Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Cameroon: Ministry requests comments on draft law on data privacy
OneTrust DataGuidance Research confirmed, on June 22, 2023, with Danielle Moukouri of D. Moukouri & Partners, that, on May 30, 2023, the Coordinator of the Digital Transformation Acceleration Project in Cameroon (PATNUC) of the Ministry of Posts and Telecommunication (the Ministry) requested public comments on the draft law relating to the protection of personal data in Cameroon and the draft Decree for the application of the law relating to the protection of personal data. In particular, Danielle highlighted that "the draft law and decree on data privacy in Cameroon have not been submitted to the parliament yet."
Definitions
The draft law provides definitions for terms including 'personal data,' 'biometric data,' 'genetic data,' 'sensitive data,' 'data subject,' 'controller,' 'processor,' 'processing,' 'personal data breach,' and 'standard contractual clauses,' amongst others.
'Sensitive data' under the draft law includes information relating to religious, philosophical, political, trade union opinions and activities, banking transactions, racial or ethnic origin, linguistic or regional origin, sexuality, genetic or biometric data, health data, legal proceedings, and criminal penalties.
Scope
The draft law provides that the following activities are subject to its provisions:
- any processing of personal data of an individual residing in Cameroon, carried out by a data controller established in Cameroon;
- any processing of personal data of an individual residing in Cameroonian territory, carried out by a subcontractor whether or not established in Cameroon, if the controller is established there; and
- processing of the personal data of persons of Cameroonian nationality, carried out in a place where Cameroonian law applies under international law.
Data protection authority
In addition, the draft law outlines the establishment of a National Authority for the Protection of Personal Data (the Data Protection Authority), responsible for protecting the rights and freedoms of natural persons regarding the processing of their personal data.
Obligations
The draft law outlines principles of processing personal data which include purpose limitation, retention limitation, transparency, confidentiality, accessibility, and appropriate technical and organizational measures to guarantee a level of security appropriate to the risk presented by the processing in question.
Likewise, controllers must obtain consent from the data subject, unless the processing is, among other things:
- for the performance of pre-contractual measures taken at the data subject's request;
- necessary to comply with legal obligations of the controller;
- necessary to protect the vital interests of the data subject or another natural person in the event that the data subject is physically or legally unable to give consent;
- necessary for the performance of a task in the public interest;
- necessary for the purpose of legitimate interests pursued by the controller or a third party; and
- where personal data is processed for archival purposes in the public interest, scientific or historical research, statistics, or journalism in compliance with ethical rules, or for purposes of artistic or literary expression.
Further, under the draft law, controllers must appoint a data protection officer (DPO) under specific circumstances.
The draft law also addresses data transfers explicitly, noting that transfers are lawful if the controller or processor of a foreign country or international organization can demonstrate appropriate guarantees and respect for the rights of the data subject. Such guarantees include:
- an adequate level of protection of personal data protection;
- a legally binding and enforceable instrument between authorities or public bodies responsible for personal data processing;
- binding corporate rules (BCRs) adopted by the entity which imports the personal data into a third country; and
- standard contractual clauses approved by the Data Protection Authority that have been signed between the entity that exports personal data from Cameroon and the third party.
Public comments on the consultation can be submitted using the Ministry website here.
You can read the draft law here and the draft Decree here, both only available in French.