Data protection & privacy laws in Cameroon (2026)

Law No. 2024/017 was signed on 23 December 2024 and published on the Presidency of the Republic's official portal. It supersedes the fragmented privacy provisions of the 2010 Cybersecurity Law and establishes a standalone, comprehensive personal data protection regime.

The law grants controllers and processors an 18-month transition period from enactment, placing the full-enforcement deadline at 23 June 2026. Organisations are expected to audit and align their data-processing operations before that date.

The law creates the Personal Data Protection Authority (Autorité de protection des données à caractère personnel), responsible for enforcement, authorisations, complaints handling, and cross-border transfer approvals. The authority was not yet operationally established as of mid-2026; ANTIC (National Agency for Information and Communication Technologies) continues to exercise interim oversight over digital/telecom services.

Data subjects hold rights to be informed, access, rectify, erase, restrict, object to, and port their data — mirroring GDPR. Uniquely, heirs may exercise access and update rights on behalf of deceased data subjects at the controller's expense.

Processing of special categories — including health, biometrics, genetics, racial/ethnic origin, religion, political/trade-union opinions, and criminal records — is prohibited without explicit consent or another legal basis. Controllers must conduct Data Protection Impact Assessments, maintain records of processing, and implement appropriate security measures.

Non-compliance can attract fines of up to 1 billion CFA francs (≈ USD 1.6 million) and criminal imprisonment for responsible executives. The law creates personal liability for senior officers of infringing organisations.