Law 2017-28

Law No. 2017-28 of May 3, 2017 on the Protection of Personal Data (amended by Law No. 2019-71)

Flag of NE
Republic of NigerOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
May 3, 2017
Enacted
May 3, 2017
Enforcing Authority
Haute Autorite de Protection des Donnees a caractere Personnel (HAPDP)
Consent Model
Opt-in
Applies To
All entities collecting, processing, storing, using, or transmitting personal data within Niger

Overview

Niger enacted Law 2017-28 in May 2017 to regulate the collection, processing, and storage of personal data. The law was amended in 2019 by Law No. 2019-71 and established the Haute Autorite de Protection des Donnees a caractere Personnel (HAPDP) as the national supervisory authority. The HAPDP officially began operations in August 2020 and balances enforcement activity with digital awareness-building in Niger's developing digital economy.

What This Means for Your Website

If your website processes personal data from individuals in Niger, you need opt-in consent before any data collection. Processing activities must be declared to or authorized by the HAPDP before they begin. Cross-border data transfers are only permitted to countries providing adequate protection levels. Sensitive personal data categories are subject to heightened safeguards and authorization requirements.

Key Requirements

Organizations must obtain consent and secure prior declaration or authorization from the HAPDP. Penalties are among the steepest in the region, with fines starting at XOF 20 million and reaching XOF 40 million, plus potential imprisonment of 3 to 5 years. The HAPDP can also issue warnings and temporarily or permanently withdraw processing authorizations. Data subjects have rights to information, access, and rectification of their personal data.

How ConsentStack Handles This

ConsentStack geo-detects visitors from Niger and presents an opt-in consent banner before any non-essential processing begins. Consent records are stored with timestamps and preference details for regulatory audits. The platform's consent category configuration helps you map processing activities for HAPDP declarations and demonstrate compliance with cross-border transfer requirements.

Penalties

Monetary fines XOF 20,000,000-40,000,000; 3-5 years imprisonment; warnings; temporary/permanent withdrawal of authorization

Maximum Fine
F CFA 40,000,000 aggregate

Key Requirements

  • Consent required for personal data processing
  • Data subjects have rights to information, access, and rectification
  • Prior declaration or authorization required from HAPDP
  • Cross-border transfers require adequate protection in recipient country
  • Sensitive data subject to enhanced protections

Notable Provisions

  • Among the highest fine floors in West Africa (minimum XOF 20M)
  • Combined criminal and administrative penalties
  • HAPDP launched operations in August 2020, three years after enactment

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Does Niger require cookie consent?

Niger's Law 2017-28 does not have specific cookie provisions, but any personal data collected via cookies or tracking technologies requires opt-in consent under the general processing rules.

What are the penalties for data protection violations in Niger?

Fines range from XOF 20 million to XOF 40 million, among the highest floors in West Africa. Criminal penalties include 3-5 years imprisonment. The HAPDP can also withdraw processing authorization.

Who enforces data protection in Niger?

The Haute Autorite de Protection des Donnees a caractere Personnel (HAPDP) is the national supervisory authority. It became operational in August 2020 and handles compliance oversight and enforcement.

When was Niger's data protection law amended?

The original Law 2017-28 was amended in December 2019 by Law No. 2019-71, which strengthened various provisions of the framework.

Stay compliant with Law 2017-28

ConsentStack helps you implement Opt-in consent for Republic of Niger automatically.

Get started free