Navigating Africa’s data privacy frontier

While the regulatory framework is currently fragmented, Africa holds a lot of untapped potential.

The rise of data protection laws in Africa has been slow and steady over the past decade. UNCTAD reports that 76% of countries in Africa have enacted privacy and data protection laws. While the rise in mobile penetration rates has contributed to the rapid digitization of the economy in Africa, studies show limited awareness of data privacy laws. In the wake of increased digital participation, regulatory enforcement is generally lagging, a situation that compromises consumer protection and digital trust.

A number of countries have taken steps toward formalizing a privacy and data protection legal framework, though implementation has been gradual. This slow-paced approach is reflective of, and aligned with, the ratification of the African Union Convention on Cyber Security and Personal Data Protection, commonly referred to as the Malabo Convention. The Convention was adopted in 2014 but only entered into force nearly a decade later in 2023. It requires member states to implement a regulatory framework on cybersecurity and personal data protection and aims to create a pan-African legal framework for cybersecurity, personal data protection, and electronic transactions.

One of its main objectives is to harmonize data protection laws, establishing trust and legal certainty as the foundational basis for Africa’s digital economy. The principles in the Convention resonate with the EU GDPR, and the evident alignment of the African laws underscores the important standard-setting role of the EU GDPR.

Additional model laws and data agreements have been developed within the Regional Economic Communities (RECs), which have also shaped the evolution of national laws to varying degrees.

Enforcement realities

While privacy and data protection laws now exist for 41 out of 54 African countries, meaningful enforcement is currently a major challenge. Many African data privacy laws present a moderately regulated environment for businesses, leading to a less demanding regulatory burden. However, this limited enforcement poses a substantial risk to consumer protection. While DPAs are authorized to ensure compliance, key obstacles persist: insufficient regulatory resources, low public awareness, and a lack of independent functionality.

A 2023 study in select African countries highlights the common challenge of limited capacity for enforcement due to financial and technical resource constraints. This buttresses the findings from earlier reports by Internews and Privacy International, which showed that funding constraints in the Global South limit Data Protection Authorities’ (DPAs) capacity for investigations, enforcement, and public awareness campaigns.

The majority of DPAs in Africa face financial challenges because they do not have independent budgets. Given that the establishment of DPAs in Africa is still in its initial phases, the funding challenge will likely persist, with newly established DPAs typically facing a more acute challenge of underfunding. The need for appropriate funding mechanisms requires serious attention.

In Ghana, for example, the data privacy law has been in place since 2012; however, underfunding remains a major contributor to the current compliance gap. DPAs across Africa are turning to alternative sources of funding, such as registration and filing fees, enforcement penalties, and forging partnerships. Without appropriate budgets, and with a reliance on alternative sources to fund their activity, DPAs may be hindered in their ability to carry out their mandates efficiently.

Limited awareness has been flagged as a key constraint to the implementation of data privacy laws. Addressing this issue requires concerted efforts on the part of all stakeholders, led by the government. This has, however, not been the case. Most African governments have not prioritised data privacy. Consequently, the DPAs tend to limit their function to the registration of data controllers rather than investigations or mass awareness campaigns. A study assessing the compliance of government departments and agencies with Nigeria’s Data Protection Regulation identified a lack of awareness as a major barrier to compliance.

The issue with a lack of awareness among citizens is that it limits their ability to enforce their rights, a situation that is prone to exploitation. A study on African agricultural producers who use digital tools to collect large amounts of data has found that awareness of data protection issues among the producers is low.

The issue of independence is one that many countries grapple with in the Global South. The DPAs are in some way connected to the executive arm of government, or receive funding from the government, while at the same time being tasked with ensuring that government entities and political parties comply with the law. This lack of independence of DPAs has rightfully been flagged as a hindrance to their ability to implement data privacy compliance effectively.

The independence of most African DPAs is compromised by the involvement of the executive arm of government in the appointment of DPA leadership. In most African countries, DPA commissioners serve at the pleasure of the President or the legislature. This excessive government influence limits the DPA’s ability to enforce data protection laws, which is compounded by the lack of an independent budget to carry out enforcement activities effectively. Based on established methods of assessing the independence of DPAs, Kenya has been shown to have an independent DPA, which is independently structured, meaning that it does not exist within or receive instructions from another public body.

The independence of the DPA is a critical piece in ensuring that enforcement mechanisms hold entities accountable for data privacy violations. For most African governments, this circles back to the need to foster a strong political will to implement data privacy.

Cross-border challenges

Africa’s rapidly evolving e-commerce landscape has been shaped by an unprecedented increase in migration and trade, causing a surge in electronic transactions. Africa’s digital service exports have also grown (from $9 billion in 2005 to $33 billion in 2022), far exceeding the growth rates of more traditional exports. This growth correlates with the increase in internet access across the continent.

The African Continental Free Trade Agreement (AfCFTA) is an ambitious continent-wide free trade agreement aimed at creating a single market to increase intra-African trade, attract investment, and enhance the continent’s competitiveness in global markets. The AfCFTA Protocol on Digital Trade was adopted in February 2024 and presents an opportunity for leveraging the single market to increase seamless cross-border trade. Further rules are under negotiation to implement the Protocol.

One of the objectives of Africa’s Digital Transformation Strategy (2020-2030) is to promote open standards and interoperability for a cross-border trust framework, personal data protection, and privacy. The Strategy calls for harmonisation of policies, legislation, and regulations related to digital networks and services, intra-Africa trade, intra-investment, and capital flows. While the policy and legal framing require harmonization, the progress will likely be slow as countries have varying requirements for cross-border data transfers. In the meantime, the pace at which e-commerce is moving is not likely to slow down. Consequently, the differing approaches may act as a barrier to trade.

CIPESA reports that countries have specified different types of data that cannot be exported without authorization. Kenya has specified all public data. Nigeria requires authorization for all government data, subscriber and consumer data, while Zimbabwe, Malawi, and Tunisia cite “personal information”. Sierra Leone prohibits the cross-border transfer of subscribers’ registration information without approval by the National Telecommunications Commission. Morocco requires companies and organizations operating in sectors of “activity of vital importance” and using data deemed sensitive to host their infrastructure and digital databases locally.

While many African countries are adopting data protection frameworks aligned with international standards, challenges persist in harmonization across jurisdictions.

Emerging tech

The lack of specific provisions for AI and emerging technologies in African data protection laws creates significant risks and challenges for consumers across the continent. While general data protection principles like consent, purpose limitation, and data minimisation offer a foundational safeguard, they fall short when addressing the unique risks posed by emerging technologies such as AI.

The gap in regulation directly impacts African citizens’ interaction with AI-powered systems. Meanwhile, African governments have shown no motivation to regulate emerging technologies such as AI, even as the same governments have adopted the use of AI-powered security technologies, such as facial recognition technology, predictive policing, and surveillance analytics.

Looking forward

The challenges facing Africa in enforcing data privacy compliance are likely to ease as more concerted efforts are made to respond to AI and an increase in electronic transactions. While the regulatory framework is currently fragmented, Africa holds a lot of untapped potential. As such, implementing EU GDPR-type protections would help organizations stay compliant when dealing with data privacy matters in Africa, as weak enforcement does not necessarily mean low risk.

Given the various elements in the regulatory landscape, the EU GDPR approach would help organizations stay compliant while pre-empting future regulatory shocks.

Kuda Hove has an interest in the protection and promotion of digital rights in low-income countries. Bridget Mafusire is a legal expert with extensive experience in African regulatory and governance frameworks, and in promoting digital rights.