Africa’s Data Protection Enforcement Era Has Arrived: A Country-by-Country Tracker

A $220 million fine against Meta. A South African regulator processing nearly 2,400 security breach reports in a single year. A new law enacted in Cameroon that makes it the 38th African country to join the continent’s data protection movement. Across Africa’s largest economies, the age of data law as aspirational policy document is ending — and the era of enforcement is beginning.

For years, compliance professionals and foreign investors treated African data protection regimes as background noise: laws existed, but the machinery to act on them did not. That calculus is changing with striking speed. Nigeria has demonstrated a willingness to pursue fines at a scale that commands boardroom attention. South Africa’s Information Regulator has moved from issuing guidance to issuing penalties. Egypt, after a five-year regulatory gap, is now on a countdown to full enforcement. Businesses operating across Africa’s top ten economies need to understand not just that these laws exist — but that they are increasingly being used.

Nigeria Sets the Enforcement Tone

No country on the continent has done more to signal that data protection is a serious commercial risk than Nigeria. The Nigeria Data Protection Act 2023 — enforced by the Nigeria Data Protection Commission — gave the NDPC statutory teeth that its predecessor framework lacked. The Commission has used them. Meta received a $220 million fine, the largest data protection penalty in African history. Multichoice was fined ₦766 million. Fidelity Bank received a ₦555 million penalty. These are not warning letters: they are enforcement actions that rival penalties issued by European regulators against mid-sized entities.

In September 2025, the NDPC issued its General Application and Implementation Directive — a binding instrument that clarifies how the NDPA applies across sectors and establishes procedural expectations for data controllers. The GAID is significant because it closes interpretive gaps that compliance teams had previously exploited to delay action. Nigeria has, in effect, built a regulatory posture that is no longer nascent. It is operational.

South Africa’s Maturing Regime

South Africa was the first major African economy to enact comprehensive data protection legislation aligned to international standards. The Protection of Personal Information Act — enacted in 2013 and brought into full force in 2021 — established the Information Regulator as an independent authority with investigation and enforcement powers. In 2024 and 2025, those powers became visible. The Regulator issued its first-ever administrative fine of R5 million, a symbolic but important milestone. More consequential for operational risk assessments: 2,374 security breach notifications were reported to the Regulator in the 2024/25 period, a figure that reflects both growing compliance awareness and a broadening threat surface.

Amendments passed in 2025 strengthened data subject rights, including provisions around automated decision-making and cross-border transfer safeguards. South Africa’s regime continues to track closely with GDPR principles, making it the most navigable framework for multinationals already compliant with European standards — but the gap between the two is narrowing in ways that require active monitoring rather than passive assumption of equivalence.

Egypt’s Long-Delayed Clock Starts

Egypt enacted Personal Data Protection Law No. 151 in 2020, but the law remained functionally inert for five years while its executive regulations were drafted. Those regulations were finally issued in November 2025, triggering an enforcement commencement date of November 2026. That twelve-month window is not generous. Companies with operations in Egypt — particularly in financial services, telecommunications, and e-commerce — face a compressed timeline to assess data flows, appoint data protection officers, and establish lawful processing grounds under a framework that carries criminal penalties for senior executives.

Law No. 151 draws heavily from GDPR architecture, including requirements for explicit consent, data minimisation principles, and restrictions on cross-border transfers. But its enforcement agency is newer and less resourced than its European counterparts, meaning the initial wave of enforcement is likely to focus on egregious violations and high-profile actors. The lesson from Nigeria is that “newer regulator” does not mean “softer regulator.”

East Africa: Active Regulators, Uneven Capacity

Kenya’s Data Protection Act 2019 has produced the most active enforcement record in East Africa. The Office of the Data Protection Commissioner resolved 7,497 complaints — a volume that reflects genuine public engagement with the framework, not just regulatory activity for its own sake. Zuku, the internet service provider, received a KES 500,000 fine following a complaints investigation. The ODPC has also published sector-specific guidance and is increasingly active on cross-border data transfer questions.

Tanzania’s Personal Data Protection Act 2022 took a harder line on criminal accountability, including penalties of up to ten years’ imprisonment for serious violations. A mandatory registration deadline for data controllers passed in April 2025, meaning entities that failed to register with the Personal Data Protection Commission are now technically in breach. Enforcement infrastructure remains limited, but Tanzania’s criminal penalty structure creates a risk profile that compliance teams cannot ignore simply because the regulator is young.

Ethiopia presents a different challenge. The Personal Data Protection Proclamation No. 1321/2024 introduced a data localization mandate — requiring that certain categories of personal data be stored on servers within Ethiopian territory. This is operationally significant for cloud-dependent businesses and creates genuine infrastructure costs for companies without domestic server capacity. Enforcement mechanisms are not yet fully established, but data localization requirements have a habit of becoming de facto trade barriers even before formal penalties are imposed.

West Africa: A Patchwork in Transition

Ghana’s Act 843, enacted in 2012, remains operative, but the regulatory architecture it created has not kept pace with the scale or sophistication of Ghana’s digital economy. A new Data Protection Bill introduced in 2025 proposes to change that substantially: mandatory 72-hour breach notification, obligatory data protection officers for qualifying organisations, and extraterritorial reach covering foreign entities that process Ghanaian residents’ data. If enacted, Ghana’s framework would move from one of the continent’s older, thinner regimes to one of its more GDPR-aligned.

Côte d’Ivoire’s Law 2013-450 remains active but contains no mandatory breach notification requirement, a gap that the country’s growing fintech sector has not been compelled to address. Angola, whose Law 22/11 dates to 2011, saw its regulator — the APD — fine multiple companies $75,000 each in 2024, with a legislative revision currently in public consultation. Cameroon enacted Law 2024/017, becoming the 38th African nation to join the continental data protection framework, with enforcement commencing in June 2026.

What This Means for Business

Three structural themes run through Africa’s data protection landscape in 2026. First, enforcement is no longer theoretical. Nigeria has proven that African regulators will pursue large penalties against large companies, and that precedent is being watched by regulators in Nairobi, Accra, and Cairo. Second, data localization is emerging as a distinct and underappreciated business risk — Ethiopia has mandated it, and other countries are considering similar provisions in draft legislation. Multinationals that have built their African operations on pan-regional cloud infrastructure without examining data residency requirements face exposure that due diligence processes are only beginning to capture. Third, the GDPR’s influence means that companies with functioning European compliance programmes have a structural head start — but African frameworks are diverging from GDPR in ways that require localisation, not mere transposition. Criminal liability for executives, sector-specific directives, and complaint-driven enforcement models all create obligations that cannot be satisfied by importing a European compliance template unchanged. Businesses operating across Africa’s ten largest economies are no longer managing regulatory risk in a permissive environment. They are operating in one that is maturing fast — and fining accordingly.