Introduction 

The data protection and AI governance landscape in Africa witnessed significant changes in the past 2 months. In terms of data protection, regulators expanded enforcement activity and issued guidance clarifying operational obligations, a shift from agenda-setting toward implementation. The AI governance landscape is also shaping up with the introduction of new bills, guidelines and policies to guide AI deployment.

Trend Spotlight: AI Governance

Since the year started, there has been a steep rise in the development of AI policies, guidelines and bills across Africa. The trend was more pronounced in the last two months as governments advanced AI governance frameworks. For instance, Egypt released a suite of instruments setting out a principles-based approach to safe and accountable AI development and deployment: the Generative AI Guidelines, the Guide to National AI Governance Framework, and the Guidelines for Trustworthy and Responsible AI. Ghana and Zimbabwe launched their National AI Strategies. Meanwhile, Kenya opened a consultation on its AI and Emerging Technologies Policy and the AI Bill 2026. South Africa also published the Draft National AI Policy for consultation, but it has been withdrawn due to AI hallucinations. Notably, countries like Mozambique are holding consultations on their AI strategies. 

Data Protection

• Kenya’s Office of the Data Protection Commissioner (ODPC) released four draft guidance notes for public consultation, covering cross-border data transfers, data protection policies, Data Protection Officers, and the transport sector.
• Uganda's Personal Data Protection Office (PDPO)  DPA has released nine draft regulatory documents, including The Data Protection and Privacy (Retention of Personal Data) Regulations, Revised Data Protection and Privacy (Amendment) Regulations 2026, Proposed Exemption from Registration, Guidelines on Lawful Processing, Data Protection Impact Assessment Guidelines, Data Protection and Privacy by Design and Default Guidelines, Data Security Breach Management and Notification Guidelines, The Criteria for Determining Data Collectors, Processors, and Controllers Regulations, and Collaboration Guidelines for Data Protection and Privacy Matters.
• Algeria’s Data Protection Authority (DPA) published guidelines establishing ethical and operational rules for workplace video surveillance, which mandate that employers secure prior authorisation from the DPA before installing cameras and specify a maximum retention period of 1 year for such footage. Similarly, Togo's DPA officially launched an online platform for the declaration of video surveillance and video protection systems.
• In a recent interview, the President of Morocco's DPA explained the DPA’s perspective on data sovereignty, cross-border data transfers, and AI governance, which he construed as a state's capacity to govern data use and preserve its citizens' dignity. On cross-border transfers, he confirmed that Standard Contractual Clauses and Binding Corporate Rules are being integrated into Morocco's framework and that deliberations on a data protection and AI instrument commenced in March 2025.
• On April 16, 2026, the Southern African Development Community (SADC) convened a stakeholder validation on its Data Governance Strategy, which aims to harmonise data protection and cybersecurity frameworks across member states. The strategy will support digital trade, cross-border data flows, and system interoperability within the region.
• Mauritius Data Protection Commissioner announced key initiatives under the government’s Digital Transformation Blueprint, including proposed amendments to the Data Protection Act, the introduction of regulations for Data Protection Officers, and the development of e-privacy regulations for the telecommunications sector.
• On March 5, 2026, the Rwanda DPA convened a consultation workshop on the draft regulation under the Data Protection and Privacy Law.  The session gathered professional perspectives to improve the draft regulations and ensure practical operationalisation within the data protection framework.
• On March 6, 2026, South Africa's Information Regulator (IR) published regulations on the processing of health information that apply directly to employers, insurance companies, medical schemes, and pension funds. Additionally, the IR has also disclosed the ongoing effort to amend the Protection of Personal Information Act (POPIA) and publish the long-awaited guidance on Personal Information Impact Assessments (PIIAs).
• On March 26, 2026, Tanzania’s DPA issued a public notice confirming that the voluntary registration period for data controllers and processors will officially end on April 8, 2026. The Commission outlined five mandatory requirements that all organisations must complete before the deadline, including registering with the PDPC, appointing a DPO, implementing data protection policies and guidelines, and establishing secure systems for processing and submitting quarterly compliance reports as required by law.  
• In Nigeria, the Federal Competition and Consumer Protection Commission (FCCPC) published the draft FCCPC Consumer Protection Regulations and the draft Consumer Protection Regulations Guidance Notes 2026 for public comments. The regulations set the standard for consent to digital services, stating that pre-ticked boxes, bundled consent, or manipulative interface design do not constitute consent. It further restricts the use of algorithmic profiling and automated decision-making that exploit vulnerable consumers, recognising the risks associated with data-driven targeting and behavioural manipulation. The guidance notes, regarding AI-generated and digitally altered content, subject such content to existing prohibitions on false, misleading, and deceptive representations. It prohibits practices such as presenting AI-generated reviews, testimonials, or endorsements as genuine, and requires disclosure for materially altered images, videos, and audio, including deepfakes.  
• The Chadian Senate has adopted a bill that expands the DPA's powers to include cybersecurity, personal data protection, electronic transactions, cybercrime, and the protection of the national information space, while also introducing oversight of video surveillance systems, drones, social networks, digital platforms, and artificial intelligence systems.
• In the Democratic Republic of Congo, the Minister of the Digital Economy launched a National Network of Data Protection Officers. 
• On March 18, 2026, Uganda's National Bureau for NGOs (NGO Bureau) issued a circular reminding all NGOs to register with the Personal Data Protection Office (PDPO). It further directs NGOs with expired PDPO certificates to renew their registration. A similar directive was issued to facilities with an additional requirement to appoint DPOs. 
• Liberia and Somalia have validated their respective National Data Policies. These parallel developments highlight a unified push to build secure, interoperable digital economies that protect national interests while fostering innovation. Meanwhile,  DRC, Madagascar, and Lesotho have ratified the Malabo Convention.

Enforcement Action

• The ODPC continued its enforcement actions by sanctioning non-compliance with the DPA. The ODPC found a microfinance bank liable for unlawfully publishing a former employee's image on its social media platforms without a lawful basis. It imposed a fine on a party for unlawfully processing an individual's personal data. It also issued a determination on unlawful direct marketing, holding that liability for unsolicited promotional messages rested with third-party sales agents rather than the company on whose behalf they acted. Additionally, the Kenyan High Court ruled on a constitutional petition challenging the 20-year retention of an individual’s fingerprints and criminal records for an alleged offence committed when he was a minor. The Court held that the record retention arising from alleged offences committed by a minor violated the individual’s constitutional rights and that the principle that the best interests of the child must prevail. 
• The NDPC issued an advisory, warning data controllers and processors of escalating threats to data security infrastructure, particularly from coordinated cyberattacks targeting financial systems and critical digital infrastructure. This follows a series of data breaches that the NDPC is currently investigating, involving some financial institutions and government institutions. The NDPC also announced that it is investigating the activities of digital loan operators over alleged violations of data protection laws. The NDPC has issued a warning, especially to content creators, stating that willfully capturing images of individuals for social media content constitutes a privacy infringement under the Constitution and the NDPA. 

AI Governance

• On March 24, 2026, the Ghanaian President officially launched the country’s National AI Strategy. The strategy proposes the review and full implementation of existing policies on data protection, open data, and cybersecurity, the dissemination of guidance on trustworthy, safe, secure, and ethical AI practices, among other regulatory reforms. Likewise, Zimbabwe’s President has officially launched the National AI Strategy (2026-2030). The strategy establishes a concrete roadmap for embedding AI into core government processes and national service delivery.
• Kenya is advancing its AI governance efforts as the AI Bill 2026 was introduced in Parliament and opened for public consultation. The bill provides for the establishment of the Office of the Artificial Intelligence Commissioner, introduces a four-tier risk classification system and requires developers to explicitly label all AI-generated content, a critical measure to curb deepfakes during political campaigns. Additionally, a Kenyan Senator has presented a motion in the Senate calling for the development of comprehensive national policies to accelerate the adoption of AI and other emerging technologies in Kenya.
• South Africa’s Cabinet approved the publication of the draft National AI Policy for public comment. The draft policy builds on and incorporates the stakeholder feedback on the previous National AI Policy Framework, which was published for public consultation in 2024. However, the policy has been withdrawn due to AI hallucinations.
• A Kenyan has filed a petition against Safaricom, a telecoms provider, over the large-scale deployment of AI systems. The petition alleges the violations of the constitutional right to privacy, dignity, equality, and fair administrative action in Kenya. 
• Gabon is advancing efforts to amend its Communications Code, with significant consideration for AI. The amendment contains a dedicated AI and synthetic content chapter prohibiting deepfakes that harm human dignity or falsely attribute statements to public figures, with AI-facilitated identity usurpation classified as an aggravating criminal circumstance, and mandating mandatory labelling of all AI-generated content.
• The AU Peace and Security Council convened its 1339th ministerial-level meeting on the theme "Artificial Intelligence: Governance, Peace and Security." The session adopted a communiqué reaffirming Africa's sovereign right to harness AI for peace, security, and development in accordance with international law and African priorities. 
• Mauritius has officially launched its National AI Strategy and FAIR Guidelines, which provide a comprehensive roadmap for the transparent, safe, and effective adoption of AI across priority sectors. Egypt made a similar effort by publishing the National Guidelines for Trustworthy and Responsible AI and the National Generative AI Guidelines.
• Mozambique's Ministry of Communications and Digital Transformation officially launched public consultations to draft the country's upcoming National Digital Transformation and AI Strategies. The Government also hosted a dedicated workshop to gather input from industry stakeholders to shape a comprehensive policy framework governing the deployment of AI and accelerating the development of national digital infrastructure. Burundi follows suit, with a national validation workshop in Bujumbura for its National AI Strategy 2025–2030
• At the conclusion of the 4th EAC Regional Science, Technology and Innovation Conference 2026, a Declaration on AI was adopted, including 15 commitments spanning governance, infrastructure, skills, and sovereignty. 
• On April 1, 2026, Ghana's Data Protection Commission issued its statement as part of the Global Privacy Assembly's Joint Statement on AI-Generated Imagery and the Protection of Privacy, addressing the growing misuse of AI systems to generate non-consensual intimate imagery, defamatory content, and harmful material targeting children and other vulnerable groups. Separately, the NDPC had disclosed that Compliance Audit Reports submitted by data controllers will serve as a metric for assessing compliance with both data protection law and AI-related obligations — effectively extending the audit instrument beyond its original statutory purpose into AI governance.
• In Zambia, the Government has formally classified the misuse of AI-generated content as a national security threat, citing escalating concerns over misinformation ahead of the August 2026 general elections. In response, regulators, notably the Zambia Information and Communications Technology Authority, have intensified enforcement actions, including recent media interventions, while emphasising the broader risks that synthetic content poses to democratic processes.

Partnership

• As Nigeria gears up for its upcoming 2027 elections, the DPA has inaugurated a Joint Working Group with the Independent National Electoral Commission (INEC). The Working Group will focus on embedding data protection principles throughout electoral activities.
• Benin’s DPA recently held a strategic meeting with Senegal's DPA. The engagement focused on fostering regional cooperation, sharing regulatory best practices, and strengthening cross-border data protection frameworks within West Africa.

Conclusion 

In the coming months, we expect the conclusion of all pending consultations on guidelines, bills and guidance notes.

‍