Data security and privacy laws develop across Africa
Numerous countries in Africa have developed or implemented data privacy and security laws in the last few years. With the rapid rise in digitisation as a result of the pandemic, the broad implementation of such laws across the continent has never been more urgent. Countries including Ghana, Kenya, Madagascar, Mauritius, Nigeria, Rwanda, South Africa, Togo, Uganda and Zimbabwe have been implementing new measures to protect and secure the personal information of their citizens.
In Ghana, data protection is regulated under the Data Protection Act, 2012 (DPA) together with Article 18(2) of the 1992 Constitution, which provides citizens with a fundamental right to privacy.
Enid Baaba Dadzie, Senior Associate at Kimathi & Partners in Ghana, says that because data protection is a new area in Ghana, there have not been any recent legal developments. "However, we understand that the regulator in Ghana has been discussing this with regulators in other African countries to consolidate and harmonise data protection laws, and adopt standard data protection laws across the continent. This is due to the emerging discussions on data sovereignty, economization and data localization.
"The regulator in Ghana is also pushing data protection certification as an eligibility criterion for running a business in Ghana, as well as being in discussions with key persons in Ghana to set up a separate data/cyber court that can swiftly handle fast growing data breaches and cyber-crime. Further, the regulator previously published names of persons who were not compliant with the DPA in newspapers, and has recently become more aggressive with enforcement of the DPA," she explains.
In 2019, Kenya passed its Data Protection Act (DPA), which is the primary legislation governing the collection and processing of personal data in Kenya.
Sonal Sejpal, Partner at ALN Kenya | Anjarwalla & Khanna, explains that the DPA regulates the processing of personal data, provision of rights of data subjects, creation of the obligations of data controllers, and establishes the Office of the Data Protection Commissioner (ODPC). In addition to the DPA and the DPA Regulations, Kenya has also ratified the International Covenant on Civil and Political Rights (ICCPR).
"Last year, Kenya enacted the Data Protection (Civil Registration) Regulations, 2020 (DPA Regulations), which regulate the processing of personal data by civil registration entities, including the registrars of births, adoptions, persons, marriages and deaths, and entities responsible for issuing passports and any document of identity."
Sonal notes that on 16 November 2020, Kenya appointed its first Data Commissioner who heads the ODPC. Under the guidance of the Commissioner, the ODPC oversees the implementation of the DPA and also ensures that data processors and data controllers comply with their obligations under the DPA.
"Under the DPA, the Data Commissioner is empowered to issue guidelines or codes of practice for data controllers, data processors and data protection officers (DPOs). On 24 February 2021, in line with its mandate, the ODPC published the Guidance Notes on Consent and Data Protection Impact Assessment (Guidance Notes) and the Complaints Management Manual (Complaints Manual). Although the Guidance Notes and the draft Complaints Manual have been published on the ODPC’s website, they did not undergo public participation, which is necessary under Kenyan law," she says.
"Additionally, in January 2022, a set of three data protection regulations were gazetted, and are currently in force. These regulations are the Data Protection (General) Regulations, 2021, the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021, and the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021. These regulations cater for the procedural aspects of the Kenya Data Protection Act, 2019, and cover a wide spectrum, from the transfer of personal data, to how data subjects’ rights should be provided for, what the thresholds and requirements are for the registration of data controllers and data processors, how complaints relating to infringements and contraventions of the DPA will be handled and how enforcement procedures will be undertaken," Sonal notes.
In Madagascar, the privacy of data is mainly governed by the Law No 2014-038 dated January 9 2015, on personal data protection (Malagasy Data Protection Law).
Raphael Jakoba, Managing Partner of MCI Law Firm in Madagascar, explains, "The Law No 2014-006, amended and completed by Law No 2016-031 on the fight against cybercrime, also provides for provisions relating to the obligations and responsibilities of operators and carriers of telecommunications and electronic communication services, as well as specific incriminations for breaches of information systems. Law No 2016-056 also includes provisions relating to the data protection and retention obligations of electronic money institutions. These laws are in force. However, the Malagasy Data Protection Law and the Law No 2014-006 on the fight against cybercrime do not yet have implementing decrees."
Ammar Oozeer, Barrister at Law at BLC Robert & Associates in Mauritius, says that data security and privacy in the country is governed by the Data Protection Act 2017 (DPA 2017) which is aligned with the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).
"In September 2020, Mauritius signed and ratified the Amending Protocol to the Convention for the Protection of Individuals with regard to the Processing of Personal Data," Ammar notes.
The Nigeria Data Protection Regulation 2019 (NDPR) is the principal privacy and data protection legislation in Nigeria.
Ijeoma Uju, Partner at Templars law firm in Nigeria, said, "Apart from the NDPR which was issued by the National Information Technology Development Agency (NITDA) in January 2019, in 2020, NITDA released the NDPR Implementation Framework (NDPRIF) to ensure the effective implementation and enforcement of the NDPR. Most recently in 2021, another significant development has been the Lagos State Data Protection Bill, which seeks to promote the protection of information processed by public and private bodies, and establish minimum requirements for the processing and protection of personal information on a state level."
Emmanuel Muragijimana, Chief Associate at K-Solutions & Partners in Rwanda, explains that in Rwanda, "the draft Law on Data Protection and Privacy 2020 passed through all the parliamentary processes on 12 August 2021 and then underwent translation in the three official languages before submission for presidential assent. The law came into force on 15 October 2021 and is titled Law nº 058/2021 of 13/10/2021 relating to the Protection of Personal Data and Privacy. The agency responsible to enforce compliance is the National Cyber Security Authority (NCSA)."
In South Africa, the Protection of Personal Information Act, 2013 (POPIA) came into force in July 2021.
According to Janet MacKenzie, Partner and Head of the IPTech Practice at Baker McKenzie in Johannesburg, "POPIA promotes the protection of personal information processed by public and private bodies, introduces minimum requirements for the processing of personal information, outlines the rights of data subjects, regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify data breach incidents, and imposes statutory penalties for violations of the law.
"Further, the Cybercrimes and Cybersecurity Act, 2020 was signed into law in June 2021 and came into force on 1 December 2021. It brings the country’s cybersecurity legislation in line with global standards," she notes.
"In October 2021, the Information Regulator requested that public comments be submitted on the Amendment of the Regulations Relating to the Protection of Personal Information, 2018 (Draft Regulations). The Draft Regulations outline the procedure to be followed in certain circumstances contemplated in POPIA," she says.
Kafui Achille Amekoudi, Avocat at AMKA Law Firm in Togo (Cabinet Me AMEKOUDI), notes that since 29 October 2019, Togo has adopted the law N°2019-014 relating to Personal Data Protection. Further, on 30 July 2021, the National Assembly adopted a bill authorising the ratification of the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention).
In Uganda, the Constitution of Uganda, 1995 as amended, the Data Protection and Privacy Act, No. 9 of 2019, and the Data Protection and Privacy Regulations, 2021, govern data privacy and security.
"The Data Protection and Privacy Act, enacted in 2019 (Act), guarantees the protection of privacy of the individual and of personal data by regulating the collection and processing of personal information. The Data Protection and Privacy Regulations, 2021 (Regulations) were published and gazetted in March 2021 by the Minister of Information Communication Technology and National Guidance," explains Arnold Lule Sekiwano, Partner at Engoru, Mutebi Advocates in Uganda.
He notes that the recent passing of enabling Regulations on 12 March 2021 is intended to implement the Act by prescribing the necessary procedural requirements.
Zimbabwe has made significant progress in the past five years in promulgating laws that deal with data privacy and protection.
"The Cyber and Data Protection Act [Chapter 12:07] was promulgated recently in an effort to address the challenges that have arisen due to technological advancements," explains Amalia Manuel, Partner at Atherstone & Cook in Zimbabwe.
Amalia adds, "On 21 September 2021, Cabinet also approved the principles of the Electronic Transaction and Commerce Bill. We have not had sight of the principles and await further developments regarding the enactment of this law."