Newsletter

Bimonthly Update on Privacy in Africa (March and April, 2023)

The last two months have been eventful, with interesting developments on the continent.  Here are some noteworthy updates:

Regulatory updates

  • The Nigeria Data Protection Bill has been passed by the Nigerian Senate after its third reading. The version before the House of Representatives is also expected to go through a similar expedited process. It is anticipated that the president will sign it prior to the end of the current administration on May 29, 2023. The law will now formally establish the data protection authority.
  • The Egyptian government  was expected to issue the executive regulation to implement the data protection law in April 2023. However, this has not been done. In a similar development, a parliamentarian recently filed a briefing request addressed to the Minister of Communications and Information Technology regarding the sale of personal data of subscribers by telecom companies, the delay in issuing the executive regulations, and formally establishing the data protection authority (DPA). The misuse of data that gave  rise to the complaint in the telecommunications sector has been attributed to the absence of a DPA.
  • The National Assembly of the Democratic Republic of the Congo has finally approved the Digital Code, which contains its own data protection law like that of the Republic of Benin. Consequently, the DRC has become the 36th African country with a data protection law. One of the innovations in the new digital code is the mandatory requirement of data localisation for the country.
  • In Djibouti, the Council of Ministers has approved the Digital Code. The Code still requires the approval of the National Assembly to become law, after which Djibouti will join Benin and the DRC as countries whose data protection laws are contained in a digital code. In addition, the approval will bring the number of African countries with a data protection law to 37.
  • In Namibia, the Executive Director of the Ministry of Information and Communications Technology (MICT)  reiterated the government’s commitment towards the enactment of the data protection legislation, which the Ministry of ICT is currently consulting on.
  • The Senegalese government has approved the implementation of the country's first national data strategy to oversee and manage data use.  Last year, Nigeria also launched its national data strategy.
  • In Tanzania, the government issued a notice for the commencement of the Personal Information Protection Act 2023. The new law became effective on May 1, 2023. Although the data protection authority is yet to be established, it is expected that it will be established soon to oversee the enforcement of the law.

Anticipation of the Malabo Convention

  • In the last few months, Cote d'Ivoire, the Democratic Republic of the Congo, and the Gambia have all ratified the Convention, bringing the total number of ratifications to 16, which is above the 15 required for the Convention to finally come into force. It is anticipated that the convention will become effective later in the year. The Convention is expected to strengthen collaboration and the harmonisation of laws on the continent.

International data transfers

  • The National Commissioner of the Nigeria Data Protection Bureau (NDPB) attended the Cross Border Privacy Rules Forum (CBPR) in London, bringing together government officials, regulators, and other privacy experts to discuss global cross-border data transfer issues. With this visit and the discussion with US officials last year on the CBPR, Nigeria may be considering adopting Global Cross Border Privacy Rules for international data transfer.

Sanctions and enforcement

  • In Kenya, the Office of the Data Protection Commissioner (ODPC) issued two penalty notices to Whitepath Company Limited and Regus Kenya for failing to comply with the ODPC's enforcement notice and respond to notifications of complaint and enforcement notice, respectively. The companies have been ordered to pay the sum of five million Kenyan shillings (approximately $37,369) each. Ecological Industries Limited was also issued a notice of enforcement for refusing to cooperate with multiple notifications of complaints against them for unlawfully using a data subject's personal photographs.
  • In Mali, the Personal Data Protection Authority (APDP) has expressed concern over the misuse of social media platforms like TikTok by minors and women. It reminds the public that fundamental rights such as privacy must be respected when using social media platforms. The APDP's concern reflects a regional concern, as a complaint was recently filed against TiTok before the Senegalese DPA to challenge the storage of personal data on foreign servers, contrary to the data protection law.
  • In South Africa, the Information Regulator has concluded its investigation and issued an enforcement notice against the South African Police Services (SAPS) for unlawful disclosure of personal data about a data subject who was a victim of sexual assault on social media. Following the enforcement notice, the SAPS was ordered to immediately notify the affected data subjects of the breach, conduct an internal investigation, and train staff on the provisions of the Protection of Personal Information Act.

Cooperation and collaboration

  • Mauritius and South Africa's DPAs signed a cooperation agreement to collaborate on areas of mutual interest. Similarly, the Beninoise and the Nigerien DPAs signed a cooperation agreement to improve data protection between the two countries. Although there is no evidence to demonstrate the impact of these collaborations yet, their prevalence indicates the willingness of the DPAs to explore their international cooperation mechanisms.

Other updates

  • In Tunisia, the National Authority for the Protection of Personal Data (INPDP) issued a notice informing the public that the authority's decision could be appealed to the Court of Appeal in Tunis.
  • The Data Protection Office of Rwanda has announced that organisations intending to process personal data should register with it to comply with the Personal Data Protection and Privacy Law before the end of the transitional period on October 15, 2023. Similarly, the Ugandan DPA has also reminded controllers and processors to register with it.

Conclusion

In the last two months, we saw DPAs working together, more countries enforcing their data protection laws, and others pushing for their laws to be enacted. In Nigeria, we expect the data protection law to be passed before the end of the legislative cycle in June, and the Malabo Convention, which has received more than the required number of ratifications, may become effective soon. Finally, we anticipate the enactment of the law in Namibia and Djibouti, the establishment of the Tanzanian DPA, and increased sanctions and enforcement in the coming months.