The last two years have seen a massive uptake in data protection laws and regulations in Africa with South Africa, Kenya, Zambia, Zimbabwe, Botswana, and Swaziland all passing laws and/or regulations in this regard. Compliance is mandatory in these countries, however, in Botswana you have until October 2023 to fully comply as that is when the grace period ends. The data protection law in Namibia is due to come into effect in July 2023.
In addition to the above, Angola, Egypt, Ghana, Mauritius, Uganda, and La Reunion (as a French territory, the European Economic Area General Data Protection Regulation (GDPR) applies) have all established data protection laws.
While Nigeria has regulations on data protection, it does not have a principal legislation. A bill was introduced in 2022 which would see a fully-fledged data protection law being implemented. Most other African countries have laws that touch on the protection of personal information but no formal laws yet.
The introduction of robust data protection laws as well as the enforcement of such laws is imperative. Not only for the protection of fundamental rights to privacy but as it is paramount for African countries to operate in the global economy. There exists the concept of adequacy decisions in many data protection laws. This enables authorities in those countries to grant adequacy decisions to countries that are deemed to have sufficient laws and enforcement in place. Adequacy decisions, in general, allow for easier cross-border transfer of personal information and lower costs to organizations trying to do business globally. Lower costs in the sense that they can have local data centers and do not need to incur legal costs in negotiating data transfer agreements, for example. Interestingly the United States is not deemed adequate by the European Economic Area and despite attempts to set up frameworks such as the EU-US Privacy Shield, these attempts have fallen short. What we see, therefore, is many US-headquartered companies with data centers and operations in countries in Europe where European data can be stored.
While most data protection laws in Africa have similar concepts to the GDPR, there are some key areas of difference, both to the GDPR and amongst the different African countries. These generally include:
- Cross-border transfers – differences are usually around instances when a transfer is allowed.
- Sensitive or special personal information – differences occur in what constitutes sensitive or special personal information and the basis on which such information can be processed. Also, in some countries consent of the data subject or possibly of the regulator is required prior to transferring special or sensitive personal information cross-border.
- Registration requirements – differences arise in the application procedure, what information needs to be submitted, whether it is the organisation or whether a data protection officer needs to be registered, or both.
- Penalties and enforcement – different penalties apply for contraventions as well as on what basis penalties can be levied. Regulators also have different enforcement rights and the process also differs.
While there are some differences, there are several similarities between data protection laws globally. It is, therefore, possible to implement a compliance program across multiple African jurisdictions, with policies, procedures, and training taking the different legal nuances into consideration. Not only is it possible but it is also advisable to have a unified approach to your data protection compliance across all jurisdictions where you operate. Our lawyers at Caveat have significant experience in designing and executing compliance programs across multiple jurisdictions. We also offer packages which you can view on our website here.
Louella has a BA LLB (University of Cape Town) as well as a Certificate in Competition Law (University of the Witwatersrand). She was admitted as an attorney in 2010 after completing her articles at Werksmans Attorneys. In 2012, Louella relocated to the United Kingdom where she worked for two multi-nationals as in-house legal counsel – LSE listed hotel group PPHE Hotel Group (Park Plaza and art’otel) and FTSE 100 travel group TUI Travel. In 2017, Louella returned to South Africa and joined Caveat Legal focusing on data protection law.