Bimonthly Update on Privacy in Africa (May - June 2025)  

TH ADMIN
Thursday, July 24, 2025

Country Spotlight: Comoros  

Year of enactment: 2021

Authority Established: N/A

Summary: The law establishes a comprehensive framework for data protection, detailing principles for lawful data processing and outlining the rights of individuals. Operationally, the law imposes specific obligations on data controllers, including the implementation of security measures, maintaining records of processing activities, appointing a Data Protection Officer (DPO) in certain cases, and adhering to strict mechanisms for international data transfers. However, its enforcement mechanism remains theoretical as the National Authority for the Protection of Personal Data has not yet been constituted. You can catch up on the review of the law here.

 

 

Introduction

There have been significant developments in the data protection and AI governance landscape across Africa in the last two months.  More African countries are reviewing existing laws and deliberating on draft data protection laws to align with international standards. On the AI governance front, more countries are making efforts to develop AI regulations and consulting stakeholders on draft strategies.

Here are some notable updates across the region:

Regulatory update

● Djibouti’s parliament officially adopted the country’s digital code. The code aims to accelerate digital transformation within the country. The Code contains the country's data protection law and also addresses other crucial areas, including cybersecurity.

● In Mozambique, the National Institute of Information and Communication Technologies (INTIC) published the first draft of the Personal Data Protection Law for public comments. The draft law provides a framework for processing personal data within the country and establishes the National Data Protection Authority to oversee its implementation.

● Liberia's President has presented a draft data protection law for the country. The bill aims to govern the processing of personal data within the country.

● Ghana’s Ministry of Communications, Digital Technology, and Innovation announced the development of 15 new laws to address key areas, including data protection and cybersecurity.

● Mauritius, in its 2025–2026 budget and digital transformation blueprint, announced reforms to align its data protection law with EU standards.

● Namibia’s Parliament is finalising key bills on AI, data protection, and cybercrime.

● The Democratic Republic of Congo officially deposited its ratification of the Malabo Convention, while Eswatini’s Parliament is deliberating on the adoption of the Malabo and Budapest Conventions.

● Morocco has announced plans to reapply for an adequacy decision under the EU General Data Protection Regulation (GDPR). The country has applied for it in the past but did not receive it. Mauritius has also applied in the past, but was not successful. Meanwhile, Kenya is currently under review for an adequacy decision by the European Commission, as is the UAE.

● In Algeria, the National Authority for the Protection of Personal Data (ANPDP) has published a compliance procedure for data controllers. The procedure outlines the compliance measures that entities processing personal data in the country must follow, including implementing technical and organisational standards to secure data, making formal declarations, and obtaining relevant authorisations.

● The Office of the Data Protection Commissioner (ODPC) has published several draft guidance notes to aid the implementation of the Data Protection Act. The draft guidelines include, Guidance Note on the Processing of Personal Data for Journalistic, Literary and Artistic Purposes, Guidance Note for Processing Biometric Data,   draft Guidance Note on the Processing of Children’s Data, Guidance Note on Processing of Personal Data by Micro, Small, and Medium Enterprises (MSMEs), Guidance Note for the Public Sector, Guidance Note on the Processing of Personal Data for Publication of Recorded Media, Guidance Note on Processing Data for Historical and Statistical Purposes, and the draft Guidance Notice on the Processing of Personal Data for Research Purposes.

● On June 18, 2025, the Personal Data Protection Office (PDPO), in partnership with the National Information Technology Authority-Uganda (NITA-U), under the Uganda Digital Acceleration Project (UDAP-GovNet), held a stakeholder validation workshop to review the draft National Digital Cybersecurity, Data Protection and Privacy Awareness Strategy for inclusivity, practicality, and alignment with national priorities.

● Kenya has updated and published its Cloud Policy, providing guidance on cloud adoption, supporting AI and emerging technologies, and reinforcing cybersecurity and data protection principles, particularly for cross-border data flows.

● Rwanda approved a national data sharing policy, which aims to promote the free flow of data between government entities within a well-governed and secure environment, ensuring the use of data for innovation and the national good.

Enforcement Action

● The High Court of Tanzania has, on appeal, fined two companies for using the image of a data subject for commercial purposes without consent. In Kenya, the High Court has overturned the ODPC’s decision for failing to allow the company to respond to its findings and explore alternative dispute resolution mechanisms before reaching its decision. Whereas, the Ugandan High Court has dismissed an action from a party seeking to access a deceased’s will on the ground that the deceased’s privacy must be considered when access to a will is demanded.

● Kenya's ODPC has announced plans to inspect key sectors, including education, hospitality, and property management, to verify whether organisations implement appropriate measures to safeguard personal data and respect the rights of data subjects. In Tanzania, the Personal Data Protection Commission (PDPC) has issued a circular informing the public of its plans to investigate violations of the data protection law, which have led to privacy breaches in public domains.

● Additionally, Mali's DPA published a list of organisations sanctioned for non-compliance with the data protection law. Additionally, the DPA issued an enforcement notice and imposed a fine against a company for failing to comply with the reporting formalities and obstructing the DPA's inspection.

● In Egypt, the Alexandria Economic Court issued a ruling against a telecommunications company, marking the first prominent judicial application of the Personal Data Protection Law (PDPL) against a company in the telecommunications sector. The decision mandates the company to compensate for violating a customer’s data, stemming from an unauthorised SIM card replacement that led to account takeover and extortion. Although Egypt is yet to issue the executive regulation that will lead to the creation of its DPA, the decision indicates the use of the data protection law in the absence of the regulator's existence.

● The ODPC has issued a fine against a school for disclosing a minor’s data to a third party without obtaining prior parental consent.

● Uganda’s Ministry of Education has banned the public display of candidates’ national examination results, citing concerns over data protection violations and potential psychological harm. As an alternative, the Ministry has directed that exam results be communicated privately via sealed letters or secure digital platforms. Meanwhile, the Nigeria Data Protection Commission (NDPC) is investigating the Joint Admissions and Matriculation Board (JAMB) for a data breach affecting about 380,000 candidates, following a technical error and concerns over possible hacking.

AI Governance

● In Kenya, Members of Parliament (MPs) have called for the urgent regulation of AI to address associated risks and suggested that the Ministry of Information, Communication, and the Digital Economy develop a regulatory framework and ethical guidelines for the implementation of AI. Meanwhile, the Kenya ICT Action Network (KICTANet) has signed a memorandum of understanding (MoU) with two United States-based organisations to develop Kenya’s national AI policy.

● Djibouti’s Ministry of Digital Economy and Innovation (MDENI) has initiated the recruitment of experts to draft its national AI strategy. Similarly, in Tanzania, Jamii Africa convened stakeholders for a consultation on the draft national AI strategy, which is scheduled to be launched in July 2025. Meanwhile, at the Africa AI Summit in Uganda, the Executive Director of the National Information Technology Authority – Uganda (NITA-U) announced plans to develop a national AI strategy and framework in partnership with its Digital Acceleration Project (UDAP) partners.

● Tanzania's Ministry of Information, Communication, and Technology (ICT) has published a draft national AI strategy, which outlines a comprehensive framework for the responsible development and use of AI. The strategy is anchored on five key enablers and proposes the establishment of relevant frameworks that will promote responsible AI deployment, data protection, ethical standards, and inclusive governance.

● Morocco's government has announced plans to rapidly advance AI adoption across its public and private sectors by establishing a dedicated AI and emerging technologies directorate. The country is also drafting an AI framework law, which will outline the fundamental principles, compliance requirements, oversight mechanisms, and ethical safeguards to ensure the responsible deployment of AI technologies within the country.

● In Nigeria, the NDPC has announced its collaboration with private ICT firms to launch regulatory AI sandboxes, creating a safe environment to test AI technologies within existing legal frameworks. Whereas the Lagos State Commissioner of Innovation, Science, and Technology has disclosed the state's plans to release AI guidelines that will provide a guide for developers and organisations on developing and deploying AI systems.

Partnership 

● Algeria’s Minister of Post and Telecommunications and Rwanda's Minister of ICT and Innovation have signed a bilateral agreement to establish a framework for cooperation in emerging technologies, digital transformation, and innovation ecosystems. Also, the Turkish Ambassador to Ghana visited the Ghanaian Data Protection Commission to discuss strengthening their collaboration in data protection, cross-border data transfer, digital rights and governance in AI and emerging technologies.

● On June 2, 2025, South Sudan officially joined the Smart Africa Trust Alliance (SATA), becoming the 17th country to do so. Additionally, at the recently concluded Network of Africa Data Protection Authorities (NADPA-RAPDP) Annual Conference, Tanzania and Somalia also officially joined the network.

● On May 19, 2025, Kenya launched a partnership with the European Union (EU), the German Development Agency (GIZ), and the African Union (AU) to kick-start the development of Kenya’s national data strategy and data policy. This initiative will enable data interoperability across the government and foster the development of AI through the use of high-quality datasets.

Conclusion

In the coming months, we anticipate that Liberia, Mozambique, and Namibia will make progress in enacting their data protection laws. We also anticipate the launch of Nigeria's and Tanzania's national AI strategies, as well as the publication of Lagos State's AI guidelines in Nigeria.

We will be back with your next update soon. Until then, stay tuned!

 

 

Who we are
About us
Privacy Notice
Contact
Services
Privacy and Data Protection
Startup Advisory
Cybersecurity
Regulatory Intelligence
Research and Public Policy
Resources
Insights
Reports
Training
Tech Hive Advisory Africa

We are a technology policy advisory and research firm focusing on the intersection of law, business, and technology.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Copyright ©2025 Tech Hive Advisory Africa