Out of Africa (and the Near East): Privacy Rules Come at Rapid Pace
Countries in Africa and the Near East have been enacting data privacy laws at a dizzying pace over the past several years, far exceeding the pace in other regions of the world such as Asia and the Americas.[1] In the past decade, 24 laws were enacted in this region; 14 of these were just in the past five years. In comparison, 13 new laws in Asia and 21 in the Americas were enacted in this same 10-year period. All indications are that the region’s privacy rules will continue to grow at a rapid pace into 2021 and beyond. Enforcement is also likely to increase in the region as more countries establish their data protection authorities and these privacy regimes begin to mature.
This region has some very distinct characteristics that set it apart from other regions of the world, particularly with respect to cross-border transfer and registration requirements. Contrary to the trend around the world to minimize registration requirements, most of the laws in this region require organizations to register processing activities with a data protection authority (DPA). Moreover, with its diverse array of the cross-border rules, this region’s data privacy landscape is akin to the Wild West.
The explosion of new and disparate laws in this region in such a relatively short period of time, coupled with the fact that almost one-third of these jurisdictions have not yet established their DPAs, makes it challenging for companies to develop their regional privacy compliance approaches, let alone integrate them into their global compliance programs. Nonetheless, it is important to take these differences into account when developing privacy compliance programs. This alert discusses some of the commonalities and differences among the privacy regimes in the region and identifies the jurisdictions that are likely to enact new or amended laws in the next few years.
Thirty-four jurisdictions in the region now have comprehensive privacy laws.[2] More than two-thirds of these laws (24) were enacted within the past decade and, of these, 14 were enacted in the past five years. The newest laws are in the Republic of the Congo, Egypt, Kenya, Nigeria, Togo, and Uganda. In addition, the existing laws in Benin, Mauritius, and the UAE (DIFC and ADGM) were amended within the past three years.
While they share the same core data protection elements, all of these laws have specific rules that are very different from each other and from those in other regions. However, implementing data privacy programs to comply with these rules can be challenging, particularly in those jurisdictions that have yet to establish their DPAs.[3]
Scope. Most of the laws in this region apply to processing in-country only. However, three have extraterritorial provisions: Benin, Qatar, and Uganda. Benin’s law applies to processing by controllers or processors in Benin, whether or not the processing takes place in or outside Benin. It also applies to controllers and processors not established in Benin that process personal information of people in Benin where these processing activities relate to:
Qatar’s law applies to processing by controllers, processors, and website operators and Uganda’s law applies to organizations within Uganda that process personal information or organizations outside Uganda that process personal information relating to Ugandan citizens.
Cross-Border Transfers. While most of the jurisdictions (31) impose restrictions on cross-border transfers for personal data, there is such a diverse array of rules that it is practically impossible to characterize them in meaningful ways.[4]
Adequacy. Twenty-nine of these 31 countries permit transfers to countries that provide adequate protection; however, most (24) have not issued their lists of adequate countries. Of the five that have, their lists vary widely. For example, the Côte d’Ivoire recognizes the member states of ECOWAS[5]; Chad recognizes the member states of the Central African Economic and Monetary Community (CEMAC) and the Economic Community of Central African States (CEEAC)[6]; Lesotho recognizes member states that have transposed the Southern African Development Community (SADC) data protection requirements[7]; Morocco recognizes the EEA Member States and Canada; and the UAE/DIFC and ADGM recognize the EEA Member States as well as other jurisdictions recognized by the EU as providing adequate protection.
In order to transfer to an adequate country, eight of these 29 countries additionally require DPA authorization, notification, or a DPA license: Benin, Republic of the Congo, Egypt, Guinea, Morocco, Senegal, Togo, and Tunisia. Two of these countries, the Republic of the Congo and Togo, have not yet established DPAs.
Adequate Protection Measures. Twenty-two of the 29 countries permit transfers where adequate protection measures are in place, such as contractual clauses, but in many cases the DPAs must also approve the transfers and/or contractual clauses. Only a couple of DPAs (in the UAE/DIFC and ADGM free trade zones) have issued their own clauses. Alternatively, Israel permits the use of EU Standard Contractual Clauses with minor modifications.
Legal Bases. All but a few laws permit transfers to inadequate countries provided one of the legal bases specified in the law applies. However, these legal bases vary widely. Some provide for one or more legal bases such as consent, contractual necessity, vital interests, and/or a legal claim; some only permit such transfers on the basis of consent, while others limit the use of consent to transfers that are limited and specific. Many laws also require DPA authorization for such transfers. In contrast, laws in countries such as Burkina Faso, Côte d’Ivoire, Guinea, Niger, and Tunisia do not provide any legal bases other than DPA authorization.
Breach Notification. More than one-third of the laws (14) require notification in the event of a data breach.[8] Five of the jurisdictions do not require notice to be given to individuals and/or the DPA where there is no risk of harm from the breach. The other nine jurisdictions require notification to the DPA in the event of any data security breach. While many of the laws only require that notice be provided to individuals and/or to the DPA “as soon as practicable” or “without delay,” others (Republic of the Congo, Egypt, Mauritius, and the UAE/ADGM) require notification to the DPA within 72 hours. Most require that both individuals and the DPA must be notified about a breach.
Legal Bases for Processing. Almost half of the laws (16) do not permit processing on the basis of legitimate interests. Instead, the laws rely on other legal bases such as consent, contractual necessity, legal requirements, or vital interests. Only two countries, Israel and Mali, do not expressly require a legal basis for processing. Instead, they specify that processing for purposes other than those for which the information was provided constitutes a violation of privacy.
Individual Rights. Access and correction rights must be provided in all countries. More than two-thirds of the laws (24) provide erasure rights and one-quarter (8) provide data portability rights. The timeframes for responding to individual rights requests also vary widely: 12 countries require responses to rights requests within 30 days or more; two within 21 days; eight within 10-15 days; and one within six days. Ten do not specify a specific time period.
Data Protection Officer (DPO). More than one-quarter of the jurisdictions (10) require the appointment of a DPO: Benin, Republic of the Congo, Egypt, Madagascar, Mauritius, Nigeria, South Africa, Tunisia, Uganda, and the UAE/DIFC.
Registration. While the trend around the world is to minimize registration requirements, most of the laws in the region (31) require organizations to register processing activities with a DPA. The countries that do not impose registration requirements are the Republic of the Congo, Nigeria, and Qatar.
Security. Slightly more than half of the countries (18) have either some specific or very detailed security provisions. The countries with detailed security obligations are Benin, Israel, Senegal, and the UAE/DIFC. Three countries, Benin, Côte d’Ivoire, and Nigeria require the submission of security compliance or audit reports annually to the DPA.
Data Protection Impact Assessments (DPIAs). Most laws in the region do not require organizations to carry out DPIAs. DPIAs are required only in Benin, Republic of the Congo, Israel, Kenya, Mauritius, South Africa, and the UAE/DIFC.
Enforcement. With the entry into force of several new laws in the past two years and the recent establishment of DPAs in Kenya and Uganda with more likely to follow in the coming year or so, enforcement activity in the region is likely to increase. The DPAs in Benin, Ghana, Israel, Mali, Mauritius, Morocco, Senegal, and Tunisia have been the most active; the DPAs in Nigeria and South Africa are also likely to join that list soon. In the past year, the Nigerian DPA began issuing non-compliance notices to organizations that failed to submit their required data protection audits. In South Africa, the DPA has been established for a couple of years but enforcement of the data privacy law does not begin until July 1, 2021.
The following provides a brief snapshot of recently enacted laws:
Bahrain. Bahrain’s Personal Data Protection Law, Law No. 30 of 2018, entered into effect on August 1, 2019. The DPA is not yet established; however, the Ministry of Justice has temporarily assumed its functions and powers until an independent authority is allocated a budget and a board of directors is established.
Republic of the Congo. Law No. 29-2019 on protection of personal data went into effect in November 2019; compliance by private sector organizations was required by November 2020. The DPA is not yet established.
Egypt. The Personal Data Protection Law, No. 151 of 2020 entered into force on October 14, 2020; compliance is required one year after executive regulations are issued. Those regulations are expected to be issued by April 14, 2021. A DPA has not yet been established.
Kenya. The Data Protection Act, 2019 went into effect in November 2019; however, the data protection commissioner was only recently appointed in November 2020.
Nigeria. The Data Protection Regulation 2019 (“Regulation”) was issued by the National Information Technology Development Agency (NITDA) in January 2019. NITDA subsequently issued a draft Data Protection Implementation Framework for the Regulation, which it encouraged companies to use as a compliance guide until a final text is issued. The final text has yet to be issued. In the meantime, as discussed below, efforts are now underway to develop a new and more comprehensive data protection law.
South Africa. Although it was enacted in 2013, South Africa’s Protection of Personal Information Act only entered into force on July 1, 2020. Organizations have been given until July 1, 2021 to comply with the law. The DPA has been operational since 2016.
Togo. The Law on Protection of Personal Data went into effect in October 2019, with enforcement to begin in October 2020; however, the DPA is not yet established.
Uganda. Uganda’s Data Protection and Privacy Act, 2019 was enacted in February 2019 and entered into force in February 2020. However, the necessary implementing regulations have not yet been issued. The Ministry of ICT and National Guidance released for public comment Draft Data Protection and Privacy Regulations 2020 (“Draft Regulations”), which address, among other things, the provisions pertaining to the registration, security breach notification, and DPO requirements. The law provides for the creation of a data protection office within the National Information Technology Authority; however, there is no indication at this time that this office has been established.
UAE/DIFC. A new data protection law, DIFC Law No. 5 of 2020, took effect on July 1, 2020, replacing the 2007 DIFC data protection law. In response to the pandemic, the government announced that businesses subject to the law would be given a three-month grace period, until October 1, 2020, to come into compliance with the law. While the law generally follows the EU’s General Data Protection Regulation, there are some notable differences in provisions regarding, for example, consent, individual rights, registration, and security breach notification.
Anticipated Amendments to Existing Laws
Israel. Almost 40 years after the enactment of Israel’s Protection of Privacy Law, 5741-1981, the Israeli Ministry of Justice announced in 2020 its plans to update the law to take into account new technological developments. It held a consultation in December 2020 to solicit input from the public on the ways in which the law should be amended. In addition, efforts to improve and update the DPA’s supervisory and enforcement capabilities have been underway since 2018.
Developments in Countries with No Privacy Laws
In the next couple of years, we expect to see more new laws enacted, possibly in Jordan, Namibia, Nigeria, Saudi Arabia, and Zimbabwe:
Jordan. The Ministry of Digital Economy and Entrepreneurship submitted its draft data protection bill to the Council of Ministers and, in January 2020, the bill was published on the Bureau of Legislation and Opinion website. If enacted, the bill would, among other things, establish general data protection principles, require legal bases for processing personal data, provide for individual rights, including the right to be forgotten and data portability, impose 72-hour breach notification requirements, and restrict cross-border transfers of personal data to countries that provide adequate protection rules. The DPA would be established within the Ministry of Digital Economy and Entrepreneurship.
Namibia. The Ministry of Information and Communication Technology (MICT) is reportedly working on draft data protection legislation. In February 2020, the Ministry participated in a workshop on drafting data protection legislation co-sponsored by the Council of Europe.
Nigeria. The Nigerian government has drafted data protection legislation, the Data Protection Bill, 2020, which is expected to be introduced in the National Assembly. Unlike virtually all other laws enacted around the world, this proposed law would regulate personal data of individuals and legal entities (both public and private). Moreover, it would apply to processing by controllers established in Nigeria, controllers not established in Nigeria that use equipment in Nigeria to process personal data, as well as controllers (without regard to their establishment) that carry out processing of information relating to individuals who reside within or outside Nigeria and personal data which originates partly or wholly from Nigeria. Like other laws, this legislation establishes basic principles and legal bases (such as legitimate interests, contractual necessity, and consent) for processing of personal data, provides for individual rights, including erasure and data portability rights, and imposes security requirements including specific obligations on data processors. In addition, it imposes restrictions on cross-border transfers and requires the submission of annual audit reports and notification of data breaches within 48 hours. Lastly, it provides for the establishment of a Data Protection Commission and imposes criminal penalties for law violations.
Saudi Arabia. Saudi Arabia’s National Data Management Office (NDMO), the entity responsible for data governance in the Kingdom, has recently issued National Data Governance Interim Regulations (“Interim Regulations”) but their legal status (whether they are mandatory regulations or voluntary guidance) remains unclear. The Interim Regulations address areas such as data classification, data sharing, and data privacy, in anticipation of further rules or legislation in this area. The data privacy-related provisions, among other things, impose data localization requirements that require controllers to store and process personal data within the country unless the controllers obtain written prior approval from the regulatory authorities, and require consent to process personal data in most instances and notifications of data breaches within 72 hours.
Zimbabwe. The Cyber Security and Data Protection Bill is currently pending in Parliament. There were public hearings and a consultation on the proposed legislation last year and the legislature is expected to proceed with legislation in 2021. The bill has been controversial, largely with respect to provisions that would criminalize certain forms of online speech and activity. Critics have charged that these provisions would undermine the freedom of expression and freedom of the media. With respect to the data protection-related provisions, the bill establishes general rules for the processing of personal data, including sensitive data such as genetic, biometric, and health data, and would impose notice, consent, and breach notification requirements.
This has been republished in Pratt's Privacy & Cybersecurity Law Report.
[1] See our client alerts on the privacy laws in Asia and the Americas.
[2] These jurisdictions are Algeria, Angola, Bahrain, Benin, Botswana, Burkina Faso, Cape Verde, Chad, Republic of the Congo, Côte d’Ivoire, Egypt, Equatorial Guinea, Gabon, Ghana, Guinea, Israel, Kenya, Lesotho, Madagascar, Mali, Mauritania, Mauritius, Morocco, Niger, Nigeria, Qatar, São Tomé & Principe, Senegal, Seychelles, South Africa, Togo, Tunisia, Uganda, and the United Arab Emirates (in two free trade zones – the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM)). The Mauritanian law has not yet entered into force. An implementing decree must be issued in order to bring the law into force. In addition, the law in Seychelles is not in force.
[3] The jurisdictions are Algeria, Bahrain, Botswana, Republic of the Congo, Egypt, Equatorial Guinea, Lesotho, Madagascar, Mauritania, and Togo.
[4] The laws in Ghana, Qatar, and Seychelles do not restrict cross-border transfers of personal data.
[5] The ECOWAS member states are Benin, Burkina Faso, Cape Verde, Côte d’Ivoire, The Gambia, Ghana, Guinea, Guinea Bissau, Liberia, Mali, Niger, Nigeria, Senegal, Sierra Leone, and Togo.
[6] The six members of CEMAC are Gabon, Cameroon, the Central African Republic (CAR), Chad, the Republic of the Congo, and Equatorial Guinea. The ten members of CEEAC are Angola, Burundi, Cameroon, Central African Republic, Chad, Republic of the Congo, Democratic Republic of the Congo, Gabon, Equatorial Guinea, and São Tomé & Principe.
[7] The SADC Member States are Angola, Botswana, Comoros, Democratic Republic of Congo, Eswatini, Lesotho, Madagascar, Malawi, Mauritius, Mozambique, Namibia, Seychelles, South Africa, Tanzania, Zambia, and Zimbabwe.
[8] Benin, Botswana, Chad, Republic of the Congo, Egypt, Ghana, Israel, Kenya, Lesotho, Mauritius, Qatar, South Africa, Uganda, and the United Arab Emirates (DIFC and ADGM).