Introduction

The past two months have been significant for data protection in Africa. The period saw Algeria’s data protection law go into force, and Seychelles called for public comments on its draft data protection law, Namibia concluded public consultation on its draft data protection law and a series of enforcement actions and collaborations among DPAs. Here are some notable updates:

Regulatory updates

• In Seychelles, The Department of Information and Communications Technology (DICT) sought feedback from the public on the draft data protection bill, which aims to replace the current Data Protection Act that was enacted in 2003. The bill is currently in the "whitepaper" stage.
• Algeria’s data protection law officially comes into force. The National Personal Data Protection Authority (ANPDP) announced the coming into force of the law on August 10, 2023. The personal data protection law was enacted in June 2018 and provided for a one-year period from the date of the establishment of the data protection authority for data controllers to become compliant.
• The government of Madagascar has expressed its intention to finally establish its data protection authority. In July, a meeting was convened with representatives from the Association of Francophone Data Protection Authorities (AFAPDP) to this effect. Despite enacting its data protection law in 2015, Madagascar is still one of the countries in Africa with a data protection law, but without a data protection authority.
• In Namibia, the Ministry of Information and Communication Technology (MICT) concluded consultations on the draft data protection bill, which commenced last year when the law was published. Following the consultations, the MICT held a two-day validation workshop to deliberate on the inputs and feedback from stakeholders gathered through extensive consultations nationwide. After successful validation, the bill will proceed to the Cabinet Committee on Legislation for review before being presented in Parliament.
• In Kenya, the Office of the Data Protection Commissioner (ODPC) commenced stakeholder engagements on the draft guidance notes for the processing of personal data in various sectors, including communications, health, education, and digital credit providers. The ODPC initiated the stakeholder engagement to gain valuable input and suggestions from stakeholders in the relevant sectors on the draft guidance notes.
• The government of Tanzania published the Companies (Retention and Disposal of Company Documents) Regulations, 2023. These regulations require organisations to adhere to specific timeframes for retaining some types of data in line with the Personal Data Protection Act.

Sanctions and enforcement

• In Uganda, the Personal Data Protection Office (PDPO) concluded investigations into the security breach at Uganda Securities Exchange (USE) and its partner, Soft Edge Uganda Limited, which began last year. The Office recommended actions be taken by the companies within three months of issuance.
• In Côte d’Ivoire, the Personal Data Protection Authority (ARTCI) published formal notices and warnings that were issued to about six companies in June for non-compliance with the data protection law. These companies were given 60 days to align their processing activities with the law. Additionally, earlier in the month, ARTCI cautioned the public about certain digital lending app companies due to potential risks to personal data and privacy. These app companies were given 10 days from the notice’s publication to comply with the law.
• In Nigeria, the United Bank for Africa (UBA) was fined 6 million Naira by the Federal High Court for opening and operating an account in a customer's name without authorisation. The court ruled that this act violates the banker-customer relationship and the individual's right to privacy. Additionally, the Federal High Court ruled in favour of the Economic and Financial Crimes Commission (EFCC) in a case presented by a non-governmental organisation, Ikigai Innovation Initiative, regarding the "Eagle Eye" mobile application, stating that the app's societal objective outweighs individual privacy concerns since it does not collect identifying information. Ikigai had sued to challenge the use of tracking technologies disclosing personal data to advertisers and for the absence of a privacy notice describing the processing activities on the app.
• Last month, South Africa’s Information Regulator issued an infringement notice to the Department of Justice and Constitutional Development (DoJ&CD), ordering it to pay an administrative fine of R5 million following its failure to comply with the enforcement notice issued in May. The Regulator issued the enforcement notice following the finding of the contravention of various sections of the Protection of Personal Information Act (POPIA) by the DoJ&CD. In addition, on August 31, 2023, the Information Regulator issued an enforcement notice to Dis-Chem  Pharmacies Ltd. (Dis-Chem) following a finding of contravention of various sections of the Protection of Personal Information Act (POPIA). The company has 31 days to comply with the Regulator’s orders or risk an infringement notice.
• Following concerns about the unlawful processing activities of Worldcoin in Kenya, the government suspended its operations pending investigations. The National Assembly members questioned the National Data Protection Commissioner (ODPC) for registering Worldcoin as a data processor without due diligence, although this is not within its scope of work. Nevertheless, the National Assembly has set up a committee to investigate the operations of Worldcoin. The Committee invites the public to submit memoranda on the terms of reference for the investigation.
• The Enforcement Unit of the Data Protection Commission (DPC) in Ghana announced it has begun enforcing important provisions of the Data Protection Act across the country.

Collaboration and Cooperation

• The Moroccan National Commission for the Protection of Personal Data (CNDP), in collaboration with 11 other global data protection authorities, has jointly issued a letter to global technology companies. This communication shines light on the privacy risks of data scraping and emphasises  the need to safeguard personal data from such practices.
• The High Authority for the Protection of Personal Data (HAPDP) of Niger joined the "Koun3labal" platform of the National Commission for the Control of Personal Data Protection (CNDP) to raise privacy awareness among children and others in Africa.
• In July, the Personal Data Protection Commission (CDP) of Sénégal  and the Personal Data Protection Authority of Mauritania signed a cooperation agreement to exchange knowledge about data protection.

Other updates

• Senegal's National Data Strategy, which was developed by the Ministry of Communication, Telecommunications, and Digital Economy (MCTEN) in partnership with Smart Africa and GIZ, has officially received validation. The strategy emphasises privacy protection, transparency, fairness, and security and is aligned with Senegal's existing data protection regulatory framework. Similarly, Nigeria has officially unveiled its National Data Strategy to boost economic growth, innovation, and inclusivity while prioritising ethical and responsible data usage, protection, and privacy. In addition, Nigeria recently disclosed its plans to develop a National AI Strategy to consolidate the effort of the National Information Technology Development Agency  (NITDA) to co-create a National AI Policy.
• Uganda’s Personal Data Protection Office (PDPO) announced its plans to initiate investigations into the operations of mobile money operators following public complaints regarding the misuse of data. It has been noted that lending companies collect a lot of personal data from borrowers’ phones, which is misused for different purposes, including harassing and blackmailing borrowers and third parties.  
• In Kenya, the ODPC has published a data protection handbook that simplifies compliance obligations for data controllers and processors. The handbook also acts as an awareness tool for data subjects to better understand their rights and the available legal framework to protect their personal data.
• In Nigeria, the Data Protection Commission (NDPC) has mandated all organisations processing personal data to appoint a data protection officer and register with the Commission within six months of the commencement of the Nigeria Data Protection Act. During a sensitisation workshop organised by the Commission, it was disclosed that a registration guideline and online portal for registration will be launched soon, as well as a certification body for privacy professionals in Nigeria. In addition, the Commission has disclosed its intention to develop an implementation framework for the Act and will inaugurate a working committee.

Conclusion

Across Africa, data protection initiatives are gaining traction; by the end of the year, we foresee the establishment of Madagascar's data protection authority, notable advancements in the Seychelles data protection amendment bill, Egypt unveiling its executive regulations for their data protection law, fresh updates on Djibouti's Digital Code, Nigeria introducing registration guidelines for data protection, Rwanda's data protection law becoming operative in October, the enactment of Namibia's data protection law, and imminent sanctions for non-compliant firms in Uganda, Côte d'Ivoire, and South Africa, all reflecting the continent's steadfast commitment to bolstering data protection.

‍