Table 1:
Data protection laws, regarding cross-border transfer of personal data, of sub-Saharan African countries ranked by research output in “Public Health, Environment, and Occupational Health”37
| Rank and country | Legal requirements | Legislation | Data export protection classification |
|---|---|---|---|
| South Africa | A responsible party may only transfer personal data outside South Africa if the recipient is subject to a law, binding corporate rules or binding agreement that provides adequate protection; or the data subject consents to the transfer; or the transfer is necessary in terms of the provisions of the Act. |
Section 72 of the Protection of Personal Information Act, 4 of 2013 | Strict |
| Nigeria | Cross-border transfer of personal data is subject to authorisation by the Attorney General or the National Information Technology Development Agency (NITDA) based on an adequate level of protection. In the absence of authorisation by the Attorney General or the NITDA, personal data transfer may only take place if the data subject gives consent, or the data transfer is necessary in terms of the Regulation. |
Reg. 2.11 and 2.12 of the Nigeria Data Protection Regulation, 2019 | Moderate |
| Kenya | Data transfer is allowed only if there is proof of adequate data protection safeguards or consent from the data subject. The data controller or data processor must provide proof of appropriate safeguards to the Data Commissioner. The data transfer must be necessary in terms of the Act. |
Section 25(h) 48 of the Data Protection Act, No. 24 of 2019 (Kenya) | Strict |
| Ethiopia | Cross-border data transfer may only take place subject to an adequate level of data protection in the recipient country. The data controller or data processor must provide proof to the Data Protection Commission of an appropriate level of protection, or the data subject must give consent to the proposed transfer, or the transfer must be necessary, or the transfer must be made from a register and intended to provide information to the public. |
Sections 27–30 of the Draft Proclamation to Provide for Personal Data Protection, 2021 (Ethiopia) | Strict |
| Uganda | The data processor or data controller must ensure that there are adequate measures in place for the protection of personal data, or the data subject must provide consent. | Section 19 of the Data Protection and Privacy Act, 2019 (Uganda) | Strict |