Over the past ten years, African countries have steadily passed laws and adopted regulations on cybersecurity, cybercrime, electronic transactions and data protection. To date, 33 countries have data protection laws and/or regulations.
In 2021 only, three countries, Rwanda, Zambia, Zimbabwe, enacted their first data protection law and one country, Cape Verde, amended its existing legislation. Another country, Burkina Faso, replaced its 2004 Data Protection Act with a new one.
This past year, jurisdictions with a data protection legal framework also adopted and issued regulations and guidance, which is the case for Uganda, Kenya, Senegal, and South Africa.
2021 was also a year where stricter data localisation rules were introduced on the African continent.
Below we will look at the latest key developments in data protection law and we will look ahead at 2022.
On 23 March 2021, Zambia became the 31st African country to have passed a data protection-specific law. That year, Zambia also took a number of legislative measures to regulate Zambia's digital economy. The country ratified the 2014 African Union's Malabo Convention on Cyber Security and Personal Data Protection. It also enacted the Cyber Security and Cyber Crimes Act and the Electronic Communications and Transactions Act on the day the Data Protection Act was assented.
The Electronic Communications and Transactions Act, 2021 repeals and replaces the Electronic Communications and Transactions Act, 2009 which included a few provisions on data protection (Part VII). The Data Protection Act should be read in conjunction with the Electronic Communications and Transactions Act, 2021, especially the provisions relating to direct marketing (Section 65). The cybersecurity provisions of the Cyber Security and Cyber Crimes Act should also be taken into account to put in place the necessary measures to ensure compliance with the confidentiality and security obligations of the Data Protection Act.
The Zambian Data Protection Act provides that personal data may be processed upon receiving opt-in consent from the data subject or where the processing relates to personal data which is manifestly made public by the data subject or where the processing is necessary (i) the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (ii) compliance with a legal obligation to which the data controller is subject; (iii) the protection of the vital interests of the data subject or of another natural person; (iv) the performance of a task carried out in the public interest or in the exercise of an official authority vested in the data controller; or (vi) the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The Zambian Act imposes, amongst others, a recording of processing activities, security and confidentiality measures, data protection impact assessments, the appointment of a data protection officer (DPO), and strict data breach notification, i.e. notification to the Data Protection Commissioner within 24 hours of any security breach affecting personal data. In addition, controllers and processors must register with the Data Protection Commissioner prior to engaging in any data processing activity.
Furthermore, the Zambian Act introduces the role of data auditor who can be licensed by the Data Protection Commissioner and whose functions are to (i) promote adherence to the data protection principles by controllers and processors of data; (ii) ensure that data controllers and data processors implement adequate policies and procedures to regulate the processing of personal data; (iii) enhance public and stakeholder awareness of data protection principles and rights; and (iv) check that data controllers implement adequate safeguards to prevent personal data breaches. The auditors as well as the Data Protection Commissioner, are able to conduct the mandatory annual audit of the controller’s policies and processing activities.
Under the Zambian Data Protection Act, data subjects enjoy the rights to information, access, object, erasure, restriction of processing and portability.
With regard to data transfer, Zambia imposes a strict localisation obligation, namely that controllers must process and store personal data in Zambia. Exceptions to this localisation requirement can be issued by the Minister in charge or in limited instances by the Data Protection Commissioner.
The sanctions for non-compliance with the Zambian Data Protection Act include up to 2% of the controller’s annual turnover, and suspension or cancellation of the right to process personal data.
On 13 October 2021, Rwanda's first data protection legislation, Law No. 058/2021 Relating to the Protection of Personal Data and Privacy was enacted. It entered into force on 15 October 2021.
The Law applies to controllers and processors located in Rwanda, but also to controllers and processors with no local presence, so long as they process the data of individuals located in the country.
The Rwandan Law provides that personal data may be processed on the basis of opt-in consent, contractual necessity, legal obligation, protection of the data subject's vital interest, duty carried out in the public interest or in the course of an official authority, performance of the duties of a public entity, legitimate interest of the data controller or third-party recipient, or research purposes subject to authorisation by the relevant institution.
Some obligations applying to controllers and processors include recording of processing activities, security and confidentiality requirements, data protection impact assessments, the appointment of a data protection officer in some circumstances, a 48-hour data breach notification, and registration with the supervisory authority prior to engaging in any data processing activity.
Under the Rwandan Law, no separate data protection authority is instituted. The supervisory powers are granted to the cybersecurity authority, i.e. the National Cybersecurity Authority (NCSA). Rwanda also has sector-specific regulatory authorities (such as the Rwanda Utility Regulatory Authority in the ICT sector) which are responsible for overseeing sector-specific compliance. The competent authority may, in conjunction with the supervisory authority, put in place other sector-specific regulations governing the protection of personal data and privacy.
The rights of the data subjects include the right to access, erase and rectify their data, as well as the right to object to processing, to restrict processing, to data portability and information. In addition, data subjects also have the right to designate an heir to personal data. Pursuant to this right, even though personal data is not subject to succession, where a deceased data subject had left a will, the heir is given full or restricted rights relating to the processing of the personal data held by the controller or the processor.
The sanctions for non-compliance with the Rwandan Data Protection Act include up to 5% of the annual turnover and cancellation of the right to process personal data.
Check here to find out more on Rwandan data protection law.
Zimbabwe enacted its first data protection legislation in December 2021 with the Data Protection Act No. 05/2021. The Act provides a comprehensive data protection regime, but also significantly amends cybercrime-related law, including the Criminal Code (Codification and Reform) Act and the Interception of Communications Act. The Data Protection Act establishes a Cyber Security and Monitoring of Interceptions of Communications Centre. With regard to data protection itself, it does not create a specific data protection authority, but grants this responsibility to the Postal and Telecommunications Regulatory Authority (POTRAZ), as the Ivory Coast did in 2013.
The territorial scope of the Zimbabwean Act is narrower than the Rwandan, Cape Verdean, Zambian or Burkinabe scope, in that offshore controllers or controllers that are partially (i.e., not permanently) established in Zimbabwe are subject to the Act only to the extent that they use means of processing located in Zimbabwe, except for mere transit purposes.
Under the Data Protection Act, consent is the default basis for processing. By way of exception, personal data can be processed without consent where necessary to (i) prove an offence; (ii) comply with an obligation to which the controller is subject by virtue of a law; (iii) protect the vital interests of the data subject; (iv) perform a task carried out in the public interest, or in the exercise of the official authority vested in the controller, or in a third party to whom the data is disclosed; or (v) promote the legitimate interests of the controller or a third party to whom the data is disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
The Act requires controllers to take appropriate technical and organisational measures that are necessary to protect data from negligent or unauthorised destruction, negligent loss, unauthorised alteration or access and any other unauthorised processing of the data. In the event of a data security breach of any kind, controllers have a 24-hour reporting obligation to POTRAZ.
Prior to processing personal data, controllers must notify their intended processing activities with POTRAZ, which may exempt certain categories from notification.
Although appointing a data protection officer (DPO) is not mandatory, the Act specifies that this function can only be carried out by a natural person. Therefore, professional services firms and companies may not offer to act as DPOs under Zimbabwean law. Furthermore, the existence of a DPO must be notified to POTRAZ, which has the power to issue guidelines regarding DPOs’ functions and qualifications.
With regard to international transfers of data, the Data Protection Act provides for an adequacy condition. However, it also requires POTRAZ to lay down the categories of processing operations for which and the circumstances in which international transfers are not authorised. It is thus expected to have further information on the data localisation requirement in the near future.
Changes in existing laws
Cape Verde is the first African country to have legislated on data protection with Law No. 133/V/2001 of 22 January 2001 - General Legal Framework for the Protection of Personal Data of Natural Persons. The data protection legal framework was largely inspired by the Council of Europe Convention 108 of 28 January 1980 (“Convention 108”), and the now repealed Directive No. 95/46/EC of the European Parliament and of the Council of 24 October 1995.
The Law was amended in 2013, mainly in order to change the status of the National Commission of Data Protection, Comissão Nacional de Protecção de Dados, which ceased to be a parliamentary committee and became an external body. Following the amendment, the authority was established and became operational in 2015.
Initially, the 2001 Act applied to controllers based in Cape Verde or using means of processing personal data in Cape Verde. The 2021 Act provides for an extraterritorial scope taking into consideration the location of the data subjects. It covers controllers with no local presence who process the data of persons located in Cape Verde.
The 2021 Amendment has also shifted the consent requirement from opt-out to opt-in consent with “a statement or an unambiguous affirmative act”.
Regarding the controller-processor relationship, the 2021 Amendment introduces the obligation for the processor to obtain prior consent from the controller in order to engage a sub-processor. The amendment is stricter than GDPR as it provides that consent to engage a sub-processor must always be specific and precede the processing activity by the sub-processor.
The 2021 Amendment has also introduced more comprehensive data subject rights, highly similar to the rights set out in GDPR, such as the right to erasure, the right to restrict processing and the right to portability of data, in addition to the already existing rights to access and rectification.
The Amendment has introduced the requirement for controllers to appoint a data protection officer under certain conditions, and to notify the National Commission of Data Protection of data breaches, within 72 hours from becoming aware of the breach, and to the affected data subjects without undue delay where such breach is likely to result in a high risk to their rights, freedoms and guarantees.
The 2021 Amendment has maintained the restrictions on the processing of sensitive data, renamed “special categories of personal data” and has strengthened the protection by adding biometric data and sexual orientation as special categories and prohibiting profiling leading to discrimination against individuals based on special categories of personal data.
The legitimacy of data processing was extended to situations where processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health or to ensure a high level of quality and safety of health care and medicinal products or medical devices. It was a solution aligned with Convention 108+ and GDPR.
Check here for more information on Cape Verde.
Burkina Faso enacted its first data protection legislation in 2004 (Act No. 010-2004/AN of 20 April 2004). The 2004 Act provided for the creation of the regulatory authority, the Commission de l'informatique et des libertés (CIL), which became operational in 2007.
The law of 20 April 2004 predates the ECOWAS Supplementary Act No. A/SA.1/01/10 of 16 February 2010 and it was drafted before the global spread of social media and cloud services. As a result, it appeared essential to adapt the legislation to current realities and to the standards adopted by countries internationally, in order, on the one hand, not to hinder data flows and, on the other hand, to guarantee the protection of individuals.
As a consequence, by a regulation adopted on 21 April 2021, a new Act No. 001-2021/AN of 30 March 2021 repealed and replaced the 2004 Act in its entirety.
This new Data Protection Act of 2021 makes fundamental changes that strengthen the protection of the privacy of individuals.
For example, with regard to geographical scope, the Data Protection Act now applies to all data controllers who carry out processing operations arising from Burkina Faso, even if such controllers have no presence in the country and even if they do not use any means of processing on the national territory. The condition of local presence or use of local means of processing was included in the 2004 Law, which meant that many companies located abroad and processing considerable volumes of personal data were arguably not caught by the Burkinabe regulation. Today, these same companies are required to comply with the new law.
In addition, the 2021 Act reinforces security requirements with the obligation, where data is transferred to a third country, to enter into a contract with the data recipient that includes a data return clause and to encrypt the data.
Other notable changes include, amongst others, definitions of terms that were undefined or unused in the 2004 Act, such as “consent”, “sensitive data”, “health data” or “data processor”. In addition, the definition of “data controller” was modified from “the individual or legal entity, private or state-owned, that has the power to order the creation of personal data” to persons “that, alone or jointly with other persons, decide to collect and process personal data and determine the purposes and means of processing”. The definition of “processing” was broadened so as to include “organising, retaining, adapting, modifying, saving” personal data and “encrypting” personal data.
The legal bases for processing have remained fairly unchanged and as such, the legitimate interest of the controller or a third-party recipient is still not recognised as an exception to the consent requirement. Most ECOWAS member states do not provide for this exception, as it does not appear in the ECOWAS Supplementary Act.
The data subject rights, without including the right to portability, have been strengthened to reach international standards. Such right include the right to information, with comprehensive transparency obligations, right to object, right to access, right to rectification, right to erasure and to be forgotten.
It is still mandatory to register with the data protection authority prior to processing personal data and the 2021 Act requires authorisation from the authority prior to processing genetic data, biometric data, criminal conviction data or prior to conducting profiling activities, interconnecting personal data, transferring personal data outside Burkina Faso and processing personal data for historical and statistical purposes serving a public interest.
Under the 2021 Act, the processing of health data is significantly regulated and, as such, the Act introduces a strict data localisation principle with the obligation to host health data in Burkina Faso, unless an exemption is granted by the data protection authority.
The sanctions in the 2021 Act are significantly more dissuasive as they can reach 1% of a company's turnover and 5% in the event of a repeat offence.
Data controllers and processors have one year from the date of entry into force of the law to comply with its requirements.
Regulations and Guidance
After the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) (POPIA) of 19 November 2013 was passed and Proclamation No. R21 of 2020 on the Commencement of Certain Sections of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) was adopted on 1 July 2020, the majority of the operative provisions of POPIA came into effect. As a result, the Information Regulator issued a number of guidance notes in 2021 on different subjects such as the processing of special personal information (28 June 2021), the processing of personal information of children (28 June 2021), exemptions from the conditions for the unlawful processing of personal information, information officers and deputy information officers (1 April 2021), applications for prior authorisation (11 March 2021).
Two years after passing the Data Protection and Privacy Act, the Ugandan Government adopted the Data Protection and Privacy Regulations, 2021 published in the Gazette on 12 March 2021. The Regulations provide for, in further detail, the establishment of the Personal Data Protection Office (PDPO) and describes its functions, powers and internal organisation and management.
The Regulations also set out the obligation for data collectors, controllers and processors to register with PDPO as well as the registration process. They detail the data breach notification requirements, the obligation to appoint a data protection officer and the data subject rights, namely the rights to information, access, objection, rectification, blocking and erasure.
PDPO is now operational and it has issued guidance notes on designating a data protection officer, on lodging complaints, on registration classification and on renewal of registration.
Read more about data protection in Uganda.
On 30 December 2021, the Senegalese Data Protection Commission issued a regulation setting out retention periods applicable to the following categories of data: employee data, video surveillance, logs of entry into and exit from the workplace and private homes, access magnetic passes, vehicle geolocation, commercial and marketing, customer data of banks and insurance companies. The retention periods vary from 6 months to 10 years.
After the promulgation of Kenya’s first Data Protection Act in November 2019, the Office of the Data Protection Commissioner published guidance notes, including on consent, on data protection impact assessment and on the processing of personal data for electoral purposes. Then, in December 2021, the Data Protection (General) Regulations, 2021 were adopted and published. The Regulations provide further details on the many areas covered by the Act, including, data subject rights, use of data for commercial purposes and direct marketing, data retention, data protection policies, contracts between controllers and processors, data localisation, data protection by design or by default, data breach notification, cross-border transfers of data and data protection impact assessments. This Regulation significantly complements the Data Protection Act.
In some jurisdictions data protection authorities became operational in the past 12 months. Other jurisdictions with new data protection laws elected not to create a standalone data protection authority, but to grant supervisory powers to an existing authority, which was the choice made by the Ivory Coast and Nigeria
In Chad, pursuant to the Data Protection Act n° 007/PR/2015 of 10 February 2015 the authority in charge of data protection is the cybersecurity regulator, i.e. the National Agency for Information Security and Electronic Certification (ANSICE). ANSICE was instituted by Law No. 006/PR/2015 enacted on 10 February 2015. After a few years of latency ANSICE became fully operational in late 2020. The agency is now very active in cybersecurity and data protection and it has commenced its data controller registration operations as well as enforcement actions.
The Data Protection Act No. 2017-28 of 3 May 2017 provides for the establishment of the High Data Protection Authority (HAPDP). The board and management of the authority was appointed in late 2019 and, in 2021, HAPDP became fully operational. It is undertaking significant awareness-raising campaigns and capacity building. The authority has also commenced its data controller registration activities.
The Ugandan Data Protection and Privacy Act of 2019 provided the data protection authority would be the Personal Data Protection Office. In 2021, as mentioned above, the Data Protection and Privacy Regulations, 2021 provided further detail about PDPO, including its functions, powers and internal organisation and management and now PDPO is fully operational.
Read more about data protection in Uganda.
The Rwandan Protection of Personal Data and Privacy Law did not create a separate data protection-dedicated authority. Instead it granted supervisory powers to the cybersecurity authority, the National Cybersecurity Authority (NCSA) with the possibility for sector-specific regulatory authorities (such as the Rwanda Utility Regulatory Authority in the ICT sector) to oversee sector-specific compliance and put in place sector-specific regulations governing the protection of personal data and privacy. NCSA was instituted pursuant to Law No. 26/2017 of 31/05/2017 Establishing the National Cyber Security Authority and Determining its Mission, Organisation and Functioning and it is now fully operational.
Although the Data Protection Act provides for the creation of a Cyber Security and Monitoring of Interceptions of Communications Centre, it does not create an autonomous stand-alone data protection authority. The supervisory authority in charge of personal data is the already operational Postal and Telecommunications Regulatory Authority (POTRAZ).
The new Data Protection Act of 30 March 2021 imposes that health data relating to identified or identifiable individuals be hosted in Burkina Faso unless an exception is made by the data protection authority. To date, no general exception to this principle has been issued.
Pursuant to Section 70 of the Zambian Data Protection Act of 24 March 2021, data controllers must process and store personal data on a server or data centre located in Zambia except where the Minister prescribes categories of personal data that may be stored abroad. However, sensitive personal data may not be subject to ministerial exemptions. Further clarification as the existence of further exceptions and the criteria for cross-border transfer are likely to be provided by the Minister and supervisory authority.
There are currently no specific data localisation obligations. However, under the Data Protection Act 2021, the data protection authority, POTRAZ, is required to lay down the categories of processing operations for which and the circumstances in which international transfers is prohibited. It is thus expected to have further information on the data localisation requirement in the near future.
Under the Data Protection Act, No. 24 of 2019 which entered into force on 25 November 2019, the Cabinet Secretary may prescribe, based on grounds of strategic interests of the state or protection of revenue, certain nature of processing that shall only be effected through a server or a data centre located in Kenya.
The Data Protection (General) Regulations, 2021 published in December 2021, which complements the Data Protection Act sets out some localisation requirements. Under Section 26 of the Regulations, personal data processed for the purpose of strategic interest of the State must be processed through a server and data centre located in Kenya or at least one serving copy of the data must be stored in a data centre located in Kenya.
The strategic interests referred to in Section 26 include (a) administering of the civil registration and legal identity management systems; (b) facilitating the conduct of elections for the representation of the people under the Constitution; (c) overseeing any system for administering public finances by any state organ; (d) running any system designated as a protected computer; (e) offering any form of early childhood education and basic education; or (f) provision of primary or secondary health care for a data subject in the country.
While the authorities of some jurisdictions focus on raising awareness, in other jurisdictions, the enforcement activities have significantly increased in the past year. Amongst the most active jurisdictions is Mauritius, of which data protection authority mainly responded to data subjects’ claims against locally-based controllers. Nigeria and South Africa have been proactive in their investigations of foreign technology giants. The Nigerian authority issues fines on a regular basis. Enforcement has been identified as a priority in several countries. With regard to controllers who have no local presence and against which imposing fines is challenging, temporarily or permanently blocking the service via the internet service providers has emerged as a suitable solution.
Outlook for 2022
A draft data protection bill was submitted for public comments in February 2021. The legislative process is expected to accelerate in 2022.
A Data Protection Bill was published in 2020. There is a possibility for it to be passed into law in 2022.
The Gambian draft bill was drafted over two years ago and was scheduled to be enacted in late 2021. It is likely to be passed into law in 2022.
A data protection bill was drafted in 2021 and the objective is to pass it into law in 2022.
A Data Protection Proclamation was drafted in 2020. Developments are expected in 2022.
Djibouti is currently drafting its first Digital Code, which intends to comprehensively cover data protection.
Democratic Republic of the Congo (DRC)
Like Djibouti, DRC, of which Telecom Act has just entered into force, is preparing its first Digital Code covering data protection. To date, the only African country with a digital code containing a complete data protection framework is Benin.
A draft bill, to be approved by the Executive was drafted to replace the now 14-year-old Data Protection Act, 2008. Once approved, it will need to be voted by Parliament.
Nigeria might soon pass a legislative act governing data protection. The current Nigeria Data Protection Regulation (NDPR) was adopted by the ICT authority, NITDA, which also acts as the data protection authority. Nigeria now considers enacting a data protection statute (an act of Parliament) and establishing a standalone data protection authority.
The grace period provided in the 2020 Data Protection Law is scheduled to expire in 2022.
The one-year grace period granted to comply with the 2021 Data Protection Act will expire in 2022.
The 2018 Data Protection Act came into operation on 15 October 2021. The one-year grace period provided for in the 2018 Act will thus expire in 2022. The establishment of an operational data protection authority can also be expected in the near future.
The Information Commissioner has published a number of draft documents for public consultation and comments. They include the Protection of Personal Information Act: Amendments to Regulations; the Protection of Personal Information Act: Notice of Code of Conduct; and the Protection of Personal Information Act: Code of Conduct: Credit Bureau Association (CBA).
Therefore, further guidance and regulations are likely to be published in 2022.