Over the past twenty years, privacy legislation in Africa has been gaining momentum, with 33 countries on the continent now having some form of data protection law on the books.
Additionally, the three main regional organizations—the African Union, the Economic Community of West African States (ECOWAS), and the Southern African Development Community (SADC)—have all published or adopted privacy and cybersecurity acts. They are strongly influenced by—you guessed it—the European General Data Protection Regulation (GDPR).
“You have little power over what’s not yours.”
We will look at three of Africa’s largest economies by GDP: Nigeria, South Africa, and Egypt. We will also look at the Economic Community of West African States (ECOWAS) privacy framework, since its member states combined are responsible for over 668 billion dollars in GDP. For more information on emerging regulations in Africa, you might consult the United Nations Conference on Trade and Development.
Economic Community of West African States
The Economic Community of West African States (ECOWAS) has 15 member states: Benin, Burkina Faso, Cabo Verde, Côte d’Ivoire, Gambia, Ghana, Guinea, Guinea-Bissau, Liberia, Mali, Niger, Nigeria, Senegal, Sierra Leone, and Togo. In 2010, ECOWAS passed the Supplementary Act A/SA.1/01/10 on Personal Data Protection.
ECOWAS member countries.
The preamble to the act reads:
The high contracting parties,
CONSIDERING the important progress made in the area of Information and Communication Technologies (ICT) as well as the Internet which increasingly raises the problem of personal data protection;
CONSCIOUS that a technology such as the Internet, with its facilities of profiling and tracing of individuals, constitutes a favourable vector for gathering and processing personal data;
CONSCIOUS also that the increasing use of Information and Communication Technology (ICT) may be prejudicial to the private and professional life of the users;
NOTING that, notwithstanding the existence of the national legislations relating to the protection of privacy of the citizens in their private and professional life and relating to the guarantee of the free movement of information, it becomes a matter of urgency to fill the legal vacuum generated by the use of internet which is a new instrument of communication.
Intent and Major Provisions
The main intent of the Act is:
Each Member State shall establish a legal framework of protection for privacy of data relating to the collection, processing, transmission, storage, and use of personal data without prejudice to the general interest of the State.
Moreover, the act calls for the establishment of a data protection authority:
1) Within the ECOWAS space, each Member State shall establish its own data protection Authority. Any State that does not have one shall be encouraged to establish one.
2) The data protection Authority shall be an independent administrative Authority responsible for ensuring that personal data is processed in compliance with the provisions of this Supplementary Act.
The act sets forth several principles guiding the processing of personal data, including the Principle of Consent and Legitimacy; the Principle of Legality and Fairness; the Principle of Purpose, Relevance, and Preservation; the Principle of Accuracy; the Principle of Transparency; the Principle of Confidentiality and Security; and the Principle of Choice of Data Processor.
Of particular interest is Article 34: Prohibition of Direct Prospecting. It reads:
Within the ECOWAS space, direct prospecting by whatever means of communication, using personal data in any form of an individual who has not stated his prior consent to receiving such prospecting shall be prohibited.
As you can imagine, this places quite a constraint on the users that the infamous “Nigerian Prince” can email within ECOWAS, so—no wonder—he has been targeting American consumers!
In terms of individual rights, the act spells out the following: right to information, right to access, right to object, and the individual’s right to rectification and destruction.
The act differentiates between personal and sensitive data as follows:
Personal data means any information relating to an identified individual or who may be directly or indirectly identifiable by reference to an identification number or one or several elements related to their physical, physiological, genetic, psychological, cultural, social, or economic identity;
Sensitive data means personal data relating to an individual’s religious, philosophical, political, trade union opinions or activities, to their sexual life, racial origin or health, relating to social measures, proceedings, and criminal or administrative sanctions.
Everyone in ECOWAS jurisdictions is covered by the Act.
The Act excludes:
1) processing of personal data relating to data manifestly made public by the data subject;
2) the data subject has given his written consent, on whatever medium, to such processing, and in line with texts in force;
3) processing of personal data is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent;
4) processing, in particular of genetic data, is necessary for establishing, exercising or defending a legal right;
5) where legal proceedings or a criminal investigation is underway;
6) processing of personal data is necessary for reasons of public interest, in particular for historical, statistical or scientific purposes;
7) for the performance of a contract to which the data subject is a party or for the application of pre-contractual measures adopted at the request of the data subject prior to entering into a contract;
8) the processing is necessary for compliance with any legal or regulatory obligation to which the data controller is subject;
9) the processing is necessary for the implementation of a public interest mission or is carried out by a public authority or is assigned by a public authority to the data controller or to a third party to whom the data is disclosed;
10) the processing is carried out in the course of its legitimate activities by a foundation, an association or any other non-profit making body that exists for political, philosophical, religious, mutual benefit or trade union purposes.
The local (ECOWAS member) Data Protection Authorities.
There are no explicit penalties mentioned in the act. However, under “sanctions,” the act mentions that the Data Protection Authority may provisionally or definitively withdraw the authorization of a data processor to operate, and it may issue a fine.
Here is the complete text of the Supplementary Act A/SA.1/01/10 on Personal Data Protection.
The effect of the act is regional, covering the West African member states, and global for any business operating in an ECOWAS member state that has implemented the act through its own state-specific privacy law.
Nigeria has the greatest number of Internet users in Africa: two and a half times the number of the next closest country (Egypt) and almost four times as many as South Africa. In 2019, Nigeria’s National Information Technology Development Agency issued the 2019 Nigeria Data Protection Regulation.
Nigeria, both citizens and residents.
The Nigerian Constitution guarantees the right to privacy in Chapter 4, Article 37, which says: “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.” From a legislative perspective, this protection is supported by several laws, the most prominent of which are the National Health Act, the National Identity Management Commission Act, the Credit Reporting Act, the Children’s Right Act, and the Cybercrime Act of 2015.
Starting in 2007, the National Information Technology Development Agency (NITDA) was mandated to develop data protection regulations; the result was the 2019 Nigeria Data Protection Regulation (NDPR).
Intent and Major Provisions
The NDPR draws heavily from the European General Data Protection Regulation (GDPR). It establishes data processing principles revolving around explicit consent, contractual or legal need, public interest, or critical need.
It also establishes several individual rights, including the right to opt out, the right to access their own data, the right of data portability among controllers, the right to know how the data is used, the right of data correction and deletion, and the right to file a complaint with NITDA.
The law also requires the appointment of a Data Protection Officer who is responsible for the data controller’s compliance with the NDPR.
The NDPR defines personal data as follows:
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others.
Note that the definition makes explicit reference to both location data and IP address.
Anyone dealing with the personal data of Nigerian citizens or residents, even if the citizens in question do not currently reside in Nigeria.
There are no exclusions to the law.
National Information Technology Development Agency (NITDA)
The law imposes significant penalties (in addition to criminal liabilities) on violators. Specifically:
Any person subject to this Regulation who is found to be in breach of the data privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to the following:
a) in the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million naira, whichever is greater;
b) in the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million naira, whichever is greater.
Here is the complete text for Nigeria Data Protection Regulation (NDPR).
The effect of the law is worldwide, since it covers not only businesses operating in Nigeria and handling the data of Nigerian citizens and residents, but also Nigerian citizens who reside outside of Nigeria.
Privacy legislation in South Africa is relatively new. The Protection of Personal Information Act (PoPIA or PoPI) was passed in 2013, although it took years for it to come into effect (see below).
South Africa; all provisions took full effect in 2020.
The South African constitution enshrines privacy as a fundamental right in Article 14.
Everyone has the right to privacy, which includes the right not to have—
(a) their person or home searched;
(b) their property searched;
(c) their possessions seized; or
(d) the privacy of their communications infringed.
The Protection of Personal Information Act, with all of its 156 pages, was created to further promote the protection of personal information, to establish processing standards, to establish the office of the Information Regulator, to provide data governance direction, and to regulate the cross-border flow of data.
Intent and Major Provisions
The intent of the act is spelled out in Article 2. It’s lengthy, so I will just excerpt a piece of it here:
The purpose of this Act is to—
(a) give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—
(i) balancing the right to privacy against other rights, particularly the right of access to information; and
(ii) protecting important interests, including the free flow of information within the Republic and across international borders;
(b) regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information
Like most mature privacy laws, PoPI sets conditions for the lawful processing of personal information including accountability, suitability, scope, transparency, and safety. It also outlines in detail the rights of data subjects, listed below (edited for length):
Rights of data subjects
A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information… including the right—
(a) to be notified that—
(i) personal information about him, her or it is being collected…
(ii) his, her or its personal information has been accessed or acquired by an unauthorised person…
(b) to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information…
(c) to request, where necessary, the correction, destruction or deletion of his, her or its personal information…
(d) to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information…
(e) to object to the processing of his, her or its personal information… at any time for purposes of direct marketing…
(f) not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications…
(g) not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person…
(h) to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject…
(i) to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information.
PoPI defines personal information as follows:
“personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.”
The act explicitly includes both natural and legal persons in South Africa.
The Protection of Personal Information Act has a long list of exclusions, including instances of purely personal activities, de-identified data, national security reasons, anti-terrorism activities, and valid journalistic, literary, or artistic expression.
The Protection of Personal Information Act is enforced by the South African Information Regulator.
Violating the Act can result in imprisonment of up to ten years, and fines ranging between 1,000,000 and 10,000,000 Rand (approximately $58,000–$580,000).
Here is the full text for the Protection of Personal Information Act (PoPIA or PoPI).
The effect of PoPI is limited to South Africa and businesses dealing with South African citizens’ personal data.
Egypt did not have a privacy law until 2017, when the first drafts of the Data Protection Law were circulated. In June 2019, following the approval of the Egyptian Cabinet of Ministers, the Egyptian Parliament passed the law.
The Egyptian Data Protection Law is based heavily on the European General Data Protection Regulation (GDPR), with some notable differences discussed below.
Intent and Major Provisions
Much as in the GDPR, the Egyptian law lists several data protection principles, including data collection principles for specific and legitimate uses, secure data processing, and destruction of the data following its intended use.
The law spells out several individual rights, including the right to be informed, the right to obtain a copy of your data, the right to correct the data, and the right to determine the extent of your data’s use by the data controller. An individual has the right to file a complaint with the Personal Data Protection Center. Finally, much like with the GDPR, the law requires the appointment of a Data Protection Officer to ensure compliance with the law.
The law defines personal data almost exactly as the GDPR does:
any data relating to an identifiable natural person, or is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, voice, picture, an identification number, an online identifier or to one or more factors specific to the physical, mental, economic, cultural or social identity of that natural person.
Similarly, the special data category is defined much in the same way:
data which reveals the mental health, physical health, genetic health, biometric data, financial data, religious beliefs, political opinions, security status relating to the natural person. In all cases, data relating to children are considered sensitive personal data.
Egyptian citizens and Egyptian residents.
Excluded from the law are data held by individuals for private use, data used in official statistics and legal proceedings, and data in the possession of the government.
The law is enforced by the newly created Personal Data Protection Center.
The penalties under the law are less severe than those imposed by the GDPR but are still significant. They include imprisonment and fines of up to two million Egyptian pounds (about $125K U.S.).
As of this writing there is no online resource that makes the complete text of Egypt’s Data Protection Law available in English. However, you can find further analysis of the law here.
The effect of the law is regional, limited to Egypt and businesses processing data of Egyptian citizens or Egyptian residents.