Newsletter

Bimonthly Update on Privacy in Africa - 6 (November and December 2023)

Introduction

The past two months saw significant development as the year closed. Malawi passed a data protection Bill, which is currently awaiting presidential assent. Ethiopia called for public comments on its data protection Bill, while Mauritius published a draft guide on protecting personal data in the financial sector. Here are some notable updates: 

Regulatory updates

  • After receiving approval during the 25th regular session of the Council of Ministers, Ethiopia's first Personal Data Protection Bill has been released for public comment. The bill will establish a data protection commission and define obligations for data controllers and processors.
  • On November 28, 2023, the Eswatini Data Protection Authority (EDPA) published guidelines on appointing Data Protection Officers (DPO). These guidelines mandate data controllers and processors to appoint qualified, independent DPOs and require DPO registration with the EDPA.
  • On December 7, 2023, the Parliament of Malawi passed the Data Protection Bill. The bill seeks to regulate personal data processing in line with global principles and mandates the registration of significant data controllers and processors, mirroring India’s and Nigeria's provisions. Currently, the bill is awaiting the president's assent.
  • The Mauritius Data Protection Office has published a draft guide on the protection of personal data in the financial sector. The guide outlines best practices and provides insights on data protection for institutions in the financial sector and will be launched in January 2024.
  • On November 17, 2023, the Nigeria Data Protection Commission (NDPC) issued a guidance notice on data protection compliance audit returns. On December 12, the commission launched its Data Protection Strategic Roadmap and Action Plan (NDP-SRAP) for 2023-2027. In addition, the CEO of the NDPC introduced a Code of Conduct for Data Protection Compliance Organisations (DPCOs), signalling an upcoming implementation drive. The commission also announced its readiness to launch a registration portal and publish an implementation directive for the Act in January 2024.
  • The Republic of Tanzania has appointed members to the Personal Data Protection Commission Board following the recent appointment of the board’s chairman and vice-chairman.

Sanctions and enforcement

  • On December 20, 2023, the Data Protection Agency (APD) in Angola disclosed that eleven (11) companies are under scrutiny for potential violations of data protection laws. The ongoing investigations will determine whether a fine will be imposed.
  • The data protection authority in Cote d’Ivoire issued a warning to a clinic for violations of the data protection law, instructing it to comply within 60 days of receipt of the notice. On a related note, it also published the outcome of its investigation into the ride-hailing company Yango LL.C., directing the deactivation of the phone conversation recording feature and deletion of customer audio recordings. The authority also published decisions approving personal data processing by eleven other companies.
  • In Kenya, the High Court has decided that unauthorised surveillance of a spouse's private conversations violates the right to privacy, contradicting the constitution. The court recognises each individual is independent with guaranteed rights and freedoms. Additionally, the High Court suspended the implementation of new digital IDs, urging the government to refrain from registering individuals or issuing Maisha Namba Cards due to the lack of a data protection impact assessment required by the Data Protection Act. The case is scheduled for mention before the court.
  • The Office of the Data Protection Commissioner (ODPC) in Kenya announced it is investigating 38 digital money lenders following over 700 complaints about unethical practices during the year. The commissioner has emphasised the need for digital money lenders to obtain the ODPC's data protection registration certificate to be licensed by the Central Bank of Kenya. 
  • The Federal High Court in Nigeria invalidated the Adequacy Whitelist under the Nigeria Data Protection Regulation Implementation Framework, criticising the inclusion of countries lacking proper data protection mechanisms. It also declared invalid the inclusion of standard contractual clauses and binding corporate rules as a transfer mechanism when it was not initially contained under the Nigeria Data Protection Regulation (NDPR). The court further directed the regulator to reassess the list. 

Other updates

  • At the AI safety summit hosted by the UK government, Kenya, Nigeria, and Rwanda signed the Bletchley Declaration, endorsing the responsible use of artificial intelligence. 
  • The Ghana Data Protection Commission (DPC) issued an end-of-year statement emphasising the significance of registering with the commission, renewing registration licenses, and displaying certificates for registered data controllers. The Cyber Security Authority (CSA) also reminded cybersecurity providers, establishments, and professionals that the deadline for licensing and accreditation is December 31, 2023.
  • The Malawi Communications Regulatory Authority (MACRA) is leading the review of the Electronic Transactions and Cybersecurity Act to address enforcement challenges and align it with international standards. As part of this effort, MACRA has introduced the draft Cybercrimes Bill and invited public comments until December 4, 2023. 
  • On November 22, 2023, the Control of Usage of Artificial Intelligence Technology in Nigeria Bill was introduced at the House of Representatives for its first reading. This bill aims to regulate AI use, following a similar bill introduced in October titled the National AI and Robotics Sciences Bill, which has reached the second reading stage.
  • The South African National Assembly passed an amendment to the Regulation of Interception of Communication and Provision of Communication-Related Information Amendment Bill (RICA Bill). The original bill was deemed unconstitutional due to insufficient privacy safeguards. The amendment introduces stringent measures to manage data obtained through communication interception legally and seeks to strengthen protections for privacy rights.

Conclusion

Looking ahead to 2024, we anticipate a focus on AI regulation, increased enforcement by DPAs, the creation of new authorities, and other significant strides in shaping data protection as a cornerstone of Africa's digital socio-economic development.