Data & Privacy · Cameroon
Data protection & privacy law in Cameroon (2026)
Cameroon shaded by its data & privacy status
Data protection in Cameroon: comprehensive law, under Law No. 2024/017 of 23 December 2024 relating to personal data protection in Cameroon; supplemented by Law No. 2010/012 of 21 December 2010 on Cybersecurity and Cybercriminality. Supervisory authority: Personal Data Protection Authority (Autorité de protection des données à caractère personnel), mandated by the 2024 law but not yet operationally established as of mid-2026..
Cameroon enacted a comprehensive, GDPR-inspired personal data protection law on 23 December 2024 (Law No. 2024/017), becoming the 38th African country to adopt standalone data-protection legislation. The law introduced a broad set of data-subject rights and controller/processor obligations, with an 18-month compliance grace period expiring 23 June 2026. A dedicated supervisory authority is mandated under the law but had not yet become operational at time of research.
Key points
Law No. 2024/017 was signed on 23 December 2024 and published on the Presidency of the Republic's official portal. It supersedes the fragmented privacy provisions of the 2010 Cybersecurity Law and establishes a standalone, comprehensive personal data protection regime.
The law grants controllers and processors an 18-month transition period from enactment, placing the full-enforcement deadline at 23 June 2026. Organisations are expected to audit and align their data-processing operations before that date.
The law creates the Personal Data Protection Authority (Autorité de protection des données à caractère personnel), responsible for enforcement, authorisations, complaints handling, and cross-border transfer approvals. The authority was not yet operationally established as of mid-2026; ANTIC (National Agency for Information and Communication Technologies) continues to exercise interim oversight over digital/telecom services.
Data subjects hold rights to be informed, access, rectify, erase, restrict, object to, and port their data, mirroring GDPR. Uniquely, heirs may exercise access and update rights on behalf of deceased data subjects at the controller's expense.
Processing of special categories, including health, biometrics, genetics, racial/ethnic origin, religion, political/trade-union opinions, and criminal records, is prohibited without explicit consent or another legal basis. Controllers must conduct Data Protection Impact Assessments, maintain records of processing, and implement appropriate security measures.
Non-compliance can attract fines of up to 1 billion CFA francs (≈ USD 1.6 million) and criminal imprisonment for responsible executives. The law creates personal liability for senior officers of infringing organisations.
Timeline - major decisions & events
Cameroon's first standalone comprehensive data-protection statute was signed into law, establishing data-subject rights (consent, erasure, objection), prohibiting processing of sensitive categories (health, biometric, ethnic, political data), and creating the Personal Data Protection Authority (APC). Controllers and processors have until 23 June 2026 to comply.
Presidency of the Republic of Cameroon ↗The Cameroonian National Assembly voted to adopt Bill No. 2062 on Personal Data Protection, completing the legislative stage before presidential assent. The bill had been under deliberation since the May 2023 draft consultations.
African Law & Business ↗The African Union Convention on Cyber Security and Personal Data Protection (Malabo, 2014) entered into force after Mauritania became the 15th ratifying state. Cameroon had signed but not ratified, meaning it remains a persuasive regional benchmark rather than binding domestic law.
African Union ↗Cameroon's Ministry of Posts and Telecommunications published a draft data-protection law and accompanying implementation decree, opening formal stakeholder consultations and marking the restart of a legislative process that had stalled for years.
Paradigm Initiative ↗President Biya signed the decree formally proclaiming Cameroon's accession to the Council of Europe's Convention on Cybercrime (Budapest Convention), aligning Cameroon's international cooperation obligations on cybercrime and digital evidence with 60+ other states.
Council of Europe – Octopus Community ↗The decree reorganised the National Information and Communication Technology Agency (ANTIC), reaffirming it as the primary authority for ICT security, privacy enforcement, consumer protection, and the national Root Certification Authority, filling the regulatory gap left by the absence of a dedicated data-protection law.
ANTIC (National ICT Agency) ↗The Prime Minister's decree laid down detailed implementation rules for protecting consumers of electronic communications services, including data-retention obligations and confidentiality requirements, supplementing the 2010 electronic-communications law.
DataGuidance ↗Cameroon's foundational cybersecurity statute criminalised unauthorised access, data manipulation, identity theft, and interception of private communications. It imposed a 10-year connection-data retention obligation on operators and assigned ANTIC as national regulator, constituting the first meaningful legal protection for personal data in Cameroon.
Ministry of Posts and Telecommunications (Cameroon) ↗Cameroon - other topics
Data & Privacy in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →