Personal Data Protection in Senegal
Personal Data is getting more and more attention all around the world not only for its potential value but also for its functions of identification, which raise at the same time both economic and legal questions. Although a much visible momentum can be observed in Europe in that sense, it would be a mistake thinking that it is not the case elsewhere.
Indeed, data protection is also a big preoccupation in African countries. Though, for this article, we will be focused solely in one country : Senegal.
For the last ten years, a real digital economy has been taking place and growing exponentially in Senegal. Plus, the rate of the usage of digital services and social media is mesmerizing in that country, not to mention the risks regarding cybersecurity and cybercrimes like scams, revenge porn etc. Therefore, it has been very obvious that a Data protection policy was one of the most pressuring legal emergencies for the Senegalese governments in the last years. Thus, that is exactly what has been initiated regarding the situation. So, we will first see what are the norms surrounding data protection in Senegal, then we will talk about the Personal data commission which mission is to make sure that those norms are actually effective.
Personal data regulation in Senegal
Personal data treatment in Senegal is regulated by a Law voted in 2008 (Loi n°2008-12 sur la protection des données à caractère personnel).
The cited Law, in its 2nd article shows a very large scope of what should be considered as personal Data and therefore what should be protected. That move is obviously not isolated. A quick read of the GDPR or any other personal data regulations would lead to noticing that personal data benefits from a very large definition for a maximum of protection. Nevertheless, that does not mean that there are not exceptions and limitations regarding that protection. Indeed, in its article 3, the Law exposes precisely the cases where data protection does not apply.
Also, not only does the law guarantees a very large scope of protection, it compels the companies and persons that are willing to use personal data to do it accordingly to a certain amount of fundamental and procedural obligations. Plus, the law confers at the same time numerous rights and privileges to the data owners so that they can have the control of their processed information. In consequence, it is safe to say that the data protection legislation allows, theoretically, a high degree of protection that has to be implemented by a designated organism : the Commission for the Protection of personal Data (CPD).
The missions of the CPD
First of all, the CPD is expected to ensure that every personal data treatment is done is accordance with legal provisions. That watch mission directed to data processors is then coupled with a mission of education towards people whose personal data are being processed. Therefore, the CPD must raise users’ awareness about the dangers and the threats surrounding the usage of new technology regarding fundamental rights such as the right to privacy. Subsequently, The CPD has also an advice and proposal mission.
Concerning the advice mission, it is expected from the CPD to counsel the persons and organisms that process personal data in order to prevent any violation of the Law. The proposal mission is, as far as it’s concerned, directed to the government. Indeed, the CPD has to expose to the government suggestions that are likely to improve and simplify personal data processing. Moreover, that organization ought to make recommendations in order to make sure that data processing is done in compliance with the Law. Finally, in addition to its cooperation with the judiciary on the authority of its mission of investigation and folder and file instruction, the CPD can also impose monetary penalties and administrative sanctions.