News / Legal Brief

Data protection and privacy regulation: A roundup of developments in Africa in 2021

Dec 1,2021

Data protection, cybercrimes and/or cybersecurity laws

The increase in internet penetration in Africa has made it easier to collect, use and share large quantities of personal data; increased the volume and frequency of data theft; and highlighted the importance of data protection and privacy laws.

To date, approximately half of the 54 African countries have enacted data protection, cybercrimes and/or cybersecurity laws, with many expected to follow suit. Organisations doing business in Africa must keep track of the data protection and privacy regulatory developments in multiple countries.

In this round up, we highlight some of the noteworthy developments in data protection and privacy (including cybercrimes and cybersecurity) regulation in various African countries from January to November 2021.

New laws passed in 2021

Rwanda and Zambia passed their data protection laws this year. Zambia’s Data Protection Act, 2021 was published on 24 March 2021 and came into operation on 1 April 2021. Rwanda’s Law No. 058/2021 Relating to the Protection of Personal Data and Privacy was gazetted and came into operation on 15 October 2021.

South Africa and Zambia published cybercrimes laws. South Africa gazetted the Cybercrimes Act, 2020 on 1 June 2021, which will come into operation on a data fixed by the President by proclamation in the Gazette. Zambia published the Cyber Security and Cyber Crimes Act, 2021 on 26 March 2021, which will come into operation on the date appointed by the Minister by statutory instrument.

Laws that became operational in 2021

Botswana and South Africa took steps to operationalise their data protection laws.

In Botswana, the Data Protection Act, 2018 came into effect on 15 October 2021. Any person who processes personal data has 12 months from 15 October 2021 to ensure that their processing of personal data conforms to the provisions of this Act.

In South Africa, the Information Regulator adopted a staggered approach to operationalising the Regulations Relating to the Protection of Personal Information, 2018. In terms of the Commencement Notice published on 26 February 2021, Regulation 5 commenced on 1 March 2021, Regulation 4 on 1 May 2021, and the residual Regulations commenced on 1 July 2021.

The Information Regulator also advised, by notice on 18 June 2021, that it had determined 1 February 2022 to be the date on which responsible persons must comply with the requirement to notify the Information Regulator of processing that is subject to prior authorisation in terms of section 58(2) of the Protection of Personal Information Act, 2013.

New Regulations or Guidelines

Uganda and South Africa took additional steps to implement the data protection laws by passing Regulations and/or Guidelines.

In Uganda, the Data Protection and Privacy Regulations, 2021 were gazetted on 12 March 2021. The Regulations include various provisions necessary for the implementation of the Data Protection and Privacy Act, 2019, such as the additional functions and powers of the Data Protection Office.

In South Africa, the Information Regulator focussed on its duty to provide education. It published a series of guidelines aimed at promoting an understanding of the requirements of the Protection of Personal Information Act, 2013. The guidelines published included the following:

  • Guidelines to Develop Codes of Conduct, on 26 February 2021.
  • Standards for Making and Dealing with Complaints under the Codes of Conduct, and a Checklist to accompany the Guidelines, on 1 March 2021.
  • Guidance Note on applications for Prior Authorisation, an Invitation for applications for Prior Authorisation, as well as the Application Form for Prior Authorisation, on 11 March 2021.
  • Guidance Note on the Registration of Information Officers and Deputy Information Officers and the Application Form for the Registration of Officers, on 1 April 2021.
  • Guidance Note and Application Form on the exemptions from the conditions for lawful processing of personal information in terms of section 37 and 38 of the Protection of Personal Information Act, 2013, on 21 June 2021.
  • Guidance Note on processing of Special Personal Information and application form for authorisation to process Special Personal Information, and Guidance Note on processing of personal information of children and application form for authorisation to process Personal Information of Children, on 28 June 2021.
  • Notice regarding the procedures for Notification of a security comprise on, 22 September 2021.
  • Rules of Procedure relating to the way a complaint must be submitted and handled by the Information Regulator, on 13 October 2021.

Draft laws under consideration

Several draft laws are currently under consideration. Most countries conducted public consultations or workshops during the year to get the public’s comments on these draft laws.

In Eswatini, the Computer Crime and Cybercrime Bill 2020 and Data Protection Bill, 2020 was posted on the Government of Eswatini’s website on 10 May 2021.

In Ethiopia, the Government continued with its consideration of the draft Data Protection Proclamation, 2020, which has been under consideration since April 2020.

On 16 April 2021, Kenya gazetted the Computer Misuse and Cybercrime (Amendment) Bill, 2021, which was read for the first time in Parliament on 9 June 2021. The bill seeks to amend the Computer Misuse and Cybercrimes Act, 2018, which is being challenged at the Court of Appeal for being unconstitutional. The Bill also seeks to, among others, provide for the prohibition against the sharing of pornography through the internet.

In Malawi, the Ministry of Information is leading a Task Force to draft the data protection law for the country. The Data Protection Bill, 2021 was published in February 2021 and public workshops on the Bill were held in March 2021.

In Mauritius, the Cybersecurity and Cybercrime Bill, 2021, which seeks to repeal the  Computer Misuse and Cybercrime Act, 2003, is currently under consideration in Parliament.

In Zimbabwe, the Cyber and Data Protection Bill, 2019 was passed by Parliament in September 2021 and is awaiting presidential assent.

In Kenya, the Ministry of ICT, Innovation and Youth Affairs and Office of the Data Protection Commissioner, through a Taskforce on the development of the Data Protection Regulations, formulated three sets of Draft Regulations to actualize the Data Protection Act, 2019. On 13 April 2021, the Ministry published a Notice calling for comment on the Draft Data Protection (General) Regulations, 2021, Draft Data Protection (Registration of Data Controller and the Draft Data Processors) Regulations, 2021 and the Draft Data Protection (Compliance and Enforcement) Regulations, 2021. The deadline for comments was 27 April 2021 but was extended till 11 May 2021. Virtual public hearings on the three sets of Draft Regulations were held on 27, 28 and 29 April 2021.

The Seychelles Cybercrimes and Other Related Crimes Bill, 2021 underwent its second reading in Parliament on 10 November 2021.

In South Africa, on 15 October 2021, the Information Regulator published an Invitation for public comment on Draft Regulations which propose amendments the Regulations Relating to the Protection of Personal Information, 2018. The deadline for comments was 15 November 2021.

Other noteworthy developments

There were several other noteworthy developments this year.

On 16 June 2021, The Gambia’s Minister of Information disclosed that the bill on data protection would be brought before the national assembly before the end of 2021.

On 23 September 2021, the Ghanaian Minister of Communications and Digitalisation published a Notice on the Designation of Information Infrastructure, which designated the computer systems or computer networks of the listed sectors as critical information infrastructure. 1 October 2021, the Minister launched the Cyber Security Authority, which was established under the Cybersecurity Act 2020 to regulate cybersecurity activities, protect critical information infrastructure, provide for the development of the Computer Emergency Response Team, promote public awareness and education on cybersecurity matters, and provide for related matters in Ghana.

In Kenya, on 26 October, the Office of the Data Protection Commissioner published its Draft Strategic Plan for the 2021 to 2023 financial years and held a stakeholder consultation thereon on 27 October.

In South Africa, the Department of Justice and Constitutional Development (DOJ&CD) experienced a cyber-attack that resulted in breach of personal data held on their IT systems. On 22 September 2021, the Information Regulator, which relies on the IT systems of the DOJ&CD, published a notification of a security compromise in terms of section 22 of the Protection of Personal Information Act, 2013.

The South African Information Regulator has also received a few codes of conduct under the Protection of Personal Information Act, 2013. It published notices on codes of conduct from, among others, the Banking Association of South Africa and the Credit Bureau Association. The Information Regulator invited interested persons to make comments on these codes of conduct.

In January 2021, Niger’s High Authority for the Protection of Personal Data (HAPDP) published a list of data controllers who have appointed personal data protection correspondents and a list of data controllers who have been deemed compliant with Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data.

In Nigeria, the National Information Technology Development Agency (NITDA) issued its first sanction for violation of the Nigerian Data Protection Regulations, 2019. It fined Soko Lending Company Limited NGN 10 million after receiving a series of complaints against the company for, among others, unauthorised disclosures, failure to protect customers’ personal data and failure to carry out the requisite due diligence.

Uganda and Zambia published cyber security strategies. On 4 August 2021, the Ugandan Ministry of ICT and National Guidance published the Draft National Cyber Security Strategy for comment. On 29 September 2021, the Zambia Information and Communications Technology Authority published the National Cybersecurity Policy and Implementation Plan for 2021 to 2025.

Read more about POPIA: A Guide to the Protection of Personal Information Act of South Africa.

by Tebogo Sibidla, Director

Latest News