Authority Established: National Commission for the Protection of Personal Data (CNDP) - Yet to be established.
Summary: The law is published as part of a broader Digital Code. The law aims to regulate the processing of personal data through automated and partially automated means. Like most data protection laws in the region, the law provides for the rights of data subjects and key obligations of data controllers and processors, including implementing relevant technical and organisational safeguards, appointing a DPO, and obtaining the prior authorisation of the CNDP for high-risk processing, among others. It also provides for the post-mortem rights of data subjects and specifies mechanisms for cross-border data transfer. Additionally, it specifies the sanctions for non-compliance, which could include imprisonment for up to 10 years or an administrative fine of up to 70,000,000 DJF (approximately $ 393,400 USD) or 5% of the company's global turnover.
The data protection and AI governance landscape witnessed some progress in the last two months. Gambia passed its data protection law, and more countries are advancing efforts on their proposed laws. Data Protection Authorities (DPAs) maintained momentum with enforcement actions. A noticeable trend in AI governance is the active move towards regulation, with a few countries deliberating on AI bills.
Some notable updates in the region include:
Regulatory update
New data protection laws are being developed across Africa, with the publication and consultation on new bills.
The Gambia has joined the increasing number of countries with a data protection law, as the Parliament passed the Personal Data Protection and Privacy Bill into law on September 29, 2025. The law provides a framework for governing the processing of personal data within the country. It designates the existing Information Commission as the DPA to oversee its implementation. The law is still awaiting the President's assent.
Mozambique hosted public consultations on its proposed Law. Sierra Leone held a pre-legislative review of the draft Data Protection and Right to Access Information Regulatory Commission Bill, 2025. Ghana is making similar efforts with the publication of the Data Protection Bill, Emerging Technologies Bill, the Data Harmonisation (DH) Bill and the Cybersecurity (Amendment) Bill, which are open to public comments until November 14, 2025. Notably, the Economic Community of West African States (ECOWAS) held a validation workshop on the Anti-Fraud and Protection of Personal Policies. Malawi's DPA has published the draft Data Protection (Data Processors Engagement) Regulations, 2025, draft Guidelines, and a Checklist on Compliance with the Data Protection Act and the draft Guidelines on Personal Data Breach Notifications and Communications, for public comment.
On September 19, 2025, the Nigeria Data Protection Act General Application and Implementation Directive (NDP Act-GAID) officially took effect. The DPA also announced its official ascension as an associate member of the Global Cross-Border Privacy Rules (CBPR) Forum.
Burkina Faso's DPA has approved a new administrative sanction procedure for data controllers and processors. The procedure sets out clear mechanisms for handling complaints, investigations, and breaches, with timelines of up to three months for compliance. Uganda's DPA announced efforts to develop a comprehensive privacy audit and inspection manual, which will serve as a tool for assessing organisational compliance with the data protection law.
Egypt's National Council for AI (NCAI) has adopted an Open Data Policy as a transitional framework for open data governance pending the enactment of the Data Governance Law. Meanwhile, the Democratic Republic of Congo (DRC) has announced efforts to officially adopt the country’s 2030 Digital Strategy, which aims to digitalise public services, strengthen cybersecurity, develop AI and increase digital sovereignty. Additionally, Ethiopia has announced plans to develop its National Data Governance Strategy and conclude its Digital Transformation Strategy.
Botsawana's Non-Bank Financial Institutions Regulatory Authority has published a data protection checklist for Non-Bank Financial Institutions (NBFIs) to guide NBFIs on responsible data collection and consent practices.
From September 15-20, 2025, African DPAs participated in the 47th Global Privacy Assembly (GPA) on the theme “AI in Our Daily Lives: Data and Privacy Issues”. During the assembly, Kenya's DPA won the Global Privacy and Data Protection Award across four categories, including education and enforcement. Eswatini and Uganda’s DPAs were also admitted as observers to the GPA. It was announced that Kenya will host the 49th GPA session in 2027.
On September 10, 2025, Kenya's Ministry of Information, Communication, and Digital Economy hosted a workshop with key stakeholders, marking the initiation of the development of Kenya’s National Data Governance Policy. Through the policy, Kenya will establish a trusted ecosystem for data sharing. It is anticipated that the policy will be completed by January 2026. Additionally, Kenya's DPA engaged in an extensive stakeholder consultation on Kenya’s proposed accession to the Malabo Convention.
The President of Togo's DPA has addressed the representatives of international organisations and foreign companies operating within the country in Togo on the need to comply with the data protection law regarding the processing of personal data during meetings and events. The President mentioned that references to foreign data protection standards should be avoided and attendance logs must include an information notice specifying the purpose of data collection under Togolese law.
In Rwanda, the National Institute of Statistics published the National Data Governance Framework (NDGF), the National Data Classification and Access Guideline (NDCAG), and the National Metadata Management Guideline (NMMG). The regulations provide a framework for data governance in the country.
Enforcement
Kenya's DPA maintained momentum with its enforcement activities. The DPA announced plans to conduct a nationwide inspection targeting the hospitality sector to measure compliance with the Data Protection Act in the sector. Organisations within the sector are required to register with the ODPC as data controllers and processors. The DPA fined an employer for denying an employee’s access request to reference letters issued by her former employer. An individual was fined for unlawfully disclosing a data subject’s personal data. The individual disclosed the details of his dispute to the data subject’s employer without consent.
Malawi's DAP issued a statement discouraging the publication of Malawi National Examinations Board (MANEB) results of candidates on social media without consent, emphasising that the results constitute personal data. Hence, no disclosure or publication of another individual's examination results should be made on social media without the prior consent of the individual.
Uganda's DPA published a decision stating that a data controller’s decision to retain the data in line with regulatory standards did not violate the data subject’s right to erasure.
A Nigerian High Court has awarded ₦20,000,000 (approximately 13,000 USD) as compensation to a data subject against a media house for violating her right to privacy. Similarly, the High Court ruled in favour of a complainant in an action against a commercial bank for privacy violations.
Gabon's DPA conducted compliance inspections on 12 companies following a referral received in March 2025. Preliminary findings revealed that several companies, particularly in the oil sector, were processing personal data without prior declaration to the DPA. Additionally, Eswatini's DPA announced that, as of September 1, 2025, it will initiate enforcement actions against all organisations that have not registered as data controllers and processors.
AI Governance
Angola has published its draft AI Law, which seeks to establish a comprehensive legal framework for AI, protect citizens from AI-related risks, promote the ethical use of AI, and establish mechanisms for monitoring and sanctioning the improper use of AI. The draft law is open for contributions till November 27, 2025. Similarly, in Namibia, the Minister of Information and Communications Technology announced an active move to develop an AI Act aligned with UNESCO’s ethical recommendations and regional frameworks, such as the SADC Model Laws and AU strategies. Additionally, the Parliaments in Nigeria and Kenya are also deliberating on AI bills, signalling an active move towards AI regulation.
On October 14, 2025, Zimbabwe’s Cabinet approved the country’s National AI Strategy 2026–2030. The strategy aims to harness AI’s economic potential while minimising risks and ensuring alignment with the country’s national ICT policies. Similarly, the DRC’s Minister of Digital Economy has officially launched the draft National Digital Plan (PNN2) 2026-2030 and National AI Strategy.
The African Commission on Human and Peoples' Rights (ACHPR) Special Rapporteur on Freedom of Expression joined other international mandate holders in adopting a Joint Declaration on AI, Freedom of Expression and Media Freedom. The Declaration outlines risks, opportunities, and principles for using AI in compliance with human rights law, addressing issues such as content creation, algorithmic bias, and the media's reliance on AI.
Ghana launched the Ghana AI Practitioners’ Guide, while Mauritius Financial Services Commission (FSC) published a Guideline on the Responsible Use of AI in Financial Services. Tanzania has also announced plans to finalise a national guideline for the responsible and effective adoption of AI. Senegal's DPA also published a press statement on the use of AI and the protection of personal data, calling for the ethical use of AI.
Partnership
On October 8, 2025, while attending the Digital Government Africa (DGA) Summit 2025 in Lusaka, representatives from Nigeria's DPA paid a courtesy visit to Zambia’s DPA. The visit aimed to deepen collaboration between the agencies. Discussions focused on regional and global data protection and privacy governance, and both parties agreed to formalise their partnership through a Memorandum of Understanding (MoU)
Sierra Leone's Ministry of Communication, Technology and Innovation (MCTI) signed an MoU with Qhala, a Nairobi-based digital transformation company, to introduce AI into the country’s public sector.
On September 24, 2025, Burkina Faso's DPA and the United Nations High Commissioner for Refugees (UNHCR) held a virtual meeting to strengthen their partnership under their existing agreement, with a focus on joint efforts to enhance personal data protection.
During the 47th GPA, Angola's DPA signed a Memorandum of Understanding (MoU) with Brazil's DPA. The MoU aims to reaffirm the commitment of the two authorities to protect the personal data of citizens. Through the MoU, both countries will collaborate to promote mutual assistance and technical, regulatory and supervisory cooperation in data protection.
Conclusion
In the coming months, we anticipate the conclusion of public consultation on pending data protection bills and more enforcement actions in the region. We also anticipate more proactive efforts towards promoting ethical AI governance in the region.
We would love to hear from you. What are your predictions for the next letter?
-1323.png){kind=logo}
.png)
