Cameroon - Data Protection Overview
1. Governing Texts
The increased use of digital platforms requires the collection and storage of a wide range of personal data. Thus, some websites, commercial companies, public entities, health care establishments, banks, and others often hold valuable information in digital form, on their customers or users. Protecting such data has become a major regulatory and legislative concern in Cameroon.
In Cameroon, legal provisions on data protection are found in several laws. The approach toward regulating data protection is sector specific. However, Cameroon is preparing a privacy bill ('the Bill'), according to the competent services of the Ministry of Posts and Telecommunications. The drafting of the Bill is ongoing. The Bill will govern the collection, processing, transmitting, storage, and use of data.
The applicable laws mostly cover data relating to electronic communications meanwhile some other sectors of activity handle personal data daily.
International Conventions and Regulation
- the Universal Declaration of Human Rights of 10 December 1948; and
- the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')
African Union Legislation
- The African Charter on Human and Peoples' Rights of (1 June 1981); and
- The African Union Convention on Cyber Security and Personal Data Protection of (27 June 2014) ('the Malabo Convention'), was signed by Cameroon on 12 August 2021 (In Cameroon the ratification of the Convention is awaited).
The following legislation issued by the Central African Economic and Monetary Community ('CEMAC') is applicable:
- Regulation No. 21/08-UEAC-13-CM-18 of 19 December 2008 on the Harmonisation of Regulations and Regulatory Policies on Electronic Communications in CEMAC Member States ('the Regulation on Harmonisation in CEMAC Member States');
- Directive No. 07/08-UEAC-133-CM-18 of 19 December 2008 on the Legal Framework for the Protection of Users of Electronic Communications Networks and Services within CEMAC (only available in French here);
- Directive No. 09/08-UEAC-133-CM-18 of 19 December 2008 Harmonising the Legal Frameworks of Electronic Communications in the CEMAC Member States (only available in French here);
- Regulation No. 03/16-CEMAC-UMAC-CMAC-CM of 21 December 2016 on Systems, Means and Incidents of Payment (only available in French here) ('the CEMAC Payment Systems Regulation');
- Directive No. 02/19-UEAC-639-CM-18 of 08 April 2019 Harmonising the Protection of Consumers within CEMAC (only available in French here) ('the Directive Harmonising Consumer Protection within CEMAC'); and
- Regulation No. 01/20/CEMAC/UMAC/COBAC of 03 July 2020 on the Protection of Consumers of Banking Products and Services in CEMAC (only available in French here) ('the CEMAC Regulation on Financial Consumer Protection').
- Regulation No. 01/22/CEMAC/UMAC/CM/COSUMAF of July 21, 2022 on the organisation and functioning of the Central African financial market (‘The CEMAC Financial Market Regulation’)
Article 3 of the GDPR on the territorial scope extends its application to Cameroonian entities in any of the cases below:
- the GDPR applies the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the Union or not;
- the GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union; and
- the GDPR applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
In the preamble to the Constitution of the Republic of Cameroon, Law No. 96/6 of 18 January 1996 revising the Constitution of 02 June 1972, as amended and supplemented by Law No. 2008/001 of 14 April 2008 ('the Constitution'), it is stated that:
- the people of Cameroon affirm their attachment to the fundamental freedoms enshrined in the Universal Declaration of Human Rights 1945, the Charter of the United Nations 1945, the African Charter on Human and Peoples' Rights 1981, and all duly ratified international conventions relating thereto;
- freedom and security are guaranteed to every individual with due respect for the rights of others and the best interests of the State; and
- privacy of all correspondence is inviolable - no interference may be allowed except as provided in a judicial decision.
Data protection is, therefore, a right enshrined in the Constitution.
In addition, the following national laws are applicable:
- Law No. 2005/007 of 27 July 2005 on the Criminal Procedure Code (only available in French here);
- Law No. 2000/011 of 19 December 2000 on Copyrights and Neighbouring Rights (only available in French here);
- Law No. 2006/018 of 29 December 2006 to Regulate Advertising in Cameroon (only available in French here) ('the Advertising Law');
- Law No. 2010/013 of 21 December 2010 Regulating Electronic Communications in Cameroon (only available in French here) ('the Electronic Communications Law');
- Law No. 2010/012 of 21 December 2010 on Cybersecurity and Cybercrime in Cameroon (only available in French here) ('the Cybersecurity Law');
- Law No. 2010/021 of 21 December 2010 Regulating Electronic Commerce in Cameroon (only available in French here) ('the E-Commerce Law');
- Law No. 2011/012 of 06 May 2011 on Consumer Protection in Cameroon (only available in French here) ('the Consumer Protection Law');
- Law No. 2015/006 of 20 April 2015 Amending and Completing Some Provisions of Law No. 2010/013 of 21 December 2010 Regulating Electronic Communications in Cameroon (only available in French here);
- Law No. 2016/007 of 12 July 2016 on the Penal Code in Cameroon (only available in French here) ('the Penal Code');
- Law No. 2020/010 of 20 July 2020 to regulate statistical activity in Cameroon ('the Law on Statistics');
- Law No. 2022/006 of 27 April 2022 Regulating Banking Secrecy in Cameroon ('the Law on Banking Secrecy');
- Law No. 2022/002 of 27 April 2022 Authorising the President of the Republic to Accede to the Budapest Convention on Cybercrime;
- Decree No. 2022/169 of 23 May 2022 to accede to the Budapest Convention on Cybercrime, adopted on 23 November 2001 in Budapest (Hungary);
- Decree No. 2011/1521/PM of 15 July 2011 Laying down the Conditions of Application of Law No. 2010/021 of 21 December 2010 Regulating Electronic Commerce in Cameroon (only available in French here) ('the Regulating Electronic Commerce Decree');
- Decree No. 2012/1641/PM of 14 June 2012 Laying Down the Conditions for Number Portability of Subscribers' Numbers of Operators of Electronic Communications Networks Open to the Public (only available in French here) ('the Number Portability Decree');
- Decree No. 2012/203 of 20 April 2012 on the Organisation and Functioning of the Telecommunications Regulatory Board (only available in French here);
- Decree No. 2013/0399/PM of 27 February 2013 Laying Down the Rules for the Protection of Consumers of Electronic Communications Services (only available in French here) ('the E-Communications Consumer Protection Decree');
- Decree No. 2015/3759 of 3 September 2015 Laying Down the Identification Requirements for Subscribers and Terminal Equipment of Electronic Communication Networks (only available in French here) ('the Identification Requirements Law');
- Decree No. 2017/2580/ PM of 06 April 2017 Setting the Terms and Conditions for the Establishment or Operation of Electronic Communications Networks and Supplies of Electronic Communications Services subject to the Authorisation Regime; and
- Decree No. 2019/150 of 22 March 2019 on the Organisation and Functioning of the National Information and Communication Technology Agency (ANTIC) (only available in French here) ('the ANTIC Decree').
Banking sector and financial market
The following legislation applies:
- the Law on Banking Secrecy;
- the CEMAC Payment Systems Regulation;
- the CEMAC Regulation on Financial Consumer Protection;
- the Central African Banking Commission ('COBAC') Regulation No. R-2016/04 of 08 March 2016 on the Internal Control of Credit Establishments and Financial Holdings (only available in French here);
- Regulation No. 01/CEMAC/UMAC/CM of 11 April 2016 on the Prevention and Suppression of Money Laundering and the Financing of Terrorism and Proliferation in Central Africa (only available in French here) ('the Prevention and Suppression of Money Laundering and Financing of Terrorism Regulation');
- Instruction No. 001/GR/2021 of 09 February 2021 on Defining the Operating Modalities of the Central Payment Incident Unit (only available in French here).
Health and pharmaceuticals sector
In Cameroon, the health sector and the pharmaceutical industry is governed by various laws including:
- the Penal Code
- Law No. 90/36 of 10 August 1990 Organising Medical Practice (only available in French here) ('the Law on Medical Practice');
- Decree No. 83-166 of 12 April 1983 on the Code of Ethics of Medical Doctors (only available in French here) ('the Medical Code of Ethics');
- Law No. 2022/014 of 14 July 2022 relating to medically assisted reproduction in Cameroon ('the medically assisted reproduction law)';
- Decree No. 2013/093 of 03 April 2013 on the organisation of the Ministry of Public Health.
The telecommunications sector encompasses all the aspects of ICT and electronic communications. The relevant laws are:
- the Cybersecurity Law;
- the Electronic Communications Law;
- the E-Commerce Law;
- the Consumer Protection Law;
- the Identification Requirements Law;
- the E-Communications Consumer Protection Decree;
- the ANTIC Decree; and
- the Regulation on Harmonisation in CEMAC Member States.
The main regulator in the banking sector is the COBAC, established by the Convention of 16 October 1990 (only available in French here). COBAC has supervisory competence over credit institutions, monitoring their liquidity and solvency, in addition to noting and sanctioning breaches.
The Financial Market Supervisory Commission ('COSUMAF') was established by the Financial Market Regulation.
Health & pharma
The Doctors Council ensures that the principles of morality and dedication relevant to the practice of a medical doctor are respected and that the rules laid down in the Medical Code of Ethics are complied with.
The main regulator is the National Information and Communication Technology Agency ('ANTIC') established by the ANTIC Decree. Its missions include:
- ensuring the ethical use of ICT, consumer protection, and privacy; and
- regulating, controlling, and monitoring activities relating to the security of information systems and electronic communications networks, as well as electronic certifications.
In addition, the Telecommunications Regulatory Agency ('ART') supervises and regulates the activities of telecommunications operators.
1.3. Case law
In Cameroon, infringements of image rights have led to:
YOMBA Madeleine v. Les Brasseries du Cameroun and the case of Mrs. MFOPA MAMA born NTOUO SABIATOU v. Société NESTLE Cameroun S.A and Société Océan Central Africa SA
In both cases, an individual photo was unlawfully used for advertising purposes without the individual's consent, constituting a violation of the individual's image right.
Mrs. MBOCK Frankline Junior v. Les Films TERRE AFRICAINE and Les Brasseries du Cameroun
In this case, a contract for the use of an individual's image within a specific period of two years was infringed, as the broadcasting of the advertising spot went beyond the agreed term. That constituted a violation of the individual's image rights. The final judgment ruled that mere evidence of the invasion of one's privacy gives rise to compensation and that there is, therefore, no need to establish that the claimant suffered damage.
2. Scope of Application
In Cameroon, data protection laws apply to identifiable natural persons.
National data protection laws apply to facts governed by national laws. The CEMAC laws apply to the facts that they specifically cover.
In Cameroon, the protection of personal data is governed by several national and community laws. As far as electronic communications are concerned, specific laws govern the collection of personal data by operators and of electronic communications networks service providers.
As such, the information covered by these laws is as follows:
- Prohibition to collect sensitive data: Article 28 of the CEMAC Regulation on Financial Consumer Protection provides: '[...] it is prohibited for reporting institutions to collect, store, process or disseminate sensitive consumer data.'
3.1. Main regulator for data protection
An Authority dedicated to data protection has not yet been appointed.
However, the ANTIC ensures, on behalf of the State, the regulation, control, and monitoring of activities related to the security of information systems and electronic communications networks. It also assists in the identification of cybercriminals.
In addition, the ANTIC Cyber Incident Response and Warning Centre ('CIRT') is responsible for preventing cyberattacks. The ANTIC CIRT provides a comprehensive report of the criminal activity to the Judicial Police Authority previously referred to by the victim.
3.2. Main powers, duties and responsibilities
The ANTIC has the power to:
- ensure the ethical use of ICT and the protection of intellectual property, consumers, public morals, and privacy;
- monitor, detect, and provide information on computer risks and the actions of cybercriminals;
- establish material facts in the commission of cybercrime, that can only be revealed through systematic, unannounced, and pluralist checks carried out by professionals in the sector, by judicial police officers, and duly commissioned agents; and
- commit its sworn agents who may, as a result, gain access to premises, land, or means of transport for professional use, request communication of any professional document and take copies of it, and collect information.
4. Key Definitions
Personal data: Any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural, or social identity (Article 2 of the Directive Harmonising Consumer Protection within CEMAC). Thus, personal data can be considered as the full name, social security number, national identity card number, passport number, account number, date and place of birth, physical address and email, telephone number, bank card number, biometric data such as fingerprints and DNA, etc.
Sensitive data: Religious opinions or activities, political opinions, trade union membership, data concerning sex life, genetic and biometric information, health data are referred to as sensitive data (Article 28 of the CEMAC Regulation on Financial Consumer Protection).
Pseudonymisation: is defined as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Data subject: A data subject is an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural, or social identity (Article 2 of the Directive Harmonising Consumer Protection within CEMAC).
Data processing: Any operation or set of operations, whether or not carried out by automatic means and applied to personal data, such as the collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, distribution or otherwise making available, alignment or interconnection, blocking, erasure or destruction of personal data (Article 2 of the Directive Harmonising Consumer Protection within CEMAC).
Direct marketing: The sending of any message intended to promote, directly or indirectly, goods, services or the image of a person selling goods or providing services (Article 7(2) of the E-Commerce Law).
Electronic communication: Emission, transmission, or reception of signs, signals, writings, images, or sounds, by electromagnetic means (Article 4(22) of the Cybersecurity Law).
Cybercrime: All offences committed through cyberspace by means other than those usually used, for criminal purpose (Article 4(32) of the Cybersecurity Law).
5. Legal Bases
Consent is a described as a prerequisite in several laws governing the collection and processing of personal data in Cameroon.
Section 44(1) of the Cybersecurity Law provides that it is prohibited for any natural person or legal entity to listen, intercept, store communications and related traffic data, or subject them to any other means of interception or surveillance, without the consent of the users concerned, except where such person is legally authorised to do so.
In addition, Section 3 of the Regulating Electronic Commerce Decree provides that persons engaged in electronic commerce and established in a third country must specify the applicable law and obtain the consent of the recipient of the proposed service.
Moreover, Section 7 of the E-Commerce Law provides that prior consent is necessary for direct marketing using an automatic calling machine, fax or e-mail using, in any form whatsoever, the contact details of a natural or legal person.
Further, Section 60 of the Advertising Law makes it clear that anyone who knowingly causes the dissemination of an advertisement containing references or other declarations emanating from an identified individual, firm, or institution, without the authorisation of the interested parties or their proxies, or without the permission of the authorised party exhibiting the image, first name, surname, or pseudonym of an identifiable individual, shall be liable to the punishment provided under the Penal Code.
Obtaining the consent of the data subject to the processing of personal data for one or more specific purposes, is a key element to assessing the lawfulness of the data processing.
Also, for the processing to remain lawful, data controllers who rely on a third party, the data processor, to process the personal data collected (for cloud storage or analytics software for example), must sign a processing agreement between to ensure the protection of the personal data.
The relevant laws provide for a set of obligations for the data controller, including the following:
- to give the subscriber the possibility to obtain, free of charge, communication of identifying information concerning them and the rectification, clarification, or updating of such information;
- to guarantee the right to confidentiality and respect for correspondence and the right to security of the information on their networks;
- to take appropriate measures to ensure the protection, integrity, and confidentiality of the identification data they hold or process; and
- to take technical measures to protect identification data against accidental or illicit destruction, accidental loss, alteration, dissemination, unauthorised access, interception, even during the transfer of data in their networks.
See section on data subject rights below.
Data processing considered to be in the public interest helps with:
- fraud prevention;
- network and information security; and
- indicating possible criminal acts or threats to public security.
'Legitimate interests' can cover a wide range of interests, whether of the company, third parties, for commercial or for wider societal reasons, like marketing reasons, fraud prevention, intra-group data transfers, and IT security.
Legitimate interests are most appropriate where companies use personal data in a way that the data subject can reasonably expect, and more specifically in compliance with the applicable legal provisions.
From the various laws that apply to data protection, it is established that data protection must be based on various principles, such as:
- the principle of the confidentiality of communications transmitted and data relating to traffic on communication networks;
- the principle of keeping the connection and traffic data for a period not exceeding ten years; and
- the principle that data can be rectified, modified, or updated at any time by the data subject.
7. Controller and Processor Obligations
Based on the extension of the territorial scope of Article 3 of the GDPR, the rules on notification here apply to companies established outside the European Union that process data relating to the activities of EU entities or EU data subjects.
Parties involved in the data processing must make sure they consider the data localisation and data transfer requirements applicable in Cameroon.
As far as electronic communications are concerned, Cameroon law provides that the relevant data must be available in the device/system present on the Cameroonian territory on which it was generated.
In case of judicial proceedings in Cameroon, the data should remain available to the investigators for at most ten years.
For banking institutions, when a licensed CEMAC bank partners with a foreign financial institution, the bank should store the transactional data in their facilities for ten years and make them available for any control at the initiative of the COBAC. Such control can also be extended to the records on data transfers.
Regarding data retention, Section 25(1) of the Cybersecurity Law provides that network operators and electronic communications service providers are required to retain data on connections and traffic for ten years.
Regarding the storage of personal data, Article 10 of the CEMAC Payment Systems Regulation provides that, when opening an account, the customer must provide their personal data.
Article 218 of the CEMAC Payment Systems Regulations adds that the Bank of Central African States ('the Central Bank') shall take all appropriate precautions to prevent the personal data recorded from being distorted, damaged, or accessed by unauthorised third parties.
Furthermore, the CEMAC Regulation on Financial Consumer Protection requires credit institutions to record, collect, process, store, and share consumer personal data in a lawful, fair, and non-fraudulent manner. However, credit institutions are prohibited from collecting, storing, processing, and disseminating sensitive consumer data.
Financial market data must be kept for a specified period of ten years. Persons handling such data have an obligation of confidentiality, and disclosure is subject to prior authorisation by the competent authority. Any offender shall be liable to penalties, including imprisonment, as provided by Article 38 of the Prevention and Suppression of Money Laundering and Financing of Terrorism Regulation.
Health and pharmaceuticals sector
Patient data is stored at several levels. Within each healthcare establishment, patient-doctor communications are privileged and confidential.
The recording and storage of data related to a medically assisted reproduction process is mandatory. In addition, whoever is involved in a medically assisted reproduction process shall be bound by the obligations of confidentiality (Articles 9 and 10 of the medically assisted reproduction law).
Article 16 of the Convention on the Rights of Children provides that no child shall be subjected to arbitrary or unlawful interference with their privacy, family, home or correspondence, nor to unlawful attacks upon their honour and reputation. The child is entitled to the protection of the law against such interference or attacks.
The African Charter on the Rights and Welfare of the Child (1990) and national legislation also specifically protect children.
The national legislation includes:
- the Constitution;
- the Civil Code of Cameroon (only available in French here);
- the Penal Code; and
- the Cybersecurity Law.
Sections 80 to 82 of the Cybersecurity Law provide for imprisonment and fine as penalties against any person who commits or attempts to commit an indecent assault on a minor by electronic means. The dissemination of images and information of a sexual nature on minors is also severely punished.
In addition, in his message of 10 February 2023 to celebrate the 57th edition of the National Youth Day, the Head of State announced that a Charter to ensure the protection of children on the Internet in Cameroon is being drafted.
8. Data Subject Rights
Article 4(1) of the E-Communications Consumer Protection Decree provides that a consumer of electronic communications services has, notably, the right to [...] information from the operator or service providers.
Article 30 of the CEMAC Regulation on Financial Consumer Protection provides that where personal data has been collected from the consumer, the reporting institution shall be required to […] communicate to the consumer the purposes of the processing and the identity of the possible receivers of the personal data.
Article 4(2) of the E-Communications Consumer Protection Decree provides that the consumer of electronic communications services] is also entitled to [...] access to electronic communications services, with standards of quality and regularity inherent in its nature, throughout the national territory.
Article 20 of the Identification requirements Law provides that subscribers have the right to obtain, free of charge, the communication of their identification information and require this data to be the rectified, or updated.
Article 30 of the CEMAC Regulation on Financial Consumer Protection provides that where personal data has been collected from the consumer, the reporting institution shall be required to […] communicate to the consumer the purposes of the processing and the identity of the possible receivers of the personal data, [and to] inform the consumer of their right to rectification and erasure.
Article 4(2) of the E-Communications Consumer Protection Decree provides that the consumer of electronic communications services] is also entitled to the right […] to the service provider's responses to his complaints; [and to] compensation for damages arising from the violation of their rights.
Article 2 of the Number Portability Decree requires the operators to preserve the subscriber’s right to maintain the same phone number when he changes the operator.
Article 30 of the CEMAC Regulation on Financial Consumer Protection provides that the reporting institution is required to obtain the prior consent of each consumer before transmitting his data to third parties, except for credit information offices and any person to whom banking secrecy is not enforceable.
In the banking sector, the sanction for a violation of banking secrecy is provided by Article 26 of the Law on Banking Secrecy. Anyone who violates banking secrecy shall be punished by imprisonment for a term of three months to three years and/or a fine of XAF 1 million (approx. €1,520) to 10 million (approx. €15,160). If the offence is committed through the press or a computer network, the penalties shall be doubled.
The Penal Code punishes the offences of insider trading and interference with the financial market.
According to Section 135(1) of the Penal Code, commits insider trading:
- a commercial or industrial company manager, or a natural person, who, by reason of their duties or professions, has insider information on the situation or prospects of the issuer of stocks and shares whose transferrable securities are on the market, and performs or knowingly helps to perform, either directly or indirectly, transactions before public disclosure of such information, with the objective of obtaining an undue profit;
- a natural person who, in the course of their duties or profession, has access to privileged information on the situation or prospects of the issuer of stocks and shares whose transferrable securities are on the market, and who beyond the scope of their ordinary duties of profession, transmits the information to a third party with a view to obtaining an undue profit; and
- a natural person who, in the exercise of their profession or duties, possesses privileged information that is considered confidential, relating to the implementation of a project by the State, regional, and local authority or any other public corporate body, and uses the information to their advantage or that of a third party so as to delay the envisioned project or to include additional costs.
Insider trading shall be punished with imprisonment for a term of six months to two years and with a fine of XAF 1 million (approx. €1,520) to XAF 10 million (approx. €15,160).
Interference with the financial market
According to Section 135(2) of the Penal Code, commits interference with the financial market any natural person or corporate body who:
- rigs the functioning of the market;
- gives undue advantage to persons who would not have had it under normal market conditions
- violates the right to equal information and treatment of investors or their interest;
- allows issuers and investors to engage in practices contrary to their obligations
- habitually provides investment services to third parties without authorisation; and
- carries out negotiations or transactions other than those provided for by the regulations in force on securities listed on the stock market without referring to an investment service provider.
In the above cases, financial market interference shall be punished with fine of XAF 500,000 (approx. €760) to XAF 5 million (approx. €7,600).
Moreover, commits interference with the financial market any natural person or corporate body who knowingly propagates false or deceptive information on the situation or prospects of an issuer whose securities are on the market such as to influence the prices, or interfere or attempt to interfere, in any manner, with the proper functioning of the market. In such cases, financial market intereference shall be punished with imprisonment for six months to two years or with fine of XAF 1 million (approx. €1,520) to XAF 10 million (approx. €15,160) or with both such imprisonment and fine.
Health and pharmaceuticals sector
Article 310 of the Penal Code provides that whoever without permission from the person interested in secrecy reveals any confidential fact which has come to their knowledge or which has been confided to them solely by reason of their profession or duties, shall be punished with imprisonment from three months to three years and a fine from XAF 20,000 (approx. €30) to XAF 200,000 (approx. €300).
In addition, Article 48 of the Law on Medical Practice provides for a reprimand, suspension of activity ranging from three months to one year depending on the seriousness of the fault committed, and removal from the roll of the Doctors Council.
Where an amicable settlement between the concerned parties cannot be reached, the parties should refer to ANTIC. If the decision rendered by ANTIC is not satisfactory, parties can then seek relief before the courts.
Article 61 et seq. of the Cybersecurity Law provides for a number of sanctions in case of data violations. In addition, Article 74 of the Cybersecurity Law provides for a term of imprisonment of one to two years and a fine of XAF 1 million (approx. €1,520) to 5 million (approx. €7,620) to whoever interferes with the privacy of others by fixing, recording, or transmitting, without the consent of the author, electronic data of a private or confidential nature.
In 2019, the Telecommunications Regulatory Board ('ART') sanctioned telecommunications operators in Cameroon for failure to handle the identification process for subscribers and users of terminal equipment in electronic communications networks. On 1 November 2022, the Director General of the ART served a warning through formal notice to the four telecom operators in Cameroon, to improve on the quality of the coverage and performance of their networks.