África y el Cercano Oriente el panorama de privacidad de la región se enfrenta a cambios rápidos y dramáticos Morrison & Foerster

ALERTA DE CLIENTE
África y el Cercano Oriente: el panorama de privacidad de la
región se enfrenta a cambios rápidos y dramáticos
28 enero 2022
Manténgase al día con los últimos conocimientos legales y de la industria, noticias y eventos de MoFo
j
t
A
ÚNETE
La región de África y El Cercano Oriente experimentó un crecimiento explosivo de las normas de privacidad de
datos en 2021, con la promulgación y / o entrada en vigor de ocho nuevas leyes de privacidad de datos: Cabo
Verde (enmendada); Kuwait; Rwanda; Arabia Saudita; Emiratos Árabes Unidos (federal); Emiratos Árabes
Unidos/Abu Dhabi Global Markets (enmendado); Zambia; y Zimbabue. Es probable que este año traiga cambios
aún más dramáticos a esta diversa región del mundo a medida que se promulguen más nuevas leyes y
regulaciones. Si este ritmo se mantiene, esta región, que ya representa más de una cuarta parte (39) de las 140
leyes de privacidad de datos del mundo, pronto tendrá más que Europa y Eurasia combinadas.
Un nuevo desarrollo reciente y preocupante en esta región es la aparición de requisitos de localización de datos en
Kenia, Ruanda y Zambia. Es demasiado pronto para decir cómo se implementarán estas disposiciones y el efecto
práctico que pueden tener en las actividades de procesamiento comercial en estas jurisdicciones, pero la
preocupación es que se pueda alentar a otras jurisdicciones de esta región a seguir su ejemplo.
Estos cambios rápidos y dramáticos en el panorama de la privacidad de la región presentan desafíos para las
empresas que buscan desarrollar un enfoque regional de cumplimiento de la privacidad. En particular, los
reguladores aún no están establecidos en 15 de estas jurisdicciones, y las regulaciones y directrices de
implementación deben emitirse en varias jurisdicciones antes de que se aclare el alcance completo de las
obligaciones de la empresa. Otros factores que complican la falta de uniformidad de las obligaciones jurídicas de
una ley a otra, como las bases jurídicas disponibles para el tratamiento y las transferencias transfronterizas, y la
falta de transparencia con respecto a la aplicación de la normativa.
Como se explica a continuación, Bahrein, Egipto, Kenia, Arabia Saudita, Sudáfrica, Uganda y los Emiratos Árabes
Unidos son países a observar en el próximo año a medida que la implementación y el cumplimiento de estas
nuevas leyes comiencen a tomar forma. Israel, Jordania, Etiopía y Namibia son los países a los que se debe
observar en el próximo año la aparición de leyes nuevas o enmendadas.
Esta alerta analiza algunos de los cambios significativos que han tenido lugar en 2021, identifica posibles nuevas
leyes y regulaciones en 2022 y más allá, y luego revisa los puntos en común y las diferencias entre los regímenes
de privacidad en la región.
Leyes de privacidad recientemente promulgadas y otros
desarrollos
A continuación se proporciona una instantánea de las leyes promulgadas recientemente y los desarrollos
relacionados:
Bahrein. En julio de 2021, el Ministerio de Justicia, Asuntos Islámicos y Waqf de Bahréin emitió para comentarios
públicos ocho proyectos de decisión de conformidad con la Ley de Protección de Datos Personales de Bahrein (Ley
No. 30 de 2018) que entró en vigor el 1 de agosto de 2019. Los proyectos de decisión contienen numerosas
obligaciones nuevas con respecto a la notificación de violación de datos (que impone un requisito de notificación
de 72 horas), la seguridad de los datos, la privacidad desde el diseño, las evaluaciones de impacto de la protección
de datos (EIPD) y la portabilidad de los datos. Se ha establecido una autoridad de protección de datos (DPA), pero
aún no está claro si está en pleno funcionamiento. Esta reciente oleada de actividad sugiere que el país se está
preparando para implementar y hacer cumplir su ley pronto.
h
Egipto. La Ley de Protección de Datos Personales de Egipto, No. 151 de 2020 entró en vigor el 14 de octubre de
2020. Se esperaba que las regulaciones ejecutivas se emitieran en abril de 2021; sin embargo, a principios de
enero de 2022, esas regulaciones aún no se han emitido ni se ha establecido un DPA. Una vez que se emitan esas
regulaciones, las organizaciones tendrán un año para cumplir.
Kenia. En noviembre de 2020 se nombró un comisionado de protección de datos para supervisar la aplicación de
la Ley de Protección de Datos de 2019, que entró en vigor en noviembre de 2019. A principios de 2021, el DPA
emitió una guía sobre las disposiciones de la ley relacionadas con el consentimiento y las DIP. En mayo y junio de
2021, publicó para comentarios públicos un borrador de regulaciones de protección de datos. El reglamento se
publicó en forma definitiva el 14 de enero de 2022 y se espera que entre en vigor el 11 de febrero de 2022, sujeto
a la aprobación de la Asamblea Nacional. Las regulaciones especifican los controladores y procesadores que están
sujetos a los requisitos de registro obligatorios y requieren que se registren en la DPA dentro de los seis meses.
Las regulaciones aclaran aún más las reglas para la notificación de infracciones, las transferencias transfronterizas,
el marketing directo, el consentimiento, las EIPD y la localización de datos. Las disposiciones de localización de
datos requieren que los datos personales procesados con fines de "interés estratégico del estado" se procesen a
través de un servidor y centro de datos ubicados en Kenia, y al menos una copia de esos datos debe almacenarse
en un centro de datos ubicado en Kenia. [1] Además, los controladores que procesan datos personales fuera de
Kenia para otros fines y sufren violaciones de datos o violan la Ley también pueden estar obligados a cumplir con
los requisitos de localización de datos.
El DPA ha estado activo en la promoción de la conciencia y la respuesta a las quejas, lo que sugiere que, al igual
que Bahrein, el DPA está avanzando para implementar y hacer cumplir la ley en breve.
Kuwait. La Autoridad Reguladora de Las Comunicaciones y la Tecnología de la Información de Kuwait (CITRA)
emitió la Resolución 42 de 2021, relativa a las Regulaciones de Protección de la Privacidad de Datos
("Regulaciones"), que entró en vigencia en abril de 2021. El Reglamento aborda la recopilación y el procesamiento
de datos personales y se aplica a un Proveedor de servicios de comunicaciones y tecnología de la información
("Proveedor de servicios") que presta servicios en Kuwait. Dichos servicios pueden incluir el establecimiento de
cualquier tipo de red pública de telecomunicaciones, la operación de un sitio web, una aplicación inteligente o
servicios de computación en la nube, por parte de cualquier persona física o jurídica. El Reglamento se aplica a
todos los proveedores de servicios de los sectores público y privado que recopilan, procesan y almacenan datos
personales utilizando medios automatizados o cualquier otro medio que forme parte de un sistema de
almacenamiento de datos, ya sea que se procesen dentro o fuera de Kuwait, cuando los datos personales se
relacionen con actividades de procesamiento relacionadas con la transmisión de publicidad o material de marketing
o el monitoreo del comportamiento y las tendencias de las personas. Aunque aparentemente de naturaleza
sectorial, el Reglamento en realidad cubre una amplia gama de organizaciones y requiere, entre otras cosas, una
base legal para el procesamiento, la provisión de derechos individuales y la notificación de violaciones de datos a
individuos y CITRA dentro de las 72 horas.
Nigeria. A principios de 2021, la Agencia Nacional de Desarrollo de Tecnología de la Información (NITDA), la
autoridad responsable de la aplicación del Reglamento de Protección de Datos de Nigeria 2019 ("Reglamento"),
emitió la versión final del Marco de Implementación del Reglamento. NITDA describe el marco como una guía para
ayudar a los controladores y procesadores a comprender los controles y medidas que deben implementar para
cumplir con el Reglamento y promover el cumplimiento voluntario. El Marco de Implementación proporciona
aclaraciones importantes con respecto a las obligaciones clave en virtud del Reglamento, como cuándo se debe
nombrar a un DPD, cómo y cuándo se debe obtener el consentimiento de las personas, la necesidad de notificar al
NITDA dentro de las 72 horas en caso de violación de datos y los países que se considera que brindan una
protección adecuada. Como se discutió en la siguiente sección, todavía se están realizando esfuerzos para
desarrollar una ley de protección de datos nueva y más completa, pero el momento para la promulgación de una
ley sigue sin estar claro. Mientras tanto, NITDA está haciendo cumplir activamente este Reglamento. Hasta la
fecha, la NITDA ha impuesto dos grandes multas. En agosto de 2021, NITDA impuso una multa de NGN 10
millones (aproximadamente USD 24,000) en una plataforma de préstamos en línea, por una variedad de
violaciones relacionadas con la provisión de avisos, bases legales inadecuadas para el procesamiento y el
intercambio de datos, no presentar los informes de auditoría requeridos a través de un auditor externo con licencia
y no cooperar con nitda. En 2020, emitió una multa de NGN 5 millones a una empresa nigeriana, en relación con
una violación de datos.
Rwanda. Rwanda enacted Law Nº 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and
Privacy in October 2021. Organizations have until October 2023 to come into compliance. The National Cyber
Security Authority is the regulator responsible for enforcement of the Law. The Law imposes criminal penalties for
violations, as well as administrative penalties for violations ranging from RWF 2 to 5 million, or 1% of the
organization’s global turnover of the preceding financial year. The most noteworthy provisions include
requirements for data localization (organizations must store personal data in Rwanda unless the regulator
authorizes international storage), a 72-hour notification for data breaches, the appointment of a DPO, and a
registration requirement for controllers and processors.
Saudi Arabia. Saudi Arabia enacted a Personal Data Protection Law (PDPL) that goes into effect on March 23,
2022. Controllers have one year from that date to come into compliance with the law. The PDPL applies to any
processing of personal data of individuals that takes place in Saudi Arabia, as well as processing of personal data
of individuals residing in Saudi Arabia by organizations outside of Saudi Arabia. The PDPL imposes a number of
requirements, including with respect to: the provision of a privacy notice; legal bases for processing; Individual
rights (access, correction, and deletion rights); data quality; data security; breach notification; and the
appointment of a DPO. The PDPL also provides for a private right of action. In the event of a law violation, fines up
to SAR 3 million (approx. USD 800,000) and/or imprisonment of up to two years are possible.
South Africa. Although enacted in 2013, South Africa’s Protection of Personal Information Act (POPIA) only
entered into force on July 1, 2020. Organizations were given until July 1, 2021 to comply with the law. The DPA,
which has been operational since 2016, is actively issuing guidance, revising existing regulations, educating and
promoting awareness, and speaking out on selected data privacy issues.
Togo. The Law on Protection of Personal Data went into effect October 2019, with enforcement to began in
October 2020; however, as of December 2021, the DPA had not yet been established.
Uganda. One year after Uganda’s Data Protection and Privacy Act, 2019 (“Act”) entered into force in February
2020, the Ministry of ICT and National Guidance issued the Data Protection and Privacy Regulations, 2021, No. 21
of 2021 (“Regulations”), which implement the Act. The Regulations specify the Individual Rights provisions,
including a requirement to respond to access requests within seven days and comply with correction requests
within 30 days, and require the appointment of a DPO, DPIAs for high risk processing, notification to individuals
about data breaches immediately after the DPA is notified about the breach, and submission of annual reports to
the DPA summarizing all data breaches and the action taken to address such breaches. Both controllers and
processors are subject to registration requirements, and where a controller or processor notifies the individual of
its intention to continue processing personal data for the purpose of direct marketing, the individual may, within 14
days of receiving the notice, request in writing that the DPA review the decision of the controller or processor.
Under the Act, violations are punishable by a fine not exceeding 4.8 million shillings (USD 1,284) or imprisonment
for ten years or both. The Regulations include additional offenses, such as for violations of the registration
requirements and cross-border transfer rules.
Uganda’s Personal Data Protection Office (DPA) announced a grace period up to the end of December 2021 to
allow for relevant organizations and persons to register their collection and processing of personal data with the
DPA. The DPA will begin taking enforcement measures against unregistered organizations and persons once the
registration requirements become effective starting in January 2022.
United Arab Emirates (UAE). In September 2021, the UAE adopted a new federal privacy and data protection
law, Federal Law No. 45 of 2021 on the Protection of Personal Data, that went into effect on January 2, 2022. This
new law now broadly aligns the UAE’s federal data privacy requirements with the EU General Data Protection
Regulation (GDPR) as well as existing data protection laws of the UAE’s two free-market zones, the Dubai
International Financial Center (DIFC) and the Abu Dhabi Global Market (ADGM). Executive regulations are to be
issued within six months and companies will have until January 2023 to comply with the law.
This new federal law does not apply to companies registered in the free-market zones or to health data covered by
the Federal Law No. 2 of 2019 Concerning the Use of Information and Communication Technology in Health Fields,
which regulates the use of information and communications technology in the UAE's health industry and
establishes a centralized system to manage health information.
While the federal law mirrors much of the DIFC and ADGM laws, there are some noteworthy differences. In
particular, unlike the DIFC and ADGM laws, the same legal bases for processing personal data under the federal
law apply to the processing of sensitive personal data, and the federal law does not include a legal basis for
processing on the basis of the controller’s legitimate interests. In addition, the breach notification threshold is
lower than under the DIFC and ADGM laws and the cases in which a data protection officer (DPO) must be
appointed also differ.
It should be noted that both the DIFC and ADGM revised their laws in 2020 and 2021 respectively to align them
more closely to the EU GDPR. Both have issued revised sets of standard contractual clauses similar to the EU SCCs
but with some differences.
Zambia. Zambia’s Data Protection Act, No. 3 of 2021 was approved by the legislature in March 2021, but has not
entered into force yet. The Act has some unique and onerous provisions. For example, a legal basis such as
consent, legitimate interests, or contractual necessity is required to process personal data; however, consent is not
a legal basis for the processing of sensitive personal data. Sensitive personal data may only be processed in
limited circumstances, such as where the processing is necessary for the establishment, exercise, or defense of a
legal claim. Furthermore, the Act requires controllers to notify the DPA within 24 hours of any security breach
affecting personal data processed and, like the Rwandan law, requires controllers to process and store personal
data on a server or data center located in Zambia. However, the Minister may prescribe categories of personal data
that may be stored outside Zambia. Both controllers and processors are required to register their processing
activities and appoint a DPO in accordance with guidelines issued by the DPA. The Act provides offenses for certain
violations, including fines ranging from 100 million to 500 million penalty units or two percent of annual turnover
of the preceding financial year, or imprisonment up to five years.
Zimbabwe. Zimbabwe is the most recent country in the region to enact a data privacy law. The Data Protection
Act (“Act”) was enacted on December 3, 2021 but no date is specified for its entry into force or if companies will
have a transition period to comply with the Act. The Act is applicable to public- and private-sector entities and
requires, among other things, notification of data breaches within 24 hours, the appointment of a DPO, and
consent or another limited legal basis to transfer personal data to countries that are not deemed to provide
adequate protection. The Act establishes the Postal and Telecommunications Regulatory Authority of Zimbabwe as
the DPA to implement and enforce the Law. Amendments to Zimbabwe’s Criminal Law Act also are included in the
Act in order to address cybersecurity. The Act stems from the Cyber Security and Data Protection Bill, which, after
a series of public hearings, went through several amendments during the Parliamentary process.
New Laws Expected in 2022 and Beyond
Israel. Forty years after the enactment of Israel’s Protection of Privacy Law, 5741-1981, the Israeli Ministry of
Justice published a bill in early January proposing amendments to the current law that, if enacted, would, among
other things, amend the definitions of key terms in the law such as personal information and sensitive information,
reduce registration requirements, and expand the DPA’s enforcement powers by enabling it to impose financial
penalties. Privacy legislation is expected to be one of the main issues on the 2022 legislative agenda of the
Knesset’s Constitution, Law, and Justice Committee.
Jordan. In late December 2021, the Jordanian Council of Ministers approved a draft law on the protection of
personal data. If enacted, the draft law would, among other things, require legal bases for processing personal
data, provide for individual rights, including the right to be forgotten and data portability, impose breach
notification requirements, restrict cross-border transfers of personal data to countries that provide adequate
protection rules, and establish a Personal Data Protection Board to oversee and enforce the law.
Ethiopia. As part of its National Digital Transformation Strategy initiative, the Ethiopia government, led by the
Ministry of Innovation and Technology, has drafted a Personal Data Protection proclamation (PDP). The PDP, which
provides for the creation of a Data Protection Commission, establishes rules for the collection, use, disclosure, and
cross-border transfer of personal data, and provides individuals with access, correction, erasure, and data
portability rights, reportedly has been submitted to the Council of Ministers for approval.
Namibia. The Ministry of Information and Communication Technology (MICT) is reportedly working on draft data
protection legislation.
Nigeria. There are reports that the Nigerian government has abandoned plans to move forward with its proposed
Data Protection Bill, 2020, which was developed after a lengthy public consultation process and draft new
legislation. If these reports are true, then the prospects for enactment of legislation in 2022 appear to be greatly
diminished. The government’s 2020 bill proposed regulating personal data of individuals and legal entities (both
public and private). It contained extraterritorial provisions to regulate controllers (without regard to their
establishment) that carry out processing of information relating to individuals who reside within or outside Nigeria
and personal data which originates partly or wholly from Nigeria. It also established basic principles and legal
bases (such as legitimate interests, contractual necessity, and consent) for processing of personal data, provided
for individual rights, including erasure and data portability rights, and imposed security requirements, including
specific obligations on data processors. In addition, it included restrictions on cross-border transfers and the
submission of annual audit reports and notification of data breaches within 48 hours. Lastly, it provided for the
establishment of a Data Protection Commission and imposes criminal penalties for law violations.
Characteristics of the Current Regional Landscape: Commonalities
and Differences
The Africa and Near East region now has 39 data privacy laws, representing more than one-quarter of the 140
privacy laws worldwide: Algeria, Angola, Bahrain, Benin, Botswana, Burkina Faso, Cape Verde, Chad, Republic of
the Congo, Côte d’Ivoire, Egypt, Equatorial Guinea, Gabon, Ghana, Guinea, Israel, Kenya, Kuwait, Lesotho,
Madagascar, Mali, Mauritania, Mauritius, Morocco, Niger, Nigeria, Qatar, Rwanda, São Tomé & Principe, Saudi
Arabia, Senegal, Seychelles, South Africa, Togo, Tunisia, Uganda, the United Arab Emirates (federal law and laws
in two free-trade zones, the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market
(ADGM)), Zambia, and Zimbabwe. The laws in the Seychelles, Zambia, and Zimbabwe have not yet entered into
force.
More than half of these laws (22) were enacted (or amended) within the past five years and, of these, 10 were
enacted in the past two years. The newest laws are in Egypt, Kuwait, Rwanda, Saudi Arabia, the United Arab
Emirates (federal), Zambia, and Zimbabwe.
While they share the same core data protection elements, all of these laws have specific rules that differ from each
other and from those in other regions. Thus, implementing data privacy programs to comply with these rules can
be challenging, particularly in those jurisdictions that have yet to establish their data protection authorities (DPAs).
The jurisdictions without established DPAs are: Algeria, Botswana, Republic of the Congo, Egypt, Equatorial
Guinea, Guinea, Lesotho, Madagascar, Mauritania, Saudi Arabia, Seychelles, Togo, UAE (federal), Zambia, and
Zimbabwe.
Scope. Most of the laws in this region apply to processing in-country only. However, at least three have
extraterritorial provisions: Benin, Cape Verde, and Uganda. Both the laws in Benin and Cape Verde extend to
controllers and processors not established in their country that process personal information of people in their
country relating to the offering of goods or services to people in their country or the monitoring of their behavior,
insofar as this behavior takes place in their country. Additionally, the Benin law applies to processing that takes
place in a member state of the Economic Community of West African States (ECOWAS). Uganda’s law applies to
organizations within Uganda that process personal information or organizations outside Uganda that process
personal information relating to Ugandan citizens.
There are also two other laws, in Egypt and Qatar, that may have extraterritorial provisions but further regulatory
clarification is needed.
Cross-border Transfers. While most of the jurisdictions (34) impose restrictions on cross-border transfers of
personal data, there is such a diverse array of rules that it is practically impossible to characterize them in
meaningful ways.
Adequacy. Many of these jurisdictions permit transfers to countries that provide “adequate” protection; however,
only seven have issued their lists of adequate countries. The lists of the seven that have vary widely. For example,
the Côte d’Ivoire and Niger recognize the member states of ECOWAS; Chad recognizes the member states of the
Central African Economic and Monetary Community (CEMAC) and the Economic Community of Central African
States (CEEAC); Lesotho recognizes member states that have transposed the Southern African Development
Community (SADC) data protection requirements; Morocco recognizes the EEA Member States and Canada; and
the UAE/DIFC and ADGM recognize the EEA Member States as well as other jurisdictions recognized by the EU as
providing adequate protection. Nigeria recognizes numerous jurisdictions including the African countries that are
signatories to the Malabo Convention 2014, the United States, the EEA Member States (and the other jurisdictions
recognized by the EU), China, the Philippines, and Singapore.
In order to transfer to an adequate country, eight of these jurisdictions additionally require DPA authorization,
notification, or a DPA license: Benin, Republic of the Congo, Egypt, Guinea, Morocco, Senegal, Togo, and Tunisia.
Adequate Protection Measures. Twenty-two jurisdictions permit cross-border transfers where adequate protection
measures are in place, such as contractual clauses, but in many cases the DPAs must also approve the transfers
and/or contractual clauses. Only a couple of DPAs (in the UAE/DIFC and ADGM free-trade zones) have issued their
own clauses. Alternatively, Israel permits the use of EU Standard Contractual Clauses with minor modifications.
Legal Bases. All but a few laws permit transfers to inadequate countries, provided one of the legal bases specified
in the law applies. However, these legal bases vary widely. Some provide for one or more legal bases such as
consent, contractual necessity, vital interests, and/or a legal claim; some only permit such transfers on the basis
of consent while others limit the use of consent to transfers are that limited and specific. Many laws also require
DPA authorization for such transfers. In contrast, laws in countries such Burkina Faso, Côte d’Ivoire, Guinea, Niger,
and Tunisia do not provide any legal bases other than DPA authorization.
Breach Notification. Half of the laws (20) require notification in the event of a data breach: Benin, Botswana,
Cape Verde, Chad, Republic of the Congo, Egypt, Ghana, Israel, Kenya, Kuwait, Lesotho, Mauritius, Qatar, Rwanda,
Saudi Arabia, South Africa, Uganda, the United Arab Emirates (Federal, DIFC, and ADGM), Zambia, and Zimbabwe.
Seventeen of these 20 jurisdictions require notification to the DPA in the event of any data security breach,
regardless of risk of harm. While some of the laws only require that notice be provided to individuals and/or to the
DPA “as soon as practicable” or “without delay,” more than half require notification to the DPA within 24–72 hours.
Most require that both individuals and the DPA must be notified about a breach.
Legal Bases for Processing. Almost half of the laws (18) do not permit processing on the basis of legitimate
interests. Instead, the laws rely on other legal bases such as consent, contractual necessity, legal requirements, or
vital interests. Only two countries, Israel and Mali, do not expressly require a legal basis for processing. Instead,
they specify that processing for purposes other than those for which the information was provided constitutes a
violation of privacy.
Individual Rights. Access and correction rights must be provided in all countries. More than three-quarters of the
laws (32) provide erasure rights and slightly more than one-quarter (11) provide data portability rights. The
timeframes for responding to individual rights requests also vary widely: 17 countries require responses to rights
requests within 30 days or more; four within 21 days; three within 10–15 days; and two within seven days. Twelve
do not specify a specific time period.
Data Protection Officer (DPO). More than one-third of the jurisdictions (16) require the appointment of a DPO:
Benin, Cape Verde, Republic of the Congo, Egypt, Madagascar, Mali, Mauritius, Nigeria, Rwanda, Saudi Arabia,
South Africa, Tunisia, Uganda, the UAE, Zambia, and Zimbabwe.
Registration. While the trend around the world is to minimize registration requirements, most of the laws in the
region (36) require organizations to register processing activities with a DPA. Eight jurisdictions require both
controllers and processors to register. The countries that do not impose registration requirements are Kuwait,
Nigeria, and Qatar.
Security. Slightly more than half of the countries (18) have either some specific or very detailed security
provisions. The countries with detailed security obligations are Benin, Israel, Senegal, and the UAE/DIFC. Three
countries, Benin, Côte d’Ivoire, and Nigeria, require the submission of security compliance or audit reports
annually to the DPA.
Data Protection Impact Assessments (DPIAs). Slightly more than one-third (15) of the laws require DPIAs for
certain types of processing. DPIAs are required in Benin, Cape Verde, Republic of the Congo, Cote d’Ivoire, Israel,
Kenya, Mauritius, Morocco, Nigeria, Qatar, Rwanda, South Africa, Uganda, UAE, and Zambia.
Data Localization. Three countries, Kenya, Rwanda and Zambia, impose data localization requirements. The
Rwandan law requires controllers and processors to store personal data in Rwanda unless they obtain a valid
registration certificate issued by the DPA that authorizes international storage. The Zambian law, which is not yet
in force, requires controllers to process and store personal data on a server or data center located in Zambia;
however, the law permits the Minister to prescribe categories of personal data that may be stored outside Zambia.
In addition, the Kenyan regulations require personal data processed for the purposes of “strategic interest of the
state” to be processed through a server and data center located in Kenya, and at least one copy of that data must
be stored in a data center located in Kenya. Moreover, controllers that process personal data outside of Kenya for
other purposes and suffer data breaches or violate the law may also be required to comply with the data
localization requirements.
Enforcement. With the enactment and/or entry into force of 10 new or amended laws in the past two years, as
well as the recent issuance of new guidance and regulations in jurisdictions such as Kenya, Qatar, South Africa,
and Uganda, we expect to see regulatory enforcement activity increase in the coming year. However, despite the
fact that 24 jurisdictions have established DPAs, only a few have publicized information on fines imposed. For
example, in 2021, Mali’s DPA imposed a CFA 20 million fine against a company for workplace surveillance
violations and, in 2020, fine of CFA 18 million against a company for unlawful access and collection of personal
data. The Nigerian DPA issued NGN 5 million and 10 million fines in 2020 and 2021 respectively for various
violations of its Regulation. In December 2018, Gabon imposed an XAF 5 million fine against a company for
unlawfully collecting geolocation data from its employees without providing notice to the individuals and without
authorization from the DPA.
[1] Such purposes include: administering of the civil registration and legal identity management systems;
facilitating the conduct of elections for the representation of the people under the Constitution; overseeing any
system for administering public finances by any state organ; running any system designated as a protected
computer system in terms of section 20 of the Computer Misuse and Cybercrime Act, 2018; offering any form of
early childhood education and basic education under the Basic Education Act, 2013; or provision of primary or
secondary health care for a data subject in the country.
PRÁCTICAS
Privacidad + Seguridad de los datos
Cynthia J. Rich
Senior Privacy Advisor
j u