Africa emerges as hot spot for new data protection laws as privacy regulation becomes global norm

The march toward a planet where data protection laws are nearly universal continues as the world approaches the milestone of 160 nations that have data protection or privacy laws in place. No continent, however, has seen more data protection growth in recent years than Africa.

Nearly three quarters of the world’s nations either have a law in place or are considering privacy legislation, up from about two-thirds three years ago, according to United Nations data. Graham Greenleaf, a professor at the University of New South Wales in Australia who is an expert on the global development of data-protection law, this year put the total number of countries with a data protection law at 157.

The UN says that 61 percent —  at least 33 of Africa’s 54 countries — had a privacy or data protection law in place at the beginning of this year. That's up from 50 percent in early 2020, representing a significant expansion of data protection for the continent’s 1.3 billion people. While that's a significantly lower share than in Europe, where data protection law verges on becoming universal thanks to the General Data Protection Regulation, Africa is now within hailing distance of the percentage of countries in the Americas with data protection laws, and it is slightly ahead of Asia, according to the newest UN data.

Expansion of laws

“In the last two years, we’ve seen an explosion of data privacy laws around the world,” said Dominque Shelton Leipzig, a partner at law firm Mayer Brown in Los Angeles. “A lot of that activity is happening in Africa.”

Many of the new comprehensive privacy laws being adopted by African nations include features found in the GDPR, the California Consumer Privacy Act and the California Privacy Rights Act that will replace it in 2023, and in China’s Personal Information Protection Law, said Shelton Leipzig, who co-authored a recent study by Mayer Brown on the expansion of data protection laws in Africa.

The Mayer Brown study found that 33 African countries now provide the right to access personal data collected by a company; 29 national data protection laws provide a right to rectification of that data; 27 provide the right to object; 21 provide the right to be forgotten; and 14 provide the right not to be subject to automated decision-making.

Given the potential growth in audience among the more than one billion people who live in Africa, companies need to be aware of those data protection laws as they enter the African market and other areas of the developing world, Shelton Leipzig said. “Now more than ever this is becoming a strategic business issue,” she told MLex.

In 2019, MLex reported that there were about 136 countries that had passed comprehensive national privacy laws.

UNCTAD data

By February 2020, 66 percent of the world’s nations had a data-protection and privacy law, up from 55 percent in 2015, the United Nations Conference on Trade and Development reported based on a newly released global survey of cyberlaw it conducts once every two years.

UNCTAD’s most current data, for the start of this year, says 71 percent of the world’s countries have some sort of privacy or data protection law in place. That includes 98 percent of 45 countries in Europe, 74 percent of 35 countries in the Americas, and 57 percent of 60 countries in the Asia-Pacific region. Another 9 percent of the world’s countries have draft legislation under consideration, meaning those numbers are likely to grow.

Those numbers don’t include some of the most important developments in global data protection in 2022, such as Indonesia’s new data protection bill signed into law last month by President Joko Widodo, which is based heavily on the GDPR. India last week released its latest, long-awaited proposal for overhauling the data-privacy regulatory landscape of the world’s largest democracy, and the US Congress made its first substantive progress toward passing a comprehensive national privacy law this year, though its chances of passage are scant in the near term.

Africa laws

An exact, objective census of the world’s privacy laws is difficult because there are different definitions for what qualifies as a privacy or data security law, and sometimes even for what constitutes a country. But everyone agrees that Africa is a hot region for data protection regulatory growth.

In 2021 alone, Rwanda, Zambia, and Zimbabwe enacted their first data protection laws, while Cape Verde amended its existing legislation. Burkina Faso, meanwhile, replaced its 2004 Data Protection Act with an updated data protection law, according to Hogan Lovells, another law firm that is tracking data protection developments in Africa.

“GDPR certainly has an influence on the new laws, and the EU as well as other financing organizations, such as the World Bank, clearly push for GDPR-like laws to be adopted in Africa,” Aissatou Sylla, a Hogan Lovells partner in Paris, told MLex. “In Africa, in general, you will find very ambitious and protective laws, unlike in the US, but little to no enforcement, although this is beginning to change.”

There are exceptions. South Africa, Nigeria and Kenya are actively enforcing their data protection laws, Sylla said. In some countries, such as Mali and Gabon, politics was an issue as lawmakers decided to pass data protection laws before presidential elections as a safeguard against their governments’ use of data to ensure re-election of the incumbent, she said.

Global convention

Greenleaf said the expansion of data protection laws in Africa has global significance.

“Africa is playing a significant role in the conversion of data protection Convention 108 from a European into a global Convention,” he noted in a 2020 study, referring to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, commonly known as “Convention 108.” It was the first binding international treaty addressing the need to protect personal data.

In an academic paper published in March, Greenleaf set the number of countries with data privacy laws at 157, an addition of 12 countries since the start of 2021. "As has become familiar, most of these laws are influenced substantially by the EU’s GDPR, but with many variations in such implementations," he wrote. Three of those 12 countries were in Africa: Rwanda, Zambia, and Zimbabwe.

Since then, the additions of Indonesia in Asia and the Kingdom of Eswatini, formerly named Swaziland, in Africa have pushed Greenleaf’s total to 159 nations with data privacy laws or regulations.

Shelton Leipzig, the Mayer Brown lawyer, said the regulatory takeaway is that before companies begin to deploy their servers in Africa or elsewhere in the developing world, they should consider data protection rules first.

“It’s a very good first step to ensure, and a question which every CEO and board member needs to ask, as we’re entering into [Africa and other developing markets]: Have we ensured that we’ve incorporated these data protection laws into our compliance program?” she said.