FRIDAY 18 FEBRUARY 2022 BIZWEEK EDITION 382

the data. Other notable changes include, amongst others, definitions of terms that were undefined or unused in the 2004 Act, such as «consent», «sensitive data», «health data» or «data processor». In addition, the definition of «data controller» was modified from «the individual or legal entity, private or state-owned, that has the power to order the creation of personal data» to persons «that, alone or jointly with other persons, decide to collect and process personal data and determine the purposes and means of processing». The definition of «processing» was broadened so as to include «organising, retaining, adapting, modifying, saving» personal data and «encrypting» personal data.

South Africa

After the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) (POPIA) of 19 November 2013 was passed and Proclamation No. R21 of 2020 on the Commencement of Certain Sections of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) was adopted on 1 July 2020, the majority of the operative provisions of POPIA came into effect. As a result, the Information Regulator issued a number of guidance notes in 2021 on different subjects such as the processing of special personal information (28 June 2021), the processing of personal information of children (28 June 2021), exemptions from the conditions for the unlawful processing of personal information, information officers and deputy information officers (1 April 2021), applications for prior authorisation (11 March 2021).

Uganda

Two years after passing the Data Protection and Privacy Act, the Ugandan Government adopted the Data Protection and Privacy Regulations, 2021, published in the Gazette on 12 March 2021. The Regulations provide for, in further detail, the establishment of the Personal Data Protection Office (PDPO) and describe its functions, powers and internal organisation and management.
The Regulations also set out the obligation for data collectors, controllers and processors to register with PDPO as well as the registration process. They detail the data breach notification requirements, the obligation to appoint a data protection officer and the data subject rights, namely the rights to information, access, objection, rectification, blocking and erasure. PDPO is now operational and it has issued guidance notes on designating a data protection officer, on lodging complaints, on registration classification and on renewal of registration.

Senegal

On 30 December 2021, the Senegalese Data Protection Commission issued a regulation setting out retention periods applicable to the following categories of data: employee data, video surveillance, logs of entry into and exit from the workplace and private homes, access magnetic passes, vehicle geolocation, commercial and marketing, customer data of banks and insurance companies. The retention periods vary from 6 months to 10 years.

After the promulgation of Kenya’s first Data Protection Act in November 2019, the Office of the Data Protection Commissioner published guidance notes, including on consent, on data protection impact assessment and on the processing of personal data for electoral purposes. Then, in December 2021, the Data Protection (General) Regulations, 2021 were adopted and published. The Regulations provide further details on the many areas covered by the Act, including data subject rights, use of data for commercial purposes and direct marketing, data retention, data protection policies, contracts between controllers and processors, data localisation, data protection by design or by default, data breach notification, cross-border transfers of data and data protection impact assessments. This Regulation significantly complements the Data Protection Act.

Supervisory authorities

In some jurisdictions data protection authorities became operational in the past 12 months.
Other jurisdictions with new data protection laws elected not to create a standalone data protection authority, but to grant supervisory powers to an existing authority, which was the choice made by the Ivory Coast and Nigeria.

Chad

In Chad, pursuant to the Data Protection Act n°007/PR/2015 of 10 February 2015, the authority in charge of data protection is the cybersecurity regulator, i.e. the National Agency for Information Security and Electronic Certification (ANSICE). ANSICE was instituted by Law No. 006/PR/2015 enacted on 10 February 2015. After a few years of latency, ANSICE became fully operational in late 2020. The agency is now very active in cybersecurity and data protection and it has commenced its data controller registration operations as well as enforcement actions.

Niger

The Data Protection Act No. 2017-28 of 3 May 2017 provides for the establishment of the High Data Protection Authority (HAPDP). The board and management of the authority were appointed in late 2019 and, in 2021, HAPDP became fully operational. It is undertaking significant awareness-raising campaigns and capacity building. The authority has also commenced its data controller registration activities.

Uganda

The Ugandan Data Protection and Privacy Act of 2019 provided that the data protection authority would be the Personal Data Protection Office. In 2021, as mentioned above, the Data Protection and Privacy Regulations, 2021 provided further detail about PDPO, including its functions, powers and internal organisation and management, and now PDPO is fully operational.

Rwanda

The Rwandan Protection of Personal Data and Privacy Law did not create a separate data protection-dedicated authority.
Instead, it granted supervisory powers to the cybersecurity authority, the National Cybersecurity Authority (NCSA), with the possibility for sector-specific regulatory authorities (such as the Rwanda Utility Regulatory Authority in the ICT sector) to oversee sector-specific compliance and put in place sector-specific regulations governing the protection of personal data and privacy. NCSA was instituted pursuant to Law No. 26/2017 of 31/05/2017 Establishing the National Cyber Security Authority and Determining its Mission, Organisation and Functioning and it is now fully operational.

Zimbabwe

Although the Data Protection Act provides for the creation of a Cyber Security and Monitoring of Interceptions of Communications Centre, it does not create an autonomous stand-alone data protection authority. The supervisory authority in charge of personal data is the already operational Postal and Telecommunications Regulatory Authority (POTRAZ).

Burkina Faso

The new Data Protection Act of 30 March 2021 requires that health data relating to identified or identifiable individuals be hosted in Burkina Faso unless an exception is made by the data protection authority. To date, no general exception to this principle has been issued.

Zambia

Pursuant to Section 70 of the Zambian Data Protection Act of 24 March 2021, data controllers must process and store personal data on a server or data centre located in Zambia except where the Minister prescribes categories of personal data that may be stored abroad. However, sensitive personal data may not be subject to ministerial exemptions. Further clarification as to the existence of further exceptions and the criteria for cross-border transfer is likely to be provided by the Minister and supervisory authority.

Zimbabwe

There are currently no specific data localisation obligations.
However, under the Data Protection Act 2021, the data protection authority, POTRAZ, is required to lay down the categories of processing operations for which and the circumstances in which international transfers are prohibited. Further information on the data localisation requirement is thus expected in the near future.

Kenya

Under the Data Protection Act, No. 24 of 2019, which entered into force on 25 November 2019, the Cabinet Secretary may prescribe, based on grounds of strategic interests of the state or protection of revenue, certain nature of processing that shall only be effected through a server or a data centre located in Kenya. The Data Protection (General) Regulations, 2021, published in December 2021, which complement the Data Protection Act, set out some localisation requirements. Under Section 26 of the Regulations, personal data processed for the purpose of strategic interest of the State must be processed through a server and data centre located in Kenya or at least one serving copy of the data must be stored in a data centre located in Kenya. The strategic interests referred to in Section 26 include (a) administering of the civil registration and legal identity management systems; (b) facilitating the conduct of elections for the representation of the people under the Constitution; (c) overseeing any system for administering public finances by any state organ; (d) running any system designated as a protected computer; (e) offering any form of early childhood education and basic education; or (f) provision of primary or secondary health care for a data subject in the country.

While the authorities of some jurisdictions focus on raising awareness, in other jurisdictions, the enforcement activities have significantly increased in the past year. Amongst the most active jurisdictions is Mauritius, whose data protection authority mainly responded to data subjects’ claims against locally-based controllers.
Nigeria and South Africa have been proactive in their investigations of foreign technology giants. The Nigerian authority issues fines on a regular basis. Enforcement has been identified as a priority in several countries. With regard to controllers who have no local presence and against which imposing fines is challenging, temporarily or permanently blocking the service via the internet service providers has emerged as a suitable solution.

[Source: Hogan Lovells, an American-British law firm co-headquartered in London and Washington, D.C., 01 February 2022]