Understanding Cameroon’s Law on Personal Data Protection: Toward a Legal Framework for Digital Rights

21 May 2025

Introduction

In a context marked by digital transformation and growing concerns about privacy and information misuse, Cameroon has introduced a comprehensive Draft Law on the Protection of Personal Data. This legal framework aims to align national legislation with international standards, notably the GDPR, African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), and UN human rights instruments.

This blog article provides a structured overview of the draft law, highlights its key principles, mechanisms, rights, and enforcement strategies, and situates its importance in the broader African digital rights landscape.

I. Scope and Applicability

The draft law applies to both automated and non-automated processing of personal data contained in or intended to be part of a file. It covers individuals and organizations—both public and private—within and outside Cameroon, provided the data subjects are Cameroonian nationals or residents. Exemptions are narrowly defined, limited to private/domestic use or temporary technical copies.

Notably, it enshrines a territorial reach similar to the GDPR: foreign entities processing the data of Cameroonians must comply if their activities target individuals in Cameroon.

II. Definitions and Key Concepts

A notable strength of the draft law lies in its clarity of definitions. It outlines key concepts such as:

  • Personal data: any information identifying a person directly or indirectly.

  • Sensitive data: data on religion, health, sex life, ethnicity, etc.

  • Profiling, biometric/genetic data, pseudonymization, consent: All receive precise, protective definitions.

  • Processing: Broadly construed to cover collection, storage, use, dissemination, deletion, etc.

III. Principles of Personal Data Processing

At the heart of Cameroon’s draft legislation lies a strong commitment to the foundational principles that govern responsible data processing. These principles reflect international best practices—particularly those of the GDPR and the African Union's Malabo Convention—and aim to balance innovation with the protection of individual rights. Let’s explore each in more depth:

1. Lawfulness and Fairness

The draft law mandates that all processing of personal data must be grounded in a legitimate legal basis. This includes obtaining freely given, specific, informed, and unambiguous consent from the data subject, or relying on other justifications such as contractual necessity, legal obligation, vital interests, or public interest. Fairness requires that individuals are not misled or harmed through deceptive or covert practices. For instance, collecting personal data under the pretext of service provision, but using it for commercial profiling without consent, would violate this principle.

2. Purpose Limitation and Data Minimization

Organizations are required to collect personal data only for explicit, legitimate, and clearly stated purposes, and only the data that is strictly necessary to fulfill those purposes. This prevents the over-collection and repurposing of data—such as using school enrollment data for political campaigning—unless a new, lawful basis is obtained. It encourages entities to define, limit, and document the scope of their data use, thereby reinforcing trust and accountability.

3. Accuracy and Storage Limitation

The law obliges data controllers to ensure that personal data remains accurate, complete, and up-to-date. Individuals must be able to request correction or deletion of outdated or incorrect data. Moreover, data should not be retained longer than necessary, depending on the purpose for which it was collected. For example, employment application data should be deleted within a reasonable time if the candidate is not hired, unless consent for retention has been obtained.

4. Integrity and Confidentiality

Data security is a legal obligation under the draft framework. Controllers must implement technical and organizational measures to protect data against unauthorized access, alteration, loss, or disclosure. This includes encryption, access controls, and regular risk assessments. Failure to secure data—such as exposing medical records or financial information through weak IT systems—could result in severe administrative and criminal sanctions under the law.

5. Transparency

Transparency is critical to empowering data subjects. The law requires that individuals be informed—in clear and accessible language—about how their data is collected, used, stored, and shared. This includes the identity of the controller, the legal basis for processing, the purposes of collection, recipients of the data, and their rights. Privacy notices must be concise and user-friendly, especially when data is collected online or via mobile platforms.

6. Special Provisions for Children’s Data

Recognizing the vulnerability of minors in the digital age, the draft law introduces heightened protections for children's personal data. Processing a child’s data will generally require verifiable parental or guardian consent, together with the establishment of age thresholds below which consent is invalid without adult authorization. These provisions align with global standards on child online safety and are essential for educational, health, and entertainment platforms that interact with youth.

Together, these principles establish a rights-based, ethically grounded foundation for Cameroon’s data protection regime. By enforcing these norms, the draft law not only builds trust in digital systems but also ensures that technological progress respects the dignity, autonomy, and privacy of all Cameroonian citizens.

IV. Legal Bases for Data Processing

Under Cameroon’s forthcoming data protection framework, processing personal data is not permitted by default—it must be justified by one of several legally recognized bases. This ensures that individuals' rights are not arbitrarily infringed and that organizations bear the burden of demonstrating the legitimacy of any data handling activities. The draft law clearly enumerates these conditions of lawfulness, drawing inspiration from the GDPR while adapting them to Cameroon’s constitutional and institutional context.

1. Consent

The cornerstone of lawful processing is consent, which must be freely given, specific, informed, and unambiguous. This means that consent cannot be obtained through pre-ticked boxes, vague language, or coercive terms. Data subjects must clearly understand what they are agreeing to—such as how their data will be used, for what purposes, and by whom—and must be able to withdraw their consent just as easily. For example, if a mobile app collects geolocation data for navigation, it cannot later use that data for targeted advertising without additional, explicit consent.

2. Contractual Necessity

Personal data may also be processed if it is necessary for the performance of a contract to which the data subject is party, or for steps taken at the individual’s request prior to entering into a contract. For instance, a telecommunications provider may lawfully process a customer’s billing information to provide and maintain service delivery.

3. Legal Obligation

Processing is permitted when necessary to comply with a legal obligation imposed on the data controller. This might include obligations under tax laws, labor regulations, or public health reporting duties. However, the controller must ensure that the data collected is strictly limited to what the law requires and is not used for other purposes.

4. Vital Interests

Where processing is necessary to protect the vital interests of the data subject or another person, it may proceed without consent. This condition applies mostly to emergencies—such as sharing medical information with paramedics during an accident—or humanitarian scenarios involving threats to life or safety.

5. Public Task or Authority

If processing is required for the performance of a task carried out in the public interest or in the exercise of official authority, it is considered lawful. This is especially relevant for government agencies, law enforcement bodies, or public service institutions engaged in functions like issuing national IDs, conducting censuses, or delivering welfare programs.

6. Legitimate Interests (Excluding Public Authorities)

Private organizations may process data under the “legitimate interest” basis, provided their interests do not override the rights and freedoms of the data subject. This might include preventing fraud, securing IT systems, or even limited forms of marketing—if appropriately justified and documented. However, this ground cannot be invoked by public authorities when acting in the scope of their official functions, in order to maintain accountability and public trust.

Special Rules for Sensitive Data

The draft law introduces stricter safeguards for sensitive personal data, which includes information on health, ethnicity, religion, political opinions, biometric and genetic data, and sexual orientation. As a general rule, explicit consent is required to process such data, meaning that the data subject must clearly agree in writing or through a validated digital mechanism. However, exceptions to this requirement exist in limited contexts, such as:

  • Where processing is necessary for medical diagnosis, healthcare delivery, or public health protection;

  • Where the data is needed to establish, exercise, or defend legal claims;

  • When processing is justified by substantial public interest and appropriate safeguards are in place.

These distinctions ensure that the more sensitive the data, the higher the threshold for legitimacy and protection. By outlining specific legal bases, Cameroon’s draft law enhances legal certainty for data controllers and processors, while reinforcing the constitutional rights of individuals to privacy, dignity, and information self-determination.

V. Data Subject Rights

At the core of any effective data protection regime lies the recognition of individual rights—rights that ensure people retain control over their personal information. Cameroon’s draft law enshrines a broad and modern catalog of data subject rights, many of which mirror internationally recognized standards such as the GDPR and the Malabo Convention. These rights empower Cameroonians to be active participants in the digital economy, rather than passive subjects of data collection. Each right serves a distinct purpose and collectively forms the foundation of informational self-determination.

1. Right of Access, Rectification, and Erasure (“Right to be Forgotten”)

Every individual has the right to obtain confirmation from a data controller as to whether their personal data is being processed, and to receive a copy of such data in an intelligible format. This includes details about the purposes of processing, categories of data, recipients, and retention periods. If the data is inaccurate or incomplete, the individual has the right to request its correction without undue delay. More notably, the law introduces the right to erasure—popularly known as the “right to be forgotten.” This allows individuals to demand the deletion of their data in specific circumstances, such as when the data is no longer needed, consent is withdrawn, or processing was unlawful. For example, a user who deletes their account on a social media platform may also request that their associated data be removed from the platform’s servers.

2. Right to Object to Processing, Including for Direct Marketing and Profiling

Data subjects can object at any time to the processing of their personal data, especially when it is based on legitimate interest or used for direct marketing purposes. In such cases, the data controller must immediately cease the relevant processing unless compelling legitimate grounds can be demonstrated. Additionally, individuals have the right to object to the use of their data in automated decision-making or profiling, particularly when such processes may lead to legal consequences or significantly affect them—such as automated loan approvals or job candidate filtering. This ensures that individuals do not fall victim to opaque algorithms or discriminatory models.

3. Right to Data Portability

A progressive addition to the draft law is the right to data portability, which allows individuals to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller. This right facilitates consumer autonomy and encourages competition among service providers by making it easier to switch between digital services—such as moving medical records from one hospital to another, or transferring user data between messaging apps.

4. Right to Restriction of Processing

In certain situations, individuals may request the limitation of data processing, meaning that their personal data is only stored but not actively used. This can occur, for example, while a request for rectification is being verified, or when the individual contests the lawfulness of processing. This safeguard ensures that potentially inaccurate or disputed data is not acted upon until the matter is resolved.

5. Post-Mortem Rights and Directives

In a unique provision reflecting growing awareness of digital legacies, the draft law allows individuals to issue post-mortem directives concerning their personal data. This means a person can decide in advance whether their data (e.g., social media profiles, medical history, or email accounts) should be deleted, anonymized, or preserved after their death, and who has the authority to manage it. This provision fills a critical gap in digital governance and responds to the increasing relevance of personal data even after life ends.

6. Protection Against Fully Automated Decision-Making

The draft explicitly prohibits decisions based solely on automated processing, including profiling, unless certain safeguards are met. Where such decisions are permitted—e.g., for performance of a contract or authorized by law—data subjects must be granted the right to human intervention, the ability to express their point of view, and the right to contest the decision. This principle reaffirms the importance of human oversight in algorithmic governance, particularly in sensitive areas such as credit scoring, law enforcement, or social assistance.

Together, these rights constitute a comprehensive framework for individual data autonomy, equipping Cameroonian citizens with the tools to assert control over their personal information. The effective implementation of these rights will require public awareness campaigns, user-friendly complaint mechanisms, and institutional support, especially in rural and underserved communities. Nonetheless, their inclusion in the draft law marks a major leap forward for digital rights and the democratization of data governance in Central Africa.

VI. Data Transfers and Interconnection

Transfers to foreign countries are restricted unless the destination ensures adequate protection, assessed by the Authority. Mechanisms include:

  • Standard contractual clauses

  • Binding corporate rules

  • Public interest exemptions

All interconnections between data files require legal authorization and technical safeguards.

VII. Obligations of Data Controllers and Processors

Under Cameroon’s draft data protection law, data controllers—those who determine the purposes and means of personal data processing—carry a legal duty to uphold transparency, security, and accountability. One of their foremost obligations is to inform data subjects at the point of collection, providing clear, accessible information about the identity of the controller, the purpose and legal basis for processing, the recipients of the data, the duration of storage, and the individual’s rights. Beyond transparency, controllers must ensure the confidentiality and integrity of personal data by implementing appropriate technical and organizational measures—ranging from encryption and access controls to staff training and cybersecurity protocols. They are also required to maintain a comprehensive data processing registry, documenting the types of data processed, retention periods, and safeguards in place. This registry is essential for internal accountability and for facilitating audits or inspections by the supervisory authority.

Controllers engaged in high-risk activities—such as large-scale profiling, biometric processing, or data transfers across borders—must conduct Data Protection Impact Assessments (DPIAs) to evaluate and mitigate potential harms. In certain contexts (e.g., large-scale public sector processing or sensitive health data), they are obligated to appoint a Data Protection Officer (DPO) with expertise in privacy laws and independence from operational decision-making. Furthermore, in the event of a data breach that poses a risk to individuals’ rights and freedoms, controllers are required to notify the Data Protection Authority within 72 hours and, in some cases, inform affected individuals directly. Importantly, they must embed privacy by design and by default into their systems, meaning data protection principles must be considered from the earliest stages of development, not added as an afterthought. Meanwhile, data processors—entities that process data on behalf of controllers—are bound by legally enforceable contracts that specify responsibilities, security measures, and restrictions on sub-processing. The law establishes shared liability between controllers and processors, ensuring that both parties are accountable in the event of non-compliance or data mishandling.

In conclusion, controllers must:

  • Inform data subjects at collection

  • Ensure data security and confidentiality

  • Maintain a data processing registry

  • Conduct impact assessments for high-risk processing

  • Appoint a Data Protection Officer (DPO) under certain conditions

  • Report data breaches within 72 hours

  • Implement privacy by design and by default

Processors are bound by contracts and share liability.

VIII. The Data Protection Authority (DPA)

A new independent authority will be established, under the Prime Minister’s authority. Its roles include:

  • Supervising compliance

  • Approving certifications and standard clauses

  • Handling complaints and breaches

  • Imposing administrative sanctions (up to 4% of turnover)

  • Issuing guidance and participating in international cooperation

Its composition, functioning, independence, and transparency are detailed to ensure credibility.

IX. Enforcement and Sanctions

The draft law provides for:

  • Administrative penalties: Fines, suspensions, injunctions, warnings

  • Judicial recourse: Available for data subjects

  • Criminal sanctions: Up to 5 years imprisonment and fines up to 80 million FCFA for serious violations (e.g., unlawful processing, security breaches, ignoring objections)

Conclusion: A Milestone for Digital Rights in Cameroon

Cameroon’s draft data protection law reflects a thoughtful alignment with global norms while addressing national needs. Its emphasis on fundamental rights, institutional oversight, and clear obligations signals a significant step toward digital sovereignty and public trust.

Once adopted, it will require strong institutional capacity building, public awareness, and cross-sector collaboration to succeed. Nonetheless, it represents a foundational leap forward in establishing a rights-based digital governance model for Cameroon and potentially for the broader Central African region.

Sources:

  • Law on the Protection of Personal Data in Cameroon (2024)

  • GDPR, Malabo Convention, UN ICCPR

  • Comparative frameworks: Senegal, Côte d’Ivoire, Nigeria, South Africa

  • African Declaration on Internet Rights and Freedoms
