The Nigerian Competition and Consumer Protection Tribunal on April 25, 2025, imposed a record fine of 220 million dollars on Meta Platforms Inc. and WhatsApp LLC, owners of Facebook, WhatsApp, and Instagram, for unauthorized data transfers, publishing non-compliant privacy policies, and processing data of users established or residing in Nigeria without their consent. Among the notable sanctions by Data Protection Authorities in Africa, there is also the decision of July 18, 2025, by the Ugandan Data Protection Authority (PDPO)., sanctioning Google LLC., for transfer of personal data of Ugandan citizens outside Uganda without demonstrating adequate safeguards or accountability, and failure to appoint and provide the contact details of its designated Data Protection Officer for Uganda, in violation of the legal requirements.
In addition to financial penalties, it’s now imposed on tech giants:
- to register with the Data Protection Authority in the relevant African country,
- to appoint a Data Protection Officer responsible for the African country concerned, and
- to submit proof of compliance of their cross-border data transfer procedures with local laws.
Through the above, the African Data Protection Authorities are sending out a strong signal about the effective implementation of data protection laws in Africa.
In line with the global data protection regulatory trends, Cameroon, pillar of the digital economy in Central Africa, adopted on December 23, 2024, the Law no.2024/017 relating to personal data protection in Cameroon (The data protection law). The data protection law granted companies that, in the course of their operations, use, collect, record, organize, store, adapt, modify, reconcile, block, erase, and transfer personal data, a deadline for aligning their data processing protocols with the legal requirements. This deadline will expire on 23 June 2026.
What data are we talking about? Which sectors process data on a large scale? How can we ensure data compliance? Here are some essential questions for companies that process personal data of data subjects established, residing or in transit in Cameroon.
I Personal data and its market value
In 2024, Alphabet Inc, the parent company of Google Inc, generated 265 billion dollars in advertising revenue, thanks to advertising performance on the Google Search engine and on YouTube. In other words, the more time Internet users spend on the advertising that appears on their screen while browsing, the richer Google becomes.
By fully or partially accepting “cookies” to facilitate access to web pages, by opening and spending time on sponsored content and online advertising content, users generally transmit hundreds of thousands of pieces of data per second to the platform owner, without paying any particular attention. The personal data communicated through search engine queries (browsing history, for example), online purchases, and the publication and sharing of opinions on social networks, tells us a lot about users’ behavior, preferences and consumption habits. Companies pay to have access to this data and to display targeted advertising.
If an Internet user receives dozens of advertisements for car rental on his phone, computer or tablet every time he connects to the Internet, even several weeks after searching for car hire options, it’s because his personal data (email address, IP address, IP geolocation, browsing history) has been sold by Google to the advertisers who send him the advertisements.
However, it is not only on the internet that personal data is communicated by its holders. In exchange for access to their products or services, thousands of companies receive names, dates of birth, marital status, photos, fingerprints, postal addresses, email addresses, telephone numbers, social security numbers, digital identifiers, IP addresses, connection identifiers, bank card numbers, and health data., etc.
In Cameroon now, processing the data belonging to persons established, residing or in transit in Cameroon, for purposes related to the activities of the collecting companies, in disregard of the conditions for obtaining consent, the requirements for bringing data processing protocols into compliance and obtaining prior authorization from the Data Protection Authority where applicable, will be sanctioned after June 23, 2026.
II The data compliance in Companies responsible for data processing
Is designated as the Data controller, any company that collects and processes, directly or through a sub-processor, the personal data of customers, users and staff located in Cameroon, for purposes related to the company’s operations such as:
- For a mobile health application: collection of health data (weight, blood pressure, heart rate) to monitor the user’s progress as part of the personalized medical monitoring program,
- For a telecommunications company: analysis of subscribers’ personal data such as telephone numbers, balance notifications, display of mobile data bandwidth for sale to local advertisers for the purpose of distributing direct marketing SMS messages.
With regard to data processing, the law specifies that this covers all operations of collection, recording, organization, storage, adaptation, retrieval, consultation, dissemination, transmission, alignment, blocking, erasure, or transfer of personal data.
As such, the Data controller who is the one responsible for determining the means for processing personal data in compliance with data protection regulations throughout the duration of the processing of personal data. In other words, if the law requires prior authorization of the Data Protection Authority and compliance with the conditions guaranteeing the exercise of the rights of the data subject for:
- the processing of personal data on the Cameroonian territory; and
- the transfer of personal data to a foreign country or to an international organization,
any failure to meet these obligations could result in significant sanctions for the company.
The most sensitive sectors and categories of company, due to their large-scale data processing, are:
- Public services,
- Public or private services responsible for the distribution of energy and water
- Technology companies (internet-related services and products, telecommunications services, mobile applications),
- Health establishments,
- Financial institutions.
Due to the sensitive nature, the large volumes of data processed or the specific nature of the operations of these companies, compliance with processing procedures is particularly important.
III The main areas of data compliance for companies
The most significant sanctions so far imposed on Data controllers by Data Protection Authorities have generally been against:
- Unauthorized data transfer,
- Transfer of personal data without adequate safeguards and in breach of domestic data transfer requirements,
- Unclear consent mechanisms for data processing,
- Publication of non-compliant privacy policies,
- Failure to comply with consent requirements for targeted advertising,
- Disclosure of personal data of minors without appropriate consent or security measures,
- Significant shortcomings in data protection procedures.
These sanctions are very often imposed following the processing of data of:
- a large number of people (e.g. hundreds of subscribers, customers or users),
- a very large volume or spectrum, or
- covering a large geographical area (town, division, region, state, country).
Data processing operations that meet one or more of the above criteria are categorized as “large-scale data processing”. For companies that routinely carry out this type of data processing, even when it is not required by law, the appointment of a Certified Data Protection Officer (DPO) is strongly recommended.
- Appointment of a certified DPO:
The Data Protection Officer (DPO), the true orchestrator of the company’s data compliance, is appointed in/for the country concerned, on the basis of specialist knowledge of the applicable technology law, the technical and IT aspects of the processing carried out, and data protection practices. He/she must be:
- certified by an approved certification body, and
- aligned with the sensitivity, volume of data processed, and complexity of data processed within the company.
Due to the degree of autonomy required to carry out their duties, the DPO is very often an external specialist. However, as an employee of the company, he/she is only accountable to the highest level of management.
- Audit of files and processing:
As part of his/her initial tasks, the DPO will analyze and map the various data processing operations, as well as the risks associated with these operations. He/she will then draw up the company’s compliance roadmap.
- Compliance Management:
The Data controller or the Sub-processor will ensure that the DPO is involved in all projects involving personal data so that he/she can effectively implement the internal procedures listed in the roadmap (Privacy by Design). From installing a data privacy culture within the team, to drafting internal protocols and contractual documentation, and establishing and maintaining personal data processing policies and registers, the DPO will assert his/her role within the organization delicately but precisely. He/she will also be the point of contact for the people whose data is collected and for the Personal Data Protection Authority, with whom he/she will carry out the obligatory formalities.
With regulations set to be enriched with laws, including the creation and organization of the Data Protection Authority in Cameroon, data, the true “black gold” of the modern digital economy, will once again be proudly talked about.
Authored by Danielle Moukouri from LEX Africa member, D. Moukouri & Partners in Cameroon. https://moukourilaw.com/
Technology Lawyer
Member of the Cameroon Bar – Nigerian Bar –
American Bar Association
Graduate of The Wharton School – University of Pennsylvania (USA)
Certified Data Protection Officer (DPO)
Global Leader in Fintech & Blockchain – Lexology
In charge of elaborating the National Artificial Intelligence Strategy in Cameroon
