African states tighten laws on data privacy and protection

Data protection regulations

Internet Society, a non-profit advocacy organisation, estimates that more than 17 African countries have enacted comprehensive personal data protection legislation

Photo credit: Shutterstock

What you need to know:

  • African governments and stakeholders continue to develop models that uphold data privacy and protection to facilitate safe internet use.

With nearly 600 million people across Africa using the internet today, African countries are increasingly recognising the need to legislate and invest in, data and privacy protection. 

Internet Society, a non-profit advocacy organisation, estimates that more than 17 African countries have enacted comprehensive personal data protection legislation.

Additionally, according to the United Nations Conference on Trade and Development, 33 countries had some form of legislation that guaranteed data and privacy protection as of 2021.

Speaking at the 2023 Global Data Privacy Week in Abuja, Nigeria's Minister of Communications and Digital Economy, Isa Pantami, said the Nigeria Data Protection Bureau (NDPB) had invested extensively in personnel to grow capacity.  

"The NDPB has created many jobs that the value as at today amounts to N5.5 billion ($12 million)," he said. 

Between 2019 and 2022, nearly 10 African countries enacted laws reaffirming data and privacy protection.

In November 2022, Tanzania became the latest African country to pass the Personal Data Protection Law and subsequently established its Data Protection Commission.

Botswana, South Africa, Kenya, Rwanda, Nigeria, Uganda, Togo and Ghana have been front-runners in legislating pro-data and privacy protection policies.

Beyond efforts at the individual country's levels, regional economic blocs have policies that safeguard data and privacy protection.

The Southern African Development Community (SADC) modelled the SADC Model Law on Data Protection in 2010, which it adopted in 2013.

ECOWAS Supplementary Act A/SA.1/01/10 on Personal Data Protection (2010) and EAC Framework for Cyber laws (2008) are some regional bloc-level policies targeting data and privacy protection.

Despite the developments in legislation, Brandon Muller, Kaspersky tech expert and consultant African region, highlights the many areas African countries can improve on, especially in averting industrial cybersecurity.

According to Muller, 40% of industrial control system (ICS) computers globally were attacked with malware in 2022, with Kaspersky projecting 47% of the cases occurred in Africa.

Industrial control systems involving manufacturing, processing, product handling, production and distribution are the basis of economic growth.

Kaspersky lists Ethiopia (62%), Algeria (59%), and Burundi (57%) as having experienced the highest number of malware attacks on their industrial control systems last year.

Others listed include Rwanda (46%), Kenya (41%), Nigeria and Zimbabwe (40%), Ghana (39%), Zambia (38%) and South Africa and Uganda (36%).

However, these countries are actively improving efforts to elevate their data protection systems.

Ethiopia is currently in the advanced stages of legislating the Data Protection Proclamation, which will establish a Personal Data Protection Commission.

Algeria's Law No. 18-07 was recently passed and established the legal framework for collecting, processing, using, and disclosing personal data concerning data processing activities.

With some listed countries recording relatively high vulnerability rates, more laws and policies are needed to ensure safe digital browsing.

Muller outlines the significance of anti-malware systems and practising safe practices as it will ensure long-term safety.

"One infected USB drive or a single spear-phishing email is all it takes for cyber criminals to bridge the air gap and penetrate an isolated ICS network," Muller notes.

While some malware sources remain complex, especially in advanced systems, Muller explains that "human error still plays a significant role in compromising ICS systems."

However, Africa is broadly trying to confine itself to the framework set out in the African Union Convention on Cyber Security and Personal Data Protection.

African Union and Internet Security, in a 2018 report dubbed "Personal Data Protection Guidelines for Africa", recommend creating trust, privacy, and responsible use of personal data, commitment and actions by individual governments and multi-sectorial approaches.