I. Global companies have identified Africa as one of the growth areas
Recent developments in the region show that global businesses should focus their attention on data protection developments in Africa. Tech companies, consumer packaged goods manufacturers and retailers have focused on Africa as a growth market for their products and services, as user adoption in the US and EU flattened.1 As a result, and in the wake of the European Union’s General Data Protection Regulation (“GDPR”), many African countries have responded to the call for data protection laws. Africa is now the largest region with countries that have some sort of data protection law.
And doing business in Africa means the collection of personal information, which increasingly, like in the rest of the world, is becoming regulated. While recent data protection attention has focused on the United States, the European Union, the Asia-Pacific region and Latin America, attention must now be directed to the African continent, which is becoming a burgeoning hot spot for data protection laws and their enforcement.
II. At least 33 countries in Africa have data protection laws
While recent activity in 2022 is significant, it reflects an overall trend. By the end of 2021, at least 33 African countries had adopted comprehensive data protection laws following the adoption of the GDPR by the EU.2 This represents more than 60% of the countries of the second largest continent in the world (with some 1.3 billion inhabitants). The heightened focus on data in Africa has also been accelerated by the COVID-19 pandemic. For example, South Africa’s information regulator announced that it would begin monitoring the Department of Health’s use and disclosure of COVID-19 information in April 2022.
A. The majority of data protection laws in Africa have data subject rights and enforcement mechanisms similar to those in the rest of the world
Africa’s comprehensive data protection laws share many features that exist in other regimes such as GDPR, China’s Personal Information Protection Act, and California’s Consumer Privacy Act and its successor, the California Privacy Rights Act. For example, regarding the most common rights of data subjects, 33 African countries provide the right of access; 29 provide the right of rectification; 27 provide for the right to object; 21 provide for the right to be forgotten and the right to information; 14 provide the right not to be subject to automated decision-making; 13 provide for the right to restrict marketing; five provide for the right to obtain personal data in an understandable form; and three provide the right to data portability, to lodge complaints, to obtain compensation from data controllers and to withdraw their consent.
In addition to the data subject rights above, around 19 African countries require data controllers to notify the relevant data protection authority, and at least 30 require data controllers to have a lawful basis for processing personal data and cross-border transfer.
III. Data protection developments in Africa in 2022 indicate requirements and enforcement are ongoing
A. Kenya requires controllers and processors to register with the Data Protection Commissioner, effective July 14, 2022
Earlier last month, on July 14, 2022, Kenya’s registration requirement for controllers and data processors came into effect.
Companies doing business in Kenya and processing personal information should consult the Office of the Data Protection Commissioner (“ODPC”) guidance note on the registration of data controllers and processors to understand their obligations.
The Kenyan Data Protection Act, No. 24 of 2019 (the “Act”) provides a legal obligation for all Entities (defined below) that process Personal Data (defined below) to register with the Data Protection Commissioner, subject to thresholds set locally by the Data Protection Commissioner on mandatory registration.3 The Data Protection (Registration of Data Controllers and Processors) Regulations 2021 (the “Regulations”) came into force on 14 July 2022.4
The Regulations define “entities” that are required to register as “[ing] a natural (individual) or legal person, public authority, agency or other body which processes (handles) personal data.” The term “Personal Data” is broadly defined to include “any information relating to an identified or identifiable natural person”.
The Regulations detail registration requirements, including which entities must register and meet their mandatory registration obligations and which are exempt because they fall below the threshold. On July 13, 2022, the Data Protection Commissioner published guidelines to help entities determine whether they are controllers or processors and understand their mandatory registration obligations.
Data controllers must create an account, pay the required registration fee and submit the online form electronically via the ODPC website. The new guidelines require registration of entities that (1) process personal data, (2) have an annual turnover/income of more than 5 million Kenyan shillings and (3) have more than 10 employees.
B. On June 15, 2022, the Uganda Data Protection Authority conducted trainings regarding the application of its Data Protection Act
On June 14, 2022, the Uganda Data Protection Authority conducted a training entitled “Data Protection Law Enforcement”. During the training, the Uganda Data Protection Authority provided guidance regarding the application, including:
- Adopt strong governance procedures
- Identify the information to be protected
- Protect information appropriately
- Use powerful detection systems
- Be ready to react and recover
- Test and refine information defenses
C. Nigeria’s National Information Technology Development Agency (“NITDA”) Partners with Major Credit Card Issuer
On April 15, 2022, NITDA formed a partnership with a major credit card issuer for a joint cybersecurity and data protection training program. NITDA pointed out that the credit card issuer’s virtual academy will provide certificates on cybersecurity courses and “open [an] online course platform where Nigerians can go to learn at their own pace and also get digital certificates.” The initiative is part of NITDA’s National Economic Policy and Strategy for a Digital Nigeria, which aims to achieve 95% digital literacy by 2030.
IV. Businesses need to know how data protection laws in African countries differ from regimes such as GDPR
It is important to note that not all African countries follow the GDPR model, which makes a “one size fits all” approach difficult. Many of these countries have adopted different models, so entities processing data will need to adopt different data privacy standards and practices depending on the country and the business activity. The rapid pace of change in digital transformation and regulatory environments in Africa makes it crucial for businesses to have agile and adaptable legal governance frameworks.
|Data Subject Rights and Disabling Privacy||Algeria, Burkina Faso, Cape Verde, Gabon, Ghana, Ivory Coast, Mali, Morocco, Niger, Rwanda, South Africa, Togo, Tunisia, Uganda and Zimbabwe|
|Data Policies/Fly-Outs (i.e. drop-down menus)||Cape Verde, Mali and Niger|
|Legal Bases/Fly-Outs of Legal Bases (i.e. drop-down menus)||Benin, Ivory Coast, Mali, Niger, Rwanda, Seychelles, Tunisia and Uganda|
|Sensitive personal data||Botswana, Chad, Egypt, Gabon, Ghana, Ivory Coast, Kenya, Lesotho, Mali, Niger, Nigeria, Rwanda, Togo, Uganda, Zambia and Zimbabwe|
|Youth data||Gabon, Ghana, Lesotho, South Africa, Tunisia, Zambia and Zimbabwe|
|Opt-in for data (ads)||Algeria, Ivory Coast, Mauritius and Morocco|
The enactment of the various laws in African countries since the enactment of the GDPR represents a significant change in the regulatory landscape of the region. As more and more African countries continue to adopt data protection laws, data processing entities should continue to monitor the region and seek legal advice on how to properly comply with them.
The authors would like to thank Elias Okwara for his help with this article.
1 Vicky Feng and Jennifer Zabasajja, Africa’s tech sector is sprouting unicorns and raking in billions, Bloomberg, April 7, 2022, https://www.bloomberg.com/news/articles/2022-04-07/africa-s-tech-sector-is-sprouting-unicorns-and-raking-in-billions.
2 Graham Greenleaf and Bertil Cottier, International and Regional Commitments in African Data Privacy Laws: A comparative analysis, Computer Law and Security Review, Volume 44 (2022).
3 Data Protection Commissioner, Guidance Note on Registration of Data Controllers and Data Processors (July 13, 2022), https://www.odpc.go.ke/download/guidance-note-on-registration-of-data-controllers-and-data-processors/
4 Id. at p. 2.