Several countries across the African continent are swiftly enacting data protection laws. In 2022, we saw a sharp increase in the number of data protection laws in Africa. Any new law creates new compliance obligations, including penalties for non-compliance. That’s why it is essential for organisations that have a presence or customers in Africa to understand what laws apply to them. Many organisations do business (or use the cloud) in many countries, including Africa. This means that they transfer personal information across the borders of various African countries. Personal information is often transferred from an African country to the EU, UK, the US, Australia or elsewhere. It also means personal information is often transferred from the EU, UK, the US, Australia, or elsewhere to an African country. This raises various issues.

  • Can personal information be transferred to a specific country without taking additional steps? Does the country have laws that provide an adequate level of protection?
  • What are the data privacy laws of the African country? Do they restrict personal information from being transferred out of the country once it has gone there?
  • Does the law prohibit (or restrict) a responsible party (or data controller) from using an operator (or data processor) in that African country?
  • Are any requirements imposed on an operator (or data processor)?
  • What are the legal requirements for transferring personal information from that African country?

We have reviewed the data protection laws of many African countries. We can provide you with summaries of them with the relevant source documents. Our report also contains a list of key questions and answers about various topics concerning privacy and data protection for a particular African country.

Why is it important?

  • You will be able to know the specific requirements in each country – the laws in different countries vary, and there are criminal and civil sanctions for violations.
  • Your organisation’s global or regional data protection compliance programme must consider the laws that apply in the countries where they process personal data.

Which African countries?

We have drafted many reports on different countries in Africa and the rest of the world. If you would like a report on the data protection laws for any country, please ask us for a quote.

What is in the report and the matrix?

For each country, we set out:

  1. The law, including its effective date and territoriality
  2. The regulator or authority
  3. The data principles
  4. The legal basis for processing
  5. Specific requirements for processing (if any)
  6. Registration requirements (if any)
  7. The obligations of controllers and processors
  8. Documentation requirements such as doing a record of processing activities (ROPA)
  9. Assessment requirements such as doing data protection impact assessment
  10. Requirements for the lawful transfer of personal data
  11. Breach notification obligations
  12. Direct marketing obligations

The matrix gives you a bird’s eye view of the report for a selection of countries.

How can we help you with the Data Protection Laws of Africa?

We can:

  • Provide you with a high-level overview of specific African countries.
  • Provide you with a report on specific African countries.
  • Provide you with a matrix on the data protection laws for specific African countries.
  • Advise you on using the cloud in these countries.
  • Answer your specific questions about data protection laws for specific African countries.