority had received a dedicated prosecutor and had requested a fast-track court to facilitate prosecution of, amongst others, unregistered controllers. She stressed the fact that business leaders had the responsibility to adequately train their personnel in data management.
The recently instituted Office of Data Protection Commissioner (“ODPC”) has, on several occasions, expressed the importance of actual compliance and the intent to vigorously enforce data protection laws. ODPC has urged controllers and processors to comply with their registration requirements under the 2019 Data Protection Act. This call was echoed and amplified by Kenya’s head of State, President William Ruto, who launched the data protection registration system.
With respect to inquiries, ODPC has launched investigations into forty digital credit providers after complaints were lodged for misuse of personal data.
In addition, ODPC issued a ruling in a data leakage case and, on 3 November 2022, it issued an enforcement notice against Oppo Kenya for processing personal data for marketing purposes without prior consent from the data subject, and failure to co-operate with ODPC.
Prior to that, in October 2022, Aga Khan Hospital was issued an enforcement notice which it complied with.
The APDP conducted audits on Alpha Telecom, the Malian Company for Textile Development and the National Institute of Social and Personal Insurance (INPS) and imposed an enforcement notice on each of those organisations for non-compliance with the 2013 Data Protection Act.
Enforcement efforts have increased with a partnership and collaboration between the Nigeria Data Protection Bureau (“NDPB”) and other government agencies in protecting privacy. For instance, NDPB has collaborated with the Federal Competition and Consumer Protection Commission (“FCCPC”) to address the protection of consumers’ data. This has led to the establishment of a Joint Enforcement Desk for NDPB and the FCCPC.
NDPB has revoked the operating licences of nineteen Data Protection Compliance Organisations (“DPCOs”). DPCOs are organisations, such as consulting firms, audit firms, law firms, etc., which apply to the supervisory authority for a licence to provide training, auditing and consulting services throughout the country. DPCOs are expected to verify self-audits prior to submission to the supervisory authority. The nineteen licences were withdrawn after NDPB established that the DPCOs had not demonstrated the expected professionalism and capacity to perform the tasks they were entrusted with.
Further, NDPB has announced that it was investigating over one hundred and ten companies, including financial institutions, a telecommunications company, and consulting companies. The data protection authority has partnered with government agencies and regulators to investigate several lending platforms over their alleged breach of the privacy of customers’ data. In June 2022, NDPB commenced investigations into reports of data privacy breaches involving two major data controllers in Nigeria, namely Wema Bank PLC and KC Gaming Networks (Bet Naija).
The Data Protection Commission (“CDP”) has enjoined over twenty-three organisations to register their entity and processing activities. Those organisations include, amongst others, Air Sénégal, Freedocteur, the Tax Authority, the Red Cross, and over ten transportation companies using vehicles with embedded cameras.
In under a year, CDP received at least 35 complaints, including against Sonatel (the state-owned telecommunication company) and Brioche Dorée, and it conducted 13 onsite audits.
CDP issued an enforcement notice against Sonatel for non-compliance with the direct marketing rules and with the requirement to declare processing activities, and it issued an enforcement notice against SETER, the express train company of the Dakar region, for failure to declare its geolocation systems and to meet the transparency requirement.
The Information Regulator has launched or resumed investigations on technology giants. The Information Regulator has also investigated officials of the South African Police Service, and credit bureau TransUnion. The authority’s powers are reinforced with the establishment of the Enforcement Committee launched in July 2022. The Enforcement Committee’s role includes reviewing all matters referred to it by the Information Commissioner and making recommendations on actions to take.
Under two years after the operational establishment of the National Data Protection Office, the authority received over a hundred complaints, twenty-seven of which are being processed. Most of the complaints related to direct marketing opt-out mechanisms.
Outlook for 2023
A bill amending the Data Protection Act, 2018 is likely to be adopted. The Data Protection Commissioner has indicated that a few gaps in the law needed to be addressed. The Data Protection Commission can also be expected to be operational in 2023.
Democratic Republic of the Congo (DRC)
DRC’s first Digital Code, covering data protection, has been approved in draft form by the Government and the National Assembly (the lower parliamentary house). It remains to be voted on by parliament and signed into law. The Digital Code is expected to be enacted in 2023. To date, only Benin has legislated on data protection within the framework of a digital code.
The draft Digital Code, providing a comprehensive framework on data protection, is yet to be adopted by the Government. The approved draft is expected to be available in 2023.
The Executive Regulations to the Data Protection Law, 2020, which were due to be issued within six months from the publication in the Official Gazette, were rescheduled for 2023.
A Data Protection Proclamation was drafted in 2020. Developments are expected in 2023.
The Gambian draft Data Protection Bill was drafted in 2020 and was scheduled to be enacted in late 2021. It can be expected to be passed into law in 2023.
Six years after the enactment of the Data Protection Act, which provides for the creation of an authority, CMIL, discussions and consultations were initiated to set up the authority.
A draft data protection bill was submitted for public comments in February 2021. The legislative process is expected to accelerate in 2023.
The Mauritanian Government has adopted a draft bill authorising the ratification of the 2014 Malabo Convention. To date, thirteen countries have ratified it. Two more ratifications are needed for the treaty to enter into force.
The Ministry of Information and Communication Technology published a draft Data Protection Bill which was open to public comments. Its enactment is expected in the second half of 2023.
The Government of Niger has adopted a draft bill aiming to amend the 2017 Data Protection Act. The main objectives of the legislative reform are (i) to adapt to the latest technological developments, taking into account the impact of the evolution of information and communication technologies on data protection, (ii) to align with international best practice, (iii) to strengthen the cybersecurity legal framework with respect to data protection in the provision of public and private electronic services and (iv) to promote international cooperation.
Nigeria is about to pass its first legislative act governing data protection. The current Nigeria Data Protection Regulation (NDPR) was adopted by the ICT authority, NITDA, which also acted as the sole data protection authority until the establishment of Nigeria Data Protection Bureau (NDPB).
A draft bill, to be approved by the Executive, has been drafted to replace the now 16-year-old Data Protection Act, 2008. Once approved, it will need to be voted on by Parliament.
A data protection bill was drafted in 2021 and there is a possibility that it will pass into law in 2023.
The Postal Telecommunications Regulatory Authority of Zimbabwe has published the draft Data Protection Regulations 2022 for public comments. The final version of the Regulations is expected to be adopted in 2023.