Newsletter

Bimonthly Update on Privacy in Africa - 3 (May and June, 2023)

Introduction

The last two months have been captivating, with riveting developments in data protection across various African countries. The last two months saw data protection laws in Nigeria, Tanzania, and the DRC come into force; a public consultation was launched on Cameroon's draft data protection law; Tanzania established its data protection authority; and there were sanctions issued. Here are some important updates:

Regulatory updates

  • The Nigerian President recently signed the Nigerian Data Protection Bill, 2023, into law. The law established the Nigeria Data Protection Commission (NDPC) to replace the Nigeria Data Protection Bureau (NDPB) as the data protection authority in Nigeria.
  • In Tanzania, the Personal Data Protection Act became effective on May 1, 2023, and the government also published an English version of the law in addition to the publicly available Swahili version. Earlier, the government released the final versions of its regulations on complaint handling and collecting and processing personal data. The regulations guide data subjects, controllers, and processors through the complaint resolution and registration processes. Finally, the data protection authority was formally established to oversee the implementation of the Act.
  • In Cameroon, the Ministry of Posts and Telecommunications launched a public consultation for the revision of the texts of the draft laws in the sector, including the draft law on the protection of personal data in Cameroon and the draft decree implementing the law on the protection of personal data in Cameroon, among other laws. Consequently, the Ministry has also officially published the draft law for public access. 
  • In the Democratic Republic of Congo, the Ministry of Digital officially presented the Digital Code, which contains the country's data protection law. According to the Minister, the law lays the foundation for regulating the digital sector in the DRC, including its application to digital activities and services and protecting computer systems against malicious acts in cyberspace, among others. 
  • In Rwanda, the Data Protection and Privacy Office published a guidance note on personal data inventory tools and a readiness assessment checklist that will assist organisations in mapping the personal data they hold and process to ensure that suitable measures are adopted to protect the data. 

 The Malabo Convention finally comes into force 

  • The African Union Convention on Cyber Security and Personal Data Protection (the "Malabo Convention") has finally come into force following the recent ratification from Mauritania on May 9, 2023, thereby bringing the total number of ratifications to the required 15. Earlier, the Gambia and the DRC announced their ratifications, but their instruments of ratification have yet to be deposited with the African Union. The coming into force of the Convention will strengthen data protection in Africa as it mandates member states to enact comprehensive data protection laws and establish data protection authorities to enforce the law. The Convention will also allow African data protection authorities to deepen collaboration on the continent.

International data transfer

  • Kenya's Data Commissioner was part of a high-level delegation to the European Union (EU), which featured engagements with different stakeholders, including the Directorate-General for Justice and Consumers of the European Commission (DG JUST), where the parties discussed the possibility of Kenya and the EU adopting a mutual adequacy decision since their respective data protection laws are similar and provide for this option. Similarly, Kenya is the only African country listed for priority adequacy consideration by the United Kingdom and recently received an adequacy decision from Botswana.

.

Sanctions and enforcement

  • In South Africa, the Information Regulator issued an enforcement notice to the Department of Justice and Constitutional Development for contravention of various provisions of the Personal Information Act (POPIA) by failing to establish and maintain appropriate safeguards against the risks identified and to regularly verify and update the security safeguards against malware threats, which led to unauthorised access to the network. In addition, earlier in the year, the Information Regulator issued an enforcement notice against the South African Police Service (SAPS) and ordered it to tender a public apology to data breach victims, conduct internal investigations, and train staff. Consequently, the SAPS tendered a public apology to the victims in May.
  • In Côte d'Ivoire, the Data Protection Authority (DPA) has disclosed that it is investigating reports published on social networks relating to alleged news about the recording of communications of users of the ride-hailing application, "Yango," without the prior authorisation of the persons concerned. The DPA has promised to notify the public when the investigation is concluded.
  • In Kenya, the High Court made a determination on its jurisdiction and the role of the Office of the Data Protection Commissioner (OPDC). The court ruled that the role of the ODPC under the Data Protection Act includes receiving and investigating complaints from data subjects over any violation of their privacy rights and that, based on the doctrine of exhaustion, the court will not have jurisdiction over an alleged violation of privacy rights where the complaint has not been before the ODPC. Again, in May 2023, following an appeal from the decision of the ODPC that the applicants were not data subjects and that the documents in question were public documents that contained no personal information,  the High Court of Kenya issued a decision ordering the ODPC to conduct a fresh investigation within 30 days, among other things. Consequently, the ODPC commenced fresh investigations and concluded them in June. In its decision, the ODPC reiterated that the complainants were not data subjects within the meaning of the Data Protection Act and therefore were not entitled to a remedy for breach of privacy rights. In addition, the evidence provided was insufficient to support a privacy violation claim.
  • In Nigeria, the new DPA, the Nigeria Data Protection Commission (NDPC), disclosed that it is investigating some commercial banks and other entities for alleged data breaches. It also added that it is currently investigating over 400 complaints in the digital lending sector. In a similar development, following the issue of the CBN Customer Due Diligence Regulations 2023, the NDPC has said that the directive on the collection of customer’s social media handles by commercial banks as part of enhanced customer due diligence is illegal

Collaboration and Cooperation 

  • The continent keeps witnessing interesting collaborations between DPAs to strengthen the understanding of data protection and adopt best practices. Earlier in the month, the DPA of Angola signed partnership agreements with the DPAs of  Morocco and  São Tomé and Principe to promote data protection awareness and address key privacy issues in their respective countries. The Kenyan DPA hosted the DPAs from Nigeria and Tanzania, who visited to benchmark its operational framework. Kenya also discussed ways to strengthen its existing partnership with the European Union during a stakeholder engagement. 

Other updates

  • In Algeria, Cape Verde, and Cote d'Ivoire, the countries celebrated the 5th, 8th, and 10th anniversaries of the enactment of their laws, respectively. The celebration allowed the data protection authorities to create awareness about data protection in the country. The events also signal the importance attributed to data protection laws by these countries and could inspire countries without a law to become intentional about data protection.

Conclusion

Ultimately, we anticipate enacting laws on personal data protection in Cameroon, Djibouti, Namibia, and Egypt, issuing the executive regulation to implement the data protection law, and more cooperation between the authorities.