Africa and the Near East: The Region’s Privacy Landscape Facing Rapid and Dramatic Changes
Africa and the Near East: The Region’s Privacy Landscape Facing Rapid and Dramatic Changes
The Africa and Near East region experienced explosive growth of data privacy rules in 2021, with the enactment and/or entry into force of eight new data privacy laws: Cape Verde (amended); Kuwait; Rwanda; Saudi Arabia; United Arab Emirates (federal); United Arab Emirates/Abu Dhabi Global Markets (amended); Zambia; and Zimbabwe. This year is likely to bring even more dramatic changes to this diverse region of the world as more new laws and regulations are enacted. If this pace keeps up, this region, which already accounts for more than one-quarter (39) of the world’s 140 data privacy laws, will soon have more than Europe and Eurasia combined.
A recent and troubling new development in this region is the emergence of data localization requirements in Kenya, Rwanda, and Zambia. It is too early to tell how these provisions will be implemented and the practical effect they may have on business processing activities in these jurisdictions, but the concern is that other jurisdictions in this region may be encouraged to follow their lead.
These rapid and dramatic changes in the region’s privacy landscape present challenges for companies seeking to develop a regional privacy compliance approach. In particular, regulators are not yet established in 15 of these jurisdictions, and implementing regulations and guidance must be issued in several jurisdictions before the full scope of company obligations become clear. Further complicating factors are the lack of uniformity of the legal obligations from one law to another, such as the legal bases available for processing and cross-border transfers, and the lack of transparency with regard to regulatory enforcement.
As explained below, Bahrain, Egypt, Kenya, Saudi Arabia, South Africa, Uganda, and the United Arab Emirates are countries to watch in the coming year as implementation and enforcement of these new laws begin to take shape. Israel, Jordan, Ethiopia, and Namibia are the countries to watch in the coming year for the emergence of new or amended laws.
This alert discusses some of the significant changes that have taken place in 2021, identifies possible new laws and regulations in 2022 and beyond, and then reviews the commonalities and differences among the privacy regimes in the region.
The following provides a snapshot of recently enacted laws and related developments:
Bahrain. In July 2021, the Bahraini Ministry of Justice, Islamic Affairs and Waqf issued for public comments eight draft decisions pursuant to Bahrain’s Personal Data Protection Law (Law No. 30 of 2018) which entered into effect on August 1, 2019. The draft decisions contain numerous new obligations with respect to data breach notification (imposing a 72-hour notice requirement), data security, privacy by design, data protection impact assessments (DPIAs), and data portability. A data protection authority (DPA) has been established but it is unclear if it is fully operational yet. This recent flurry of activity suggests that the country is gearing up to implement and enforce its law soon.
Egypt. Egypt’s Personal Data Protection Law, No. 151 of 2020 entered into force on October 14, 2020. Executive regulations were expected to be issued in April 2021; however, as of early January 2022, those regulations have not been issued yet nor has a DPA been established. Once those regulations are issued, organizations will have one year to comply.
Kenya. A data protection commissioner was appointed in November 2020 to oversee enforcement of the Data Protection Act, 2019 that went into effect in November 2019. In early 2021, the DPA issued guidance on the law’s provisions pertaining to consent and DPIAs. In May and June 2021, it released for public comment draft data protection regulations. The regulations were published in final form on January 14, 2022 and are expected to take effect on February 11, 2022, subject to approval by the National Assembly. The regulations specify the controllers and processors that are subject to mandatory registration requirements and require them to register with the DPA within six months. The regulations further clarify the rules for breach notification, cross-border transfers, direct marketing, consent, DPIAs, and data localization. The data localization provisions require personal data processed for the purposes of “strategic interest of the state” to be processed through a server and data center located in Kenya, and at least one copy of that data must be stored in a data center located in Kenya. Moreover, controllers that process personal data outside of Kenya for other purposes and suffer data breaches or violate the Act may also be required to comply with the data localization requirements.
The DPA has been active in promoting awareness and responding to complaints, which suggests that, like Bahrain, the DPA is moving forward to implement and enforce the law shortly.
Kuwait. Kuwait’s Communications and Information Technology Regulatory Authority (CITRA) issued Resolution 42 of 2021, Concerning Data Privacy Protection Regulations (“Regulations”), which became effective in April 2021. The Regulations address the collection and processing of personal data and apply to a Communications and Information Technology Service Provider (“Service Provider”) that provides services in Kuwait. Such services can include the establishment of any kind of public telecommunications network, operation of a website, smart application, or cloud computing services, by any natural or legal person. The Regulations apply to all public- and private-sector Service Providers that collect, process, and store personal data using automated means or any other means that are part of a data storage system, whether processed inside or outside Kuwait, when the personal data relate to processing activities linked to transmission of advertising or marketing material or monitoring the behavior and tendencies of individuals. Although seemingly sectoral in nature, the Regulation actually covers a wide array of organizations and requires, among other things, a legal basis for processing, provision of Individual Rights, and notification of data breaches to individuals and CITRA within 72 hours.
Nigeria. In early 2021, the National Information Technology Development Agency (NITDA), the authority responsible for enforcement of Nigeria’s Data Protection Regulation 2019 (“Regulation”), issued the final version of the Implementation Framework for the Regulation. NITDA describes the framework as a guide to help controllers and processors understand the controls and measures they must implement in order to comply with the Regulation, and to promote voluntary compliance. The Implementation Framework provides important clarifications regarding key obligations under the Regulation, such as when a DPO must be appointed, how and when consent must be obtained from individuals, the need to notify the NITDA within 72 hours in the event of a data breach, and the countries that are deemed to provide adequate protection. As discussed in the next section, efforts are still underway to develop a new and more comprehensive data protection law but the timing for enactment of a law remains unclear. In the meantime, NITDA is actively enforcing this Regulation. To date, the NITDA has imposed two large fines. In August 2021, NITDA imposed a NGN 10 million fine (approximately USD 24,000) on an online lending platform, for a variety of violations regarding provision of notice, inadequate legal bases for processing and sharing of data, failure to submit the required audit reports through a licensed third-party auditor, and failure to cooperate with the NITDA. In 2020, it issued a NGN 5 million fine to a Nigerian company, in connection with a data breach.
Rwanda. Rwanda enacted Law Nº 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy in October 2021. Organizations have until October 2023 to come into compliance. The National Cyber Security Authority is the regulator responsible for enforcement of the Law. The Law imposes criminal penalties for violations, as well as administrative penalties for violations ranging from RWF 2 to 5 million, or 1% of the organization’s global turnover of the preceding financial year. The most noteworthy provisions include requirements for data localization (organizations must store personal data in Rwanda unless the regulator authorizes international storage), a 72-hour notification for data breaches, the appointment of a DPO, and a registration requirement for controllers and processors.
Saudi Arabia. Saudi Arabia enacted a Personal Data Protection Law (PDPL) that goes into effect on March 23, 2022. Controllers have one year from that date to come into compliance with the law. The PDPL applies to any processing of personal data of individuals that takes place in Saudi Arabia, as well as processing of personal data of individuals residing in Saudi Arabia by organizations outside of Saudi Arabia. The PDPL imposes a number of requirements, including with respect to: the provision of a privacy notice; legal bases for processing; Individual rights (access, correction, and deletion rights); data quality; data security; breach notification; and the appointment of a DPO. The PDPL also provides for a private right of action. In the event of a law violation, fines up to SAR 3 million (approx. USD 800,000) and/or imprisonment of up to two years are possible.
South Africa. Although enacted in 2013, South Africa’s Protection of Personal Information Act (POPIA) only entered into force on July 1, 2020. Organizations were given until July 1, 2021 to comply with the law. The DPA, which has been operational since 2016, is actively issuing guidance, revising existing regulations, educating and promoting awareness, and speaking out on selected data privacy issues.
Togo. The Law on Protection of Personal Data went into effect October 2019, with enforcement to began in October 2020; however, as of December 2021, the DPA had not yet been established.
Uganda. One year after Uganda’s Data Protection and Privacy Act, 2019 (“Act”) entered into force in February 2020, the Ministry of ICT and National Guidance issued the Data Protection and Privacy Regulations, 2021, No. 21 of 2021 (“Regulations”), which implement the Act. The Regulations specify the Individual Rights provisions, including a requirement to respond to access requests within seven days and comply with correction requests within 30 days, and require the appointment of a DPO, DPIAs for high risk processing, notification to individuals about data breaches immediately after the DPA is notified about the breach, and submission of annual reports to the DPA summarizing all data breaches and the action taken to address such breaches. Both controllers and processors are subject to registration requirements, and where a controller or processor notifies the individual of its intention to continue processing personal data for the purpose of direct marketing, the individual may, within 14 days of receiving the notice, request in writing that the DPA review the decision of the controller or processor. Under the Act, violations are punishable by a fine not exceeding 4.8 million shillings (USD 1,284) or imprisonment for ten years or both. The Regulations include additional offenses, such as for violations of the registration requirements and cross-border transfer rules.
Uganda’s Personal Data Protection Office (DPA) announced a grace period up to the end of December 2021 to allow for relevant organizations and persons to register their collection and processing of personal data with the DPA. The DPA will begin taking enforcement measures against unregistered organizations and persons once the registration requirements become effective starting in January 2022.
United Arab Emirates (UAE). In September 2021, the UAE adopted a new federal privacy and data protection law, Federal Law No. 45 of 2021 on the Protection of Personal Data, that went into effect on January 2, 2022. This new law now broadly aligns the UAE’s federal data privacy requirements with the EU General Data Protection Regulation (GDPR) as well as existing data protection laws of the UAE’s two free-market zones, the Dubai International Financial Center (DIFC) and the Abu Dhabi Global Market (ADGM). Executive regulations are to be issued within six months and companies will have until January 2023 to comply with the law.
This new federal law does not apply to companies registered in the free-market zones or to health data covered by the Federal Law No. 2 of 2019 Concerning the Use of Information and Communication Technology in Health Fields, which regulates the use of information and communications technology in the UAE's health industry and establishes a centralized system to manage health information.
While the federal law mirrors much of the DIFC and ADGM laws, there are some noteworthy differences. In particular, unlike the DIFC and ADGM laws, the same legal bases for processing personal data under the federal law apply to the processing of sensitive personal data, and the federal law does not include a legal basis for processing on the basis of the controller’s legitimate interests. In addition, the breach notification threshold is lower than under the DIFC and ADGM laws and the cases in which a data protection officer (DPO) must be appointed also differ.
It should be noted that both the DIFC and ADGM revised their laws in 2020 and 2021 respectively to align them more closely to the EU GDPR. Both have issued revised sets of standard contractual clauses similar to the EU SCCs but with some differences.
Zambia. Zambia’s Data Protection Act, No. 3 of 2021 was approved by the legislature in March 2021, but has not entered into force yet. The Act has some unique and onerous provisions. For example, a legal basis such as consent, legitimate interests, or contractual necessity is required to process personal data; however, consent is not a legal basis for the processing of sensitive personal data. Sensitive personal data may only be processed in limited circumstances, such as where the processing is necessary for the establishment, exercise, or defense of a legal claim. Furthermore, the Act requires controllers to notify the DPA within 24 hours of any security breach affecting personal data processed and, like the Rwandan law, requires controllers to process and store personal data on a server or data center located in Zambia. However, the Minister may prescribe categories of personal data that may be stored outside Zambia. Both controllers and processors are required to register their processing activities and appoint a DPO in accordance with guidelines issued by the DPA. The Act provides offenses for certain violations, including fines ranging from 100 million to 500 million penalty units or two percent of annual turnover of the preceding financial year, or imprisonment up to five years.
Zimbabwe. Zimbabwe is the most recent country in the region to enact a data privacy law. The Data Protection Act (“Act”) was enacted on December 3, 2021 but no date is specified for its entry into force or if companies will have a transition period to comply with the Act. The Act is applicable to public- and private-sector entities and requires, among other things, notification of data breaches within 24 hours, the appointment of a DPO, and consent or another limited legal basis to transfer personal data to countries that are not deemed to provide adequate protection. The Act establishes the Postal and Telecommunications Regulatory Authority of Zimbabwe as the DPA to implement and enforce the Law. Amendments to Zimbabwe’s Criminal Law Act also are included in the Act in order to address cybersecurity. The Act stems from the Cyber Security and Data Protection Bill, which, after a series of public hearings, went through several amendments during the Parliamentary process.
New Laws Expected in 2022 and Beyond
Israel. Forty years after the enactment of Israel’s Protection of Privacy Law, 5741-1981, the Israeli Ministry of Justice published a bill in early January proposing amendments to the current law that, if enacted, would, among other things, amend the definitions of key terms in the law such as personal information and sensitive information, reduce registration requirements, and expand the DPA’s enforcement powers by enabling it to impose financial penalties. Privacy legislation is expected to be one of the main issues on the 2022 legislative agenda of the Knesset’s Constitution, Law, and Justice Committee.
Jordan. In late December 2021, the Jordanian Council of Ministers approved a draft law on the protection of personal data. If enacted, the draft law would, among other things, require legal bases for processing personal data, provide for individual rights, including the right to be forgotten and data portability, impose breach notification requirements, restrict cross-border transfers of personal data to countries that provide adequate protection rules, and establish a Personal Data Protection Board to oversee and enforce the law.
Ethiopia. As part of its National Digital Transformation Strategy initiative, the Ethiopia government, led by the Ministry of Innovation and Technology, has drafted a Personal Data Protection proclamation (PDP). The PDP, which provides for the creation of a Data Protection Commission, establishes rules for the collection, use, disclosure, and cross-border transfer of personal data, and provides individuals with access, correction, erasure, and data portability rights, reportedly has been submitted to the Council of Ministers for approval.
Namibia. The Ministry of Information and Communication Technology (MICT) is reportedly working on draft data protection legislation.
Nigeria. There are reports that the Nigerian government has abandoned plans to move forward with its proposed Data Protection Bill, 2020, which was developed after a lengthy public consultation process and draft new legislation. If these reports are true, then the prospects for enactment of legislation in 2022 appear to be greatly diminished. The government’s 2020 bill proposed regulating personal data of individuals and legal entities (both public and private). It contained extraterritorial provisions to regulate controllers (without regard to their establishment) that carry out processing of information relating to individuals who reside within or outside Nigeria and personal data which originates partly or wholly from Nigeria. It also established basic principles and legal bases (such as legitimate interests, contractual necessity, and consent) for processing of personal data, provided for individual rights, including erasure and data portability rights, and imposed security requirements, including specific obligations on data processors. In addition, it included restrictions on cross-border transfers and the submission of annual audit reports and notification of data breaches within 48 hours. Lastly, it provided for the establishment of a Data Protection Commission and imposes criminal penalties for law violations.
The Africa and Near East region now has 39 data privacy laws, representing more than one-quarter of the 140 privacy laws worldwide: Algeria, Angola, Bahrain, Benin, Botswana, Burkina Faso, Cape Verde, Chad, Republic of the Congo, Côte d’Ivoire, Egypt, Equatorial Guinea, Gabon, Ghana, Guinea, Israel, Kenya, Kuwait, Lesotho, Madagascar, Mali, Mauritania, Mauritius, Morocco, Niger, Nigeria, Qatar, Rwanda, São Tomé & Principe, Saudi Arabia, Senegal, Seychelles, South Africa, Togo, Tunisia, Uganda, the United Arab Emirates (federal law and laws in two free-trade zones, the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM)), Zambia, and Zimbabwe. The laws in the Seychelles, Zambia, and Zimbabwe have not yet entered into force.
More than half of these laws (22) were enacted (or amended) within the past five years and, of these, 10 were enacted in the past two years. The newest laws are in Egypt, Kuwait, Rwanda, Saudi Arabia, the United Arab Emirates (federal), Zambia, and Zimbabwe.
While they share the same core data protection elements, all of these laws have specific rules that differ from each other and from those in other regions. Thus, implementing data privacy programs to comply with these rules can be challenging, particularly in those jurisdictions that have yet to establish their data protection authorities (DPAs). The jurisdictions without established DPAs are: Algeria, Botswana, Republic of the Congo, Egypt, Equatorial Guinea, Guinea, Lesotho, Madagascar, Mauritania, Saudi Arabia, Seychelles, Togo, UAE (federal), Zambia, and Zimbabwe.
Scope. Most of the laws in this region apply to processing in-country only. However, at least three have extraterritorial provisions: Benin, Cape Verde, and Uganda. Both the laws in Benin and Cape Verde extend to controllers and processors not established in their country that process personal information of people in their country relating to the offering of goods or services to people in their country or the monitoring of their behavior, insofar as this behavior takes place in their country. Additionally, the Benin law applies to processing that takes place in a member state of the Economic Community of West African States (ECOWAS). Uganda’s law applies to organizations within Uganda that process personal information or organizations outside Uganda that process personal information relating to Ugandan citizens.
There are also two other laws, in Egypt and Qatar, that may have extraterritorial provisions but further regulatory clarification is needed.
Cross-border Transfers. While most of the jurisdictions (34) impose restrictions on cross-border transfers of personal data, there is such a diverse array of rules that it is practically impossible to characterize them in meaningful ways.
Adequacy. Many of these jurisdictions permit transfers to countries that provide “adequate” protection; however, only seven have issued their lists of adequate countries. The lists of the seven that have vary widely. For example, the Côte d’Ivoire and Niger recognize the member states of ECOWAS; Chad recognizes the member states of the Central African Economic and Monetary Community (CEMAC) and the Economic Community of Central African States (CEEAC); Lesotho recognizes member states that have transposed the Southern African Development Community (SADC) data protection requirements; Morocco recognizes the EEA Member States and Canada; and the UAE/DIFC and ADGM recognize the EEA Member States as well as other jurisdictions recognized by the EU as providing adequate protection. Nigeria recognizes numerous jurisdictions including the African countries that are signatories to the Malabo Convention 2014, the United States, the EEA Member States (and the other jurisdictions recognized by the EU), China, the Philippines, and Singapore.
In order to transfer to an adequate country, eight of these jurisdictions additionally require DPA authorization, notification, or a DPA license: Benin, Republic of the Congo, Egypt, Guinea, Morocco, Senegal, Togo, and Tunisia.
Adequate Protection Measures. Twenty-two jurisdictions permit cross-border transfers where adequate protection measures are in place, such as contractual clauses, but in many cases the DPAs must also approve the transfers and/or contractual clauses. Only a couple of DPAs (in the UAE/DIFC and ADGM free-trade zones) have issued their own clauses. Alternatively, Israel permits the use of EU Standard Contractual Clauses with minor modifications.
Legal Bases. All but a few laws permit transfers to inadequate countries, provided one of the legal bases specified in the law applies. However, these legal bases vary widely. Some provide for one or more legal bases such as consent, contractual necessity, vital interests, and/or a legal claim; some only permit such transfers on the basis of consent while others limit the use of consent to transfers are that limited and specific. Many laws also require DPA authorization for such transfers. In contrast, laws in countries such Burkina Faso, Côte d’Ivoire, Guinea, Niger, and Tunisia do not provide any legal bases other than DPA authorization.
Breach Notification. Half of the laws (20) require notification in the event of a data breach: Benin, Botswana, Cape Verde, Chad, Republic of the Congo, Egypt, Ghana, Israel, Kenya, Kuwait, Lesotho, Mauritius, Qatar, Rwanda, Saudi Arabia, South Africa, Uganda, the United Arab Emirates (Federal, DIFC, and ADGM), Zambia, and Zimbabwe. Seventeen of these 20 jurisdictions require notification to the DPA in the event of any data security breach, regardless of risk of harm. While some of the laws only require that notice be provided to individuals and/or to the DPA “as soon as practicable” or “without delay,” more than half require notification to the DPA within 24–72 hours. Most require that both individuals and the DPA must be notified about a breach.
Legal Bases for Processing. Almost half of the laws (18) do not permit processing on the basis of legitimate interests. Instead, the laws rely on other legal bases such as consent, contractual necessity, legal requirements, or vital interests. Only two countries, Israel and Mali, do not expressly require a legal basis for processing. Instead, they specify that processing for purposes other than those for which the information was provided constitutes a violation of privacy.
Individual Rights. Access and correction rights must be provided in all countries. More than three-quarters of the laws (32) provide erasure rights and slightly more than one-quarter (11) provide data portability rights. The timeframes for responding to individual rights requests also vary widely: 17 countries require responses to rights requests within 30 days or more; four within 21 days; three within 10–15 days; and two within seven days. Twelve do not specify a specific time period.
Data Protection Officer (DPO). More than one-third of the jurisdictions (16) require the appointment of a DPO: Benin, Cape Verde, Republic of the Congo, Egypt, Madagascar, Mali, Mauritius, Nigeria, Rwanda, Saudi Arabia, South Africa, Tunisia, Uganda, the UAE, Zambia, and Zimbabwe.
Registration. While the trend around the world is to minimize registration requirements, most of the laws in the region (36) require organizations to register processing activities with a DPA. Eight jurisdictions require both controllers and processors to register. The countries that do not impose registration requirements are Kuwait, Nigeria, and Qatar.
Security. Slightly more than half of the countries (18) have either some specific or very detailed security provisions. The countries with detailed security obligations are Benin, Israel, Senegal, and the UAE/DIFC. Three countries, Benin, Côte d’Ivoire, and Nigeria, require the submission of security compliance or audit reports annually to the DPA.
Data Protection Impact Assessments (DPIAs). Slightly more than one-third (15) of the laws require DPIAs for certain types of processing. DPIAs are required in Benin, Cape Verde, Republic of the Congo, Cote d’Ivoire, Israel, Kenya, Mauritius, Morocco, Nigeria, Qatar, Rwanda, South Africa, Uganda, UAE, and Zambia.
Data Localization. Three countries, Kenya, Rwanda and Zambia, impose data localization requirements. The Rwandan law requires controllers and processors to store personal data in Rwanda unless they obtain a valid registration certificate issued by the DPA that authorizes international storage. The Zambian law, which is not yet in force, requires controllers to process and store personal data on a server or data center located in Zambia; however, the law permits the Minister to prescribe categories of personal data that may be stored outside Zambia. In addition, the Kenyan regulations require personal data processed for the purposes of “strategic interest of the state” to be processed through a server and data center located in Kenya, and at least one copy of that data must be stored in a data center located in Kenya. Moreover, controllers that process personal data outside of Kenya for other purposes and suffer data breaches or violate the law may also be required to comply with the data localization requirements.
Enforcement. With the enactment and/or entry into force of 10 new or amended laws in the past two years, as well as the recent issuance of new guidance and regulations in jurisdictions such as Kenya, Qatar, South Africa, and Uganda, we expect to see regulatory enforcement activity increase in the coming year. However, despite the fact that 24 jurisdictions have established DPAs, only a few have publicized information on fines imposed. For example, in 2021, Mali’s DPA imposed a CFA 20 million fine against a company for workplace surveillance violations and, in 2020, fine of CFA 18 million against a company for unlawful access and collection of personal data. The Nigerian DPA issued NGN 5 million and 10 million fines in 2020 and 2021 respectively for various violations of its Regulation. In December 2018, Gabon imposed an XAF 5 million fine against a company for unlawfully collecting geolocation data from its employees without providing notice to the individuals and without authorization from the DPA.
 Such purposes include: administering of the civil registration and legal identity management systems; facilitating the conduct of elections for the representation of the people under the Constitution; overseeing any system for administering public finances by any state organ; running any system designated as a protected computer system in terms of section 20 of the Computer Misuse and Cybercrime Act, 2018; offering any form of early childhood education and basic education under the Basic Education Act, 2013; or provision of primary or secondary health care for a data subject in the country.