What is AI regulation in Senegal?
AI regulation: countries and regions
Senegal does not yet have a dedicated AI law. Today, AI is regulated mainly through the 2008 personal data protection law, enforced by the Commission de Protection des Donnees Personnelles, or CDP, plus the 2025 New Deal Technologique. In practice, that means AI systems are controlled through data protection duties, declaration or authorisation requirements, limits on solely automated decisions, and rules for sensitive data, biometrics and cross-border transfers.
What this means
If your AI system touches personal data in Senegal, the key legal question is usually not "Is there an AI Act?" but "Which data protection duties are triggered?" Senegal's 2008 law applies to automated and non-automated processing, gives people rights over their data, and places supervisory power in the CDP.
That matters most for AI used in hiring, customer scoring, biometrics, health, public services, fraud checks or any other tool that profiles people. Senegal's newer policy documents are more explicit about AI, but they mostly point forward. The New Deal Technologique says Senegal wants a national ethical and regulatory AI framework; it does not itself create an AI statute.
Regionally, Senegal sits inside wider West African and African governance debates. ECOWAS already has a regional personal data protection act, and the African Union's Continental AI Strategy urges member states to build national AI strategies. For now, though, the binding day-to-day rules for most organisations in Senegal still come from data protection law and sector specific rules, not an AI-only code.
Why it matters
For organisations deploying AI in Senegal, the legal risk is often indirect but still real. A tool may look like a harmless product or procurement choice, but once it uses personal data, biometric identifiers, health information or linked databases, it can trigger CDP filings, transfer checks and user-rights duties. A system that helps decide who gets hired, flagged, scored or denied a service can also raise issues if it is left to run on a solely automated basis.
This also matters because Senegal's digital policy now links AI to sovereignty, interoperability, cyber security, public service modernisation and local control over sensitive data. So AI governance in Senegal is not just a privacy issue. It sits across legal, technical, procurement, security and public policy teams.
How it works
No AI-only statute yet
The official sources reviewed do not show a dedicated, cross-sector AI statute in force in Senegal, nor a separate AI regulator with EU AI Act style powers. The clearest public architecture is still a mix of existing data protection law, CDP oversight, general digital and cyber rules, and policy level AI ambition inside the New Deal Technologique.
That is important because you should not assume Senegal already has a single AI rulebook with risk tiers, model obligations, conformity assessment duties or one-stop AI supervision. At present, the legal baseline is narrower and more practical: what data are used, what people are affected, what formalities are required, and whether the system is making or materially shaping decisions about individuals.
Data protection law does most of the work
Senegal's Law no 2008-12 is broad. It covers collection, treatment, transmission, storage and use of personal data, including processing done with automated means. It also defines sensitive categories, including health and genetic data, and gives people rights to information, access and opposition.
For AI governance, one of the most important rules is the restriction on solely automated decision-making. The law says a decision producing legal effects on a person cannot be taken on the sole basis of automated personal-data processing used to define that person's profile or assess aspects of personality. In other words, Senegal does not ban AI-assisted decision support, but it does place a boundary around fully automated legal-effect decisions.
The same law also controls cross-border transfers. If personal data are sent to a third country, the controller must consider whether there is sufficient protection and must involve the CDP in the process. That matters for overseas hosting, foreign AI vendors, external model providers and multinational group data flows.
The CDP is the authority organisations actually face
The Commission de Protection des Donnees Personnelles is the main institution organisations need to understand. It is an independent administrative authority. Its missions include handling complaints and requests, imposing sanctions for breaches, keeping a public register of processing, and authorising certain cross-border transfers.
Operationally, Senegal uses a declaration and authorisation model. Some processing can proceed after declaration, but higher sensitivity categories move into an authorisation track. The law and the CDP's formalities pages point especially to sensitive data, biometric data, interconnection of files, certain research and health processing, and transfer cases as areas where extra scrutiny applies.
That gives Senegal's AI governance a very practical shape. The first question is often not whether a tool is called "AI", but whether it uses personal data, sensitive data, biometrics, interconnection or foreign transfers in a way that needs declaration, authorisation or both.
The national digital strategy points to future AI governance
Senegal's New Deal Technologique, launched in 2025, is the clearest current policy document for AI. It is a national digital strategy rather than an AI law. The document treats AI as a strategic workstream under digital economic development and says Senegal aims to establish a national AI regulatory and ethical framework, alongside data protection, transparency and digital sovereignty.
The same strategy also treats AI as a cross-cutting part of a broader digital master plan. It links AI to cyber security, interoperability, public service digitalisation, cloud, data infrastructure, computing capacity, training and public sector transformation. It also uses an "approach by risks" in the wider digital architecture.
In practice, that means Senegal has moved beyond generic political enthusiasm for AI. The state has now written AI into an official national strategy. But that strategy is still largely directional. It signals what the government wants to build next, rather than creating directly enforceable AI duties by itself.
Regional and continental context still matters
Senegal's position is also shaped by instruments above the national level. In West Africa, ECOWAS already has a Supplementary Act on Personal Data Protection. At African Union level, the Continental AI Strategy, endorsed in 2024, asks member states to develop and implement national AI strategies and runs on a 2025 to 2030 implementation horizon.
Senegal has also ratified the African Union Convention on Cyber Security and Personal Data Protection, often called the Malabo Convention. That does not create a Senegal-specific AI act, but it reinforces the broader continental pattern: data governance, cyber security and digital rights are already part of the legal backdrop against which AI policy is developing.
So the regional picture is best read as guidance and alignment pressure, not as a substitute for Senegal's own domestic law. For current compliance work, the binding anchor remains Senegal's national data protection regime.
Examples
A biometric access or attendance system is not just a workplace tech upgrade. Under Senegal's data protection framework, biometric processing is a higher sensitivity category that can require CDP authorisation. The CDP's public publications show biometric access control and biometric time-management deliberations in practice. A sensible workflow is to define the exact purpose, minimise the fields collected, prepare the CDP filing, set retention and security rules, and only then deploy.
A health AI or research AI tool sits in an even stricter zone. If a hospital, insurer, research team or health platform wants to use AI on patient data, the organisation needs to treat the project as regulated health-data processing, not just as software procurement. Senegal's law gives special treatment to health data and health research, and the CDP's formalities route this kind of processing into the authorisation track.
A public-sector AI project that links identity, land, payment and service databases has an interconnection problem before it has an AI problem. Senegal's digital strategy pushes unique digital identity, public cloud capability, interoperable state systems and AI-enabled administration. But the data protection law requires interconnection oversight, and the CDP remains central. The practical workflow is therefore governance first: map databases, justify the linkage, set access controls, define legal basis and formalities, and only then move to deployment.
Common misunderstandings
Misconception: Senegal already has a standalone AI Act similar to the EU AI Act. Correction: The public official sources reviewed do not show that. The current legal baseline is mainly data protection law plus digital policy.
Misconception: The CDP regulates every aspect of AI. Correction: The CDP is central where AI uses personal data, but it is not a general AI super-regulator for every technical or sector issue.
Misconception: If an AI vendor is outside Senegal, Senegal's rules stop at the border. Correction: Cross-border transfers are regulated, and foreign hosting or overseas model providers can still trigger Senegal data protection duties.
Misconception: Senegal bans all automated decision-making. Correction: The law is narrower. It restricts decisions with legal effects that are based solely on automated personal-data processing used for profiling or personality assessment.
Misconception: A national strategy is the same thing as binding law. Correction: It is not. The New Deal Technologique is an official policy roadmap, but it does not itself create a full AI statute.
Risks and boundaries
The biggest boundary is simple: Senegal's AI governance is still emerging. The country has a real legal baseline for personal data, and it now has explicit AI policy ambition, but it does not yet appear to have a dedicated AI law in force. That means some questions that are answered directly in other jurisdictions still have to be worked out in Senegal through older data protection rules, contract design, sector rules and regulator practice.
There is also a status boundary around strategy language. Some official messaging refers broadly to a "national AI strategy". Based on the public official materials reviewed, the clearest operative instrument now visible is the New Deal Technologique and its AI strand, not a separate standalone AI statute. That distinction matters because policy ambition should not be mistaken for a currently enforceable AI code.
Another limit is scope. If an AI system does not process personal data, Senegal's data protection law may be less central, although other bodies of law can still matter, including sector regulation, consumer protection, civil liability, media law, intellectual property and cyber rules. Equally, where AI does process personal data, the law does not answer every governance question in modern machine learning. It gives a strong privacy frame, but not a full AI-specific governance architecture.
Finally, this area can still change. New legislation, data protection reform, sector decrees, CDP guidance or implementation steps under the New Deal Technologique could alter the picture.
What to do next
Start with an AI use-case inventory. Identify which systems process personal data, sensitive data, biometrics, health data or linked databases; which rely on overseas vendors or overseas hosting; and which influence decisions about identifiable people.
For the higher-risk uses, run an AI impact assessment together with a Senegal data protection review. Confirm the legal basis, test whether any declaration or CDP authorisation is needed, map data transfers, and build a meaningful human review step wherever a system could affect a person's rights, status or access to a service.
Then tighten procurement and governance. Make sure vendor contracts cover data location, security, deletion, audit support, incident handling and regulator cooperation. Record who owns the decision to deploy, who validates data use, and who can stop or escalate a problematic system.
Finally, monitor change. Senegal's formal AI framework is not settled yet, so governance leads should watch CDP communications, New Deal Technologique implementation, and AU and ECOWAS developments.
FAQs
Does Senegal have a dedicated AI law?
No. The public official sources reviewed point instead to data protection law, CDP oversight and digital policy.
Who is the main regulator for AI issues in Senegal?
There is no single AI regulator identified in the official sources reviewed. Where AI uses personal data, the CDP is the main authority organisations are likely to deal with.
Do we need CDP approval for every AI system?
No. Some processing follows the declaration route, while more sensitive categories such as biometrics, certain health or research uses, interconnections and some transfer cases can require authorisation.
Are fully automated decisions banned in Senegal?
Not across the board. The key restriction is that a decision with legal effects cannot rest only on automated personal-data processing used for profiling or personality assessment.
Can we use an overseas AI vendor or overseas cloud?
Potentially yes, but cross-border transfers are regulated. You should assess transfer conditions early and check whether prior CDP involvement is required.
Is the New Deal Technologique already binding AI law?
No. It is a national digital strategy and policy roadmap. It signals future direction, including a planned national AI regulatory and ethical framework, but it is not the same as an AI statute.
How do AU and ECOWAS instruments affect AI governance in Senegal?
They shape the wider policy environment and regional expectations. Your day-to-day legal duties in Senegal still come mainly from domestic law and sector specific rules.