I. Global Companies Have Identified Africa as One of the Areas of Growth
Recent developments in the region reflect that global companies should be focusing attention on data protection developments in Africa. Tech companies, consumer packaged goods manufacturers, and retailers have focused on Africa as a growth market for their products and services as user adoption in the United States and European Union has flattened.1 As a result, and in the wake of the European Union’s General Data Protection Regulation (“GDPR”), many African countries have heeded the call for data protection laws. Africa is now the largest region with countries that have some sort of data protection law.
And doing business in Africa means the collection of personal information, which increasingly, as in the rest of the world, is becoming regulated. While recent attention in data protection has focused on the United States, the European Union, the Asia-Pacific region, and Latin America, focus now needs to be directed toward the African continent, which is becoming a burgeoning hotspot for data protection laws and enforcement.
II. At Least 33 Countries in Africa Have Data Protection Laws
While the recent activity in 2022 is important, it reflects an overall trend. As of the end of 2021, at least 33 African countries have adopted comprehensive data protection laws in the wake of the EU’s adoption of the GDPR.2 This represents over 60 percent of the countries in the second-largest continent in the world (with some 1.3 billion residents). The increased attention to data in Africa has also been accelerated by the COVID-19 pandemic. For example, South Africa’s Information Regulator announced that it would begin monitoring the Department of Health’s use and disclosure of COVID-19 information in April 2022.
A. The Majority of Data Protection Laws in Africa Have Data Subject Rights and Enforcement Mechanisms Similar to the Rest of the World’s
The comprehensive data protection laws in Africa share many features that exist in other regimes such as the GDPR, China’s Personal Information Protection Law, and California’s California Consumer Privacy Protection Act and its successor, the California Privacy Rights Act. For example, with respect to the most common rights of data subjects, 33 African countries provide the right to access; 29 provide the right to rectification; 27 provide the right to object; 21 provide the right to be forgotten and the right to information; 14 provide the right not to be subject to automated decision-making; 13 provide the right to restrict marketing; five provide the right to obtain personal data in an understandable form; and three provide the right to data portability, to submit complaints, to obtain compensation from data controllers, and to withdraw consent.
In addition to the above data subject rights, roughly 19 African countries require data controllers to notify the relevant data protection authority, and at least 30 require data controllers to have a legal basis for processing personal data and cross-border transfer.
III. Data Protection Developments in Africa in 2022 Signal That Requirements and Enforcement Are Underway
A. Kenya Required Data Controllers and Processors to Register with the Data Protection Commissioner, Effective July 14, 2022
Earlier last month, on July 14, 2022, Kenya’s registration requirement for data controllers and processors went into effect.
Companies doing business in Kenya and processing personal information should review the Office of Data Protection Commissioner’s (“ODPC”) Guidance Note on Registration of Data Controllers and Data Processors to understand their obligations.
The Kenyan Data Protection Act, No. 24 of 2019 (the “Act”) provides a statutory obligation for all Entities (defined below) that process Personal Data (defined below) to register with the Data Protection Commissioner, subject to the thresholds set in place by the Data Protection Commissioner on mandatory registration.3 The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the “Regulations”) went into effect on July 14, 2022.4
The Regulations define “Entities” that are required to register as “mean[ing] a natural (individual) or legal person, public authority, agency or other body that processes (handles) Personal Data.” The term “Personal Data” is defined broadly to include “any information relating to an identified or identifiable natural person.”
The Regulations detail the registration requirements, including which Entities must register and meet their mandatory registration obligations and which are exempt because they are found to be below the threshold. On July 13, 2022, the Data Protection Commissioner issued guidance to assist Entities in ascertaining whether they are data controllers or data processors and in understanding their obligations with respect to mandatory registration.
Data controllers must create an account, pay the required registration fee, and electronically submit, through the ODPC’s website, the online form. The new guidance requires registration for Entities that (1) process personal data, (2) have an annual turnover/revenue of more than 5 million Kenyan shillings, and (3) have more than 10 employees.
B. On June 15, 2022, the Uganda Data Protection Authority Held Trainings Regarding Enforcement of Its Data Protection Law
On June 14, 2022, the Uganda Data Protection Authority held a training titled “Enforcement of the Data Protection Act.” In the training, the Ugandan Data Protection Authority provided tips regarding enforcement, including:
- Adopting strong governance procedures
- Identifying the information that needs protection
- Protecting the information appropriately
- Using strong detection systems
- Being ready to respond and recover
- Testing and refining information defenses
C. Nigeria’s National Information Technology Development Agency (“NITDA”) Partners with a Major Credit Card Issuer
On April 15, 2022, the NITDA formed a partnership with a major credit card issuer for a joint training program on cybersecurity and data protection. The NITDA highlighted that the credit card issuer’s virtual academy will provide certificates on cybersecurity courses and will “open [a] platform for online courses where Nigerians can go and learn at their own pace and also get digital certificates.” The initiative is part of the NITDA’s National Economy Policy and Strategy for a Digital Nigeria, which has a target of achieving 95 percent digital literacy by 2030.
IV. Companies Need to Know How Data Protection Laws in Countries in Africa Differ from Regimes Such as the GDPR
Importantly, not all African countries follow the GDPR model, making a “one-size-fits-all” approach difficult. Many of these countries have adopted different models, so entities that process data will need to adopt data privacy standards and practices depending on the country and business activity. The rapid pace of change in both the digital transformation and regulatory environments in Africa makes it crucial for businesses to have agile and adaptable legal governance frameworks.
|Data Privacy Regulation||Different or More Stringent Requirements Than the GDPR|
|Data Subject Rights and Privacy Opt-Outs||Algeria, Burkina Faso, Cape Verde, Gabon, Ghana, Ivory Coast, Mali, Morocco, Niger, Rwanda, South Africa, Togo, Tunisia, Uganda and Zimbabwe|
|Data Policies/Fly-Outs (i.e. drop-down menus)||Cape Verde, Mali, and Niger|
|Legal Bases/Legal Bases Fly-Outs (i.e. drop-down menus)||Benin, Ivory Coast, Mali, Niger, Rwanda, Seychelles, Tunisia, and Uganda|
|Sensitive Personal Data||Botswana, Chad, Egypt, Gabon, Ghana, Ivory Coast, Kenya, Lesotho, Mali, Niger, Nigeria, Rwanda, Togo, Uganda, Zambia and Zimbabwe|
|Youth Data||Gabon, Ghana, Lesotho, South Africa, Tunisia, Zambia and Zimbabwe|
|Data-In (Ads) Opt-In||Algeria, Ivory Coast, Mauritius and Morocco|
The enactment of the various laws in African countries since GDPR’s enactment represents a significant change in the region’s regulatory landscape. As more African countries continue passing data protection laws, entities processing data should continue monitoring the region and seek the advice of counsel for proper compliance.
The authors want to thank Elias Okwara for his assistance with this article.
1 Vicky Feng & Jennifer Zabasajja, African Tech Sector Is Sprouting Unicorns and Raking in Billions, Bloomberg, April 7, 2022, https://www.bloomberg.com/news/articles/2022-04-07/africa-s-tech-sector-is-sprouting-unicorns-and-raking-in-billions.
3 Office of the Data Protection Commissioner, Guidance Note on Registration of Data Controllers and Data Processors, (July 13, 2022), https://www.odpc.go.ke/download/guidance-note-on-registration-of-data-controllers-and-data-processors/