The Gambia is transiting into a digital economy. Necessary infrastructures are in place amidst a technology-neutral license regime with highly developed banking sector with modern infrastructure, such as online and mobile banking. It is expected that online and mobile applications will be rapidly developed even further to offer solutions to local needs and demand that can become relevant in the whole region. Services/business will rely more and more on automated data processing and the usage of social media platforms, online services will probably further expand.

Unfortunately, as has been the trend throughout the world, the development of information and communication technologies has been going hand in hand with the rise of cybercrime and cyber-related crimes in the country. These are to be considered a threat to fundamental rights, including the right to private life. On the other hand, providing protection to individuals in the digital age, while ensuring an uninterrupted flow of data across borders, is seen as a crucial factor for the inclusive growth of the country.
Recent developments in the ICT and other sectors in Gambia have led to the recognition of privacy as a fundamental human right, making protection of personal data a key pillar for human dignity.
In 2019, the government of the Gambia adopted the Data Protection and Privacy Policy (the Policy), prepared also in consultation with the Council of Europe, setting the foundations of institutional and legal framework for data protection and privacy.

Building on the already made progress, the Government of the Gambia started to prepare a modern data protection legal framework, which could allow the country to also consider accession to Convention 108+ of the Council of Europe. To this extent, the Ministry of Information & Communication Infrastructure has been leading the legislative drafting initiative since 2020. With the support of the Global Action on Cybercrime Extended (GLACY+) Project, joint initiative of the Council of Europe and the European Union and Data Protection Unit of the Council of Europe, in December 2020 the process of drafting the first data protection bill of the Gambia was finalized. The respective bill later on followed the national legislative process.
While in preparation to table the Bill to the Parliament, the Gambian authorities are seeking to understand how to better set up the new data protection authority and also to regulate on short term (before the authority is fully functional) the supervision of the data protection regime by an existing entity (e.g. the case of Gambia Competition and Consumer Protection Commission – GCCPC). One option contemplated by the Gambian authorities is to incorporate the Data Protection and Privacy Agency mandates with the Access to Information Commission as one entity. This is following the Ghanaian model (Data Protection Agency with Right To Information Commission).

Council of Europe’s support is requested in reviewing the national existing and envisaged legal framework to understand if the envisaged option (i.e., incorporation of the Data Protection and Privacy Agency with the Access to Information Commission as one entity) to establish whether this is necessary or not (feasibility) while taking into context is ensuring still compliance with the international standards in terms of roles, responsibilities, and functions of the data protection authority, including its independence and avoidance of conflict of functions of both entities or avoiding excessive powers to one entity beyond reasonable doubt.
In December 2021, the Gambian Ministry of Information & Communication Infrastructure reached back to Council of Europe seeking for support in reviewing the national existing and envisaged legal framework to understand if the envisaged option (i.e., incorporation of the Data Protection and Privacy Agency with the Right to Information Commission as one entity) is ensuring still compliance with the international standards in terms of roles, responsibilities and functions of the data protection authority, including its independence and avoidance of conflict of functions.

This activity is carried out under result 1.3.7 of the GLACY+ project that consists in “review and provide advice on the strengthening of legislation on emerging cybercrime threats and issues”.
The Council of Europe will contract two international experts, who will undertake producing a desk study in coordination with members of the subcommittee mandated to evaluate the options regarding the data protection authority. The Subcommittee is comprising the representatives of:

•    Ministry of Information & Communication Infrastructure
•    Competition and Consumer Protection Commission (GCCPC)
•    Gambia Cybersecurity Alliance (GCSA)
•    Gambia Bar Association
•    Financial Intelligence Unit (FIU)
•    Gambia Police Force (GPF)

The desk study will scrutinize the two legal frameworks (Data Protection and Privacy Bill and Right Access to information Act) and suggest recommendations to the Gambian subcommittee with respect to the feasibility of merging the two authorities.

Additionally, the desk study will include examples of various models of setting up and functioning of data protection authorities and right to access authorities, with emphasis on the Ghanaian model that the Gambia would be interested to adopt, commenting on whether it is the necessary possibility for the Gambia to adopt such model, considering the national legal framework.

In the second phase, the Council of Europe will organize one validation workshop with the Gambian counterparts including stakeholders from public, private and civil society, led by the international experts in charge of the desk study, expected to provide feedback with respect to the proposals and recommendations of the international experts. The representatives of the Ministry of Information & Communication Infrastructure will contact the necessary institutions and organisations and communicate the confirmed list of participants for the workshop. 

It is expected that by the end of this activity the Gambian counterparts will receive recommendations on how to better structure and place in the overall administrative national chart including a Validated Report - the soon to be set up data protection authority. This final step will allow the tabling of the data protection bill with the Parliament in March 2022.

A desk study by international experts that will examine the two legal frameworks (the Data Protection and Privacy Act and the Right of Access to Information Act) and make recommendations to the Gambian subcommittee on the feasibility of merging the two authorities. This desk study will also include examples of various models of setting up and operating data protection authorities and right of access authorities, with a focus on the Ghanaian model which The Gambia would be interested in adopting, commenting on the necessary feasibility of The Gambia adopting this model, given the national legal framework.

  • On 8 February 2022, to supplement the desk study, a workshop was organised with representatives of supervisory authorities from countries having the different models: France, Germany, Tunisia. Support to the Gambia in setting up supervisory authorities
  • On 22 February 2022, a validation workshop enabled representatives from governmental bodies, ministries, public and private sector and civil society of the Gambia to discuss with the Council of Europe’s experts the recommendations and conclusions of a desk analysis on options to set up a Data Protection and Privacy Agency as a stand-alone body or of a body merged with the Access to Information Commission, as well as examples of models of setting up and functioning of authorities from various countries. Further steps towards a data protection authority in the Gambia