Key Features of Law №2024/017 (On Personal Data Protection in Cameroon)
Author: Rachel Magege
Background
Central Africa is a significant player in the realm of data governance, particularly recognized for the adoption of the African Union Convention on Cybersecurity and Personal Data Protection in Malabo, Equatorial Guinea in 2014. Commonly known as the Malabo Convention, this instrument, adopted by 55 African states, serves as a cornerstone of data protection legislation in Africa.
As a Central African nation and member of the Economic Community of Central African States (ECCAS), the Republic of Cameroon enacted her first comprehensive data protection legislation — Law №2024/017 Relating to Personal Data Protection — on Monday, 23rd December 2024, becoming the 38th African country to adopt such a law. Although Cameroon has not yet ratified the Malabo Convention, Law №2024/017 (herein “the Act”) marks a significant step in the country’s efforts to legally protect personal data.
This article delves into key insights of the Act, shedding light on its core provisions, implications for individuals and businesses handling personal data, the legal rights of data subjects, and the broader impact on data governance in the nation. Readers can expect a clear breakdown of the Act’s scope of personal data, compliance obligations for data handlers, and the role of the regulatory authority. Whether you are a legal professional, business owner, or concerned citizen, this breakdown will equip you with the essential knowledge to navigate Cameroon’s evolving data protection landscape.
Scope of Data Covered
The new Act applies not only to personal data in Cameroon but also where Cameroonian law is implemented under international law or duly ratified international conventions. Under the Definition Section, personal data means:
“information relating to an individual, making it possible to identify him/her directly or indirectly, in particular by reference to any identification number or to one or more factors specific to his or her physical, psychological, genetic, mental, cultural, socioprofessional or economic identity, in particular a name, a photograph, a fingerprint, a postal address, an email address, a telephone number, a social security number, an internal personnel number, a digital identifier, an internet protocol address, a computer connection identifier or a voice recording.”
In addition to protecting the personal data of Cameroonian nationals and residents, the Act also extends its coverage to include individuals transiting through Cameroon. This means that anyone passing through the country — regardless of nationality or length of stay — has their personal data safeguarded under the provisions of this Act.
However, not all personal data is subject to this Act. Data handled by security and defence authorities in Cameroon is governed separately, by national security and defence legislation. It is also important to note that the Act explicitly prohibits the processing of sensitive categories of information, including data related to religion, philosophy, trade union opinions, political opinions, racial or ethnic origin, linguistic or regional origin, genetics and health biometrics.
Defined Terms
Some definitions of interest in the Act include:
- Temporary copies — any data temporarily copied to a dedicated space for a limited period of time or for the operational requirements of the processing software.
- Interconnection of files — connection mechanism consisting in linking personal data processed for a specific purpose with other data processed for the same or different purposes or linked by one or more controllers.
- Profiling — automated processing of personal data consisting in using it to assess some personal aspects of an individual, in particular his/her health, preferences, location and economic situation.
The Act defines two key parties involved in the collection and processing of personal data — a data controller and sub-processor. A data controller is defined as a natural and/or legal person who collects and processes personal data and determines the means and purpose of such collection and processing, whereas a sub-processor is a natural or legal person that processes personal data on behalf of and under the direction of the controller. These definitions do not include an individual who solely collects data, i.e. a data collector, like in other jurisdictions. Therefore, readers may narrowly interpret that a person who solely collects personal data, even on behalf of the data controller, cannot be considered a controller.
It is also worth knowing that in Section 30 (2) of the Act, a contract must bind the sub-processor to process personal data on behalf of the data controller. Because they are legally bound, a data controller and sub-processor shall be jointly and severally liable in the event of a data breach or unlawful disclosure of personal data without the data subject’s consent.
Rights of a Data Subject
The Act provides for several rights of a data subject, such as the right to erasure, right to object, right to restriction of data processing, and more. Individuals also have the right to data portability, and can have their personal data transferred from one controller to another. However, one cannot request the transfer of personal data when that data is being used to carry out tasks that serve the public interest or are part of the data controller’s official legal powers. For example, an individual may request data portability from a telecom company to another telecom provider but cannot request a government agency that issues national identification to transfer his/her personal data to another organization.
More commendable is the fact that the Act allows a data subject to confirm whether their personal data is being processed or not, and to obtain their personal data from a data controller free of charge. In life and even in death, the Act will continue to protect the rights of a data subject — under Section 45 (3), when a data subject passes away, heirs can request his/her personal data and have it updated at the expense of the data controller.
Although the Act gives individuals rights over their personal data, like the right to consent before their data is processed, there are times when consent is not asked. Section 9(2) of the Act explains that a company or organization can use an individual’s personal data without asking them first, in order to comply with a legally binding obligation. Another situation where consent is not requested is if the data controller needs to process personal data for a public interest task and is overseen by the Personal Data Protection Authority of Cameroon.
The Act has not clearly defined what a legally binding obligation is, and waiving the right of consent, even in legally defined situations, carries several potential risks for data subjects:
- Lack of Transparency and Control: Data subjects can lose direct control and awareness over how their personal information is being used. While there might be legal justifications, data subjects may not be directly informed or given the choice. This can lead to a feeling of being spied upon or having their privacy invaded.
- Potential for Misinterpretation or Overreach by Data Controllers: Even where the initial processing is for a legally binding obligation or public interest task, there remains a risk that the collected data could be used for secondary purposes not explicitly covered by the original exception, without the data subject’s knowledge or consent.
- Difficulty in Proving Harm/Misuse: Without a clear “no” from the data subject, it can be more challenging for them to prove that their data was misused or that harm occurred, especially if the processing falls under a broad “public interest” category.
- Vulnerability to Data Breaches: Even if the initial processing is legitimate, the more data that is processed without individual consent and direct oversight, the larger the potential impact of a data breach. The data subject is not aware of the extent of their data being held and thus cannot take proactive measures.
Regulatory Authority
Personal data will be regulated by an independent Personal Data Protection Authority (herein the Authority). The Act makes no mention of the structure of the Authority or length of serving terms; it is expected that the full composition will be formed by the President of Cameroon and communicated in the regulations to come. Notable among the Authority’s specific responsibilities are:
- Producing a personal data benchmark consisting of technical and organizational measures for all data controllers and sub-processors in Cameroon. The Authority will also receive annual reports from data controllers regarding the implementation of security measures as contained in this national benchmark;
- Approving certification on all matters pertaining to the processing of personal data;
- Publishing a list of countries with an equivalent level of personal data protection frameworks as Cameroon; and
- Acting as the only body to authorize the interconnection and interoperability of files containing sensitive data relating to minors.
Conclusion
Implementation of the Act is underway and its success will hinge on the upcoming guidelines and regulations from the Authority. As Cameroon prepares for its presidential elections in October this year, the relevance of this Act becomes even more pronounced. In an electoral context where personal data can be used to influence public opinion, target voters, or even undermine democratic processes, the enforcement of data privacy safeguards is not just a legal matter, but also a democratic imperative. Ensuring transparency, accountability, and the responsible use of citizens’ data will be essential to maintaining public trust in both digital platforms and the electoral system. The months ahead will test not only the resilience of Cameroon’s institutions but also their commitment to upholding the rights enshrined in this pivotal legislation.
