TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Slowly but surely, data protection regulations expand throughout Africa Related reading: After 7-year wait, South Africa's Data Protection Act enters into force



The enactment of data protection legislation across Africa bodes well for the future. The privacy industry has flourished during the last few years. Since the EU General Data Protection Regulation entered into force (following the 1995 Directive, also known as EU Directive 95/46/EC), countries worldwide have passed privacy legislation. From the comprehensive California Consumer Protection Act in the U.S. to Brazil's General Data Protection Law, Canada’s Personal Information Protection and Election Documents Act to laws in Asia, many African countries have also enacted data protection laws. This was illustrated last July with South Africa’s long-awaited Protection of Personal Information Act, which took seven years to complete and enact.

Despite these developments, only half of the 54 African countries have enacted data protection laws. See the table below of African countries with regulations.

Country Legislation
Angola Law No. 22/11, June 17, 2011 (passed)
Benin Book V of the Digital Code of the Republic of Benin Protection of Personal Data (passed) and Law No. 2009-09
Botswana Data Protection Act 2018 (passed)
Burkina Faso Law No. 010-2004/AN (passed but has been revised, and the revision has not passed yet)
Cape Verde Law No. 133, Law No. 41 and Law No. 42 as a supplement (passed)
Gabon Law No. 001/2011 (passed)
Ghana Data Protection Act of 2012 (passed)
Ivory Coast Law No. 2013-450 (in French) (passed)
Kenya Data Protection Act No. 24 of 2019 (passed)
Lesotho Data Protection Act 2011 (passed, not enforced)
Madagascar Law No. 2014-038 (in French) (passed, not enforced)
Malawi Partial Protection via the Electronic Transactions and Cybersecurity Act No. 33 of 2016 (Has some provisions that cover personal data protection) (passed)
Mali Law No. 2013/015 (in French) (passed)
Mauritius Data Protection Act 2017 (passed)
Morocco Law No. 09-08 along with Implementation Decree No. 2-09-165
Data Regulator: CNDP
Mozambique No data protection law but some protections under the Constitution, Civil Code and the Penal Code
Niger Law No. 2017-28 (passed)
Nigeria Nigeria Data Protection Regulation (passed)
Rwanda Partial, via the Information and Communication Technology Law No. 24/2016 (passed)
Senegal Law No. 2008-12 (passed)
Seychelles Data Protection Act of 2003 (not enforced yet)
South Africa Protection of Personal Information Act (passed)
Togo Law No. 2019-014 (in French) (passed)
Tunisia Organic Act No. 2004-63
Uganda Data Protection and Privacy Act 2019 (passed, not in effect yet)
Zambia Partial via the Electronic Communications and Transactions Act No. 21 of 2009 (not passed yet)
Zimbabwe Cyber Security and Data Protection Bill (not passed yet)

As reflected in the table, some countries drafted regulations, but they have not passed yet. Others have regulations but are not enforced. Why is that?

There are several reasons why enacting data protection regulations in Africa, in general, and Cameroon, in particular, has not been as swift as in Western countries.

First and foremost, the lack of regulations across the continent underscores the need for resources. There is not enough funding allocated toward government employees training or creating entities within the government that could be responsible for data protection and privacy, in general. For instance, there is no government unit in Cameroon, yet that is solely responsible for data protection or an independent entity dedicated to the enforcement of sanctions.

Cybercafes are quite popular in Africa, as most people do not own a personal computer. This makes it impossible to exercise control over the use of people’s personal data. Further, sensitization of the public requires funding, as well. The fact that the content is quite populated makes that task tedious.

The interesting case of Cameroon

Cameroon is located at the junction of Western and Central Africa. According to United Nations data, Cameroon ranks 52 in the list of countries by population, estimated at 26,545,863 people. That is a lot of people whose information can be potentially collected and that need safeguards.

Like many of its neighbors, it is heavily reliant on cellphones and other electronic devices. A lot of information is collected and shared via cellular phones. At first glance, it may not be obvious, but some data protection safeguards have been put in place. Although there is no comprehensive data protection law, the country has opted for a sectoral approach, like the one we see in the U.S.

First and foremost, the Cameroonian Constitution recognizes the right of privacy and adheres to the principles laid out in the Universal Declaration of Human Rights. In telecommunications, Law No. 2010/012 of 21 December 2010 Relating to Cybersecurity and Cybercriminality in Cameroon has been enacted.

Additionally, several executive orders have been enacted, including the Electronic Communications Law, E-Commerce Law, Consumer Protection Law, Decree No. 2012/1637/PM of 2012 and an ANTIC Decree. In the health and pharma sector, several decrees and the Penal Code cover data protection. Finally, some laws have been enacted by the national legislators and the Central African Economic and Monetary Community in the financial industry. This entity covers six African countries. Furthermore, case law is also a great indicator of where the country is regarding data protection because some companies have been subject to sanctions. All of these regulations must be taken as a whole to see the full picture of data protection coverage.

It is also important to note that the government, particularly the Ministry of Telecommunications, and agencies such as the ANTIC and the ART and organizations like AfricanWits have done a great job launching sensitization efforts. Furthermore, some Cameroon-based attorneys have been very helpful, including Danielle Moukouri-Djengue, a valuable resource in explaining the complete picture of Cameroon's data protection coverage.

It looks like a general data protection regulation might be coming sooner rather than later. There are trailblazers, such as Ivory Coast, Benin, Senegal, Kenya, Ghana and South Africa, that have enacted general data protection laws and are spearheading efforts to sensitize citizens. Other countries will probably follow suit as people become more informed and understand the importance of safeguarding their personal information from corporations whose main goal is to make profits.

Cameroon could follow the lead of Senegal, which has been exemplary in informing the public about the value of data protection. In fact, Senegal put in place an accessible website that features regular reports about the data protection authority's activities.

After all, if individuals in other countries are protected from having their information used for big corporations' egregious profits, there is no reason why Africans, in general, and Cameroonians should not benefit from the same protections. The protection of the citizen's personal information is up to each country, but they could use some help with funding, training and sensitization campaigns to reach that goal. Some competent experts could hit the ground running once resources have been made available by the states.

One might wonder why it is important to sensitize individuals on the importance of protecting their personal data. There are two perspectives at play here.

First, whether one is from Africa or another continent, one should decide how their personal data used, who uses it and why it is used from an individual or a customer's perspective. If one's personal data is to be used by anyone to make a profit, one should be able to give their consent prior to the data being collected.

On the other hand, it is paramount to be aware of data privacy regulations in other countries from an organization or a business perspective if you collect personal data from individuals abroad. The fact is, it is essential to be compliant with those rules for business growth and if the organization would like to avoid being reprimanded, or worst, fined by a government, thus resulting in having its reputation tarnished.

Furthermore, if countries in other continents take steps to safeguard their citizen's personal data, there is no reason why Africans should be left without any safeguard. What you must understand is that personal data is such a valuable commodity for corporations. It would only make sense for individuals to protect it at all costs and, at the very least, have a say on how their personal information is used.

Finally, African countries will increasingly enact or pass data protection regulations, as experts are becoming more and more aware of the issues stemming from unprotected data, namely identity theft, unauthorized use of one's personal data without their knowledge, the negative impact on a company's reputation once subject to sanctions, and so on. More laws will start to be enforced, as well, mainly because some countries already have laws drafted but are still in the process of passing them. The public is increasingly becoming aware of the importance of protecting one's personal data, which is the first step toward a fully protected Africa.

Photo by Andrew Stutesman on Unsplash

Credits: 1

Submit for CPEs


If you want to comment on this post, you need to login.

  • comment BYAD Amine • Apr 5, 2021
    Thanks for the focus on oour continent Cathy.
    Actually 33 countries in Africa have enacted comprehensive data protection laws (so 8 more to add to the list on the article) : Algeria, Comores, Congo, Egypt, Mauritania, Ouganda, Sao Tome & Principe & Chad. 
    21 more to go, hoping to see an effective African GDPR soon !
  • comment Graham Rogoff • Apr 6, 2021
    This news certainly is positive, however many of the African states have passed privacy laws but have not yet appointed data regulators or enforced the laws, some with no defined implementation dates i.e. Botswana.  Is it possible to indicate in the table of countries above which states have implemented their passed laws and which are pending?
  • comment Cathy-Eitel Nzume • Apr 8, 2021
    Hello Amine and Graham, thank you for your comments. Amine, you are correct, there are 7 countries that do not appear in the table. Uganda is included in the table. The table was meant as a representation of the progress made in Africa thus far, and the article was simply drafted to share my views with fellow privacy professionals. In addition, it was published recently, but was actually written some time ago. The links to the laws for those 7 countries were not confirmed at the time of drafting, therefore could not be added. I wanted to make sure I include only the laws that could easily be found by everyone. 
    Graham, that is correct, some countries have not passed the law yet. In the table, for some countries, you can see in brackets "not passed" or "not in effect". As for indicating which law has not been implemented yet for all the states, that is certainly a wonderful idea for another article!
    Thank you both!
  • comment Cathy-Eitel Nzume • Apr 8, 2021
    Amine, as for an African GDPR, I certainly share your opinion! It would be a great step for Africa!
  • comment ASSOUA Cauffi Silvère • Apr 22, 2021
    Salut Caty, très belle analyse. j'ai constaté que le Nigeria considère encore la Côte d'Ivoire comme un pays non adéquat, là ou  ils  viennent à peine de légiférer.
  • comment Cathy-Eitel Nzume • Sep 19, 2021
    @Sylvere, merci infiniment! C’est dommage que le Nigeria considère la Côte d’Ivoire comme étant un pays inadéquat. Sais-tu quels arguments ils avancent pour justifier cela? Ça m’intéresse qu’on en parle.