Newsletter

Bimonthly Update on Privacy in Africa (May - June 2024)

Introduction

In the past two months, significant developments have occurred in the regulation and enforcement of data protection across Africa. Malawi’s data protection law came into force, the draft implementation directive for Nigeria’s Data Protection Act was published, and South Africa published its guidance note on the processing of voters’ data. Regarding AI, the AU continental AI strategy was endorsed, Cameroon and Tanzania are drafting their national AI strategies, and a bill to regulate AI has been submitted to Morocco’s parliament. 

Regulatory updates

  • Malawi’s Data Protection Act officially went into force on June 3, 2024. The Act aims to regulate the processing of personal data by data controllers and processors based in Malawi, processing data in Malawi, or targeting individuals in Malawi for online activities or offerings, regardless of the location. The Act designated the Malawi Communication Regulatory Authority (MACRA) as the data protection authority. The Act provides for the registration of controllers and processors of significant importance, rights of data subjects, the principles of processing, data breach notification, measures for securing data, lawful bases for processing sensitive personal data, and the requirement to submit a Data Protection Impact Assessment report to MACRA prior to processing. MACRA has also published a Personal Data Protection Handbook, which further explains compliance obligations under the Act.
  • In Kenya, the Cabinet Secretary, Ministry of Information, Communications, and the Digital Economy, has disclosed that Kenya has commenced discussions with the European Union (EU) and the United Arab Emirates (UAE) for an adequacy decision to facilitate the free flow of data between the countries.
  • The Nigerian Data Protection Commission (NDPC) has published the General Implementation and Application Directive (GAID), which will guide the practical implementation of the Nigeria Data Protection Act. The GAID introduced new obligations, such as conducting semi-annual data protection audits, expanding the scope of the NDPA, and broader scope triggers for Data Protection Impact Assessments (DPIAs), among others. Following the publication, the NDPC held a validation workshop to gather input from stakeholders on the draft.
  • The African Union (AU) published its Child Online Safety (COS) and Empowerment Policy, which aims to implement children's existing rights in the digital environment and minimise risks to the use of ICTs to harness their benefits. The policy provides a framework for national policymakers and regulators across Africa to ensure that ICT providers respect children’s rights and equip stakeholders with the right skills to ensure children’s safety.
  • The Information Regulator (IR) in South Africa has published a guidance note on processing voters’ personal information and countering misinformation and disinformation during elections. The guidance note aims to guide political parties and independent candidates on the scope, applicability and compliance measures for the Protection of Personal Information Act (POPIA) and to ensure the free flow of accurate information during elections.
  • On May 1, 2024, the Information Regulator in South Africa (IR) launched an eServices portal, which provides tools and resources for compliance with the Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA). The portal can be used to verify compliance status, register information officers, report security compromises, and submit PAIA annual reports.
  • On May 22, 2024, Togo’s National Cybersecurity Agency (ANCY) announced the publication of its National Cybersecurity Strategy 2024-2028, which details Togo's objectives, priorities, and actions to strengthen digital security and make the country a regional leader in cybersecurity.

Sanctions and Enforcement 

  • Côte d’Ivoire's Data Protection Authority (ARTCI) warned organisations against disproportionately processing employees' biometric data for attendance in violation of data protection law. Similarly, the Personal Data Protection Commission in Tanzania has also issued a warning to all organisations that use surveillance systems on their premises to ensure compliance with data protection laws and regulations.  
  • The Federal High Court of Nigeria (FHC) has upheld the Central Bank of Nigeria's (CBN) regulation directing financial institutions to collect their customers' social media handles as part of their Know-Your-Customer (KYC) obligations, noting that social media handles are public and the regulation does not violate the right to privacy. In another lawsuit, the FHC ruled that using a customer's personal data to open a domiciliary account without consent is a violation of the customer’s right as a data subject and awarded 7.5 million naira in damages.
  • The Council of Ministers in Benin Republic adopted a draft decree establishing fees for all declarative formalities submitted to the Personal Data Protection Authority (APDP). Hence, all entities will be required to pay a fee for all processing declarations, certification applications, and approvals submitted to the APDP.
  • In Kenya, the Office of the Data Protection Commissioner (ODPC) has ruled that a claim for violation of data subject rights will not succeed where the data subject failed to exercise the right directly with the data controller before filing a complaint with the ODPC and that employers must seek further consent from former employees before processing their data after terminating employment. 
  • The Kenyan High Court has ordered a review of the ODPC decision, citing noncompliance with the Data Protection Act. The ODPC failed to provide the statutory 21-day period for the applicant to respond to a complaint, which led to judgment being made against them. 
  • The Senegalese Personal Data Protection Commission (CDP) announced that it did not authorise the ‘Sama Casier Judiciaire,’ a website that claims to facilitate the filing and withdrawal of criminal records within 48 hours. The CDP has noted that it is still awaiting additional documentation from the site's operators to ensure compliance with the data protection law.
  • The Tanzania High Court has ruled that certain provisions of the data protection law are vague and problematic, particularly the sections that provide for “unlawful means” and consent in data processing. The court directed that the sections be amended within a year; otherwise, the provisions would be removed from the law.

Partnerships and collaborations 

  • On June 6, 2024, member states of the Organisation of Islamic Cooperation (OIC), consisting of data protection authorities from Algeria, Mali, Morocco, and others, met to discuss cooperation on data protection within their respective states through the sharing of knowledge and technical expertise in the field of data protection.
  • On June 25, 2024, the Data Protection Authorities of Angola, Brazil, Cape Verde, Portugal, and São Tomé and Príncipe signed the Lisbon Declaration to enhance cooperation and establish the Lusophone Data Protection Network (RLPD). The declaration aims to strengthen parties' ability to protect citizens' interests, rights and freedoms.
  • On June 19, 2024, the data protection authorities of Eswatini and South Africa signed a Memorandum of Understanding (MoU) on data protection. The MoU aims to enhance the regulation and protection of personal data across borders and establish a framework for information sharing and collaboration in areas of mutual interest. 
  • The ninth Network of African Data Protection Authorities (NADPA-RAPDP) Annual General Meeting (AGM) and two-day conference was held in Kenya in May 2024. The event provided African data protection authorities and stakeholders with a platform to formulate strategies to promote regional data governance for Africa’s digital transformation. The NDPC has been nominated to host the 10th edition of the event in 2025. 

AI governance

  • African ICT and Communications Ministers have adopted the Continental Artificial Intelligence (AI) Strategy and African Digital Compact to accelerate Africa’s digital transformation, which are in line with the African Union's Digital Transformation Strategy (2020-2030) and Agenda 2063. The Strategy provides a roadmap for African countries to harness AI’s benefits for sustainable development across multiple sectors. The Compact represents Africa’s commitment to digital transformation as a catalyst for inclusive progress and sustainable development. Both documents will be submitted to the African Union Executive Council in July 2024 for consideration and adoption. On a separate note, earlier in the year, the African Union Development Agency (AUDA-NEPAD) also unveiled a draft Whitepaper and a Roadmap towards the continent's comprehensive AI strategy to foster the regulation and responsible adoption of AI across Africa.
  • The Ministry of Posts and Telecommunications in Cameroon held the first national consultation on artificial intelligence to engage stakeholders in the country’s national AI strategy. Similarly, Tanzania’s Ministry of Information, Communication, and Information Technology is drafting a National AI Strategy and Guidelines to ensure that AI is appropriately leveraged for the country's growth and to maximise the benefits of an AI-driven world. In Morocco, a parliamentary opposition group submitted a bill to regulate AI and address its negative aspects and illegal uses. The bill proposes creating a National Agency for Artificial Intelligence and updating a national AI strategy in line with global developments in the field. At the same time, there is advocacy in South Africa for AI regulation, and there are plans to form an AI Expert Advisory Council to guide the formulation and execution of AI-related policies. Kenya held a stakeholder workshop in May on the development of its National AI and Emerging Technologies Strategy.
  • The AUDA-NEPAD published a whitepaper on AI and the future of work in Africa, which was developed in collaboration with various stakeholders across Africa. The whitepaper analyses key areas such as AI’s impact on macroeconomics, jobs, skills and labour, African workers’ perspectives on generative AI, and Africa-centric AI tools and platforms.
  • The Eastern Africa sub-regional forum on AI, which was held from June 23 to June 24, 2024, addressed AI challenges and opportunities, launching Kenya’s AI Readiness Assessment report as a blueprint for regional development. The forum ended with the adoption of the Nairobi Statement on AI and Emerging Technologies in Eastern Africa, which includes recommendations to develop knowledge, facilitate policy dialogues, strengthen capacities, and expand infrastructure. This marks a significant step towards harnessing AI for sustainable development in Eastern Africa.

Conclusion 

In the coming months, we anticipate that Tanzania will commence the review of its data protection law, more data subjects’ rights enforcement, increased partnerships among countries and a progress report on the adequacy decision between Kenya and the EU. We also look forward to the adoption of the  AU’s Continental AI Strategy and Digital Compact and to receiving updates on the national AI strategies in Nigeria and Tanzania. The outcome of the separate work by AUDA-NEPAD towards the development of a comprehensive AI strategy for the continent is also anticipated.