Introduction 

The past two months have witnessed interesting developments across the data protection and AI landscape in Africa. Ethiopia passed its draft data protection law, Tanzania officially inaugurated its data protection authority, and Cote d'Ivoire and Senegal issued formal notices for non-compliance with the law. On the AI spectrum, the African Union (AU), Kenya, Nigeria and South Africa commenced discussing AI strategies and plans. Here are some notable updates:

Regulatory update 

• Ethiopia’s House of People's Representatives has passed the Personal Data Protection Bill, which was approved by the Council of Ministers in October 2023. The law provides a comprehensive regulatory framework for personal data protection and establishes a supervisory authority to oversee enforcement. After being gazetted, the law will officially become effective.
• In Tanzania, the President officially inaugurated the Personal Data Protection Commission (PDPC), which was established last year. At the launch, the Director General of the PDPC disclosed that the PDPC has draft guidelines on consent, complaint management, and registration of data controllers and processors. The PDPC also launched a digital system for the registration of DPOs, permits for cross-border data transfers, and a personal data rectification system. Following its establishment, the Commission published a notice on the commencement of registration for public and private entities. The registration period will last for six months, starting from the publication date of the notice on April 10, 2024. 
• The Nigeria Data Protection Act General Application and Implementation Directive (NDP Act GAID) drafting committee, which was constituted last year to develop an implementation framework for the Nigeria Data Protection Act, met to review the draft document. During the meeting, the National Commissioner of the NDPC  indicated that the draft document would soon be published for stakeholder input.
• The Personal Data Protection Authority (APDP) of Benin Republic held its first extraordinary session for 2024. During the session, the APDP commissioners reviewed proposed regulations. The Authority also examined applications for authorisation for international data transfer and other processing activities. 
• The Data Protection and Privacy Office (DPPO) of Rwanda published a Guide on Contractual Provisions for the Processing of Personal Data, which specifies the instances where a Data Processing Agreement (DPA) is required and the mandatory provisions of a DPA. The DPPO also published Standard Contractual Clauses (SCCs) for the transfer of personal data outside Rwanda, making it the first African country to publish SCCs.  Additionally, the DPPO published a complaint lodging guide to assist data subjects with filing complaints with the office.
• Senegal’s Data Protection Commission (CDP) published its quarterly notice for the first quarter of the year, which details its activities during this period. These include issuing authorisation decisions, handling complaints, and issuing a formal notice and warning to two organisations for non-compliance with the data protection law. 

Sanctions and Enforcement 

• Cote d'Ivoire’s data protection authority (ARTCI) issued a formal notice and warning to the Ministry of Technical Education, Vocational Training and Apprenticeship, and Kaydan Group for non-compliance with personal data protection law. The formal notice mandates both entities to rectify shortcomings within 60 days and appoint a data protection officer within seven days of receiving the notice. Failure to do so may result in enforcement actions against them.
• South Africa’s Information Regulator (IR) hosted a media briefing to share updates on its enforcement actions during the 2023/2024 financial year. The IR noted the enforcement notice against the credit reporting agency Transunion for non-compliance and the assessments of compliance by Dischem and the South African Police Service (SAPS) following the enforcement notices issued last year. The IR also announced new investigations for non-compliance with POPIA. 
• In Nigeria, the NDPC has initiated an investigation into a reported data breach at the National Identity Management Commission (NIMC), stemming from unauthorised access to the NIMC database by a private company. Although the NIMC announced that its data was not breached, investigation into the incident is ongoing.
• Kenya's Data Protection Commissioner disclosed the commencement of an extensive investigation targeting over 1,000 entities, including digital lenders, hospitals, telecom companies, and educational institutions, for potential privacy law breaches.

‍

Partnerships & Collaboration

• The African Union (AU) met with the Organisation for Economic Cooperation and Development (OECD) stakeholders at the OECD headquarters in Paris from March 5 - 6, 2024, for the OECD-African Union (AU) Artificial Intelligence (AI) Dialogue to explore ways they could work together on artificial intelligence to, among other things, empower women, implement OECD principles, and design national AI strategies.

• The United States Department of Commerce and the Kenyan Ministry of Information, Communications, and the Digital Economy issued a joint statement on harnessing AI, facilitating cross-border data flow and ensuring digital upskilling between the parties. The parties express their commitment to AI advancement and cross-border data flows through the Global Cross-Border Privacy Rules (CBPR).

AI Governance

• The Department of Communications and Digital Technologies (DCDT) collaborated with Microsoft and the Artificial Intelligence Institute of South Africa to organise the National AI Government Summit, which presented and guided discussions regarding the draft National AI Plan for South Africa. Similarly, FAIR Forward launched the AI maturity assessment framework in South Africa to consider and develop an AI strategy and policy.

• The  Kenya Bureau of Standards (KEBS) hosted a webinar where it led a discussion on the process of developing the draft AI Code of Practice. The draft Code of Practice seeks to assist organisations in developing and using AI systems responsibly. It has been published and is open for public comment until June 13, 2024.
• Cote d'Ivoire’s Data Protection Authority (ARTCI) invited stakeholders to participate in a series of surveys on the challenges of AI and the metaverse. The surveys aimed to assess the effects of these technologies on the digital economy and promote inclusive, ethical and responsible adoption of AI and the metaverse. Last year, it launched a public consultation seeking public contributions to understand emerging technologies.
• Following the conclusion of the National Artificial Intelligence Workshop, which gathered over 120 AI experts to co-create an AI strategy for Nigeria,  the Minister of Communications, Innovations and Digital Economy announced the conclusion of an initial draft of Nigeria’s AI strategy.
• As part of the AU’s efforts to develop a Continental AI Strategy, a series of online consultations with stakeholders were held from April 19 to 25, 2024, to facilitate wide engagement and contribution to the strategy. 

Conclusion

The past two months saw increased AI regulatory efforts across the continent, including Kenya, Nigeria, South Africa and at the continental level, as the AU concluded consultations towards developing the draft continental AI strategy. There was also increased regulatory scrutiny by DPAs. In the coming months, we anticipate updates on Ethiopia’s data protection law, Nigeria’s implementation directive, the outcome of the investigations in Kenya, Nigeria, and South Africa, and the conclusion of discussions on Kenya, Nigeria and South Africa’s AI strategy and plan.

‍