The African continent is determined to position itself as a key player on the global technology scene. The proliferation of data protection laws in several African countries bears witness to this ambition, even if, as the map of Africa in this issue shows, the situation varies considerably from one country to another. Currently, 45 African countries, including Nigeria, South Africa and Ivory Coast, have or are in the process of adopting data protection laws, reflecting a growing awareness among legislators of the need to put in place robust legal frameworks to protect their citizens’ data. This trend heralds imminent financial penalties for breaches of these laws. Companies must therefore be particularly vigilant and take account of these legislative developments.
FREDERIC FORSTER
VP of Lexing® network and Head of the Industries & IT, Telecoms and Banking Services division of Lexing Alain Bensoussan-Avocats
This map of Africa, prepared by Lexing South Africa, shows you which countries have a data protection law or bill.
© Michalsons 1989 – 2024. All rights reserved.
LISA EMMA–IWUOHA
ZWAKELE MBANJWA
WANDILE MPISI
JOHN GILES
For many years, Belgium has enjoyed a special relationship with a number of African countries, in particular the Democratic Republic of Congo and Rwanda.
Bilateral relations between Belgium and Rwanda are multifaceted. There is an ongoing dialogue between the two countries, as well as economic cooperation, which allows for investments, knowledge transfer, etc. (1)
A large amount of personal data is therefore transferred between Belgium and Rwanda. It is appropriate to examine how these data transfers work in practice.
In Europe, the processing of personal data has been strictly regulated for about thirty years, and even more so since the entry into force of the GDPR.
In Africa, such processing has also been regulated, especially since the adoption of the African Union Convention on Cybersecurity and the Protection of Personal Data in Malabo on 27 June 2014.
More specifically, Rwanda has transposed this Convention into the Law of 13 October 2021 on the Protection of Personal Data and Privacy (2). This law entered into force on 15 October 2021 and all data controllers/sub-processors must comply with it as of 15 October 2023.
It should be noted that this law, like the GDPR, is exported outside the borders of Rwanda. It applies to data controllers, processors or third parties who are neither established nor resident in Rwanda, but who process the personal data of data subjects resident in Rwanda.
In general, the law contains rights and obligations comparable to those of the GDPR. However, in some respects, this law is more demanding than the GDPR itself.
Specifically, with regard to data transfers, Rwanda is not recognised as a country providing an adequate level of protection under Article 46 of the GDPR. However, this article provides other ways to carry out a data transfer: the controller or processor must provide appropriate safeguards and data subjects must have enforceable rights and effective legal remedies.
These appropriate safeguards can be provided, in particular, by standard data protection clauses made available by the European Commission, binding corporate rules, a code of conduct, etc.
The Data Protection Law of Rwanda imposes the following requirements on the transfer of personal data to a third country:
- The controller or processor may carry out such transfer in a number of cases listed in the law, including with the consent of the data subject or with the authorisation of the supervisory authority, after providing appropriate safeguards. In this regard, the supervisory authority may issue a regulation specifying another reason for the disclosure and transfer of personal data outside Rwanda to a third party;
- The controller or processor who authorises a person to obtain, share and transfer personal data to a third party outside Rwanda shall also enter into a written contract with that person defining the roles and responsibilities of each party to ensure compliance with the provisions of the Law. The Supervisory Authority may, by regulation, specify the format of the contract to be used for the transfer of personal data outside Rwanda;
- The controller or processor shall store personal data in Rwanda. However, storage outside Rwanda is permitted if the controller or processor holds a certificate of registration issued by the supervisory authority expressly authorising it to do so.
Controllers and processors should therefore be aware of these different obligations when transferring data between Belgium and Rwanda in the future.
(1) https://www.rwandainbelgium.gov.rw/1/le-rwanda-en-belgique.
(2) Law n° 058/2021 of 13 October 2021, available at: https://cyber.gov.rw/index.php?eID=dumpFile&t=f&f=229&token=742569646abebc43d1ad81e3d3bee2f4f11f9639.
ELENA CAES
Introduction
Egypt is a milestone country in both Africa and the Middle East; hence any law issued in Egypt has repercussions in many Arab and African countries. This arises from the fact that Egyptian lawmakers have played a prominent role in law-making processes in many Arab and African countries.
Data is protected under many laws in Egypt, starting from the penal code of 1936, whose article n. 309 II imposed one year of imprisonment on any person who violated the personal privacy of others without permission; this includes recording or transferring any conversations that occurred in a private place, recording phone calls, as well as taking photos of others in private places without permission. (1)
Anti-Cyber-Crime Act 2018
In 2018, the Egyptian parliament issued Law n. 175/2018 on “Anti-cyber-crimes”. This law defines data as “Everything that can be constructed, stored, processed, re-created, transferred, shared or copied by any IT method, like numbers, codes, letters, symbols, signs, photos, voices and all other similar things”. (2)
Articles 25 and 26 of that law impose heavy penalties on both individuals and corporations who violate the privacy of others, use the data of others in any pornographic content, or endanger the life or honor of others.
Personal Data Protection Act 2020
In 2020, the Egyptian parliament issued the “Personal Data Protection” Law n. 151/2020, which defines personal data as “Any data related to a defined natural person or someone who can be defined directly or indirectly through analysing or connecting data or any other data like names, voices, photos, IDs, electronic IDs, or any data that can define the psychiatric, economic, cultural, social or health identity of a person”.
This law also imposes penalties for violating personal data protection without permission either from the owner of the data or from the competent state authorities. (3)
Moving forward
In conclusion, today, in the world of data, data is fully connected with lives of persons and their security as well as their bank accounts. Moreover, data protection is highly connected with practicing public rights and freedom safely.
Thus, to guarantee that data is fully protected, we have to ensure the level of the rule of law in the country concerned as well as judicial independence. It has been said that laws are ink on paper if they are not effectively and efficiently applied.
(1) The Penal Code Act of 1936
(2) The Anti Cyber-Crime Act of 2018
(3) The Personal Data Protection Act of 2020
MOHAMED HASSANEIN
By law dated 18 February 2009, referenced under no. 09-08, Morocco adopted a legal framework governing the protection of personal data, including all functions, uses or implications that may arise from the processing of personal data, through the establishment of mechanisms for the protection of personal data, the introduction of mechanisms for identifying the nature of the data, and the limitation of processing to the declared purpose.
However, the fact remains that the systems put in place are being challenged by the constant and accelerating evolution of the digital world.
The provisions of Law 09-08 are based on the following principles:
A) Definition of personal data and rights granted to data subjects
i) Personal data
Personal data includes any information of any kind, regardless of medium, including sound and image, relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to a specific feature of that person’s physical, physiological, genetic, mental, economic, cultural or social identity.
The data collected includes that which requires prior authorization before it is collected by the parties involved, given its sensitive nature, or which is subject to such prior formality by legal provision. This includes data revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of the data subject, or data relating to the data subject’s health, including genetic data.
It should be noted that there are obvious exceptions to this principle, in particular for processing carried out by an association or any other non-profit-making group of a religious, philosophical, political, trade union, cultural or sporting nature.
ii) Rights granted to data subjects
Data subjects whose data are processed have the right to be informed at the time of collection, for exercising the rights granted by the legal provisions in force, namely the right of access, the right of rectification and the right to object:
- right to information: the right to information translates into an obligation, prior to the collection of data, to inform the data subject of the necessary information to identify the data controller and the mechanisms put in place to exercise the rights granted by law in respect of his or her data. However, this right is subject to a limitation relating to information concerning the national security of the State, or information for statistical, journalistic or artistic purposes.
- right of access: The data subject has the right to obtain, at reasonable intervals, without delay and free of charge, confirmation of the purpose of the processing and of the mechanisms used for the automated processing of the data.
- right to rectification: The data subject, providing proof of identity, has the right to obtain from the controller the updating, rectification, erasure or blocking of personal data the processing of which does not comply with the law, in particular because of the incomplete or inaccurate nature of such data;
- right to object: the data subject has the right to object, on legitimate grounds, to data relating to him or her being processed. The data subject shall have the right to object, free of charge, to data relating to him or her being used for the purposes of canvassing, in particular commercial canvassing, by the current controller or the controller of a subsequent processing operation.
Contrary to the provisions of the GDPR, Moroccan law clearly and expressly prohibits direct prospecting, whether by means of an automatic device, a call, a fax or an e-mail, or by any means employing technology of the same kind which uses, in any form whatsoever, the contact details of a natural person who has not expressed his or her prior consent to receiving direct canvassing by this means.
It should be noted that the right to digital oblivion, known as the “right to erasure”, as provided for in Article 17 of the GDPR, does not appear as a right granted to the data subject. Under Moroccan law, the deletion of data must be automatically limited by the retention period, depending on the declared or authorized purpose of the data controller.
B) Procedures to be obtained from the control body
Personal data may only be processed once the express and unambiguous consent of the person concerned has been obtained for the planned operation.
Processing is conditioned by the purpose directly linked to the duties of the data controller.
On the principle that exceptio probat regulam in casibus non exceptis, Moroccan law does not require express consent in the following cases:
- a) compliance with a legal obligation to which the data subject or data controller is subject;
- b) the performance of a contract to which the data subject is a party or the performance of pre-contractual measures taken at the data subject’s request (e.g. employment contract);
- c) to safeguard the vital interests of the data subject, if he or she is physically or legally incapable of giving consent;
- d) the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or the third party to whom the data is disclosed; or
- e) the fulfilment of a legitimate interest pursued by the controller or by the recipient, provided that the interests or fundamental rights and freedoms of the data subject are not thereby prejudiced.
Any party collecting the data is responsible for it. They must follow a specific procedure depending on the nature of the data collected. Prior authorization is required for sensitive data, otherwise a simple prior declaration is sufficient.
Prior authorization is required in the following cases:
- sensitive data;
- where data processing is essential for the performance of the legal or statutory duties of the data controller.
It is also required in the event of data being transferred to a foreign country that does not have the level of security required by the controlling entity. To this end, the CNDP (National Data Protection Commission) has issued deliberation no. 236-2015, listing the countries that meet Moroccan legal requirements.
It should be noted that the retention period must be proportional to the purpose for which the data is collected. The purpose is determined by the duties of the data controller and the latter’s processing needs.
C) The actors, their role and their limits
The collection and processing of data involves a number of parties, each with their own functions, powers and limitations. These include:
- the data subject: when data is collected, the person’s consent remains an indispensable condition. Unlike the GDPR, which only requires consent to be obtained, consent is still required, without which the CNDP’s declaration or authorization procedures would be rejected.
- the data controller: As defined by law, the data controller is the natural or legal person, public authority, department or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. It follows from this definition that responsibility for the processing is assumed by the person who collects and processes the data, either directly or through an intermediary, by virtue of a sub-processing contract. The choice of processor is subject to the condition that the latter provides sufficient guarantees with regard to the technical and organizational security measures relating to the processing envisaged.
- the National Data Protection Commission: the Commission Nationale de Protection des Données Personnelles (CNDP) is the official body responsible for ensuring respect for privacy and protecting citizens’ personal data. In addition to its supervisory and control role, it has the following attributions:
- authorization and supervision: the CNDP authorizes the processing of sensitive data and supervises compliance.
- receipt of complaints: It receives and processes complaints from citizens on the protection of their personal data.
- consultations and opinions: The Commission may be consulted by public or private authorities for opinions on the protection of personal data, which are reflected in its deliberations;
- international cooperation: The CNDP cooperates with international organizations to harmonize data protection standards.
- As a consequence of its control role, it has the power to impose pecuniary sanctions fixed in advance by law, ranging from 10,000 MAD to 300,000 MAD depending on the nature of the non-compliance and its seriousness.
- The penalties are increased to prison sentences depending on the offence committed. In this case, the CNDP prepares a report of the violation and transmits it to the prosecutor.
- A draft amendment to the law, in particular the composition of the commission and its powers, was presented in February 2023, in order to provide the commission with a more efficient mechanism and broader powers with the aim of giving it a more independent and more representative status.
Moving forward
Although Morocco has a legal arsenal that makes it possible to guarantee a certain level of personal data security, there are a number of aspects that need to be brought into line with European resolutions on the matter.
As regards the actors, Moroccan law does not provide for specific roles as is the case for data management professionals and officers (such as DPOs – Data Protection Officers) as defined by the GDPR.
In addition, the law must continuously adapt to rapid technological developments. Emerging technologies, such as the Internet of Things (IoT), artificial intelligence (AI) and big data, pose new data protection challenges that may not be fully covered by current legislation.
Moreover, the rights granted to data subjects under Moroccan law are not as comprehensive as those under the GDPR, and are still limited to access, rectification or objection.
In particular, there is no right to restrict processing, and no provision provides a remedy in case the controller fails to comply with the stated purpose, thus preventing him or her from restricting the processing of the data.
AMAL AZAROUR
Nigeria’s data protection landscape is evolving, marked by the significant legislative update with the enactment of the Nigeria Data Protection Act (NDPA) (1) in June 2023. This Act applies concurrently with the earlier Nigeria Data Protection Regulation (NDPR) of 2019, providing a more robust framework for data protection in Nigeria. The NDPA enhances data protection rights and establishes the Nigerian Data Protection Commission (NDPC) to oversee data protection enforcement under the NDPA and NDPR.
Scope of the law
The NDPA and NDPR apply to the processing of personal data of individuals residing in Nigeria, regardless of the location of the data controller. This includes both automated and manual data processing by public and private organisations.
Other laws
In addition to the NDPA, several other laws and regulations complement Nigeria’s data protection framework:
- The Credit Reporting Act 2017: The Credit Reporting Act 2017 provides a legal framework for credit reporting, licensing and regulation of credit bureaux in Nigeria. In protecting the credit information (2) of a data subject, the Credit Reporting Act provides, for example, that a credit bureau shall not include information relating to race, ethnicity, religion or political affiliation either in its data format or in the credit report or any other report or feedback that it provides to credit information users (3). A credit information user (4) is obligated by the Credit Reporting Act to protect the integrity and confidentiality of information obtained on the data subject (5).
- Cybercrimes Act (2015): Addresses cybercrimes and includes provisions for data privacy and lawful interception.
- Freedom of Information Act 2011 (FoIA): Provides a statutory right of access to information in the custody of a public institution. However, a public institution is authorized by the FoIA to deny an application for the disclosure of information that contains personal information (6).
- The National Identity Management Commission Act 2007 (the NIMC Act): The NIMC Act established the national identity database and the National Identity Management Commission (NIMC) charged with responsibilities of maintaining the national database, the registration of individuals and issuance of general multipurpose identity cards. The NIMC Act protects access to information contained in the national identity database.
- The Nigerian Communications Act 2003 (NCA): The NCA applies only to the communications sector and to holders of a communications license. In protecting the personal information of users of telecommunications services, section 106 of the NCA requires that the individual consumer code prepared by holders of a communications license for the approval of the Commission must amongst other things include model procedures for the protection of customer information.
Key principles
The NDPA upholds core principles aligned with global data protection standards:
- Lawfulness, fairness, and transparency: Personal data processing must be legal, fair, and transparent.
- Purpose limitation: Data should be collected for specified, explicit, and legitimate purposes.
- Data minimization: Only the necessary data for stated purposes should be collected.
- Accuracy: Personal data must be accurate and kept up-to-date.
- Storage limitation: Data should be retained only as long as necessary.
- Integrity and confidentiality: Data processing must ensure appropriate security against unauthorized access, unlawful processing, accidental loss, destruction, or damage.
- Accountability: Data controllers are responsible for demonstrating compliance with these principles.
Registration and compliance
Organisations determined by the NDPC to be data controllers or data processors of major importance are to be registered and have an appointed data protection officer (DPO). In addition, under the NDPR, which was preserved by the NDPA, data controllers and processors are required to file the audit report on an annual basis. Only licensed Data Protection Compliance Organisations (DPCOs) can aid in ensuring ongoing compliance by registering data controllers/processors and filing the audit report on their behalf.
Cross-border data transfers
The NDPA regulates the transfer of personal data outside Nigeria, allowing transfers only to countries that provide an adequate level of protection as determined by the NDPC (7). In the absence of adequate protection, transfers can occur with the data subject’s consent or under specific conditions, such as contractual necessity, public interest, legal claims, or vital interests. The National Assembly must approve the adoption of any international data transfer standards.
Penalties
The NDPC can impose significant fines and other enforcement actions for violations of the NDPA. Fines for data controllers of major importance can reach up to ₦10 million or 2% of annual gross revenue, whichever is higher. For other data controllers, fines can be up to ₦2 million or 2% of annual gross revenue, whichever is higher.
National authority
The NDPC, established under the NDPA, is the primary authority overseeing data protection. The NDPC’s responsibilities include:
- Ensuring compliance with the NDPA.
- Promoting data protection awareness.
- Enforcing data protection laws.
- Issuing penalties for non-compliance.
Sector-specific regulators, like the Central Bank of Nigeria (CBN) for financial data and the Nigerian Communications Commission (NCC) for telecommunications data, also play roles in enforcing data protection within their sectors.
Moving forward
Nigeria’s data protection landscape is solidifying with the NDPA, which strengthens individual rights and establishes a dedicated enforcement body. This act underscores Nigeria’s commitment to protecting the privacy of its citizens in the digital age, balancing the free flow of information with the safeguarding of personal data. By understanding and adhering to these key aspects of Nigeria’s data protection framework, organizations can navigate the legal requirements, protect individuals’ rights, and build trust with their Nigerian customers and partners.
CHUKWUYERE IZUOGU
Introduction
South Africa enacted the Protection of Personal Information Act (POPIA) in July 2020, with a one-year grace period for compliance ending in July 2021. The law stems from the constitutional right to privacy that everyone is afforded. The Information Regulator is the independent body established to enforce the POPIA.
Scope of the law
The South African POPIA applies to the processing of personal information by responsible parties, including individuals or legal entities within South Africa. It also applies to those outside the country who process the personal information of South African citizens.
Key principles of POPIA
- Accountability. The responsible party must be accountable for complying with POPIA’s requirements. This includes appointing an information officer.
- Processing limitation. Personal information must be processed lawfully, with the minimum amount of information necessary for a specific purpose related to the responsible party’s activity.
- Purpose specification. The purpose for collecting, using, and retaining personal information must be specific, explicitly defined, and legitimate.
- Further processing limitation. Further processing of personal information must be compatible with the original purpose of collection.
- Information quality. Personal information must be accurate, complete, and up-to-date.
- Openness. The responsible party must be transparent about how it collects, uses, and discloses personal information. Individuals must be informed when their data is collected.
- Security safeguards. The responsible party must implement appropriate security measures to protect personal information from loss, unauthorised access, damage, destruction, or disclosure.
- Data subject participation. Individuals have the right to access and rectify their personal information, object to processing, and request its deletion in certain circumstances.
Registration of information officers
All public and private bodies processing personal information must register their Information Officers with the Information Regulator. The deadline for registration was initially set for 31 March 2021 but has been extended to 1 February 2022.
Cross-border data transfers
The transfer of personal information outside of South Africa is permitted, but with stringent conditions. The recipient country must have adequate data protection laws in place, or the data subject must provide consent for the transfer. Alternatively, the transfer must be necessary for the performance of a contract or in the public interest.
Moving forward
Compliance with POPIA is crucial for operating in the South African market. After registering Information Officers, it is strongly advisable to maintain compliance momentum by implementing post-registration measures such as Data Protection Policies, Data Retention Policies, conducting Data Protection Impact Assessments (DPIAs), and other compliance measures.
(1) The Protection of Personal Information Act 4 of 2013. Available at: https://popia.co.za/
WANDILE MPISI

