By Mercy King’ori and Ridwan Oloyede
The advent of technology and its implications on fundamental human rights and business practices has seen many countries introduce laws that impact one of the most important rights of our age-the right to privacy. In Africa, as in many other parts of the world, the right to privacy has found expression as a constitutional right and in the growing number of comprehensive data protection laws. There are currently 36 countries with data protection laws, with the first being enacted in Cape Verde in 2001. Many other countries have followed suit, with the most recent bill being from Nigeria. The trend is likely to grow as more countries realise the importance of the right to privacy and data protection for social and economic growth.
For most of these laws, countries have looked to jurisdictions with already established laws for provisions to incorporate into their national laws. A cursory look at most African laws indicates resemblance with the provisions of the now defunct EU Directive of 1995 and more recently, the GDPR in what has come to be referred to as the “Brussels Effect of the GDPR”. As a result of this heavy influence, mostly due to trade considerations, countries that based their laws on the now-defunct EU Directive of 1995 have had to change their laws to reflect new ideas. This was the case with Cape Verde, Benin, and Burkina Faso, who amended their laws, and there are more countries like Senegal, Angola, Botswana, Morocco, and Tunisia that have expressed the intention of amending their laws or are in the process of doing so. In the amended laws, substantial changes were made that expanded the content of the laws. For example, the Cape Verde amendment saw the expansion of the definition of “consent.” But as the content of most laws will show in the next series, having structures that are similar to those in other jurisdictions does not amount to the convergence of the laws of all African countries.
Some notable differences among these laws
In addition to enacting comprehensive data protection legislation, most countries have charged an authority with ensuring compliance with the laws. There are currently 25 data protection authorities (DPAs) in Africa. Burkina Faso was the first to establish an authority in 2007. The question of what model of DPAs to adopt in Africa is one which countries grapple with. Concerning the assignment of the data protection role in Africa, two peculiar trends emerge that provide a nuanced approach into data protection in Africa:
-
- It is not uncommon for a law to be enacted first, followed by the appointment of the authority years later. Algeria and Mauritania, for example, enacted their laws in 2018 and 2017, respectively, but only created the authorities and appointed members in 2022.
-
- There are two models of DPAs that stand out in Africa. For the sake of clarity, we will refer to them as “stand-alone” models and “add-on” models. In the former, a new authority is usually established with the mandate of enforcing data protection, whereas in the latter, the data protection function is added to an already existing authority that may have a function that is closely related to data. Examples of countries with the stand-alone model are Kenya, Tunisia, Morocco, Angola, Gabon among others. Countries that have adopted the add-on model typically assign the data protection mandate to public bodies/authorities in charge of communication, such as Zimbabwe, Chad, Côte d’Ivoire, and Eswatini (the most common approach), or to cybersecurity agencies, such as the National Cyber Security Authority in Rwanda.
Another sub-theme emerging from this trend is Nigeria, where the National Information Technology Development Agency (NITDA), which issued and enforced the Nigeria Data Protection Regulation, 2019 (NDPR), was relieved of its data protection responsibilities by a ministerial directive and presidential approval, resulting in the establishment of the Nigeria Data Protection Bureau (NDPB). However, no formal law created the NDPB, and the NDPR was not amended to confer the NDPB authority or responsibilities. The Data Protection Bill of 2022, if passed, will be the anchor law for the NDPB.
Another intriguing trend is the delegation of regulatory duties to licenced bodies. In Nigeria and Zambia, the laws establish a licencing regime for entities that can conduct audit functions, among other roles that a DPA would typically be in charge of. While the licenced bodies known as Data Protection Compliance Organisations (DPCOs) in Nigeria and data auditors in Zambia are not strictly regulators, the law allows them to perform broad functions such as promoting adherence to the law, ensuring policies and procedures are followed, and raising public awareness. Finally, we anticipate that more countries with laws will establish or designate authorities in the coming years. This is expected in Zambia, Egypt, Togo, and Madagascar.
| Countries with laws and DPAs (Stand Alone) | |
| Countries with laws and DPAs (Add On) | |
| Countries with laws without DPAs |