Namibia: An overview of the draft Data Protection Bill
Namibia's Ministry of Information and Communication Technology ('MICT') recently published Namibia's draft Data Protection Bill 2022 ('the Bill'). To ensure public participation, the MICT has conducted regional consultations with members of the public. Further, members of the public were invited to submit their inputs and comments to the Bill until 30 November 2022. The Bill is still in the early legislative steps and will have to go through parliamentary processes before it is passed into law.
Melody Musoni, an independent privacy professional, discusses the key provisions of the Bill, highlighting topics, such as data processing principles, data subject rights, and cross-border data transfers.
The Bill provides two definitions for persons responsible for processing personal data. The first definition is that of a 'controller' and the second one is that of a 'responsible party'.
The Bill defines a controller as a natural or legal person or public body that, alone or jointly with others, has decision-making powers determining the purposes and means of processing of personal data. The Bill defines responsible party as a public or private body or any other person which, alone or in conjunction with others, determines the purpose of, and means for, processing personal information. It is not clear why the definition for responsible party is included in the Bill. The term is only used twice in Section 5 of the Bill under the functions of the data protection supervisory authority.
When one considers the striking similarities between Sections 40(1)(c) and (h) of South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') and Section 5(1)(a) and (g) of the Bill, it may be a fair assessment that the term 'responsible party' was borrowed from POPIA.
The Bill, once passed into law, will become Namibia's law on data protection. Controllers will have a one-year grace period after the commencement of the Bill to comply (Section 75 of the Bill). The Bill applies to the processing of personal data done within and outside of Namibia where the processing relates to individuals within the jurisdiction of Namibia (Section 2(4) of the Bill). This means that businesses, organisations, and entities operating outside Namibia (for example, cloud service providers) may be subject to the Bill if they are processing personal data of people in Namibia. As such, they need to understand their obligations as set out under the Bill.
The objective of the Bill is to provide for the regulation of the processing of personal information, including:
- protecting fundamental rights and freedoms;
- providing for the rights of data subjects;
- establishing a data protection supervisory authority;
- establishing obligations of data controllers and processors; and
- providing for applicable codes of conduct.
Controllers need to identify and know the legal bases they are relying on to process personal data in terms of the Bill (Section 20(3) of the Bill). A controller can process personal data by relying on the consent of the data subject. Lawful processing may also take place if it is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party. Thirdly, a controller can process personal data to comply with a legal obligation. Legitimate interests of the data subject, the controller, or a third party to whom the data is supplied can be other lawful bases to rely on when processing personal data. Finally, personal data may be processed if processing is carried out for archiving purposes in the public interest, or for scientific, historical research, or statistical purposes subject to appropriate safeguards for the rights and freedoms of data subjects.
It might be a while before the Bill is passed into law, but organisations and entities need to start changing their business processes, systems, and culture to align with the processing requirements under the Bill.
Data processing principles
Part 3 of the Bill sets out the following obligations of controllers and processors when processing personal data:
- Personal data must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject (Section 20 (1) of the Bill).
- Personal data must only be processed if it is adequate, relevant, and not excessive (Section 20(2) of the Bill).
- Personal data must be collected directly from the data subject, except as otherwise specified (Section 21 of the Bill).
- Personal data must be collected for a specific, explicitly defined, and lawful purpose related to a function or activity of the controller (Section 22 of the Bill). Any further processing of personal data must be compatible with the purpose of collection (Section 24 of the Bill).
- Personal data must be complete, accurate, not misleading, and updated where necessary (Section 25 of the Bill).
- Records of personal data must not be retained any longer than is necessary for achieving the purpose for which the personal data was collected. If a controller is no longer authorised to retain a record, they must destroy, delete, or de-identify the record (Section 23 of the Bill).
- A controller must take reasonably practical steps to notify the data subject about the personal data being collected, the purpose for collection, whether the supply of the personal data by the data subject is voluntary or mandatory, the consequences of failure to provide the personal data, and any particular law authorising or requiring the collection of the data (Section 26 of the Bill).
- A controller must take appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of personal data in their possession (Section 27 of the Bill). A controller must ensure that these same measures are adopted by a data processor or third party processing personal data for the controller (Section 29 of the Bill).
- A data processor or third party who processes personal data on behalf of the controller or a processor must process such personal data only with the knowledge or authorisation of the controller or processor, treat personal data as confidential, and not disclose it unless required by law or in the course of the proper performance of their duties. The data processor or third party must also notify the controller if personal data has been accessed or acquired by any unauthorised person (Section 28 of the Bill).
- A controller must notify the data protection supervisory authority or a data subject if there are reasonable grounds to believe that the personal data of a data subject has been accessed or acquired by any unauthorised person (Section 30 of the Bill).
- Special categories of personal data, such as religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric data, or criminal behaviour of a data subject shall only be processed under specific circumstances (Section 34 of the Bill).
Oversight and enforcement
Part 2 of the Bill provides for the establishment of a data protection supervisory authority. The data protection supervisory authority shall be independent and subject only to the Constitution of the Republic of Namibia ('the Constitution') and the law; it must be impartial, perform its functions without fear, favour, or prejudice, and exercise its powers and perform its functions in accordance with the Bill once it is passed into an Act. The data protection supervisory authority shall have jurisdiction across Namibia (Section 3 of the Bill). The data protection supervisory authority shall have a board responsible for the policy, management, and control of its affairs (Section 6 of the Bill). The board shall be composed of not more than five members, including the chairperson and vice-chairperson of the board (Section 7 of the Bill).
The data protection supervisory authority is responsible for:
- handling any complaints regarding the interference with the protection of personal data of a data subject (Section 5(1)(b) of the Bill);
- monitoring and enforcing compliance by public and private bodies (Section 5(1)(c) of the Bill);
- issuing codes of conduct (Section 5(1)(e) of the Bill); and
- facilitating cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation (Section 5(1)(f) of the Bill).
The Bill also contains administrative sanctions for the unlawful processing of personal data. There are no criminal sanctions imposed under the Bill. A controller or processor who unlawfully processes personal data in contravention of Section 20 of the Bill commits an offence and is liable to pay a fine to the data protection supervisory authority (Section 20(8) of the Bill). A controller, processor, or third party who obtains personal data in contravention of the requirements for processing special categories of personal data commits an offence and is liable to a fine to the data protection supervisory authority (Section 34(2) of the Bill). Failure to comply with the codes of conduct is an offence and the controller, or person acting under the authority of a controller, is liable to pay a fine to the data protection supervisory authority (Section 52 of the Bill). The data protection supervisory authority shall make regulations on matters incidental to the imposition of administrative fines (Section 73(2)(l) of the Bill).
Rights of data subjects
Data subjects have the right:
- to withdraw consent (Section 20(5) of the Bill);
- to object to the processing of personal data (Section 20(6) of the Bill);
- of access to personal data (Section 31 of the Bill);
- to rectify personal data (Section 32 of the Bill); and
- to lodge a complaint with the data protection supervisory authority (Section 26(1)(h) of the Bill).
Cross-border data transfers
Part 6 of the Bill deals with transborder flows of personal data. To lawfully transfer personal data from Namibia to a third party in a foreign country, the controller must rely on any one of the five lawful bases.
The transfer may take place if:
- the recipient is subject to a law, Binding Corporate Rules ('BCRs'), or binding agreements which provide an adequate level of protection that effectively upholds principles for the reasonable processing of personal data that is substantially similar to the conditions for lawful processing of personal data and includes provisions that are substantially similar to Section 53 of the Bill when the recipient further transfers the data to a third party in another foreign country (Section 53(1)(a) of the Bill);
- the data subject consents to the transfer (Section 53(1)(b) of the Bill);
- the transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken in response to a request by the data subject (Section 53(1)(c) of the Bill);
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and the processor or a third party (Section 53(1)(d) of the Bill); or
- the transfer is for the benefit of the data subject and it is not reasonably practicable to obtain the consent of the data subject to that transfer and if it were reasonably practicable to obtain such consent, the data subject would be likely to give it (Section 53(1)(e) of the Bill).
Discussion and recommendations
Clear remedies for data subjects
The Bill is commended for its inclusion and promotion of the rights of data subjects, such as the right to lodge a complaint with the data protection supervisory authority. However, it is not clear which remedies are available to a data subject once the data protection supervisory authority has found a controller to be unlawfully processing personal data. The Bill specifies that the controller can pay a fine to the data protection supervisory authority, but it is not clear whether the authority or a court can award a payment of damages as compensation for the loss suffered by a data subject.
Clear guidelines on administrative fines
The Bill does not set any minimum or maximum cap on the administrative fines which may be imposed on a controller by the data protection supervisory authority. It is up to the data protection supervisory authority to make regulations on matters incidental to the imposition of administrative fines (Section 73(2)(l) of the Bill). It is recommended that the data protection supervisory authority should consider higher administrative fines for non-compliance. Such high fines can potentially discourage businesses from unlawfully processing personal data.
Appointment of a DPO
There are certain data protection provisions which have been omitted in the Bill. For example, the Bill does not provide for the appointment of a data protection officer ('DPO'). Considering the similarities between the Bill and POPIA, it is not clear why the drafters of the Bill omitted the appointment of a DPO.
Under POPIA, every responsible party must have an information officer who is responsible for encouraging compliance with the conditions for lawful processing of personal information, dealing with requests made to the body, and working with the Information Regulator ('the Regulator') (Section 55 of POPIA). A DPO plays an important role in an organisation in ensuring compliance with data protection laws.
Similarly, the EU General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') requires the appointment of a DPO under certain circumstances:
- where processing is carried out by a public authority or body;
- where core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects; or
- where the core activities of the controller or processor consist of processing on a large scale of special categories of data (Article 37 of the GDPR).
It is recommended that, as the Bill undergoes revision, provisions on the appointment of a DPO and their roles and responsibilities (such as assisting with data subject access requests) should be included.
Journalistic purposes to be included on the list of exclusions
Journalists, and the processing of personal data for journalistic purposes, are not specifically exempted or excluded under the Bill. The Bill excludes processing activities carried out for purely personal or household purposes (Section 2(5) of the Bill), national security, defence, public safety, important economic and financial interests of the State, the impartiality and independence of the judiciary of Namibia, the prevention, investigation, and prosecution of criminal offences, the execution of criminal penalties, other essential objectives of general public interest, or the protection of the data subject or the rights and fundamental freedoms of others (Section 43 of the Bill). It is not clear whether journalistic purposes fall under 'other essential objectives of general public interest'.
Preparation of the budget of the data protection supervisory authority
Considering South Africa's experience in operationalising POPIA, there are potential operational challenges which may be faced by Namibia's data protection supervisory authority. The data protection supervisory authority will obtain funds from money appropriated by Parliament, money raised as fees and interest on unpaid fees in respect of services rendered by the data protection supervisory authority in the performance of its functions, levies imposed on controllers and such persons acting under the authority of the controller, money vesting in, or accruing to, the data protection supervisory authority from any other source, or interest derived from the investment of funds of the data protection supervisory authority (Section 14 of the Bill). If there are insufficient funds, the data protection supervisory authority may be hindered in carrying out its functions and hiring qualified staff members. It is important that the Namibian Government start considering the budget for the data protection supervisory authority in advance, as it will take additional time before the data protection supervisory authority can start generating its own income through fees.
The Bill has great potential to provide for the protection of personal data of citizens and residents of Namibia. When compared to other data protection laws, the Bill does not impose onerous obligations on controllers or processors, such as requiring them to register with the data protection supervisory authority, to pay registration and annual renewal fees, to appoint DPOs, or to have a DPO who is resident within the country. Businesses which are compliant with the GDPR or POPIA will find it relatively easy to comply with the Bill once it becomes an Act. The Bill is also commended for its promotion of cross-border sharing of data. It remains to be seen whether the data protection supervisory authority will impose high administrative fines for non-compliance. Navigating compliance under the Bill is going to be relatively easy for persons doing business, or seeking to do business, in Namibia.
Melody Musoni, Independent Privacy Professional