Introduction

Over the past two months, more African countries achieved significant milestones in Artificial Intelligence (AI) governance and data protection regulation. Mauritania published its National AI Strategy, while Nigeria and South Africa released their draft National AI Strategy and Policy Framework respectively, and the African Union adopted the African Continental AI Strategy. Ethiopia enacted its data protection law, which has come into force, and Botswana’s Parliament commenced deliberations on its data protection bill. Some notable updates are discussed below:

Regulatory Updates

• The Ethiopia Data Protection Act has officially come into force following its publication in the Federal Negarit Gazette on July 24, 2024. The Act designates the Ethiopian Communications Authority as the regulatory authority, provides for extraterritorial application, data localisation, and prohibits the transfer of sensitive personal data outside Ethiopia without prior approval. It also provides for the obligations of data controllers, including registration, appointing a Data Protection Officer (DPO), conducting Data Protection Impact Assessments (DPIA), and maintaining a record of processing activities, among others.
• On July 26, 2024, Botswana published its Data Protection Bill, which seeks to repeal the existing Data Protection Act that was expected to become effective in October 2024. The Bill, which has progressed to the committee stage in parliament, introduces significant amendments to the Act, including clarifying the independence and powers of the Information and Data Protection Commission, extending the Act's extraterritorial application, providing additional rights for data subjects, and requiring the appointment of an in-country representative where the data controller is established outside Botswana, among other changes.
• Benin’s Authority for the Protection of Personal Data (APDP) published a decision on the certification of Data Protection Officers (DPO) by the authority. The decision requires DPOs to have specialised skills in data protection practice and training in information technology. It outlines the required documentation for DPO certification. Upon taking a certification exam prepared by the APDP, candidates will be issued a certificate, which is renewable every two years. 
• On July 29, 2024, Cote d’Ivoire finalised its accession to the Budapest Convention on Cybercrime, concluding a process that started on June 30, 2022. The Budapest Convention aims to enhance international cooperation and mutual assistance in investigations, data access, and retention. Under the convention, member states are required to establish a national contact point for facilitating technical advice, data retention, evidence collection, and coordinating its actions with other government services.

Enforcement and Sanctions

• Data subject rights remain a priority in the region. The Tanzania High Court has upheld a trial court’s decision and awarded compensation to a data subject for the unauthorised publication of his video footage for commercial purposes. 
• Similarly, the Kenyan Office of the Data Protection Commissioner (ODPC) has issued several fines following observed violations of the law. It fined a ride-hailing company for violating the complainant’s access and rectification rights under the Data Protection Act and for failing to fulfil its obligations as a data controller.  Likewise, in another complaint, the ODPC awarded compensation in favour of a complainant whose photograph was used for commercial purposes without explicit consent. However, the ODPC has refused compensation regarding the use of a publicly available image of a minor whose identity was blurred out, holding that privacy was not violated. Furthermore, a pharmacy was fined for unauthorised disclosure of medical diagnosis to a non-medical personnel.  The ODPC decided that the pharmacy's action violates the provisions of the Act that require the processing of medical data only by healthcare personnel and individuals bound by professional secrecy. Finally, the ODPC fined a loan company and recommended its directors for prosecution for obstructing the ODPC’s scheduled investigation into the company’s practices, which amounts to obstruction of justice.
• In Angola, the data protection authority fined two organisations about 110,000 USD for failing to implement appropriate technical and organisational measures to protect the personal data of customers and employees against cyberattacks. 
• In a suit challenging the jurisdiction of a Scottish Court to decide on employment matters relating to Kenyan employees, the Employment and Labour Relations Court in Kenya ruled that disclosing Kenyan employees' medical data as evidence before a foreign court amounts to international transfer of sensitive data, which requires prior authorisation of the ODPC and proof of appropriate measures to ensure data security.
• The Nigerian Data Protection Commission (NDPC) fined a commercial bank N555,800,000 fine for processing data through cookies and a mobile application in violation of the Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act (NDPA). However, the bank has disputed the allegation of non-compliance, emphasising that its internal investigation contradicts the NDPC’s findings and took necessary actions to address the Commission's concerns. 

Partnerships and Collaborations 

• Nigeria’s Ministry of Communications, Innovation and Digital Economy and the United States Department of Commerce have issued a joint statement on harnessing AI, facilitating data flows and enhancing digital upskilling. The partnership focuses on three main areas, including data protection, cross-border data transfers, and AI and digital upskilling. Regarding data protection, the parties intend to collaborate with the Nigeria Data Protection Commission (NDPC) to promote best practices and facilitate cross-border data flows. The parties will also work together to develop AI governance policies.  
• On July 17, 2024, a delegation from the Benin Personal Data Protection Authority (APDP) visited the Moroccan National Commission for the Control of Personal Data Protection (CNDP) to exchange experiences and expertise, review their earlier agreement of 2022, and consider areas of future partnership.
• On August 22, 2024, delegates from Somalia’s Data Protection Authority visited the Turkish Personal Data Protection Authority (KVKK) to discuss a possible collaboration between the two authorities. The meeting served as an avenue to discuss the foundations of data protection, share best practices, and explore potential areas of collaboration between the two authorities. The authority also partnered with a private organisation to build capacity for its staff.

AI Governance 

• South Africa’s Department of Communications and Digital Technologies has published the draft National AI Policy Framework, laying the foundation for developing a national AI policy for the country. The framework aims to guide the responsible and ethical development, deployment and use of AI across all sectors to propel economic growth. 
• Mauritania published the National AI Strategy 2025-2029. The strategy aims to position the country and focuses on key priorities, including developing human resources, fostering research and innovation, promoting regional and international cooperation, ensuring effective data governance, developing relevant technical infrastructure and advocating the ethical use of technology through adopting policies that are compliant with data protection, intellectual property and enhancing cooperation.
• The Zambian Minister of Technology and Science announced that the National AI Strategy will be launched on October 24, 2024, the country's independence day. The Zambian government developed the Strategy in collaboration with the Finnish government and the Tony Blair Institute, and it is expected to drive economic growth and efficiency across all sectors of the country. Meanwhile, Nigeria released the draft version of its National AI Strategy, which stakeholders and AI experts developed in April 2024. The Strategy focuses on five key pillars, which include infrastructure development, building and sustaining a world-class AI ecosystem, accelerating AI adoption and sector transformation, developing an AI governance framework and ensuring responsible and ethical development of AI. To ensure responsible and ethical AI development, the Strategy proposes creating a National AI Ethics Commission, developing ethics principles, and developing an AI ethics assessment framework. 
• On the continental level, the African Union Executive Council endorsed the Continental AI Strategy and African Digital Compact, published on August 9, 2024. The Continental AI Strategy calls for unified national approaches among AU Member States to navigate the complexities of AI-driven change, aiming to strengthen regional and global cooperation and position Africa as a leader in inclusive and responsible AI development. The Digital Compact aims to harness the transformative power of digital technologies to drive sustainable development, foster innovation, and ensure digital inclusivity across Africa. The Compact is committed to building a digitally empowered Africa where technology fuels economic growth, societal well-being, and a prosperous future for everyone.

Conclusion 

In the months ahead, we anticipate progress with  Botswana’s data protection bill, publication of Zambia’s AI Strategy, finalisation of Nigeria’s draft AI Strategy and progress with AI Strategy developments in Kenya and Tanzania. Additionally, we expect more enforcement actions from data protection authorities in Kenya, South Africa, Uganda and Nigeria. We anticipate that African countries will commence efforts to implement the AU AI Strategy and that more countries will publish their AI strategies following the strategy’s recommendations for member states.

‍