- DIS to gain access to personal and sensitive data abroad
- No public consultation on proposed Law
- Data controllers given 12 months to comply with new legislation
- Citizens given right to demand information
- Citizens can sue for unauthorised use of data
- Bill does not contain “Right to be Forgotten”
- Act fails to address EU legislation
Civil rights groups have spoken out against data legislation that removes the right of individuals to be protected against unreasonable searches and seizures
The Data Privacy Bill is finally before parliament and is expected to pass this session. As the first piece of legislation of its kind in Botswana, the Bill which was brought forward by the Minister of Defence, Security and Justice Shaw Kgathi seeks to protect the rights of individuals against the non-consensual use of their private data and personal information and, once it becomes law will confer the right on individuals to sue data controllers for damages due to intrusions and misuse of individuals’ data. The Data protection law is however marked by inadequate protection measures and diluted by provisions that exempt government and other state players from the proposed legislation.
The Data Privacy Bill, once law, will not protect data subjects, the normal day to day users from one of the most privacy intrusive legislations in existence, the Financial Intelligence Act amendment which provides that should any conflicts between financial intelligence laws and any other law arise the former will supersede all other legislation.
The true extent and scope of the protections conferred on individuals by the Bill, as with all innovative legislation, will only be fully appreciated once the courts have been called upon to pass judgement on the extent of privacy rights and their protection. Notably however Government Departments, Ministries and the National Assembly will be exempt from the proposed legislation and the State will also be exempt in respect of processing personal and sensitive data on the grounds that it requires such data for reasons of national security, defence and public safety and the prevention, investigation or establishing proof of criminal offences. The exclusion of protection of an individual’s data rights due to national security, defence and public safety have been widely condemned in similar legislation in other jurisdictions, where they are seen to be overbroad, allowing the State to obtain and process personal and sensitive information for political control and undemocratic purposes.
Civil rights groups, including the Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU), Amnesty International, and Human Rights Watch have spoken out against data legislation the removes the right of individuals to be protected against unreasonable searches and seizures. The Civil rights groups argue that governments may enter into data rights sharing agreements with foreign countries and bypass national courts and affected users would not be notified if such transfer of information takes place. Human rights groups have expressed their fear that governments would not adequately review requests from foreign countries for their citizens data stored on servers in the U.S. and elsewhere, potentially allowing such data to be used in bad faith in those countries.
Meeting the compliance requirements imposed by American national security policy, the proposed Bill provides that government agencies, such as intelligence services and financial intelligence units can share personal and sensitive information with 3rd party countries without them having in place laws that require intelligence agencies to follow due process through courts of law. The US national security policy requires that governments enter into executive agreements with the US and have legislation in place that allows state agencies to circumvent national data protection laws with 3rd party states. Botswana has previously signed a similar international agreement with the United States, exempting members of the US government from falling under the jurisdiction of the International Criminal Court. Government has not yet entered into an executive agreement with the United States Government on the exemptions of data protection rights. It is expected to do so once the legislation is passed by parliament and assented to by the president.
The Data Protection Bill establishes an individual’s right to data privacy and creates a legal framework for the enforcement and protection of their rights. To meet its objectives, the Bill proposes the establishment of a Commission comprising of a Commissioner and Deputy Commissioner both of whom shall be appointed by the Minister. The Commissioner shall appoint such other officers as may be necessary for the fulfilment of its functions.
Though the commission is required to deal with and establish an important constitutionally protected right, the right to privacy, the Bill fails to meet the requirement of the Paris Principles on human rights institutions. The United Nations Paris Principles require that human rights institutions have a broad mandate, based on universal human rights norms and standards; Autonomy from Government; Independence guaranteed by statute or Constitution; Pluralism; Adequate resources; and Adequate powers of investigation. The Botswana Government is a signatory to the Paris Principles.
Companies will be required to provide their identities and places of residence/business to data subjects and must additionally provide sufficient information as to whom will have access to the information, the purpose for which the data will be used, and they must notably allow the data subject the right to object to the use of their personal data.
Data subjects will have the right to demand from data controllers and processors whether they have information pertaining to them, the nature of the information and receive a communication of their personal data within a reasonable period of time. Importantly the data subject challenge the nature of the data relating to them. While the Bill proposes that incorrect information may be corrected removed it does not go so far as to establish a right to be forgotten.
In enforcing its objectives, the commission has the authority to impose fines ranging from P20 thousand and 1-year imprisonment for incorrect information capturing, to P1million and a potential 12-year imprisonment for possession of unauthorised sensitive information by a data controller.
The proposed Bill prohibits any person, which includes companies and individuals from processing “Sensitive Personal Data” without the express consent of the data subject. The protection embraces sensitive data as information which reveals an individual’s racial or ethnic origins; political opinions; religious or philosophical beliefs; membership of Trade Unions; physical or mental health conditions; sexual life; filiations and personal financial information.
The Data Privacy Bill is being introduced as government’s response to growing international trends in regulation and the protection of data privacy laws that impose substantial penalties on companies that allow unauthorised use of individuals private data. The Bill further seeks to make Botswana compliant with American legislation so as to enjoy the benefits that data sharing brings to the shadowy world of counter espionage.
To protect the local economy and local data companies from international penalties and further to advance its own counter espionage capabilities, government has been compelled to introduce its own data protection legislation. Among the most anticipated international regulations are the European Union General Data Protection Regulation (GDPR) and the American Clarifying Lawful Overseas Use of Data Act or CLOUD Act. Under the former legislation the European Union (EU) can impose fines on non-compliant companies that process EU citizen’s and resident’s data of up to Euro 20 million (approximately P245 million) or 4% of a company’s total global revenue. The fines extend to companies in Botswana that fall outside the EU but nevertheless deal with EU citizen’s and resident’s personal data.
Under the American CLOUD Act, only countries that have legislated to provide for the sharing of transborder personal data will be entitled to obtain personal data from American corporate entities and their subsidiaries.
The need for data privacy protection came to prominence after revelations of The Facebook–Cambridge Analytica data scandal that involved the collection of personally identifiable information of over 87 million Facebook users. The data was used to influence voter opinion on behalf of politicians who hired them in the United States and Kenya.
The scandal raised the level of public discussion on ethical standards for social media companies, political consulting organizations, and politicians.
READ PART 2 ON NEXT WEEK EDITION