The increased use of digital platforms requires the collection and storage of a wide range of personal data. Thus, some websites, commercial companies, public entities, health care establishments, banks, and others often hold valuable information in digital form, on their customers or users. Protecting such data has become a major regulatory and legislative concern in Cameroon.
1.1. Overview of the privacy/data protection situation
In Cameroon, legal provisions on data protection are found in several laws. As a specific data protection law is still yet to be adopted, it is quite challenging for users to control the use of their data. The applicable laws mostly cover data relating to the electronic communications meanwhile some other sectors of activity handle personal data daily.
1.2. Constitutional provisions
In the preamble to the Constitution of the Republic of Cameroon, Law No. 96/6 of 18 January 1996 revising the Constitution of 02 June 1972, as amended and supplemented by Law No. 2008/001 of 14 April 2008 (‘the Constitution’), it is stated that:
- the people of Cameroon affirm their attachment to the fundamental freedoms enshrined in the Universal Declaration of Human Rights 1945, the Charter of the United Nations 1945, the African Charter on Human and Peoples’ Rights 1981, which are all duly ratified;
- international conventions relating thereto;
- freedom and security are guaranteed to every individual with due respect for the rights of others and the best interests of the State;
- privacy of all correspondence is inviolable – no interference may be allowed except as provided in a judicial decision.
Data protection is, therefore, a right enshrined in the Constitution.
1.3. Other applicable laws (e.g. cybercrime law, privacy of communications)
The following national laws are applicable:
- Law No. 98/014 of 14 July 1998 Regulating Telecommunications in Cameroon;
- Law No. 2005/013 of 29 December 2005 Amending and Supplementing Certain Provisions of Law No. 98/014 of 14 July 1998 Governing Telecommunications in Cameroon;
- Law No. 2000/011 of 19 December 2000 on Copyright and Neighbouring Rights;
- Decree No. 2001/830/PM of 19 September 2001 Defining the Terms and Conditions for Authorising the Operation of Telecommunications Networks (only available in French here);
- Decree No. 2001/831/PM of 19 September 2001 Defining the Terms and Conditions for Authorising the Provision of Telecommunications Services;
- Law No. 2003/004 of 21 April 2003 on Banking Secrecy (only available in French here) (‘the Law on Banking Secrecy’);
- Law No. 2010/013 of 21 December 2010 Regulating Electronic Communications in Cameroon (only available in French here) (‘the Electronic Communications Law’);
- Law No. 2010/012 of 21 December 2010 on Cybersecurity and Cybercrime in Cameroon (only available in French here) (‘the Cybersecurity Law’);
- Law No. 2010/021 of 21 December 2010 Regulating Electronic Commerce in Cameroon (only available in French here) (‘the E-Commerce Law’);
- Law No. 2011/012 of 06 May 2011 on Consumer Protection in Cameroon (only available in French here) (‘the Consumer Protection Law’);
- Decree No. 2012/1637/PMof14 June 2012 to Lay Down the Identification Requirements for Subscribers and Terminals (only available in French here);
- Decree No. 2012/1641/pm of 14 June 2012 Laying Down the Conditions for the Portability of Numbers (only available in French here);
- Decree No. 2012/203 of 20 April 2012 on the Organisation and Functioning of the Telecommunications Regulatory Agency (‘ART’) (only available in French here);
- Decree No. 2013/0399/PM of 27 February 2013 Laying Down the Rules for the Protection of Consumers of Electronic Communications Services (only available in French here) (‘the E-Communications Consumer Protection Decree’);
- Law No. 2016/007 of 12 July 2016 on the Penal Code in Cameroon (only available in French here) (‘the Penal Code’); and
- Decree No. 2019/150 of 22 March 2019 on the Organisation and Functioning of the National Information and Communication Technology Agency (ANTIC) (only available in French here) (‘the ANTIC Decree’).
The following legislation issued by the Central African Economic and Monetary Community (‘CEMAC’) is applicable:
- Regulation No. 21/08-UEAC-13-CM-18 of 19 December 2008 on the Harmonisation of Regulations and Regulatory Policies on Electronic Communications in CEMAC Member States (only available in French here);
- Directive No. 07/08-UEAC-133-CM-18 of December 19, 2008 on the Legal Framework for the Protection of Users of Electronic Communications Networks and Services within CEMAC (only available in French here);
- Directive No. 09/08-UEAC-133-CM-18 of 19 December 2008 Harmonising the Legal Frameworks of Electronic Communications in the CEMAC Member States (only available in French here);
- Regulation No. 03/16-CEMAC-UMAC-CMAC-CM of 21 December 2016 on Systems, Means and Incidents of Payment (only available in French here) (‘the CEMAC Payment Systems Regulation’); and
- Directive 02/19-UEAC-639-CM-18 of 22 March 2019 Harmonising the Protection of Consumers within CEMAC (only available in French here) (‘the Directive Harmonising Consumer Protection within CEMAC’).
1.4. Case law
In Cameroon, infringements of image rights have led to:
The landmark case of YOMBA Madeleine v. Les Brasseries du Cameroun and the caseof Mrs. MFOPA MAMA born NTOUO SABIATOU v. Société NESTLE Cameroun S.A and Société Océan Central Africa SA
In both cases, an individual photo was unlawfully used for advertisement purposes without the individual’s consent, constituting the same a violation of his image right.
The case of Mrs. MBOCK Frankline Junior v. Les Films TERRE AFRICAINE and Les Brasseries du Cameroun
In the case, a contract stipulated for the use of an individual’s image within a specific period of two years was violated through the broadcasting of the advertising spot beyond the agree term. This constituted a violation of the individual’s image rights. The final judgment ruled that a mere evidence of the invasion of one’s privacy gives rise to compensation, and that there is therefore no need to establish that a damage was suffered.
1.5. Mention of whether there are any public sector data protection laws
1.6. Possible amendments/draft data protection laws under discussion
Cameroon is preparing a privacy bill (‘the Bill’), according to the competent services of the Ministry of Posts and Telecommunications. The drafting of the Bill is ongoing. The Bill will govern the collection, processing, transmitting, storage, and use of data.
2. SECTORAL LEGISLATION
2.1 FINANCIAL SECTOR
2.1.1. Law: Scope of application/ Key provisions
- The Law on Banking Secrecy
- The CEMAC Payment Systems Regulation
- Law No. 99/015 of 22 December 1999 on the Creation and Organisation of a Financial Market (only available in French here) (‘the Law on Financial Markets’)
2.1.2. Case law
2.1.3. Presence of a regulator, its role/powers
The main regulator in the banking sector is the Central African Banking Commission (‘COBAC’), established by the Convention of 16 October 1990 (only available in French here). COBAC has supervisory competence over credit institutions, monitoring their liquidity and solvency, in addition to noting and sanctioning breaches.
The Financial Market Commission established by the Decree No. 2001/213 of 13 July 2001 is the organisation responsible for the regulation, control, supervision, and proper functioning of the financial market. This means that it ensures the protection of invested savings, provides information to investors, and supervises the provision of investment services.
2.1.4. Key definitions
Personal Data: Any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural, or social identity (Article 2 of the Directive Harmonising Consumer Protection within CEMAC).
In this sense, personal data can be considered as full name, social security number, national identity card number, passport number, account number, date and place of birth, physical address and email, telephone number, bank card number, biometric data such as fingerprints and DNA, etc.
2.1.5. Data retention
On the storage of personal data, Article 10 (new) of the CEMAC Payment Systems Regulation provides that, while opening an account, the customer must provide their personal data.
Article 218 (new) of the CEMAC Payment Systems Regulation adds that the Bank of Central African States (‘the Central Bank’) shall take all useful precautions to prevent personal data that has been recorded from being distorted, damaged, or accessed by unauthorised third parties.
The retention of financial market data is governed by Article 28 of the Law on Financial Markets. It subjects the members of the specialised department in charge of supervising securities transactions to professional secrecy.
2.1.6. Specific provisions on data breach and data breach notification
In order to prevent data breach, the CEMAC Payment Systems Regulation lays down the following provisions:
- Data collection: The collection of personal data is necessary while opening a bank account (Article 10 (new) of the CEMAC Payment Systems Regulation);
- The obligation to inform: The reporting institution seeking the customer’s consent for the collection of their biometric data must inform the customer that the data will be used exclusively for the centralisation of payment incidents (Article 226 (new) of the CEMAC Payment Systems Regulation);
- Prior authorisation: While opening an account, the institution must, with the consent of the user, collect their data and ensure its accuracy, using their valid ID card or any other approved identification document(Article 226 (new) of the CEMAC Payment Systems Regulation);
- Data protection: Article 218 of the CEMAC Payment Systems Regulation requires the Central Bank to take all useful precautions to prevent personal data that has been recorded from being distorted, damaged, or accessed by unauthorised third parties; and
- Access to data: In order to avoid any data violation, Article 10 (new) of the CEMAC Payment Systems Regulation enables the user to have access to their data and to obtain its modification upon request.
2.1.7. Specific provisions imposing limitations on data transfers
2.1.8. Sanctions and penalties
In the banking sector, the sanction for a violation of banking secrecy is provided by Article 26 of the Law on Banking Secrecy. Anyone who violates banking secrecy shall be punished by imprisonment for a term of three months to three years and/or a fine of XAF 1,000,000 (approx. €1,520) to 10,000,000 (approx. €15,200). If the offence is committed through the press or a computer network, the penalties shall be doubled.
Article 32 of the Law on Financial Markets sanctions any person who fails to provide equal information and equal fair treatment to investors. The sanctions includea fine ranging between XAF 500,000 (approx. € 761) and XAF 5,000,000 (approx. € 7618) or suspension or withdrawal or the approval.
2.2 HEALTH AND PHARMA SECTOR
2.2.1. Law: Scope of application/ Key provisions
In Cameroon, the health sector and the pharmaceutical industry are governed by various laws including:
- the Penal Code;
- Law No. 90/36 of 10 August 1990 Organising Medical Practice (only available in French here) (‘the Law on Medical Practice’);
- Decree No. 83-166 of 12 April 1983 on the Code of Ethics of Medical Doctors (only available in French here) (‘the Medical Code of Ethics’); and
- Decree No. 2002/209 of 19 August 2002 on the Organisation of the Ministry of Public Health (only available in French here).
2.2.2 Case law
2.2.3 Presence of a regulator, its role/powers
The Doctors Council ensures that the principles of morality and dedication relevant to the practice of a medical doctor are respected and that the rules laid down in the Medical Code of Ethics are complied with.
2.2.4. Key definitions
2.2.5. Data retention
Patient data is stored at several levels. Within each healthcare establishment, patient-doctor communications are privileged and confidential.
2.2.6. Specific provisions on data breach and data breach notification
Article 4 of the Law on Medical Practice provides that a physician in service in the administration or in the private sector is subject to professional secrecy, to the code of ethics of the profession adopted by the Doctors Council, as duly approved.
2.2.7. Specific provisions imposing limitations on data transfers
2.2.8. Sanctions and penalties
Article 310 of the Penal Code providesthat whoever without permission from the person interested in secrecy reveals any confidential fact which has come to their knowledge or which has been confided to them solely by reason of their profession or duties, shall be punished with imprisonment from three months to three years and a fine from XAF 20,000 (approx. €30) to XAF 200,000 (approx. €300).
In addition, Article 48 of the Law on Medical Practice provides fora reprimand, suspension of activity ranging from three months to one year depending on the seriousness of the fault committed, and removal from the roll of the Doctors Council.
2.3 TELECOMMUNICATIONS SECTOR
2.3.1. Law: Scope of application/ Key provisions
The telecommunications sector encompasses all the aspects of ICT and electronic communications. The relevant laws are:
- the Cybersecurity Law;
- the Electronic Communications Law;
- the E-Commerce Law;
- the Consumer Protection Law;
- Decree No. 2012/1637/PM of 14 June 2012 on the Methods of Identification of Subscribers and Terminals (only available in French here);
- the E-Communications Consumer Protection Decree; and
- the ANTIC Decree.
2.3.2. Case law
In 2019, the Telecommunications Regulatory Board (‘ART’) sanctioned some telecommunications operators in Cameroon for failure to identify subscribers and terminal equipment in electronic communications networks.
2.3.3. Presence of a regulator, its role/powers
The main regulator is the National Information and Communication Technology Agency (‘ANTIC’) established by the ANTIC Decree. Its missions include:
- ensuring the ethical use of ICT, consumer protection, and privacy; and
- regulating, controlling, and monitoring activities relating to the security of information systems and electronic communications networks, as well as electronic certifications.
In addition, ART supervises and regulates the activities of telecommunications operators.
2.3.4. Key definitions
Electronic Communication: Emission, transmission, or reception of signs, signals, writings, images, or sounds, by electromagnetic means (Article 4(22) of the Cybersecurity Law).
Cybercrime: All offences committed through cyberspace by means other than those usually used, for criminal purpose (Article 4(32) of the Cybersecurity Law).
2.3.5. Data retention
In the telecommunications sector, the personal data of users is kept by the operators of the information systems, and in accordance with the Cybersecurity Law, such operators have the duty to put in place security mechanisms to ensure the protection of data in their networks.
Within the CEMAC zone, the E-Communications Consumer Protection Decree urges operators to guarantee the confidentiality of electronic communications and data on their networks.
2.3.6. Specific provisions on data breach and data breach notification
Article 61 et seq. of the Cybersecurity Law provides for a number of sanctions in case of data violations. In addition, Article 74 of the Cybersecurity Law provides for a term of imprisonment of one to two years and a fine of XAF 1,000,000 (approx. €1,500) to 5,000,000 (approx. €7,600) to whoever interferes with the privacy of others by fixing, recording, or transmitting, without the consent of the author, electronic data of a private or confidential nature.
2.3.7. Specific provisions imposing limitations on data transfers
2.3.8. Sanctions and penalties
Where an amicable settlement between the concerned parties cannot be reached, the parties should refer to ANTIC. If the decision rendered by ANTIC is not satisfactory, parties can then seek relief before the courts.
Article compiled by Danielle Moukouri, Managing Partner at Cameroonian member firm Moukouri Law