Newsletter

Bimonthly Update on Privacy in Africa (November - December 2024)

Monday, January 20, 2025

Introduction

As the year wraps up, more notable developments were recorded in the aspect of data protection and AI governance. Cameroon enacted its data protection law, while the parliaments in Nigeria and Zambia are deliberating on bills to amend their data protection and cybersecurity laws, respectively. On AI governance , Cote d'Ivoire is consulting stakeholders on its National AI Strategy.  

Regulatory Updates

  • On December 23, 2024, Cameroon’s parliament passed the Data Protection Bill into law, officially making it the 40th data protection law in Africa. The law aims to regulate the processing of personal data and safeguard the rights of data subjects within the country. The law provides for the establishment of the Personal Data Protection Authority, which will oversee its implementation. All controllers and processors have 18 months from the date of publication to comply with the law.
  • On December 22, 2024, the Ministers of Justice adopted eight draft annexes to the African Continental Free Trade Area (AfCFTA) Protocol on Digital Trade during the 10th Session of the Specialised Technical Committee (STC) on Justice and Legal Affairs. The annexes, which include the one on cross-border data transfer, will be considered for adoption by Heads of State and Government at the AU Summit in February 2025.
  • On December 24, 2024, the East African Community (EAC) Secretariat hosted a Regional Workshop for Data Experts on Cross-Border Data Flows under the Eastern Africa Regional Digital Integration Project (EARDIP). The workshop was a platform to discuss the development of a regional cross-border data exchange mechanism that aligns with international best practices. During the workshop, it was resolved to form a Technical Working Group (TWG), which will develop draft principles for cross-border data flows, oversee a pilot program, and guide the development of the EAC Data Protection and Privacy Act.
  • In Egypt, the Ministry of Communications and Information Technology (MCIT) announced the upcoming launch of the Personal Data Protection Centre. The Centre will focus on safeguarding privacy, ensuring fair treatment of data subjects, and enhancing public awareness of data rights while reinforcing the enforcement of the country’s data protection law.
  • In Nigeria, there is a proposed amendment to the Nigeria Data Protection Act (NDPA). The bill will make it mandatory for social media platforms to establish physical offices in Nigeria and proposes an operational ban for non-compliance. Also, the Nigeria Data Protection Commission (NDPC)  announced that it will begin enforcing violations against the NDPA in 2025.
  • Burkina Faso’s Information Technology and Civil Liberties Commission (CIL) has advanced data protection compliance through key resolutions adopted at its 10th and 11th Ordinary Sessions. At the 10th Session, the CIL  adopted a resolution on Direct Marketing, which seeks to regulate solicitations made to a person or an organisation. During the 11th session, the CIL adopted a resolution on the communication of personal data to third parties, which sets out the conditions and principles that must be adhered to when sharing personal data.
  • Zambia's parliament commenced deliberation on a Cybersecurity Bill, which aims to repeal the Cyber Security and Cyber Crimes Act of 2021. The bill establishes the Zambia Cybersecurity Agency and provides a framework for cybersecurity compliance within the country.
  • There is an increase in the participation of African countries in global data protection and cybersecurity forums. Uganda’s Personal Data Protection Office (PDPO) became a member of the the Global Privacy Assembly (GPA), while Chad’s National Agency for Computer Security and Electronic Certification (ANSICE) officially joined the Global Forum on Cyber Expertise (GFCE). Additionally, Nigeria’s National Data Protection Commission (NDPC) participated in the 2024 Global Cross-Border Privacy Rules (CBPR) Forum.
  • Kenya's Office of the Data Protection Commissioner (ODPC) published the draft Data Protection (Conduct of Compliance Audit) Regulations and Data Sharing Code for public comments. The Regulations provide a framework for conducting data protection audits and accrediting auditors, while the Code provides a framework for responsible and ethical data sharing practices. Likewise, the Digital Health Agency introduced the Digital Health (Health Information Management) Regulations to allow easy access to health data.
  • In South Africa, the  Information Regulator (IR) issued the Guidance Note on Direct Marketing, which aims to provide clarity on compliance with the POPIA when carrying out direct marketing practices. Likewise, the Department of Trade, Industry and Competition (DTIC) published the amendment to the Consumer Protection Act, which aims to promote consumer privacy in direct marketing.

Enforcement actions

  • In Nigeria, the Federal High Court declared certain provisions of the NDPC’s Guidance Notice on the Registration of Data Controllers and Processors of Major Importance (DCPMI) to be null and void for lack of clarity and directed the NDPC to specify entities that do not qualify as DCPMI as contemplated by section 48 of the NDPA. Additionally, the Court of Appeal fined a telecommunications company 15 million naira for breaching a party’s privacy through unsolicited messages and caller tunes. Similarly, a State High Court imposed a fine on a commercial bank for sending unsolicited messages to a customer despite the customer’s explicit objection.
  • The Eswatini Data Protection Authority (EDPA) announced its intention to conduct an audit that will identify entities that have failed to register as data controllers or processors, a requirement under the Data Protection Act.
  • The ODPC continued its enforcement of the Data Protection Act. It issued an enforcement notice against an organisation and its employee for failing to report the unauthorised disclosure of a party's data within the statutory period. It issued an enforcement notice against a digital lending company for violating the data subject’s right to be informed. A ride-hiling company was fined for the unauthorised disclosure of a party’s data and for failing to properly address the data subject’s right request. Likewise, a bank was fined for sending misleading loan statement notifications to a third party, despite the customer’s formal request to remove the third party as an alternate contact. The ODPC also imposed a fine of on three companies in a consolidated complaint for unauthorised data processing, privacy violations, and disregard for an individual’s right to access their employment records.
  • A Kenyan High Court dismissed an action from a company requesting a judicial review of the ODPC’s fine against the company. The ODPC initially fined the company for sending unsolicited messages to three individuals without prior consent. In dismissing the action, the court ruled that the ODPC’s decision qualifies as an administrative decision, which requires the parties to exhaust all existing remedies before filing for a judicial review.
  • The South African Information Regulator issued an enforcement notice against the Department of  Basic Education (DBE) for non-compliance with the POPIA. The notice directs the DBE to stop publishing the 2024 matriculation results in newspapers within 31 days and instead provide them through a secure, POPIA-compliant platform. Going forward, the DBE is required to obtain explicit consent from adult students or guardians for minors and implement a consent management system within 90 days.

AI Governance

  • In Egypt, the House of Representatives commenced deliberation on proposed amendments to the Cybercrime Law to establish a framework for regulating AI-related crimes and civil and criminal liability for the activities of robots. Additionally, the National Council for Artificial Intelligence (NCAI) convened to review the implementation plan of the Egyptian Charter for Responsible AI, the creation of a responsible AI centre and the draft AI law. Also, during the AI and Digital Transformation Summit, the Minister for Communications and Information Technology announced that the country will soon launch the second phase of the National AI Strategy (2025-2030).
  • In Uganda, the Director of E-Government Services at the National Information Technology Authority, Uganda (NITA-U), disclosed the country’s plans to review its Data Privacy and Protection Law 2019 and develop AI-focused legislation, which will include an AI Act, an AI policy, and a comprehensive strategy that will regulate the use of AI to curb the spread of misinformation across digital platforms.
  • On December 13, 2024, the Ministry of Digital Transition and Digitalisation officially presented Côte d’Ivoire’s National Strategy for Artificial Intelligence (AI) and Data Governance to partners and stakeholders for deliberation. The strategy aims to harness AI for socio-economic development through a collaborative approach involving key stakeholders from both the public and private sectors.

Conclusion

In the coming months, we anticipate progress on pending bills in the parliaments in Nigeria and Zambia. We also anticipate more enforcement actions and completion of draft regulations.

 

 

Who we are
About us
Privacy Notice
Contact
Services
Privacy and Data Protection
Startup Advisory
Cybersecurity
Regulatory Intelligence
Research and Public Policy
Resources
Insights
Reports
Training
Tech Hive Advisory Africa

We are a technology policy advisory and research firm focusing on the intersection of law, business, and technology.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Copyright ©2025 Tech Hive Advisory Africa