Methodology

DATA PROTECTION AFRICA

Data Protection Africa maps the state of data protection regulation in Africa by analysing the existence of domestic and international legal commitments in each of the 55 Member States of the Africa Union.

To get started, select a country from the main menu, or browse the home-page map for a big-picture look at data protection across the continent.

This page describes the methodology used to analyse the state of data protection in each country.

How we reached our conclusions

Our researchers looked at 50 different factors to evaluate each country’s legal framework on data protection. These variables were chosen because they represent some of the most important ways in which a data subject’s rights can be protected.

The variables cover seven different areas: (1) Domestic Legal Commitments; (2) International Legal Commitments; (3) Scope of Application; (4) Transparency; (5) Accountability; (6) Participation; and (7) Automated Processing.

See the section below for more detail about each variable.

What we didn’t look at

Our analysis looks only at the existence of laws and the text of those laws or draft Bills, where applicable, at the time of publication. It does not assess actual compliance with the law or whether the provisions have been implemented, other than looking at whether members of the Data Protection Authority (DPA) have been appointed. This is a starting point to understand the gaps and remaining challenges in advancing data protection in Africa.

This analysis also looks only at comprehensive data protection legislation. In other words, we did not evaluate other legislation, such as electronic communications or cybercrimes acts, unless they explicitly reference the protection of personal information or deal substantially with data protection.

Our variables

Domestic Legal Commitments

Enshrined the right to privacy in the Constitution: Does the country’s Constitution protect the right to privacy?

Has DPA legislation: Does the country have comprehensive or dedicated data protection legislation currently in force?

Member(s) of the Data Protection Authority have been appointed: we count only clear evidence of members having been appointed to the office of the Data Protection Authority designated by law or an office having been established. In cases where oversight authority is vested in a pre-existing institution, such as the communications authority, we have marked this as “Yes,” even though is varying evidence of these authorities having actively taken on their data protection responsibilities.
International Legal Commitments

Signed, acceded to, or ratified the ICCPR (1966): Has the country signed, acceded to or ratified the International Covenant on Civil and Political Rights (ICCPR)?

Acceded to the Council of Europe Convention 108 on Personal Data (1981): Has the country acceded to the Council of Europe Convention 108?

Signed or Acceded to Council of Europe Convention 185 on Cybercrime (2001): Has the country signed or acceded to the Council of Europe Convention 185 on Cybercrime?

Signed or ratified the Malabo Convention (2014): Has the country signed or ratified the African Union Convention on Cybersecurity and Personal Data Protection?

Signed the ECOWAS Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS (2010): Has the country signed ECOWAS Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS? This variable is only relevant for ECOWAS Member States but is included for all countries for comparison purposes.

Acceded to Council of Europe Additional Protocol to Convention 108 (Treaty No. 181) (2001): Has the country acceded to the Council of Europe additional Protocol to Convention 108 (Treaty No. 181)?
Scope of Application

Applies to natural persons: Does the scope of the Act include natural persons?

Applies to juristic persons: Are juristic persons protected as data subjects under the Act?

Applies to public entities: Are public bodies, such as government departments, protected as data subjects under the Act?

Domestic/personal purposes exclusion: Does the law provide an explicit exclusion for domestic or personal uses of personal information?

National security exclusion: Does the law provide an explicit exclusion for processing of personal information for the purposes of national security?

Law enforcement exclusion: Does the law explicitly exclude law enforcement agencies from compliance?

Cabinet or Executive Council exclusion: Does the law provide that members of the Cabinet or Executive Council are exempt from compliance? This counts as a “Yes” only if the law explicitly refers to members of the Cabinet or Executive.

Judicial functions exclusion: Does the law explicitly exclude judicial officers and other functionaries of the judiciary from compliance?

Journalistic, literary, or artistic purposes exclusion: Does the law provide an exclusion for the processing of personal information for journalistic, literary or artistic purposes?

Temporary copies exclusion: Does the law explicitly exclude temporary copies of data? For example, Senegal’s Law No. 2008-12 excludes the processing of temporary copies that are made in the course of technical transfer activities and providing access to a digital network for the automatic, intermediate and transient data and the sole purpose of allowing other recipients of the service the best access possible to the transmitted information (Article 3).

Other exclusions: Does the law provide for other exclusions that are significant? For example, some exclude research in health and health data from the provisions of the Act, while others exclude the processing of personal information relating to sex life when carried out by specific organisations.

Broad or vague exclusions: Are there any exclusions listed in the Act which may be deemed overly broad or vague? Such provisions may limit the efficacy of the legislation by providing excessive loopholes for non-compliance. Vague terms, such as “the public interest” or “the State’s economic or financial interests” may be open to abuse and result in diminished and inconsistent application of the law.

Applies to foreign entities: Does the law specify that it applies to processing by entities that are established within or outside the territory but that use processing methods situated in the territory? Some laws do not explicitly include foreign entities, but refer broadly to all processing occurring within the country, which is counted as a “Yes”. Some laws even state that they apply to responsible parties processing personal information outside the country (although this is not what this variable refers to).

Excludes foreign entities that only transit/forward personal data through the country: Does the law exempt foreign entities that do no more than transit or forward personal information through the country?
Transparency

Notification that data is being processed: Does the law provide the data subject with a right to be notified that their personal data is being processed? In some cases, this right is inferred from the combination of a requirement that information be collected directly from data subjects and that data subjects must be informed of certain information at the time of or prior to collection. However, in some cases, there are exceptions when collecting information from sources other than the data subjects themselves, which creates loopholes (in such cases, it is noted as “Partial.”) In some cases, data controllers are only required to notify the Data Protection Authority that data is being processed, which is counted as meeting the requirement.

Notification to DPA in event of a data breach: Does the law require the responsible party to notify the designated Data Protection Authroity if there is an unauthorised breach of the data under their control? Some countries require notification to the DPA but provide exceptions or qualifications for that requirement. In these cases, the country will be marked as “Partial.”

Notification to data subject in event of a data breach: Does the law require the responsible party to notify the data subject if there is an unauthorised breach of the data under their control? Some countries have exceptions under which notification is not required, such as if the responsible party has taken “appropriate safety precautions” or the breach is “unlikely to result in a high risk for data subjects’ rights,” and in those cases we have marked the country as “Partial.”

Specific timeframe for notification is specified: Does the law require the notification to either the DPA or the data subject to be completed within a specific period of time? Many countries provide vague requirements such as “within a reasonably practicable period,” which have been marked as “No.” Countries that require notification “immediately” have been marked as a “Yes.”

Exceptions exist to breach notification requirement: Are there specific exceptions to the requirement to notify either the Data Protection Authority (DPA) or the data subject in the event of a data breach? For example, some countries’ law require notification only in certain circumstances, while others exempt the responsible party from notifying the data subject if it has taken “appropriate security precautions.” Some also give the DPA the authority to decide whether a breach must be reported to the data subject.

Requires a data processing register: Does the law require responsible parties or the DPA to maintain a register of data processing which can be made available to the authority, or occasionally, to any person who requests it? It should be noted that the term “data processing register” is used here to mean a consolidated bundle of information on ongoing processing that is developed and maintained by either the Data Protection Authority or a responsible party. Where countries require the keeping of a register only for some types of processing, or where the requirement is not clear or comprehensive, it is marked as “Partial.”

Register is publicly available: Does the law require that the data processing register be made available to the general public? In some cases, the public may need to pay a fee to access the register, but this is still counted in the affirmative. Where it is not specified whether the public may access the register or not, this is marked “No”.

Provides for terms of service icons: terms of service icons are graphic representations of concepts often included in data protection legislation. They are sometimes used on websites or in digital products to quickly and easily enable users to understand whether the service complies with a concept. Some data protection laws require or regulate the use of terms of service icons.

DPA must submit at least annual report: Does the law require that the data protection authority submits a report on its activities at least once per year, or more regularly? If the law states that a DPA “may” submit a report but does not require it, it has been marked as “No.” If the law does not specify the time frame for which reports must be submitted, it has also been marked as “No.”

DPA report is made public: Is the report submitted by the data protection authority required to be published or accessible to the public?
Accountability

Explicit provision for civil liability: Does the law explicitly provide that data subjects who have experienced a violation may hold a responsible party accountable through civil proceedings? Note that even if the law does not explicitly state this, such mechanisms may still be available.

Establishes/designates a Data Protection Authority to ensure compliance: Does the law appoint or create a Data Protection Authority that is responsible for ensuring enforcement of the law?

DPA is empowered to investigate: Does the law empower members or representatives of the Data Protection Authority to investigate alleged breaches of the law?

DPA is empowered to subpoena or request evidence: Does the law explicitly empower the Data Protection Authority to subpoena or request evidence when investigating alleged breaches?

Law provides for criminal penalties: Does the law directly provide for criminal sanctions for breaches of its provisions?

Law provides for administrative penalties: Does the law explicitly state that fines or other administrative penalties may be levied by the Data Protection Authority?

DPA is independently structured (does not exist within or receive instructions from another public body): Is the Data Protection Authority established as a separate, independent institution? Where a DPA is designated from an existing authority or is situated within or reports to an existing government Ministry/Department, the answer is listed as “No.”

DPA receives funding directly from the state budget/legislative body: Does the law provide for the Data Protection Authority to receive funds from the state budget?

DPA may receive some forms of external funding/own revenue: Is the Data Protection Authority empowered to levy and collect fines or receive forms of external funding (i.e., other than from the state budget)?

Adequate protections against undue removal of DPA head are in place: Does the law provide for reasonable protections against the unilateral or politically-motivated removal of the head of the Data Protection Authority? For example, the law should specify on what grounds a head may be removed. Some countries’ laws even go so far as to explicitly state that a member may not be removed for opinions that they give or acts that they take in implementing their functions.

Number of members in the DPA: How many members are appointed to the Data Protection Authority? In most cases, this refers to board members or an equivalent.

Maximum term length for members of the DPA (years): How long could a member of the Data Protection Authority stay in office? The length is calculated as the maximum term times the number of times the term can be renewed. Where the law does not specify and no regulations exist to provide further clarity, the answer is given as “Unclear.”
Participation

Right of data subject to access a copy of their personal data: Does the law provide that the data subject has the right to request access to a copy of their personal data held by a responsible party?

Right of data subject to request correction of data: Does the law provide that the data subject may request a responsible party to correct their personal data held or processed by the responsible party?

Right of data subject to request deletion of data: Does the law provide that the data subject may request a responsible party to delete their personal data?

Justification required for a request for deletion: Does the law state that there must be a justification for the data subject to request the deletion of their personal information? Many countries, for example, state that the data subject may only request a deletion where the information is incorrect or outdated.

Defines the requirements for consent: Does the law explicitly and clearly define the requirements for consent? For example, does it state that consent must be informed and freely given?

DPA is mandated to participate in policy formulation: Does the law explicitly empower the Data Protection Authority to advise the government or otherwise participate in policy formulation on issues within its purview?
Automated Decision-Making

ALT Advisory is grateful to the Open Government Partnership for inspiration for this project. ALT Advisory worked together with OGP to conduct a detailed review of data protection legislation in 14 OGP member countries in Africa. OGP’s report can be viewed here.