Skip to content
World Watch/Cameroon/Data & Privacy

Data & Privacy · Cameroon

Data protection & privacy law in Cameroon (2026)

Comprehensive lawLaw No. 2024/017 of 23 December 2024 relating to personal data protection in Cameroon; supplemented by Law No. 2010/012 of 21 December 2010 on Cybersecurity and Cybercriminality. Supervisory authority: Personal Data Protection Authority (Autorité de protection des données à caractère personnel), mandated by the 2024 law but not yet operationally established as of mid-2026.Country index 76 · B+

Cameroon shaded by its data & privacy status

Data protection in Cameroon: comprehensive law, under Law No. 2024/017 of 23 December 2024 relating to personal data protection in Cameroon; supplemented by Law No. 2010/012 of 21 December 2010 on Cybersecurity and Cybercriminality. Supervisory authority: Personal Data Protection Authority (Autorité de protection des données à caractère personnel), mandated by the 2024 law but not yet operationally established as of mid-2026..

Cameroon enacted a comprehensive, GDPR-inspired personal data protection law on 23 December 2024 (Law No. 2024/017), becoming the 38th African country to adopt standalone data-protection legislation. The law introduced a broad set of data-subject rights and controller/processor obligations, with an 18-month compliance grace period expiring 23 June 2026. A dedicated supervisory authority is mandated under the law but had not yet become operational at time of research.

Key points

Enacted comprehensive law

Law No. 2024/017 was signed on 23 December 2024 and published on the Presidency of the Republic's official portal. It supersedes the fragmented privacy provisions of the 2010 Cybersecurity Law and establishes a standalone, comprehensive personal data protection regime.

Compliance grace period

The law grants controllers and processors an 18-month transition period from enactment, placing the full-enforcement deadline at 23 June 2026. Organisations are expected to audit and align their data-processing operations before that date.

Supervisory authority

The law creates the Personal Data Protection Authority (Autorité de protection des données à caractère personnel), responsible for enforcement, authorisations, complaints handling, and cross-border transfer approvals. The authority was not yet operationally established as of mid-2026; ANTIC (National Agency for Information and Communication Technologies) continues to exercise interim oversight over digital/telecom services.

Data subject rights

Data subjects hold rights to be informed, access, rectify, erase, restrict, object to, and port their data, mirroring GDPR. Uniquely, heirs may exercise access and update rights on behalf of deceased data subjects at the controller's expense.

Sensitive data and controller obligations

Processing of special categories, including health, biometrics, genetics, racial/ethnic origin, religion, political/trade-union opinions, and criminal records, is prohibited without explicit consent or another legal basis. Controllers must conduct Data Protection Impact Assessments, maintain records of processing, and implement appropriate security measures.

Penalties

Non-compliance can attract fines of up to 1 billion CFA francs (≈ USD 1.6 million) and criminal imprisonment for responsible executives. The law creates personal liability for senior officers of infringing organisations.

Timeline - major decisions & events

Dec 23, 2024lawofficial
Law No. 2024/017 on Personal Data Protection enacted

Cameroon's first standalone comprehensive data-protection statute was signed into law, establishing data-subject rights (consent, erasure, objection), prohibiting processing of sensitive categories (health, biometric, ethnic, political data), and creating the Personal Data Protection Authority (APC). Controllers and processors have until 23 June 2026 to comply.

Presidency of the Republic of Cameroon
May 1, 2024law
National Assembly adopts data-protection bill

The Cameroonian National Assembly voted to adopt Bill No. 2062 on Personal Data Protection, completing the legislative stage before presidential assent. The bill had been under deliberation since the May 2023 draft consultations.

African Law & Business
Jun 8, 2023decisionofficial
AU Malabo Convention enters into force

The African Union Convention on Cyber Security and Personal Data Protection (Malabo, 2014) entered into force after Mauritania became the 15th ratifying state. Cameroon had signed but not ratified, meaning it remains a persuasive regional benchmark rather than binding domestic law.

African Union
May 30, 2023guidance
Government publishes draft Data Protection Law and Decree for public consultation

Cameroon's Ministry of Posts and Telecommunications published a draft data-protection law and accompanying implementation decree, opening formal stakeholder consultations and marking the restart of a legislative process that had stalled for years.

Paradigm Initiative
May 23, 2022lawofficial
Decree No. 2022/169, Cameroon accedes to the Budapest Convention on Cybercrime

President Biya signed the decree formally proclaiming Cameroon's accession to the Council of Europe's Convention on Cybercrime (Budapest Convention), aligning Cameroon's international cooperation obligations on cybercrime and digital evidence with 60+ other states.

Council of Europe – Octopus Community
Mar 22, 2019decisionofficial
Decree No. 2019/150 restructures ANTIC

The decree reorganised the National Information and Communication Technology Agency (ANTIC), reaffirming it as the primary authority for ICT security, privacy enforcement, consumer protection, and the national Root Certification Authority, filling the regulatory gap left by the absence of a dedicated data-protection law.

ANTIC (National ICT Agency)
Feb 27, 2013law
Decree No. 2013/0399/PM, Consumer Protection Rules for Electronic Communications

The Prime Minister's decree laid down detailed implementation rules for protecting consumers of electronic communications services, including data-retention obligations and confidentiality requirements, supplementing the 2010 electronic-communications law.

DataGuidance
Dec 21, 2010lawofficial
Law No. 2010/012 on Cybersecurity and Cybercrime, first data-privacy provisions

Cameroon's foundational cybersecurity statute criminalised unauthorised access, data manipulation, identity theft, and interception of private communications. It imposed a 10-year connection-data retention obligation on operators and assigned ANTIC as national regulator, constituting the first meaningful legal protection for personal data in Cameroon.

Ministry of Posts and Telecommunications (Cameroon)

Cameroon - other topics

Data & Privacy in other countries

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →