Your data commission is looking for you

CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.

HIGHLIGHTS

Your data commission is looking for you

Data protection commissions exist to regulate the data market. They make sure whoever has your data uses it for legitimate reasons and handles it responsibly. They should not leave you exposed on an unsecured server, or sell it to advertisers without your knowledge, or hand it to a government agency. Along the way, they have to generate enough money to stay afloat and justify their existence to whoever funds them. 

That is the core mandate of any data protection commission. And if you were the inaugural commissioner of one of Africa's new data commissions, you would read that brief and think: good brief, well understood — and then get home and ask yourself: who exactly are you supposed to regulate?

Everyone is, to varying degrees, a data processor, including your data rights colleague, whom you might consider forwarding this newsletter to. As a new commissioner of a new commission, you have to define a data processor by some working metrics. Perhaps, by the volume of data being processed, the purpose it is being processed for, and the revenue generated by the entity doing the processing. 

Even then, you are only halfway there. There is no database of all entities that a new data commission can run a "data processor" filter on and get back an exhaustive list. The registry does not exist.

If this is you, you can do what Somalia just did: ask data processors to identify themselves. 

The alternative routes are messier. You could ask your corporate registry for a database, but even they do not track data processing activity. They know a company exists, not what it does with personal information. You could wait for processors to commit some consumer-facing data abuse, hope the affected person knows a data protection commission exists, and file a complaint. 

But that takes time, requires a level of data literacy most people in developing countries do not yet have, and may never happen at all. Complaint-driven enforcement in low-literacy environments is essentially enforcement on pause.

So self-registration becomes, for many African countries with new data laws, a mandatory rite of passage. Most are just entering the market. They have no exhaustive means of knowing who to regulate, so they mandate data processors to register, for a fee. This also solves the funding problem. Registration fees and annual renewal charges, however obliquely titled, give the commission a revenue stream and a rough census of the market it is supposed to police.

This is also policed by holding large corporations like banks responsible for the data faults of their smaller, more obscure vendors, who then require those smaller vendors for their data clearance before conducting business with them. 

In more integrated systems, this is handled differently. The EU's GDPR does not require registration or annual audits. It used to, but scrapped both. Instead, entities are required to maintain internal records of their data processing activities and produce them when the regulator comes knocking. Enforcement is reactive, backed by the threat of serious penalties, and assumes a baseline of institutional capacity on both sides. 

Zimbabwe’s new child digital protection policy

The Zimbabwean cabinet approved a new child online protection policy last week, which, like every other one, is meant to provide a framework to protect children from the risks associated with internet platforms, while ensuring they can still benefit from said platforms.

Zimbabwe is walking into a problem that more resourced governments are still trying to solve. It arrives in the context of a much broader global and continental scramble to figure out what protecting children online actually looks like in the world of AI and backsliding protective measures by tech platforms. 

Australia passed its landmark law in December 2025, banning children under 16 from major social media platforms and placing enforcement responsibility on companies, with fines of up to A$49.5 million for non-compliance. Six months in, 78% of under-16s are still accessing the platforms the law is supposed to keep them off. 57% of parents have tried to enforce the ban; 42% say they find it difficult. Only 31% of under-16s have undergone face-scanning age verification, and half of those passed as over 16.

Africa is not operating in isolation from this. The African Union Executive Council adopted a Child Online Safety and Empowerment Policy in 2024, which gives member states a continental reference point but carries no binding enforcement mechanism. UNICEF and the GSMA launched the Africa Taskforce on Child Online Protection in October 2025, billed as the continent's first coordinated multi-stakeholder platform on the issue. Kenya's Communications Authority issued binding industry guidelines for child online protection in October 2025, creating obligations for ICT companies, mobile operators, and device manufacturers. Nigeria's House of Representatives passed a Child Online Access Protection Bill the same month, establishing a framework for digital safety. The Senate still has to act on it.

What is emerging across the continent is a legislative wave with the known structure of a broad policy framework, multi-stakeholder coordination language, references to the AU policy, and an enforcement gap. Zimbabwe's policy is not an outlier. The questions remain: who will bell the cat?

FEATURES

• In addition to Chinese pressure, a backsliding democracy may explain Zambia’s decision to cancel a major digital rights summit

• Without warrants: Illegal surveillance chokes Nigeria’s civic space

• Locked In: How African data protection laws move from shield to lever

HEADLINES

• South Africa tops Africa for digital fraud rate in 2025

• Somalia launches over 100 New Somali cybersecurity terms

• Burkina Faso: Ouagadougou will host the first edition of the grand data exhibition in Africa (GSDA) in July 2026

• South African Internet company hit by large-scale DDoS attack

• Togo’s SIN, ST DIGITAL to launch private cloud services at Lomé Data Centre

• Does Ghana’s Anti-LGBT bill effectively ban adult websites?

• DSS joins investigation as Nigeria’s Electoral Commission traces voter data leak to insider access

• Mauritius bets on digital transformation to improve welfare system efficiency

• Kenya pushes for stronger cybersecurity in digital economy

• Rabat hosts high-level African cybersecurity leadership program

• Cybercrimes targeting bank customers in Egypt 

• Threat actor published an alleged database belonging to Homzmart, an Egyptian home furnishings and e-commerce marketplace

• A dataset allegedly linked to Algeria’s Ministry of Transport platform is being advertised on a cybercrime forum

ACROSS THE WORLD

• FBI seizes record $8 billion crypto haul in global crackdown on scam networks targeting Americans

• xAI Asks court to strip alleged Grok deepfake nudes victims of anonymity

• Russia claims foreign spy agencies hacked officials' phones

• Spain arrests suspected hacker for publishing personal data of police, prosecutors and cyber officials

• LinkedIn China spying threat prompts warning from US, allies

See you next week.