Data protection in Africa has grown tremendously over the last 10 years as more countries adopt laws to safeguard personal information, promote digital trust, and regulate how organizations process personal data. While each country has its own legal framework, many African Laws are influenced by International Standards such as the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) and the General Data Protection Regulation (GDPR).

The Malabo Convention, adopted in 2014 by the African Union, provides a Regional Framework for Data Protection, Cybersecurity and Electronic Transactions. The Convention aims to strengthen trust in Africa’s digital ecosystem while supporting innovation, protecting individuals’ personal data, and improving resilience against cyber threats. It encourages African countries to establish national Data Protection Laws, although it has not been ratified by all countries.

On 25 April 2025, the Nigerian Competition and Consumer Protection Tribunal upheld a US$220 million fine against Meta Platforms Inc. and WhatsApp LLC for violating Nigeria’s Data Protection and Consumer Protection Laws. The Tribunal found that the Companies had unlawfully transferred users’ personal data, published privacy policies that did not comply with Nigerian law and processed the personal data of users in Nigeria without obtaining valid consent.

On 18 July 2025, Uganda’s Personal Data Protection Office (PDPO) sanctioned Google LLC for unlawfully transferring the personal data of Ugandan citizens outside the country without demonstrating adequate safeguards or accountability measures. The PDPO also found that Google failed to appoint and disclose the contact details of a designated Data Protection Officer for Uganda, as required under the Country’s Data Protection Law.

In Cameroon, Data Protection is governed primarily by Law N°. 2024/017 of 23 December 2024 relating to Protection of Personal Data. This Law establishes a comprehensive legal framework for collecting, using, storing, and transferring personal data and significantly expands earlier protections that were contained in Law N°. 2010/012 of 21 December 2010 on Cybersecurity and Cybercrime in Cameroon.

On the flip side, Data Protection in Nigeria is primarily governed by the Nigeria Data Protection Act 2023 (NDPA), which came into force on 12 June 2023. The Act establishes a comprehensive legal framework for the protection of the personal data of individuals in Nigeria, and it covers certain organizations located outside Nigeria if they process the personal data of Nigerians. The Act also created the Nigeria Data Protection Commission (NDPC) as the country’s independent Data Protection Regulator, supporting Nigeria’s digital economy through trusted data governance.

Both Laws thus seek to:

-Protect individuals’ privacy and personal data;

-Regulate how organizations collect, use, store, and share personal data;

-Promote responsible and secure data processing;

-Provide remedies when data protection rights are violated.

-Process data lawfully and fairly;

-Obtain valid consent where required;

-Collect only data necessary for specified purposes;

-Ensure data accuracy;

-Retain personal data only as long as necessary.

The Data Protection regime in Cameroon is governed by the following laws and regulations:

-Law N°. 2024/017 of 23 December 2024 on the Protection of Personal Data

-Law N°2010/013 of 21 December 2010 governing Electronic Communications in Cameroon

-Law N°. 2010/012 of 21 December 2010 on Cybersecurity and Cybercrime in Cameroon

-Law N°. 2016/007 of 12 July 2016 on the Criminal Code

-Law N° 2010/021 of 21 December 2010 on Electronic Commerce in Cameroon

-Framework Law N°. 2011/012 of 06 May 2011 on Consumer Protection in Cameroon

-Decree N° 2011/1521/PM of 11 June 2011 laying down the implementing provisions of Law N° 2010/021 of 21 December 2010 on Electronic Commerce in Cameroon

-Decree N°. 2019/150 of 22 March 2019 on the Organisation and Functioning of the National Information and Communication Technology Agency (ANTIC)

-Regulation N°. 03/16-CEMAC-UMAC-CMAC-CM of 21 December 2016 on Systems, Means and Incidents of Payment

-Law N°. 2023/009 of 25 July 2023 on the Charter for the Protection of Children Online in Cameroon

The Data Protection regime in Nigeria is governed by the following laws and regulations:

-The Constitution of the Federal Republic of Nigeria, 1999 as amended

-The Nigeria Data Protection Act 2023 (Nigeria’s principal Data Protection Law)

The key rule under Nigerian Law is that personal data must not be retained longer than necessary. While the Nigeria Data Protection Act (NDPA) itself does not prescribe universal retention periods, the General Application and Implementation Directive (GAID) 2025 provides that, where no specific legal retention period exists, personal data should generally be retained for no more than six months after the original processing purpose has been fulfilled, unless there is a lawful reason to keep it longer.

Section 25(1) of Law N°. 2010/012 of 21 December 2010 on Cybersecurity and Cybercrime in Cameroon provides that network operators and electronic communication service providers are required to retain data for a period of 10 years.

Individuals generally have rights to:

-Be informed about the collection and use of their personal data;

-Access their personal data;

-Request correction of inaccurate information;

-Object to certain processing activities;

-Request deletion or restriction of processing in situations provided by law;

-Seek remedies where their rights have been violated.

Businesses, government bodies, NGOs, and other organizations handling personal data should generally:

-Identify a lawful basis for processing personal data;

-Obtain explicit consent where required;

-Maintain records of processing activities;

-Implement appropriate cybersecurity safeguards;

-Notify or obtain authorization from the competent authority where required by the law;

-Ensure that third parties processing data on their behalf also comply with legal requirements;

-Establish internal privacy and information security policies.

Although there is no obligation as to the appointment of a Data Protection Officer (DPO) or Data Controller, DPOs are usually recommended for compliance purposes. Some examples include:

Companies collecting and processing, directly or through a sub-processor, the personal data of customers, users and staff located in Cameroon, for purposes related to the Company’s operations. These data include, but are not limited to, weight, blood pressure, heart rate, health history and health reports.

Companies analysing or accessing the personal data of subscribers, such as telephone numbers, balance notifications and display of mobile data bandwidth, for sale to local advertisers for the purpose of distributing direct marketing SMS messages.

Companies and their DPOs should also consider conducting Data Protection Impact Assessments (DPIAs) when processing activities may pose high risks to data subjects’ rights and freedoms.

Under the NDPA, a Data Controller or Processor may not transfer personal data outside Nigeria unless the transfer complies with the conditions set out in the Act and the General Application and Implementation Directive (GAID). The objective is to ensure that individuals’ personal data continues to receive an adequate level of protection after it leaves Nigeria.

However, the GAID identifies three principal mechanisms for lawful cross-border data transfers:

Adequacy Decision by the NDPC. The Commission may determine that another country provides an adequate level of data protection by considering whether the country has enforceable data protection laws.

Cross-Border Data Transfer Instrument (CBDTI): Where no adequacy decision exists, transfers may occur using a Cross-Border Data Transfer Instrument (CBDTI) approved by the NDPC. Examples of appropriate safeguards include:

a)Standard contractual clauses approved by the NDPC;

b)Binding corporate rules for multinational groups;

c)Approved codes of conduct;

d)Approved data certification mechanisms.

Other Lawful Reasons

The NDPA also permits transfers in specific situations, including where:

a)The data subject has given explicit, informed consent after being informed of the potential risks;

b)The transfer is necessary for the performance or negotiation of a contract involving the data subject;

c)The transfer is necessary for important reasons of public interest;

d)The transfer is necessary to establish, exercise, or defend legal claims;

e)The transfer is solely for the benefit of the data subject where consent cannot reasonably be obtained.

• Adequate Level of Protection

The destination country must provide an adequate level of protection for personal data. This assessment considers whether the receiving country’s legal framework effectively protects individuals’ privacy and data protection rights.

• International Legal Instrument

The transfer may be permitted where there is an applicable legal instrument or international agreement between Cameroon and the destination country that governs the protection of personal data.

• Binding Security Rules

The foreign recipient should be subject to binding security and data protection rules that ensure an appropriate level of protection for the transferred data. These may include internal corporate rules or other enforceable safeguards.

• Standard Contractual Clauses

The exporter and importer of the personal data may enter into standard contractual clauses published or approved by the Personal Data Protection Authority. These contractual commitments help ensure that the transferred data remains protected after leaving Cameroon.

Our team of data protection experts assists and advises on the following:

-Advising on Data Protection Compliance by interpreting and applying data protection laws and regulations;

-Developing, reviewing and drafting compliant privacy policies such as Data Processing Agreements (DPAs); Data Sharing Agreements; Cross-border data Transfer Agreements; Employee privacy notices and consent forms; Vendor and cloud service contracts with data protection clauses;

-Supporting Data Governance by advising on data retention and deletion policies and establishing data governance frameworks;

-Responding to Data Breaches by advising on legal obligations following a personal data breach.
