Mobile Virtual Network Operators (MVNOs) are transforming connectivity across Africa by unlocking new markets, bridging coverage gaps, and driving competition without the capital intensity of traditional network ownership. Yet, this very structure introduces one of the continent’s most pressing governance challenges: how to manage privacy and data protection when the customer relationship and the physical network belong to different entities.
In markets where digital trust is fast becoming the currency of competitiveness, privacy is no longer a compliance checklist. For the modern MVNO, it is infrastructure—a structural condition for market entry, investment, and longevity.
Dual custodianship and shared accountability
Every MVNO operates in a complex ecosystem where data ownership and technical control are split.
- The Mobile Network Operator (MNO) owns the core and radio network.
- The MVNO owns the customer relationship, billing systems, and often, marketing data.
This creates a form of dual custodianship, where subscriber information—from call records to location data—flows continuously between parties. Without clearly defined governance and contractual boundaries, these flows risk contravening local and international privacy regimes.
In Africa, where regulators are tightening enforcement and cross-border data transfers are increasingly scrutinised, MVNOs must integrate privacy as a strategic and operational discipline from inception.
Regulatory landscape
GDPR and its global influence
The EU GDPR remains the international benchmark for lawful processing, consent, and accountability. It applies extraterritorially, meaning any MVNO serving or monitoring EU data subjects must comply.
The GDPR defines data-processing roles explicitly:
- The MVNO acts as a controller when it determines how and why customer data is processed (e.g., billing, marketing, analytics).
- The MNO often acts as a processor, handling the technical routing of communications.
- Where both determine purpose and means jointly, article 26 classifies them as joint controllers, requiring a written allocation of responsibilities.
The risk of misclassification is significant. Joint controllers share liability for non-compliance, and penalties can reach up to €20 million or 4% of global turnover.
South Africa’s POPIA
South Africa’s POPIA operationalises GDPR-like principles—lawfulness, minimality, and accountability—within a uniquely African legal context.
For MVNOs, POPIA introduces obligations such as:
- Condition 1 – Accountability: the MVNO must ensure that all processing, even when outsourced to an MNO or MVNE, complies with POPIA’s eight processing conditions.
- Condition 2 – Processing limitation: personal data may only be processed for specific, explicitly defined, and lawful purposes.
- Condition 7 – Security safeguards: operators must secure the integrity of personal information through technical and organisational measures proportionate to the risk.
Where MNOs and MVNOs jointly determine processing, a joint-responsibility agreement under section 72 (cross-border transfers) and section 21 (operators’ obligations) becomes essential. This agreement must explicitly allocate accountability, define breach procedures, and establish how data subjects’ rights will be honoured.
Nigeria’s NDPR: compliance through localisation
The Nigeria Data Protection Regulation (NDPR), issued by NITDA, requires that all data controllers and processors handling Nigerian data subjects’ information register with the Nigeria Data Protection Commission (NDPC) and submit annual audit reports.
MVNOs operating in Nigeria must:
- appoint a Data Protection Compliance Organisation (DPCO);
- ensure data localisation or demonstrate adequate safeguards for cross-border transfers;
- implement data subject consent mechanisms that are explicit, unbundled, and purpose-specific.
Because many Nigerian MVNOs rely on regional MNOs or cloud-hosted MVNEs, compliance often extends to infrastructure transparency, ensuring data centres and API endpoints are either in Nigeria or located in jurisdictions with “adequate” protection.
Kenya’s Data Protection Act (DPA): lawful processing in telecoms
Kenya’s Data Protection Act, 2019 mirrors GDPR principles while adding sectoral nuance through the Office of the Data Protection Commissioner (ODPC).
MVNOs licensed under the Communications Authority of Kenya must ensure that:
- processing is lawful, transparent, and for a legitimate purpose (section 25);
- explicit consent is obtained for marketing or profiling activities;
- data processors (including MNO partners and MVNEs) are contractually bound under section 42 to implement adequate safeguards;
- cross-border transfers are subject to prior authorisation by the ODPC (section 48).
Non-compliance may lead to administrative fines of up to KES 5 million or 1% of annual turnover, reinforcing the growing seriousness with which African regulators are treating telecom privacy.
Integrating privacy by design into MVNO operations
Across these jurisdictions, the common denominator is accountability. MVNOs must integrate privacy directly into their business and network architecture through:
- Secure API integration: ensuring encrypted data interchange between MVNO systems, MNO cores, and third-party MVNEs.
- Real-time consent orchestration: enabling subscribers to view, modify, and revoke consent digitally.
- Lawful cross-border governance: mapping and documenting all data transfers and ensuring contractual adequacy under POPIA, the NDPR, or the GDPR.
- Vendor management: conducting privacy impact assessments on MVNEs, MVNAs, and marketing partners.
- Incident readiness: establishing incident response playbooks consistent with regulatory notification timelines (e.g., POPIA section 22, GDPR article 33).
This holistic integration transforms compliance from reactive policy to proactive risk engineering.
The US layer: CCPA/CPRA and CPNI relevance
Although US privacy frameworks differ conceptually, their requirements increasingly influence global MVNO design.
- The CCPA/CPRA grant consumers opt-out rights and require transparent “Do Not Sell or Share” mechanisms.
- The FCC’s CPNI rules require strict tracking of customer consent before service data may be used for marketing.
African MVNOs partnering with global telecom groups or cloud vendors must account for these frameworks when US citizen data is processed, particularly in cross-border roaming, customer analytics, or OTT service integrations.
Data-sharing boundaries and liability
The data life cycle of an MVNO typically involves multiple actors: the MNO, MVNE, marketing partners, and sometimes analytics or payment providers.
To maintain legal clarity, contracts must:
- classify each entity as controller, joint controller, or processor;
- define security standards, audit rights, and indemnity clauses;
- set explicit breach-notification windows consistent with regional law.
In South Africa, this means aligning with POPIA section 22 (Security Compromises); in Nigeria, NDPR article 4.1(11); and under GDPR, article 33. The guiding principle is universal: no outsourcing of accountability.
eSIM and IoT: the new privacy frontiers
As Africa accelerates toward eSIM adoption and IoT-driven MVNO models, privacy risk multiplies.
- eSIM onboarding collapses identity verification, provisioning, and consent into a single digital moment—demanding airtight cryptographic and consent protocols.
- IoT MVNOs, managing millions of connected devices, must maintain continuous data integrity across borders and vendors.
These innovations position MVNOs not merely as telecom resellers but as data orchestration entities: intermediaries responsible for lawful, secure, and transparent information flows at scale.
From regulation to advantage: privacy as infrastructure
Privacy resilience is now a commercial differentiator. Investors, regulators, and enterprise clients assess MVNO maturity not only by market reach but by compliance posture.
By embedding privacy into the operational fabric—from BSS/OSS integration to partner contracts—MVNOs unlock:
- regulatory agility, enabling faster market licensing;
- cross-border credibility, attracting multinational clients;
- brand equity, where trust becomes measurable value.
In the African digital economy, the operators that design for privacy from day one will not merely comply; they will lead.
Key takeaways
| Focus area | Strategic imperative |
|---|---|
| Data-role clarity | Define controller and processor responsibilities under GDPR, POPIA, NDPR, and Kenya DPA. |
| Privacy by design | Integrate encryption, consent management, and minimisation into BSS/OSS. |
| Third-party risk | Regulate MVNEs, MVNAs, and cloud vendors through binding processor agreements. |
| Cross-border data governance | Align data transfers with local authorisation and adequacy requirements. |
| eSIM and IoT readiness | Embed security, identity verification, and consent in digital provisioning. |
| Trust as advantage | Use transparency and accountability as differentiators in saturated telecom markets. |
How ITLawCo can help
ITLawCo advises telecommunications providers, regulators, and technology ventures on designing and operationalising data protection and governance frameworks that meet global and African standards.
Our team supports:
- MVNO and MNO licensing compliance under POPIA, NDPR, Kenya DPA, and GDPR;
- Privacy-by-design system architecture, from onboarding and consent to incident response;
- Cross-border data-transfer assessments and adequacy documentation;
- Regulator-ready policies, Data Protection Impact Assessments (DPIAs), and joint-controller agreements;
- Strategic workshops for boards, management, and compliance teams on telecom-specific privacy governance.
We help organisations move beyond compliance, building the privacy foundations for sustainable, trusted digital infrastructure.




