The evolution of data protection has seen different legal regimes categorise data subjects into groups, particularly based on their competence. Children, for instance, are one such category of data subjects whose competence, based on their needs and capacities, has seen them benefit from special protections under most data protection laws. The United States of America Child Online Privacy Protection Act (COPPA) was one of the specific laws that sought to move away from age-generic provisions, spurring a raft of data protection laws that delineate special protections for this category of data subjects. African laws are no exception.
Numerous African data protection laws provide special protections before and during the processing of children’s data, including limitations on processing. Where a data subject falls under the category of a “child,” controllers and processors typically have additional obligations, such as stipulating conditions for relying on consent where it is the legal basis and exemptions to process children’s data without consent under certain circumstances. Other obligations include implementing age-verification mechanisms using available technology and providing clear, accessible information about their privacy practices concerning children. This requirement exists in several countries, such as Nigeria. Additionally, in South Africa, prior authorisation from the Information Regulator is required for the transfer of children’s personal data outside the country. These additional obligations are imposed on organisations to ensure the safety of children.
However, introducing special protections for children is only one step. A foundational step towards ensuring that these measures are effectively implemented is defining a child. To this end, this blog examines the data protection laws of African countries, looking into the definition of a child under these laws, highlighting categories of children based on their age, and demonstrating the implications of such differentiation.
Before examining the varying classifications, it is important to note that some countries, such as Botswana, Nigeria, and Tanzania, include provisions aimed at protecting children but do not explicitly define who a child is. Instead, they defer to other laws, such as the Children’s Act, for this definition. In contrast, countries like Zambia define the term based on its meaning in the Constitution, while Côte d’Ivoire relies on the definition provided in its Criminal Code.
Some countries, such as Malawi, Lesotho, Somalia, South Africa, Zimbabwe, and Seychelles, define a child as someone below 18 years, replicating the age of majority in most African countries. In other countries, such as Ethiopia, Mauritius, and Rwanda, a child is defined as someone below 16 years.
Conceptions of childhood and, consequently, of children’s capacities vary across different age groups, necessitating differing protections. Benin and Congo are countries whose laws reflect this. Both differentiate between a child below 16 years and an adolescent who is 16 years or above, albeit with some nuance. For instance, in Congo, consent for a data subject below 16 years is provided jointly by the minor and the person with parental authority. Data subjects aged 16 and above can provide consent without seeking parental approval.
As stated earlier, the concept of a child and the ensuing legal capacity are crucial to ensuring that children enjoy special legal protections commensurate with their vulnerability. This importance becomes more visible as children navigate online spaces, where they share their data and where robust informational privacy protections are necessary.
- Article 3.1 NDPR and Article 5.5 NDPR Implementation Framework
- Section 57(1)(d) South Africa
- Section 2 Botswana Protection Act
- Section 65 Nigeria Data Protection Act
- Section 3 Tanzania Personal Data Protection Act
- Section 2, Zambia Data Protection Act 2021
- Article 1 Côte d’Ivoire Data Protection Act
- Section 2 Malawi Data Protection Act 2024
- Section 2 Lesotho Data Protection Act 2011
- Article 2(5) Somalia Data Protection Act 2023
- Section 1, Protection of Personal Information Act, 2013
- Section 3 Zimbabwe Data Protection Act, 2021
- Section 23 Seychelles Data Protection Act 2023
- Article 2 Ethiopia Personal Data Protection Proclamation 2024. Ethiopia adopts the term “minor” in place of “child”
- Section 30 Mauritius Data Protection Act 2017
- Article 9 Law on the Protection of Personal Data and Privacy
- Article 446 Digital Code
- Article 62 Congo Personal Data Protection Law