The pandemic has caused havoc on business and personal lives. It also highlighted the importance of personal data and its vulnerability.
To combat this, governments across the globe have reviewed and modulated their privacy laws and regulations. Including the African governments and legislators.
Data protection in Africa is covered by the African Union Convention on Cybersecurity and Personal Data (2014). It has been ratified by all 55 members of the African Union.
Over the recent years, Internet usage has increased significantly on the African continent. The usage was aided by continued investment in local digital infrastructure and improved user access.
Further, it has enabled individuals, both public and private entities, to more easily access, collect, process, and disseminate personal data. This has prompted several African countries to enact comprehensive data protection laws to keep a check.
African countries like Kenya, Rwanda, and South Africa now have extensive data protection laws. Though they share some elements of the European Union's GDPR, they differ significantly in the African context.
We will dive deep into the recent governing compliance to understand the premise clearly.
New Laws Constitutionalized in 2021
Amidst the battering impact of Covid, Rwanda and Zambia passed their privacy laws this year.
The Zambia Data Protection Act 2021 was legislated on March 24, 2021, and came into force on April 1, 2021.
Rwanda Personal Data Protection and Privacy Law No. 058/2021 was published and came into effect on October 15, 2021.
South Africa and Zambia published cybercrime laws as well.
South Africa legislated the Cyber Crimes Act 2020 on June 1, 2021, which will come into effect on a date set by the President.
Zambia announced the upcoming Cyber Security and Cyber Crime Act 2021 on March 26, 2021. It will come into force on the date set by the Minister by statutory order.
Laws that Came into Force in Recent Times (2019-2021)
Botswana
In Botswana, the Data Protection Act 2018 was implemented on October 15, 2021. Any person who processes personal data is given one full year from October 15, 2021, in order to be able to get things in working order regarding their company’s compliance with GDPR law. Though relatively new in the arena, Botswana shows promising improvement in data privacy laws.
South Africa
In South Africa, the information regulator has taken a phased approach to implement the 2018 Data Protection Regulations. As per the Effectiveness Notice of February 26, 2021, Regulation 5 began on March 1, 2021, Regulation 4 on May 1, 2021, and the Remnant Regulation started on July 1, 2021.
The Republic of South Africa's Personal Information Protection Act 2013 (POPIA) began on July 1, 2020.
POPIA includes all responsible parties collecting, storing, processing, and passing on personal data for their business activities.
The Information Regulatory Authority (IR) is responsible for investigating, monitoring, and enforcing compliance. It also handles complaints, conducts investigations, and facilitates cross-border cooperation. The IR is responsible for all of South Africa. It is independent and subject only to the Constitution and the law. The IR must be impartial, carry out his duties, and exercise his powers without fear, favor, or prejudice.
Rwanda
Law of the Republic of Rwanda No. 058/2021 on the Protection of Personal Data and Privacy (Privacy Law) was enacted on October 15, 2021. This gives effect to Article 23 of the Rwandan Constitution.
It guarantees the right to privacy as a fundamental right. Also, this act provides a window of 2 years as a transition period from its publication to allow controllers and processors to comply with local registration procedures and ensure that everything falls under the purview of the Data Protection Act. It has established principles related to legality, transparency, accuracy, and the appointment of a data protection officer.
Kenya
The Data Protection Act of the Republic of Kenya, 2019 (DPA) was enacted and became effective in November 2019. The DPA reflects the provisions of Article 31 of the Kenyan Constitution, which establishes the fundamental right to privacy.
The Personal Data Protection Act is the first of its kind in Kenya. It provides a comprehensive legal framework for data protection and sets out guidelines on the use of personal information. The act also establishes the Office of the Privacy Commissioner, which has the power to enforce the law.
Nigeria
In the Federal Republic of Nigeria, Section 37 establishes the right to privacy.
NDPR, or The Nigerian Data Protection Regulation 2019, is Nigeria's leading data protection law. The regulator responsible for regulating the NDPR is the National Information Technology Development Agency (NITDA).
The NDPR provides the rights of data subjects, the obligations of data controllers and data processors, and the transfer of data to a foreign territory. Although other laws contain provisions for data protection, the NDPR is the frontrunner in the Nigerian data protection landscape.
Uganda
The Republic of Uganda passed its Data Protection and Privacy Act 2019 in February 2019.
It enacts Article 27(2) of the Constitution of Uganda, which protects citizens' privacy rights. The law aims to protect the privacy of Ugandan citizens by regulating access, collection, processing, and transfer of data.
The National Information Technology Authority – Uganda (NITAU) is the national data protection authority. It maintains the register listing all public institutions, data subjects, or bodies that collect / process personal data. The law is in line with several international conventions, including the Universal Declaration of Human Rights, to which Uganda is a signatory.
Togo
The Law of the Republic of Togo No. 2019014 on the Protection of Personal Data was published in the Official Journal in October 2019.
The law regulates Togo's collection, processing, transmission, storage, and use of personal data. It also implements the provisions of Article 28, which protects the right of citizens to privacy, dignity, and respect for their image. The law establishes the Data Protection Authority as responsible for ensuring that the law carries out the processing of personal data.
Ghana
Ghana, on the contrary, has been ahead of the curve of its' counterparts in cyber compliance. The Data Protection Act 2012 was enacted to protect individual and personal data privacy. In October 2020, the Data Protection Commission introduced new software tools that simplify registration and renewal. The modus operandi was to improve the user experience for data controllers and processors.
Ghana also announced a six-month amnesty period until March 2021. The Republic of Ghana Data Protection Act 2012 enacts Article 18(2), establishing the fundamental right to privacy. The 2012 Act specifies the Data Protection Commission (DPC) is charged with protecting the privacy of data subjects and employees. The DPC also regulates the processing, collection, and transmission of personal data.
Status of Data Protection Legislation in Africa at a Glance
|
Country |
Status of Data Protection Law |
Status of Regulation |
|
Ethiopia |
No data protection law has been implemented yet. |
Draft Personal Data Protection was made public in April 2020. |
|
Kenya |
Data Protection Act, 2019 |
Only in the Provisioning stage. |
|
Namibia |
Data Protection bill was drafted in 2021 |
No progress on regulation yet. |
|
Nigeria |
Data Protection Bill was drafted in August 2020 |
National Data Protection Regulations were issued in January 2019. |
|
South Africa |
POPIA, 2013 |
Enacted and implemented. |
|
Tanzania |
No data protection law has been implemented yet. |
No progress on regulation has been made yet. |
|
Togo |
Data Protection Act, 2019 |
It is in the Provisioning stage. |
|
Uganda |
Data Protection and Privacy Act, 2019 |
Regulations have been issued in 2020. |
Draft Laws That Are Under Scrutiny
- In Eswatini, the Computer Crime and Cybercrime Bill 2020, and the Data Protection Bill 2020 were published on the Eswatini Government website on May 10, 2021.
- The draft Data Protection Proclamation 2020 has been under review in Ethiopia since April 2020.
- On April 16, 2021, Kenya published the 'Computer Misuse and CyberCrime' (Amendment) Bill, 2021, first read in Parliament on June 9, 2021. The draft law also provides for a ban on the sharing of pornography via the Internet.
- In Malawi, the Ministry of Information is leading a working group to draft the country's privacy law. The Data Protection Act 2021 was published in February 2021, and public workshops on the draft law were held in March 2021.
- The Cybersecurity and Cybercrime Bill, 2021, is being considered in Parliament in Mauritius.
- In Zimbabwe, the Cyber and Data Protection Act 2019 was passed by Parliament in September 2021 and is awaiting Presidential approval.
- In Kenya, the Ministry of ICT, Innovation and Youth Affairs and the Office of the Data Protection Commissioner, a working group to develop data protection regulations, formulated three sets of rules to update the Data Protection Act 2019.
- The Seychelles Cybercrime and Related Offenses Bill 2021 passed second reading in Parliament on November 10, 2021, through the Personal Data Protection Regulations, 2018. Till November 15, 2021, the deadline for the comments was set.
Conclusion
The data security laws mentioned above have helped African countries align with global data protection and privacy best practices. It represents a significant shift in Africa's regulatory landscape. In the future, we can expect more African countries to enact privacy laws to ensure better protection of personal and sensitive data.
.jpg)
Gartner and G2 recommends Appknox | See how we can help you with a free Demo!
Raghunandan J
_HighPerformer_HighPerformer.png)
_BestEstimatedROI_Roi.png)
