The Africa Privacy Report encapsulates the outcomes of research endeavors conducted by the Lawyers Hub, focusing on the dynamic landscape of privacy and data protection in Africa throughout the year 2023.
Subscribe Now for more digital government insights!
Beyond presenting findings, the report serves as a resource, unraveling trends and significant milestones that contribute to shaping the continent’s approach to data protection. The exploration of these insights aims not only to inform but also to foster the implementation of robust data protection measures and encourage active stakeholder participation in this pivotal domain.
Africa Privacy Report Findings
The report presents the following critical findings into key areas that shaped digital governance and protection of personal information in the continent in 2023:
1. Malabo Convention Enforcement Status
The Malabo Convention achieved ratification by Mauritania, Côte d’Ivoire, and the Central African Republic, marking its official enforcement on June 8, 2023. Adopted on June 27, 2014, this marked a significant milestone, making it the sole binding regional treaty on data protection outside of Europe, after a nine-year journey. The Convention has been ratified by 15 countries, and 12 countries have signed the convention out of the 55 African countries.
During the same period, five countries, namely Tanzania, Nigeria, Algeria, and Mauritius, successfully enacted data protection laws . This progress was also visible in Malawi and Seychelles which laid the foundation for the development of a comprehensive data protection Bill.
2. Data Protection Offices Operationalised
Among the countries mentioned above as having recently enacted data protection laws, Mauritius and Nigeria have since established Data Protection Offices . The Mauritius Data Protection Office operates as a public office under the Ministry of Technology, Communication, and Innovation.
On the other hand, Nigeria’s Data Protection Commission functions as an independent body. Prior to it, data protection compliance in Nigeria was supervised by the Nigeria Data Protection Bureau (NDPB), which was under the jurisdiction of the National Information Technology Development Agency (NITDA).
The NDPB was tasked with overseeing the implementation of the Nigeria Data Protection Regulation (NDPR), a subsidiary legislation of the NITDA Act, 2007 (now replaced by the Nigeria Data Protection Act). Needless to say, the approach to the discourse on the independence and impartiality of data protection authorities in Africa varies significantly among different countries.
Additionally, the commitment to robust compliance mechanisms and the resolution of privacy concerns was evident across the continent. Kenya, for instance, expanded its reach by establishing regional offices in Mombasa and Nakuru, enhancing accessibility to compliance services and data protection awareness creation . Furthermore, Kenya launched its Data Protection Registration System to streamline regulatory processes.
Meanwhile, Senegal took proactive measures by issuing guidance on the processing of biometric data in the workplace and unveiling a National Data Strategy .
These initiatives collectively reflect the dynamic efforts undertaken by African nations to fortify data protection frameworks and address emerging privacy challenges.
3. Significant Data Privacy Fines
Compared to preceding years, the continent experienced a notable surge in enforcement actions targeting privacy violations, as indicated by the actions taken by data protection authorities in various jurisdictions.
Kenya emerged as a frontrunner, with over six significant determinations impacting institutions spanning the lending sector, education, entertainment, digital identity, and digital currencies. Despite issuing the highest number of penalties, the combined monetary value of fines in Kenya (approximately USD $. 124,700) was still less than individual fines imposed in South Africa (USD $. 279,000), Nigeria (USD $. 218,459), and Angola (USD $ 150,000).
Nigeria’s data protection authority imposed fines on Nigerian banks, telecommunications firms and digital lending institutions, albeit without individual names disclosed, for infringements related to data privacy.
South Africa’s Information Regulator (IR) issued the only reported penalty to a public body in the region an infringement notice that imposed a ZAR 5 million (USD 279,000) fine on the Department of Justice and Constitutional Development (DoJ&CD) for violations of the Protection of Personal Information Act (POPIA).
The breaches primarily involved the Department’s failure to renew licenses for critical cybersecurity components, including anti-virus, security information and event management (SIEM), and intrusion detection solutions. In a separate incident, the Information Regulator also issued an enforcement notice to Dis-Chem for POPIA violations stemming from a data breach experienced by one of its vendors on September 6.
Angola’s National Data Protection Authority fined Africell $150 000 for failing to get prior authorisation from the NDPA when they processed their customers’ personal data.
4. Monitoring Digital Lenders Data Practices
Regulators in various jurisdictions within the region were diligent in overseeing the activities of online digital lenders throughout 2023. Kenya, Nigeria, Ghana, and Uganda all saw their regulators release lists of approved and unapproved digital lenders, indicating those licensed or prohibited from operating within each country.
Kenya, taking a cautious stance, approved the least number of digital lenders (32 out of over 400 applications).
Nigeria had 154 approved digital lenders with 40 under conditional approval, Uganda reported 2,132 licensed money lending businesses, and Ghana published a list of 97 digital money lenders barred from operating without proper regulatory licensing.
5. Artificial Intelligence Adoption & Regulation
Several African nations recognized the potential offered by AI; however, the widespread adoption of AI in Africa remains limited, with only a few exceptions such as South Africa, Nigeria, Ethiopia, Kenya, Zimbabwe, Togo, Libya, and Ghana actively embracing AI.
Numerous African countries still face challenges related to essential requirements for technology adoption, including infrastructure, data ecosystems, STEM education, and governance frameworks. Despite these obstacles, notable progress is underway in adopting digital solutions.
Several countries have existing legal frameworks which offer potential avenues for incorporating AI elements such as the enactment of data protection laws across 36 countries.
Countries such as Senegal have in the past introduced National Data Strategies: Rwanda is the latest to have an official National AI Policy, however, the rapid advancement of this technology continues to outpace the scope of most of these laws.
6. Increased Cyberattacks & Ransomware
The global cybersecurity trends revealed a significant increase in cyberattacks, particularly ransomware attacks, with 66% of companies worldwide reporting such incidents, up from 51% in 2020, according to a survey by Sophos. Kaspersky ICS CERT reported that attacks were detected on 32% of Industrial Control System (ICS) computers in Africa.
Drawing from extensive research, this report finds a concerning trend of escalating cyber threats . The documented average of 1158 weekly cyber attacks across various sectors serves as a testament to the persistent challenges faced by organizations in safeguarding digital assets.
Africa witnessed a substantial 12% YoY increase in the average number of weekly attacks per organization, reaching an average of 1900 attacks. Cyberattacks across African countries targeted critical infrastructure, financial institutions, governments, and businesses. The financial sector was the most targeted, with 18% of cyberattacks, followed by telecommunications (13%), government agencies (12%), trade (12%), and industrial sectors (10%).
A lightly edited synopsis of the Africa Privacy Report
Sorry, the comment form is closed at this time.