Cape Town, South Africa – Specialist Commercial Legal consultancy Caveat Legal has announced a new programme to help African companies comply with the myriad different Data Protection Laws across the multiple jurisdictions on the African continent.
The last two years have seen a massive uptake in data protection laws and regulations in Africa with South Africa, Kenya, Zambia, Zimbabwe, Botswana, and Eswatini all passing laws and/or regulations in this regard. Compliance is mandatory in these countries, however, in Botswana you have until October 2023 to fully comply as that is when the grace period ends. Namibia’s data protection laws are due to come into effect in July 2023.
In addition to the aforementioned countries, Angola, Egypt, Ghana, Mauritius, Uganda, La Reunion (as a French territory, the European Economic Area General Data Protection Regulation (GDPR) applies) have all established data protection laws.
While Nigeria has regulations on data protection, it does not have a principal legislation. A bill was introduced in 2022 which could see a fully-fledged data protection law being implemented. Most other African countries have laws that touch on the protection of personal information but no formal laws yet.
The introduction of robust data protection laws as well as the enforcement of such laws is imperative. Not only for the protection of fundamental rights to privacy, but as it is paramount for African countries to operate in the global economy. There exists the concept of adequacy decisions in many data protection laws. This enables authorities in those countries to grant adequacy decisions to countries which are deemed to have sufficient laws and enforcement in place. Adequacy decisions, in general, allow for easier cross-border transfer of personal information and lower costs to organisations trying to do business globally. Lower costs in the sense that they can have local data centres and do not need to incur legal costs in negotiating data transfer agreements, for example.
“Interestingly the United States is not deemed adequate by the European Economic Area and despite attempts to set up frameworks such as the EU-US Privacy Shield, these attempts have fallen short. What we see, therefore, is many US-headquartered companies with data centres and operations in countries in Europe where European data can be stored,” says Louella Tindale, an attorney at Caveat Legal that specialises in Data Protection Laws.
“While most data protection laws in Africa have similar concepts to the European Union’s GDPR, there are some key areas of difference,” continues Tindale.
Despite the differences, data protection laws across the globe share many similarities. It is, therefore, possible to implement a compliance programme across multiple African jurisdictions, with policies and procedures and training taking the different legal nuances into consideration.
Not only is it possible, but advisable to have a unified approach to data protection compliance across all jurisdictions where a business operates. Tindale invites any business to contact her or any of the specialist attorneys at Caveat Legal to discuss designing and executing a compliance package across multiple jurisdictions to suit specific needs.
For more information or to contact the team, please visit www.caveatlegal.com