NIGERIA

Nigeria Data Protection Commission (NDPC) investigates Optasia’s data processing activities

The NDPC is investigating Optasia, a leading Fintech services provider, following concerns about non-compliant data processing practices. The investigation primarily focuses on Optasia’s utilization of privacy-invasive technologies for marketing, credit scoring, and other financial services, which pose potential privacy risks. The NDPC emphasized the significance of data controllers and processors ensuring that their third-party partners are duly registered with the Commission to uphold data security and safeguard Nigeria’s data sovereignty. The company deployed privacy-invading technologies to process personal data for marketing, credit scoring, and other financial services. This was discovered during routine regulatory oversight of data controllers and data processors of major importance. All data controllers and processors of significant importance who rely on subprocessors are required to be registered with the NDPC per Nigerian law. 

Nigeria collaborates with Google to launch AI Fund.

On the 10^th of September 2024, Nigeria’s Minister of Communications, Innovation, and Digital Economy, Dr. Bosun Tijani, officially announced the establishment of a hundred-million-naira AI Fund in partnership with Google Africa. The fund aims to support Nigerian startups harnessing AI to develop groundbreaking solutions. The National Center for Artificial Intelligence and Robotics (NCAIR) will oversee the fund. This initiative marks a crucial stride towards leveraging forthcoming technologies to foster local innovation, address indigenous challenges, foster economic growth, and contribute to the global technology landscape. The minister stressed that by nurturing Indigenous startups, the government invests strategically in their success and the future of Nigeria’s digital economy.

“Beware of identity theft” – Nigeria Data Protection Commission advises organizations

The Nigeria Data Protection Commission (NDPC) has formally advised data subjects and organizations concerning the risks associated with identity theft. The Commission highlighted that the operational challenges stemming from these data breaches extend significantly beyond immediate financial repercussions. This situation calls for the urgent implementation of effective strategies to combat the increasing prevalence of identity theft, as emphasized by the nation’s data protection authority. NDPC further stated that data breaches can lead to the loss of sensitive information, immediate costs like legal fees and fines, and long-term damage such as loss of customer trust. To mitigate these risks, the NDPC recommended regular monitoring of financial accounts, adopting data protection policies, using identity theft protection services, enabling two-factor authentication, creating strong passwords, and staying vigilant against phishing scams.

Nigeria to sanction Starlink over unauthorized price increments

The Nigerian Communications Commission (NCC) has announced its intention to impose sanctions on Starlink for unilaterally raising its subscription fees and hardware prices without prior approval. The NCC emphasized that the price adjustments were made without the necessary approval despite the pendency of Starlink’s request for the approval of its proposed price increment. The Commission cautioned that enforcement measures will be implemented to uphold regulatory stability within the telecommunications industry.

Huawei is set to open a cloud region in Nigeria by the end of October 2024

Huawei Technologies is set to inaugurate a new data center in Nigeria to comply with the nation’s data storage regulations. Scheduled to commence operations on the 31^st of October 2024, the facility aims to assist local enterprises in adhering to Nigeria’s Data Protection Regulation (NDPR) by housing user data within the country, thereby addressing compliance concerns and minimizing latency. While AWS and Microsoft Azure have pre-existing data centers in Nigeria, Huawei’s forthcoming center is poised to deliver localized support and integrate with its established infrastructure in South Africa and Ireland. Moreover, in an April announcement, Huawei Cloud committed to backing 100 Nigerian startups by providing cloud credits valued at up to $150,000 over the next two years.

Nigeria to train 5000 data protection officers

The Federal Ministry of Youth Development in Nigeria has partnered with the Nigeria Data Protection Commission (NDPC) to facilitate the training of 5,000 young Nigerians as data protection specialists. This collaborative initiative forms part of an overarching strategy to engender over 10,000 data management positions nationwide. The NDPC underscored the escalating demand for data protection officers, noting that each data controller necessitates such a role. Furthermore, the NDPC has agreed with the Institute of Information Management to officially certify local data protection specialists, aiming to enhance domestic expertise and mitigate reliance on foreign training while concurrently ensuring global recognition of the certification.

AI Initiative Gets 1.5m USD Funding

The Nigeria AI Collective, a new initiative dedicated to advancing AI in Nigeria, has secured 1.5 million USD in funding from the global philanthropic group Luminate. The announcement was made by Dr. Bosun Tijani, Nigeria’s Minister of Communications, Innovation, and Digital Economy. Created under the National Centre for Artificial Intelligence and Robotics (NCAIR) office, the initiative aims to position Nigeria as a leader in AI development by promoting ethical AI, fostering collaboration across sectors, and driving innovation to support Nigeria’s economic growth. This aligns with Nigeria’s National AI Strategy, which was developed with input from over 120 local experts. Key organizations such as Lagos Business School, Data Science Nigeria, and the Centre for Journalism Innovation and Development will oversee the initiative’s research, training, entrepreneurship, and governance efforts.

MOROCCO

Morocco’s Data Protection Authority held its first Atlantic Inter-Network Meeting of Personal Data Protection Authorities

The National Commission for the Control of Personal Data Protection (CNDP) held the inaugural Atlantic Inter-Network meeting of data protection authorities. The conference’s primary objective was to develop a framework that facilitates the exchange of experiences relating to safeguarding personal data among the participating networks. The inaugural Atlantic Inter-Network Meeting of Personal Data Protection Authorities was held in Rabat, Morocco, on the 25^th and 26^th of September 2024, with delegates from diverse regional and international networks in attendance. These delegates included the European Data Protection Board, the European Commission, the African Union, etc. Discussions among participants focused on common challenges and opportunities in personal data protection, particularly regarding neurodata, digital identity for public services, AI, and deepfakes. The group also explored potential avenues for collaborative efforts.

Morocco Establishes Tech Trades Complex

Morocco has launched a new Tech Trades Complex in the city of Lahraouyine as part of its Digital Morocco 2030 initiative. The complex will provide training in software development, digital marketing, AI, cyber-security, and more, aiming to prepare young Moroccans for the job market. The initiative is a broader plan to create 240,000 tech jobs by 2030 and add $10.36 billion to the GDP. The country also aims to launch 3,000 tech start-ups, focusing on AI, blockchain, and cloud services. This follows Oracle’s investment in Morocco, which includes setting up two Cloud Regions and hiring 1,000 IT specialists.

ALGERIA

The National Authority for the Protection of Personal Data provides government officials with training on electronic authentication

On the 3^rd of September 2024, the National Authority for the Protection of Personal Data organized a training session to raise awareness and provide training. The training aimed to address the concerns of both public and private organizations regarding compliance with the provisions of Law No 18-07 of 10 June 2018 on the protection of natural persons in personal data processing, which pertains to the protection of individuals’ data. As a result of the training, participants pledged to uphold and enhance their data protection efforts in line with Law 18-07 requirements, utilizing the dedicated digital portal for this purpose.

Ordinary monthly meeting of the Personal Data Protection Authority

The Personal Data Protection Authority (DPA) convened its monthly meeting, presided over by its President and attended by members of the DPA and the Government Commissioner for Digital Affairs on the 2nd of October 2024. The agenda included approval of the minutes from the June 2024 meeting, discussion of complaint No. 002-2024, adoption of the draft deliberation on empowering DPA agents, adoption of the draft deliberation on the whistleblowing system, review of responses from ministerial departments on Data Protection Law compliance, and miscellaneous issues. The DPA members approved the agenda and the minutes from the June 2024 meeting.

Mauritanian Data Protection Authority pays official visit to Algerian counterpart

On the 6^th of October 2024, the President of the Personal Data Protection Authority (DPA) of Mauritania, led by members and executives, made a four-day official visit to the National Authority for the Protection of Personal Data (ANPDP). The visit aims to foster bilateral cooperation through training and the exchange of expertise.

GABON

The Authority for the Protection of Personal Data and Privacy holds a Hearing on Data Privacy Breach at the National Stock Exchange Agency

The Authority for the Protection of Personal Data and Privacy (APDPVP) recently conducted a hearing with the Director General of the Gabonese National Stock Exchange Agency (ANBG) to address the unauthorized release of personal data belonging to a group of agents, members of the ANBG. Despite the issuance of an internal memo by the ANBG, suspending several staff members on the 29^th of February 2024, their details were leaked the following day. The Director General of ANBG underscored the imperative of elucidating communication protocols to forestall future breaches. Additionally, the APDPVP commissioners took the opportunity to educate ANBG agents on their responsibilities, especially concerning data protection. Furthermore, the Director General announced that the ANBG intends to formally register its code of ethics with the APDPVP to also conform to applicable standards.

The National Center for the Development of Informatics (CENADI Cameroon) delegation attended a Libreville training to study Gabonese personal data and privacy

A delegation from the National Center for the Development of Informatics (CENADI), led by the head of the Studies and Projects Division, recently visited Libreville to learn from Gabon’s experience in personal data and privacy protection. Their visit included a seminar organized by the Authority for the Protection of Personal Data and Privacy (APDPVP), highlighting Gabon’s leadership in this field within the sub-region.

Cameroon has been actively pursuing the development of its data protection legislation since 2020. However, the country necessitates not only enacting a comprehensive law but also establishing a dedicated regulatory authority to effectively oversee data protection practices. Collaborating with more experienced nations like Gabon to advance their efforts is emphasized. The seminar provided the CENADI delegation with essential knowledge on data protection, focusing on Gabon’s legal framework and the role of the APDPVP. The vice president of CENADI stressed the importance of having both a law and authority, along with international recognition, as demonstrated by Gabon’s affiliations with regional and international organizations.

KENYA

Deputy Data Commissioner Advocates for Data Protection in Innovation at the International Association of Science Parks (IASP) World Conference

At the 41^st IASP World Conference, held on the 26^th of September, 2024, the Kenyan Deputy Data Commissioner stressed the importance of integrating data protection principles into innovation. She emphasized that regulatory compliance goes beyond simply aligning innovation with ethical standards; it requires ensuring that innovations contribute to the betterment of society while minimizing potential harm.

Data Commissioner Urges Balance of Security, Privacy, and Digital Transformation

During the Smart Government 2024 Summit, held on the 3rd of October 2024, the Kenyan Data Commissioner underscored the importance of striking a balance between security, privacy, and digital transformation as societies integrate technology. She urged ICT stakeholders to prioritize individual rights, including timely reporting of data breaches, and to ensure lawful data processing through comprehensive risk assessments. The Commissioner also highlighted data sharing as a significant privacy concern and announced initiatives to establish a data-sharing code for easier access to government services.

While acknowledging the increasing compliance efforts, she urged policymakers to carefully consider emerging technologies’ ethical implications and encourage public discussion on data security and privacy. Additionally, the Deputy Data Commissioner emphasized the significance of data sovereignty in cloud services, state control over data, and mutual agreements between countries on policies, laws, and safeguards to build trust.

Kenya’s Data Protection and Governance Society (DPGSK) released its second privacy professional survey report

DPGSK has published its second survey report concerning the state of the profession of privacy in Kenya. As a prominent organization operating under the Society Act in Kenya, DPGSK is dedicated to cultivating a dynamic community of data privacy and governance professionals nationwide. The report examines numerous facets of the data privacy and governance profession, illuminating respondents’ educational backgrounds, industry affiliations, and years of experience. It further addresses the challenges encountered by professionals in this field and offers well-considered recommendations for resolving these issues.

Acknowledging the critical role that professionals play in ensuring compliance across multiple economic sectors, DPGSK conducted a comprehensive survey involving various stakeholders. The purpose of this survey was to provide an in-depth analysis of the current landscape, concentrating on the roles, skills, aspirations, and trends that influence the work of these professionals.

Kenyan Data Protection Commissioner orders Umba Microfinance Bank to delete data

The Kenyan Data Protection Commissioner has ordered Umba Microfinance Bank to delete the personal data of data subjects it acquired from a public Facebook page. The Bank had been sending marketing communications to the data subject without a justifiable legal basis. The Bank relied on Section 28(b) of the Kenyan Data Protection Act, which permits data collection when individuals have intentionally made their information public. However, the data commissioner determined that utilizing publicly available data for marketing purposes without explicit consent is inappropriate. Consequently, the bank was directed to erase the complainant’s personal data from its records/ database within 14 days and to cease all direct marketing communications.

SOUTH AFRICA

South African regulatory authorities aim to streamline their efforts to minimize redundancy and enhance efficiency

South Africa has established the Information, Communication Technologies, and Media Regulators Forum to foster collaboration among vital regulatory bodies, the Independent Communications Authority of South Africa (ICASA), the Film and Publication Board, and the Information Regulator.

The forum is designed to enhance coordination, minimize redundancy, and institute more effective regulations in response to the increasing convergence of the ICT and media sectors. Its focal points include sharing best practices, addressing online harm, heightening public awareness, and harmonizing enforcement endeavors. The forum functions as a cooperative platform despite needing more formal authority or the capacity to issue binding recommendations. Membership is accessible to additional regulatory entities in the digital economy, while non-member organizations can participate as observers.

South Africa Releases National AI Policy Framework

The National AI Plan, launched in April, initiated a significant dialogue regarding artificial intelligence (AI) policy. In August 2024, the AI Policy Framework was unveiled, representing a substantial advancement in the integration of AI technologies. This framework aims to drive economic growth and enhance societal well-being, thus establishing a foundational structure for the National AI Policy.

Despite the Department of Communications and Digital Technologies (DCDT) not publicly endorsing this initiative, details regarding the AI Policy Framework—outlining the intended regulatory measures for AI—are accessible through various media channels. This policy transcends local initiatives, aligning with global standards concerning trustworthy AI, fairness, and data governance. This alignment is crucial for addressing the distinct challenges and opportunities across multiple sectors.

The policy employs the “Futures Triangle Approach,” which assesses three critical factors: the present state of AI technology, national development goals, and historical challenges. By considering these elements, the policy equips South Africa to effectively navigate the complexities associated with AI, thereby forming robust strategies for its application.

Moreover, the framework emphasizes transparency by systematically detailing policy creation, implementation, and evaluation processes. It delineates four phases in the policy lifecycle: formulation, adoption, implementation, and monitoring. The framework is situated within the initial phase, soliciting input from scientists, academics, industry professionals, and the general public. Encompassing twelve fundamental principles, the framework is designed to guide the policy’s objectives, addressing areas such as talent development, digital infrastructure, ethical AI practices, data protection, safety, transparency, fairness, and the alignment of AI initiatives with cultural values. These principles collectively foster a comprehensive approach to developing and utilizing AI in South Africa.

The Information Regulator of South Africa media briefing on the Access to Information Act (PAIA) and the Protection of Personal Information Act (POPIA)

The Information Regulator of South Africa recently conducted a media briefing to address matters related to the Promotion of Access to Information Act (PAIA) and the Protection of Personal Information Act (POPIA). These two frameworks are essential for ensuring transparency, facilitating access to information, and protecting personal data within the country.

PAIA aims to enhance transparency by allowing the public to access information held by both public and private entities. In contrast, POPIA concentrates on the protection of personal data and the upholding of privacy rights.

During the briefing, the Information Regulator provided updates on ongoing cases and discussed their efforts to enforce compliance with these statutes. The Information Regulator noted a rising number of complaints and investigations concerning potential violations of both PAIA and POPIA. They underscored the significance of these laws amid escalating concerns regarding data privacy, particularly in the context of advancing digital technologies and artificial intelligence.

Additionally, the briefing emphasized the necessity for both public and private organizations to adhere to these laws’ stipulations and implement appropriate systems for managing and safeguarding personal data. The Information Regulator reaffirmed its commitment to holding entities accountable for violations and ensuring that individuals’ rights to information access and privacy are consistently respected. The briefing highlighted the critical role that PAIA and POPIA play in preserving public trust and safeguarding personal data in South Africa. A progress report was presented regarding the extent of consultations that the information regulator has conducted with key stakeholders within the sector.

CAMEROON

Cameroon seeks to be Africa’s digital Economy Leader

Cameroon aims to position itself as a leader in Africa’s digital economy by enhancing its statistical system. During a forum in Yaoundé on the 8^th of October 2024, the Minister of Posts and Telecommunications highlighted the country’s rapidly expanding digital sector, driven by infrastructure investments and increasing ICT adoption. However, accurately capturing digital statistics has proven challenging due to diverse stakeholders, evolving technologies, and limited resources.

The forum convened nearly 300 participants to address these challenges and develop an action plan to strengthen the national statistical system. The Minister emphasized the critical role of reliable digital statistics in informed decision-making and effective planning. Furthermore, the Director General of the National Institute of Statistics underscored the importance of harnessing new data sources, such as big data and AI, to comprehensively capture the digital economy’s scope.

EGYPT

Oman Data Park signs 450M USD MoU for Egypt data center

Intro Technology, an Egyptian conglomerate Intro Holdings subsidiary, has entered a Memorandum of Understanding (MoU) with Oman Data Park (ODP) to establish a 450 million USD data center within Egypt’s Suez Canal Economic Zone. This strategic alliance represents the first collaboration between the two entities, with the shared objective of delivering cloud solutions and IoT services and facilitating digital transformation across Africa and the Middle East.

The Kemet Data Centre will undergo development in two phases, spanning 80,000 square meters. It will provide robust, cost-efficient cloud infrastructure with heightened data processing capabilities and minimal latency. Furthermore, the facility will integrate solar energy solutions to reduce environmental impact. The CEO of ODP underscored the significance of this partnership in fostering regional growth and innovation, specifically in meeting the escalating demand for digital services.

ZIMBABWE

Zimbabwe Releases Data Protection Regulation

The safeguarding of personal data and the regulation of online activities are critical for ensuring privacy and fostering trust in technology. On the 13^th of September 2024, Zimbabwe enacted Statutory Instrument (SI) 155 of 2024, on the Cyber and Data Protection Licensing Regulations. This legislation defines the guidelines for appointing Data Protection Officers (DPOs). Further, it enhances the nation’s data protection and cyber-security framework, building upon the Cyber and Data Protection Act [Chapter 12:07], which became effective on the 11^th of March 2022.

The primary aim of Statutory Instrument (SI) 155 of 2024 is to establish a clear and systematic framework for licensing organizations engaged in cyber and data protection activities. The regulations set essential standards for handling and securing personal data, ensuring compliance with current data protection laws. These regulations apply to all Zimbabwe organizations that manage personal data, including businesses, government agencies, financial institutions, banks, pension funds, and universities. Additionally, they stipulate the licensing requirements for data protection service providers and delineate the responsibilities associated with the role of Data Protection Officers. Organizations offering data protection services—such as data processing, storage, or cyber-security—must obtain a license from the Data Protection Authority to demonstrate that they meet requisite standards and operate within a regulated environment. The Data Protection Authority is responsible for overseeing the licensing process. Organizations seeking a license must submit comprehensive applications with detailed information regarding their data protection practices, security measures, and compliance systems.

Upon obtaining a license, these organizations must adhere to specific standards, which may include implementing robust data protection policies, conducting regular audits, and ensuring secure data processing systems. Adopting best practices in managing personal data is imperative, particularly considering the rising incidence of data breaches.

ANGOLA

APD requests clarification from META on the wave of cloning of WhatsApp accounts

In light of the increasing prevalence of account cloning incidents on WhatsApp, the Data Protection Agency (DPA) in Angola has sought clarification from Meta, WhatsApp’s parent company, to safeguard user privacy. Meta has acknowledged the receipt of complaints from Angolan users whose accounts have been compromised and has committed to assisting the DPA and affected users in addressing these challenges.

To bolster account security, Meta recommends that users examine the devices linked to their WhatsApp accounts within the settings to identify unauthorized access. Users must not share their “two-step verification” PIN or registration code with friends or family members. Users should remain vigilant when receiving unexpected emails or text messages requesting a PIN or registration code change. Links contained within such messages should not be clicked, as they may constitute phishing attempts. Activating this feature provides an additional layer of security and facilitates account recovery if users forget their PIN.

META clarified that WhatsApp cannot deactivate accounts or remotely remove devices associated with an account. Furthermore, WhatsApp cannot provide insight into who accessed an account or the time and location of such access. Users will be notified if they attempt to register an account using their phone number. The DPA encourages users to report any security-related incidents to the appropriate criminal investigation authorities and to inform META through the app’s help center. The DPA, tasked with protecting personal data, has committed to ongoing collaboration with META to ensure the privacy and security of WhatsApp users.