More on the Draft Data Protection Bill

Some of our readers may be aware of long-running discussions regarding the implementation of data protection legislation in Namibia. These efforts culminated in the publication of a Draft Data Protection Bill (2022) by the Namibian Ministry of Information and Communication Technology. The latest Bill was published for consultation and public comment in October 2022. However, the 2022 Draft Bill appears to be substantially different to the Final Draft Bill that was circulated for public comment in 2020.

Several concerns have since been raised regarding the 2022 Draft Bill, most of which focused on its likely impact on human rights and the underdeveloped consent provisions contained therein. The Draft Data Protection Bill in Namibia is intended to safeguard individuals’ personal information by setting clear regulations for data collection, storage, and processing. In furtherance of this objective, it mandates responsible and transparent handling of personal data by data controllers and processors. The Bill also grants individuals the right to access their data, request corrections, and seek remedies for misuse. By aligning with international standards, the Bill aims to enhance privacy protection, boost consumer confidence, and support the country’s digital economy.

Some key points to note, at this stage, in respect of Namibia’s current Draft Data Protection Bill:

• Compliance Period: Data controllers will have a one-year period after the Bill’s commencement to comply.
• Scope: The Bill applies to personal data processing activities within and outside Namibia, provided these activities concern individuals within Namibia’s jurisdiction.
• Primary Objectives: The Bill seeks to regulate personal information processing to protect fundamental rights and freedoms, ensure data subject rights, establish a supervisory authority, and outline the responsibilities of data controllers and processors.
• Administrative Fines: There are no specified minimum or maximum limits for administrative fines that may be imposed on controllers by the supervisory authority. The data protection supervisory authority has been mandated to make regulations pertaining to administrative fines. The data protection supervisory authority may consider high administrative fines in an effort to discourage data controllers from contravening the legislation, once in force.
• Regulatory Alignment: Businesses already compliant with GDPR or POPIA will find it relatively straightforward to comply with the Bill once it becomes law.

We will keep you updated on further developments in this regard.