Further into Africa…Botswana enacts a “new” Data Protection Act. Does this spell a new dawn?
On 29 October 2024, Botswana’s “new” Data Protection Act 18 of 2024 (“the new DPA”) was published in the government gazette and came into effect. Prior to the enactment of the new DPA, a different, less stringent piece of data privacy legislation applied, the Data Protection Act 32 of 2018 (“the old DPA”). The new DPA was published as a result of – and in an attempt to address – various shortcomings and inadequacies of the old DPA.
The new DPA
The new DPA contains various revisions to the old DPA, including extending its application to the processing activities of data controllers and data processors who are not established in Botswana[1] in circumstances where –
- the activities of an establishment of the data controller or data processor are in Botswana irrespective of whether such processing takes place in Botswana; or
- the processing activities relate to the –
  - offering of goods or services to data subjects in Botswana, irrespective of whether payment by a data subject is required; or
  - monitoring of data subjects’ behaviour, insofar as the behaviour takes place within Botswana.
Notably, the above application provision of the new DPA mirrors the application or territorial scope provisions of the General Data Protection Regulation 2016/679 (“GDPR”).[2]
The new DPA also extends its application to the State of Botswana (“the State”) and “binds the State”.[3] However, it ought to be noted that although the new DPA “binds the State”, the new DPA does not apply to the processing of personal data by or on behalf of the State where the processing –[4]
- involves national security, defence or public safety;
- is for the prevention, investigation or proof of offences, the persecution of offenders or the execution of sentences or security measures;
- is for economic or financial interest, including monetary, budgetary and taxation matters; and
- is for a monitoring, inspection or regulatory function connected with the above.
Consequently, the binding application of the new DPA to the State is inward-looking, meaning that the State must comply with the new DPA insofar as its own operations are concerned, subject to the above exceptions. What this means is that the State must implement a data protection governance framework wherein, amongst others, –
- the lawful grounds that the State relies on to process personal data are set out;
- data subjects’ rights are given effect to by the State, particularly the data subject rights of the State’s employees; and
- the data processors that the State appoints from time to time are appointed in compliance with the new DPA.
The new DPA also contains slightly revised wording and expands (although to a limited degree) on existing data protection principles such as data minimisation, accuracy and storage limitation, providing that –
- in relation to data minimisation, personal data must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed;[5]
- in relation to data accuracy, personal data must be accurate and, where necessary, kept up to date. The new DPA further provides that a data controller or data processor must take reasonable steps to ensure that personal data that is inaccurate, having regard to the purpose for which it is processed, is erased or rectified without delay;[6]
- in relation to storage limitation, a data controller or data processor must ensure that personal data is kept in a form which permits the identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed.[7]
In relation to administrative fines, the new DPA introduces a percentage (%) based fine, notably of worldwide turnover, for certain contraventions and provides that –[8]
- an administrative fine not exceeding P10 000 000, or in the case of an undertaking, not exceeding two per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher, shall apply to a contravention of the obligations of the data controller and data processor under sections 29 (conditions applicable to children in relation to information society services) and 52 (data protection by design and by default);
- an administrative fine not exceeding P50 000 000, or in the case of an undertaking, not exceeding four per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher, shall apply to a contravention of –
  - the basic principles for processing, including conditions for consent;
  - the right of data subjects;
  - the transfers of personal data to a recipient in a third country or an international organisation;
  - any obligations pursuant to law adopted;
  - an order or a temporary or definitive restriction on processing or the suspension of data flows by the Information and Data Protection Commission (“Commission”) or failure to provide access; and
  - an order by the Commission.
When the new DPA was still in Bill format, the Vice President of Botswana His Honour Slumber Tsogwane (as he then was) said that –[9]
“the Bill ensured effective data protection that helped to prevent misuse of data by both state and non-state actors, including curbing surveillance and ensuring that data was not used for discriminatory practices, thereby protecting citizens’ rights and freedoms.”
Conclusion
In recent years, various African jurisdictions have enacted their own data privacy regimes. This is a step in the right direction as it reflects a recognition of the importance of data privacy legislation and, importantly, also aligns with the approach adopted by the European Union with the GDPR. Indeed, the data privacy regimes adopted in these various African countries mirror, to a material degree, the principles contemplated in the GDPR. In particular, countries such as Eswatini, Zambia, South Africa, Zimbabwe, Nigeria, Rwanda, Egypt and others have enacted their own data privacy regimes and Botswana, by revamping and toughening its data privacy regime, has followed suit.
[1] See section 4(2) of the new DPA.
[2] See Article 3 of the GDPR.
[3] See section 5 of the new DPA.
[4] See section 4(3) of the new DPA.
[5] See section 21 of the new DPA.
[6] See section 22 of the new DPA.
[7] See section 23 of the new DPA.
[8] See section 83 of the new DPA.
[9] Please refer to the news article at https://dailynews.gov.bw/news-detail/81081, accessed on 18 December 2024.
