Introduction

The African data protection landscape witnessed significant developments in 2023. This has been exhaustively discussed in our Roundup on Data Protection in Africa Report for 2023. At the end of the year, 37 countries had data protection laws, and 29 had established or designated a data protection authority (DPA) to enforce these laws. 

The new year began with renewed enthusiasm for the enforcement of data protection laws by DPAs in the region, stressing the need for compliance with the laws. Here are some notable updates in the first two months of the year:

Regulatory updates

• Following the law’s coming into force in 2023, Somalia's Data Protection Authority (DPA) published comprehensive guidance on the Act and implementation guidelines to aid organisations in complying with it. Additionally, the DPA published an ADR procedure for data protection disputes for its complaint resolution mechanism. The DPA was officially launched in February 2024.
• As the year began, data controllers were reminded of their annual obligations. The DPAs in Côte d'Ivoire and Uganda issued notifications to all data controllers, reminding them to submit their annual compliance reports to the respective DPAs by March 31 and March 20, 2024, respectively. Similarly, in Nigeria, the filing of annual compliance audit reports commenced following the publication of a guidance notice last year, and the NDPC directed all data controllers and processors of major importance to register before June 31, 2024. Meanwhile, countries like Kenya, Rwanda, and Uganda continued to remind data controllers and processors to register with the respective DPAs.
• After its public consultation on the proposed registration guidelines last year, the Eswatini Data Protection Authority released final guidelines for registering data controllers and processors, similar to Nigeria’s new guidance notice on registration, with deadlines for September 30, 2024, and June 30, 2024, respectively. 
• Following the conclusion of engagements on the draft guidance notes for different sectors last year, Kenya’s Office of the Data Protection Commissioner (ODPC) released guidance notes for the education, communication, digital credit providers, and health sectors to aid comprehension and compliance with data protection laws by these sectors. 
• Rwanda’s Data Protection and Privacy Office (DPPO) released guidelines covering several key areas, such as Data Protection Impact Assessments (DPIAs), the appointment of Data Protection Officers (DPOs), the process for lodging complaints, and application forms for authorisation to transfer and store personal data outside Rwanda. These guidelines provide detailed instructions on each topic and offer guidance on compliance with the data protection law.

International commitments

• Benin and Nigeria made significant progress with international commitments this year. The parliament in Benin has approved the ratification of the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), adopted in 2014, to address various issues relating to data security and protection on the African continent. Similarly, Nigeria finally signed the Convention.
• During the 37th African Union Assembly Summit, 45 member states of the African Union voted to adopt the African Continental Free Trade Area Agreement (AfCFTA) Protocol on Digital Trade, which aims to foster a favourable environment for digital commerce across Africa. The Protocol addresses a wide range of digital trade issues, including emerging technology, data protection and privacy, online safety and security, and data governance, among others.

Investigations, sanctions and enforcement

• DPAs commenced assessments of compliance with the data protection laws by entities processing personal data.  South Africa’s Information Regulator assessed compliance with the data protection law in the banking sector. Similarly, Algeria also announced the commencement of its first assessment of compliance in a province.
• In Nigeria, the NDPC announced the investigation of 17 violations across various sectors, including finance, technology, education, consulting, lottery, gaming services, and logistics. The Commission disclosed that it received over 1,000 complaints of data infractions and has verified 50 cases. Earlier this year, the NDPC announced the investigation of some companies for potential violations of the NDPA. The outcome of these investigations is anticipated in the following months.
• South Africa’s Information Regulator issued its first enforcement notice to an organisation for sending unsolicited direct marketing messages to a data subject without consent. The organisation has been ordered to cease sending such messages immediately, obtain consent appropriately, and comply with specified directives within 90 days. The Regulator also restated its intention to release a notice on direct marketing and unsolicited emails.

Partnerships

• Morocco’s National Commission for the Control of Personal Data Protection (CNDP) and the Commission for Access to Information Rights (CDAI), along with the School of Economic Warfare-Campus of Rabat (EGE), signed a convention on the Regulation of Ethical Use of Technologies (REUT). The convention aims to develop approaches to tackling deep fakes and fake news that could undermine respect for privacy and transparency, particularly on the internet and social networks

Other updates

• The ODPC in Kenya will host the Annual General Meeting and Conference of the Network of African Data Protection Authorities (NADPA) in Nairobi from May 7 to 9, 2024. 
• On January 19, 2024, the Tanzania Board of the Personal Data Protection Commission was officially inaugurated.
• Egypt held a roundtable discussion regarding its proposed AI Act, which aims to be inclusive and reflect the country's aspirations. The discussion involved AI experts committed to producing a groundbreaking Act that meets the country's needs. 
• The National Assembly of Zimbabwe has proposed the establishment of a committee to steer the country towards the positive use of artificial intelligence (AI). This proposal is based on AI's trend and significance in the fourth industrial revolution and its potential to influence economic development and digital economies worldwide.
• The African Union Development Agency (AUDA-NEPAD) unveiled a draft Whitepaper and a Roadmap for the continent's comprehensive AI strategy. The strategy aims to foster the regulation and responsible adoption of Artificial Intelligence (AI) across Africa.

Conclusion

Over the next two months, we anticipate increased regulatory guidance, law enactment and enforcement, and a heightened focus on AI regulations. We look forward to the outcome of investigations in Uganda, South Africa, and Nigeria and expect full-scale operations from DPAs in Somalia and Tanzania. 

Catch up on our 2023 roundup on data protection in Africa events in French and English.