Bimonthly Update on Privacy in Africa (September-October 2024)

Introduction

The past two months have witnessed notable milestones in data protection and AI governance at regional and national levels. There has been progress with the development of data protection laws, the creation of new authorities, the publication of regulations, and enforcement actions. On the AI governance front, more countries have initiated processes to develop AI strategies and specific laws.

Here are some notable developments across the region:

Regulatory Updates??

• There is a new law on the block. On October 29, 2024, Botswana’s National Assembly enacted a new Data Protection Act, which repeals and amends the 2018 Act.??The Act aims to regulate the processing of personal data and provides for the continuation of the Information and Data Protection Commission (ICDC) as the data protection authority. The Act will come into effect on the date specified by the Minister by an order published in the Government Gazette.
• In Namibia, the Minister of Information, Communication, and Technology announced that the country is finalising its data protection and cybercrime bills. Both bills aim to protect citizens' personal information amid rapid technological advancement. It is anticipated that this move will conclude the draft of the data protection bill.
• Efforts to harmonise data protection frameworks have intensified. On a regional level, the Economic Community of West African States (ECOWAS) published the first draft of its revised Supplementary Data Protection Act for stakeholder input. The draft Act aims to protect the rights and freedoms of individuals regarding the processing of their personal data and establish rules for maintaining a secure and free flow of data within the region. Stakeholder consultations have been held to refine the draft. Similarly, stakeholders from the East African Community (EAC) deliberated on the East Africa Data Governance Policy Framework at the East African Data Protection Exchange, held from October 16–18, 2024. The Framework aims to harmonise data governance practices and support digital integration in the region.
• The number of data protection authorities (DPAs) increased this period. The Democratic Republic of Congo (DRC) designated the Regulatory Authority for Posts, Telecommunications, and Information and Communication Technologies (ARPTIC) as the data protection authority. Similarly,??on October 21, 2024, Togo appointed the President of the Personal Data Protection Authority (IPDCP), marking the commencement of the IPDCP's activities.??Likewise, the Republic of Congo’s Council of Ministers approved the legislation establishing the National Commission for the Protection of Personal Data as the data protection authority.??
• There have been more international commitments to data protection and cybersecurity at global and regional levels. On a global level, Mauritius joined the Global Cross-Border Privacy Rules (CBPR) Forum? as an associate. Seychelles' Cabinet of Ministers approved the necessary steps for the country’s accession to the Budapest Convention on Cybercrime. On a regional level, Sao Tome and Principe ratified the African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), while Gabon's Council of Ministers approved the draft law to ratify the Malabo Convention to address digital security challenges within the country.
• On proposed amendments, the Chairperson of??South Africa's Information Regulator (IR) disclosed the IR's intention to propose an amendment to the Protection of Personal Information Act (POPIA) to allow for imposing immediate sanctions on entities and to align the POPIA more closely with the General Data Protection Regulation (GDPR). Similarly, Morocco's data protection authority disclosed ongoing stakeholder engagements to review the data protection law, which will be presented to parliament by 2025. Also, Senegal has commenced the review of its 2008 data protection law to strengthen digital regulation and align the provisions with the GDPR.
• On September 13, 2024, Zimbabwe's Regulations on the Licensing of Data Controllers and Appointment of Data Protection Officers came into force. The regulation establishes the framework for appointing Data Protection Officers (DPOs) and licensing entities that process personal data. To comply, entities are required to register with the authority, appoint DPOs that possess relevant skills, develop data protection policies, conduct regular audits, and ensure the security of their systems. There have been several discussions about the adverse implications of the regulations on entities within its scope.

Enforcement and Sanctions?

• The Nigeria Data Protection Commission (NDPC) has?announced the commencement of an investigation into the processing activities of a digital finance platform. The investigation was triggered by the company's non-compliance with the Data Protection Act through the deployment of "privacy-invading" technologies to facilitate marketing, credit scoring, and other financial solutions.

• Kenya's Office of the Data Protection Commissioner (ODPC) continued its enforcement of the Data Protection Act. Notably, an insurance company was fined for the unauthorised disclosure of a party’s data; a commercial bank was fined for not ensuring the accuracy of its customers' details; a digital lending platform faced a fine for violating a data subject's rights to be informed and to object to unlawful data processing; the ODPC also fined a company for processing a complainant’s data for commercial purposes without obtaining consent; an enforcement notice was issued against the National Health Insurance Fund (NHIF) for failing to rectify inaccurate user information; and a hospital was fined for using an individual’s image without obtaining their consent.
• In Ghana, a Circuit Court issued a fine of 1,900,000 GHC against a ride-hailing company for failing to prevent identity theft. The court ruled that the company’s failure to conduct a thorough identification verification was negligent and violated the Ghana Data Protection Act. The ODPC also fined the same company in June 2024 for violating the access and rectification rights of the complainant and failing to fulfil its obligations under the law.
• The Constitutional Court of South Africa ruled that an individual's right to privacy can outweigh another’s right to freedom of expression, particularly when privacy expectations are reasonable. The court emphasised that assessing privacy rights involves evaluating both the individual's subjective expectation of privacy and whether this expectation is objectively reasonable. Here, despite the claimant initially sharing his information on a social platform, the court found that he maintained a reasonable expectation of privacy. Further dissemination of this information was deemed a privacy violation, as it could lead to potential harassment, underscoring the court's protection of privacy even in cases involving prior public disclosure.
• On September 5, 2024, Mali's Personal Data Protection Authority (APDP) warned against the sharing of personal data, including sensitive personal data, on digital platforms except for journalistic purposes or based on prior authorisation of the APDP. Violations could result in fines of up to $33,300 or criminal prosecution.

Partnerships and Collaboration?

• On October 3, 2024, the National Commissioner of the NDPC and the Privacy Commissioner of Canada (OPCC) signed a memorandum of understanding (MoU) to further strengthen their collaboration. A task team was also set up to discuss other areas of collaboration, including training for the High Commission's staff in Canada.

AI Governance

• On September 30, 2024, the Ministry of Digital Transition and Digitalisation officially launched the process to develop Cote d’Ivoire’s National AI Strategy and National Data Management Strategy.??According to the Minister, the strategies aim to promote the responsible and ethical use of AI and data to drive innovation, research, and economic competitiveness and improve quality of life. The strategies will also address key concerns, including protecting citizens' rights and addressing biases.
• As part of the effort to develop its National AI Policy, the Mauritius Emerging Technology Council called for stakeholders to contribute to the policy. All contributions can be made through a document that will be uploaded on the council's website . Similarly, from September 24-26, 2024, Kenya hosted the National AI Strategy Proceedings to gather stakeholder input on the development of its AI Strategy.
• In Nigeria, the National Artificial Intelligence Regulatory Authority Bill 2024 was presented before the House of Representatives for its first reading. This is the third AI-specific legislation to be presented to the National Assembly in the past two years.

Conclusion

• In the coming months, we anticipate considerable progress with the ECOWAS Supplementary??Data Protection Act, the conclusion of Namibia’s data protection bill, and the progress with the amendment of Senegal’s law and decree on data protection. We also anticipate progress with the ongoing AI governance initiatives in Cote d’Ivoire, Mauritius, Kenya, Nigeria, and South Africa.