At the 2026 NADPA-RAPDP Conference in Abidjan on May 15–16, Nigeria's Data Protection Commission (NDPC) signed two Memorandums of Understanding — one with Morocco's CNDP, one with The Gambia Information Commission — establishing frameworks for mutual legal assistance, information sharing, and cross-border enforcement of data protection laws. NDPC National Commissioner Vincent Olatunji framed the agreements as steps to "strengthen trust, regulatory coordination and investor confidence within Africa's digital economy." The stated targets are concrete: privacy violations in multinational tech cases, cross-border cyber fraud, and oversight of fintech, cloud, and e-commerce platforms operating across multiple African markets.
It is tempting to file this under diplomatic boilerplate. That would be a mistake. These two modest bilateral pacts are a more honest answer to Africa's data-governance problem than the grand continental instrument that was supposed to solve it.
The case for harmonization is real
Start with the strongest version of the regulators' argument, because it is a good one. A fintech in Lagos, a cloud provider in Casablanca, and an e-commerce platform serving Banjul increasingly move the same users' data across the same borders — but each jurisdiction's enforcer can only reach inside its own. A multinational that mishandles Nigerian and Gambian data can stonewall a single regulator with limited investigative reach, then relocate processing to whichever market asks the fewest questions. Without mutual legal assistance and information-sharing channels, "cross-border enforcement" is a contradiction in terms. The platforms are continental; the watchdogs are national. That asymmetry is exactly what bilateral cooperation is built to close, and dismissing it would be strawmanning a genuine gap.
Nigeria has the enforcement record to make the point credible. In a 38-month joint investigation by the Federal Competition and Consumer Protection Commission and the NDPC, a tribunal on April 25, 2025 upheld a $220 million penalty against Meta and WhatsApp for data and consumer-protection violations against Nigerian users (FCCPC). That case showed both Nigeria's willingness to act against the largest platforms and the limits of going it alone — the conduct at issue spanned far more than one country.
Why the continental route stalled
The African Union's answer was supposed to be the Malabo Convention, adopted in 2014 to give the continent a common cybersecurity and personal-data framework. It took until June 8, 2023 to enter into force, after the fifteenth ratification, and as of mid-2024 only sixteen of the AU's 55 member states had ratified it (Malabo Convention). A treaty binding under a third of the continent a decade after adoption is not a harmonization engine; it is a statement of intent. Meanwhile the underlying reality moved fast: more than 35 African countries now have data-protection legislation, up from fewer than 15 a decade ago (Ecofin Agency). The laws multiplied; the connective tissue between regulators did not.
This is where the bilateral approach earns its keep. The Network of African Data Protection Authorities — 19 member authorities working on a harmonized framework (Smart Africa) — provides the forum, but the MoUs do the load-bearing work. Two regulators agreeing on how to share evidence and coordinate cases can be operational in months, not the decade a treaty consumes. It is governance by accretion: build the network link by link, and let working bilateral channels become the template others copy.
Lessons from ASEAN — and a warning
This is the model Southeast Asia chose. ASEAN did not wait for a binding regional privacy treaty; it shipped interoperable, opt-in tools — Model Contractual Clauses and a Data Management Framework — that let data flow across members under predictable terms without forcing identical statutes. The lesson for Nigeria's emerging network is that interoperability beats uniformity. The goal should be making compliant cross-border transfers easier and bad actors easier to pursue — not erecting adequacy walls that cut Africa's own markets off from each other and from the global cloud infrastructure that African startups depend on.
That caveat matters because enforcement cooperation cuts both ways. Channels built to chase cyber fraud and platform abuse can, without guardrails, become channels for sharing citizen data between governments with uneven rights records. Civil-society groups have warned repeatedly against normalizing cross-border data access absent strong legal limits (EFF). The proportionate path is narrow and worth holding: scope mutual legal assistance to defined regulatory and fraud cases, require judicial or independent oversight for data sharing, and publish what gets exchanged. Cooperation aimed at platforms is healthy; cooperation that quietly pools surveillance is not.
The bottom line
Nigeria's two MoUs will not by themselves harmonize African data governance. But they point in the right direction: bottom-up, interoperable, and fast, rather than top-down, uniform, and stalled. For a continent whose digital single market under the AfCFTA depends on data moving with both freedom and trust, a working bilateral link beats an unratified treaty every time — provided the architects keep the focus on enabling flows and pursuing genuine wrongdoers, not on building new walls or new surveillance pipes.