Data Protection in Global South: Key Insights

Data protection laws are expanding across the Global South, but enforcement lags behind. Here's what you need to know:
- By late 2024, 39 African countries had enacted data protection laws, and 34 nations had established regulatory bodies. However, limited funding and government control over these authorities weaken enforcement.
- Cyberattacks surged by 12% in Africa in 2024, with organizations facing an average of 1,900 attacks weekly, showing the urgent need for stronger systems.
- Countries like Nigeria and Kenya are leading enforcement efforts. For example, Nigeria fined Meta $220 million in 2024, while Kenya registered 15,000 data handlers by early 2026.
- Asia has made strides with 24 jurisdictions adopting privacy laws by 2023, including China's strict data localization rules and India's consent-focused legislation. However, national security exemptions remain a concern.
- Cross-border data flows face hurdles in both regions due to inconsistent regulations. Frameworks like Africa's Malabo Convention and Asia's ASEAN initiatives aim to address this, but progress is slow.
Key Takeaway: While legal frameworks are growing, enforcement challenges, resource constraints, and regulatory inconsistencies hinder progress. Businesses must understand local practices and prioritize compliance to build trust and avoid penalties.
1. Africa's Data Protection Landscape
Legal Frameworks
Africa is seeing rapid advancements in its data protection laws. By late 2024, 39 out of 55 African countries had enacted such laws, and 34 nations had established Data Protection Authorities (DPAs) to enforce compliance. The African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), which came into effect in June 2023, provides a continent-wide framework for protecting personal data. However, the level of adoption differs across regions - 75% of Francophone countries have implemented laws, compared to 73% in Southern Africa and only 54% in East Africa.
While many of these laws are modeled after the EU's GDPR, exemptions for "national security" and "legitimate interest" can create opportunities for unchecked surveillance. A notable example occurred in Kenya in August 2023, when the Office of the Data Protection Commissioner (ODPC) suspended Worldcoin's operations. The company had ignored a cease-and-desist order and continued collecting iris scans from thousands of Kenyans in exchange for cryptocurrency tokens worth approximately Ksh. 7,000. This incident highlighted how foreign companies might exploit weak enforcement mechanisms in some jurisdictions.
Resource Allocation
Despite the progress in legal frameworks, enforcement remains a challenge due to limited financial and structural resources. Many DPAs struggle with funding shortages and lack the personnel and technical expertise needed for thorough audits and investigations. Additionally, their dependence on government ministries for funding often undermines their independence. For instance, Kenya's ODPC operates under the Ministry of Information, while Uganda's Personal Data Protection Office (PDPO) is part of the National Information Technology Authority.
"One must wonder how much independence there can be when your budget is not substantively under your control." - Bridget Andere and Megan Kathure, Access Now
Cross-Border Data Flows
Cross-border data transfers face hurdles due to inconsistent regulations across the continent. While some countries lack specific provisions, others impose strict rules, even for transfers within Africa. To address this, frameworks are increasingly adopting tools like adequacy decisions, Standard Contractual Clauses (SCCs), and Binding Corporate Rules (BCRs). For example, Botswana’s 2022 Order recognizes EU and UK standards as adequate, and Eswatini has relaxed transfer conditions for SADC member states.
The Malabo Convention aims to create uniform standards, but progress has been slow - only 15 countries have ratified it, while 12 others have signed but not ratified. This sluggish adoption complicates operations for businesses working across multiple jurisdictions, especially with the lack of clear regulatory guidance and infrastructure in many areas.
Capacity Building Initiatives
Efforts to strengthen enforcement include institutional support and professional training. Kenya has taken proactive steps by opening regional offices in Mombasa and Nakuru, making compliance services more accessible and raising public awareness about data rights.
Some countries are also issuing sector-specific regulations as DPAs gain experience. For instance, Niger and Rwanda have introduced rules for CCTV surveillance, geolocation tracking, and healthcare data. Kenya has addressed Automated Decision-Making (ADM) systems, requiring data protection impact assessments for high-risk processing activities. These tailored approaches reflect a shift toward addressing specific technological challenges, paving the way for comparisons with regulatory frameworks in other regions like Asia.
2. Asia's Data Protection Landscape
Legal Frameworks
Asia's data protection scene is marked by a rapid evolution in regulations and enforcement practices. By the close of 2023, 24 jurisdictions had enacted privacy laws - showing a 25% increase since 2021, which highlights the region's shifting priorities.
China has taken a security-first approach with its trifecta of laws: the Personal Information Protection Law (PIPL), Data Security Law (DSL), and Cybersecurity Law (CSL). These laws classify and protect sensitive data tied to national security. A high-profile example of enforcement came in July 2022 when the Cyberspace Administration of China (CAC) fined Didi Global RMB 8.026 billion (about $1.19 billion) for violations. Additionally, the company's chairman and president faced personal fines of RMB 1 million ($148,000) each for their roles in mishandling data.
India's Digital Personal Data Protection Act (DPDPA) 2023 emphasizes individual rights while accommodating business growth. It uses a consent-driven model but grants the government broad exemptions for national security and public order. Meanwhile, Indonesia's PDP Law 2022 seeks to build consumer trust and align with the ASEAN framework, signaling a shift toward comprehensive oversight for both public and private entities. In contrast, Singapore's Personal Data Protection Act (PDPA) focuses on business enablement, allowing data processing based on "legitimate interests" without requiring consent. These varied approaches highlight the challenges of balancing regulation with economic and operational realities in the region.
Resource Allocation
Despite the growing number of privacy laws, enforcement strength varies across Asia. Jurisdictions like Singapore, Japan, South Korea, and Hong Kong lead the way, thanks to better resources. However, compliance can strain businesses in countries like China, Vietnam, and Indonesia, where data localization mandates require significant investments in local data infrastructure.
"With time, we see regulators taking a more pragmatic approach and even dialling back some of the requirements, in the face of the economic downturn and the challenges local businesses face in practice to achieve compliance." - Hogan Lovells
Currently, only 11 jurisdictions, including China, Indonesia, the Philippines, and Thailand, mandate the appointment of Data Protection Officers (DPOs). Singapore is set to follow suit, requiring DPO appointments under its 2024 amendments, with a compliance deadline of June 2025. This phased rollout reflects a growing trend of balancing regulatory goals with the practical challenges businesses face.
Cross-Border Data Flows
When it comes to cross-border data transfers, Asia presents a mixed picture. Japan and South Korea stand out, having secured EU adequacy decisions, which allow seamless data exchanges with Europe. Notably, Japan and the EU signed a mutual adequacy agreement in 2019, creating what was then the largest area for safe data transfers.
On the other hand, China, Vietnam, and Indonesia enforce strict data localization rules. For instance, Vietnam's Decree 53/2022 mandates that foreign companies store user data locally for at least 24 months. Similarly, China's PIPL requires security evaluations for Critical Information Infrastructure Operators (CIIOs) and large-scale data handlers before exporting data. However, in March 2024, the CAC eased some restrictions, introducing exemptions to support business-friendly data transfers.
Regional frameworks like the ASEAN Model Contractual Clauses and the APEC Cross-Border Privacy Rules (CBPR) aim to simplify international data transfers by providing standardized safeguards. Additionally, countries like Thailand and Indonesia now recognize mechanisms such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) to facilitate compliance.
Capacity Building Initiatives
To navigate the complex regulatory landscape, many jurisdictions are ramping up capacity-building efforts. For example, Data Protection Impact Assessments (DPIAs) are now mandatory for high-risk processing activities in countries like China, Indonesia, Singapore, and the Philippines.
Breach notification rules are also becoming standard. Indonesia, Thailand, and Vietnam require organizations to notify authorities within 72 hours of a data breach. Singapore enforces strict penalties for breaches, with fines reaching up to 10% of a company’s annual turnover, pushing businesses to prioritize security.
Collaborative projects like the ASEAN Data Management Framework and the ASEAN Digital Masterplan 2025 aim to harmonize regulations across the region. In 2022, Singapore and India signed a Memorandum of Understanding to promote cybersecurity cooperation, capacity building, and information sharing. This partnership underscores the importance of combining strong domestic policies with regional coordination to enhance data protection.
Strengths and Weaknesses
[Figure: Africa vs Asia Data Protection Landscape: Key Metrics and Frameworks Comparison]
Africa and Asia have developed distinct approaches to data protection, each with its own set of strengths and challenges. For organizations operating across these regions, understanding these differences is key to navigating compliance effectively.
Africa's legislative landscape is expanding rapidly, with countries like Kenya, Nigeria, and South Africa leading efforts to hold global tech platforms and government entities to the same standards. However, a major hurdle lies in the limited independence of many African Data Protection Authorities (DPAs). These agencies often depend on government ministries for funding and resources, leading to strong laws on paper but inconsistent enforcement in practice.
Asia, on the other hand, benefits from its well-established international interoperability standards. For example, Japan's EU GDPR adequacy status and South Korea’s similar recognition make cross-border data flows and trade much smoother. Additionally, Japan’s "3-year cycle evaluation" ensures its Act on the Protection of Personal Information (APPI) stays updated with technological advancements. Despite these strengths, broad national security exemptions remain a shared concern across both regions, limiting the scope of data protection.
Both regions face resource-related challenges. In Africa, underfunded DPAs struggle to enforce laws effectively, and there’s a shortage of skilled data governance professionals to implement reforms. Meanwhile, some Asian countries grapple with strict data localization mandates that complicate compliance. Bridget Andere, Senior Policy Analyst at Access Now, highlights the issue:
"The reality is that whenever we have exemptions like this, and especially exemptions that have to do with national security, it can be a problem in the context in which they exist".
Still, Asian jurisdictions like Singapore, Japan, South Korea, and Hong Kong tend to have better-resourced regulatory bodies, which helps mitigate some of these challenges. However, compliance hurdles remain, especially in countries with rigid data localization requirements.
Here’s a comparison of key aspects between the two regions:
| Aspect | Africa | Asia |
|---|---|---|
| Legal Framework Maturity | 35 countries with laws (13 enacted 2018–2023); heavily GDPR-influenced | More mature; Japan and South Korea achieved EU adequacy; influenced by GDPR and local values |
| DPA Independence | Limited; budgets controlled by government ministries | Established independent commissions (e.g., Japan's PPC, Korea's PIPA) |
| Enforcement Focus | Emerging accountability for global platforms and government | Balancing innovation with individual rights |
| Critical Weakness | Lack of financial autonomy and broad national security exemptions | National security tensions and strict data localization requirements in some countries |
These regional differences emphasize the importance of tailored compliance strategies. Businesses must adopt risk-based, region-wide privacy governance approaches rather than relying solely on meeting minimum national requirements. For companies collecting data through high-converting digital forms, understanding these nuances is essential - not just for compliance, but also for fostering trust with customers.
Conclusion
Africa and Asia’s distinct experiences highlight the Global South’s evolving approach to data protection. By early 2026, most African nations have implemented data protection laws, with numerous Data Protection Authorities (DPAs) now active. The momentum is clear: Kenya’s Office of the Data Protection Commissioner issued over 110 enforcement decisions in 2025, while countries like South Africa and Uganda pursued criminal convictions for data-related crimes.
Emerging economies don’t need to start from scratch to strengthen their data protection frameworks. Regional initiatives, such as the Malabo Convention and the AfCFTA Protocol on Digital Trade, offer a cost-effective way to harmonize regulations while supporting cross-border trade. The concept of regulatory twinning also serves as a practical tool for capacity building.
However, DPA independence remains a key challenge. While legal frameworks are advancing, many DPAs still depend on budgets controlled by the very government ministries they oversee. For DPAs to function effectively, policymakers must ensure they have independent funding and structural autonomy. Introducing mandatory Data Protection Impact Assessments for high-risk activities can also help mitigate risks before they lead to significant breaches.
Organizations operating in these regions must prioritize risk-based privacy governance over a simple compliance checklist. Whether managing digital ID programs, handling health data, or collecting customer information via online forms, understanding local enforcement practices and adopting transparent data processes are crucial for fostering trust and ensuring long-term success.
Recent judicial actions in countries like Egypt, Kenya, and Nigeria - where courts have awarded damages and halted non-compliant programs - reflect a maturing data protection landscape. These developments emphasize the importance of tailored compliance strategies to strengthen governance and build trust across the Global South.
FAQs
Why is enforcement weaker than the laws in many Global South countries?
Enforcing data protection laws in the Global South faces numerous hurdles, including limited institutional capacity, tight resources, and a general lack of awareness about data rights. For example, delays in rolling out laws, such as in Ethiopia, highlight the slow pace of implementation. Similarly, regional agreements like the Malabo Convention often suffer from inconsistent enforcement, undermining their effectiveness.
On top of this, political instability, economic struggles, and weak infrastructure make it even harder to apply these laws in a meaningful way. As a result, many of these regulations exist more as symbolic gestures than as actively enforced rules.
How can my business legally transfer data across African or Asian borders?
To legally transfer data across borders in Africa or Asia, businesses need to navigate a maze of regional and national data protection laws. In Africa, several countries mandate explicit consent or require adequate safeguards for such transfers. Some nations even enforce data localization, meaning businesses must store data within the country’s borders.
In Asia, the landscape includes tools like adequacy decisions, standard contractual clauses, and regional initiatives such as the APEC Cross-Border Privacy Rules (CBPR) system. Adhering to these local laws and frameworks is crucial for ensuring that cross-border data transfers remain lawful and compliant.
What should we do first to reduce breach risk and avoid fines in these regions?
To lower the risk of data breaches and steer clear of fines in the Global South, it’s crucial to implement robust data protection laws that align with global standards like GDPR. Pay particular attention to addressing gaps, such as overly broad exemptions, to ensure the protection of human rights. Additionally, strengthening institutional capacity - such as establishing independent data protection authorities - plays a vital role. These measures not only protect sensitive data but also reduce breach risks and support compliance with regulatory requirements.


