Ushering In a New Dawn for Data Protection: Unpacking the Somalia Data Protection Act of 2023

Introduction

The present wave of technological advancement at the global level has necessitated legislative responses to data protection globally. In the African context, this wave brought about legislative shifts in the approach to data governance evidenced by a 61% adoption rate, as of April 2024, of laws geared towards the protection of data of a country’s citizens, across multiple jurisdictions across the continent. To better understand the wave, it is prudent to note at this point that most states in Africa have been keen on enacting new laws, where such data governance laws were absent, as well as amending old laws, where there were already existing legal frameworks. To enforce these legal regimes, these laws have also established data protection authorities.

Turning to the present case study of the Somalian approach, this jurisdiction in the Horn of Africa had for a long time been deficient in a comprehensive legal-regulatory framework on data governance, a gap which the Somalia Data Protection Act of 2023 fills.¹ This Act came into effect on March 23, 2023, just two days after the Somalian president announced its assent. This blog article canvasses notable advancements this Act has trailblazed in Somalia’s data governance space and draws links between it and select jurisdictions in the Global South, touching on the challenges faced in enforcing this regime.

Novel Features of the Act

The Somalia Data Protection Act has several novel features that cut across the approach taken, from the different categories of data covered to the exemptions of its applicability. To begin with, the approach taken by Somalia towards data protection and data privacy is best captured by inspecting its foundational basis, privacy. The Data Protection Act flows from Article 19 of the Somali Constitution, adopted on 1 August 2012, on the inviolability of the home.² Article 19 (1) of the Constitution protects citizens from arbitrary entry, searches and surveillance of their homes without any reasoned legal backing.³ Moreover, Article 19 (2) enshrines the need for such reasoned legal support, such as a court order, to be read to the occupier(s) of that home before such entry, search or surveillance is conducted.⁴ Taken together, these provisions point towards Somalia’s approach to data protection as preserving the inherent privacy that ought to be maintained against unlawful entry into another person’s home.

The Somalia Data Protection Act further establishes the Somalia Data Protection Authority, at Article 6, to process, protect, and oversee public as well as personal data within Somalia’s territory. Notwithstanding the Act’s inclusion of a novel data category, public data, it is important to note that the Act fails to define the term. Resultantly, this casts uncertainty on the scope of the Somalia Data Protection Authority’s mandate in the categories of protected data under the Act.⁵

Another novel aspect is that the Act’s purview is curtailed in four main instances. Articles 5 (1) to 5 (3) of the Act canvass the exemptions to the Act’s applicability. The first is where the data is intended for personal, recreational, or household purposes.⁶ To better understand this exemption, the European Union (EU) Privacy Handbook notes that these activities lack a professional or commercial connection and may be as common as taking photos at a school event.

The second exemption applies where data controllers, who are domiciled or operating in Somalia, process the personal data of data subjects within Somalia. This is in so far as they are not deemed to be data controllers of major importance at the time of the second anniversary of the Act’s commencement period i.e. 23 March 2025. A data controller differs from a data controller of major importance in that the latter is either domiciled, resident or operating within Somalia.⁷ In contrast, the former may not need to demonstrate such residency or operation in that jurisdiction. Summative, breaches of data protection principles cannot be taken to be in contravention of the Act.

Thirdly, the provisions of the Somalia Data Protection Act cease to apply where the concerned personal data is processed by authorities such as the police during their investigation, detection or execution of criminal penalties, in the control of a national public health emergency or the enforcement of national security.⁸ This ensures that other socioeconomic and civil-political rights are not prejudiced using a narrower approach to the Act’s enforcement. Where the instances mentioned arise, the Act’s data protection principles are substituted with reasonable, proportionate and effective measures to safeguard the fundamental rights and interests of the data subject.⁹

Lastly, there is an exemption of the Act’s applicability where data is taken for journalistic, educational, artistic, or literary expressions that do not contradict the Act’s objects and purpose.¹⁰ This provision allows the derogation of a person’s right to data privacy based on proportionality. For instance, a similar position exists in the Kenyan context through section 52 of the Data Protection Act (No.24 of 2019). This dispels the application of the principles of data processing from data collected and processed for the aforementioned purposes. These principles include lawful processing, minimisation of collection and adopting security safeguards to protect personal data and the Kenyan Data Commissioner is mandated to prepare a code of practice to guide the processing of data for journalistic, literary and artistic purposes. Having seen the Act’s novelties, this piece now turns to a closer look into the Somalia Data Protection Authority.

Concerns on the Independence of the Somalia Data Protection Authority

While Article 6 of the Act provides that the Somalia Data Protection Authority shall be an independent agency,¹¹ it is prudent to note that the Authority does not enjoy absolute independence. In terms of appointment, the Authority is headed by the General Manager, who the Minister proposes, confirmed by the Cabinet, and finally appointed by the President as per Article 13 of the Act.¹²

From an operational standpoint, the Authority is mandated to yield to executive interference from the Minister of Communications and Technology or other government institutions in select instances as per Article 6 (3) of the Act.¹³ While the Act remains silent on the different government institutions that can interfere with the Data Protection Authority, situations that necessitate such subservience include directions from the President and Cabinet, their appointing authority, in the interests of national security, public order, and defence.¹⁴ This creates an even broader scope of persons who can exercise executive influence over the Authority’s operations notwithstanding the above-mentioned appointing authority.

The data governance wave has elicited different approaches to the independence of data protection agencies in Kenya and Nigeria. To begin with, Article 8(3) of the Kenyan Data Protection Act (2019) provides for the independence of the Office of the Data Protection Commissioner (ODPC) in Kenya in the execution of its mandate.¹⁵ The ODPC is mandated to consult the Cabinet Secretary on matters relating to information, communication, and technology when formulating new directorates in the ODPC office, undermining its independence.¹⁶ When removing the Data Commissioner, the Public Service Commission (PSC) recommends such removal from office after submitting their investigations to the Cabinet Secretary.¹⁷

Moreover, the Kenyan ICT Cabinet Secretary is also granted the power to make regulations to provide suitable measures to safeguard a data subject’s rights, freedoms, and legitimate interests.¹⁸ Taken cumulatively, the facts point towards a substantial amount of executive influence, which affects the independence of the Data Protection Commissioner in Kenya. From the Somalian case study, the same is true, seeing the significant level of influence that the President and the Minister have on the management of the operations of the Data Protection Authority.

A similar case also presents itself upon a closer inspection of the Nigeria Data Protection Act (NDPA) (2023), which provides for the Nigeria Data Protection Commission (NDPC) and its Governing Council.¹⁹ Like Somalia, section 7 of the Nigerian data governance regime alludes to the would-be independence of the NDPC. Section 8(1) sets out the NDPC’s leadership structure, which comprises, inter alia, a part-time Chairman but a national commissioner who is responsible for the day-to-day running of the Commission.²⁰ Section 9 of the NDPA empowers the President, on the recommendation of the Minister, to appoint the chairman and non-ex-officio members of the Governing Council.²¹

To further advance the notable executive influence over independence in terms of appointment, the same procedure captured for appointment is true when removing a member of the Governing Council of the NDPC. Notably, section 7 points towards the would-be independence of the Commission. This, as read with the provisions of the NDPA, casts doubts on the Commission’s freedom from executive interference in its operations.

The above instance demonstrates the need for a review of the independence of the Somalian Data Protection Authority to better protect both personal and sensitive personal data from possible executive misuse on the grounds of security or defence by the same executive that appoints to or removes them from office.

Final Remarks

As most African states navigate their data governance journey, Somalia’s Data Protection Act fills a long-existing legal-regulatory gap on matters of data governance. The Act is riddled with salient features that paint a vivid image of the Somalian approach towards data protection, the categories of protected data, and the limits of the Act’s applicability. Moreover, the Act’s exemptions create avenues for legal enforcement, investigations and the promotion of national security. Be that as it may, some concerns about the Somalia Data Protection Authority’s independence persist, given the manifest mechanisms that allow executive interference. This further invites more discussions about the independence of data protection authorities across select jurisdictions in the African Continent.