The State of Data Protection Legislation in Africa

Carlos Mureithi / May 31, 2024

Carlos Mureithi is a fellow at Tech Policy Press.

Anne Fehres and Luke Conroy & AI4Media / Better Images of AI / Data is a Mirror of Us / CC-BY 4.0

Data protection laws are gaining traction in Africa, but more work needs to be done to ensure that the laws are implemented in a manner that safeguards people’s rights, says a new policy brief by Access Now, a nonprofit that focuses on digital civil rights.

Driven by the push for digitization of services and programs, African countries are embracing data legislation to protect people in the processing and movement of data.

How many African countries have data protection laws?

So far, thirty-seven out of 54 African countries have enacted data protection laws.

There’s a continental push, too. In 2014, the African Union adopted the Convention on Cyber Security and Personal Data Protection, also known as the Malabo Convention, which requires countries to implement domestic laws for personal data protection that comply with the rights-based standards of the convention. By last year, 15 member states had ratified the agreement, giving it the minimum number required to enact it.

But the Access Now policy brief says that as some data protection laws were created to enable digitization programs, such as digital identification and social welfare programs, that has sometimes resulted in lawmakers creating legislative frameworks without adequate planning, eventually causing challenges in implementation.

The report, authored by Bridget Andere and Megan Kathure, explores issues that are critical to ensuring that data laws are implemented to protect people’s rights.

“Harmful” exemptions in data protection laws

The authors say some laws include “harmful” exemptions to protections offered by the laws, with the grounds given for most exemptions being national security or arguments on legitimate interest, often to the benefit of state agencies.

They give the example of Uganda’s Data Protection and Privacy Act, 2019, which has exemptions for collecting data for national security reasons or to avoid compromising law enforcement.

The authors note that such exemptions “can open the door to rights violations and abuse.”

“This jeopardizes peopleʼs right to privacy, which is vital for safeguarding other basic rights, such as the right to free expression, a freedom that is critically important for any functioning democracy,” they write.

They recommend that lawmakers amend data protection laws to provide for specificity on exemptions, “as overboard exemptions have proven time and again to be harmful to the people these laws govern”.

Data protection versus privacy

The authors also warn against conceptualizing data protection laws as privacy laws.

They note that the preamble to Ghana’s Data Protection Act, 2012, for instance, terms it as a law “to establish a Data Protection Commission, to protect the privacy of the individual and personal data by regulating the processing of personal information.”

But the purpose of data protection laws, they say, is “not to provide political cover or theoretical areas of retreat for individuals whose fundamental privacy rights are at risk, but to “protect individuals and groups from the specific risks of data collection and processing, addressing the structural power asymmetry between data controllers – which can include governments – and data subjects.”

Independence of data protection authorities

Another issue that the authors say is critical to ensuring the laws are implemented to protect people’s rights is making data protection authorities (DPAs) independent.

Because of structural issues and policy factors such as budgeting, many DPA’s on the continent aren't fully independent. The report observes that the budgets for most DPAs are controlled by the ministries that they are required to work under.

In Kenya, for example, the budget for the Office of the Data Protection Commissioner is under the Ministry of Information, Communications, and the Digital Economy. In Uganda, the Personal Data Protection Office budget is under the National Information Technology Authority.

“One must wonder how much independence there can be when your budget is not substantively under your control,” the authors write. “When DPAs are not independent, sufficiently resourced, or structured in a robust way, it can make them prey for bad actors seeking to exploit peopleʼs data for profit.”

Nanjira Sambuli, a Nairobi-based policy analyst, said the independence of DPAs is key because part of their job is to issue guidelines and enforce laws and regulations as they apply to governments.

The authors recommend that governments create sustainable models for independent data protection offices by amending laws to remove the control of other government agencies, and by making substantive provisions for the resourcing of DPAs.

They also recommend that more African Union member states ratify the Malabo Convention in order to strengthen accountability across the continent.

Sambuli says how African governments streamline their data protection laws through ratification of and reforming the Malabo Convention will determine how continental ambitions like the African Union Interoperability Framework for Digital ID will work, by minimizing the compliance burden for data collectors and data processors in different countries.


Carlos Mureithi
Carlos Mureithi is a journalist based in Nairobi, Kenya. His reporting interests include unexpected and unconsidered impacts of tech policies and tech adoption on societies. He has written stories on a range of subjects, including Kenya’s plan to implement a national biometric ID program and labor c...