Welcome again to another edition of our Data Protection and Privacy Knowledge Management Series. We have spent the last seven weeks examining Nigeria’s data protection framework and its evolving directives. In this article, we take a step back to look across the African continent: how other jurisdictions have structured their data protection regimes, and the practical challenges of implementation.
1. South Africa: A Mature Framework with Active Enforcement
South Africa’s Protection of Personal Information Act 2013 (POPIA) remains one of the most comprehensive and operational data protection laws on the continent. POPIA had a commencement date of July 2020 and a one-year compliance grace period. It came fully into force in July 2021 and is enforced by the Information Regulator of South Africa. The Regulator has broad powers to investigate complaints, issue enforcement notices, and impose fines.
In recent years, it has opened investigations into large-scale data breaches and issued compliance orders to organisations in the private and public sectors — a clear sign that enforcement is active and maturing (POPIA, 2013; Information Regulator SA, 2023).
POPIA’s structure and principles are similar to the GDPR, covering key areas such as lawful processing, security safeguards, data subject rights, and cross-border transfers. Its challenge remains awareness and compliance across small and medium-sized enterprises, which form the backbone of the South African economy.
2. Kenya: Growing Compliance Culture and a Strong Regulator
Kenya’s Data Protection Act, 2019 established a comprehensive framework aligned with international standards. The Office of the Data Protection Commissioner (ODPC) is responsible for enforcement and has issued key regulations, including the Data Protection (General) Regulations, 2021, Registration of Data Controllers and Processors Regulations, 2021, and the Complaints Handling and Enforcement Procedures, 2021.
The ODPC has also released a Data Protection Handbook and DPIA guidance to help businesses comply (ODPC, 2022). Under the Act, data controllers and processors must register with the ODPC and are required to notify the regulator and affected individuals of personal data breaches (Kenya DPA 2019, ss. 18–24).
Practical compliance challenges in Kenya include limited technical expertise and high costs of implementing security safeguards. However, Kenya’s regulatory approach has been proactive and transparent, with the ODPC frequently engaging in awareness and stakeholder education.
3. Ghana: Building Capacity within an Established Legal Framework
Ghana was one of the early adopters of data protection legislation in Africa. Its Data Protection Act, 2012 (Act 843) predates both Kenya’s and Nigeria’s frameworks. The Data Protection Commission (DPC Ghana) oversees implementation, registration, and enforcement.
Under the Act, all data controllers and processors operating in Ghana must register with the DPC and ensure fair, lawful, and secure processing of personal data (Ghana DPA, ss. 18–21). While the legislative structure is strong, the DPC continues to face capacity constraints and funding challenges that affect its ability to conduct widespread enforcement. Nevertheless, the Commission has launched annual awareness programmes and registration drives to improve compliance rates across industries.
4. The Continental Picture: The Malabo Convention and the African Union Data Policy Framework
At the continental level, the African Union Convention on Cyber Security and Personal Data Protection (commonly called the Malabo Convention) serves as Africa’s first treaty dedicated to cybersecurity and personal data protection. Adopted in 2014, it aims to create a harmonised standard for African Union member states and to promote cooperation between national authorities (AU, 2014).
However, while many AU member countries have signed the Convention, fewer have ratified it, and practical implementation is slow. Despite this, the Malabo Convention remains a symbolic foundation for regional harmonisation efforts and has inspired several national laws, including Nigeria’s NDPA 2023 and Kenya’s DPA 2019.
Complementing the Convention is the African Union Data Policy Framework (2022), which sets out continental priorities for data governance, cross-border data flows, and responsible data innovation. The Framework encourages interoperability among AU member country laws, sustainable digital economies, and regional cooperation among supervisory authorities.
5. Common Challenges Across Africa
While progress across Africa is encouraging, several shared challenges persist:
– Enforcement Gaps: Many regulators, though legally empowered, struggle with funding and personnel limitations that delay investigations or hinder continuous oversight.
– Low Public Awareness: Data protection remains a niche topic for most data subjects. Awareness campaigns have not yet matched the scale of technological adoption.
– Harmonisation Difficulties: With over 30 national data protection laws now in force, aligning rules on cross-border transfers, adequacy, and jurisdiction remains a continental challenge.
– Digital Divide: The uneven distribution of digital literacy and infrastructure means some regions and sectors lag behind in both compliance and enforcement.
6. The Road Ahead
African regulators are increasingly engaging through platforms like the Network of African Data Protection Authorities (NADPA) to share best practices and build consistency in enforcement. The long-term goal is to establish harmonised mechanisms that facilitate safe data flows across the continent while respecting national sovereignty and innovation.
As Nigeria moves ahead with its NDPA 2023 and GAID 2025, the continent can look to cross-border regulatory dialogue as a pathway to balanced, sustainable digital development.
Short Test
Which South African authority enforces the POPIA?
a) The Ministry of Justice
b) The Information Regulator
c) The Data Protection Commissioner
d) The Constitutional Court
Under Kenya’s Data Protection Act, who is responsible for issuing compliance regulations?
a) The ICT Authority
b) The Office of the Data Protection Commissioner
c) The Communications Authority
d) The Ministry of Technology
True or False: Ghana’s Data Protection Commission does not require data controllers to register.
What is the name of the African Union treaty focused on data protection and cybersecurity?
a) Addis Ababa Protocol
b) Malabo Convention
c) Nairobi Accord
d) Kigali Framework
Which AU policy document seeks to harmonise data governance across African countries?
a) AU Digital Strategy 2020
b) AU Data Policy Framework
c) African Continental Free Data Agreement
d) ECOWAS Cyber Policy