This week, we continue our series of new data protection developments with the latest from Africa.
Over the past two years, several countries on the continent have implemented laws on personal data protection, or have taken the first steps in this direction. Below you will find a short overview per country of these developments.
Tunisia
In March 2018, a Bill was introduced to amend the 2004 Law on the Protection of Personal Data. The goal of the draft is to become more in line with the GDPR, so as to open more business opportunities with Europe. It provides more independence to the National Personal Data Authority, and gives it more power, namely: being able to issue financial and judiciary sanctions, being able to issue recommendations regarding the protection of personal data, and a consultative power in this domain. The draft also limits custodial sentences to dangerous crimes threatening public security and national defense. Under the Bill, transfer of personal data to a third party cannot be done without the consent of the data subject.
Algeria
The 2018 Algerian law on the Protection of Individuals in the Processing of Personal Data contains provisions which cover most topics expected to be found in a data privacy law: data subject’s consent requirements regarding data processing, the right to modification and erasure, and children’s data protection. Furthermore, the new Law requires that all personal data processing operations first be subject to a declaration to the national authority. This same authority (Autorité National de Protection des Données à Caractère Personnel) is allowed to deliver administrative sanctions in case of a breach. The sanctions regarding processing one’s sensible data are very strict: it can involve not only a monetary fine, but also two to five years of jail. Finally, it may be interesting to know that researchers are allowed to contact a data subject without consent through automatic call, e-mail or similar technology.
Egypt
A brand-new Data Protection law was passed in June 2019. It will protect personal data for Egyptians and EU citizens based in Egypt. It applies to all firms dealing with personal data. The law includes a consent clause, as with most Data Protection laws, both for the collection, processing and disclosure of one’s data. but also for the transfer, storage and preservation of said data. It also provides a definition for sensitive data: data relating to physical/mental health, financial, political, and religious data. Any transfer or sharing of personal data to a foreign country must first obtain a license from the newly created Personal Data Protection Centre.
Kenya
There are currently two separate draft Data Protection Bills currently under consideration in Kenya; one submitted to the Kenyan Parliament, and another to the senate. Not much is known about the status of these bills at this moment in time. The voting on the Bill presented to the Senate was delayed as of July 2019. The two Bills seem to be clashing on clauses that have remained unnamed. Due to the lack of information on this topic, the main element to take out of Kenya’s current legislation state regarding Data Privacy is that it is on its way to develop regulations regarding this topic, and on its way to adopting international standards.
Zambia
In June 2018, the Zambian Cabinet approved the introduction of a Data Protection Bill to Parliament. It applies to both private and public bodies, and has an extraterritorial scope, meaning that this Bill would apply to a personal data controller using processing means located in Zambia (save for if the data is merely in transit through Zambia). It provides for the establishment of an independent Administrative Authority, which will have oversight and control of the law. It will not be able to sanction on breaches itself, but will have the power to conduct inquiries, and submit to court any breach of the Act. The Bill also contains provision on requirements regarding the quality of data, such as adequacy of the data, accuracy, and anonymization. Interestingly enough, the processing of non-sensitive personal data is permitted without consent of the data subject, whereas processing sensitive data requires written consent. Information as to when this Bill is expected to pass is unclear.
Zimbabwe
Laws on Data Protection and on Freedom to Access Information are expected to come in the near future, as the Minister of Information, Publicity, and Broadcasting Services has announced in February of this year that the current Access to Information and Protection of Privacy Act would be repealed to welcome new laws on the topic. The information regarding these laws is, currently, quite scarce.
For a more exhaustive description or clarification of any of the aforementioned legislation, our Data Protection Officers will be happy to answer all of your question through our ESOMAR Plus service, an exclusive consultancy package tailored to help with your compliance needs.