There has been a substantial increase in the use of the Internet across the African continent, aided by ongoing investment into local digital infrastructure, reduction in the associated costs, and improved user access. This has allowed both individuals, and private and public entities, the ability to access, collect, process and/or disseminate personal data more easily, which has spurred a number of African countries to enact comprehensive data protection laws and establish data protection authorities. There is also a growing perception among African countries that there is a need to protect their citizen’s personal data, to regulate how public and private entities use personal data, and to establish data protection authorities tasked with enforcing these laws.

While countries like Kenya, Rwanda and South Africa now have comprehensive data protection laws, which share some elements found in the European Union’s General Data Protection Regulation (“GDPR”), many of the proposed data protection laws have specific rules that are different from those in other countries in Africa. Consequently, technology companies conducting business in Africa will be required to keep abreast of the evolving regulatory landscape as it relates to data protection on the continent.

Recently enacted data protection laws 

  • The Republic of Rwanda’s Law No. 058/2021 relating to the Protection of Personal Data and Privacy (“Data Protection Law”) was enacted and came into effect upon its publication in the Government’s Official Gazette on October 15, 2021. The Data Protection Law gives effect to Article 23 of the Constitution of Rwanda, which guarantees the right to privacy as a fundamental right. The Data Protection Law provides for a transitional period of 2 years from the date of its publication, to allow controllers and processors to comply with local registration procedures and to ensure that their operations and activities adequately comply with the requirements of the Data Protection Law. This is the first law of its kind for Rwanda, introducing principles related to lawfulness, fairness, transparency, purpose limitation and accuracy, as well as the designation of a data protection officer.
  • The Republic of South Africa’s Protection of Personal Information Act, 2013 (“POPIA”) became effective on July 1, 2020. POPIA gives effect to the right to privacy in section 14 of the Constitution of South Africa (Act 108 of 1996). POPIA covers all responsible parties that collect, store, process and/or disseminate personal information as part of their business activities. The Information Regulator (“IR”) is responsible for education, monitoring and enforcing compliance, handling complaints, performing research and facilitating cross-border cooperation. The IR has jurisdiction throughout South Africa. It is independent and subject only to the Constitution and to the law. The IR must be impartial and perform its functions and exercise its powers without fear, favor, or prejudice.
  • The Republic of Kenya’s Data Protection Act, 2019 (“DPA”) was enacted and came into effect on November 2019. The DPA reflects the provisions of Article 31 of the Constitution of Kenya, which provides for the fundamental right to privacy. This is the first law of its kind for Kenya, which provides a regulatory framework for data protection and guidelines on how personally identifiable data can be collected, used, stored or shared. Further, this law establishes the office of the Data Protection Commissioner.
  • In the Federal Republic of Nigeria, section 37 of the Constitution of the Federal Republic of Nigeria gives effect to the right to privacy. The Nigerian Data Protection Regulation (“NDPR”) 2019 is the main data protection statute in Nigeria. The regulatory body responsible for governing the NDPR is the National Information Technology Development Agency (“NITDA”). The NDPR makes provision for (amongst others) the rights of data subjects, obligations for data controllers and data processors, and transfer of data to a foreign territory. Even though other legislation, such as the Cybercrimes (Prohibition, Prevention, etc.) Act (2015) and the National Identity Management Commission Act, 2007 contain provisions relating to data protection,  the NDPR is the starting point for understanding Nigeria’s data protection landscape. 
  • The Republic of Uganda, passed its Data Protection and Privacy Act, 2019 (“Act”) in February 2019, which gives effect to Article 27(2) of the Ugandan Constitution, which provides for the protection of citizens’ rights to privacy.  The Act seeks to protect the privacy of Ugandan citizens’ (“data subjects”) by regulating the access, collection, processing and transfer of data. The Act also empowers data subjects whose personal data has been requested, collected, collated, processed or stored, the power to exercise control over their personal data, including consent to the collection and processing or to request the correction and deletion of personal data. The National Information Technology Authority – Uganda (“NITA-U”) is designated as the national data protection authority and maintains the Register that lists all  institutions, data subjects or public bodies that collect or process personal data.  The Act aligns with a number of international conventions including the Universal Declaration of Human Rights, where Uganda is a signatory. 
  • The Kingdom of Morocco’s Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data (“Law No. 09-08”), is the data protection law that was passed in 2009. Law No. 09-08 gives expression to the constitutional right to privacy founded under Article 24 of the Constitution of Morocco. The law sets out the authorities responsible for data protection, its own territorial scope and the conditions according to which data can be transferred to third countries.
  • The Togolese Republic Law No. 2019-014 relating to the Protection of Personal Data (the “Law”), was published in the Official Gazette in October 2019. The Law regulates the collection, processing, transmission, storage, and use of personal data in Togo and gives effect to the provisions of Article 28 of the Togolese constitution, which enshrines the right of citizen’s rights to privacy, dignity, and respect as regards their image. The Law establishes the Personal Data Protection Authority, an independent administrative authority responsible for ensuring that the processing of personal data is carried out in in accordance with the Law. 
  • The Republic of Ghana’s Data Protection Act, 2012 (“Act 2012”) was passed in May 2012, and gives effect to Article 18(2), which provides for the fundamental right to privacy. Act 2012 establishes the Data Protection Commission (“DPC”), which is tasked with protecting the privacy of data subjects and  personal  The DPC also regulates the processing, collection and transfer of personal data.

The enactment of the above laws has helped African countries align with global best practice on data protection and privacy, and represent a significant change in Africa’s regulatory landscape. Going forward, we can expect to see more African countries enacting and passing data protection laws to lend greater protections to personal data and address emerging cybersecurity threats.

The team at Covington is well placed to advise on these policy and regulatory developments. Please reach out to Witney Schneidman (WSchneidman@cov.com), Dan Cooper (DCooper@cov.com), Mosa Mkhize (MMkhize@cov.com), Sam Jungyun Choi (JChoi@cov.com) or Shivani Naidoo (SNaidoo@cov.com).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Photo of Mosa Mkhize Mosa Mkhize

Mosa Mkhize is a policy advisor and leads the firm’s Africa Public Policy Practice. Drawing on her experience both in government and in various roles in the private sector, Mosa provides strategic policy and regulatory advice to clients doing business with and across…

Mosa Mkhize is a policy advisor and leads the firm’s Africa Public Policy Practice. Drawing on her experience both in government and in various roles in the private sector, Mosa provides strategic policy and regulatory advice to clients doing business with and across Africa. Mosa does so by leveraging close to two decades of experience in international trade, public policy and government affairs.

Mosa assists clients on a broad range of issues including advocacy, strategic policy, regulatory, and dispute resolution advice in various sectors, including technology, energy and life sciences. In addition to this, Mosa’s capabilities include building strategic relationships and coalitions in support of smart technologies. Furthermore, she is currently working with government officials, private corporations, academia, and the general public on the development of regulations and policies that will bring about an enabling environment for digital transformation and economic growth in Africa.

Photo of Sam Jungyun Choi Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such…

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam’s practice includes advising on regulatory, compliance and policy issues that affect leading companies in the technology, life sciences and gaming companies on laws relating to privacy and data protection, digital services and AI. She advises clients on designing of new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.