Understanding Botswana’s 2018 and 2024 Data Protection Acts

Introduction

Botswana enacted its new Data Protection Act on 29 October 2024,1 repealing the 2018 Data Protection Act.2 The repealed Act never came into effect because its commencement date was extended by several Ministerial Orders.3 The 2018 Act did not apply to the State or to data controllers outside Botswana. It also had gaps, such as the lack of obligations on the government to comply in certain situations and the absence of provisions for personal or household data processing.4 The 2024 Data Protection Act was enacted to address these shortcomings. The new Act provides more detailed provisions on the obligations of data controllers, data processors and sub-processors, regulates the processing of children’s data, and expands the powers and duties of the Data Protection Commissioner.

The 2024 Act introduces key structural reforms and operational enhancements to address contemporary data protection challenges. It creates specialised divisions within the Information and Data Protection Commission, such as the Data Protection Division and the Access to Information Division, which were absent from the previous Act. Additionally, it introduces fixed terms and an age limit for Commissioners and mandates the complete independence of the Information and Data Protection Commission. The 2024 Act also expands the powers of the Commission, granting new authority for search, seizure and detention and introducing advisory roles to guide data controllers more effectively.

In addition, the 2024 Act provides detailed regulations on the processing of personal data, especially concerning the validity of consent in contractual or service-related contexts and adds specific protections for children’s data. Moreover, it sets stringent timelines for data breach notifications and mandates Data Protection Impact Assessments for high-risk processing activities. These changes, along with the new requirement for organisations to appoint data protection officers under certain conditions, enhance the governance and compliance frameworks, aiming to bolster trust in data handlers and ensure rigorous protection of privacy rights in Botswana.

The following analysis explores various aspects of the two Acts, including structural reforms, powers of the Information and Data Protection Commission, processing activities, data controllers and processors, data protection impact assessment and the role of Data Protection Officers. By highlighting these aspects, the article aims to provide a comprehensive understanding of how the 2024 Act builds upon and diverges from its 2018 predecessor.

Salient Comparable Provisions in the 2018 and 2024 Data Protection Acts

  1. Powers of the Information and Data Protection Commission

The 2024 Act is similar to the 2018 Act regarding the powers of the Commission. However, the 2024 Act grants additional powers of search, seizure and detention.5 Section 15 of the 2024 Act provides that an officer duly authorised by the Commissioner may enter any premises to conduct a search and seize any item during an investigation, on condition that there is written consent from the owner or person in charge of the premises or the authorised officer holds a search warrant. The officer must always present an identity card issued by the Commission.6

Additionally, the 2024 Act confers on the Commission advisory powers that were previously absent. The Commission has the authority to advise data controllers through a prior consultation procedure, approve draft codes of conduct, develop and issue standard contractual terms and adopt standard data protection clauses, authorise administrative arrangements, and approve binding corporate rules.7 The newly granted advisory powers allow the Commission to respond to data protection issues and to guide and shape policies and practices proactively. Through the prior consultation procedure, the Commission can ensure that data handling strategies are aligned with best practice and legal requirements from the initial stages of data processing. Approval of draft codes of conduct and development of standard contractual terms will provide clear guidelines for data controllers and processors to comply with the law. The advisory power to approve binding corporate rules represents a move towards harmonising data protection practices with international standards. This alignment enhances the global credibility of Botswana’s data protection framework.

  2. Structural Reforms and Operational Autonomy

The 2018 Act established limited roles, specifying only a Commissioner and a Deputy Commissioner without distinct operational divisions.8 In contrast, the 2024 Act introduces a more structured approach by dividing the Commission into two main divisions: the Data Protection Division and the Access to Information Division.9 The former is responsible for data protection, and the latter for access to information. Additionally, it allows for the creation of further divisions as deemed necessary to ensure the proper performance of the functions of the Commission.10

The 2024 Act introduces specific terms and an age limit for Commissioners, setting a five-year renewable term that expires when a Commissioner reaches the age of 60—a provision not found in the 2018 Act.11 Additionally, the 2024 Act explicitly mandates that the Commissioner, Deputy Commissioner, and all commission officers operate with complete independence.12

In line with these reforms, the 2024 Act establishes a more structured organisational framework to address specific regulatory challenges, improve operational efficiency, and strengthen the independence of the Commission.

  3. Processing of Personal Data

Under Section 16(b) of the 2018 Act, personal data may be processed if it is necessary for the performance of a contract involving the data subject.13 The 2024 Act elaborates on this. It clarifies that consent to the processing of personal data, where that processing is not necessary for the fulfilment of the contract or service, shall be deemed invalid even if it has been given freely.14 This aims to prevent data subjects from being coerced into providing unnecessary personal data in order to access a service or complete a contract. The addition ensures that data controllers and processors do not rely on consent to process personal data that is not necessary for the performance of a contract or service.

The 2018 Act had no provision regulating personal data concerning children, but the 2024 Act contains express provisions on the lawfulness of processing personal data relating to children. Section 29 of the 2024 Act details the conditions under which the personal data of a child can be lawfully processed when it pertains to the offering of information society services.15 ‘Information Society Services’ refers to services provided over the internet or another electronic network, including online retailers, social media platforms, and various types of internet-based applications. The objective is to keep children’s data safe in digital spaces. The primary requirement is that such processing is only permissible if consent is obtained from either the parent or a person holding parental responsibilities under the Children’s Act. The section further provides that a child aged 16 can consent in the manner prescribed by law. Additionally, data controllers must make reasonable efforts, taking into account the available technology, to ensure that the child and the parent or person with parental duties jointly consent to the processing of the child’s data.16 This requirement emphasises the importance of dual consent in protecting children’s personal data in the digital environment, ensuring that both the child and the parent or guardian agree to the data processing activities.

  4. Legal Restrictions

The 2024 Act introduces a new Part, Part IX titled “Legal Restrictions,” which acknowledges that specific laws may impose limitations on the rights and obligations related to the processing of personal data.17 However, it stipulates that any such restrictions must be aligned with fundamental rights and freedoms and must be necessary and proportionate within the framework of a democratic society.18 The limits must safeguard interests such as national security, public defence, the public interest and other specified areas.19 This Part emphasises the balance between data protection on the one hand and security and public safety on the other. It stipulates that any restriction on data handling must be both necessary and proportionate, reflecting a legal justification that is acceptable in democratic societies which value both security and freedoms. It further ensures that the principles of data protection are not easily overridden by other legislative measures.

  5. Data Protection Impact Assessment and Prior Consultation

The 2024 Act introduces a new Part on Data Protection Impact Assessment (DPIA) and Prior Consultation.20 A DPIA is required for processing involving new technologies that is likely to result in a high risk to individual rights and freedoms.21 This includes processing sensitive personal data or data relating to criminal convictions and offences on a large scale, as well as systematic monitoring of publicly accessible areas.22 The DPIA must evaluate the nature, scope, context and purpose of the processing activities. The goal of the DPIA is to assess and mitigate potential impacts on privacy and data protection before any processing begins. Additionally, a single DPIA may cover multiple processing activities if they present similar high risks.23 Under the Act, the Commissioner is tasked with creating a list of processing activities that require a Data Protection Impact Assessment.24

Prior consultation occurs when data controllers engage with the relevant data protection authority before starting any data processing activities that a data protection impact assessment has identified as potentially high-risk.25 This proactive measure ensures that any concerns about privacy and data protection are addressed, and that appropriate safeguards are implemented to protect individual rights. The provisions take a proactive approach to risk management in data processing activities, mitigating potential data breaches and privacy issues before they occur.

  6. Data Protection Officer

The 2024 Act introduces specific provisions governing data protection officers, a change from the repealed law. Under Section 69(1), it is now mandatory for data controllers and processors to appoint a data protection officer in certain circumstances. For instance, this requirement applies when a public authority carries out the processing, or when the core activities involve regular and systematic monitoring of data subjects. It is also required when these activities include the processing of sensitive personal data on a large scale, or of personal data pertaining to criminal convictions and offences.

The role of a data protection officer is multifaceted.26 They are responsible for informing and advising the data controller or processor and their staff about their legal obligations under the Act. Additionally, they monitor compliance to ensure that the organisation adheres to data protection laws.27 As a contact point, they liaise with the data protection authorities on processing-related matters and prior consultations.28 These duties are essential for ensuring that organisations process personal data responsibly and in accordance with legal and regulatory standards, thereby protecting the rights of individuals.

To summarise the distinction, Data Protection Officers oversee compliance and function as intermediaries with regulators, while Data Controllers decide how and why data is processed, and Data Processors handle data according to the Controller’s directives.

  7. Data Controllers, Data Processors and Sub Data Processors

Both Acts mandate that Data Controllers strictly adhere to data protection principles and maintain adequate technical and organisational safeguards when processing personal data. The 2024 Act goes further, providing that a Data Controller may adhere to approved codes of conduct to demonstrate compliance with the provisions of the Act.29 Precautions taken in data processing activities must extend to the volume of data collected, the extent of its processing, and how long and how accessibly the data is retained.30 Importantly, these measures should guarantee that personal data is not made accessible, without human intervention, to an indefinite number of persons.31

The 2024 Act also envisions situations where there are more than two data controllers and specifies that they must designate a contact point for a data subject and outline each of their respective responsibilities in a written arrangement that is shared with the data subject.32

Data controllers that are foreign but process the data of data subjects in Botswana must appoint a representative in Botswana in writing.33 The representative must be based in Botswana if the personal data processed relates to the offering of goods or services to data subjects or to the monitoring of their behaviour.34 The representative should be the contact point for both the controller or processor and the supervisory authorities and data subjects regarding all issues related to data processing, ensuring compliance with the Act.35 Designating a representative does not exempt the controller or processor from legal action, which may be initiated against either them or the representative.36

Data controllers may engage data processors but only if they choose a data processor who can provide adequate guarantees to implement the necessary technical and organisational measures.37 Such data processors are prohibited from engaging another processor (sub-processor) without obtaining prior written authorisation from the data controller.38 If the data processor has general authorisation to engage sub-processors, they must inform the data controller of any changes regarding the addition or replacement of these sub-processors. This allows the data controller to object to changes concerning their personal data processing.39

The 2024 Act expounds on the limits of data processing by requiring that data processors operate under a binding contract or law.40 The contract must detail the subject matter and duration of the data processing; the nature and purpose of the processing; the type of personal data and categories of data subjects; and the obligations and rights of the data controller.41 The provisions of the contract or law must specify that the data processor: only processes personal data on documented instructions from the data controller, including transfers of data to third countries or international organisations; ensures confidentiality by only allowing authorised personnel to process data; implements all measures required for data security as specified in the legal framework; assists the data controller in complying with all of its obligations; and provides the data controller with all information necessary to demonstrate compliance and to facilitate audits and inspections.42

Standard Contractual Clauses (SCCs) may form part or all of a contract between a data controller and a data processor, which must be in writing, including electronic form.43 However, if a data processor independently determines the purpose and means of processing in violation of the contractual or legal requirements that govern their role, they shall be considered a data controller for that processing.44 This reclassification subjects the processor to the liabilities associated with the processing decisions made.

  8. Data Breaches

The 2024 Act elaborates further on the conditions for notifying data breaches. The Act sets a time limit of seventy-two (72) hours for notifying the Commissioner.45 Previously, there were no specified time limits.46

The notification of the data breach must describe the nature of the personal data breach with details such as the categories and approximate number of data subjects and data records. The notification should also provide the name and contact details of the data protection officer or another contact point; describe the likely consequences of the personal data breach and outline the measures taken or proposed to be taken by the data controller to address the breach.47

Additionally, the 2024 Act details when personal data breaches must be communicated directly to a data subject. This communication must be done if the data breach is likely to result in a high risk to the rights and freedoms of natural persons.48 The communication should include the same type of information as required in the notification to the Commissioner.

Direct communication to the data subject is not required where the data controller has implemented appropriate technical and organisational measures and applied them to the data affected by the breach; where the data controller has taken subsequent measures to ensure that the high risk to data subjects’ rights and freedoms is no longer likely to materialise; and where communicating the breach would involve disproportionate effort.49 The Commissioner can require the data controller to notify the data subject, having considered the likelihood that the data breach results in a high risk.50

Conclusion

The 2024 Act provides a more comprehensive and encompassing regulation of personal data, expounding and adding new provisions not found in the repealed law. By establishing clearer guidelines, stricter controls, and comprehensive responsibilities for data protection officers, the 2024 Act aims to fortify trust in data processors and controllers, ensuring that personal data is managed with the utmost care and respect for privacy.

Image used was generated with AI tool DALL-E

1 Data Protection Act 2024 (Act 18 of 2024).

2 Data Protection Act 2018 (Act 32 of 2018).

3 Dippy Singh, ‘Botswana tackles data privacy turmoil with new bill’ (African Law Business, 22 August 2024) https://www.africanlawbusiness.com/news/21334-botswana-tackles-data-privacy-turmoil-with-new-bill/ accessed 5 March 2025.

4 Ibid.

5 Data Protection Act 2024, s 15(1) (Act 18 of 2024).

6 Data Protection Act 2024, s 15(3) (Act 18 of 2024).

7 Data Protection Act 2024, s 17(a)-(e) (Act 18 of 2024).

8 Data Protection Act 2018 (Act 32 of 2018).

9 Data Protection Act 2024, s 7 (Act 18 of 2024).

10 Data Protection Act 2024, s 7(1)(c) (Act 18 of 2024).

11 Data Protection Act 2024, s 8(4) (Act 18 of 2024).

12 Data Protection Act 2024, s 8(3) (Act 18 of 2024).

13 Data Protection Act 2018, s 16(b) (Act 32 of 2018).

14 Data Protection Act 2024, s 27(4) (Act 18 of 2024).

15 Data Protection Act 2024, s 29 (Act 18 of 2024). A child of 16 years or over may give their consent freely in the prescribed form. This aims to prevent situations where data subjects are coerced into providing unnecessary personal data to access a service or complete a contract.

16 Data Protection Act 2024, s 29(2) (Act 18 of 2024).

17 Data Protection Act 2024, Part IX (Act 18 of 2024). Laws to which a data controller or processor is subject.

18 Data Protection Act 2024, s 50(2) (Act 18 of 2024).

19 Ibid.

20 Data Protection Act 2024, Part XII (Act 18 of 2024).

21 Data Protection Act 2024, s 64(3) (Act 18 of 2024).

22 Ibid.

23 Data Protection Act 2024, s 65(1) (Act 18 of 2024).

24 Data Protection Act 2024, s 66(1) (Act 18 of 2024).

25 Data Protection Act 2024, s 68(1) (Act 18 of 2024).

26 Data Protection Act 2024, s 72(1) (Act 18 of 2024).

27 Data Protection Act 2024, s 72(b) (Act 18 of 2024).

28 Data Protection Act 2024, s 72(c) (Act 18 of 2024).

29 Data Protection Act 2024, s 51(3) (Act 18 of 2024).

30 Data Protection Act 2024, s 52 (Act 18 of 2024).

31 Ibid.

32 Data Protection Act 2024, s 53 (Act 18 of 2024).

33 Data Protection Act 2024, s 54 (Act 18 of 2024). The designation of a representative is conditionally required based on the nature and scale of the data processing activities conducted by foreign controllers or processors. It targets entities that engage in regular and significant processing activities that affect data subjects in Botswana, particularly where such activities are part of offering goods or services or monitoring behaviour within the country.

34 Data Protection Act 2024, s 54(3) (Act 18 of 2024).

35 Data Protection Act 2024, s 54(4) (Act 18 of 2024).

36 Data Protection Act 2024, s 54(5) (Act 18 of 2024).

37 Data Protection Act 2024, s 55(1) (Act 18 of 2024).

38 Data Protection Act 2024, s 55(2) (Act 18 of 2024).

39 Data Protection Act 2024, s 55(3) (Act 18 of 2024). Initial processors remain liable to data controllers for acts done by sub-processors.

40 Data Protection Act 2024, s 56(1) (Act 18 of 2024).

41 Data Protection Act 2024, s 56(1)(a)-(d) (Act 18 of 2024).

42 Data Protection Act 2024, s 56(2) (Act 18 of 2024).

43 Data Protection Act 2024, s 58 (Act 18 of 2024).

44 Data Protection Act 2024, s 58(3) (Act 18 of 2024).

45 Data Protection Act 2024, s 63(1) (Act 18 of 2024). The Act implies that notification is not necessary where the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject.

46 Data Protection Act 2024, s 63 (Act 18 of 2024).

47 Data Protection Act 2024, s 63(4)(a)-(d) (Act 18 of 2024).

48 Data Protection Act 2024, s 64(1) (Act 18 of 2024).

49 Data Protection Act 2024, s 64(4)(a)-(c) (Act 18 of 2024).

50 Data Protection Act 2024, s 64(4) (Act 18 of 2024).