Namibia currently lacks comprehensive data protection legislation in line with the constitutional right to privacy and other laws such as the Labour Act and the Financial Intelligence Act, leaving personal data processing unregulated. Namibia’s Data Protection Bill, 2023 (“DPB”) is still in its early legislative steps and must undergo further parliamentary review before it is passed into law. Although the Bill is not yet in force, organisations in Namibia must, drawing from the experience of neighbouring countries and other jurisdictions which have active privacy laws, take proactive steps to pre-empt such laws and, as a starting point, examine the Bill's implications, given the significant role data protection and digital privacy currently play. The proposed legislation will introduce pivotal changes to our data privacy laws and how organisations operate.
Who does the DPB apply to?
The DPB aims to regulate the processing of personal data, whether automated or manual, as long as the data is organised and accessible by specific criteria. The DPB mandates transparent, fair and lawful data processing, primarily based on individual consent. It imposes certain obligations on controllers, processors and third parties regardless of their location. It applies to data processing activities that concern individuals within Namibia.
As the DPB is not industry-specific and given its wide application, the DPB will have a profound and direct impact on all private and public organisations in Namibia.
Role Players
The DPB creates several new role players including (i) Data Subjects, (ii) Controllers, (iii) Processors and (iv) the Data Protection Supervisory Authority.
Data Subjects are individuals whose data is processed; Controllers are entities deciding data processing purposes and means; Processors are those processing data on behalf of the Controllers; and the Data Protection Supervisory Authority is a new independent body with powers to enforce compliance.
The DPB also, however, makes provision for a “third party”, meaning any person, other than the data subject, the controller, the processor, and anyone who, under the direct authority of the controller or the processor, is authorised to process personal data.
The DPB distinguishes between “personal data”, which can identify an individual (e.g., name, ID number, IP address), and “special categories of personal data”, including sensitive information such as race, political opinions, religious belief, trade union membership, or criminal records. Processing includes the collection, recording, organising, structuring, storing or preserving, combining, adapting or altering, accessing, retrieving or consulting, transmitting, disclosing or making available, restricting, erasing, or destructing, or the carrying out of logical and/or arithmetical operations on such data. Given the broad description of these definitions, all organisations in one form or another process personal data and fall within the ambit of the DPB.
General Prohibitions on the Processing of Personal Data
The processing of special categories of personal data is generally prohibited unless the individual concerned gives their consent or another exemption applies. The same goes for processing a child’s data. The processing of children's personal information must be performed with sufficient guarantees to ensure that the processing of the child’s data does not adversely affect their individual privacy to a disproportionate extent, or result in the data concerned being made public without the consent of a competent person. In such cases, the onus rests on the controller and/or the third party to prove that consent has been obtained from the data subject or competent person.
General Limitations on the Transborder Flow of Personal Data
The DPB further imposes a limitation on the transborder flow of personal data. The conditions for transferring personal data to another country include ensuring that the recipient is subject to laws or agreements that provide a level of protection similar to Namibian standards, obtaining the data subject's consent, or if the transfer is necessary for the performance of a contract involving the data subject.
Compliance and Enforcement
Non-compliance with the DPB can lead to severe consequences, including fines, imprisonment, or both.
The Data Supervisory Authority (“The Authority”) is authorised to issue compliance assessments to investigate compliance with the DPB. Any person may submit a claim to the Authority, alleging interference with the protection of the personal data of a data subject. The Authority, upon receipt of a complaint, may conduct a full investigation. The Authority may also secure a settlement between the parties concerned, where it appears from the complaint that such settlement and assurance against the repetition of such action is appropriate.
During an investigation, the Authority can apply for a warrant if there are reasonable grounds for suspecting that a controller is processing data unlawfully. The Authority is also empowered to make public any information relating to the personal data management practices of a controller that has been the subject of an assessment if it considers it is in the public interest.
The Authority may also refer a complaint to another regulatory body if the Authority considers that the matter falls within the jurisdiction of another regulatory body.
Conclusion
Overall, the Data Protection Bill, 2023 represents a critical step towards establishing comprehensive data protection in Namibia. By introducing clear guidelines and stringent enforcement mechanisms, the DPB aims to safeguard personal data, ensuring that individuals' privacy is respected and protected in the digital age. As the DPB progresses through the legislative process, its potential to significantly enhance Namibia's data privacy landscape is evident, making it essential for stakeholders to understand and prepare for the forthcoming changes.
The adoption of the DPB presents an opportunity for businesses to build trust, safeguard their reputation and align with global best practices. We encourage organisations to be early adopters of these privacy interventions, including the adoption of policies, training of staff, conducting privacy impact assessments and aligning privacy with cybersecurity, especially as this will assist organisations in protecting their data assets – which have been dubbed the “new oil”.
--
Read the original publication at ENS