Introduction
The African data protection landscape saw remarkable progress in 2024, as highlighted during our end-of-year event. By December 2024, 40 countries had enacted data protection laws, and new data protection authorities (DPAs) were established or designated in some countries. As we entered 2025, the momentum continued, with more countries advancing AI governance efforts at national and regional levels.
Here are some notable updates in the first two months of the year:
Regulatory update
- Botswana’s Data Protection Act 2024 officially went into force on January 14, 2025. The Act repeals and amends the 2021 Act. It expands the provisions of the old Act by introducing new obligations on data controllers and processors operating in, targeting, or monitoring individuals in Botswana.
- On January 28, 2025, the Malawi Communications Regulatory Authority (MACRA) was officially launched as the country’s Data Protection Authority, as designated by the Data Protection Act. Although MACRA was already operational, its official launch as the DPA marked the beginning of a new enforcement era for the Act.
- On February 16, 2025, the African Union Assembly of Heads of States and Governments adopted the eight annexes to the African Continental Free Trade Area (AfCFTA) Protocol on Digital Trade. This follows the previous adoption of the annexes by the Minister of Justice in December 2024. This milestone officially establishes a clear framework for digital trade across Africa and opens up the protocol for member state ratification.
- In Chad, the National Agency for Information Security and Electronic Certification (ANSICE) participated in the 22nd ITU Council Working Group meeting on Child Online Protection (CWG-COP) in Geneva from February 10-21, 2024, where the agency engaged in strategic discussions on enhancing cybersecurity for children and developing a national child online protection strategy.
- In Zimbabwe, the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) published the Cyber and Data Protection Guideline on Licensing of Data Controllers. The guideline aims to guide data controllers on obtaining a license with POTRAZ and specifies the requirements for the process, in line with the provisions of the Cyber and Data Protection Act. Last year, the authority published draft guidelines on licensing data controllers and DPOs. It is unclear if the new guidelines replace last year's draft.
- On February 20, 2025, Uganda's Personal Data Protection Office (PDPO), in partnership with the Financial Sector Deepening (FSD) Uganda, launched a Data Protection and Privacy Toolkit to support compliance with the Data Protection and Privacy Act. The toolkit contains practical tools, templates, and step-by-step guidance on the assessment of data protection practices for organisations.
- On February 7, 2025, MACRA officially launched the Child Online Protection Initiative, which aims to raise awareness about the risks and challenges children face in the digital world and promote safer internet practices for young people. During the launch, the Minister of Information and Digitalisation mentioned that the ministry is developing regulations that will ensure that children are protected from cyberbullying and online exploitation. Similarly, South Africa's Information Regulator (IR) joined 10 other data protection authorities worldwide in signing a joint statement on a common international approach to age assurance. More countries in the region are leaning towards developing a framework for the protection of children, as observed in Ghana, Nigeria, and Tanzania.
- On January 10, 2025, Rwanda formalised its accession to the Budapest Convention on Cybercrime and its Additional Protocol, making it the 78th country to accede to the convention. The accession follows reforms initiated by Rwanda’s Ministry of ICT, with support from the Council of Europe’s GLACY-e project, to align domestic laws with international standards. With this, Rwanda joins other African countries, like Mauritius, Morocco, Senegal, South Africa, and Tunisia, that have acceded to the convention.
Enforcement action
- In Kenya, the Employment and Labour Relations Court ruled that using information obtained from a company-issued device during disciplinary proceedings does not constitute a violation of employee privacy. Similarly, a Kenyan High Court dismissed a petition challenging the use of a data subject's image without consent, ruling that the data subject should have exhausted all available remedies, including filing the case before the DPA, before bringing the case to court. Meanwhile, Kenya's Office of the Data Protection Commissioner (ODPC) fined a company for retaining a data subject's personal data for marketing purposes despite the data subject’s request for erasure. Also, the ODPC fined and issued an enforcement notice against a company for unlawfully processing a data subject’s data for unauthorised purposes.
- In Uganda, the Ministry of Education banned public publication of students’ examination results and photos, citing violations of data protection and privacy laws and the practice's negative impact. In collaboration with the Data Protection and Privacy Office, the Ministry has now directed schools and examination bodies to devise private and secure ways to communicate results while ensuring compliance with the Data Protection and Privacy Act. However, the court took a different approach to a somewhat similar issue in South Africa, where it decided that the publication of the results of students in the specific context did not constitute a violation of privacy, even though the Information Regulator had a contrary opinion about the impact on the students' privacy.
- South Africa's Information Regulator, in partnership with other law enforcement agencies, announced the investigation of a potential data breach involving the unauthorised sale of the 2024 school leavers examination results in South Africa. The investigation was initiated following several reports that a website was selling examination results. The outcome of the investigation is still anticipated.
AI Governance
- In Kenya, the Ministry of Information, Communications and the Digital Economy (MoICT) published Kenya’s draft National AI Strategy for public comment. The draft strategy aims to provide a framework for responsible AI development and deployment in Kenya. Among other things, it proposes the development of a data governance framework to guide responsible data sharing for AI development and the development of a policy framework for AI and emerging technologies with due consideration for AI systems that align with Kenya’s national values and global standards. The final version of the strategy is anticipated in the coming months. Similarly, Kenya launched its guiding principles for AI in February 2025, calling on stakeholders to implement ethical AI principles in AI development and deployment.
- Zambia officially published its National AI Strategy for 2024-2027, which was launched in October 2024. The strategy aligns with Zambia's 8th National Development Plan, emphasising principles such as ethical and responsible AI, data protection and security, and governance, among others.
- In Egypt, the National Council for AI published the second edition of the country's National AI Strategy 2025-2030, which builds on the initiative of the first National AI Strategy. It focuses on six pillars, including governance and data, proposing the development of an AI law, the establishment of a data governance framework and a data security framework, the issuance of a detailed guideline for Egypt's AI charter on ethics and responsible AI, as well as the establishment of a centre for responsible AI. Additionally, Egypt launched the Code of Ethics for the Use and Development of AI, which outlines Egypt’s national framework for the ethical development and deployment of AI.
- From February 10–11, 2025, some African countries participated in the AI Action Summit in France where several resolutions were made. At the Summit, some African countries joined in signing the Statement on Inclusive and Sustainable AI for People and the Planet. To advance the Statement’s priorities, founding members, including Kenya, Nigeria, and Morocco, launched a Public-interest AI Platform and Incubator. They also signed the Charter of Paris for the General Interest of AI and supported the launch of the Current AI partnership for public-good AI, while Kenya and Morocco supported the launch of the Coalition for Environmentally Sustainable AI. Additionally, Senegal and Togo participated in the Paris Peace Forum's Global Coalition to Safeguard Children in the Age of AI.
- Congo's Minister of Posts, Telecommunications and Digital Economy met with the Chief Digital Officer at the United Nations Development Program (UNDP) to advance discussion on the development of a national AI strategy, following an earlier discussion on the need to develop an AI strategy. The discussion indicated that the Terms of Reference for the strategy have been validated with support from the UNDP’s Congo Office. Similarly, Zimbabwe reaffirmed its commitment to ethical AI development, with its Cabinet directing the creation of a National AI Strategy, which will be informed by the AI Readiness Assessment Methodology (RAM) workshop. Finally, in Cameroon, a local law firm has been selected to collaborate with the Ministry of Posts and Telecommunications in developing the country’s national AI strategy.
- Smart Africa, an alliance of 40 African countries, launched the African AI Council, which aims to position Africa as a key player in the global AI economy. The Council, which consists of 15 members, aims to formulate policies, stimulate innovation, and create an environment conducive to AI-driven growth. The Council will be unveiled in April and will submit its one-year strategic plan in July 2025.
- In Morocco, the House of Representatives is reviewing the draft law introduced by the opposition Haraki group last year to regulate AI. Spanning 17 articles, the proposed legislation aims to provide a comprehensive regulatory framework for AI in Morocco, with the goal to balance AI risks with benefits.
Partnership
- From February 18-19, 2025, some African countries participated in the second meeting of the Heads of Data Protection Authorities of the Organisation of Islamic Cooperation (OIC) in Morocco. The meeting builds on the organisation’s first meeting in June 2024, which resulted in the development of a charter for the creation of the Islamic Network of Personal Data Protection Authorities (RIAPDP). The discussion at the meeting focused on the network’s operating procedures. Also, the President of Morocco’s National Commission of Data Protection (CNDP) was appointed the President of the RIAPDP.
Conclusion
In the coming months, we anticipate more action in the area of child online protection following the launch of several initiatives, the publication of Kenya's national AI Strategy, updates on ongoing investigations in South Africa, more enforcement actions, and progress with the discussions on AI governance across the continent. We also expect to see an increase in the participation of African countries in international forums.