AFRICA BULLETIN

Overview of data protection laws in Africa

 By  Aissatou Sylla , Senior Associate,  Hogan Lovells  Paris and  Alex Ford-Cox, Associate, London


Data protection law has been gaining ground in Africa over the past 20 years. Today, out of 54 countries, 25 have passed data protection laws, the latest countries being Uganda, Nigeria and Egypt. Other countries have introduced data protection bills which are under discussion or waiting to be on the legislative agenda.

Regional legislative framework

On a regional level, some measures have been taken to encourage and support the enactment of data protection laws:

Common features in the laws

Despite the regional organisations’ efforts, the overall legislative framework is not harmonised.

However, some common trends can be found.

For example, in most countries, the consent of the data subject is the default condition for data processing and no references are made to the notion of legitimate interest as a legal basis. Another example is that most statutes have provided for the establishment of a data protection authority reporting to the telecommunications or ICT regulator.

This is not the case in Nigeria where the ICT regulator is directly in charge of data protection.

A final example of similar features is the data controllers’ obligation to notify the regulator of any data processing activities and to seek from the regulator an authorisation to transfer personal data to third countries with a two month maximum processing time.

Some more recent and GDPR-inspired laws, such as the Benin Digital Code and the Nigerian Data Protection Regulation have opted for a more flexible approach, insisting on internal governance, data mapping, audits or the appointment of a data protection officer and not systematically imposing systematic notifications to the regulator.

Need for a harmonised legal framework?

Harmonising the data protection statutory and regulatory framework in Africa is still on the agenda of regional organisations and some states.

In addition to protecting citizens’ privacy, having a harmonised or, at best, a uniform framework is seen as an opportunity to promote the continent’s development by allowing free flow of data within Africa, encouraging data transfers from other continents to Africa and thus boosting the use of African-based datacentres, outsourcing services, blockchain technology, e-government and fintech services.

Some African organisations and countries have also expressed their intent to end the situation of ‘digital colonisation’ which they view as the consequence of having the most politically and strategically sensitive data, such as classified documents, hosted on non-African servers.

To tackle this issue, discussions are being held around data localisation on a continental level to reach data sovereignty.

Privacy and data protection is still a hot topic in Africa and another wave of legislation is to be expected in the next two years.

However, compliance with the existing laws remains a challenge for small to medium businesses, which are not always aware of their legal obligations or which consider that it would be more costly to abide by the privacy rules than to be sanctioned for breach.

Records published by the data protection authorities show that the vast majority of organisations complying with the notification and approval processes with the regulators are multinational businesses headquartered in Europe or America, public services and local giants in banking and telecommunications.

This article first appeared on Hogan Lovells Engage in October 2019.

Exit mobile version