(Business in Cameroon) - In a context marked by a boom in digitalization, accelerated by the coronavirus pandemic in 2020, there is a legal vacuum concerning personal data protection law in Cameroon, a note recently issued by the Inter-Patronal Grouping of Cameroon (GICAM) reveals. Titled "l’urgence d’un cadre juridique spécifique à la protection des données à caractère personnel au Cameroun" (urgent call for a specific personal data protection legal framework), the note points at the lack of specific texts relating to personal data protection in Cameroon as well as the weaknesses in the current legal framework.

For instance, the note shows, Cameroon has not signed or ratified any international treaty addressing the protection of personal data. Also, the country has no legal framework specifically addressing the protection of personal data nor has it created an independent authority whose mission is to protect and ensure the respect of the laws relating to the collection, processing, and storage of personal data.

The GICAM reckons that some texts address the issue but they do not define what is meant by personal data, the appropriate framework for the collection, processing, transmission, storage, or any other use of such data, let alone the obligations of those responsible for their processing or the rights of persons whose data are collected and the steps they should take in case of unlawful processing.

Risks

As a result of that vacuum, the digitalization boom exposed residents to many risks, the GICAM believes. To illustrate its assertion, it takes the example of the e-tax registration process, the data processed by insurers, and Covid-19 tests processing.  

In the case of the e-tax, the GICAM points out that the registration data of all the Cameroonian taxpayers (including their data) are freely accessible on the tax administration’s website. For the grouping, the information (names, surnames, unique identification number) freely available on that platform exposes nearly two million Cameroonian taxpayers to identity theft since anyone anywhere in the world can access it.

As for the data processed by insurers, GICAM thinks the personal information (name, ID, medical records, etc.) clients entrust to insurers are exposed to hackers all over the world given that due to the lack of a legal framework, insurers take minimal safety precaution measures. Talking of the management of Covid-19 PCR tests, GICAM thinks the personal data protection issue is crucial since it is a medical secrecy case. However, the sensitive data required (namely id card or passport details as well as several personal details) are transmitted through Whatsapp or on mere sheets.

Recommendations

Given these weaknesses, for efficient personal data protection, with the help of all relevant actors (including the civil society), the government should map all the data classified in the category of personal data, the GICAM suggests. Also, Cameroon should create an anonymization system for the collection of confidential personal data and expedite the elaboration of a specific data protection law that complies with international standards.  

In addition, the Group recommends the creation of an independent body whose mission will be to oversee the application of the said law and the punishments required for those accused of violating personal data protection provisions. This body could be an existing institution whose competence base will be extended to the enforcement of personal data protection laws or even a new agency.

The last suggestion is the establishment of regulatory cooperation frameworks between personal data protection authorities in the sub-region as well as a harmonization of the legal data protection framework with those in the Central African sub-region.  

Sylvain Andzongo