Why African countries are using data protection laws as backdoor to regulate AI

As African countries grapple with the rapid rise of artificial intelligence, many are not turning first to standalone AI laws. Instead, they are using a more familiar and already established tool: data protection legislation.

Rather than waiting for comprehensive AI frameworks, which are often complex and slow to develop, governments across the continent are embedding AI-related rules within existing or revised data protection laws.

Analysts at the Future of Privacy Forum (FPF), a global privacy organisation, describe this approach as a “backdoor” method of AI regulation. A March 2026 FPF report examining seven African countries suggests it is becoming the defining feature of Africa’s second wave of digital policy reform.

Unlike earlier laws that largely mirrored Europe’s General Data Protection Regulation, these newer frameworks are increasingly shaped by local realities, economic priorities, and the specific ways AI is already disrupting African markets—from credit scoring to facial recognition and digital lending.

“Data protection and privacy are just one topic in the broader aspect of governance,” said Mercy King’Ori, who leads FPF Africa from Nairobi. “There is a realisation that current data protection laws really don’t cover all aspects of digital governance.”

That gap is now being filled, not by entirely new legal systems, but by expanding existing ones.

The backdoor in practice

Governments in countries such as  Angola, Mauritius, Kenya, Nigeria, Seychelles, South Africa, and Botswana are revising data protection laws to address AI-driven decision-making, data scraping, algorithmic accountability, and cross-border data flows. The logic is straightforward: AI applications rely on large volumes of personal data, so regulating how that data is collected and used becomes a natural entry point for controlling AI itself.

Angola provides the most explicit example. Rather than drafting a standalone AI law, it is revising its 2011 Personal Data Protection Law to include detailed provisions targeting AI systems, including automated decision-making, credit scoring, and algorithmic transparency.

The revisions also introduce the right for individuals not to be subjected to decisions based solely on automated processing, particularly where those decisions have legal or significant effects. Companies are required to explain the logic behind algorithmic decisions, and individuals are given the ability to challenge such outcomes.

These provisions closely mirror elements of the EU’s AI Act but are embedded within a data protection framework.

Other countries are taking less explicit but equally consequential steps. Nigeria is exploring the regulation of social media platforms and developers within its data protection framework. Kenya, meanwhile, is tightening requirements for data controllers and processors—moves that directly constrain how AI systems operate, even without naming AI in the legislation.

The urgency around AI regulation is not abstract. A July 2025 study published in the Advanced Research Journal, which audited 10 credit-scoring algorithms across Nigeria, Kenya, and South Africa, found consistent bias against women-led SMEs. In Nigeria, for example, one major digital lender used training data that resulted in a 23% lower loan approval rate for women, despite women demonstrating a 17% better repayment record than men.

For policymakers, this is not just a privacy problem. It is an accountability challenge, and data protection law has become the most readily available tool to address it.

The enforcement gap

The frameworks already exist, but enforcement has been uneven. Many of Africa’s first-wave data protection laws—introduced between 2010 and 2018—were criticised for being vague and difficult to enforce, prompting a new round of reforms aimed at tightening definitions, strengthening oversight, and improving compliance.

Botswana illustrates this shift. It first enacted a comprehensive Data Protection Act in 2018, but repealed and replaced it in 2024 with an updated version that introduces clearer rules on regulatory independence and mandates data protection impact assessments.

Kenya’s approach has been more gradual. After first proposing a bill in 2009, the Data Protection Act was passed in 2019 and has since been refined, with amendments introduced in March 2025 and consideration of a dedicated tribunal to handle disputes.

These proposed changes are designed to expand user rights, including the ability to object to decisions made solely by AI or automated systems, transfer personal data between service providers, and extend stronger protections to sensitive data such as political opinions and trade union membership.

King’Ori is candid about where the system still falls short. “What has really been challenged is capacity among regulators,” she said. “The institutional maturity of most of these regulators is still quite young.”

Enforcement is nonetheless picking up.  In July 2025, Nigeria’s National Data Protection Commission (NDPC) fined Multichoice ₦766 million (about $500,000) for unlawful data transfers and intrusive data processing affecting both subscribers and non-subscribers. 

In Kenya, the Office of the Data Protection Commissioner (ODPC) fined Roma School KSh 4.55 million (around $35,000) in September 2023 for publishing images of minors without parental consent, the largest penalty imposed on an educational institution in the country.

The sovereignty question

Underlying many of these reforms is a deeper question: who controls data in the age of AI?

As global tech companies dominate the development of AI systems, African countries are increasingly concerned about data sovereignty, ensuring that local data is governed in ways that align with national interests.

But sovereignty does not necessarily mean isolation.

“It’s not about saying data doesn’t go anywhere,” King’Ori explained. “It’s about identifying certain forms of data that should remain within borders for legal reasons.”

Countries like Algeria are experimenting with data classification systems to manage the balance between national control and cross-border flows. The shift from the original 2018 law to Law No. 25-11, enacted in July 2025, introduced a sophisticated “Data Classification” and “Dual-Regime” transfer framework. This system is designed to uphold Algeria’s strict digital sovereignty while accommodating the requirements of global trade.

At the same time, harmonisation across the continent remains a key priority. The African Union (AU) and the AfCFTA Secretariat, through the AfCFTA Digital Trade Protocol (2024–2026), require member states to align national laws to a common standard within five years of ratification. Complementing this, the AU Data Policy Framework—endorsed in 2022 and updated in 2025–2026—provides a blueprint for building interoperable data systems across African countries.

While regional bodies are pushing for unified frameworks, national interests continue to dominate.

The result is a patchwork of regulations that could complicate cross-border trade under initiatives like the African Continental Free Trade Area (AfCFTA).

What comes next

The backdoor approach has limits. Standalone AI laws are already in motion: Kenya’s Artificial Intelligence Bill was formally introduced in the Senate on February 19, 2026, by Senator Karen Nyamu. South Africa is in active discussion. More are likely to follow.

But data protection remains the primary instrument for now, and not simply by default. Angola’s restrictions on data scraping, Ghana’s proposal to treat personal data as property, and Nigeria’s open-source large language model trained on five low-resource Nigerian languages all point to something more deliberate: African governments are not copying global models. They are testing their own.

“If we were not moving in the right direction, we would be having static laws,” King’Ori said. “But our laws are dynamic.”