Overview of data protection laws in Africa


 By  Aissatou Sylla , Senior Associate,  Hogan Lovells  Paris and  Alex Ford-Cox, Associate, London

Data protection law has been gaining ground in Africa over the past 20 years. Today, out of 54 countries, 25 have passed data protection laws, the latest countries being Uganda, Nigeria and Egypt. Other countries have introduced data protection bills which are under discussion or waiting to be on the legislative agenda.

Regional legislative framework

On a regional level, some measures have been taken to encourage and support the enactment of data protection laws:

  • In 2010, the Economic Community of West African States (ECOWAS) adopted a Supplementary Act on Personal Data Protection followed, a year later, by a Supplementary Act on Cybercrime. So far, two thirds of the ECOWAS member states have passed data protection laws, except Togo, the Gambia, Guinea Bissau, Sierra Leone and Liberia.
  • In 2013, the Southern African Development Community (SADC) published a Model Data Protection Act. Since then, only two countries have enacted data protection laws. Counting the five SADC member states which already had privacy laws in place, seven out of 16 member states have a data protection legal framework today.
  • In 2014, the African Union adopted the Convention on Cyber Security and Personal Data Protection (the Malabo Convention). It is a comprehensive document covering electronic transactions, privacy and cybersecurity. To date, the Malabo Convention has been signed by 14 states and ratified by five countries out of 55 member states (Western Sahara being part of the African Union).

Common features in the laws

Despite the regional organisations’ efforts, the overall legislative framework is not harmonised.

However, some common trends can be found.

For example, in most countries, the consent of the data subject is the default condition for data processing and no references are made to the notion of legitimate interest as a legal basis. Another example is that most statutes have provided for the establishment of a data protection authority reporting to the telecommunications or ICT regulator.

This is not the case in Nigeria where the ICT regulator is directly in charge of data protection.

A final example of similar features is the data controllers’ obligation to notify the regulator of any data processing activities and to seek from the regulator an authorisation to transfer personal data to third countries with a two month maximum processing time.

Some more recent and GDPR-inspired laws, such as the Benin Digital Code and the Nigerian Data Protection Regulation have opted for a more flexible approach, insisting on internal governance, data mapping, audits or the appointment of a data protection officer and not systematically imposing systematic notifications to the regulator.

Need for a harmonised legal framework?

Harmonising the data protection statutory and regulatory framework in Africa is still on the agenda of regional organisations and some states.

In addition to protecting citizens’ privacy, having a harmonised or, at best, a uniform framework is seen as an opportunity to promote the continent’s development by allowing free flow of data within Africa, encouraging data transfers from other continents to Africa and thus boosting the use of African-based datacentres, outsourcing services, blockchain technology, e-government and fintech services.

Some African organisations and countries have also expressed their intent to end the situation of ‘digital colonisation’ which they view as the consequence of having the most politically and strategically sensitive data, such as classified documents, hosted on non-African servers.

To tackle this issue, discussions are being held around data localisation on a continental level to reach data sovereignty.

Privacy and data protection is still a hot topic in Africa and another wave of legislation is to be expected in the next two years.

However, compliance with the existing laws remains a challenge for small to medium businesses, which are not always aware of their legal obligations or which consider that it would be more costly to abide by the privacy rules than to be sanctioned for breach.

Records published by the data protection authorities show that the vast majority of organisations complying with the notification and approval processes with the regulators are multinational businesses headquartered in Europe or America, public services and local giants in banking and telecommunications.

This article first appeared on Hogan Lovells Engage in October 2019.