I. Global Companies Have Identified Africa as One of the Areas of Growth
Recent developments in the region reflect that global companies should be focusing attention on data protection developments in Africa. Tech companies, consumer packaged goods manufacturers, and retailers have focused on Africa as a growth market for their products and services as user adoption in the United States and European Union has flattened.1 As a result, and in the wake of the European Union’s General Data Protection Regulation (“GDPR”), many African countries have heeded the call for data protection laws. Africa is now the largest region with countries that have some sort of data protection law.
And doing business in Africa means the collection of personal information, which increasingly, as in the rest of the world, is becoming regulated. While recent attention in data protection has focused on the United States, the European Union, the Asia-Pacific region, and Latin America, focus now needs to be directed toward the African continent, which is becoming a burgeoning hotspot for data protection laws and enforcement.
II. At Least 33 Countries in Africa Have Data Protection Laws
While the recent activity in 2022 is important, it reflects an overall trend. As of the end of 2021, at least 33 African countries have adopted comprehensive data protection laws in the wake of the EU’s adoption of the GDPR.2 This represents over 60 percent of the countries in the second-largest continent in the world (with some 1.3 billion residents). The increased attention to data in Africa has also been accelerated by the COVID-19 pandemic. For example, South Africa’s Information Regulator announced that it would begin monitoring the Department of Health’s use and disclosure of COVID-19 information in April 2022.
A. The Majority of Data Protection Laws in Africa Have Data Subject Rights and Enforcement Mechanisms Similar to the Rest of the World’s
The comprehensive data protection laws in Africa share many features that exist in other regimes such as the GDPR, China’s Personal Information Protection Law, and California’s California Consumer Privacy Protection Act and its successor, the California Privacy Rights Act. For example, with respect to the most common rights of data subjects, 33 African countries provide the right to access; 29 provide the right to rectification; 27 provide the right to object; 21 provide the right to be forgotten and the right to information; 14 provide the right not to be subject to automated decision-making; 13 provide the right to restrict marketing; five provide the right to obtain personal data in an understandable form; and three provide the right to data portability, to submit complaints, to obtain compensation from data controllers, and to withdraw consent.
In addition to the above data subject rights, roughly 19 African countries require data controllers to notify the relevant data protection authority, and at least 30 require data controllers to have a legal basis for processing personal data and cross-border transfer.
III. Data Protection Developments in Africa in 2022 Signal That Requirements and Enforcement Are Underway
A. Kenya Required Data Controllers and Processors to Register with the Data Protection Commissioner, Effective July 14, 2022
Earlier last month, on July 14, 2022, Kenya’s registration requirement for data controllers and processors went into effect.
Companies doing business in Kenya and processing personal information should review the Office of Data Protection Commissioner’s (“ODPC”) Guidance Note on Registration of Data Controllers and Data Processors to understand their obligations.
The Kenyan Data Protection Act, No. 24 of 2019 (the “Act”) provides a statutory obligation for all Entities (defined below) that process Personal Data (defined below) to register with the Data Protection Commissioner, subject to the thresholds set in place by the Data Protection Commissioner on mandatory registration.3 The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the “Regulations”) went into effect on July 14, 2022.4
The Regulations define “Entities” that are required to register as “mean[ing] a natural (individual) or legal person, public authority, agency or other body that processes (handles) Personal Data.” The term “Personal Data” is defined broadly to include “any information relating to an identified or identifiable natural person.”
The Regulations detail the registration requirements, including the Entities that must register and meet their mandatory registration obligations and those that are exempt due to being found to be below the threshold. On July 13, 2022, the Data Protection Commissioner issued a guidance to assist Entities in ascertaining if they are data controllers or data processors and understanding their obligations with respect to mandatory registration.
Data controllers must create an account, pay the required registration fee, and submit the online form electronically through the ODPC’s website. The new guidance requires registration for Entities that (1) process personal data, (2) have an annual turnover/revenue of more than 5 million Kenyan shillings, and (3) have more than 10 employees.
B. On June 15, 2022, the Uganda Data Protection Authority Held Trainings Regarding Enforcement of Its Data Protection Law
On June 14, 2022, the Uganda Data Protection Authority held a training titled “Enforcement of the Data Protection Act.” In the training, the Ugandan Data Protection Authority provided tips regarding enforcement, including:
C. Nigeria’s National Information Technology Development Agency (“NITDA”) Partners with a Major Credit Card Issuer
On April 15, 2022, the NITDA formed a partnership with a major credit card issuer for a joint training program on cybersecurity and data protection. The NITDA highlighted that the credit card issuer’s virtual academy will provide certificates on cybersecurity courses and will “open [a] platform for online courses where Nigerians can go and learn at their own pace and also get digital certificates.” The initiative is part of the NITDA’s National Economy Policy and Strategy for a Digital Nigeria, which has a target of achieving 95 percent digital literacy by 2030.
IV. Companies Need to Know How Data Protection Laws in Countries in Africa Differ from Regimes Such as the GDPR
Importantly, not all African countries follow the GDPR model, making a “one-size-fits-all” approach difficult. Many of these countries have adopted different models, so entities that process data will need to adopt data privacy standards and practices depending on the country and business activity. The rapid pace of change in both the digital transformation and regulatory environments in Africa makes it crucial for businesses to have agile and adaptable legal governance frameworks.
Algeria, Burkina Faso, Cape Verde, Gabon, Ghana, Ivory Coast, Mali, Morocco, Niger, Rwanda, South Africa, Togo, Tunisia, Uganda and Zimbabwe
Cape Verde, Mali, and Niger
Benin, Ivory Coast, Mali, Niger, Rwanda, Seychelles, Tunisia, and Uganda
Tunisia
The enactment of the various laws in African countries since GDPR’s enactment represents a significant change in the region’s regulatory landscape. As more African countries continue passing data protection laws, entities processing data should continue monitoring the region and seek advice of counsel for proper compliance.
***
The authors want to thank Elias Okwara for his assistance with this article.
1 Vicky Feng & Jennifer Zabasajja, African Tech Sector Is Sprouting Unicorns and Raking in Billions, Bloomberg, April 7, 2022, https://www.bloomberg.com/news/articles/2022-04-07/africa-s-tech-sector-is-sprouting-unicorns-and-raking-in-billions.
2 Graham Greenleaf & Bertil Cottier, International and regional commitments in African data privacy laws: A comparative analysis, Computer Law & Security Review, Volume 44, (2022).
3 Office of the Data Protection Commissioner, Guidance Note on Registration of Data Controllers and Data Processors, (July 13, 2022), https://www.odpc.go.ke/download/guidance-note-on-registration-of-data-controllers-and-data-processors/
4 Id. at p. 2.