
Country Spotlight: Central African Republic
Year of enactment: 2024
Authority Established: N/A
Summary: The law establishes a comprehensive data protection framework that applies to data processing activities with an effect in the country, regardless of where the controller is based. The law imposes significant obligations on organisations, such as implementing robust security measures, obtaining prior consent for direct marketing, and appointing a resident Data Protection Officer (DPO). It provides individuals with a full suite of rights and outlines a tiered regime for international data transfers, featuring specific rules for the CEMAC and ECCAS economic blocs. The framework is backed by robust sanctions, including administrative fines of up to 5% of the company's turnover and criminal penalties. A key operational challenge remains: the data protection authority is yet to be established, with the government missing the January 2025 deadline for its creation.
Catch up on the review of the law here.

Introduction
There have been significant developments in the data protection and AI governance landscape across Africa in the last two months. Madagascar established its Data Protection Authority (DPA), Algeria's amended data protection law took effect, and there was an uptick in enforcement and partnership efforts. On the AI governance front, Namibia launched the drafting of its national AI strategy, and more countries are making efforts to develop their strategies.
Data Protection: New Laws and Strategic Moves
● Madagascar has officially established the Malagasy Commission for Information Technology and Liberties (CMIL) as its DPA and appointed its board members, increasing the number of DPAs in Africa to 35.
● On July 24, 2025, Algeria published its amended data protection law, which imposes new obligations on data controllers and processors. Notably, the amendment specifies a 5-day data breach notification, allows cross-border data transfers, and permits restrictions on data subjects' rights to protect the fundamental rights, freedoms, and legitimate interests of the data subject.
● The Nigeria Data Protection (Amendment) Bill has been introduced into Parliament for deliberation. The bill seeks to enhance the accountability of application developers, regulate third-party data sharing, and strengthen the enforcement powers of the Nigeria Data Protection Commission (NDPC). The bill is the second legislative proposal seeking to amend the Nigeria Data Protection Act this year; a previous version wanted to see global companies registered locally. Meanwhile, the Speaker of Gambia's Parliament has announced the ongoing deliberation on the Personal Data Protection and Cybercrime Bill.
● On August 18, 2025, Somalia's DPA launched its five-year strategic plan. The plan guides the DPA’s efforts on data protection governance, legal enforcement, public awareness, and national and international partnerships. Similarly, in Kenya, the Office of the Data Protection Commissioner (ODPC) published its 2025-2029 Strategic Plan. Under the plan, the ODPC seeks to ratify the Malabo Convention, issue guidance on cross-border data transfers, pursue adequacy decisions from the EU and UAE, finalise and issue a data sharing code, register foreign entities, and review the Data Protection Act and its regulations.
● Ghana's Minister for Communication, Digital Technology and Innovations (MCDTI) officially swore in a new governing board of the Data Protection Commission (DPC). The Board will develop a national data governance framework to support Ghana’s digital economy and AI strategies.
● In Mozambique, from July 28 to August 1, 2025, the United Nations Economic Commission for Africa (ECA) hosted stakeholder consultations and a capacity-building workshop for public and private sector stakeholders. The expected outcomes from the workshop included a blueprint for Mozambique's digital and data governance landscape and a national data governance framework.
● Togo's Personal Data Protection Authority (IPDCP) announced the official launch of the declaration and authorisation process for video surveillance and protection systems in line with the data protection law. Following this, any image-based data processing in public or private spaces must be declared with the IPDCP, with specific cases requiring prior authorisation as contained in the data protection law.
Enforcement: Regulators Are Taking Actions
AI Governance: Growth on the Continent
● On August 22, 2025, Namibia officially inaugurated its AI Technical Advisory Committee to develop its National AI Strategy. The committee held its inaugural meeting, outlining key priorities, including education, capacity building, and job creation. This development follows the publication of the country’s AI readiness report developed in partnership with UNESCO. Meanwhile, Zimbabwe has secured a partnership with UNESCO to develop its national AI strategy.
● On July 7, 2025, Cameroon unveiled the National AI Strategy during the second edition of the National Consultations on AI. The strategy proposes the establishment of the Cameroonian AI Authority, a Presidential Council on AI, drafting a framework law that addresses ethical considerations and inter-ministerial coordination mechanisms, and the development of an Open Data policy.
● The Pan African Parliament (PAP) hosted the first Africa Digital Parliamentary Summit, which concluded with the adoption of the Lusaka Declaration. The declaration calls for robust, Africa-led governance frameworks to ensure responsible development and application of AI, alongside advancements in digital health, smart manufacturing, and data protection. It recommends that parliamentarians support AI and data protection regulatory frameworks in line with the AU Agenda 2063 and advocate for the domestication of the Malabo Convention.
● Zambia hosted the National AI in Education Policy Workshop, which was a platform for stakeholders to develop a national policy that will guide the ethical, inclusive, and effective use of generative AI in the education system.
● Malawi's DPA and Kenya's ODPC have announced plans to institute a regulatory sandbox to encourage the deployment of emerging technologies and promote innovation.
● During the Eswatini Economic Update 2025, Eswatini’s Minister of ICT announced that the country is developing key legislation on AI, robotics, cybersecurity, and e-commerce, among others. This is part of the country’s effort to maintain governance over its digital landscape.
● On August 7, 2025, South Africa officially launched the national AI stakeholder forum. The forum aims to serve as a platform for ongoing collaboration between stakeholders, forming a foundation for South Africa’s broader digital economy master plan and AI policy framework.
● Ghana has announced plans to establish the Emerging Technologies Council (ETC) under a new legislative framework. The ETC will oversee a broad spectrum of technologies beyond AI, with specialised divisions to adapt swiftly to emerging innovations. The Minister also announced the Ministry’s plans to introduce 15 new laws, notably the Emerging Technologies Act.
● Smart Africa has launched a comprehensive Model AI Policy Framework to guide African countries that have not developed national AI strategies by providing a template that can be adopted to suit their local context while maintaining consistency with continental and international standards.
● The BRICS countries, including Egypt, Ethiopia, and South Africa, have released a joint statement on the global governance of AI. The statement aims to promote inclusive, equitable, and human-centred AI development, prioritising countries in the Global South.
● During its inaugural National AI Summit, Morocco signed a Memorandum of Understanding (MoU) with Current AI, officially becoming a founding member of the organisation. At the Summit, the Minister Delegate for the Digital Transition emphasised that Morocco is developing a draft framework to address AI deployment risks, providing for principles such as the right to explanation, traceability of algorithmic decisions, and the primacy of human conscience.
Partnership & Collaboration
● The Presidents of the DPAs of the Alliance of Sahel States (AES) held a virtual meeting to validate the roadmap for the implementation of the cooperation agreement signed in April 2025. Through the roadmap, members commit to strengthening their collaboration in harmonising data protection frameworks and conducting joint awareness initiatives, among others.
● In Benin, the Autonomous National Electoral Commission (CENA) signed an MoU with the DPA to establish a framework for processing and protecting personal data during the upcoming electoral process. This partnership aims to ensure transparency, legal compliance, and the safeguarding of citizens’ fundamental rights throughout the electoral cycle.
● The Kenyan DPA hosted a high-level benchmarking session with Somalia’s DPA to enhance institutional structures, advance data protection initiatives, and promote stronger regional cooperation. Likewise, the Ugandan DPA visited the Nigerian DPA to observe and gain insights into their operational framework, aiming to adopt the best practices for Uganda. Togo's DPA also visited Burkina Faso's CIL to strengthen their collaboration.
● The Kenyan DPA held a strategic meeting with the Common Market for Eastern and Southern Africa (COMESA) and the Competition Authority of Kenya (CAK) to explore opportunities for international collaboration in promoting data protection compliance across various jurisdictions.
Conclusion
The message from the last two months is clear: data protection is maturing from policy to practice across Africa. We can certainly expect enforcement actions and cross-border partnerships to intensify in the coming months.
Which of these developments do you believe will have the most significant impact on doing business in Africa?