Over the past twenty years, privacy legislation in Africa has been gaining momentum, with half the countries in the continent now having some form of data protection laws either already on the books or about to be enacted. Additionally, the three main regional organizations—the African Union, the Economic Community of West African States (ECOWAS), and the Southern African Development Community (SADC)—have all published or adopted privacy and cybersecurity acts. They are strongly influenced by—you guessed it—the European General Data Protection Regulation.
As with the other regions we examined, for Africa we will look at the top three African economies by GDP: Nigeria, South Africa, and Egypt. We will also look at the Economic Community of West African States (ECOWAS) privacy framework, since its member states combined account for over $668 billion in GDP.
Economic Community of West African States
The Economic Community of West African States (ECOWAS) has 15 member states: Benin, Burkina Faso, Cabo Verde, Cote d'Ivoire, Gambia, Ghana, Guinea, Guinea-Bissau, Liberia, Mali, Niger, Nigeria, Senegal, Sierra Leone, and Togo. In 2010 ECOWAS passed the Supplementary Act A/SA.1/01/10 on Personal Data Protection.
Jurisdiction
ECOWAS member countries.
Background
The preamble to the act reads:
Intent and Major Provisions
The main intent of the Act is:
Moreover, the act calls for the establishment of a data protection authority:
The act sets forth several principles guiding the processing of personal data, including the Principle of Consent and Legitimacy, the Principle of Legality and Fairness, the Principle of Purpose, Relevance, and Preservation, the Principle of Accuracy, the Principle of Transparency, the Principle of Confidentiality and Security, and the Principle of Choice of Data Processor.
Of particular interest is Article 34: Prohibition of Direct Prospecting. It reads:
As you can imagine, this places quite a constraint on the poor users that the infamous “Nigerian Prince” can email within ECOWAS, so—no wonder—he has been targeting the American consumers!
In terms of individual rights, the act spells out the following: right to information, right to access, right to object, and the individual's right to rectification and destruction.
PII Definition
The act differentiates between personal and sensitive data as follows:
Inclusion Criteria
Everyone in ECOWAS jurisdictions is covered by the Act.
Exclusions
The Act excludes:
Enforcement Agency
The local (ECOWAS member) Data Protection Authorities.
Penalties
There are no explicit penalties mentioned in the act. However, under “sanctions,” the act mentions that the Data Protection Authority may provisionally or definitively withdraw the authorization of a data processor to operate, and it may issue a fine.
The effect of the act is regional across the West African states, and global for any business operating in an ECOWAS member state that has adopted the act by enacting its own state-specific privacy law.
Nigeria
Nigeria has the greatest number of Internet users in Africa: two and a half times the number of the next closest country (Egypt) and almost four times as many as South Africa. Despite this, it struggled for almost ten years to pass a data protection law, until 2019, when Nigeria's National Information Technology Development Agency issued the 2019 Nigeria Data Protection Regulation.
Jurisdiction
Nigeria, both citizens and residents.
Background
The Nigerian Constitution guarantees the right to privacy in Chapter 4, Article 37, which says: “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.” This protection, from a legislative perspective, is supported by several laws, the most prominent of which were the National Health Act, the National Identity Management Commission Act, the Credit Reporting Act, the Children's Right Act, and the Cybercrime Act of 2015.
Starting in 2007, the National Information Technology Development Agency (NITDA) was, in essence, mandated to develop data protection regulations, the result of which is the 2019 Nigeria Data Protection Regulation (NDPR).
Intent and Major Provisions
The NDPR draws heavily from the European Data Protection Regulation. It establishes data processing principles revolving around explicit consent, contractual or legal need, public interest, or critical need.
It also establishes several individual rights including the right to opt-out, the right to access their own data, the right of data transportability among controllers, the right to know how the data is used, the right of data correction and deletion, and the right to file a complaint with NITDA.
The law also requires the establishment of a Data Protection Officer who will be responsible for the data controller's compliance with NDPR.
PII Definition
The NDPR defines personal data as follows:
Note that the definition makes explicit reference to both location data and IP address.
Inclusion Criteria
Anyone dealing with the personal data of Nigerian citizens or residents, even if the citizens in question are not currently resident in Nigeria.
Exclusions
There are no exclusions to the law.
Enforcement Agency
National Information Technology Development Agency (NITDA).
Penalties
The law imposes significant penalties (in addition to criminal liabilities) to violators. Specifically:
The effect of the law is worldwide, since it reaches not only businesses operating in Nigeria and Nigerian citizens and residents, but also Nigerian citizens who reside outside of Nigeria.
South Africa
Privacy legislation in South Africa is relatively recent. The Protection of Personal Information Act (PoPIA or PoPI) was passed in 2013, although it took years for it to come into effect (see below).
Jurisdiction
South Africa; all provisions expected to take full effect in 2020.
Background
The South African constitution enshrines privacy as a fundamental right in Article 14:
The Protection of Personal Information Act, with all of its 156 pages, was created to further promote the protection of personal information, to establish processing standards, to establish the office of the Information Regulator, to provide data governance direction, and to regulate the cross-border flow of data.
Intent and Major Provisions
The intent of the act is spelled out in Article 2:
Like most mature privacy laws, PoPI sets conditions for the lawful processing of personal information including accountability, suitability, scope, transparency, and safety. It also outlines in detail the rights of data subjects, listed below (edited for length):
PII Definition
PoPI defines personal information as follows:
Inclusion Criteria
The act explicitly includes both natural and legal persons in South Africa.
Exclusions
The Protection of Personal Information Act has a long list of exclusions, including instances of purely personal activities, de-identified data, national security reasons, anti-terrorism activities, and valid journalistic, literary, or artistic expression.
Enforcement Agency
The Protection of Personal Information Act is enforced by the South African Information Regulator.
Penalties
Violating the Act can result in imprisonment of up to ten years, and fines ranging between 1,000,000 and 10,000,000 Rand (approximately $66,000–$667,000).
The effect of PoPI is limited to South Africa and businesses dealing with South African citizens' personal data.
Egypt
Egypt did not have a privacy law until 2017, when the first drafts of the Data Protection Law were circulated. As of June 2019, following approval by the Egyptian Cabinet of Ministers, the Egyptian Parliament has passed the law.
Jurisdiction
Egypt.
Background
The Egyptian Data Protection Law is based heavily on the European General Data Protection Regulation, with some notable differences discussed below.
Intent and Major Provisions
Much as in the GDPR, the Egyptian law lists several data protection principles, including data collection principles for specific and legitimate uses, secure data processing, and destruction of the data following its intended use.
The law spells out several individual rights, including the right to be informed, the right to obtain a copy of your data, the right to correct the data, and the right to determine the extent of your data's use by the data controller. An individual has the right to file a complaint with the Personal Data Protection Center. Finally, much like the GDPR, the law requires the appointment of a Data Protection Officer to ensure compliance with the law.
PII Definition
The law defines personal data almost exactly the same way as the GDPR as:
Similarly, the special data category is defined much in the same way:
Inclusion Criteria
Egyptian citizens and Egyptian residents.
Exclusions
Excluded from the law are data held by individuals for private use, data used in official statistics and legal proceedings, and data in the possession of the government.
Enforcement Agency
The law will be enforced by the newly created Personal Data Protection Center.
Penalties
The penalties under the law are lighter than those imposed by the GDPR but are still significant: they include imprisonment and fines of up to two million Egyptian pounds (about $125,000).
Complete Text
As of this writing there is no online resource that makes the complete text available.
Effect
The effect of the law is regional, limited to Egypt and businesses processing data of Egyptian citizens or Egyptian residents.