The Data Protection Act 18 of 2024, published on 29 October 2024 following presidential assent, marks a significant advancement in Botswana’s data privacy landscape.
The new Act came into effect on 14 January 2025.
The Act replaces the repealed Data Protection Act 32 of 2018, which officially came into force in 2021 but had to be updated after facing criticism for inadequately addressing emerging data protection challenges.
This updated legislation strengthens Botswana’s regulatory framework by expanding the powers of the Information and Data Protection Commission and imposing stricter obligations on data controllers and processors.
It introduces enhanced safeguards for personal data, covering its collection, processing, storage, and use, while setting legal standards to ensure accountability.
Key Provisions:
- Territorial and material scope: Section 4
The Act applies to the processing of personal data by data controllers and processors established in Botswana and those located outside the country but conducting activities within its borders. This includes scenarios where goods or services are offered to individuals in Botswana or where individuals’ behaviour is monitored within the country.
The scope of the Act encompasses both automated and non-automated processing of personal data that is part of, or intended to form part of, a filing system. However, it excludes processing carried out for personal or household activities and data processing conducted by or on behalf of the state.
The new Act builds upon the foundational principles of the repealed Act and introduces additional principles of accountability, integrity, and confidentiality. These enhancements align the legislation more closely with international best practices.
- The Data Protection Authority: Sections 6, 8, 12 & 13
The Information and Data Protection Commission remains the designated national authority responsible for overseeing the implementation and enforcement of the Act. The Commission’s responsibilities include monitoring and enforcing the Act, promoting data protection awareness, providing guidance, handling complaints, and conducting investigations.
Having the commissioners of a data protection commission appointed by the President on the advice of a minister is problematic. It can raise concerns regarding perceived or potential conflicts of interest that may undermine the Act’s guarantee of operational independence.
A merit-based appointment process should include public scrutiny and parliamentary oversight to enhance public trust.
- The issue of consent: Sections 27 and 29
Consent must be freely given, specific, informed and unambiguous. Personal data must be collected with the individual’s consent. The processing of a child’s data in connection with the provision of information society services is permitted only with the consent of a parent or guardian.
Regarding children and the provision of information society services (services offered electronically for remuneration, at the recipient’s request), children aged 16 and older may consent to the processing of personal data in relation to information society services in a manner prescribed by the law.
When obtaining consent from children aged 16 for processing their data in connection with information society services, data controllers must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility, taking into account available technological means.
The repealed Act did not define who a child is. The new Act defines a child as someone under the age of 18, in line with the Children’s Act, and provides that a child’s data can be processed based on the consent of a parent or guardian.
- Biometric data: Section 30
The Act defines this as personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person. Examples include facial images or dactyloscopy data (the analysis and classification of patterns observed in individual fingerprints). Section 30 of the Act prohibits the processing of personal data to uniquely identify an individual, with specific exemptions outlined in the legislation.
Under the repealed Act, biometric data was broadly classified as sensitive. The new Act refines this classification, specifying that biometric data is deemed sensitive only when it uniquely identifies a natural person.
- Data Subject Rights: Sections 42 – 49
Individuals have the right to access their personal data, request correction or deletion of inaccurate or outdated data, and object to data processing in certain situations. The Act also safeguards individuals from decisions made solely through automated processing. Additionally, it permits data subjects to object to the processing of their data for scientific, historical, or statistical purposes based on personal grounds unless such processing serves the public interest.
The new Act expands the rights of data subjects and establishes modalities for exercising these rights, strengthening the protection of data subjects.
- Obligations of Data Controllers and Processors: Sections 51 – 57
Data must be processed lawfully, fairly, and transparently, ensuring that it is collected for specific, legitimate purposes and used only for those purposes. The controller–processor relationship, including the processors’ responsibilities, must be governed by a binding contract between both parties.
Appropriate security measures should also be implemented to protect data from unauthorised access, loss, or breaches. Such measures include pseudonymisation, encryption, ensuring the ongoing confidentiality and integrity of systems, enabling the timely restoration of data after incidents, and regularly testing the effectiveness of security measures.
The previous Act lacked specific requirements for data protection measures. In contrast, the new Act mandates the implementation of robust data protection measures by design and by default. This marks a significant shift towards proactive data protection practices.
- Notification of Data Breach: Section 64
Controllers have a 72-hour window to notify the Commissioner upon discovering a breach. Furthermore, affected individuals must be informed without undue delay if the breach poses a significant risk to their rights and freedoms. Data processors are also obligated to promptly inform the controller of any breaches they discover. The Act also lists cases in which notification to the data subject is not mandatory.
The Act further requires data controllers to maintain detailed records of all breaches, encompassing the breach’s nature, its potential impact, and the remedial actions taken. These records must be made accessible to the Commission for compliance verification.
The previous legislation lacked specific timelines for data breach notifications. The new Act introduces more stringent requirements in this regard.
- Data Transfers: Sections 74 – 78
The transfer of personal data outside Botswana is generally restricted unless the recipient country or entity provides adequate data protection. The Act permits such transfers provided that a copy of the data is maintained within Botswana and the transfer meets specific conditions.
These conditions include the Commission’s decision on the receiving country or organisation’s adequacy or the presence of appropriate safeguards, such as legally binding instruments between public authorities, binding corporate rules, standard data protection clauses adopted by the Commission, or approved codes of conduct.
Where appropriate safeguards rely on contractual clauses between the data controller and a recipient in a third country or on inter-governmental agreements, specific authorisation from the Commission is required.
Without such safeguards, data transfers may be permitted under specific circumstances, such as for contractual purposes, public interest, establishment of legal claims, to protect vital interests, when transferred from a public register, or for compelling legitimate interests of the data controller.
The new Act enhances the framework for cross-border data transfers by expanding the scope of permissible derogations. These now include transfers grounded in the data subject’s explicit consent or justified by the data controller’s legitimate interests. Additionally, the Act emphasises the importance of collaboration with relevant stakeholders to ensure robust and effective implementation.
- Enforcement and Penalties: Sections 82 – 84
Non-compliance may result in fines, imprisonment, or both, depending on the severity of the violation. Fines can reach up to BWP50,000,000 based on the company’s annual turnover.
The new Act significantly raises the maximum administrative fine for violations.
Conclusion
The new Act is a monumentally progressive step towards a more secure and transparent digital environment in Botswana. By expanding the powers of the Information and Data Protection Commission, strengthening individual rights, and imposing stricter obligations on data controllers, the Act provides a robust framework for safeguarding personal data in the digital age.
It establishes robust rights for individuals regarding their personal information and enforces more substantial penalties for non-compliance. The Act’s emphasis on accountability, transparency, and individual rights aligns with international best practices in data protection.
However, successful implementation will require widespread awareness among the public, businesses, and government agencies of the Act’s provisions and obligations.
Furthermore, the Act’s continuous monitoring, evaluation, and adaptation will be crucial to address emerging challenges and ensure its effectiveness in the evolving digital landscape.
By fostering a data protection culture and promoting responsible data handling practices, Botswana can build a more secure and trustworthy digital society that benefits individuals and the nation.
Joint MISA Regional & MISA Botswana Analysis of the new Botswana Data Protection Act