In Banjul Gambia the government has taken a landmark step in safeguarding digital rights by passing the Personal Data Protection and Privacy Act, 2025, its first comprehensive legislation dedicated to protecting personal information in Gambia and is part of the growing trend for every country to create a data privacy law. Approved unanimously by the National Assembly on September 29, 2025, the act awaits presidential assent to become law, marking a pivotal moment for the West African nation as it joins a wave of African countries fortifying privacy amid rapid digital expansion.
The act fills a long-standing gap in Gambia’s legal framework, where privacy was previously enshrined only in the 1997 Constitution but lacked specific enforcement mechanisms for personal data handling. It regulates the collection, processing, storage and sharing of personal data by public and private entities, aiming to prevent misuse, build public trust and foster innovation while aligning with global standards. Civil society groups like Paradigm Initiative hailed the passage as a “historic milestone,” urging President Adama Barrow to sign it swiftly to operationalize protections against data breaches and unauthorized surveillance.
At its core, the act introduces core principles of data protection, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. It defines “personal data” broadly as any information relating to an identified or identifiable natural person, encompassing identifiers like names, biometric details and online behavior. Sensitive personal data, such as health records or political opinions, receives heightened safeguards, requiring explicit consent or legal basis for processing.
Data subjects – individuals whose information is handled – gain robust rights under the law. These include the right to be informed about data usage, access to one’s data, rectification of inaccuracies, erasure (the “right to be forgotten“), restriction of processing, data portability and objection to automated decision-making. Mechanisms for exercising these rights are mandated, with controllers required to respond within one month, extendable under certain conditions. The act also prohibits processing that infringes on privacy without justification, echoing constitutional protections.
Obligations for data controllers and processors are stringent. Controllers, who determine the purposes of processing, must conduct data protection impact assessments for high-risk activities, appoint a data protection officer if necessary and notify breaches to the authority within 72 hours. Processors, acting on controllers’ behalf, must ensure secure handling through contracts outlining responsibilities. Cross-border transfers are restricted to jurisdictions offering adequate protection or via safeguards like standard contractual clauses, preventing data flows to high-risk countries without safeguards.
Enforcement falls to a newly established National Data Protection Commission, an independent authority tasked with oversight, investigations, audits and public education. The commission, potentially building on the Access to Information Commission’s mandate, can issue guidelines, handle complaints and impose administrative fines up to 4 percent of annual global turnover for serious violations – a deterrent modeled on the European Union’s General Data Protection Regulation. Criminal penalties apply for willful breaches, including imprisonment up to five years.
Unique to Gambia’s context, the act addresses local challenges like digital inclusion in rural areas and government data use in public services. It mandates awareness campaigns and capacity-building for small businesses, recognizing the nation’s nascent digital economy. The legislation also integrates with the National Data Policy, promoting open data while ring-fencing personal information.
Compared to other African privacy frameworks, Gambia’s act aligns closely with continental trends but stands out for its timeliness and emphasis on enforcement capacity. South Africa’s Protection of Personal Information Act (POPIA) of 2013, fully effective since 2021, pioneered comprehensive rights and the Information Regulator but faced delays in implementation; Gambia’s quicker rollout could leapfrog such hurdles. Kenya’s Data Protection Act of 2019, enforced by the Office of the Data Protection Commissioner, mirrors Gambia’s subject rights and breach notifications but includes sector-specific codes that Gambia may adopt later.
Nigeria’s Nigeria Data Protection Act of 2023, overseen by the Nigeria Data Protection Commission, shares similarities in fines and cross-border rules but emphasizes economic impacts, fining up to 2 percent of turnover – half Gambia’s cap, potentially making Gambia’s regime more punitive. Unlike Rwanda’s 2021 law, which focuses on AI governance, Gambia’s act prioritizes basic protections, fitting its developmental stage. Overall, with 39 African nations now boasting data laws as of 2025, Gambia’s entry bolsters regional harmonization efforts, such as the African Union’s Malabo Convention, facilitating cross-border trade while upholding human rights.
Advocates note the act’s potential to attract foreign investment by signaling a privacy-mature jurisdiction, but warn of implementation pitfalls without resources. “This law is a shield for Gambians in the digital age, but its strength lies in enforcement,” said a representative from the Ministry of Information. As assent looms, the act positions Gambia as a privacy leader in West Africa, urging neighbors like Sierra Leone to accelerate their drafts.
