Introduction

The data protection and AI governance landscape witnessed some progress in the last two months.  There has been progress with the amendment of a data protection implementing regulation and law, the formal establishment of a new authority, and enforcement actions. On the AI governance front, more countries advanced their AI governance effort by launching their national AI strategies, deliberating on AI-specific regulations, and conducting AI readiness assessments.

Here are some notable updates across the region:

Regulatory update

● On March 17, 2025, Angola published a draft review of its Personal Data Protection Act, which aims to update the existing Personal Data Protection Act. The proposed revision will impose new obligations on data controllers and processors, like obtaining parental consent when processing children's data, a 72-hour data breach notification period, and provides the requirement for processing personal data when using AI systems. It also provides for additional rights, including the right to data portability, restriction of processing, among others.

● In South Africa, the Information Regulator (IR) published the amendment to the Regulation Relating to the Protection of Personal Information 2018 in the official gazette, officially bringing it into force. The amendment aims to clarify certain provisions of the regulation and aid its implementation. It allows for the exercise of the right to object, erasure, and rectification, specifying a 30-day timeline for treating such requests. It mandates consent for direct marketing conducted through unsolicited electronic communication, specifies the procedure for handling complaints, and allows for the payment of administrative fines in instalments.

● New Data Protection Authorities (DPAs) were formally established. On March 28, 2025, Togo officially launched the Personal Data Protection Authority (IPDCP) as its data protection authority. Likewise, the Republic of the Congo published the law establishing the National Commission for the Protection of Personal Data (CNPD) in the official gazette. The law outlines the CNDP's functions, its composition, powers, and administration.

● The Nigeria Data Protection Commission (NDPC) published the Nigeria Data Protection Act General Application and Implementation Directive (NDP Act-GAID), which provides a guide on implementing the NDPA. The GAID repeals the Nigeria Data Protection Regulation (NDPR) and its implementation framework. Meanwhile, a proposed bill to amend the Nigeria Data Protection Act (NDPA) to require social media platforms to establish physical offices in Nigeria scaled its second reading in the Senate, and has been referred to the Senate Committee on ICT and Cybersecurity for further deliberations.

● From April 23-24, 2025, Cabo Verde hosted an international conference to discuss the development of the country’s first national data strategy, which will provide a framework for harnessing data to strengthen the economy, promote inclusion, and ensure the ethical use of data in AI development. The government has also disclosed plans to build an open and secure data ecosystem that promotes data governance and integrates new technological initiatives, including AI.

● Tanzania commenced deliberation on the proposed Personal Data Protection (Fees) Regulations, which set out the official fee structure for various personal data protection services rendered by the Personal Data Protection Commission (PDPC) under the Personal Data Protection Act.

● On March 5, 2025, the Information Regulator (IR) held a stakeholder engagement session to discuss its Annual Performance Plan for the 2025-2026 financial year. During the session, the IR disclosed its plans to increase awareness, conduct compliance assessments, issue relevant codes of conduct and guidelines to aid the enforcement of the Protection of Personal Information Act (POPIA). The IR also issued a circular directing all organisations to report all data breaches through its portal or website rather than by email from April 1, 2025.

● In Morocco, the National Commission for the Control of Personal Data Protection (CNDP) issued a circular stating its intention to initiate deliberations with stakeholders to discuss the provisions and guarantees necessary to protect privacy in the context of video surveillance. The outcome of this deliberation will guide the CNDP in developing a framework for protecting the right to privacy, legitimate public interest, and maintaining compliance when using video surveillance.

● Several Data Protection Authorities (DPAs) announced the commencement of registration for data controllers and processors. In Zambia, the newly operational Office of the Data Protection Commissioner (ODPC) announced the commencement of the registration process and published the terms and conditions and guidelines for the registration. Mauritius’ DPA also called on all entities processing personal data to register in compliance with the Data Protection Act, and published an advisory on the process. Similarly, Malawi’s DPA  informed all Data Controllers and Processors of Significant Importance (DCPSI) of the commencement of registration with the authority within 6 months.

Enforcement action

● In Kenya, the Office of the Data Protection Commissioner (ODPC) continued its enforcement action. The ODPC  issued a fine against a company for using a data subject and his relative’s images for commercial purposes without obtaining consent. Another company was fined for failing to honour a data subject's request for erasure. The ODPC issued a fine against a digital lender for sending unsolicited messages to a data subject without obtaining consent as part of a loan recovery process. Additionally, a company was fined for using a data subject's pictures without consent.

● In Nigeria, the High Court dismissed a data subject’s claim that two companies failed to comply with the principle of data minimisation and processed his data without consent. The court ruled that the data collected was necessary to facilitate the data subjects’ transactions. Additionally, during a media conference, the National Commissioner of the NDPC disclosed that the NDPC launched an investigation into two multinational companies for privacy violations.

● In Uganda, the Director of a digital lending platform was imprisoned over the company’s failure to register with the Personal Data Protection Office and for processing a data subject’s data without consent.

AI Governance

● From April 3-4, 2025, African countries participated in the inaugural Global AI Summit on Africa in Kigali, Rwanda. During the summit, African officials adopted the Africa Declaration on AI, which seeks to leverage AI to drive innovation and foster sustainable and responsible deployment of AI technologies across Africa. Additionally, Smart Africa held its 20th Steering Committee Meeting and launched the Africa AI Council.

● On March 27, 2025, Kenya officially launched its national AI Strategy, which seeks to establish a framework for AI usage and adoption in Kenya. Similarly, Côte d'Ivoire unveiled its National AI and Data Governance Strategy. The strategy proposes the establishment of a National Committee for AI and Data Governance, an AI hub with a startup incubator, and a "Safe AI" label to ensure ethical AI development. Additionally, the data governance strategy will aid in securing and optimising data use.

● In Nigeria, the National Human Rights Commission (NHRC) disclosed plans to engage technology companies to prevent potential harm to human rights when using AI systems. This demonstrates how existing regulatory bodies can address AI risks within their current mandates, reducing the need for AI-specific regulators.

● In April, Ghana's Ministry of Communication, Digital Technology, and Innovation hosted consultation sessions on Ghana’s national AI strategy. This follows a previous announcement by the ICT Minister that the government would review the existing AI strategy and update it. Likewise, South Africa’s Department of Communications and Digital Technologies (DCDT) announced that it will commence the review of public input on the national AI policy framework in April.

● The African Union’s (AU) African Commission on Human and Peoples’ Rights (ACHPR) opened the draft study on human and peoples’ rights and AI, robotics, and other new and emerging technologies in Africa for public comment. The draft study aims to assess the impact of emerging technologies on human and people's rights across Africa.

● From April 3-4, 2025, the Namibia's Ministry of Education, Innovation, Youth, Sports, Arts and Culture (MEIYSAC), in partnership with the National Commission for UNESCO and the National Commission on Research Science Technology (NCRST), held the AI readiness validation workshop to finalise the country’s AI Readiness Assessment Report (RAM). Similarly, Zimbabwe's Ministry of ICT, in partnership with UNESCO Regional Office for Southern Africa, convened a similar workshop to finalise Zimbabwe’s AI RAM report.

● During the Mobile World Conference, Uganda's Permanent Secretary of the Ministry of ICT and National Guidance announced the ongoing deliberation on AI governance, with the government making consulting stakeholders on the development of an AI policy and a model that aligns with national needs. An AI governance guideline is expected by the end of 2025.

Partnership

● In March and April, Kenya's ODPC had a data protection knowledge exchange and twinning program with the Belgian Data Protection Authority (DPA), sponsored by the EU and German Corporation for International Cooperation (GIZ). Through the program, both authorities to shared insights, compared best practices, and explore current trends in the implementation and operationalisation of data protection laws.

● On April 23, 2025, Rwanda signed a trilateral memorandum of understanding (MoU) with the Centres for the Fourth Industrial Revolution (C4IR) of the United Arab Emirates (UAE) and Malaysia to collaborate on AI. This partnership aims to foster collaboration among the parties in the aspects of developing governance frameworks, skills development, and technological innovation, with a focus on ethical, inclusive, and sustainable methodologies.

● On April 16, 2025, representatives of Smart Africa paid a courtesy visit to Ghana’s Data Protection Commission (DPC). The visit aimed to strengthen the existing collaboration between the institutions and discuss possible collaboration on reviewing Ghana’s Data Protection Act, exercising data portability, and capacity building.

Conclusion

In the coming months, we anticipate the conclusion of the deliberations on the national AI strategy in Ghana and Tanzania, progress with the AI policy framework in South Africa, and the formal launch of Nigeria's AI Strategy. We also expect that Angola will wrap up the review of its data protection law, and Gambia will make progress with the enactment of the Data Protection Law.

Stay informed on African AI governance and data protection. We will be back with your next update soon!