Data security and privacy laws are growing across Africa


Many countries in Africa have developed or implemented privacy and data security laws in their country over the past few years. With the rapid increase in digitalization following the pandemic, the wide-scale implementation of these laws across the continent has never been more urgent. Countries like Ghana, Kenya, Madagascar, Mauritius, Nigeria, Rwanda, South Africa, Togo, Uganda and Zimbabwe have implemented new measures to protect and secure the personal information of their citizens.

In Ghana, data protection is governed by the Data Protection Act (DPA) 2012 as well as Section 18(2) of the 1992 Constitution, which provides citizens with a fundamental right to privacy.

Enid Baaba Dadzie, Senior Associate at Kimathi & Partners in Ghana, explains that as data protection is a new area in Ghana, there have been no recent legal developments. “However, we understand that the regulator in Ghana has been discussing this with regulators in other African countries to consolidate and harmonize data protection laws and adopt standard data protection laws across the continent. This is due to emerging discussions on data sovereignty, data economization and data localization.

“The regulator in Ghana is also pushing for data protection certification as an eligibility requirement to run a business in Ghana, while also in talks with key people in Ghana to set up a separate data/cyber tribunal. which can quickly handle fast-growing data breaches and cybercrime.Additionally, the regulator has previously published the names of non-compliant DPAs in the newspapers and has recently become more aggressive with the enforcement of DPA,” she explains.

In 2019, Kenya passed the Kenyan Data Protection Act (DPA), which is the main legislation governing the collection and processing of personal data in Kenya.

Sonal Sejpal, partner at ALN Kenya | Anjarwalla & Khanna, explains that the DPA regulates the processing of personal data, provision of data subject rights, creation of data controller obligations and establishes the Office of the Data Protection Commissioner (ODPC). In addition to the DPA and the DPA Regulations, Kenya has also ratified the International Covenant on Civil and Political Rights (ICCPR).

“Last year, Kenya enacted the Data Protection (Civil Registration) Regulations, 2020 (DPA Regulations), which regulates the processing of personal data by civil registration entities, including birth registries, adoptions, persons, marriages and deaths, and the entities responsible for issuing passports and any identity document.

Sonal notes that on November 16, 2020, Kenya appointed its first Data Commissioner who heads the ODPC. Under the direction of the Commissioner, the ODPC oversees the implementation of the DPA and also ensures that data processors and data controllers comply with their obligations under the DPA.

“Under the DPA, the Data Commissioner is empowered to issue guidelines or codes of practice for data controllers, processors and data protection officers (DPOs). On February 24, 2021, in accordance with its mandate, the ODPC published the Guidance Notes on Assessing the Impact of Consent and Data Protection (Guidance Notes) and the Complaints Management Handbook ( Complaints Manual). Although the Guidance Notes and Draft Complaints Handbook have been posted on the ODPC website, they have not been subject to public input, which is required by law. Kenyan,” she said.

“Additionally, in January 2022, a set of three data protection regulations were published and are currently in force. These regulations are the Data Protection (General) Regulations 2021, the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021 and the Data Protection (Registration Procedure) Regulations 2021. complaint handling and enforcement). aspects of the Kenyan Data Protection Act 2019 and cover a wide range, from the transfer of personal data to how the rights of data subjects are to be ensured, what are the thresholds and requirements for the registration of data controllers and data processors, how complaints about DPA violations and contraventions will be handled, and how enforcement proceedings will be undertaken,” Sonal notes.

In Madagascar, the confidentiality of data is mainly governed by law n° 2014-038 of January 9, 2015, relating to the protection of personal data (Malagasy law on data protection).

Raphael Jakoba, Managing Partner of MCI Law Firm in Madagascar, explains: “Law No. 2014-006, amended and supplemented by Law No. 2016-031 relating to the fight against cybercrime, also provides for provisions relating to the obligations and responsibilities of operators and carriers of telecommunications and electronic communications services, as well as specific incriminations for breaches of information systems. Law No. 2016-056 also includes provisions relating to the data protection and retention obligations of electronic money institutions. These laws are in force. However, the Malagasy law on data protection and law n° 2014-006 relating to the fight against cybercrime do not yet have implementing decrees.

Ammar Oozeer, a solicitor at BLC Robert & Associates in Mauritius, says that data security and privacy in the country is governed by the Data Protection Act 2017 (DPA 2017) which is aligned with the Convention for the Protection of Personal Data. persons with regard to automated processing. Personal Data (Convention 108).

“In September 2020, Mauritius signed and ratified the Protocol amending the Convention for the protection of individuals with regard to the processing of personal data,” notes Ammar.

The Nigeria Data Protection Regulation 2019 (NDPR) is the main privacy and data protection legislation in Nigeria.

Ijeoma Uju, Partner at Templars Law Firm in Nigeria, said: “In addition to the NDPR which was issued by the National Information Technology Development Agency (NITDA) in January 2019, in 2020 NITDA has published the NDPR Implementation Framework (NDPRIF) to ensure the effective implementation and enforcement of the NDPR. More recently, in 2021, another significant development has been the Lagos State Data Protection Bill, which seeks to promote the protection of information processed by public and private bodies and establishes minimum requirements for processing and protection of personal information at the state level,” she notes.

Emmanuel Muragijimana, Chief Associate at K-Solutions & Partners in Rwanda, explains that in Rwanda, “The Data Protection and Privacy Bill 2020 went through all parliamentary processes on August 12, 2021 and then was translated in the three official languages ​​before being submitted for presidential assent.The law entered into force on October 15, 2021 and is entitled Law nº 058/2021 of 13/10/2021 relating to the protection of personal data and the The agency responsible for enforcing compliance is the National Cyber ​​Security Authority (NCSA).

In South Africa, the Protection of Personal Information Act 2013 (POPIA) came into force in July 2021.

According to Janet MacKenzie, partner and head of the IPTech practice at Baker McKenzie in Johannesburg, “POPIA promotes the protection of personal information processed by public and private bodies, introduces minimum requirements for the processing of personal information, describes the rights of data subjects , regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify incidents of data breaches, and imposes legal penalties for violations of the law.

“Furthermore, the Cybercrime and Cybersecurity Act 2020 was enacted in June 2021 and came into force on December 1, 2021. It aligns national cybersecurity legislation with global standards,” it notes.

“In October 2021, the Information Regulator requested that public comments be submitted on the Amendment to the Personal Information Protection Regulations, 2018 (Draft Regulations). The draft Regulations outline the procedure to be followed in certain circumstances contemplated in POPIA,” she says.

Kafui Achille Amekoudi, Lawyer at Cabinet AMKA in Togo (Cabinet Me AMEKOUDI), recalls that since October 29, 2019, Togo has adopted Law No. 2019-014 relating to the Protection of Personal Data. In addition, on July 30, 2021, the National Assembly adopted a bill authorizing the ratification of the African Union Convention on Cybersecurity and Personal Data Protection (the Malabo Convention).

In Uganda, the Ugandan Constitution of 1995 as amended, the Data Protection and Privacy Act No. 9 of 2019 and the Data Protection and Privacy Regulations of 2021 govern privacy and data security.

“The Data Protection Act, enacted in 2019 (Law), guarantees the protection of individual privacy and personal data by regulating the collection and processing of personal information. The Data Protection and Privacy Regulations, 2021 (Regulations) was issued and published in the Official Gazette in March 2021 by the Minister for Information and Communication Technology and National Guidance,” says Arnold Lule Sekiwano, Partner at Engoru, Mutebi Advocates in Uganda.

He notes that the recent adoption of the enabling regulations on March 12, 2021 aims to implement the law by prescribing the necessary procedural requirements.

Zimbabwe has made significant progress over the past five years in enacting laws dealing with privacy and data protection.

“The law on cybercomputing and data protection [Chapter 12:07] was enacted recently with the aim of addressing the challenges that have arisen due to advances in technology,” says Amalia Manuel, partner at Atherstone & Cook in Zimbabwe.

Amalia adds: “On September 21, 2021, the Cabinet also approved the Principles of the Electronic Transactions and Commerce Bill. We have not seen the principles and await further developments regarding the enactment of this law.

Follow us on Telegram, Twitter, and Facebook, or subscribe to our weekly newsletter to make sure you don’t miss any future updates. Send tips to [email protected]


About Author

Comments are closed.