As a Kenyan working at Securys, I like to keep track of what’s going on in my continent in terms of data protection. On the 18^th December last year, Cameroon caught my eye, as that was the day it joined the ranks of other African countries (39 and counting) that have a data protection law in place. Law No. 2024/017 (relating to personal data protection in Cameroon) embodies the government’s efforts to have one law that would exclusively deal with data protection, align itself with global privacy standards and supersede the fragmented sectoral laws currently in existence.

While this is a step in the right direction, the implementation of this law may prove to be a challenge especially for businesses. This article will address two challenges in particular:

• consent as the main lawful basis for processing, and
• administrative challenges that may be faced by the PDPA.

Unlike its northern neighbour’s (Nigeria) Data Protection Act or Kenya’s Data Protection Act or even the EU GDPR, which all offer multiple lawful bases, the new Cameroon data protection law relies heavily on consent – which should be an explicit, unambiguous, voluntary, free and informed expression of will– except where there is a legal obligation to process personal data, where it’s necessary to preserve the health of an individual, or when it’s for the performance of a task that’s in the public interest.

Sure, it’s great to have an individual’s consent before collecting their personal data, but it is not always practical, especially in the employment context. The power imbalance between an employer and employee makes it difficult for consent to be voluntary and free because an employee is concerned that their decisions will affect their current employment. Imagine you work for a company that is hosting an amazing networking event and, just as you are taking a bite into that mini-sandwich or puff puff, click! That’s the camera man taking a picture. Next thing you see yourself on the company website with the caption, ‘Join us for our next event, we don’t bite!”. Now, this may seem like a funny scenario but, in such a situation, an employee should be informed of the event and the possibility of their picture being taken, be advised of how their image will be used and for how long it will be retained, and be offered the opportunity to accept or refuse such an activity without worrying that this will affect the relationship they have with their employer.

With consent as the main legal basis for processing, its unfortunate partner, consent fatigue, risks rearing its ugly head. Delving further into the employment context, let’s consider company policies - an organisation would have a multitude of them which govern how it is run and how employees should conduct themselves. Jurisdictions such as Kenya, Nigeria and the EU would ordinarily rely on the performance of a contract as their legal basis meaning employment contracts would require employees to abide by the policies of the organisation. Under the Cameroon data protection law, employees would be required to read through and consent to every single policy that their employer has. You can imagine how this could prove to be quite exhausting and even frustrating, especially for the employee who is more interested in developing the skills that got them the job than scouring through and consenting to boring policies.

Law No. 2024/017 requires organisations to inform the Personal Data Protection Authority (PDPA) of the personal data that it processes. While this of itself is not an issue, it is not yet clear how this is to be done and whether this means that an organisation should register with the PDPA and submit records detailing the activities it carries out (commonly known as a record of processing activities). If the latter is the case, the PDPA risks having to review all the documents submitted from the 57,928 companies that currently operate in Cameroon. In a similar vein, if there are no sufficient structures in place in terms of technology, skilled people and other resources, there is a risk that, what may seem at first glance a simple process will escalate into administrative delays for both the organisation and the PDPA.

So, what can be done?

At the time of writing, the Act stated that there would be accompanying Regulations that would provide additional instructions on implementation and enforcement. However, it is not clear when they will be published. I, for one, would be glad to see these provide consent mechanisms that would be easy to implement and understand without overwhelming individuals. For example, in the case of employment, the PDPA may opt to issue guidance on consent in the employment context by stating that employment contracts would not require the consent of an individual. In a similar vein, the PDPA might also clarify those processes that require explicit consent such as using an employee’s photo on a company’s website or social media page. This would help reduce potential friction that may arise in an employment relationship.

Additionally, having a clear approach as to how an organisation should inform the PDPA of the personal data that it processes would ensure that the organisation understands what is required of it, and the PDPA would know what to look out for in order to quickly and efficiently approve processes that comply with the law. Perhaps, the PDPA may opt for a risk-based approach in that only high-risk processing activities - such as the processing of sensitive data - would require detailed scrutiny thus reducing the administrative burden and allowing the regulator room to focus on more significant risks.

Securys has been involved both in advising regulators of countries that have new data protection regimes and in their subsequent implementation. We have seen first-hand how insufficient structures prove to be an obstacle to willing organisations and enthusiastic regulators. I am looking forward to seeing the steps that will be taken to implement Law No. 2024/017 as smoothly as possible.

Watch this space: https://prc.cm/en/multimedia/documents/10271-law-n-2024-017-of-23-12-2024-web