CHAPTER 8
African Regulations

You have little power over what's not yours.

—Zimbabwean proverb

Over the past twenty years, privacy legislation in Africa has been gaining momentum, with half the countries on the continent now having some form of data protection law either already on the books or about to be enacted. Additionally, the three main regional organizations—the African Union, the Economic Community of West African States (ECOWAS), and the Southern African Development Community (SADC)—have all published or adopted privacy and cybersecurity acts. They are strongly influenced by—you guessed it—the European General Data Protection Regulation.

As with the other regions we examined, for Africa we will look at the top three economies by GDP: Nigeria, South Africa, and Egypt. We will also look at the Economic Community of West African States (ECOWAS) privacy framework, since its member states combined are responsible for over $668 billion in GDP.

Economic Community of West African States

The Economic Community of West African States (ECOWAS) has 15 member states: Benin, Burkina Faso, Cabo Verde, Cote d'Ivoire, Gambia, Ghana, Guinea, Guinea-Bissau, Liberia, Mali, Niger, Nigeria, Senegal, Sierra Leone, and Togo. In 2010 ECOWAS passed the Supplementary Act A/SA.1/01/10 on Personal Data Protection.

Jurisdiction

ECOWAS member countries.

Background

The preamble to the act reads:

Intent and Major Provisions

The main intent of the Act is:

Moreover, the act calls for the establishment of a data protection authority:

The act sets forth several principles guiding the processing of personal data, including the Principle of Consent and Legitimacy, the Principle of Legality and Fairness, the Principle of Purpose, Relevance, and Preservation, the Principle of Accuracy, the Principle of Transparency, the Principle of Confidentiality and Security, and the Principle of Choice of Data Processor.

Of particular interest is Article 34: Prohibition of Direct Prospecting. It reads:

As you can imagine, this places quite a constraint on the poor users that the infamous “Nigerian Prince” can email within ECOWAS, so—no wonder—he has been targeting the American consumers!

In terms of individual rights, the act spells out the following: right to information, right to access, right to object, and the individual's right to rectification and destruction.

PII Definition

The act differentiates between personal and sensitive data as follows:

Inclusion Criteria

Everyone in ECOWAS jurisdictions is covered by the Act.

Exclusions

The Act excludes:

Enforcement Agency

The local (ECOWAS member) Data Protection Authorities.

Penalties

There are no explicit penalties mentioned in the act. However, under “sanctions,” the act mentions that the Data Protection Authority may provisionally or definitively withdraw the authorization of a data processor to operate, and it may issue a fine.

Complete Text

The complete text for the Act can be found at: http://www.tit.comm.ecowas.int/wp-content/uploads/2015/11/SIGNED-Data-Protection-Act.pdf.

Effect

The effect of the act is regional to the West African states, and global for any businesses operating in an ECOWAS member state that has adopted the act by creating their own state-specific privacy laws.

Nigeria

Nigeria has the greatest number of Internet users in Africa: two and a half times the number of the next closest country (Egypt) and almost four times as many as South Africa. Despite this, it struggled with the passage of a data protection law for almost ten years until 2019, when Nigeria's National Information Technology Development Agency issued the 2019 Nigeria Data Protection Regulation.

Jurisdiction

Nigeria, both citizens and residents.

Background

The Nigerian Constitution guarantees the right to privacy in Chapter 4, Article 37, which says: “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.” This protection, from a legislative perspective, is supported by several laws, the most prominent of which were the National Health Act, the National Identity Management Commission Act, the Credit Reporting Act, the Children's Right Act, and the Cybercrime Act of 2015.

Starting in 2007, the National Information Technology Development Agency (NITDA) was mandated to essentially develop data protection regulations, the result of which is the 2019 Nigeria Data Protection Regulation (NDPR).

Intent and Major Provisions

The NDPR draws heavily from the European Data Protection Regulation. It establishes data processing principles revolving around explicit consent, contractual or legal need, public interest, or critical need.

It also establishes several individual rights including the right to opt-out, the right to access their own data, the right of data transportability among controllers, the right to know how the data is used, the right of data correction and deletion, and the right to file a complaint with NITDA.

The law also requires the establishment of a Data Protection Officer who will be responsible for the data controller's compliance with NDPR.

PII Definition

The NDPR defines personal data as follows:

Note that the definition makes explicit reference to both location data and IP address.

Inclusion Criteria

Anyone dealing with the personal data of Nigerian citizens or residents, even if the citizens in question may not be current Nigeria residents.

Exclusions

There are no exclusions to the law.

Enforcement Agency

National Information Technology Development Agency (NITDA).

Penalties

The law imposes significant penalties (in addition to criminal liabilities) on violators. Specifically:

Complete Text

The complete text of the NDPR can be found at: https://nitda.gov.ng/wp-content/uploads/2019/01/Nigeria%20Data%20Protection%20Regulation.pdf.

Effect

The effect of the law is worldwide since it impacts not only businesses doing work in Nigeria and Nigerian citizens and residents but also Nigerian citizens who reside outside of Nigeria.

South Africa

Privacy legislation in South Africa is relatively recent. The Protection of Personal Information Act (PoPIA or PoPI) was passed in 2013, although it took years for it to come into effect (see below).

Jurisdiction

South Africa; all provisions expected to take full effect in 2020.

Background

The South African constitution enshrines privacy as a fundamental right in Article 14:

The Protection of Personal Information Act, with all of its 156 pages, was created to further promote the protection of personal information, to establish processing standards, to establish the office of the Information Regulator, to provide data governance direction, and to regulate the cross-border flow of data.

Intent and Major Provisions

The intent of the act is spelled out in Article 2:

Like most mature privacy laws, PoPI sets conditions for the lawful processing of personal information including accountability, suitability, scope, transparency, and safety. It also outlines in detail the rights of data subjects, listed below (edited for length):

PII Definition

PoPI defines personal information as follows:

Inclusion Criteria

The act explicitly includes both natural and legal persons in South Africa.

Exclusions

The Protection of Personal Information Act has a long list of exclusions, including instances of purely personal activities, de-identified data, national security reasons, anti-terrorism activities, and valid journalistic, literary, or artistic expression.

Enforcement Agency

The Protection of Personal Information Act is enforced by the South African Information Regulator.

Penalties

Violating the Act can result in imprisonment of up to ten years, and fines ranging between 1,000,000 and 10,000,000 Rand (approximately $66,000–$667,000).

Complete Text

The full text for PoPI can be found at: https://www.justice.gov.za/inforeg/docs/InfoRegSA-POPIA-act2013-004.pdf.

Effect

The effect of PoPI is limited to South Africa and businesses dealing with South African citizens' personal data.

Egypt

Egypt did not have a privacy law until 2017, when the first drafts of the Data Protection (draft) Law were circulated. As of June 2019, following the approval of the Egyptian Cabinet of Ministers, the Egyptian Parliament has passed the law.

Jurisdiction

Egypt.

Background

The Egyptian Data Protection Law is based heavily on the European General Data Protection Regulation, with some notable differences discussed below.

Intent and Major Provisions

Much as in the GDPR, the Egyptian law lists several data protection principles, including data collection principles for specific and legitimate uses, secure data processing, and destruction of the data following its intended use.

The law spells out several individual rights, including the right to be informed, the right to obtain a copy of your data, the right to correct the data, and the right to determine the extent of your data's use by the data controller. An individual has the right to file a complaint with the Personal Data Protection Center. Finally, much like with the GDPR, the law requires the appointment of a Data Protection Officer to ensure compliance with the law.

PII Definition

The law defines personal data almost exactly the same way as the GDPR as:

Similarly, the special data category is defined much in the same way:

Inclusion Criteria

Egyptian citizens and Egyptian residents.

Exclusions

Excluded from the law are data held by individuals for private use, data used in official statistics and legal proceedings, and data in the possession of the government.

Enforcement Agency

The law will be enforced by the newly created Personal Data Protection Center.

Penalties

The fines under the law are lower than those imposed by the GDPR but are still significant. Penalties include imprisonment and fines of up to two million Egyptian pounds (about $125,000).

Complete Text

As of this writing there is no online resource that makes the complete text available.

Effect

The effect of the law is regional, limited to Egypt and businesses processing data of Egyptian citizens or Egyptian residents.
