Data privacy law and regulation

The journey to the recognition of data privacy rights began with the 1948 Universal Declaration of Human Rights, which recognised the right to privacy as a fundamental human right. On 23rd September 1980, the Organisation of Economic Development (OECD), adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, representing international consensus on safeguards for the collection and management of personal data, particularly in cross – border data transfers. In 1981, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) was adopted by the Council of Europe. Convention 108 was the first legally binding international treaty on data protection, and required parties to take the necessary steps in their domestic legislation to apply the principles it lay down. This clarion call was bolstered through the European Union’s Data Protection Directive (95/46/EC) in 1995, the first of its kind, comprehensive data protection law, laying the foundation for data privacy, not only in the European Union, but also across the globe.

The 2000s era ushered in a new dawn for data privacy, on the backdrop of the 1995 EU directive. For starters, the Asia – Pacific Economic Cooperation (APEC) Privacy Framework setting out voluntary guidelines for cross – border data flows was adopted in 2006, and the African Union’s Convention on Cyber Security and Personal Data Protection, was adopted on 27th June 2014 in Malabo, Equatorial Guinea. In 2016, the European Union passed the EU’s General Data Protection Regulation (GDPR), setting out key principles of data protection. By this time, most African countries had prepared domestic bills on data protection, which were consequently passed into law. These include Kenya’s Data Protection Act 2019, Uganda’s Data Protection and Privacy Act 2019, Tanzania’s Personal Data Protection Act 2022 and Rwanda’s Data Protection and Privacy Law of 2021. The regulatory framework has since seen the establishment of compliance and enforcement offices in the various countries including the Office of the Data Protection Commissioner (ODPC) in Kenya, the Personal Data Protection Office (PDPO) in Uganda, the Personal Data Protection Commission (PDPC) in Tanzania and the National Cyber Security Authority (NCSA) in Rwanda.

 The realm of data privacy boasts several key developments including harmonisation of laws regionally and globally, and incorporation of artificial intelligence to promote more data friendly practices, all geared towards the adoption of robust data privacy practices.