When Rest of World published its investigation into Chinese AI surveillance infrastructure across Africa in March 2026, the headline figure was striking enough: eleven African countries have collectively spent more than $2 billion on surveillance systems supplied and largely financed by Chinese firms, primarily Huawei and ZTE. Nigeria alone accounts for $470 million — the continent’s largest national deployment, encompassing the country’s sprawling smart camera network across major cities.
The macro story was important. The regulatory story is more urgent. Of the eleven countries covered in the joint investigation by the Institute of Development Studies and the African Digital Rights Network, not one has laws that adequately govern AI-powered surveillance, establish meaningful citizen redress mechanisms, or impose accountability requirements on the foreign vendors that built and, in some cases, continue to operate these systems. This is not a policy gap waiting to be closed. It is a gap that has been widening while the infrastructure it should govern has been rolled out at scale.
For African businesses — particularly those in telecoms, financial services, and enterprise technology — this gap is not merely a human rights concern. It is a compliance risk with direct commercial implications.
The Infrastructure Precedes the Law
Huawei and ZTE built approximately 70 percent of Africa’s 4G telecommunications infrastructure. The surveillance systems layered on top of that foundation — smart cameras, facial recognition platforms, command-and-control systems, social media monitoring tools — were typically financed through Chinese state-backed loans, with contract terms that condition financing on purchasing Chinese technology and services. This structure creates a dependency that outlasts any individual procurement decision.
The eleven countries in the IDS/ADRN study represent a cross-section of African governance environments. Some — Kenya, Nigeria, South Africa — have modern data protection frameworks. Others — Ethiopia, Zimbabwe, Uganda — are operating with laws that predate the AI surveillance era or lack comprehensive data protection legislation entirely. In no case does the legal framework specifically address AI-powered surveillance as a category of regulated activity.
Kenya enacted its Data Protection Act in 2019, one of the continent’s stronger frameworks, administered by the Office of the Data Protection Commissioner. The Act regulates the processing of personal data, including biometric data collected by surveillance systems. But it does not establish a specific legal basis for state surveillance, does not require algorithmic impact assessments, and does not address the cross-border data transfer implications of systems whose backend infrastructure may be operated or accessible from China.
Nigeria’s Nigeria Data Protection Act (2023) — one of the most recently enacted comprehensive frameworks on the continent — similarly lacks provisions specific to AI surveillance. The National Information Technology Development Agency has produced a draft National AI Policy, but enforcement mechanisms for state-deployed surveillance systems remain unspecified. Nigeria’s $470 million deployment is the largest in the study; its legal framework is among the most recently modernised but still structurally silent on surveillance governance.
South Africa is furthest along the AI regulatory path. The Protection of Personal Information Act (POPIA) has teeth — the Information Regulator has begun enforcement actions — and the Department of Communications and Digital Technologies’ draft National AI Policy is expected to be gazetted for public consultation in March 2026. But POPIA’s framework does not distinguish between commercial and state surveillance, and the AI policy’s multi-regulator approach creates an ambiguity: which body has jurisdiction over a smart camera network deployed in Johannesburg with backend infrastructure maintained in Shenzhen?
The AU’s Missing Framework
The African Union’s Data Policy Framework, adopted in 2022 and updated in 2025–26, sets out guiding principles for data governance across member states. It does not address AI-powered surveillance as a specific domain. The AU’s Artificial Intelligence Continental Strategy — developed through 2023 and 2024 — focuses on AI’s developmental applications: agriculture, healthcare, education. Surveillance governance is absent.
The AU Convention on Cyber Security and Personal Data Protection (the Malabo Convention), adopted in 2014 and in force since 2023, establishes baseline data protection principles but was designed before large-scale AI surveillance was a practical reality for African governments. It addresses surveillance in the context of cybercrime investigation, not systematic urban AI monitoring infrastructure.
Who is pushing for change at the AU level? Civil society organisations including the African Digital Rights Network and Research ICT Africa have been the loudest voices, but they are advocating at advisory rather than decision-making levels. No AU member state has tabled a formal proposal to extend the Data Policy Framework or Malabo Convention to cover AI surveillance specifically. The diplomatic dynamic is complicated by the fact that the countries most invested in Chinese surveillance infrastructure — including several that have used these systems for political monitoring — have little institutional incentive to push for binding oversight frameworks.
The Business Compliance Exposure
For African technology companies operating in surveillance-adjacent sectors, the regulatory vacuum creates a specific category of risk that legal teams are only beginning to price.
Telecoms operators whose networks carry data generated by AI surveillance systems — including facial recognition matches, behavioural analytics, and location data — may be processing personal data without a lawful basis under applicable data protection law. None of the eleven countries in the study has clarified whether network operators bear co-processor liability for surveillance traffic that transits their infrastructure.
Cloud and enterprise software companies offering services to government clients in these jurisdictions face the prospect of retroactive compliance obligations. As data protection regulators — Kenya’s ODPC, Nigeria’s NDPC, South Africa’s Information Regulator — increase enforcement activity in 2026, the question of whether enterprise SaaS providers have adequate data processing agreements with government surveillance operations is live and largely unresolved.
Financial institutions subject to cross-border compliance requirements — particularly those operating under EU GDPR jurisdiction or serving European counterparties — face a dual exposure. If surveillance data collected in their jurisdictions is transferred to Chinese state or quasi-state actors without adequate safeguards, they may face secondary compliance liability under the extraterritorial provisions of European data protection law.
Vendor Accountability: The Unasked Question
Huawei and ZTE are subject to the People’s Republic of China’s National Intelligence Law (2017), which requires organisations and citizens to support, cooperate with, and assist state intelligence activities. The practical implications of that law for Chinese surveillance infrastructure deployed across eleven African countries — including whether backend access to surveillance data can be compelled by Chinese authorities — has not been formally addressed by any African government, regulatory body, or multilateral institution.
No African country has imposed restrictions on Huawei or ZTE comparable to those enacted by the United States, United Kingdom, or European Union. The economic logic is straightforward: Chinese vendors offer financing structures and price points that Western alternatives do not. But the due diligence gap is widening. African regulators who have not assessed the data sovereignty implications of Chinese surveillance contracts are not in a position to manage what they have not measured.
The first-mover opportunity for African regulatory leadership exists at the country level. South Africa’s AI policy process, Kenya’s ODPC enforcement ramp-up, and Nigeria’s NDPC compliance framework are all moving in the right direction. None of them is moving at the speed of the infrastructure they are meant to govern.
What Needs to Happen
The IDS/ADRN study is the most comprehensive mapping of this gap to date, but it is a civil society document. What it cannot do is compel the legal reforms that would give it consequence. Those require three things that are currently absent: AU-level framework language specific to AI surveillance; country-level implementing legislation that closes the loopholes data protection laws leave open; and a transparent audit of the contractual terms under which Chinese vendors accessed, maintain, or can access surveillance system data.
Until that work is done, the $2 billion figure represents not just a procurement statistic but an unaccounted liability — sitting on the balance sheets of governments, on the compliance exposure of businesses, and on the daily lives of the citizens whose data is being collected with no legal basis for how it is held, shared, or deleted.
The infrastructure is built. The law is not.
| Country | Data Protection Framework | AI Surveillance Law | Vendor Accountability Provisions |
|---|---|---|---|
| Nigeria | Nigeria Data Protection Act (2023) | None | None |
| South Africa | POPIA (2020), draft AI policy (2026) | None | None |
| Kenya | Data Protection Act (2019) | None | None |
| Uganda | Data Protection and Privacy Act (2019) | None | None |
| Zimbabwe | Data Protection Act (2021) | None | None |
| Ethiopia | None (draft in development) | None | None |
| Zambia | Data Protection Act (2021) | None | None |
| Tanzania | Personal Data Protection Act (2022) | None | None |
| Rwanda | Law on Personal Data Protection (2021) | None | None |
| Ghana | Data Protection Act (2012) | None | None |
| Cameroon | No comprehensive framework | None | None |
Source: IDS/African Digital Rights Network country analysis; BETAR.africa regulatory mapping, March 2026.
UphivaBETAR
