A post-event summary update

Background

On December 17, 2024, Tech Hive Advisory, in collaboration with its partners, hosted an event titled “Roundup on Data Protection in Africa 2024: Projections for 2025.” This event brought together stakeholders to discuss significant developments in 2024, emerging trends, and the challenges shaping the continent’s data protection and AI governance landscapes. This event provided a platform for dialogue on these critical issues and shared projections for 2025. This article discusses the outcome of the event and key insights shared by the speakers and moderators.

Introduction

The year 2024 saw remarkable developments in data protection, including the enactment of new laws, the establishment of new authorities, amendments to existing laws, notable enforcement actions, and a surge in discussions around child online protection, cross-border data transfers, and data subject rights. On the AI governance front, a few countries initiated the development of AI-specific legislation or announced plans to do so. Progress was also made in the development of AI strategies and policies, amending existing laws to address AI-related issues, and increasing activities by data protection authorities (DPAs) in this domain. This article provides an overview of the state of data protection and AI governance in Africa, the trends in 2024, challenges, and projections for 2025 based on the discussion during the event

State of Data Protection and AI Governance in Africa  

The data protection and AI governance landscape in Africa witnessed significant advancements in 2024. On the data protection front, several countries introduced new legislation, amended existing laws, and established or designated their DPAs. Cameroon, Ethiopia, and Malawi enacted new data protection laws, while Botswana amended its law. Meanwhile, Congo, Democratic Republic of Congo, Somalia and Togo established their DPAs, and Tanzania officially launched its DPA.

Across the continent, DPAs issued sector-specific guidelines to facilitate compliance. For example, Kenya’s Office of the Data Protection Commissioner (ODPC) released guidance for various sectors, including the health, educational, and digital lending sectors; while South Africa’s Information Regulator (IR) published a guidance notice on direct marketing.

In enforcement, Kenyan DPA imposed more fines and sanctions, while enforcement notices were issued in Eswatini and South Africa. These efforts are driving compliance across various sectors.  Additionally, the year saw increase in DPAs created awareness programs, which has raised the consciousness of data subjects in enforcing their rights. A significant challenge, however, lies in the accessibility of DPAs for individuals seeking to lodge complaints. Kenya is addressing this by establishing county offices to enhance accessibility and administrative effectiveness.

AI governance gained traction across African countries, with proposals for AI-specific regulations emerging in Egypt, Kenya, Morocco, Nigeria, Uganda, and Zimbabwe. Many countries intensified efforts to develop National AI frameworks. For example, Zambia unveiled its AI strategy, while Nigeria released its draft National AI Strategy. South Africa published its AI Policy Framework, and Kenya commenced development of its national AI strategy, to be published in 2025.

On the regional level, the African Union Continental AI Strategy was adopted by the Executive Council and the draft Revised ECOWAS Supplementary Data Protection Act was published for public comments.

Emerging Trends‍

The year saw several increased discussions on emerging issues. Some of these issues include:

1. Cross-Border Data Transfer  

Cross-border data transfer is increasingly recognised as pivotal to technological growth and economic development. In light of this, data protection laws include mechanisms to facilitate such transfers. Countries are working to improve their transfer mechanisms, which has manifested through plans to amend older laws, seeking adequacy decisions, publication of operational documents, and the inclination towards alternative mechanisms. For example, Uganda announced plans to revise its law to introduce more flexible provisions for international data transfers. Kenya has initiated discussions with the European Commission to secure an adequacy decision—a milestone that, if achieved, could significantly benefit the country. Past attempts by Morocco and Mauritius to achieve adequacy status were unsuccessful. Meanwhile, Rwanda has published a module of its Standard Contractual Clauses (SCCs) to support international data transfers.

African countries are also leaning towards adopting the Global Cross-Border Privacy Rules (CBPR). For instance, Seychelles has incorporated CBPR in its data protection law, while Nigeria recently participated in the Global CBPR Forum in Taiwan. Additionally, the joint statement issued by the United States with Kenya and Nigeria may suggest a move towards compliance with these rules. The compliance with the CBPR could become another international data transfer mechanism in some African countries.

2. Child Online Protection  

Child online protection is being addressed through a different approaches. In Rwanda, a ministerial order outlines the obligations of service providers in this area, while Nigeria’s Communications Commission has released a draft child online safety framework. Additionally, Ghana published a child online protection framework, and Tanzania published its Child Protection Amendment Act. DPAs in Mali and Senegal issued directives on handling children’s data and preserving the safety of the online interaction of children. There are expectations that Botswana will publish detailed guidelines soon. Globally, technology companies are adopting privacy-by-design mechanisms and age verification systems to ensure age-appropriate content on their platforms.

3. Enforcement Actions and Data Subject Rights  

DPAs are increasingly focusing on enforcing data protection laws to safeguard data subjects' rights. This has been achieved partly by raising awareness across sectors to ensure organisations understand their obligations  and increasing the scrutiny on the operationalisation of data protection measures in organisations. The issuance of fines and enforcement notices increased during the year. Notably, in Kenya, the DPA issued a record number of and sanctions during the year. The year also saw a good number of court decisions, whether challenging the decision of a DPA like in Nigeria where parts of the mandatory registration requirements were invalidated, or cases against violation of rights and the law. This is evident in the increasing court actions filed in countries like Kenya, Nigeria, and South Africa.

In Botswana, many organisations are still struggling to understand what will be the threshold for compliance under the new Act, and it is expected that a guidance notice will provide more context for organisations in that regard. With the awareness effort of DPAs, data subjects themselves are becoming more informed about their rights and how to enforce them.

4. Regulatory Approach to Emerging Technologies  

With the proliferation of emerging technologies in Africa, DPAs across Africa are making recourse to the provisions of their data protection laws to address compliance on this front. Of the 40 data protection laws in Africa, about 36 make explicit provision for automated decision making. These provisions ensure that individuals are not subjected solely to automated processing and mandate safeguards such as human oversight, risk mitigation, and avenues for appealing automated decisions. Some countries are turning to public consultation to understand the extent of emerging technologies and their impact, as it is the case in Côte d’Ivoire.

Nigeria's DPA is responding to emerging technologies, through the draft Nigeria Data Protection Act - General Application and Implementation Directive (NDAP-GAID), which includes a provision that requires ensuring the adherence to ethical principles in the use of emerging technologies.

Challenges  

Many African countries continue to grapple with challenges in enforcing data protection laws. Data subjects often struggle to understand their rights in a local context, highlighting the need for greater awareness campaigns. Unfortunately, public awareness efforts remain limited due to resource constraints, particularly in rural areas where knowledge gaps are more pronounced. Inadequate regulatory readiness is another challenge. Many regulators struggle to issue timely regulations and guidance for implementing the law. Budgetary limitations further hinder enforcement efforts, capacity building, and the overall efficiency of someDPAs. It has been reported that countries such as Kenya, Mauritius, Nigeria, and South Africa have concerns about insufficient funding. In addition, inadequate expertise among some regulators and businesses has undermined compliance and enforcement capabilities.

Furthermore, small businesses face unique challenges in complying with data protection laws due to financial constraints. Requirements such as registration, data protection audits, operationalising data subject rights, implementing security measures, and processing international data transfers can be burdensome for small businesses with little funding. However, strategies such as a top-down approach to compliance can mitigate these challenges. Training is a key strategy. For instance, small businesses can appoint internal staff as Data Protection Officers (DPOs) and provide them with relevant training.

In relation to AI governance, challenges are also apparent. The rapid adoption of AI technologies has raised enforcement issues for data protection in AI-driven processing. Regulatory authorities face capacity constraints in addressing AI-related risks and determining appropriate regulatory approaches. A potential solution is leveraging existing laws while designing new regulations, such as the clearing house model, which centralises resources to address concerns.

Future Projections  

AI Governance

The AI governance landscape is expected to advance significantly in 2025, with several anticipated developments:

• Progress on draft AI-specific laws in countries like Egypt, Kenya, Morocco, and Nigeria, and the continent may get its first AI-specific legislation.
• Sector-specific interventions and amendments to existing laws to address AI challenges, such as Egypt’s proposed amendments to its Cybercrimes Law to create liability regimes for AI activities, are expected to happen.
• Publication of AI guidelines by DPAs, with several authorities expressing intentions to issue these guidelines.
• Increased consultations with stakeholders to develop regulatory responses for AI governance, and progress with ongoing efforts  like in Côte d’Ivoire.
• Greater collaboration between data protection and competition authorities to address AI governance challenges.
• Increased legislative advocacy for AI-specific laws to increase, as seen in countries such as Ghana, Kenya, Nigeria, Uganda, and Zimbabwe.

Data Protection

Some of the key data protection trends anticipated for 2025 include:

• Development of industry-specific legislation, particularly in sectors handling significant volume of data, such as education, finance, and health.
• Increased voluntary audits by data controllers and processors to enhance compliance.
• Greater collaboration between regulators to strengthen enforcement.
• Publication of additional regulations and guidance to support data controllers and processors in achieving compliance.
• Increased enforcement actions, particularly in Angola, Kenya, Nigeria, and South Africa.
• Increased instances of investigative powers being invoked by DPAs, including physical inspections of processing activities, as seen in countries like Algeria, Côte d’Ivoire, and Eswatini and recently indicated by the Kenyan DPA as an additional enforcement strategy for 2025.
• Continued awareness and training initiatives by DPAs.
• Child online protection will continue to be a focus area in 2025. More countries are expected to provide policy direction.

Conclusion

The event provided a valuable forum for stakeholders to reflect on the year’s key developments and address emerging challenges. While progress has been made in areas such as legislative development, enforcement actions, and AI governance, significant hurdles remain, including regulatory capacity, public awareness, and resource limitations.

Looking ahead to 2025, there is optimism for more robust frameworks, enhanced enforcement mechanisms, and greater collaboration across stakeholders.

Appreciation Note

We appreciate our esteemed speakers, Lebogang George, Ridwan Oloyede, Cherie Oyier, and our moderators, Victoria Adaramola and Dorcas Tsebee, for the invaluable contributions to the event. We also appreciate our event partners, the Tanzania Privacy Professionals Association (TPPA), Privacy Lens Africa (PLA), Africa Privacy & Legal LLP and the Data Privacy and Governance Society Kenya, for the immense support.

You can watch the event recording here.

‍