Contributors: Dorcas Tsebee, Oladotun Owoyemi, Victoria Adaramola and Ridwan Oloyede
Introduction
On October 29, 2024, Botswana’s National Assembly passed the Data Protection Act 2024 (the new Act), which aims to regulate the processing of personal data in Botswana. The Act repeals the 2018 Data Protection Act (the repealed Act), which had been in transition since 2021. The repealed Act never came into effect because its effective date was extended by several ministerial orders. The new Act strengthens Botswana’s data protection framework by expanding the powers of the Information and Data Protection Commission and imposing additional obligations on data controllers and processors. This article examines the key provisions of the new Act, offers a comparative analysis with the repealed 2018 Act, and recommends compliance measures for organisations.
Key Provisions in the New Act
Scope of application - Section 4
The Act applies to the processing of personal data by data controllers and processors established in Botswana, or those based outside Botswana but conducting activities within the country. This includes cases where goods and services are offered to individuals in Botswana or where individuals' behaviours are monitored within Botswana. The Act covers both automated and non-automated processing of personal data in a file or intended to form part of a filing system, but excludes processing for personal use, household activities, and data processing by or on behalf of the state.
Designation of a data protection authority - Sections 6, 12 & 13
The Act retains the designation of the Information and Data Protection Commission (the Commission) as the national supervisory authority responsible for ensuring effective application and compliance with its provisions. The Commission will monitor and enforce the application of the Act, promote awareness, advise on data protection, handle complaints, and conduct investigations.
Principles of processing - Sections 19 - 25
The Act provides for the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality in the processing of personal data. The Act requires the data controller to be responsible for and be able to demonstrate compliance with the principles of processing.
Processing children’s data - Section 29
The Act adopts the definition of a child under the Children's Act 2009, which is any person who is below the age of 18 years. Processing a child's data in relation to the offer of information society services[1] shall only be lawful with the consent of a parent or guardian. However, if the child is 16 years old, they may provide their own consent as prescribed under the law. Considering the available technology, the controller is required to make reasonable efforts to verify that consent is given jointly by the child and the parent or guardian, where the processing relates to the offer of information society services.
Processing sensitive personal data - Sections 30 - 31
The Act permits the processing of sensitive personal data on the condition of explicit consent, employment and social protection, vital interests, when the data subject intentionally makes the data public, the establishment or defence of legal claims, public interest, the provision of health or social care, public health purposes, archival for public interest, research or statistics, and for election-related activities.
Additionally, a non-commercial organisation with political, philosophical, religious, or trade union goals may process sensitive personal data of its members and former members as part of its legitimate activities, provided appropriate safeguards are in place. However, this sensitive data cannot be shared with a third party without the written consent of the data subject.
Information provision to the data subject - Sections 39 - 41
The Act requires data controllers to provide data subjects with information about the processing activity at the time of collection of their personal data, where the data is collected directly from them. Where the data is collected indirectly, the controller shall disclose the processing information and additional information, such as the type of data collected and the source of collection, to the data subject within a reasonable time, not exceeding one month.
Rights of data subjects - Sections 42 - 49
The Act recognises data subject rights to access, rectification, erasure, restriction of processing, data portability, objection, and protection from decisions based solely on automated processing. The Act also allows data subjects to object to processing for scientific, historical, or statistical purposes on personal grounds, unless the processing is in the public interest.
Data protection by design and default - Section 52
The Act requires data controllers to implement appropriate technical and organisational measures when determining how to process data, considering the technology, costs, and risks to processing. Additionally, data controllers must ensure that, by default, only necessary personal data is processed, limiting the amount of data collected, the scope of processing, and the duration of storage. By default, these measures should also prevent personal data from being accessible to an unlimited number of people without human intervention.
Appointment of a representative - Section 54
The Act requires data controllers and processors that are not established in Botswana but target data subjects in Botswana to designate, in writing, a representative in Botswana. However, this requirement does not apply to occasional processing, processing that does not involve sensitive data on a large scale or criminal data, or to public authorities and bodies.
Record of processing activities (RoPA) - Section 60
Like most other African data protection laws, the Act requires data controllers to keep a record of processing activities. Similarly, data processors must maintain a record of processing activities carried out on behalf of a controller. The content of the records for the controller and processors is different. This record shall be provided to the Commission on request.
Data security - Section 62
The Act mandates data controllers and processors to implement appropriate technical and organisational measures to ensure the security of personal data, considering the risks associated with processing. These measures include pseudonymisation, encryption, ensuring ongoing confidentiality and integrity of systems, as well as enabling timely restoration of data after incidents, and regularly testing the effectiveness of security measures.
Breach notification - Section 64
Similar to other data protection laws, a data controller is required to notify the Commission of a data breach within 72 hours of becoming aware. The Act also requires data controllers to notify affected data subjects without undue delay if the data breach is likely to affect their rights and freedoms. Where the breach occurs on the part of the data processor, the processor must inform the controller without undue delay upon discovering the breach. Additionally, data controllers are required to maintain a record of data breaches, which should include facts of the breach, its effects, and remedial action taken. This record must be accessible to the Commission to verify compliance.
Data protection impact assessment (DPIA) - Sections 65 & 68
The Act requires data controllers to conduct a DPIA where processing will likely result in high risks to the rights and freedoms of data subjects. The Act specifies types of high-risk processing, which include the use of automated processing systems, including profiling, large-scale processing of sensitive data or data related to criminal convictions, and large-scale monitoring of publicly accessible areas. The data controller shall consult the Commission before processing if the DPIA indicates the absence of sufficient measures to mitigate the high risks.
Data Protection Officer - Sections 69 - 72
A data controller or processor is mandated to appoint a qualified DPO where it is a public authority (except for courts acting in a judicial capacity), engages in large-scale monitoring of individuals, or processes sensitive or criminal conviction data on a large scale. Data controllers and processors who do not fall into these categories may still designate a DPO, provided the DPO's details are published at the office premises and the Commission is informed. The person appointed as DPO may be an internal staff member or contract staff and will serve as the contact point for the Commission when needed. The name and contact details of every designated DPO must be sent to the Commission.
Code of Conduct - Section 73
The Act allows data controllers and data processors, or associations representing them, to develop a code of conduct to ensure compliance with the Act and tailored to the specific needs of micro, small, and medium-sized enterprises. This code will outline the measures for fair and transparent processing, including the legitimate interests of the data controller, procedures for data collection and protection, data breaches notification, transfers of personal data to third countries, and dispute resolution between data controllers and data subjects. After drafting, the code must be submitted to the Commission for approval, which will then register and publish it.
Cross-border transfer of data - Sections 74 - 78
The Act permits data transfers outside Botswana only where a copy of the data is retained within the country and the transfer meets specific conditions. These conditions include an adequacy decision from the Commission for the receiving country or organisation, or the presence of appropriate safeguards such as legally binding instruments between public authorities, binding corporate rules, standard data protection clauses adopted by the Commission, or approved codes of conduct. It is noteworthy that the country published a list of 45 countries it considered adequate in 2022, with Kenya and South Africa as the only African countries on the list.
The appropriate safeguards will require specific authorisation from the Commission where they are provided by contractual clauses between the data controller and the recipient in a third country or form a part of an administrative arrangement between public authorities. Where these appropriate safeguards do not exist, data may be transferred with the data subject's consent, for contractual purposes, public interest, establishment of legal claims, to protect vital interests, when transferred from a public register, or for compelling legitimate interests of the data controller.
Analysis of the Amendments to the Repealed Act
● Expansion of territorial application: The amendments introduced by the new Act expand its scope to include extraterritorial application. While the old Act was limited to processing activities conducted within Botswana or where the controller is outside Botswana but using tools located in the country, the new Act extends its applicability to when the controller and processor offer goods or services to data subjects in Botswana or monitor their behaviour within the country.
● Processing children’s data: The repealed Act classified the data of a child as sensitive but did not define who a child is. However, the new Act defines a child as someone under the age of 18, as defined in the Children's Act, and provides that the data of a child can be processed based on consent from a parent or guardian. It also mandates controllers to implement age and consent verification mechanisms. In relation to information society services, the Act defines a child as someone who is 16 years old.
● Sensitive personal data: The old Act classified information related to filiation and financial data as sensitive. However, the new Act no longer categorises these types of information as sensitive. Additionally, while the repealed Act broadly classified biometric data as sensitive, the new Act specifies that biometric data is considered sensitive only when used to uniquely identify a natural person.
● Principles of processing: The repealed Act established principles such as fairness, lawfulness, accuracy, purpose limitation, security, and storage limitation to guide personal data processing. The new Act builds on these by introducing additional principles of accountability, integrity, and confidentiality to strengthen data protection practices.
● Obligations of controllers and processors: The repealed Act did not explicitly outline the technical and organisational measures entities should implement. In contrast, the new Act introduces clear requirements, mandating entities to adopt data protection by design and by default, maintain a Record of Processing Activities (RoPA), and conduct Data Protection Impact Assessments (DPIAs) for high-risk processing. It also specifies the implementation of measures such as pseudonymisation, encryption, and mechanisms to ensure the confidentiality, integrity, availability, and resilience of processing systems. Additionally, these measures must undergo regular monitoring and testing to ensure their effectiveness.
● Data processing arrangements: The repealed Act lacked comprehensive provisions to guide the relationship between controllers and processors beyond mandating the parties to ensure compliance with the Act in their engagements. In contrast, the new Act addresses these gaps by providing clear guidance on the roles and responsibilities of controllers, processors, and joint controllers, requiring that these relationships be governed by mutually agreed contractual terms. It also permits processors to subcontract processing activities, provided this is done in compliance with the agreed contractual terms. Furthermore, the new Act allows the Commission to develop standard contractual clauses to facilitate and standardise such arrangements.
● Appointment of DPOs and representatives: The new Act requires entities to appoint a Data Protection Officer (DPO) responsible for overseeing internal compliance with the Act. While both the repealed and new Acts include provisions for appointing data protection representatives, the duties of representatives under the repealed Act closely resemble the responsibilities of a DPO under the new Act and the appointment was not limited to controllers outside Botswana. In contrast, the new Act specifies that representatives are only appointed by controllers and processors operating outside Botswana, reinforcing their role in cross-border compliance.
● Rights of data subjects: The repealed Act granted data subjects rights such as the right to access, be informed, file a complaint, challenge the refusal of access, erasure, and rectification. The new Act expands on these by introducing additional rights, including the right to restrict processing, data portability, and the right not to be subject to automated decision-making. It also establishes clear modalities for exercising these rights, ensuring greater empowerment and protection for data subjects.
● Code of Conduct: The new Act allows data controllers, processors, their representatives, or associations representing them to develop a code of conduct to facilitate compliance with the Act. Once drafted, the code must be submitted to the Commission for review and approval. Upon approval, the Commission will register and publish the code. In contrast, the repealed Act did not include any provisions for the development or use of codes of conduct.
● Data breach notification: Under the repealed Act, data controllers were required to notify the Commission of a data breach without delay, and data processors were also obligated to inform the controller without delay. No specific timelines for notification were provided. The new Act introduces stricter requirements, mandating controllers to notify the Commission of a data breach within 72 hours and to communicate the breach to the affected data subject without undue delay where it will pose high risks to them.
● Cross-border data transfer: The repealed Act prohibited cross-border data transfers but allowed exceptions based on adequacy decisions and some derogations. The new Act expands on this framework by introducing additional transfer mechanisms, including binding corporate rules, standard contractual clauses, binding and enforceable instruments between public authorities, and approved codes of conduct. It also broadens the scope of derogations to include transfers based on the data subject's consent or the controller's legitimate interests. Furthermore, the new Act introduces a soft data localisation requirement, mandating that a copy of the transferred personal data be retained in Botswana during the processing period. To enhance enforcement beyond Botswana’s borders, the Act obligates the Commission to collaborate with relevant stakeholders to develop mechanisms supporting its extraterritorial application.
● Sanctions for non-compliance: The new Act significantly raises the maximum administrative fine for violations from 10,000,000 Pulas (approximately 737,000 USD) to 50,000,000 Pulas (approximately 3,685,000 USD), reflecting a more stringent approach to enforcement and compliance.
Operationalising the new law
The amendments to the Act have overarching implications for data controllers and processors both within Botswana and beyond its borders, provided they process the personal data of individuals in Botswana. The changes in the Act align closely with the General Data Protection Regulation (GDPR), broadening the scope of the repealed Act. As a result, the amendments impose additional obligations on data controllers and processors, necessitating the implementation of new measures to achieve compliance. To meet the requirements of the amended Act, an implementation guide is provided below:
● Reassess the law's applicability: Organisations should determine whether the amended Act applies to their processing activities, particularly given its expanded scope and territorial applicability. This reassessment is crucial to identifying whether new compliance obligations apply.
● Operationalise the right against automated decision-making: Data controllers must implement measures to safeguard data subjects' rights and freedoms. These include providing the right to human intervention, allowing data subjects to express their views, and enabling them to contest automated decisions that significantly affect them.
● Understand exceptions for appointing an in-country representative: While the Act requires appointing a representative for entities outside Botswana, there are exceptions. These include situations where processing is occasional, does not involve large-scale sensitive data, or poses minimal risk to individuals’ rights. When representatives are required, organisations must document the appointment in writing. Unlike the repealed Act, there is no obligation to notify the Commission.
● Maintain a record of processing activities (RoPA): Data controllers and processors must maintain a RoPA tailored to their role in each transaction. The content requirements differ for controllers and processors, so organisations must ensure accuracy based on their responsibilities.
● Adopt a data transfer mechanism: Controllers, processors, and sub-processors must identify the appropriate transfer mechanism and document it.
● Implement security measures: Organisations must establish robust technical and organisational safeguards to protect personal data against breaches, ensuring compliance with the security obligations outlined in the Act. Such measures include encryption, authentication and pseudonymisation, among others.
● Conduct data protection impact assessments (DPIAs): For high-risk processing activities, such as large-scale sensitive data processing, automated processing, including profiling with legal effects, or systematic public monitoring on a large scale, a DPIA is mandatory. Where risks cannot be mitigated, organisations must consult the Commission before proceeding.
● Appoint a qualified data protection officer (DPO): A DPO is required for public authorities (excluding courts in their judicial role) or organisations engaged in large-scale monitoring or sensitive data processing. The DPO should have the expertise to guide compliance efforts effectively.
● Implement data protection by design and default: Organisations must embed privacy considerations into their processes and systems from the outset. By default, systems should prioritise data protection, ensuring only necessary data is processed and access is restricted to authorised personnel.
Conclusion
The amendment of Botswana's Data Protection Act represents a significant step forward in strengthening data protection measures. The amended Act introduces additional provisions and obligations for data controllers and processors, enhancing accountability and compliance. Its language has been refined to be clearer and less ambiguous, making it easier to interpret and apply.
[1] “information society services” means any service provided for remuneration, at a distance, by electronic means, and at the request of the person receiving such service.