How the European Union’s General Data Protection Regulations influenced data privacy law in Africa

The European Union’s (EU) General Data Protection Regulations (GDPR) are considered to be a global standard for the protection of personal information. Across Africa, many existing data security and protection laws were modelled on the regulations of the EU’s first data privacy legislation – the EU Data Protection Directive (1995), which preceded the GDPR. Current data protection law in Africa is therefore largely similar to the GDPR, although there are also some significant differences. Businesses with operations in Africa that are already GDPR compliant will find that this is a good first step, with local expertise also essential to ensure compliance with jurisdiction-specific differences in the laws and regulations.

Enid Baaba Dadzie, Senior Associate at Kimathi & Partners in Ghana, notes that Ghana’s Data Protection Act was passed in 2012, ahead of the adoption of the GDPR, so it does not expressly follow the GDPR framework. However, the Act regulates the collection and processing of personal data through principles similar to those provided in the GDPR. Similarly, Sonal Sejpal, Partner at ALN Kenya | Anjarwalla & Khanna, notes that the provisions of Kenya’s Data Protection Act, 2019 also correspond to those of the GDPR, but are not identical.

Janet MacKenzie, Partner and Head of the IPTech Practice at Baker McKenzie in Johannesburg, says the Protection of Personal Information Act (POPIA) was first prepared as a draft bill in 2009, and was based on the EU Directive, which was replaced by the GDPR in 2018. There are similarities and major differences between POPIA and the GDPR. For example, the GDPR only protects the personal data of natural persons and does not extend its protection to juristic persons, whereas POPIA protects the data of both natural and juristic persons.

Pierre Deprez, an Associate at Nasrollah & Associés Baker McKenzie in Morocco, notes that current data privacy law in Morocco follows the “declarative” framework of the EU Directive n°95/46, which prevailed in Europe before the GDPR was passed.

In Rwanda, both the Law Nº 058/2021 of 13/10/2021 relating to the Protection of Personal Data and Privacy and the draft Regulation Governing use of Personal data in Rwanda 2019 follow the same framework as the GDPR.

According to Emmanuel Muragijimana, Chief Associate at K-Solutions & Partners in Rwanda, “These legislations have some highlighted similarities, including principles relating to processing of personal data, obligations on the companies and organizations in order to ensure the privacy and protection of personal data, providing data subjects with certain rights, and assigning powers to regulators to ask for demonstrations of accountability or to impose fines in cases of non-compliance.”

Arnold Lule Sekiwano, Partner at Engoru, Mutebi Advocates in Kampala, Uganda, says that privacy law in Uganda is also partially based on the GDPR.

“Uganda’s Data Protection and Privacy Act (2019) (Act) aims to protect the privacy of the individual and of personal data and is, in some limited respects, inspired by the GDPR. The Act also mirrors the UK Data Protection Act, 1998, which revolves around several principles concerning data protection and collection. The Act created the personal data protection office in NITA-U, also an independent body synonymous to the UK’s Information Commissioner’s Office, set up under Chapter 6 of the GDPR. One of the main contrasts of Ugandan privacy law with GDPR is the absence of legitimate interest as a legal basis for processing in the Ugandan Act,” he explains.

Ammar Oozeer, Barrister at Law at BLC Robert & Associates, explains that in Mauritius, “the Data Privacy Act (DPA) 2017 is aligned with international standards, namely the GDPR and the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data. However, there are certain instances in the DPA 2017 where the provisions are not the same as those contained in the GDPR. For example, the hefty administrative penalties under the GDPR have not been reflected in the DPA 2017, the requirement under the DPA 2017 for controllers and processors to be registered with the Data Protection Office prior to the processing of personal data, and the absence of automatic transfer to countries ensuring an adequate level of protection based on the determination of the Data Protection Office.”

He notes further, “The Mauritian legislator has adopted a criminal regime for sanctioning contravention of the DPA 2017. However, if an individual has suffered prejudice as a result of a breach of the DPA 2017 by a controller or processor, for example, following a personal data breach, the individual may claim damages for that breach under the law of tort.”

Ammar explains that to attract foreign investors, in particular from the EU, it is imperative that African countries have robust data protection legislation because data protection is regarded as a fundamental right in the European Union.

Ijeoma Uju, Partner at Templars in Lagos, Nigeria, says that the Nigerian Data Protection Regulation (NDPR), 2019, is significantly modelled after the GDPR, noting that, “both laws are reasonably similar in terms of rationale and core principles. The NDPR and the GDPR both aim to provide data subjects with a certain level of protection regarding their personal data. The material scope of the laws is consistent, with common definitions and principles on processing of personal data in general.

“For example, the GDPR requires data controllers to report a data breach within 72 hours after becoming aware of such breach. The same provision can be found in the NDPR implementation framework. Beyond the similarities, both laws also have notable differences. One major difference is the requirement under the NDPR for the filing of data audit reports on an annual basis if certain processing thresholds are met. Additionally, unlike the NDPR, the GDPR is a more unified framework. Although the NDPR and the Data Protection Bill aim to achieve this goal, Nigeria’s laws on data protection and privacy are currently not as comprehensive or unified,” she notes.

The GDPR has clearly given African governments a yardstick by which to measure and develop their own privacy laws, as well as giving African organisations an international standard to adopt, and thereby maintain the trust of the international community. However, it is also imperative that local expert advice is sought to ensure compliance with country and region-specific laws.