Data protection is an area of law gaining great traction across Africa. On the continental level, there is the African Union Convention on Cyber Security and Personal Data Protection (“Malabo Convention”), which was adopted in 2014. The aim of the Malabo Convention is to build the Information Society in Africa and commit Member States to the creation of a legal framework for the protection of personal data.
Data Protection Compliance in Africa
Introduction
The Malabo Convention entered into force on 8 June 2023, and as of July 2024, has been signed by 21 Member States and applies to 16 Member States that have signed and ratified the Convention. A notable number of African countries have already established and continue to develop their own domestic data protection legislative and regulatory frameworks, while an increasing number are joining the movement. Cape Verde was the first African country to establish a domestic data protection law as early as 2001 with its Law 133-V-2001 on the Protection of Personal Data. Countries also considered as legislative pioneers in this area include Burkina Faso, Mauritius and Tunisia. According to data from Access Now and Data Protection Africa, as of January 2024, 36 out of 54 African countries had enacted their own domestic data protection laws. Ethiopia is the most recent country to join this growing list, with the official publication in the Federal Negarit Gazette of the Personal Data Protection Proclamation No. 1321/2024, on 24 July 2024.
In Kenya, the Data Protection Act, 2019 (“DPA”), and its subsidiary legislation, like the Data Protection Regulations, 2021, govern the protection, collection and processing of personal data of individuals in the country. The regulatory body responsible for overseeing the implementation of and compliance with the DPA is the Office of the Data Protection Commissioner (“ODPC”). The head of the ODPC is the Data Commissioner and the current Data Commissioner is Ms. Immaculate Kassait.
This article aims to provide insights on the general data protection environment on the continent and ways in which organizations operating in Africa can ensure compliance with data protection laws.
Common Features of Data Protection Laws Across Africa
Although laws differ from country to country, there are some common elements that are almost always present in data protection legislation across the globe, and the same is true in Africa. After 2018, a number of African countries relied on the European Union’s General Data Protection Regulation (“GDPR”) as a guide in developing their own domestic data protection laws. Consequently, some principles have become universally recognized as good international principles and practices when it comes to data protection. They include:
- Lawfulness, fairness and transparency when collecting and processing personal data;
- Purpose limitation, which means that the personal data collected should only be used for the reasons stipulated and no other purposes;
- Data minimization, which requires that only the minimum amount of personal data needed for a specific purpose should be collected;
- Accuracy, which requires that personal data collected should correctly reflect the real-world situation, and which also gives data subjects the right to amend and update their information;
- Storage limitation, which requires data controllers (i.e. people who collect personal data) and data processors (i.e. people who process and store personal data) to keep personal data for a specific period of time, after which the data should be destroyed; and
- Cross-border transfer limitation, which aims to limit the amount and type of personal data transferred beyond a country’s borders.
The above principles appear in the GDPR and in many, if not all, African data protection laws. Further, a common requirement is for data controllers and processors to register with the designated data protection regulatory body. In Kenya, registering as a data controller or processor (or as both) is mandatory for all types of entities that meet the statutory threshold of having:
- an annual turnover of above KES 5,000,000 (approximately USD 38,760); and
- 10 or more employees.
While this requirement is common, it does not apply in all African countries. For example, registration of data controllers and data processors only became mandatory in Nigeria in 2023. The Nigeria Data Protection Commission (“NDPC”) issued a directive in June 2023 that ordered all public and private organizations that process personal data to register with the NDPC by December of the same year. Prior to this, registration was not mandatory in Nigeria.
While there are several similarities in data protection laws across Africa, some countries have legal requirements that are unique to their jurisdiction. For example, a 2023 World Bank paper titled “Regulating Digital Data in Africa” identified Kenya and Benin as novel in that they included more measures in their laws, namely: data protection by design, which means that ‘entities should consider data protection at the initial design stages of their products and systems and throughout the lifecycle of the data collected, and not as an afterthought’; and data protection by default, which requires ‘incorporating the principle of “data protection by design” by default into data processing activities’. Data protection by design and data protection by default do not feature in some African countries’ laws, such as the South African Protection of Personal Information Act, 2013.
Steps Organizations Can Take to Ensure Compliance
The consequences of non-compliance with data protection regulations can range from warning notices and investigations to hefty penalties, which could lead to significant reputational damage. In addition, non-compliance could result in legal action being taken against an organization, which can be very costly and time-consuming.
Therefore, it is essential for all entities operating within African countries to take active steps to ensure that they comply with the relevant data protection laws in their jurisdiction. Recommended steps organizations should take include:
- Conducting data protection audits and impact assessments on a regular basis to determine the type of personal data collected, the nature and way in which it is processed, and the basis for processing such data;
- Registering with the relevant data protection regulatory body as either a data controller or data processor, or as both, depending on the organization’s role in collecting and processing personal information, to avoid penalties for non-compliance;
- Drafting and implementing internal data protection and privacy policies and procedures in line with the relevant laws, and ensuring that employees are aware of such policies and procedures;
- Training employees regularly on the importance of data protection and how to comply with the applicable laws and regulations; and
- Seeking legal advice to confirm compliance with data protection laws and to address any issues that may arise.
Conclusion
As data protection laws in African countries continue to develop and as we see a rise in their enforcement, for example in countries like Kenya, Nigeria and South Africa, it is critical for organizations operating in and across the continent to be aware of the relevant legislative and regulatory framework in their jurisdiction. Organizations should understand their legal obligations and any possible liability for non-compliance under such laws, and take active steps to ensure compliance. By taking active steps to stay compliant and keep abreast of the latest developments in data protection laws, organizations can save money and time, exercise international best practice standards in privacy and data protection, and most importantly, avoid unnecessary legal and financial consequences.