Review of Somalia’s Data Protection Act and Implementing Regulations

This article is authored by Dorcas Tsebee and Victoria Adaramola

Introduction

On March 23, 2023, the Data Protection Act (“DPA” or “the Act”) was enacted and immediately became effective throughout Somalia. It is the country's first comprehensive law on data protection. Like most African data protection laws, the DPA is founded upon the Constitution of the Federal Republic of Somalia, 2012, which guarantees citizens a right to privacy. The DPA established the Somalia Data Protection Authority (“Authority”) to oversee its implementation. The Authority was officially launched in February 2024, although it had commenced activities before then. Following the coming into effect of the Act, and pursuant to its mandate under Article 41, the Authority issued the Implementation Regulation, the DPA Guidance, and the Alternative Dispute Resolution Procedure to guide the implementation and operationalisation of the Act's provisions.

Key provisions

Scope of application - Articles 4 and 5

The DPA applies to processing personal data by controllers based or operating in Somalia, specifically when processing occurs within Somalia and involves targeting, monitoring online behaviour, or offering goods and services to individuals in Somalia. The law exempts household purposes, processing carried out for control and prevention of national public health emergencies, the prevention and investigation of crimes by public authorities, national security, and the prevention and defence of a legal claim.

Establishment of a data protection authority - Articles 6, 7, and 13

The Act establishes the Data Protection Authority, which oversees the implementation of the Act. The Authority has the power to issue supplementary regulations, conduct investigations and impose fines. It is responsible for registering data controllers and data processors of major importance; promoting awareness of the obligations of data controllers and data processors; accrediting, licensing, and registering data protection compliance organisations; receiving complaints about personal data violations; and advising the government on data protection. The Authority was officially launched in February 2024.

Lawful bases for processing - Article 14

The law provides for consent, performance of contract, legal obligation, vital interest, public interest, and legitimate interest as the lawful bases. In addition to these traditional lawful bases, the law includes the defence and exercise of a legal claim, public health and humanitarian emergency, medical care and community welfare, archiving and statistical purposes, and data manifestly made public by the data subject as lawful bases for processing personal data in the country. The additions depart from the conventional lawful bases under most data protection laws.

Third-party risk management - Article 19

The Act requires data controllers to maintain an inventory of all data processors and sub-processors they engage. In addition, they are expected to have a data processing agreement in place.

Rights of data subjects - Articles 20-23

The Act recognises data subjects' rights to access, rectification, deletion, withdrawal of consent, objection, and not to be subject to decisions based solely on automated processing. The Act also provides exceptions to the exercise of these rights.

Security of data - Article 24

The Act requires data controllers and processors to implement appropriate security measures to protect against misuse, unauthorised access and disclosure, and alteration.

Data protection impact assessment - Article 29

A Data Protection Impact Assessment (DPIA) is required where processing carried out by a data controller of major importance is likely to result in a high risk to the rights and freedoms of data subjects. The DPIA must be conducted, and its report submitted to the Authority, before the processing activities begin. Where a DPIA indicates that the processing would result in high risk irrespective of the mitigating measures adopted, the controller must consult the Authority before processing.

Appointment of a DPO - Article 34

The Act mandates that data controllers and processors of major importance appoint a data protection officer (DPO) to oversee data protection compliance within the organisation. The DPO must be a professional competent to perform the role. The Act also mandates capacity-building for DPOs and for staff who process personal data. The DPO advises the data controller or processor on personal data processing, monitors compliance with the DPA and acts as the contact point for the Authority on issues relating to data processing. The DPO may be an employee of the organisation, or the role may be outsourced. The DPA Implementing Framework requires data controllers and processors to appoint a DPO within six months of the commencement of business where the entity is a governmental body, processes the personal data of over 1,000 individuals annually, or regularly handles sensitive personal data as part of its core activities.

Annual auditing - DPA Guidance

Auditing the data protection practices of data controllers and processors is an important requirement under the Act. The DPA requires data controllers who process the personal data of more than 1,000 data subjects within a period of six months to submit a soft-copy audit report to the Authority. In addition, data controllers who process the personal data of more than 200 data subjects within a period of 12 months must submit a summary of their data protection audit to the Authority. The report must detail the data controller’s data protection practices. Although the text of the law specifies 200 data subjects for processing that occurs within 12 months, it is assumed that this is a typographical error, as other data protection laws with similar requirements, such as Nigeria's, specify 2,000.

The Authority is empowered to register and license DPOs who monitor, audit, conduct training and provide data protection compliance services on its behalf.

Mandatory registration - Article 32

The Act mandates that only data controllers of major importance register with the Authority, and that they do so within six months of qualifying as such. The Act defines a data controller of major importance as an entity that engages one or more data processors that process the data of a prescribed number of data subjects within Somalia. The DPA Guidance expands this category to include other classes of data controllers or data processors that process personal data of particular value or significance to Somalia's economy, society or security, as the Authority may designate. The registration is renewable annually, and the General Manager will prescribe the fees. This requirement is similar to the provisions of the Nigerian data protection law.

Processing of children's data - Article 16

The DPA’s general interpretation defines a child as a person under the age of 18, and the Act requires data controllers to obtain consent from a child’s parent or legal representative in order to process the child's data. Consent is not required, however, where the processing is necessary to protect the vital interests of the child, where it is for educational, medical, or social care purposes and is carried out under the supervision of a professional, or where it is necessary for court proceedings.

The Act further creates exceptions regarding the age of consent. It provides that, where consent is the lawful basis for processing, a data controller may rely on consent given by a child aged 16 or above. In addition, the Authority may issue regulations permitting data controllers to obtain valid consent directly from a child aged 13 or above. By implication, the age of consent could be as low as 13, depending on the circumstances of each case and pending further regulations from the Authority. The Act also provides for the use of government-issued IDs for verification purposes.

Breach notification - Articles 25-27

As under most data protection laws, data controllers must notify the supervisory authority of a breach that could result in risks to the rights and freedoms of data subjects within 72 hours of becoming aware of it. An interesting addition to this provision is the permission to extend the notification period. The controller may extend the 72-hour period to accommodate the legitimate needs of law enforcement, or as reasonably necessary to implement the measures required to determine the scope of the breach. However, the Authority must be notified of this extension within the original 72-hour period.

In addition, the DPA requires data controllers to keep a record of all personal data breaches affecting the personal data they process, including the facts relating to each breach, its effects, and the remedial action taken, in a manner that enables the Authority to verify compliance with the DPA.

Cross-border transfer of data - Articles 30-31

The Act restricts the transfer of personal data outside Somalia but permits it where the receiving country ensures adequate protection. Transfers are also permissible where the recipient is subject to a law, binding corporate rules, contractual clauses, a code of conduct, a certification mechanism, or similar safeguards that provide sufficient protection. Where none of these conditions exist, data may still be transferred on the basis of the data subject's consent, the conclusion of a contract, or the data subject's vital interests. However, these derogations are not intended for regular use and apply only to non-repetitive transfers involving a small number of data subjects. Data controllers must notify the Authority of transfers made under the derogations. Lastly, the data controller must maintain a record of the transfer mechanisms it has adopted.

Implementing the DPA

The Data Protection Authority published an Implementation Regulation for the Act in February. The Regulation provides detailed guidance on compliance with the Act and sets out the steps by which any organisation processing personal data can implement it. These include creating awareness of the Act and its importance, mapping the data the organisation processes to identify its sources and destinations, evaluating the risks associated with current data protection practices, comparing those practices against the DPA's requirements, and developing a compliance roadmap for the organisation.

The Framework further outlines the steps organisations should take to comply fully with the Act. These include:

  • Audit and analyse the data collected within the organisation. This ensures that data is collected and used appropriately.
  • Inform data subjects about the Act and its provisions, customers' rights, and how their data is processed. This ensures transparency in the organisation’s practices.
  • Review privacy notices so that they account for all processing activities and meet the Act’s requirements.
  • Understand the rights of customers under the Act and adopt a procedure for managing these rights effectively within the organisation.
  • Re-examine the organisation's responsibilities as a controller or processor under the Act, especially with respect to marketing campaigns on digital platforms.
  • Base advertising and other marketing communications on the audience's consent. Withdrawal of consent must be respected, and consent must be obtained in the manner prescribed by the Act.
  • Ensure internal compliance with the Act by updating, drafting, or reviewing data protection policies and procedures.
  • Appoint a data protection officer where the Act requires one. This involves assigning an existing employee to the role or hiring a new one who meets the qualifications.
  • Implement mechanisms that allow data to be transferred seamlessly from one organisation to another. This may be needed when data subjects exercise their data portability or access rights.
  • Plan for data breaches by implementing the technical and organisational measures necessary to secure data and by adopting procedures for data breach notification.
  • Establish and maintain an internal audit process to regularly assess the effectiveness of the organisation's data protection measures, identify any vulnerabilities, and ensure compliance with the Act.
  • Take active steps to comply with the Act and eliminate outdated practices. For example, delete data that is no longer relevant to an identified purpose.

Conclusion

The Act and its implementing documents introduce a comprehensive legal framework that requires businesses processing the personal data of data subjects in Somalia to make significant changes to their data protection practices. These changes will require careful planning, resources, and ongoing attention to compliance in order to meet the requirements of the Act and protect the rights of data subjects.