Emerging issues for Data Protection Authorities in Southern Africa
Continuing and emerging issues for Data Protection Authorities in the Southern African Development Community
Data protection has gained global importance, for various reasons. Data has
been viewed as the new oil, though it is not oil, as it is non-rivalrous, and
replenished unlike oil. Data has been seen as driver of economic growth, with
its economic value estimated in billions, causing countries to rush towards a
digital economy. Data has again been viewed as part of a fundamental right to
privacy, though it is not the same as the right to privacy and albeit deserving
protection as violations of personal data results in economic, social, emotional
and discriminatory harms. This report does not debate or distinguish the value
or importance of data but focuses on the increased efforts to protect data
privacy within the Southern African Development Community (SADC) region,
as a political and economic bloc.
This report contributes to the growing literature on data protection authorities (DPA) in Africa, focusing on countries in
the Southern African Development Community (SADC). For purpose of this
report only Eswatini, Zimbabwe, Botswana, Zambia, Lesotho, South Africa and
Mauritius are referenced and reviewed.
As technology evolves, new challenges emerge, that data protection
authorities are not sufficiently designed to resolve or address, and therefore
their independence becomes irrelevant or insufficient, as the pressing matters
are not entirely about independence, but technical, political and administrative.
There are several challenges for data protection, and data protection
authorities; these are automated data processing; cross border data transfers;
handling of sensitive data including health related data from COVID-19;
surveillance and smart cities; and data breaches. The report highlights some of
the pressing needs for DPAs including financial support, administrative issues,
and enforcement of decisions. The enforcement of data protection laws is
dependent on the existence of a functioning data protection authority whether
as a single institution or several institutions that might have shared mandates.
While the absence of independent data protection authorities capable of
enforcing data protection is usually the main issue of concern, there are other
emerging aspects weakening the capacities of data protection authorities to
advance data privacy and data protection as a fundamental right. This report
makes further assertions that while independence of the data protection
authority is essential, it cannot be the only issue undermining the effective
protection of data privacy in the SADC region. The report makes specific
recommendations to data protection authorities; legislature and civil society.