Articles

Bimonthly Update on Privacy in Africa (January & February 2026)

TH ADMIN
Monday, March 23, 2026

Introduction 

The data protection and AI governance landscape began in 2026 on a high note. There is a new data protection law in Burundi, new guidelines in Egypt, efforts to amend existing laws in Mauritius and Tunisia, and a new Data Protection Authority (DPA) in the Republic of Congo.  Several DPAs, especially in Kenya, Nigeria and Tanzania, are ramping up on enforcement actions. Meanwhile, Djibouti, Ghana, Kenya, Mauritius, Morocco and Zimbabwe are advancing their AI governance efforts.  

Trend Spotlight: What privacy professionals should pay attention to

African DPAs are kicking off 2026 with a strong move towards enforcement. Basically, they are choosing not to spare the rod of sanctions, demanding that organisations tighten their data protection governance practices. With over 110 decisions in 2025, Kenya’s DPA has begun 2026 with a firm stance against any data protection violation. Nigeria’s DPA has launched an enforcement drive in the educational sector, demanding that tertiary institutions provide proof of compliance within 21 days. Tanzania may tow the same path as the DPA has set April 8 as the deadline to comply with the registration requirement. Eswatini has also set a deadline of March 31 for the submission of all data maps, failure of which may attract sanctions. 

Some notable updates include:

Regulatory Update

  • On January 15, 2026, Burundi’s National Assembly adopted the Data Protection Law to govern the processing of personal data in the country. With this, Africa now boasts about 45 data protection laws.  New laws may emerge during the year; we expect the completion or progress in the legislative cycle for the laws in Liberia, Libya, Mozambique, Namibia, Sierra Leone, South Sudan, and Sudan  
  • The Republic of Congo has officially inaugurated the National Personal Data Protection Commission as its DPA. The inaugural follows the appointment of the Commission’s leadership under a decree issued on December 31, 2025.
  • Mauritius officially launched the National Data Strategy (2025–2029), which sets out a framework for the governance, sharing, and use of data across the country. Simultaneously, the Cabinet has also initiated an effort to amend the Data Protection Act 2017. Meanwhile, Tunisia is making a similar effort by introducing a 123-article data protection bill to update the country's existing law. 
  • To aid compliance with the data protection law and executive regulations, Egypt's Personal Data Protection Centre published guidelines on Data Subject Consent, Lawful Bases of Processing, Electronic Direct Marketing, Data Protection Officer, Data Protection Officer Categories, Data Users, Data Protection Principles, Record of Processing Activities (ROPA), Licenses and Permits, and Privacy Notice. It also released the reporting template for notifying the Centre and data subjects of data breaches, as well as a RoPA template.  
  • Eswatini's DPA  has published the Guidelines on Conducting a Data Mapping Exercise and issued a directive requiring data controllers and processors to conduct a mandatory data mapping exercise by March 31, 2026, using the data mapping template. Submissions are to be made to dataprotection@esccom.org.sz. 
  • Algeria has gazetted the National Data Governance Framework, a public tool that includes a unified mechanism for organising, managing, and exchanging data among public institutions.
  • The  Gabonese government has announced plans to ratify the Malabo Convention, a move that signals a possible update to the existing law. The DPA also announced stricter oversight and fines in the banking, telecommunications, and healthcare sectors. 
  • Kenya's Department for ICT and Digital Economy convened a validation workshop on the National Data Governance Policy. The policy proposes establishing a National Data Governance and Emerging Technologies Council to oversee implementation, enforce standards, and guide the development of a trusted national data ecosystem.
  • Ghana's DPA has announced a new fee schedule that took effect on February 2, 2026. The new fee schedule introduces a structure based on the size of the organisation for services such as registrations, compliance-related sanctions, and training services.
  • Nigeria's DPA has released a communique highlighting the key recommendations from the National Privacy Summit held during Privacy Week 2026. The recommendations include establishing a legal framework for high-impact AI, creating regulatory sandboxes for emerging technologies, strengthening legal clarity on international data flows, and taking actions to sanction non-compliance. 
  • On February 18, 2026, South Africa's DPA convened a stakeholder consultation to discuss a draft code of conduct for the processing of personal information at gated access points. 
  • On February 12, 2026, the Southern African Development Community (SADC) member states convened a brief session to discuss establishing the SADC Data Protection Authorities bloc and developing an annual strategy to collectively enhance participation in international engagements.
  • Zimbabwe's DPA has launched the Privacy Responsibility Challenge, calling on organisations to show how they are strengthening data governance, embedding privacy by design, tightening security controls and empowering teams to act as trusted custodians of personal data.
  • Mozambique's DPA has introduced a digital platform that enables citizens to report personal data breaches, illicit content, and cyber incidents online. The country also published the Cloud Computing Regulations, which establish a legal framework for governing the provision, registration, licensing, contracting, hosting, and operation of cloud-computing services. 

Enforcement Action 

  • Nigeria’s DPA has begun the year with a clear stance on non-compliance with the NDPA. The DPA is investigating an e-commerce platform, following concerns about online surveillance, accountability, data minimisation requirements, transparency, duty of care, and cross-border data transfers. It has also commenced a sector-wide investigation into tertiary institutions over alleged breaches of the NDPA, demanding that affected institutions show proof of compliance within 21 days. The High Court is towing the same line, imposing a ₦2,300,000 fine on a commercial bank for violating a customer's privacy. The bank processed the customer’s data for the automated loan recovery process without adequate verification. 
  • Kenya's DPA has issued an enforcement notice against a school for the inappropriate and commercial usage of minors’ data without consent. It imposed a fine on a hospital for unlawfully processing personal data and fined a school for unlawfully disclosing a minor’s examination results in a national newspaper without parental consent. Additionally, the DPA also confirmed the deletion of the personal data collected by Worldcoin, following a court ruling that the collection of biometric data from Kenyan citizens is unconstitutional and violates the Data Protection Act. Interestingly, a Kenyan court has ruled that while the DPA is empowered to determine complaints and issue administrative fines, it lacks jurisdiction to determine constitutional violations or to grant constitutional remedies.
  • Tanzania’s Minister of Communications and Information Technology has issued a directive to all data controllers and processors to register with the DPA before April 8, 2026. Following this announcement, the Minister has instructed the PDPC to begin preparations for comprehensive compliance audits, which will commence immediately after the deadline.  
  • Algeria's DPA has issued a decision establishing clear guidelines for handling employee and candidate drug test results. The DPA noted that test results indicating only "positive" or "negative" without additional medical details are standard health data rather than sensitive data. Hence, employers do not need to secure prior authorisation to process these records when verifying legal employment conditions. 
  • South Africa's DPA has initiated a proactive compliance-monitoring exercise, issuing formal notices that compel organisations to demonstrate compliance with the Protection of Personal Information Act (POPIA). Selected entities must submit a comprehensive electronic compliance report, including Legitimate Interest Assessments, within a strict 14-day window. The regulator has also warned that physical premise inspections may follow these initial reports.
  • Mauritius DPA has published a communiqué reminding the public that sharing photographs, videos, or identifying information on social media without valid consent constitutes unlawful processing, which may result in a criminal conviction or fines of up to 200,000 rupees (approximately 4,310 USD).

AI Governance 

  • Zimbabwe has published its National AI Strategy (2026–2030). The strategy proposes the enactment of a National AI Act, the development of national AI technical standards, the establishment of a National AI Regulatory Sandbox, the adoption of an Ubuntu-based AI ethics framework, and the introduction of mandatory ethical impact assessments for high-risk AI projects. In addition, the strategy calls for the establishment of statutory bodies to oversee AI deployment, including a National AI Council, an AI Strategy Implementation Office, a Parliamentary Standing Committee on AI and emerging technologies. Meanwhile, Mauritius has approved the adoption of its National AI Strategy, supported by a FAIR (Fair, Accountable, Inclusive, and Responsible) guideline that provides practical guidance for the responsible adoption, development, and use of AI across sectors. 
  • Ghana's Cabinet has officially approved the National AI Strategy, which will be launched by the President in the coming weeks. The strategy aims to cultivate local AI capabilities while embedding fairness, transparency, and accountability into the deployment of automated systems. Additionally, the country is simultaneously advancing an Emerging Technologies Law alongside a new data protection bill.
  • On February 23, 2026, the Global Privacy Assembly’s International Enforcement Cooperation Working Group (IEWG) issued a joint statement addressing the severe privacy risks associated with AI-generated imagery. Participating countries expressed urgent concern over AI systems that generate realistic, non-consensual imagery depicting identifiable individuals. To combat these risks, the coalition demands that tech companies build robust safeguards directly into their AI models, ensure meaningful transparency, and deploy targeted protections for children and vulnerable groups. The statement was signed by heads of the DPAs in 61 countries, including Burkina Faso, Cabo Verde, Ghana, Kenya, Mauritius, and Nigeria.
  • From February 18-19, 2026, Malawi held a validation workshop to validate the draft National Digital Transformation Strategy and the draft National AI Strategy.  The workshop gathered stakeholder feedback on the draft strategies, assessed their feasibility and alignment with key national frameworks. 
  • On February 3, 2025, Benin officially launched its long-term national roadmap, “Vision Benin 2060 Alafia, a World of Splendours”, which places digital technology at the centre of the country’s socio-economic transformation strategy. 
  • Morocco has announced plans to officially unveil the National AI Roadmap, “Morocco AI 2030”. The country has also endorsed the “Pathways to Action” declaration at the Summit on Responsible AI in the Military Domain (REAIM) in Spain, joining 34 other countries in committing to practical measures for the safe governance of military AI.
  • On February 12, 2026, the East African Science and Technology Commission (EASTECO), with support from the German Government, held national stakeholder consultations in Tanzania on the development of the EAC Regional AI Strategy. The consultations aimed to gather national-level insights, validate emerging findings, and build consensus on priority areas, governance frameworks, and capacity needs to inform a harmonised and inclusive EAC Regional AI Strategy. 
  • Kenya has officially launched its AI and Emerging Technologies Technical Committee, which will develop the country’s first National Policy on AI and Emerging Technologies. The committee hopes to finalise the policy by June 2026, with substantial drafts ready by March 2026. Meanwhile, the Kenyan High Court has certified an urgent petition demanding that the government create and publish a comprehensive National AI Policy Framework to address the unregulated use of AI. 
  • Djibouti has begun the formal process to develop its National AI Strategy.  The effort is led by the Ministry of Digital Economy and Innovation, which conducted a nationwide assessment and a multi-stakeholder workshop to identify key priorities for the strategy, including improving data governance, fostering innovation, and gradually integrating AI into public policy. 
  • In Nigeria, Lagos State launched the Lagos Generative AI Assessment Platform. The platform allows developers, institutions, and organisations to assess their AI systems using the STANDARD Framework (System, Transparency, Algorithms, Norms, Data, Accountability, Risk, and Deployment) to measure governance readiness, identify gaps, and align with global best practices.
  • The Children of the Digital Age Zimbabwe (CODAZIM) have called for stronger policies to protect children from digital harms, especially those perpetuated through AI systems. The call highlights the steep rise in international incidents involving AI systems generating non-consensual and sexualised imagery, noting that generative AI systems must anticipate misuse, not merely respond after harm occurs.
  • South Africa is moving to finalise its AI policy in the 2026/2027 financial year. The country has announced that its Economic Cluster Ministerial Council will deliberate on the policy in March, after which it will be presented to the cabinet. Upon the conclusion of the cabinet’s deliberations, the policy will be published in the national gazette and will be open to public comment for 60 days. 

Partnership 

  • Senegal's DPA received a delegation from its Mauritanian counterpart for a strategic study visit aimed at strengthening sub-regional cooperation. The sessions focused on sharing Senegal's operational experience to support the Mauritanian authority's development in complaint handling, control missions, and the legal frameworks necessary for effective data supervision.
  • On February 4, 2026, the Nigeria Data Protection Commission (NDPC) signed a memorandum of understanding (MoU) with the Nigerian Communications Commission (NCC) to enhance data protection within the telecommunications industry.
  • On February 8, 2026, Morocco's DPA and Portugal's DPA signed an MoU to strengthen bilateral cooperation by exchanging information and technical expertise on emerging data protection challenges, including AI, deepfake technology, and digital violence. 

Conclusion

In the coming months, we anticipate more enforcement actions and AI governance developments on the continent

We would love to hear from you. What are your predictions for the next newsletter? 

Who we are
About us
Privacy Notice
Contact
Services
Emerging Technologies
Privacy and Data Protection
Startup Advisory
Cybersecurity
Regulatory Intelligence
Research and Public Policy
Resources
Knowledge Hub
Reports
Training
Tech Hive Advisory Africa

We are a technology policy advisory and research organisation focusing on the intersection of law, business, and technology.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Copyright ©2025 Tech Hive Advisory Africa