Operationalising Cameroon's Data Protection Law: A Review of Key Provisions and Impacts

Read up on a comprehensive report of Cameroon's Data Protection Law. Learn more about the law's key provisions and impacts.

Contributors: Dorcas Tsebee, Precious Nwadike, Victoria Adaramola and Ridwan Oloyede

Introduction

In December 2024, Cameroon's Parliament officially gazetted its Data Protection Law ("the Law"). The enactment of the Law concludes a process that commenced in 2023 and resumed with the deliberation of the data protection bill in May 2024. The Law establishes a comprehensive legal framework for the processing of personal data in the country. It creates rights for data subjects and introduces robust accountability mechanisms. A key aspect of the Law is the creation of a Personal Data Protection Authority ("the Authority") to oversee compliance and issue the regulations necessary for its implementation. This review highlights the key provisions of the Law and provides an operationalisation roadmap for data controllers and processors during the 18-month transition period.

Scope of application – Articles 2 & 3

The Law governs the processing of personal data within Cameroon. Unlike some other data protection laws, it has no extraterritorial application: processing carried out by data controllers and processors established outside the country, even where it concerns the data of data subjects in Cameroon, falls outside its scope. The Law also applies in any territory where Cameroonian law applies. The Law does not apply to the processing of personal data for solely personal and household activities, for literary, artistic and journalistic purposes, or for archival purposes in the public interest.

Establishment of the Personal Data Protection Authority - Article 53

The Law provides for the creation of the Data Protection Authority ('the Authority') to oversee its implementation. The Authority will play a pivotal role in operationalising the law by issuing regulations, publishing adequacy decisions for international data transfers, and enforcing overall compliance. Its establishment will be formalised through a presidential decree.

Principles of processing - Articles 6-13 & 15

The Law emphasises fundamental processing principles such as respect for privacy, lawfulness, fairness, purpose limitation, accuracy, storage limitation, confidentiality, and security. The controller and processor must also ensure non-fraudulent processing of personal data.

Processing of minors' personal data - Articles 9 & 19(2)

The Law provides protections for minors (individuals under 18 years). Where consent is the lawful basis, processing their data requires parental or guardian consent. Processing of data for offering services to minors must be adequate, relevant, and limited to what is necessary for that purpose. Legal representatives may object to any processing carried out without consent. Additionally, the prior authorisation of the Authority must be obtained to process the sensitive data of a minor.

Information provision to the data subject - Articles 14 & 21

The Law places an obligation on data controllers to provide comprehensive information to data subjects regarding processing activities. The information must include the purpose of processing, third-party recipients, the rights of the data subject, the retention period, and the post-mortem treatment guidelines. This is expected to be done through a privacy notice and other transparency documents.

Prior authorisation of processing – Article 19

The Law mandates that personal data processing be subject to prior authorisation by the Authority. The detailed procedure for obtaining this authorisation will be outlined in future regulations issued by the Authority. One example under the Law is the processing of the sensitive data of minors.

Data security - Articles 22(2) & 27

The Law requires data controllers and processors to implement relevant technical and organisational measures to ensure the security of personal data. These measures include access management, data backups, third-party verification, and the prevention of unauthorised access to personal data. Furthermore, controllers are required to submit annual reports on the implementation of these measures, based on a reference framework to be issued by the Authority.

Breach notification - Article 22

The Law requires both data controllers and processors to notify the Authority and affected data subjects in the event of a data breach. Unlike many other data protection laws that place this obligation solely on the data controller, the Law holds processors equally accountable. Additionally, the Law does not distinguish between levels of risk (for example, high risk versus any risk) as the threshold that triggers notification, which may lead to uncertainty.

Retention periods - Article 28

The Law emphasises compliance with maximum retention periods for personal data, which will be specified in the reference framework to be developed by the Authority. Organisations are expected to align their retention schedules with these timelines.

Record of Processing Activities (RoPA) - Article 29

The Law mandates data controllers and processors to maintain a detailed record of processing activities, either in digital or physical form. The RoPA should indicate the name and contact details of the entity, the purpose of processing, the categories of the recipients of the data, and documents attesting to the existence of relevant safeguards or the authorisation number for the processing.

Data processing agreements - Articles 16, 30 and 31

Controllers must execute contracts with processors that guarantee appropriate measures for complying with the Law. These agreements must set out details such as the categories of data subjects, the types of data processed, and the rights and obligations of the parties. Additionally, joint controllers are required to execute contracts governing their shared responsibilities.

International data transfer - Article 32

Cross-border transfers of personal data are subject to prior authorisation by the Authority. In deciding whether to grant such authorisation, the Authority is expected to consider, in conjunction with the relevant authorities, whether the recipient country has an adequate level of protection and whether a prior contract has been executed with the destination country.

Data Protection Impact Assessment (DPIA) - Article 33

Where processing is likely to result in high risk to the data subject, the data controller is required to conduct a DPIA. The conditions and procedure for carrying out a DPIA are to be specified by the Authority in a subsequent regulation.

Rights of data subjects - Articles 23, 37-44, 46

The Law provides several rights for data subjects, including the right to access, rectification, erasure, data portability, and the ability to object to or restrict processing. It also includes protections against solely automated processing and profiling and post-mortem rights for beneficiaries to update a deceased person’s data under specific conditions. The timeline and procedure for responding to data subject rights requests will be set by regulation.

Post-mortem privacy rights – Article 45

The Law requires the cessation of processing a deceased data subject's data once their death is confirmed. However, processing may continue if required by a legal obligation, for the defence of a legal claim against the controller, or in accordance with the deceased's specific post-mortem instructions. To exercise the rights of a deceased data subject, beneficiaries are allowed to request updates to the deceased’s information, with the associated costs borne by the data controller.

Certification mechanism - Articles 34 & 35

The Authority is empowered to create a certification mechanism to validate compliance with the Law. Additionally, the procedures for monitoring and controlling compliance with the Law by controllers and processors shall be laid down by regulation.

Prohibited processing activities - Articles 48-51

The Law imposes several prohibitions on data processing to ensure privacy and compliance. It prohibits the processing of sensitive personal data, including information about religious, philosophical, political, or trade union opinions and activities, as well as data on racial or ethnic origin, linguistic or regional background, sex life, genetics, health, and biometrics. Processing financial data without authorisation from the competent authorities is also prohibited, subject to relevant legal conditions. Additionally, it prohibits processing without prior consent from the data subject or authorisation from the Authority. Processing is further prohibited if the Authority has ordered deletion or if it conflicts with public order, interests, or morality.

Sanctions - Articles 54-71

The Law imposes both civil and criminal liability for non-compliance, ensuring accountability. Non-compliance may attract a fine of up to 100,000,000 CFA (approximately 156,865 USD) or a term of imprisonment of up to 10 years.

To ensure compliance with the provisions of the Law before the transition period ends in June 2026, data controllers and processors must take the following actionable steps.

  • Obtain authorisation to process data: Data controllers and processors must seek prior authorisation from the Authority before processing personal data. This ensures compliance with the legal framework. While the Authority will publish the procedure for obtaining authorisations, data controllers and processors must document their processing activities as part of preparations for the application.
  • Develop a functional consent mechanism: The Law appears to elevate consent as the sole lawful basis; however, this does not diminish data protection obligations created under other laws, which continue to apply as legal obligations. Data controllers and processors need to create clear and accessible consent mechanisms that ensure data subjects provide informed, specific, and voluntary consent for data processing. This includes maintaining a system to record consent and providing users with a simple and effective way to withdraw their consent. Controllers must ensure transparency in how consent is obtained and provide detailed information on how data will be used.
  • Implement safeguards for processing children's data: Data controllers and processors must take additional precautions when processing data related to minors (children under 18 years), including obtaining consent from parents or guardians and verifying the identity of the guardian or parent. Processing must be limited to what is necessary for the specific service offered to the minor. Implementing age verification systems and clear parental consent mechanisms is crucial to safeguard children's data.
  • Implement security measures: Data controllers and processors are required to adopt appropriate technical and organisational measures to protect personal data, such as encryption, access control, regular security assessments, and monitoring. Organisations must assess their current security frameworks, implement necessary improvements, and ensure they are ready to submit annual reports on the state of their security measures to the Authority, as required by the Law.
  • Conduct a data mapping exercise: Organisations should conduct a comprehensive data mapping exercise to document all personal data processing activities, including their purposes, sources, categories of data and data subjects, safeguards in place, and any authorisations obtained. This mapping will help organisations develop a RoPA, as mandated by the Law.
  • Seek authorisation for international data transfers: Any international transfer of personal data must be authorised by the Authority. Therefore, organisations intending to transfer personal data outside Cameroon must obtain prior authorisation.
  • Conduct Data Protection Impact Assessments (DPIAs): For processing activities that may pose high risks to data subjects' rights and freedoms, a DPIA must be conducted. DPIAs should be carried out before processing begins. Further guidance on the activities that may trigger a DPIA will be published by the Authority.
  • Adopt a vendor due diligence procedure: Data controllers must implement a due diligence procedure for assessing and ensuring that third-party processors comply with data protection obligations. This includes executing data processing agreements that document the obligations of both parties, outlining safeguards, and ensuring processors follow appropriate data protection measures. It is crucial that controllers verify the data protection practices of all processors before engagement.
  • Adopt a procedure for data breach notification: Data controllers and processors must implement clear procedures for notifying the Authority and affected data subjects in case of a data breach. The Law requires immediate notification of any breach, regardless of its severity. Organisations should set up a breach response plan that includes a clear protocol for reporting breaches within a reasonable time, ensuring that both the Authority and data subjects are informed in a timely manner.
  • Operationalise data subject rights: Data controllers must ensure that data subjects can easily exercise their rights under the Law. Organisations should create systems that streamline these requests, ensuring that responses are made within the required timelines and that all requests are processed in accordance with legal obligations.

While the Law establishes robust safeguards for personal data, some of its provisions may pose significant compliance challenges for organisations. The reliance on the Authority for multiple authorisations and implementing regulations could delay the operationalisation of compliance. Further, the creation of the Authority depends on a presidential decree, which may stall the issuance of implementing guidelines and authorisations if the Authority is not created swiftly. Furthermore, the extensive prohibitions on processing sensitive data and financial data may hinder innovation and impose operational difficulties on industries reliant on such data, such as the health and financial sectors. Finally, the Law seems to elevate consent above other lawful bases for processing, such as contract, legal obligation and legitimate interest, which are more suitable in certain situations where consent is not ideal. This would create operationalisation challenges, but it would not invalidate specific provisions of other laws that create legal obligations, such as anti-money laundering and counter-terrorism law.

Conclusion

While the Law provides a comprehensive framework for data protection in Cameroon, its successful implementation depends on the upcoming guidelines and regulations from the Authority. These include the procedure for authorisations, the reference framework for technical and organisational security measures, the conditions for conducting DPIAs, the procedures for authorising international data transfers and the adequacy list, and the timelines and process for handling data subject requests, among others. These regulations will provide further clarity on compliance obligations and help organisations align their practices with the Law's requirements before the end of the 18-month transition period.