🇧🇼
Botswana

Applicability of Botswana's Data Protection Act

Botswana's Data Protection Act 18 of 2024, which came into effect on January 14, 2025, establishes a comprehensive framework for data protection in the country. This legislation aligns Botswana's data protection regulations more closely with international standards such as the GDPR, particularly in terms of its territorial scope.

Establishment of the Controller in Botswana

The primary criterion for territorial applicability is the establishment of the data controller within Botswana. The Act applies to:

  1. Data processing activities carried out by controllers established in Botswana, regardless of where the actual processing takes place.
  2. Processing of personal data entered in a file by or for a data controller in Botswana.

Use of Equipment Within Jurisdiction

The Act extends its reach to controllers not established in Botswana but using equipment located within the country for data processing. Specifically, it applies to:

  • Data controllers outside Botswana using automated or non-automated means situated in Botswana, unless those means are used only to transmit personal data.

Expanded Territorial Scope

The Act significantly broadens its territorial reach by including:

  1. Activities Related to Botswana: The Act applies where the activities of an establishment of the data controller or data processor are in Botswana, irrespective of whether the processing occurs within the country.
  2. Offering Goods or Services: It covers processing activities related to offering goods or services to data subjects in Botswana, regardless of whether payment is required.
  3. Monitoring Behavior: The Act applies to the monitoring of data subjects' behavior, insofar as that behavior takes place within Botswana.

Binding on the State

The DPA explicitly states that it binds the State of Botswana, although certain exceptions exist for state activities related to national security, defense, public safety, and law enforcement.

Exceptions and Exemptions

  1. Personal or Household Activities: The Act does not apply to processing by a natural person in the course of purely personal or household activities.
  2. State Activities: Certain state activities, including those involving national security, defense, public safety, and law enforcement, are exempt from the Act's application.

Implications and Compliance Requirements

The expanded territorial scope of Botswana's Data Protection Act has significant implications:

  1. Local Businesses: All businesses established in Botswana must comply, regardless of where they process data.
  2. Foreign Companies: Companies without a physical presence in Botswana may fall under the Act's jurisdiction if they offer goods or services to or monitor the behavior of data subjects in Botswana.
  3. Cross-Border Data Transfers: The Act introduces stricter regulations for transferring personal data outside Botswana, including maintaining a copy of the data within the country.
  4. Appointment of Representatives: Controllers and processors operating outside Botswana but falling under the Act's scope may need to appoint representatives within the country.
  5. Enhanced Penalties: Non-compliance can result in significant fines of up to 50,000,000 Pulas (approximately 3,685,000 USD), reflecting a more stringent approach to enforcement.

The territorial scope of Botswana's Data Protection Act aims to ensure that individuals' data rights are protected regardless of where the data controller or processor is located, as long as their activities significantly impact or target individuals within Botswana. Companies operating globally, especially those dealing with Botswanan customers or data subjects, will need to carefully assess their data processing activities to ensure compliance with this legislation.

Material Applicability Factors

Botswana's Data Protection Act contains several material applicability factors that determine its scope:

  1. Personal and Domestic Use Exemption
  2. National Security and Law Enforcement Exemption
  3. Government and Public Agency Exemption
  4. Sectoral Exceptions Regulated by Other Laws
  5. Filing System Criterion
  6. Automated Means Criterion

Personal and Domestic Use Exemption

The Data Protection Act explicitly excludes the processing of personal data for purely personal or household activities from its scope.

National Security and Law Enforcement Exemption

The Act provides a broad exemption for data processing activities related to national security, defense, public safety, and law enforcement.

Government and Public Agency Exemption

The Act extends the exemption to other state functions, including economic and financial interests and regulatory activities.

Sectoral Exceptions Regulated by Other Laws

The Act recognizes that certain sectors may have their own data protection standards established in specific legislation.

Filing System Criterion

The Act applies to non-automated processing of personal data under certain conditions, specifically when it forms part of a filing system or is intended to form part of a filing system.

Automated Means Criterion

The Act applies to data processing carried out by automated means.

These material applicability factors work in conjunction with the territorial scope to define the comprehensive applicability of Botswana's Data Protection Act. They ensure that the Act covers a wide range of data processing activities while also providing necessary exemptions for personal use, state functions, and sectors with existing regulatory frameworks.



🇧🇼

Botswana

Judicial Proceedings and Court Records Exemption 👮🏼 National Security and Law Enforcement Exemption🏛️ Government and Public Agency Exemption⚖️ Sectoral Exceptions Regulated by Other Laws

globe_book Resources (5)

link MISA Botswanalink University of Botswana - Department of Information and Technologylink Botswana Parliamentlink Government of Botswanalink Information and Data Protection Commission (IDPC)

Groups Consultants: (0)