Bimonthly Update on Privacy in Africa - 5 (September and October 2023)


In the last two months, Africa has seen notable advancements in data protection. Rwanda's data protection law is now effective; Botswana has extended its transition period; Ethiopia has moved forward with its data protection bill; and Djibouti is reviewing its Digital Code. Data protection authorities in Kenya, South Africa, Ghana, and Côte d’Ivoire have also taken enforcement actions.

Regulatory updates

  • The government of Botswana extended the data protection law's effective date to October 13, 2024, which is a period of 12 months from the publication of the extension notice.
  • Djibouti's Digital Code, approved by the Council of Ministers, is set to undergo a comprehensive review as the National Assembly inaugurated a committee to oversee the process. The review is intended to bring the draft law in line with international best practices and address emerging technological issues.
  • In Eswatini, the data protection authority called for public comments on its proposed regulation for data controller and processor registration under the Data Protection Act. The regulation outlines the registration process, threshold criteria, and applicable fees for different types of organisations.
  • In October, the Ethiopian Council of Ministers approved the data protection bill for ratification by Parliament. It is not the country's first attempt to enact a data protection law. Previously, a data protection proclamation had been introduced but did not progress.
  • In Kenya, the President signed the Digital Health Bill into law. The Act aims to leverage technology to improve healthcare delivery, safeguard patient data and foster innovation within the country.
  • The Nigeria Data Protection Commission (NDPC) announced it is investigating some organisations for violations of the data protection law and collaborating with the Federal Competition and Consumer Protection Commission (FCCPC) to investigate one of the organisations whose breach intersects consumer protection.
  • The Nigeria Data Protection Commission inaugurated the Nigeria Data Protection Act General Application and Implementation Directive (NDP Act GAID) drafting Committee responsible for creating an implementation framework for the Act.
  • Rwanda’s Data Protection Law officially came into force after the end of the transition period on October 15, 2023.
  • The Tunisian Federation of Insurance Companies (FTUSA), with the support of Tunisia’s  Personal Data Protection Authority (INPDP), introduced a practical guide on personal data protection in the insurance sector.
  • Kenya’s Senate ICT Committee commenced investigating a supermarket for failing to report a data breach within the statutory 72-hours. The Office of the Data Protection Commissioner (ODPC) also initiated a post-breach audit and inspection to ascertain the supermarket’s liability and impact on data subjects. The outcome of the findings is much anticipated, as is the audit of 40 companies by the ODPC.

Sanctions and enforcement

  • The Ivorian data protection authority issued warnings and formal notices to Yango, Standard Chartered Bank and Quipux Afrique for various violations of the data protection law. The organisations have been directed to ensure compliance with the law.
  • Ghana’s Data Protection Commission (DPC) announced the commencement of enforcement of the data protection law in August. Consequently, in September, representatives from five organisations were arrested for violations of the Data Protection Act. In a separate enforcement action conducted in August, the DPC, in collaboration with the Criminal Investigations Department (CID), apprehended representatives from another three organisations. Additionally, representatives from two other organisations were summoned for interrogation.
  • In Kenya, the ODPC fined three organisations a total of Ksh9,375,000 for violating the privacy rights of data subjects, including minors. On a related note, a lawsuit was filed against a university for using someone’s photograph on social media and other platforms without permission. In addition, the Worldcoin Foundation case was concluded during this period. The Ad-hoc Committee produced a report of its findings and recommendations. On its part, the ODPC issued an enforcement notice to the organisation and its parent company after concluding investigations. Wordcoin’s operations have been suspended in the country pending the implementation of appropriate safeguards.
  • The Supreme Court of Kenya decided that the dignity, rights, and well-being of minors should be preserved in legal proceedings against them. This ruling came after the identities of seven students charged with arson in Murang’a were publicly disclosed. Again, according to a decision by the ODPC, an employer is not vicariously liable for a data breach that resulted from an employee breaking the terms of their employment.
  • In Senegal, the Personal Data Protection Commission (CDP) published its third quarterly report detailing its activities from July to September 2023. Based on the report, the CDP issued four warnings and a formal notice to three organisations for violating the data protection law.
  • In South Africa, the Department of Justice and Constitutional Development is contesting the R5 million fine that the Information Regulator issued earlier this year, citing the impracticality of the implementation timeframe and a lack of evidence for data misuse.

Other updates

  • The World Bank recommended the amendment of Kenya’s Data Protection Act to remove the data localisation requirement and embrace interoperable standards. The recommendation comes when there are ongoing discussions to amend the Data Protection Act.
  • In South Africa, the National Assembly proposed an amendment to the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) to strengthen safeguards. Key aspects of the amendment include enhancing the appointment process for these judges, ensuring lawful data management for intercepted communications, and setting clear guidelines for handling and deleting surveillance data. Additionally, it introduces post-surveillance notification requirements.


Ultimately, we anticipate increased enforcement activities emerging from Côte d’Ivoire, Nigeria, and Uganda and the outcome of pending investigations in Kenya. We expect to see the coming into force of the law in Ethiopia, the Seychelles, Cameroon, and Namibia; the finalisation of the registration regulation in Eswatini; the issuance of Egypt’s executive regulations; and an update to Djibouti’s Digital Code.