Although laws differ from country to country, there are some common elements that are almost always present in data protection legislation across the globe, and the same is true in Africa. After 2018, a number of African countries relied on the European Union’s General Data Protection Regulation (“GDPR”) as a guide in developing their own domestic data protection laws. Consequently, there are some principles that have become universally known as good international principles and practices when it comes to data protection. They include:
- Lawfulness, fairness and transparency when collecting and processing personal data;
- Purpose limitation, which means that the personal data collected should only be used for the reasons stipulated and no other purposes;
- Data minimization, which requires that only the minimum amount of personal data needed for a specific purpose should be collected;
- Accuracy, which requires that personal data collected correctly reflect the real-world situation, and which also gives data subjects the right to amend and update their information;
- Storage limitation, which requires data controllers (i.e. people who collect personal data) and data processors (i.e. people who process and store personal data) to keep personal data for a specific period of time, after which the data should be destroyed; and
- Cross-border transfer limitation, which aims to limit the amount and type of personal data transferred beyond a country’s borders.
The above principles appear in the GDPR and in many, if not all, African data protection laws. Further, a common requirement is for data controllers and processors to register with the designated data protection regulatory body. In Kenya, registering as a data controller or processor (or as both) is mandatory for all types of entities that meet the statutory threshold of having:
- an annual turnover above KES 5,000,000 (approximately USD 38,760); and
- 10 or more employees.
While this requirement is common, it does not apply in all African countries. For example, registration of data controllers and data processors only became mandatory in Nigeria in 2023. The Nigeria Data Protection Commission (“NDPC”) issued a directive in June 2023 that ordered all public and private organizations that process personal data to register with the NDPC by December of the same year. Prior to this, registration was not mandatory in Nigeria.
Conversely, while there are several similarities in data protection laws across Africa, some countries have legal requirements that are unique to their jurisdiction. For example, a 2023 World Bank paper titled “Regulating Digital Data in Africa” identified Kenya and Benin as novel in including more measures in their laws, namely: data protection by design, which means that ‘entities should consider data protection at the initial design stages of their products and systems and throughout the lifecycle of the data collected, and not as an afterthought’; and data protection by default, which requires ‘incorporating the principle of “data protection by design” by default into data processing activities’. Data protection by design and data protection by default do not feature in some African countries’ laws, such as the South African Protection of Personal Information Act, 2013.