Privacy Regulations in Sub-Saharan Africa

41 privacy and data protection laws across Sub-Saharan Africa

POPIA
South Africa
Flag of ZA
Opt-in

Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.

NDPA
Nigeria
Flag of NG
Opt-in

One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.

Ghana Act 843
Ghana
Flag of GH
Opt-in

Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.

Kenya DPA 2019
Republic of Kenya
Flag of KE
Opt-in

Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.

Ivory Coast Law 2013-450
Ivory Coast
Flag of CI
Opt-in

Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Tanzania PDPA 2022
United Republic of Tanzania
Flag of TZ
Opt-in

Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.

Uganda DPPA 2019
Republic of Uganda
Flag of UG
Opt-in

Uganda's Data Protection and Privacy Act 2019 establishes the PDPO as an independent office under NITA-U. It prohibits processing personal data without prior consent and mandates accountability, lawful collection, data minimization, and purpose limitation. Criminal penalties of up to 10 years imprisonment make it one of the strictest enforcement regimes in East Africa.

Lei 22/11
Angola
Flag of AO
Opt-in

Angola's data protection law establishing the APD as an increasingly active supervisory authority. The APD fined five companies in June-July 2024, signaling growing enforcement. Express consent is required before processing, and all activities must be notified to the APD. Penalties are unusually dollar-denominated, with criminal and civil liability in addition to administrative fines.

Malabo Convention
African Union member states
Flag of AOFlag of BJFlag of TD+12
Opt-inSupranational

Continental framework treaty bundling data protection, cybercrime, cybersecurity, and e-commerce. Does not directly regulate websites but sets minimum standards for national laws. Took 9 years to reach the 15-ratification threshold. South Africa notably has not ratified.

Senegal Law 2008-12
Senegal
Flag of SN
Opt-in

Senegal's data protection law has among the harshest criminal penalties in West Africa — up to 7 years imprisonment. The CDP can provisionally withdraw authorization for 3 months, becoming permanent if non-compliance persists. Prior declaration to the CDP is required before processing.

DPA 2021
Zambia
Flag of ZM
Opt-in

Zambia's comprehensive data protection law establishing the Office of the Data Protection Commissioner. Enforcement formally began in March 2025 after a transition period. The law mandates registration of data controllers and licensing of data auditors, with a two-tier penalty structure distinguishing corporate entities from individuals. The 2% annual turnover cap applies to corporate penalties.

CDPA 2021
Zimbabwe
Flag of ZW
Opt-in

Zimbabwe's combined cybersecurity and data protection legislation establishing POTRAZ as the data protection authority. Requires data controller licensing and written consent for sensitive data. Notable for a strict 24-hour breach notification requirement and 10-15 years imprisonment for serious violations. All data controllers must obtain a license from POTRAZ before processing.

Digital Code Title III
Democratic Republic of the Congo
Flag of CD
Opt-in

Data protection provisions embedded within the DRC's comprehensive Digital Code enacted in March 2023. The framework covers digital activities, cybersecurity, electronic transactions, and data protection. Consent is required for processing, but enforcement is limited as the designated data protection authority has not yet been established. Multiple institutional bodies were created for different aspects of digital governance.

Rwanda Law 058/2021
Republic of Rwanda
Flag of RW
Opt-in

Rwanda's GDPR-style data protection law features extraterritorial reach and global turnover-based penalties enforced by the NCSA. It requires clear and unambiguous consent before data collection and imposes strict data localization requiring storage within Rwanda unless an NCSA certificate is obtained. A 48-hour breach notification window is faster than GDPR's 72-hour standard.

Ethiopia Proclamation 1321/2024
Federal Democratic Republic of Ethiopia
Flag of ET
Opt-in

Ethiopia's first comprehensive data protection law carries some of Africa's harshest criminal penalties, including up to 10 years for selling personal data. Enforced by the Ethiopian Communications Authority, it mandates strict data localization with servers in Ethiopia and requires consent for all processing. The 4% global turnover penalty for institutions mirrors GDPR levels.

Mauritius DPA 2017
Republic of Mauritius
Flag of MU
Opt-in

Mauritius's modernized data protection law replaces the earlier 2004 Act and aligns with GDPR standards. It features an unusual enforcement model where courts impose penalties rather than the Data Protection Office directly. Mandatory registration with the DPO is required before processing begins. As a CoE Convention 108 member, Mauritius signals alignment with European data protection standards.

DPA 2018
Botswana
Flag of BW
Opt-in

Botswana's first data protection legislation focused solely on personal data protection. Establishes the Data Protection Commission with broad enforcement powers. Consent is required before processing, and data controllers must inform data subjects of their rights before collection. Notable for a 12-year maximum imprisonment penalty among the highest in Africa.

Law 2010/012
Cameroon
Flag of CM
Opt-in

Cameroon originally regulated data protection through its 2010 cybersecurity law, then enacted a comprehensive standalone law in December 2024. The 2024 law is stricter than many jurisdictions with no legitimate interest basis for processing. Pre-ticked boxes, opt-out mechanisms, and bundled consent are explicitly prohibited, making consent banners essential for all non-essential data processing.

ECOWAS Data Protection Act
ECOWAS member states
Flag of BJFlag of BFFlag of CV+12
Opt-inSupranational

The first binding sub-regional data protection framework in Africa, strongly influenced by the EU Data Protection Directive. Requires member states to enact national laws and establish supervisory authorities. About two-thirds have enacted implementing legislation. Currently being revised to align with modern standards.

Law 2017-28
Republic of Niger
Flag of NE
Opt-in

Niger's data protection framework was enacted in 2017 and amended in 2019, with the HAPDP supervisory authority launching operations in August 2020. The law sets some of the highest minimum fines in West Africa at XOF 20 million and combines administrative sanctions with criminal penalties including imprisonment for serious violations.

Law 29-2019
Republic of the Congo
Flag of CG
Opt-in

Republic of Congo's data protection law establishing a framework for personal data processing with fines up to XOF 100 million. The designated Data Protection Commission (CPDCP) has not yet been formally established, rendering enforcement non-existent. The law includes modern provisions such as DPO requirements and mandatory impact assessments for high-risk processing.

DPA 2024
Malawi
Flag of MW
Opt-in

Malawi's first comprehensive data protection legislation, designating MACRA as the supervisory authority. Establishes fundamental data protection principles aligned with international standards including 72-hour breach notification and mandatory DPO appointment for large-scale processing. Consent is the primary legal basis, with mandatory registration for significant data controllers.

Code du Numerique
Republic of Benin
Flag of BJ
Opt-in

Benin's data protection rules are embedded within the broader Digital Code rather than enacted as standalone legislation. Book V of the Code du Numerique establishes the APDP as supervisory authority and requires prior declaration before processing personal data. The law was strengthened by a 2021 amendment and features escalating penalties reaching 5% of revenue for repeat offenders.

DPA 2022
Eswatini
Flag of SZ
Opt-in

Eswatini's first data protection legislation carrying some of the highest criminal penalties in Africa. ESCCOM serves as the regulatory authority with a two-tier penalty structure: administrative penalties of E5M or 2% turnover, and criminal penalties of E100M or 5% turnover plus up to 10 years imprisonment. Enforcement begins from September 2025.

Law 001/2011
Gabon
Flag of GA
Opt-in

Gabon's data protection law establishing the CNPDCP as a supervisory authority with broad enforcement powers including suspension of processing activities. Prior notification to the CNPDCP is required before processing begins. The graduated enforcement approach escalates from public warnings to formal notices, suspension, and then fines up to XOF 100 million.

DPA 2011
Lesotho
Flag of LS
Opt-in

One of the earlier data protection laws in Southern Africa, but severely limited by the fact that the Data Protection Commission has never been appointed. Consent is required for processing on paper, but enforcement is effectively non-existent. The Commission also lacks power to impose fines when appointed, relying on a courts-only enforcement model.

Act 001-2021
Burkina Faso
Flag of BF
Opt-in

Burkina Faso's comprehensive data protection law replaced the earlier 2004 framework and established the CIL as the supervisory authority. The law mandates consent for personal data processing and imposes turnover-based penalties with escalation for repeat offenders. Notably, the legislation does not address cookies or tracking technologies.

Law 007/PR/2015
Chad
Flag of TD
Opt-in

Chad's data protection law with dual administrative and criminal enforcement through ANSICE. Consent is required for all personal data processing, with graduated administrative sanctions escalating from warnings to processing bans before monetary penalties. The fine ceiling of XAF 10 million is relatively modest compared to regional peers, supplemented by criminal sanctions of up to 1 year imprisonment.

Madagascar Law 2014-038
Republic of Madagascar
Flag of MG
Opt-in

Madagascar's data protection law establishes the CMIL as the supervisory authority, though it was only operationalized in December 2023, nine years after the law's enactment. Consent or a valid legal basis is required for processing. The 5% turnover penalty cap is among the highest in Africa. Cross-border transfers are restricted to countries with adequate protection.

PDPP Act 2025
Republic of The Gambia
Flag of GM
Opt-in

The Gambia's first comprehensive data protection law is notable for its GDPR-style 4% global turnover penalty and departure from the typical African requirement of prior registration before processing. The law criminalizes selling personal data with up to 10 years imprisonment and requires 72-hour breach notification to the Information Commission.

Law 133/V
Republic of Cabo Verde
Flag of CV
Opt-in

Cape Verde enacted Africa's first comprehensive data protection law in 2001, making it a pioneer on the continent. The law has been significantly modernized through amendments in 2013 and 2021, with the latter introducing GDPR-aligned rights such as data portability and erasure, plus extraterritorial scope covering foreign controllers processing Cape Verdean residents' data.

Seychelles DPA 2023
Republic of Seychelles
Flag of SC
Opt-in

Seychelles' modern data protection law replaces the unenforced 2003 Act and designates the Information Commission as the enforcement authority with audit and investigation powers. It requires consent for processing, mandatory DPIAs for high-risk activities, and prompt breach notification. An 18-month transitional compliance period runs until June 2025.

Djibouti Digital Code 2025
Republic of Djibouti
Flag of DJ
Opt-in

Djibouti's first comprehensive data protection framework is part of a broader 156-article Digital Code. It establishes a modern GDPR-style regime with privacy by design requirements, data minimization by default, and 72-hour breach notification. The designated supervisory authority, CNDP, has not yet been established. Penalties reach up to 10 years imprisonment or 5% of turnover.

Comoros Data Protection Law 2021
Union of the Comoros
Flag of KM
Opt-in

The Comoros enacted a comprehensive data protection law in 2021 with broad territorial scope covering foreign entities, but it remains effectively unenforced due to the absence of an operational supervisory authority. Consent is required on paper, with 72-hour breach notification aligning with GDPR standards. Practical compliance demands are minimal given the enforcement gap.

Law 2019-014
Togolese Republic
Flag of TG
Opt-in

Togo's 2019 data protection law provides a comprehensive framework covering collection, processing, storage, and transmission of personal data. However, enforcement remains effectively non-existent because the designated supervisory authority, the IPDCP, has not yet been established despite being mandated by the law.

Law 2017-020
Islamic Republic of Mauritania
Flag of MR
Opt-in

Mauritania's data protection framework established the APD as the national supervisory authority and holds historical significance as the 15th country to ratify the Malabo Convention, triggering its continental entry into force in June 2023. The law requires consent for processing and mandates breach notification to both the APD and affected individuals.

Law 1/2016
Equatorial Guinea
Flag of GQ
Opt-in

Equatorial Guinea's data protection law establishing a framework for personal data processing. The designated Governing Body has not become operational, severely limiting enforcement. Consent is required on paper, but the lack of an operational authority means there is no practical enforcement mechanism. The law is among the least-documented frameworks in Central Africa.

Law 03/2016
Sao Tome and Principe
Flag of ST
Opt-in

Sao Tome and Principe's data protection law modeled on EU Directive 95/46/EC. The ANPDP is relatively active compared to many Central African peers. Data controllers must notify the ANPDP at least 8 days before processing begins. Separate penalty tiers apply for individuals (STN 50M-120M) and legal entities (STN 250M-500M), with criminal liability for intentional violations.

Law 2016/037
Republic of Guinea
Flag of GN
Opt-in

Guinea's combined cybersecurity and data protection law is enforced by the CNIL and carries some of the harshest criminal penalties in West Africa, with up to 7 years imprisonment for sensitive data violations. The law requires explicit prior consent for all personal data processing and mandates separate authorization from competent authorities for sensitive data categories.

Law 2013-015
Republic of Mali
Flag of ML
Opt-in

Mali's data protection law established the APDP as the supervisory authority, though it was formally launched three years later in 2016. The law requires consent-based processing and mandates confidentiality safeguards for all personal data. Enforcement follows a graduated approach from warnings through to monetary sanctions.

Law 24.001
Central African Republic
Flag of CF
Opt-in

The Central African Republic's first data protection law, enacted in January 2024 with a mandate to establish a DPA within 12 months. The authority missed its January 2025 deadline. The 5% turnover penalty is among the highest in Central Africa. Consent is required for processing, with stricter protections for sensitive data categories. The Ministry of Digital Economy serves as interim overseer.