What is AI regulation in Burkina Faso?
AI regulation: countries and regions
Burkina Faso has no dedicated AI law publicly identifiable in the official sources reviewed, and no standalone AI regulator is publicly identifiable either. AI is governed mainly through the 2021 personal data protection law, which empowers the Commission de l'informatique et des libertes, plus broader digital policy. That law matters for AI because it covers automated decision making, requires transparency where AI is used, and subjects some predictive, biometric and cross-border processing to prior review or authorisation.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Burkina Faso does not yet have an AI Act in the way some jurisdictions do. The main hard-law layer for AI is the personal data protection law, Loi N 001-2021/AN. It is relevant whenever an AI system uses personal data, supports profiling, handles biometrics, connects multiple files, helps make decisions about people, or sends data abroad. The CIL is the control authority for that law.
That makes Burkina Faso a data protection-led AI jurisdiction at present. The law gives people rights to know and contest the reasoning used against them, says AI-related criteria and data must be indicated where AI is involved, and prevents administrative or private decisions about human behaviour from resting only on automated profiling.
Alongside that legal base, the government is building policy architecture for AI through the ministry responsible for digital transition, its Secretariat permanent de l'innovation et de la veille sur les technologies emergentes du numerique, SPIVTEN, a revised national digital strategy, and the Horizon 2030 digital roadmap. Official sources show active planning for AI governance and capacity building, but not a clearly enacted AI-only framework as at 7 June 2026.
Why it matters
If you build, buy or deploy AI in Burkina Faso, the practical question is usually not "is there an AI Act?" but "what personal data, profiling, biometric, interconnection, public sector, or cross-border transfer rules does this system trigger?" That affects product design, vendor contracts, hosting choices, user notices, human review, challenge rights and launch timing.
The stakes rise quickly for higher-risk uses. Predictive scoring, biometric tools, systems linked to national identity data, health research uses, and foreign cloud hosting can all pull you into prior authorisation or control requirements. So the absence of a dedicated AI Act does not mean a free pass.
How it works
No dedicated AI act yet
Official public materials point to policy work, planning and future regulation, not to an enacted AI-only statute. The ministry has described AI action-plan work, Parliament has discussed AI governance, and the Horizon 2030 roadmap contains an AI-specific chantier. That is meaningful, but it is not the same thing as a dedicated AI law already in force.
The 2021 personal data law does most of the legal work
Loi N 001-2021/AN is the main binding text to start with. It replaced the 2004 data protection law and applies to automated and non-automated personal data processing. It requires proactive information to data subjects, gives rights of access, rectification, opposition and erasure, and includes AI-specific transparency language: when processing uses AI, the criteria and the nature of the personal data supporting that processing must be indicated from the point of collection. The same law also says an administrative or private decision involving an appraisal of human behaviour cannot have as its sole basis automated processing that defines the person's profile or personality.
The law is especially important for AI systems that go beyond ordinary low-risk processing. Prior authorisation by the control authority is required for several categories, including private-sector biometric processing, some health-research uses, interconnection of files, use of a national identification number or similar identifier, transfers to a foreign country, and decision-support processing that appraises human behaviour, defines a profile or personality, or relies on predictive AI techniques.
CIL is the main control authority for personal data
The law creates the CIL as the control authority and describes it as an independent administrative authority with administrative and management autonomy. It has regulatory and sanctioning functions. It can inspect processing, issue recommendations, receive complaints, assist data subjects, warn controllers, and escalate serious infringements. The law also gives it administrative sanction powers, including injunctions, locking certain data, withdrawal of authorisation and fines. Depending on the breach, those fines can reach 100 million CFA francs.
In practice, that makes the CIL the most important institution for AI uses that process personal data. There is no separate AI regulator publicly identified in the official sources reviewed. If your use case is data-heavy, personalised, biometric, predictive or cross-border, CIL-facing compliance should be assumed early.
National digital policy is moving towards AI governance
Burkina Faso's broader digital policy base includes the Strategie nationale de developpement de l'economie numerique, adopted in 2018, and newer Horizon 2030 materials from the ministry. Official ministry materials say the national digital strategy was under revision and that AI was being given a stronger place within it. Official parliamentary material also describes SPIVTEN as coordinating the national AI effort. In August 2025, the ministry opened a national workshop to elaborate a national AI action plan. The Horizon 2030 roadmap includes chantier 11, "L'IA au service de tous les Burkinabe", which presents ambitions such as training local experts, building a sovereign AI ecosystem and supporting AI start-ups.
The important boundary is this: these documents show direction and projected milestones. They do not by themselves create an AI Act. They are best read as policy architecture and government intent.
West African and African Union context shapes direction
Burkina Faso has said it contributed in 2024 to subregional work on data governance and the ethical use of AI. At continental level, the African Union's Continental Artificial Intelligence Strategy, endorsed in July 2024, calls for national approaches that are ethical, responsible and inclusive. That regional context matters for strategy and standard-setting.
For day-to-day compliance, though, the binding anchor remains domestic law. In Burkina Faso today, that means starting with the personal data law, the CIL, and any adjacent public-sector, cyber, telecoms or identification rules that your use case engages.
Examples
A private lender wants to use an AI scoring tool to rank applicants based on repayment-risk signals drawn from personal data. In Burkina Faso, that is not just a product question. If the tool supports a private decision by profiling behaviour or personality, or uses predictive AI for decision support, it falls into the law's prior-authorisation zone. The final decision should not rest only on automated profiling.
A private employer or university wants facial recognition for attendance control. Because the 2021 law subjects private-sector biometric processing to prior authorisation, deployment should not begin on the assumption that normal notice alone is enough. If the tool is linked to other files or official identifiers, the compliance burden becomes heavier.
A SaaS provider wants to run a customer support chatbot or analytics stack from infrastructure outside Burkina Faso using Burkinabe personal data. Before that transfer, the controller must obtain prior authorisation, verify an adequate level of protection, include confidentiality and data reversibility clauses with the foreign counterparty, and implement technical and organisational security measures.
Common misunderstandings
"Burkina Faso already has an AI Act." No. The official sources reviewed show policy work and roadmaps, but not a dedicated AI-only law in force.
"If there is no AI Act, AI is basically unregulated." Not true. The personal data law already reaches many AI deployments, especially profiling, biometrics, interconnection, public-sector processing and foreign transfers.
"Only AI developers need to care." Not true. Buyers, deployers, employers, lenders, schools, public bodies and outsourced vendors can all trigger duties if they use AI with personal data.
"A disclosure notice is enough for automated scoring." Not always. The law also restricts decisions about human behaviour that rest solely on automated profiling and gives people a right to know and contest the reasoning used against them.
"The AU AI strategy automatically becomes Burkina Faso law." No. It shapes policy direction, but domestic obligations still depend on Burkinabe law and institutions.
Risks and boundaries
This is a thin jurisdictional picture, and it is important not to overstate it. I found strong official evidence of AI policy activity, official roadmaps and ministerial statements, but I did not identify a dedicated AI statute, a dedicated AI regulator, or a clearly published standalone national AI strategy that had already been officially validated and published by 7 June 2026.
That means most real compliance analysis still turns on general data protection law and on the facts of the use case. Sector-specific rules may also matter, especially in public administration, telecommunications, cybersecurity, identification systems, access to public information and procurement. The position could change if Burkina Faso validates the projected AI strategy or action plan, or adopts new digital-sector legislation.
What to do next
Start with a use-case inventory, not with AI marketing labels. Identify where your system uses personal data, biometrics, health data, national identifiers, file interconnection, behavioural scoring or foreign hosting. Then decide whether the use sits in the ordinary declaration bucket or in a prior-authorisation bucket.
Build governance into deployment from the start. Give clear notice, document the logic and inputs used, keep a route for challenge and correction, and do not let decisions about human behaviour rest only on automated profiling. Put transfer, confidentiality, reversibility and security terms into vendor contracts. Finally, keep watching ministry and CIL publications, because Burkina Faso's AI policy architecture is still moving.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Burkina Faso have a dedicated AI law?
No dedicated AI law was publicly identifiable in the official sources reviewed. The main binding rules today come from personal data protection law and adjacent digital governance texts.
Who is the main regulator to watch?
For AI uses involving personal data, the main authority is the CIL. I did not identify a standalone AI regulator in official public sources.
When does prior authorisation matter?
It matters for several higher-scrutiny categories, including private-sector biometric processing, some health-research processing, interconnection of files, use of national identifiers, some predictive AI decision-support processing, and foreign data transfers.
Can a company rely only on automated scoring to make decisions about people?
Not where the decision involves an appraisal of human behaviour and rests solely on automated profiling. The law requires more than blind automation.
Does Burkina Faso have a national AI strategy?
Official sources show work on an AI action plan and a Horizon 2030 AI roadmap. I did not identify a clearly published standalone national AI strategy already officially validated and published by 7 June 2026.
Does the CIL only matter for tech companies?
No. Any organisation using AI with personal data may need to deal with the law and, depending on the use case, with the CIL.
What if AI data is hosted abroad?
Cross-border transfer rules apply. Prior authorisation, adequate protection, contractual safeguards, reversibility terms and security controls should all be considered before transfer.