The enactment of data protection legislation across Africa bodes well for the future. The privacy industry has flourished during the last few years. Since the EU General Data Protection Regulation entered into force (following the 1995 Directive, also known as EU Directive 95/46/EC), countries worldwide have passed privacy legislation. From the comprehensive California Consumer Protection Act in the U.S. to Brazil's General Data Protection Law, Canada’s Personal Information Protection and Election Documents Act to laws in Asia, many African countries have also enacted data protection laws. This was illustrated last July with South Africa’s long-awaited Protection of Personal Information Act, which took seven years to complete and enact.
Despite these developments, only half of the 54 African countries have enacted data protection laws. See the table below of African countries with regulations.
| Country | Legislation |
| Angola | Law No. 22/11, June 17, 2011 (passed) |
| Benin | Book V of the Digital Code of the Republic of Benin Protection of Personal Data (passed) and Law No. 2009-09 |
| Botswana | Data Protection Act 2018 (passed) |
| Burkina Faso | Law No. 010-2004/AN (passed but has been revised, and the revision has not passed yet) |
| Cape Verde | Law No. 133, Law No. 41 and Law No. 42 as a supplement (passed) |
| Gabon | Law No. 001/2011 (passed) |
| Ghana | Data Protection Act of 2012 (passed) |
| Ivory Coast | Law No. 2013-450 (in French) (passed) |
| Kenya | Data Protection Act No. 24 of 2019 (passed) |
| Lesotho | Data Protection Act 2011 (passed, not enforced) |
| Madagascar | Law No. 2014-038 (in French) (passed, not enforced) |
| Malawi | Partial Protection via the Electronic Transactions and Cybersecurity Act No. 33 of 2016 (Has some provisions that cover personal data protection) (passed) |
| Mali | Law No. 2013/015 (in French) (passed) |
| Mauritius | Data Protection Act 2017 (passed) |
| Morocco | Law No. 09-08 along with Implementation Decree No. 2-09-165 Data Regulator: CNDP |
| Mozambique | No data protection law but some protections under the Constitution, Civil Code and the Penal Code |
| Niger | Law No. 2017-28 (passed) |
| Nigeria | Nigeria Data Protection Regulation (passed) |
| Rwanda | Partial, via the Information and Communication Technology Law No. 24/2016 (passed) |
| Senegal | Law No. 2008-12 (passed) |
| Seychelles | Data Protection Act of 2003 (not enforced yet) |
| South Africa | Protection of Personal Information Act (passed) |
| Togo | Law No. 2019-014 (in French) (passed) |
| Tunisia | Organic Act No. 2004-63 |
| Uganda | Data Protection and Privacy Act 2019 (passed, not in effect yet) |
| Zambia | Partial via the Electronic Communications and Transactions Act No. 21 of 2009 (not passed yet) |
| Zimbabwe | Cyber Security and Data Protection Bill (not passed yet) |
As reflected in the table, some countries drafted regulations, but they have not passed yet. Others have regulations but are not enforced. Why is that?
There are several reasons why enacting data protection regulations in Africa, in general, and Cameroon, in particular, has not been as swift as in Western countries.
First and foremost, the lack of regulations across the continent underscores the need for resources. There is not enough funding allocated toward government employees training or creating entities within the government that could be responsible for data protection and privacy, in general. For instance, there is no government unit in Cameroon, yet that is solely responsible for data protection or an independent entity dedicated to the enforcement of sanctions.
Cybercafes are quite popular in Africa, as most people do not own a personal computer. This makes it impossible to exercise control over the use of people’s personal data. Further, sensitization of the public requires funding, as well. The fact that the content is quite populated makes that task tedious.
The interesting case of Cameroon
Cameroon is located at the junction of Western and Central Africa. According to United Nations data, Cameroon ranks 52 in the list of countries by population, estimated at 26,545,863 people. That is a lot of people whose information can be potentially collected and that need safeguards.
Like many of its neighbors, it is heavily reliant on cellphones and other electronic devices. A lot of information is collected and shared via cellular phones. At first glance, it may not be obvious, but some data protection safeguards have been put in place. Although there is no comprehensive data protection law, the country has opted for a sectoral approach, like the one we see in the U.S.
First and foremost, the Cameroonian Constitution recognizes the right of privacy and adheres to the principles laid out in the Universal Declaration of Human Rights. In telecommunications, Law No. 2010/012 of 21 December 2010 Relating to Cybersecurity and Cybercriminality in Cameroon has been enacted.
Additionally, several executive orders have been enacted, including the Electronic Communications Law, E-Commerce Law, Consumer Protection Law, Decree No. 2012/1637/PM of 2012 and an ANTIC Decree. In the health and pharma sector, several decrees and the Penal Code cover data protection. Finally, some laws have been enacted by the national legislators and the Central African Economic and Monetary Community in the financial industry. This entity covers six African countries. Furthermore, case law is also a great indicator of where the country is regarding data protection because some companies have been subject to sanctions. All of these regulations must be taken as a whole to see the full picture of data protection coverage.
It is also important to note that the government, particularly the Ministry of Telecommunications, and agencies such as the ANTIC and the ART and organizations like AfricanWits have done a great job launching sensitization efforts. Furthermore, some Cameroon-based attorneys have been very helpful, including Danielle Moukouri-Djengue, a valuable resource in explaining the complete picture of Cameroon's data protection coverage.
It looks like a general data protection regulation might be coming sooner rather than later. There are trailblazers, such as Ivory Coast, Benin, Senegal, Kenya, Ghana and South Africa, that have enacted general data protection laws and are spearheading efforts to sensitize citizens. Other countries will probably follow suit as people become more informed and understand the importance of safeguarding their personal information from corporations whose main goal is to make profits.
Cameroon could follow the lead of Senegal, which has been exemplary in informing the public about the value of data protection. In fact, Senegal put in place an accessible website that features regular reports about the data protection authority's activities.
After all, if individuals in other countries are protected from having their information used for big corporations' egregious profits, there is no reason why Africans, in general, and Cameroonians should not benefit from the same protections. The protection of the citizen's personal information is up to each country, but they could use some help with funding, training and sensitization campaigns to reach that goal. Some competent experts could hit the ground running once resources have been made available by the states.
One might wonder why it is important to sensitize individuals on the importance of protecting their personal data. There are two perspectives at play here.
First, whether one is from Africa or another continent, one should decide how their personal data used, who uses it and why it is used from an individual or a customer's perspective. If one's personal data is to be used by anyone to make a profit, one should be able to give their consent prior to the data being collected.
On the other hand, it is paramount to be aware of data privacy regulations in other countries from an organization or a business perspective if you collect personal data from individuals abroad. The fact is, it is essential to be compliant with those rules for business growth and if the organization would like to avoid being reprimanded, or worst, fined by a government, thus resulting in having its reputation tarnished.
Furthermore, if countries in other continents take steps to safeguard their citizen's personal data, there is no reason why Africans should be left without any safeguard. What you must understand is that personal data is such a valuable commodity for corporations. It would only make sense for individuals to protect it at all costs and, at the very least, have a say on how their personal information is used.
Finally, African countries will increasingly enact or pass data protection regulations, as experts are becoming more and more aware of the issues stemming from unprotected data, namely identity theft, unauthorized use of one's personal data without their knowledge, the negative impact on a company's reputation once subject to sanctions, and so on. More laws will start to be enforced, as well, mainly because some countries already have laws drafted but are still in the process of passing them. The public is increasingly becoming aware of the importance of protecting one's personal data, which is the first step toward a fully protected Africa.
Photo by Andrew Stutesman on Unsplash
