Client Alert
Africa and the Near East: The Region’s Privacy Landscape Faces Rapid and Dramatic Changes
January 28, 2022

The Africa and Near East region experienced explosive growth in data privacy rules in 2021, with the enactment and/or entry into force of eight new data privacy laws: Cape Verde (amended); Kuwait; Rwanda; Saudi Arabia; United Arab Emirates (federal); United Arab Emirates/Abu Dhabi Global Market (amended); Zambia; and Zimbabwe. This year is likely to bring even more dramatic changes to this diverse region of the world as more new laws and regulations are enacted. If this pace continues, this region, which already accounts for more than one-quarter (39) of the world’s 140 data privacy laws, will soon have more than Europe and Eurasia combined.

A recent and troubling new development in this region is the emergence of data localization requirements in Kenya, Rwanda, and Zambia. It is too early to say how these provisions will be implemented and what practical effect they may have on commercial processing activities in these jurisdictions, but the concern is that other jurisdictions in this region may be encouraged to follow suit.

These rapid and dramatic changes in the region’s privacy landscape present challenges for companies seeking to develop a regional approach to privacy compliance. In particular, regulators are not yet established in 15 of these jurisdictions, and implementing regulations and guidance must be issued in several jurisdictions before the full scope of companies’ obligations becomes clear.
Other complicating factors include the lack of uniformity of legal obligations from one law to another, such as the available legal bases for processing and cross-border transfers, and the lack of transparency with respect to regulatory enforcement.

As discussed below, Bahrain, Egypt, Kenya, Saudi Arabia, South Africa, Uganda, and the United Arab Emirates are countries to watch in the coming year as implementation and enforcement of these new laws begin to take shape. Israel, Jordan, Ethiopia, and Namibia are the countries to watch in the coming year for the emergence of new or amended laws.

This alert discusses some of the significant changes that took place in 2021, identifies potential new laws and regulations in 2022 and beyond, and then reviews the commonalities and differences among the privacy regimes in the region.

Recently Enacted Privacy Laws and Other Developments

The following provides a snapshot of recently enacted laws and related developments:

Bahrain. In July 2021, Bahrain’s Ministry of Justice, Islamic Affairs and Waqf issued for public comment eight draft decisions pursuant to Bahrain’s Personal Data Protection Law (Law No. 30 of 2018), which entered into force on August 1, 2019. The draft decisions contain numerous new obligations with respect to data breach notification (imposing a 72-hour notification requirement), data security, privacy by design, data protection impact assessments (DPIAs), and data portability. A data protection authority (DPA) has been established, but it is not yet clear whether it is fully operational. This recent flurry of activity suggests that the country is preparing to implement and enforce its law soon.

Egypt.
Egypt’s Personal Data Protection Law, No. 151 of 2020, entered into force on October 14, 2020. Executive regulations were expected to be issued in April 2021; however, as of early January 2022, those regulations have not yet been issued, nor has a DPA been established. Once those regulations are issued, organizations will have one year to comply.

Kenya. In November 2020, a data protection commissioner was appointed to oversee enforcement of the Data Protection Act, 2019, which entered into force in November 2019. In early 2021, the DPA issued guidance on the provisions of the law relating to consent and DPIAs. In May and June 2021, it published draft data protection regulations for public comment. The regulations were published in final form on January 14, 2022 and are expected to enter into force on February 11, 2022, subject to approval by the National Assembly. The regulations specify the controllers and processors that are subject to mandatory registration requirements and require them to register with the DPA within six months. The regulations further clarify the rules for breach notification, cross-border transfers, direct marketing, consent, DPIAs, and data localization. The data localization provisions require personal data processed for the purposes of “strategic interest of the state” to be processed through a server and data center located in Kenya, and at least one copy of that data must be stored in a data center located in Kenya. [1] In addition, controllers that process personal data outside of Kenya for other purposes and suffer data breaches or violate the Act may also be required to comply with the data localization requirements.
The DPA has been active in promoting awareness and responding to complaints, which suggests that, like Bahrain, the DPA is moving to implement and enforce the law shortly.

Kuwait. Kuwait’s Communication and Information Technology Regulatory Authority (CITRA) issued Resolution 42 of 2021 on Data Privacy Protection Regulations (“Regulations”), which entered into force in April 2021. The Regulations address the collection and processing of personal data and apply to a Communications and Information Technology Service Provider (“Service Provider”) that provides services in Kuwait. Such services may include the establishment of any type of public telecommunications network, or the operation of a website, smart application, or cloud computing services, by any natural or legal person. The Regulations apply to all public- and private-sector Service Providers that collect, process, and store personal data using automated means or any other means that form part of a data storage system, whether processed inside or outside Kuwait, where the personal data relates to processing activities connected with the transmission of advertising or marketing material or the monitoring of individuals’ behavior and trends. Although seemingly sectoral in nature, the Regulations actually cover a wide range of organizations and require, among other things, a legal basis for processing, the provision of individual rights, and notification of data breaches to individuals and CITRA within 72 hours.

Nigeria.
In early 2021, the National Information Technology Development Agency (NITDA), the authority responsible for enforcement of the Nigeria Data Protection Regulation 2019 (“Regulation”), issued the final version of the Regulation’s Implementation Framework. NITDA describes the framework as a guide to help controllers and processors understand the controls and measures they must implement to comply with the Regulation and to promote voluntary compliance. The Implementation Framework provides important clarifications regarding key obligations under the Regulation, such as when a DPO must be appointed, how and when consent must be obtained from individuals, the need to notify NITDA within 72 hours in the event of a data breach, and the countries that are deemed to provide adequate protection. As discussed in the following section, efforts are still underway to develop a new, more comprehensive data protection law, but the timing for enactment of a law remains unclear. In the meantime, NITDA is actively enforcing this Regulation. To date, NITDA has imposed two large fines. In August 2021, NITDA imposed a fine of NGN 10 million (approximately USD 24,000) on an online lending platform for a variety of violations relating to the provision of notice, inadequate legal bases for processing and sharing data, failure to file the required audit reports through a licensed third-party auditor, and failure to cooperate with NITDA. In 2020, it issued a fine of NGN 5 million to a Nigerian company in connection with a data breach.

Rwanda. Rwanda enacted Law Nº 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy in October 2021. Organizations have until October 2023 to come into compliance.
The National Cyber Security Authority is the regulator responsible for enforcement of the Law. The Law imposes criminal penalties for violations, as well as administrative penalties for violations ranging from RWF 2 to 5 million, or 1% of the organization’s global turnover of the preceding financial year. The most noteworthy provisions include requirements for data localization (organizations must store personal data in Rwanda unless the regulator authorizes international storage), a 72-hour notification for data breaches, the appointment of a DPO, and a registration requirement for controllers and processors.

Saudi Arabia. Saudi Arabia enacted a Personal Data Protection Law (PDPL) that goes into effect on March 23, 2022. Controllers have one year from that date to come into compliance with the law. The PDPL applies to any processing of personal data of individuals that takes place in Saudi Arabia, as well as processing of personal data of individuals residing in Saudi Arabia by organizations outside of Saudi Arabia. The PDPL imposes a number of requirements, including with respect to: the provision of a privacy notice; legal bases for processing; individual rights (access, correction, and deletion rights); data quality; data security; breach notification; and the appointment of a DPO. The PDPL also provides for a private right of action. In the event of a law violation, fines up to SAR 3 million (approx. USD 800,000) and/or imprisonment of up to two years are possible.

South Africa. Although enacted in 2013, South Africa’s Protection of Personal Information Act (POPIA) only entered into force on July 1, 2020. Organizations were given until July 1, 2021 to comply with the law. The DPA, which has been operational since 2016, is actively issuing guidance, revising existing regulations, educating and promoting awareness, and speaking out on selected data privacy issues.

Togo.
The Law on Protection of Personal Data went into effect in October 2019, with enforcement to begin in October 2020; however, as of December 2021, the DPA had not yet been established.

Uganda. One year after Uganda’s Data Protection and Privacy Act, 2019 (“Act”) entered into force in February 2020, the Ministry of ICT and National Guidance issued the Data Protection and Privacy Regulations, 2021, No. 21 of 2021 (“Regulations”), which implement the Act. The Regulations specify the individual rights provisions, including a requirement to respond to access requests within seven days and comply with correction requests within 30 days, and require the appointment of a DPO, DPIAs for high-risk processing, notification to individuals about data breaches immediately after the DPA is notified about the breach, and submission of annual reports to the DPA summarizing all data breaches and the action taken to address such breaches. Both controllers and processors are subject to registration requirements, and where a controller or processor notifies the individual of its intention to continue processing personal data for the purpose of direct marketing, the individual may, within 14 days of receiving the notice, request in writing that the DPA review the decision of the controller or processor. Under the Act, violations are punishable by a fine not exceeding 4.8 million shillings (USD 1,284) or imprisonment for ten years or both. The Regulations include additional offenses, such as for violations of the registration requirements and cross-border transfer rules. Uganda’s Personal Data Protection Office (DPA) announced a grace period up to the end of December 2021 to allow for relevant organizations and persons to register their collection and processing of personal data with the DPA. The DPA will begin taking enforcement measures against unregistered organizations and persons once the registration requirements become effective starting in January 2022.

United Arab Emirates (UAE).
In September 2021, the UAE adopted a new federal privacy and data protection law, Federal Law No. 45 of 2021 on the Protection of Personal Data, that went into effect on January 2, 2022. This new law now broadly aligns the UAE’s federal data privacy requirements with the EU General Data Protection Regulation (GDPR) as well as existing data protection laws of the UAE’s two free-market zones, the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM). Executive regulations are to be issued within six months and companies will have until January 2023 to comply with the law. This new federal law does not apply to companies registered in the free-market zones or to health data covered by the Federal Law No. 2 of 2019 Concerning the Use of Information and Communication Technology in Health Fields, which regulates the use of information and communications technology in the UAE’s health industry and establishes a centralized system to manage health information.

While the federal law mirrors much of the DIFC and ADGM laws, there are some noteworthy differences. In particular, unlike the DIFC and ADGM laws, the same legal bases for processing personal data under the federal law apply to the processing of sensitive personal data, and the federal law does not include a legal basis for processing on the basis of the controller’s legitimate interests. In addition, the breach notification threshold is lower than under the DIFC and ADGM laws and the cases in which a data protection officer (DPO) must be appointed also differ. It should be noted that both the DIFC and ADGM revised their laws in 2020 and 2021 respectively to align them more closely to the EU GDPR. Both have issued revised sets of standard contractual clauses similar to the EU SCCs but with some differences.

Zambia. Zambia’s Data Protection Act, No. 3 of 2021 was approved by the legislature in March 2021, but has not entered into force yet. The Act has some unique and onerous provisions.
For example, a legal basis such as consent, legitimate interests, or contractual necessity is required to process personal data; however, consent is not a legal basis for the processing of sensitive personal data. Sensitive personal data may only be processed in limited circumstances, such as where the processing is necessary for the establishment, exercise, or defense of a legal claim. Furthermore, the Act requires controllers to notify the DPA within 24 hours of any security breach affecting personal data processed and, like the Rwandan law, requires controllers to process and store personal data on a server or data center located in Zambia. However, the Minister may prescribe categories of personal data that may be stored outside Zambia. Both controllers and processors are required to register their processing activities and appoint a DPO in accordance with guidelines issued by the DPA. The Act provides offenses for certain violations, including fines ranging from 100 million to 500 million penalty units or two percent of annual turnover of the preceding financial year, or imprisonment up to five years.

Zimbabwe. Zimbabwe is the most recent country in the region to enact a data privacy law. The Data Protection Act (“Act”) was enacted on December 3, 2021 but no date is specified for its entry into force or if companies will have a transition period to comply with the Act. The Act is applicable to public- and private-sector entities and requires, among other things, notification of data breaches within 24 hours, the appointment of a DPO, and consent or another limited legal basis to transfer personal data to countries that are not deemed to provide adequate protection. The Act establishes the Postal and Telecommunications Regulatory Authority of Zimbabwe as the DPA to implement and enforce the Law. Amendments to Zimbabwe’s Criminal Law Act also are included in the Act in order to address cybersecurity.
The Act stems from the Cyber Security and Data Protection Bill, which, after a series of public hearings, went through several amendments during the Parliamentary process.

New Laws Expected in 2022 and Beyond

Israel. Forty years after the enactment of Israel’s Protection of Privacy Law, 5741-1981, the Israeli Ministry of Justice published a bill in early January proposing amendments to the current law that, if enacted, would, among other things, amend the definitions of key terms in the law such as personal information and sensitive information, reduce registration requirements, and expand the DPA’s enforcement powers by enabling it to impose financial penalties. Privacy legislation is expected to be one of the main issues on the 2022 legislative agenda of the Knesset’s Constitution, Law, and Justice Committee.

Jordan. In late December 2021, the Jordanian Council of Ministers approved a draft law on the protection of personal data. If enacted, the draft law would, among other things, require legal bases for processing personal data, provide for individual rights, including the right to be forgotten and data portability, impose breach notification requirements, restrict cross-border transfers of personal data to countries that provide adequate protection rules, and establish a Personal Data Protection Board to oversee and enforce the law.

Ethiopia. As part of its National Digital Transformation Strategy initiative, the Ethiopian government, led by the Ministry of Innovation and Technology, has drafted a Personal Data Protection proclamation (PDP). The PDP, which provides for the creation of a Data Protection Commission, establishes rules for the collection, use, disclosure, and cross-border transfer of personal data, and provides individuals with access, correction, erasure, and data portability rights, reportedly has been submitted to the Council of Ministers for approval.

Namibia.
The Ministry of Information and Communication Technology (MICT) is reportedly working on draft data protection legislation.

Nigeria. There are reports that the Nigerian government has abandoned plans to move forward with its proposed Data Protection Bill, 2020, which was developed after a lengthy public consultation process, and draft new legislation. If these reports are true, then the prospects for enactment of legislation in 2022 appear to be greatly diminished. The government’s 2020 bill proposed regulating personal data of individuals and legal entities (both public and private). It contained extraterritorial provisions to regulate controllers (without regard to their establishment) that carry out processing of information relating to individuals who reside within or outside Nigeria and personal data which originates partly or wholly from Nigeria. It also established basic principles and legal bases (such as legitimate interests, contractual necessity, and consent) for processing of personal data, provided for individual rights, including erasure and data portability rights, and imposed security requirements, including specific obligations on data processors. In addition, it included restrictions on cross-border transfers and the submission of annual audit reports and notification of data breaches within 48 hours. Lastly, it provided for the establishment of a Data Protection Commission and imposed criminal penalties for law violations.

Characteristics of the Current Regional Landscape: Commonalities and Differences

The Africa and Near East region now has 39 data privacy laws, representing more than one-quarter of the 140 privacy laws worldwide: Algeria, Angola, Bahrain, Benin, Botswana, Burkina Faso, Cape Verde, Chad, Republic of the Congo, Côte d’Ivoire, Egypt, Equatorial Guinea, Gabon, Ghana, Guinea, Israel, Kenya, Kuwait, Lesotho, Madagascar, Mali, Mauritania, Mauritius, Morocco, Niger, Nigeria, Qatar, Rwanda, São Tomé & Principe, Saudi Arabia, Senegal, Seychelles, South Africa, Togo, Tunisia, Uganda, the United Arab Emirates (federal law and laws in two free-trade zones, the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM)), Zambia, and Zimbabwe. The laws in the Seychelles, Zambia, and Zimbabwe have not yet entered into force.

More than half of these laws (22) were enacted (or amended) within the past five years and, of these, 10 were enacted in the past two years. The newest laws are in Egypt, Kuwait, Rwanda, Saudi Arabia, the United Arab Emirates (federal), Zambia, and Zimbabwe.

While they share the same core data protection elements, all of these laws have specific rules that differ from each other and from those in other regions. Thus, implementing data privacy programs to comply with these rules can be challenging, particularly in those jurisdictions that have yet to establish their data protection authorities (DPAs). The jurisdictions without established DPAs are: Algeria, Botswana, Republic of the Congo, Egypt, Equatorial Guinea, Guinea, Lesotho, Madagascar, Mauritania, Saudi Arabia, Seychelles, Togo, UAE (federal), Zambia, and Zimbabwe.

Scope. Most of the laws in this region apply to processing in-country only. However, at least three have extraterritorial provisions: Benin, Cape Verde, and Uganda.
The laws in both Benin and Cape Verde extend to controllers and processors not established in their country that process personal information of people in their country relating to the offering of goods or services to people in their country or the monitoring of their behavior, insofar as this behavior takes place in their country. Additionally, the Benin law applies to processing that takes place in a member state of the Economic Community of West African States (ECOWAS). Uganda’s law applies to organizations within Uganda that process personal information or organizations outside Uganda that process personal information relating to Ugandan citizens. There are also two other laws, in Egypt and Qatar, that may have extraterritorial provisions but further regulatory clarification is needed.

Cross-border Transfers. While most of the jurisdictions (34) impose restrictions on cross-border transfers of personal data, there is such a diverse array of rules that it is practically impossible to characterize them in meaningful ways.

Adequacy. Many of these jurisdictions permit transfers to countries that provide “adequate” protection; however, only seven have issued their lists of adequate countries. The lists of the seven that have vary widely. For example, Côte d’Ivoire and Niger recognize the member states of ECOWAS; Chad recognizes the member states of the Central African Economic and Monetary Community (CEMAC) and the Economic Community of Central African States (CEEAC); Lesotho recognizes member states that have transposed the Southern African Development Community (SADC) data protection requirements; Morocco recognizes the EEA Member States and Canada; and the UAE/DIFC and ADGM recognize the EEA Member States as well as other jurisdictions recognized by the EU as providing adequate protection.
Nigeria recognizes numerous jurisdictions including the African countries that are signatories to the Malabo Convention 2014, the United States, the EEA Member States (and the other jurisdictions recognized by the EU), China, the Philippines, and Singapore. In order to transfer to an adequate country, eight of these jurisdictions additionally require DPA authorization, notification, or a DPA license: Benin, Republic of the Congo, Egypt, Guinea, Morocco, Senegal, Togo, and Tunisia.

Adequate Protection Measures. Twenty-two jurisdictions permit cross-border transfers where adequate protection measures are in place, such as contractual clauses, but in many cases the DPAs must also approve the transfers and/or contractual clauses. Only a couple of DPAs (in the UAE/DIFC and ADGM free-trade zones) have issued their own clauses. Alternatively, Israel permits the use of EU Standard Contractual Clauses with minor modifications.

Legal Bases. All but a few laws permit transfers to inadequate countries, provided one of the legal bases specified in the law applies. However, these legal bases vary widely. Some provide for one or more legal bases such as consent, contractual necessity, vital interests, and/or a legal claim; some only permit such transfers on the basis of consent, while others limit the use of consent to transfers that are limited and specific. Many laws also require DPA authorization for such transfers. In contrast, laws in countries such as Burkina Faso, Côte d’Ivoire, Guinea, Niger, and Tunisia do not provide any legal bases other than DPA authorization.

Breach Notification. Half of the laws (20) require notification in the event of a data breach: Benin, Botswana, Cape Verde, Chad, Republic of the Congo, Egypt, Ghana, Israel, Kenya, Kuwait, Lesotho, Mauritius, Qatar, Rwanda, Saudi Arabia, South Africa, Uganda, the United Arab Emirates (Federal, DIFC, and ADGM), Zambia, and Zimbabwe.
Seventeen of these 20 jurisdictions require notification to the DPA in the event of any data security breach, regardless of risk of harm. While some of the laws only require that notice be provided to individuals and/or to the DPA “as soon as practicable” or “without delay,” more than half require notification to the DPA within 24–72 hours. Most require that both individuals and the DPA be notified about a breach.

Legal Bases for Processing. Almost half of the laws (18) do not permit processing on the basis of legitimate interests. Instead, the laws rely on other legal bases such as consent, contractual necessity, legal requirements, or vital interests. Only two countries, Israel and Mali, do not expressly require a legal basis for processing. Instead, they specify that processing for purposes other than those for which the information was provided constitutes a violation of privacy.

Individual Rights. Access and correction rights must be provided in all countries. More than three-quarters of the laws (32) provide erasure rights and slightly more than one-quarter (11) provide data portability rights. The timeframes for responding to individual rights requests also vary widely: 17 countries require responses to rights requests within 30 days or more; four within 21 days; three within 10–15 days; and two within seven days. Twelve do not specify a time period.

Data Protection Officer (DPO). More than one-third of the jurisdictions (16) require the appointment of a DPO: Benin, Cape Verde, Republic of the Congo, Egypt, Madagascar, Mali, Mauritius, Nigeria, Rwanda, Saudi Arabia, South Africa, Tunisia, Uganda, the UAE, Zambia, and Zimbabwe.

Registration. While the trend around the world is to minimize registration requirements, most of the laws in the region (36) require organizations to register processing activities with a DPA. Eight jurisdictions require both controllers and processors to register.
The countries that do not impose registration requirements are Kuwait, Nigeria, and Qatar.

Security. Slightly more than half of the countries (18) have either some specific or very detailed security provisions. The countries with detailed security obligations are Benin, Israel, Senegal, and the UAE/DIFC. Three countries, Benin, Côte d’Ivoire, and Nigeria, require the submission of security compliance or audit reports annually to the DPA.

Data Protection Impact Assessments (DPIAs). Slightly more than one-third (15) of the laws require DPIAs for certain types of processing. DPIAs are required in Benin, Cape Verde, Republic of the Congo, Côte d’Ivoire, Israel, Kenya, Mauritius, Morocco, Nigeria, Qatar, Rwanda, South Africa, Uganda, UAE, and Zambia.

Data Localization. Three countries, Kenya, Rwanda, and Zambia, impose data localization requirements. The Rwandan law requires controllers and processors to store personal data in Rwanda unless they obtain a valid registration certificate issued by the DPA that authorizes international storage. The Zambian law, which is not yet in force, requires controllers to process and store personal data on a server or data center located in Zambia; however, the law permits the Minister to prescribe categories of personal data that may be stored outside Zambia. In addition, the Kenyan regulations require personal data processed for the purposes of “strategic interest of the state” to be processed through a server and data center located in Kenya, and at least one copy of that data must be stored in a data center located in Kenya. Moreover, controllers that process personal data outside of Kenya for other purposes and suffer data breaches or violate the law may also be required to comply with the data localization requirements.

Enforcement.
With the enactment and/or entry into force of 10 new or amended laws in the past two years, as well as the recent issuance of new guidance and regulations in jurisdictions such as Kenya, Qatar, South Africa, and Uganda, we expect to see regulatory enforcement activity increase in the coming year. However, despite the fact that 24 jurisdictions have established DPAs, only a few have publicized information on fines imposed. For example, in 2021, Mali’s DPA imposed a CFA 20 million fine against a company for workplace surveillance violations and, in 2020, a fine of CFA 18 million against a company for unlawful access and collection of personal data. The Nigerian DPA issued NGN 5 million and 10 million fines in 2020 and 2021 respectively for various violations of its Regulation. In December 2018, Gabon imposed an XAF 5 million fine against a company for unlawfully collecting geolocation data from its employees without providing notice to the individuals and without authorization from the DPA.

[1] Such purposes include: administering of the civil registration and legal identity management systems; facilitating the conduct of elections for the representation of the people under the Constitution; overseeing any system for administering public finances by any state organ; running any system designated as a protected computer system in terms of section 20 of the Computer Misuse and Cybercrime Act, 2018; offering any form of early childhood education and basic education under the Basic Education Act, 2013; or provision of primary or secondary health care for a data subject in the country.

Practices: Privacy + Data Security
Cynthia J. Rich, Senior Privacy Advisor