Overview of the Existing Regulations

One of the first regulations on the protection of personal data to emerge on the African continent was in Morocco in 2009, alongside those of Cape Verde and Senegal, among others, and later Benin. At that time, the GDPR (EU General Data Protection Regulation) regime did not exist in Europe, but these countries have since updated their regulations based on the GDPR adopted in 2016 and applicable since May 2018.

In general, there has been a significant acceleration in the field of personal data in Africa over the past five years. An increasing number of countries are adopting regulations, perhaps influenced by the impact that the GDPR had globally, including in China two years ago (PIPL law) and in India last year (DPDPA law).

To date, five African countries (Mauritius, Senegal, Tunisia, Cape Verde and Morocco) have signed and ratified the Council of Europe Convention 108, a major international convention on the protection of personal data. However, no African country is recognised by the European Commission as providing adequate protection according to EU criteria.

Finally, there are a few countries without any specific laws, but they constitute a minority. They are on the path to adopting regulations for the protection of personal data. Cameroon is contemplating a draft law, and the Central African Republic (CAR) also has a draft currently under review.

Another observation regarding Africa is the slow implementation of these regulations. In Algeria, for example, the law dates back to 2018 but only came into effect in August 2023, more than five years later. Similarly, in South Africa, the law dates back to 2013, but came into effect eight years later, in 2021. In Egypt, the enforcement of the law passed two years ago is subject to the adoption of a decree, which has not been published to date.

Pan-African Regulatory Initiatives

There are three very interesting pan-African initiatives. The first dates back to 2010, it is the Additional Act on the Protection of Personal Data, but it only covers the ECOWAS region. The Additional Act has established a framework to guide the various ECOWAS members in adopting national regulations.

The second is a broader initiative of the African Union with its Malabo Convention, dating back to 2014.

The two texts are quite similar, encouraging countries to promote consistent regulations to facilitate the transfer of data within the countries of the relevant group of African countries.

These texts are intended to promote consistency. The example of Europe, which lived with inconsistent regulations for years, shows that it is very challenging for businesses to develop cross-border flows and personal data processing in multiple countries when faced with different regulations in each country.

The last instrument is the model law on data protection developed by the Southern African Development Community (SADC), dating back to 2013 and adopting a slightly different approach. SADC invited its member countries to adopt the proposed model law and implement it into their domestic legal systems, but there has been little follow-up.

The prospects for effective regulation in Africa

It is crucial to move faster towards harmonisation and the coherence of regulations. They are too disparate. Today, no African country has yet achieved recognition of adequate protection by the European Commission. This would likely be a significant advancement for the continent. We know that several countries have submitted requests for recognition, but none have been successful to date. There is also a final challenge, promoting education in the field of personal data. There are many studies on personal data regulation in African countries conducted with foreign firms, which is good. However, the development of university education in personal data protection in Africa would be a tremendous catalyst. We have observed, especially in France, that university master's programmes on data protection have grown significantly over the past five or six years. Producing knowledge on these subjects helps stakeholders better understand the law, comply with it, apply it more effectively, and contribute to its evolution for improvement.