This can be seen in the increased involvement of States through the adoption of national legislation that complies with international standards, the gradual establishment of protection authorities or even through the dynamics of cooperation. Thus, in 2016, the first African Forum on Personal Data Protection (FAPDP) was launched in Ouagadougou, followed by the creation of the African Network of Personal Data Protection Authorities (ANPPA). Two years later, in Dakar, the AU published its guidelines on personal data protection for Africa in collaboration with the NGO Internet Society. And in June 2019, Ghana hosted the first International Conference on Data Protection and Privacy in Africa. In view of all these efforts and initiatives, it can be said that Africa is well on its way to taking its rightful place in the global governance of data protection. However, there are still huge challenges and a lot of work to be done. Hence our bimonthly newsletter, which will aim to keep you informed of all the latest news concerning personal data protection in Africa. We wish you a very good reading E-karangé#privacy
The first two months of the year have been quite remarkable, with a lot of activity from the data protection authorities. Here are some of the noticeable trends.
- Nigeria's Federal Executive Council has approved the Data Protection Bill. The bill is expected to be sent to the legislature, which has promised to pass it within a month.
- The government of Namibia has continued public consultations on the data protection bill.
- Tanzania has published two draft regulations on complaint resolution, and registration and data processing. The Tanzanian DPA has not yet been established.
- South Africa’s DPA published a draft procedure for enforcement that is open to public comment. Last year, the DPA established an enforcement committee to resolve and investigate complaints.
- Benin published its National AI strategy, joining a growing number of African countries that have introduced governance frameworks for AI use.
Sanctions and enforcement
- The Moroccan government began the year by announcing that it is investigating TLSContact for processing and transferring data outside of Morocco without its permission.
- The Angolan DPA fined Africell USD 150k for processing subscribers' data without its authorisation. It fined a commercial bank USD 525k for the unauthorised disclosure of employee data last year.
- In Tunisia, the DPA announced that it is investigating 260 public institutions, while in Nigeria, the DPA is investigating over 100 organisations for law violations.
- The South African DPA referred the National Department of Health to the Enforcement Committee for an investigation for violation of the law during the COVID-19 pandemic.
There were also some noteworthy court decisions.
- A Kenyan High Court has ruled that the right to publicity is an individual's exclusive right to market their image, likeness, or person for financial gain.
- The Johannesburg High Court in South Africa decided that ENSAfrica must pay its clients R5.5 million (approximately 303,154 USD) for causing them to become victims of cyber fraud. through its negligence.
- The Nigerian court fined a digital lending company 5 million naira for unsolicited communication.
International data transfer
- Nigeria's DPA met with US officials to discuss the Cross-Border Privacy Rules, and it also announced that it is considering issuing an adequacy decision on Niger.
- The Kenyan DPA also stated that it will publish guidelines on international data transfer that will include a list of countries it considers to have an adequate data protection framework.
- Other African countries that have published an adequacy list include Nigeria, Botswana, Tunisia, and Morocco.
DPAs regulatory agenda for the year
Some African DPAs have shared their regulatory priorities for the coming year.
- Tunisia is increasing transparency around the publication of notices of enforcement and cracking down on processing carried out without authorisation.
- In Nigeria and South Africa, the emphasis is shifting from education to enforcement.
- Morocco and Angola are focusing on improving service quality and amending their establishment laws.
- In Kenya, the DPA stated that it will be publishing relevant guidance notes and sector-specific regulations, as well as raising awareness.
Cooperation and collaboration
African DPAs are strengthening cooperation and collaboration among each other to improve data protection on the continent.
- The DPAs of Ghana and Rwanda signed a memorandum of understanding to strengthen cooperation. Similarly, Rwanda's National Cyber Security Authority (NCSA) and Mozambique's National Institute of Information and Communications Technologies signed a memorandum of understanding (MoU) on cybersecurity and data protection collaboration.
- A similar agreement was also signed by Angolan and Cape Verdean authorities. In Côte d'Ivoire, the ministerial council approved a draft bill to ratify the African Union Convention on Cybersecurity and Personal Data Protection. To be fully implemented, the Convention requires one more country. Kenya and Uganda have also stated their intention to ratify the instrument. The trend demonstrates the continent's commitment to improving data protection.
- The country declared March 30 as its national day for data protection.
Over the next two months, we expect to see more collaborations, sanctions, and regulatory guidance. Egypt is also expected to issue the executive regulation that will lead to the establishment of its data protection authority. We also anticipate progress with proposed laws in the Democratic Republic of Congo, Nigeria, and Namibia.
Looking to learn more about data protection in Africa? Sign up to get our latest updates