By 
By Ariana Issaias (Kenya), Nadine Mather (South Africa) and Joshua Mwamulima (Zambia), Partners at Bowmans
A sure sign that awareness of data protection and privacy laws and rights in Africa is gradually filtering into the public consciousness is that consumers are starting to complain.
RELATED: Africa calls for unified data protection framework at 2025 NADPA-RAPDP Conference
Kenyan consumers appear to be at the forefront of this trend, and at this stage are mainly taking aim at companies using their photographs and images without consent.
A photography studio in Nairobi is feeling the wrath of the regulator, the Office of the Data Protection Commissioner (ODPC), after ignoring the complainant’s repeated requests to take down an image it was using to promote its services on WhatsApp and Instagram. The studio was ordered to erase the offending image and fined KES 50 000 (about USD 4 000) for infringing the complainant’s constitutional right to privacy.
The ODPC has also ruled in favour of students who filed complaints against their educational institutions for using their photographs for marketing purposes, without obtaining express lawful consent.
Interestingly, the High Court of Kenya has made several decisions on data protection matters and the right to privacy on behalf of citizens. In one case, five petitioners successfully challenged the unauthorised use of their graduation photographs in college advertisements, which the court found infringed their rights under the country’s constitution and the Data Protection Act.
Regulators actively seek to raise awareness
It is not only in Kenya that consumers are becoming aware of their rights under data protection and privacy laws. South Africa’s Information Regulator is making a concerted effort to inform ‘data subjects’ about their rights and ensure members of the public know how and where to complain. The regulator has been holding public consultative sessions in eight of South Africa’s nine provinces, often in collaboration with partners such as municipalities, national and provincial government departments, state entities and other regulators.
Africa developments
Public awareness of data privacy and privacy laws is awakening in jurisdictions such as Mauritius, whose Data Protection Authority is taking a novel approach by reaching out specifically to teenagers – whose prolific use of social media arguably makes them vulnerable to their personal information falling into the wrong hands. The regulator has a ‘Teens Corner’ on its website to assist this age group with data protection issues.
Ghana is another African jurisdiction with a fairly developed data protection system and an active regulator. The Data Protection Commission (DPC) has recently become more aggressive in its enforcement of the Data Protection Act and published the names of non-compliant entities in the media.
Zambia is also gearing up for stronger action. Its Data Protection Commissioner was appointed in June 2023 and the Commissioner’s office is now fully operational. Although enforcement is still in the early stages, heightened action is expected around breach reporting and an increase in complaints from data subjects is anticipated. No cases have reached the High Court of Zambia yet, but observers believe it is only a matter of time before the first matter is lodged.
Only Namibia still lags on legislation
In Sub-Saharan Africa broadly, there is a noticeable increase in legislative and regulatory activity around data protection and privacy. In fact, a Bowmans overview of the status of regulations in 12 African countries revealed that only one, Namibia, has yet to enact a data protection framework. Namibia’s draft bill is still in the early stages and at this point, the processing of personal information is largely unregulated.
All in all, the jurisdictions that are ahead of the rest are Ghana, Mauritius and Kenya, with well-developed legislation and active regulators, followed by Nigeria, South Africa, Tanzania and Zambia. Hard on their heels are Botswana, Ethiopia and Malawi, all of which have enacted comprehensive data protection legislation.
As regulators find their feet and flex their powers, the current trickle of consumer complaints in one or two countries is likely to spread and grow. Businesses processing personal information in any African jurisdiction, as well as across borders, should make it a priority to familiarise themselves with the legal requirements of each jurisdiction where they operate.
Bear in mind that while African countries might generally follow the same data protection principles, broadly aligned with internationally accepted data protection principles, they tend to differ in how they enforce compliance. As always in Africa, it is the localised differences that often matter the most.
