A Study of Data Protection Regulations Regarding the Scope of Application and Extraterritoriality

Authored By: Lesedi Wada Lentswe

University of Botswana

ABSTRACT

Data protection is a new and increasingly important field, as individuals give away their data at every waking moment and through almost every action, from setting appointments with their doctor to entering residential data in online shopping stores. Every bit of data we leave can be used and abused, particularly if the data is exploited due to data theft or insufficient safeguards in the processing and protection of the data. This article questions the effectiveness of regional data protection regulations compared to individual pieces of national legislation. In this case, this article shall consider the General Data Protection Regulation of the European Union and the Data Protection Act of Botswana. This article shall consider the ramifications of having extraterritorially applicable regulations in comparison to regulations that are only intended to apply territorially, and shall consider ways in which data protection can be more consistent across regions or internationally, as the Internet exists as a borderless entity and individuals regularly give away personal data to companies and data controllers outside the borders of their country of origin or residence.

INTRODUCTION

In this article, the concept of data protection shall be explored, comparing the approaches to cross-border data transfers of the Data Protection Act 2018[1] of Botswana and the protections offered under the General Data Protection Regulation 2018[2] of the European Union. The Data Protection Act of Botswana is relatively new and follows in the footsteps of EU regulations, providing protections similar to those provided by the EU. This article hopes to not simply compare the two regulations but to investigate why there are differences in the scope of protections, particularly as this is a constantly evolving field.

Background

Data protection regulations are intended to protect the right to privacy. Privacy in this context refers to the ability of an individual to navigate social relationships by controlling access to information about themselves, and, furthermore, where an individual loses control of information about themselves, this leads to a loss of privacy.[3] The underlying purpose of protecting personal data is to enable individuals to exercise control over their own data that is collected and used by others.[4]

Privacy is protected as a human right under Article 17 of the International Covenant on Civil and Political Rights (ICCPR), which states that “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation”.[5] Furthermore, the African Union adopted a Convention on Cyber Security and Data Protection in 2014 in order to encourage African nations to recognise and implement regulations and establish authorities charged with the task of protecting personal data.[6]

Botswana

The Right to Privacy is established in section 9 of the Constitution of Botswana, which provides as follows.

“(1) Except with his or her own consent, no person shall be subjected to the search of his or her person or his or her property or the entry by others on his or her premises.”[7] In interpreting this right, the High Court of Botswana in the case of Motshidiemang v Attorney General and Another posited that “privacy is context-based and must be interpreted in light of the current era and context”.[8] On the surface, section 9 seems to protect a right to privacy limited to protection against the search of an individual or entry by others onto their property; however, the High Court of Botswana has held that these provisions should be given a “broad, generous and purposive interpretation”.[9] Furthermore, the Court of Appeal in Attorney General v Dow ruled that, as Botswana is a member of the community of civilised States which have undertaken to abide by certain standards of conduct, it would be improper, unless it is impossible to do otherwise, for the courts to construe legislation in a manner which contradicts the international obligations Botswana has undertaken.[10] Therefore, the courts do accept guidance from international law and comparative foreign law regarding what constitutes the individual’s right to privacy.[11]

The Data Protection Act of Botswana (DPA) was enacted to (1) ensure that the protection of personal data and the safeguarding of the privacy of individuals concerning their personal data are upheld; (2) institute the Information and Data Protection Commission; and (3) provide for all matters incidental thereto.[12] In line with the DPA, individuals are meant to have informational autonomy[13] relating to access to their data, and to be able to request the correction or erasure of inaccurate data and object to data processing for certain purposes.[14] The DPA provides in section 4 that the Act shall apply to data controllers established in Botswana that process personal data, as well as those located outside the country but conducting their business activities within Botswana.[15] The Act applies to both automated and non-automated processing of personal data that is part of or meant to form part of a filing system.[16]

Despite the existence of the SADC model law on Data Protection, most member states have thus far based their data protection regulations on the European Union’s Data Protection Directive, a predecessor of the General Data Protection Regulation. Therefore, it is relevant to consider the EU regulations when examining the Data Protection Act.[17] A desire to attract foreign investment, particularly from Europe, has been instrumental in motivating African States to establish data protection regulations that are harmonised with European regulations, which leaves these states playing a game of catch-up.[18] Unfortunately, this does mean that it is easier for data processors and controllers from the EU to gain access to personal data in SADC than it would be for SADC-based data processors and controllers to gain access to the EU, because they would be required to comply with both their national standards and the stricter EU standards.[19]

European Union

The goal of the General Data Protection Regulation of the EU is “to improve the level of data protection for natural persons whose personal data is processed by automated means, or not, and to increase opportunities for trade and free movement in a single digital market, in particular, by reducing red tape.”[20] The GDPR provides in Article 3 for the territorial scope of application of the Regulation.[21] It applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.[22] It also applies to the processing of personal data of subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to such data subjects in the Union, irrespective of whether a payment of the data subject is required, or to the monitoring of their behaviour as far as their behaviour takes place within the Union.[23] Lastly, Article 3.3 provides that the Regulation also applies to the processing of data by a controller not established in the Union but instead in a place where Member State Law applies by virtue of Public International Law. This can include applications specified under trade agreements and contracts.[24]

Greater Scope of Application of the GDPR

The GDPR does have a greater scope of application due to the fact that the Regulation was created by the EU for application within the region, as well as extraterritorially, as in instances where the Regulation is deemed applicable by Public International Law and where the data controller is outside the EU processing data of EU citizens.[25] This greater scope of application provides more consistent data protection for citizens of the EU, ensuring that even where individuals move around the EU or data collectors collect data from multiple EU states, the data subjects are able to have consistent coverage of their rights.[26] However, even within the EU, each state does customise the GDPR to some extent.

The Data Protection Act of Botswana, on the other hand, is a piece of national legislation that applies territorially within Botswana as well as to data controllers conducting their activities within the country.[27] Even regionally in SADC, each nation has developed its own standalone legislation, therefore making consistent data protection across the continent virtually non-existent. South Africa has the Protection of Personal Information Act 2021 (POPIA),[28] and Zimbabwe has the Cybersecurity and Data Protection Act (2021).[29] These separate pieces of national legislation all protect the data of citizens on a national territorial basis and, in some instances, extraterritorially as well, where data controllers operate within the country. However, the question arises: when data is collected from multiple nations with their own legislation, should the national legislation of the individual apply, or the legislation of the country where the data collector resides? Or perhaps both? If so, in the event of a data collector suffering a breach in their network, they will have to manage multiple legislative requirements in notifying different Authorities of the breach and ensuring compliance with the differing standards.

Why Is the Scope of Application or International Cooperation Important?

Unfortunately, the nature of electronic communication and data collection is borderless, as companies from all over the world, such as Google and Meta (Facebook, Instagram, WhatsApp), collect data in exchange for their services.[30] This ‘economic surveillance’ has become commonplace as every online platform asks users to accept “cookies” in order to gain access, and many accept without realising that they are consenting to the platform collecting their data.[31] This collected data is then processed in order to optimise user experience by the online platform, or sold to third-party advertisers, or even collected by state authorities for political or law enforcement purposes.[32] Data subjects consent only once for data collection; however, they have not had control over how their data is used or whether to modify or delete their data profiles.[33] Data protection legislation enables them to do so, and in order to be fully effective, data subjects must be able to exercise control over their entire data profile, and territorial jurisdiction and different regulating authorities must not create unnecessary barriers to the exercise of the rights granted by the legislation.[34]

The question arises whether data controllers should be required to ensure compliance with every single piece of national data protection legislation in the territories where they provide services and collect data. Additionally, will the data subject be responsible for keeping track of every single website, organisation, company, etc. that they give their data to in order to be able to exercise control over their personal data? As previously noted, there are many complex and unique pieces of data protection legislation across jurisdictions. To expect every data collector to register as such in each jurisdiction is a gargantuan task, and considering the lack of awareness of data protection legislation within Botswana, as well as outside, these data protection regulations may set up data collectors for failure despite the many postponements of the deadlines for registration.[35]

Another challenge that has been recognised is that data processed using computer systems is more vulnerable to manipulation, interception, and erasure, which constitute a major concern of computer security and of the criminal law provisions on computer crime.[36] Violations of the data protection regulations may even come from malevolent actors outside the country, which may create an enforcement challenge when there are no data protection regulations in the offender’s country and national legislation has no extraterritorial effect. Furthermore, once data is computerised, it becomes vulnerable to long-term storage, as it may be saved on multiple devices across the network. This may mean that even where the data has been deleted or altered, the deletion or alteration may not have been carried out effectively, which may lead to violations of the individual’s rights.[37]

Data that is collected and sold to third parties can be used in ways unimagined by the data subject, for example, in the Cambridge Analytica scandal. Cambridge Analytica was a data analytics firm that worked with Donald Trump’s election team. They gained access to the personal data of millions of Facebook users and used the data to target American voters on a psychological level, manipulating them based on their ideological profiles.[38] Furthermore, Mark Zuckerberg, Meta CEO, has been a regular in the Courts of the US due to lawsuits alleging that the company has been making its platforms more addictive, particularly to minors.[39] This has become a regular practice amongst data collectors, particularly in apps and online stores, making their platforms inescapable, all in a bid to collect more data as it is actually valuable to those willing to pay for it. Considering these cases, how will national legislation be able to bring these multinational digital entities to heel in order to enforce the Act and protect the rights of the people to their personal data?

CONCLUSION

The Author acknowledges that there are more issues at the forefront of the data protection discourse, and many are identified by Manyeke.[40] However, the two important ends of the data protection regulation sandwich are the data subjects and the data controllers, be they individuals or juristic persons, and it is important to make sure that the data subjects are empowered to effectively enforce their rights through the authorities. On the other hand, harmonised data protection regulations would make commercial business sense as it would create a simpler legal foundation of trade and enable data controllers to save resources and avoid controversy and scandal as non-compliance with these regulations does bear hefty fines.[41] Furthermore, considering that many states are replicating the EU regulations, we may coincidentally end up with some degree of harmonisation, however unintentional.[42] But for the sake of setting the record straight, introducing a provision like Article 3(2) of the GDPR within SADC or even the AU, if possible, may bring great benefit by sorting the issue of extraterritoriality within the region and preventing drawn-out debates over which national legislation applies in transnational disputes.[43] Furthermore, a unified front on this matter may even give African States more persuasive power in transnational disputes.

Reference(s):

[1] Data Protection Act 18 of 2024

[2] Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016

[3] Tumelo Keakopa and Olefhile Mosweu, “Data Protection Law in Botswana: Opportunities and Challenges for Records Management” (2020) ESARBICA Journal, Vol. 39, 2020, pp. 65 – 78

[4] C. Lazaro and D. Le Metayer, “Control over Personal Data: True Remedy or Fairy Tale?” (2015) Scripted; A Journal of Law, Technology and Society Vol 12, Issue 1, June

[5] United Nations International Covenant on Civil and Political Rights (ICCPR)

[6] African Union Convention on Cyber Security and Personal Data Protection, adopted 27 June 2014

[7] Constitution of Botswana [Cap. 01], Laws of Botswana

[8] Per Leburu J, in Motshidiemang v Attorney General and Another, MAHGB-000591-16 at paras 107 and 112

[9] B. T. Balule and B. Otlhogile, “Balancing the Right to Privacy and the Public Interest: Surveillance by the State of Private Communications for Law Enforcement in Botswana”, Statute Law Review, 2016, Vol. 37. No. 1, p19-32 cited Ketlhaotswe and others v Debswana Diamond Company (Pty) Ltd. CVHLB-00116—07 (unreported, delivered on 27 September 2012)

[10] Attorney General v Unity Dow 1992 BLR 119 (CA)

[11] Ibid fn 9

[12] Tumelo Keakopa and Olefhile Mosweu, “Data Protection Law in Botswana: Opportunities and Challenges for Records Management” (2020) ESARBICA Journal, Vol. 39, 2020, pp. 65 – 78 at p68

[13] B. T. Balule and B. J. Dambe, “Surveillance within the Law: A Critique of the Legal Framework for Surveillance of Digital Communications by Law Enforcement Authorities in Botswana” Statute Law Review, 2023, 44, p1-14

[14] M. Manyeke, “Examining the Impediments to Compliance with the Botswana Protection Act at the Botswana Unified Revenue Services (BURS)” Records Management Journal Vol. 36 No. 1, 2026 pp53 – 68

[15] Ibid fn 1 section 4

[16] Ibid fn 1

[17] C. Ferreira, “Harmonisation of Data Protection Regimes in Southern African Development Community: Considering the Influence of the SADC Model Law on Data Protection and the European Union on Data Protection Laws in SADC”, February 2021, Published by the University of Cape Town

[18] Ibid fn 18

[19] Ibid fn 18

[20] Diaz, E. D. “The New European Union General Regulation on Data Protection and the legal consequences for institutions” (2016)

[21] Ibid fn 2 Article 3

[22] Ibid fn 2

[23] Ibid fn 2

[24] Ibid fn 2

[25] C. Ferreira, “Harmonisation of Data Protection Regimes in Southern African Development Community: Considering the Influence of the SADC Model Law on Data Protection and the European Union on Data Protection Laws in SADC”, February 2021, Published by the University of Cape Town

[26] Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) Version 2 12 November 2019

[27] https://misa.org/blog/new-botswana-data-protection-act-progressive-step-to-a-more-secure-digital-environment/ [accessed 31 March 2026]

[28] Protection of Personal Information Act 2021, Act No. 4 of 2013

[29] Cybersecurity and Data Protection Act 2021 Chapter 12:07

[30] A. G. Ferguson, “Your Data Will Be Used Against You: Policing in the Age of Self-Surveillance” (2026), New York University Press.

[31] Ibid fn 30

[32] B. T. Balule and B. J. Dambe, “Surveillance within the Law: A Critique of the Legal Framework for Surveillance of Digital Communications by Law Enforcement Authorities in Botswana” Statute Law Review, 2023, 44, p1-14; A. G. Ferguson, “Your Data Will Be Used Against You: Policing in the Age of Self-Surveillance” (2026), New York University Press.

[33] Ibid fn 30

[34] C. Ferreira, “Harmonisation of Data Protection Regimes in Southern African Development Community: Considering the Influence of the SADC Model Law on Data Protection and the European Union on Data Protection Laws in SADC”, February 2021, Published by the University of Cape Town

[35] M. Manyeke, “Examining the Impediments to Compliance with the Botswana Protection Act at the Botswana Unified Revenue Services (BURS)” Records Management Journal Vol. 36 No. 1, 2026 pp53 – 68

[36] Tumelo Keakopa and Olefhile Mosweu, “Data Protection Law in Botswana: Opportunities and Challenges for Records Management” (2020) ESARBICA Journal, Vol. 39, 2020, pp. 65 – 78 at p. 75

[37] Ibid fn 36

[38] https://www.cbsnews.com/news/meta-youtube-social-media-addiction-lawsuit-verdict/ [accessed 31 March 2026]

[39] https://www.cbsnews.com/news/meta-youtube-social-media-addiction-lawsuit-verdict/ [accessed 31 March 2026]

[40] M. Manyeke, “Examining the Impediments to Compliance with the Botswana Protection Act at the Botswana Unified Revenue Services (BURS).”

[41] Section 51 of the Data Protection Act 2018

[42] C. Ferreira, “Harmonisation of Data Protection Regimes in Southern African Development Community: Considering the Influence of the SADC Model Law on Data Protection and the European Union on Data Protection Laws in SADC”, February 2021, Published by the University of Cape Town

[43] Ibid fn 42
