In 2015, only 5 African countries had comprehensive data protection legislation. By May 2026, that number has reached 36. Africa is experiencing a data protection legislative wave of historic proportions.
But these 36 laws are not the same law. They are 36 different interpretations of what data protection means, how it should be enforced, and how it interacts with other regulatory obligations.
The Five Divergences That Matter
1. DPA Independence
Most African DPAs meet the GDPR standard of independence — Kenya's ODPC, Nigeria's NDPC, South Africa's Information Regulator. But Zimbabwe vested data protection authority in POTRAZ (the telecoms regulator), raising serious independence concerns. The DRC has no DPA at all.
2. Breach Notification Timelines
Kenya, Nigeria, Rwanda, and Zimbabwe require 72-hour notification. Tanzania requires 48 hours — tighter than the GDPR. South Africa requires "as soon as reasonably possible" with no fixed deadline. Ghana has no mandatory breach notification at all.
3. Cross-Border Transfer Mechanisms
South Africa and Mauritius recognise adequacy determinations, BCRs, and SCCs. Nigeria has a "whitelist" approach. Egypt requires Cabinet-level approval. Tanzania requires registration of transfers. No African country has issued a formal adequacy determination of another African country.
4. Penalty Regimes
Nigeria: up to 2% of annual revenue. South Africa: ZAR 10 million and/or 10 years imprisonment. Zimbabwe: approximately USD 500. The DRC: nothing.