Since 13 March 2023, the Democratic Republic of Congo (hereinafter DR-Congo) has introduced regulations in the digital field, through Ordinance-Law No. 23/010, which concerns the Digital Code. An important part of this new legislation addresses the crucial issue of personal data protection. These provisions are detailed in Title III of the Digital Code.
The relevance of legislation on the protection of personal data often depends on the supervisory authority associated with it. This supervisory authority plays an essential role in ensuring that the rules established in this area are complied with, with the aim of protecting the individuals concerned. In other words, the strength of this legislation is measured by the power of its supervisory body, guaranteeing effective protection of personal data.
To ensure compliance with these regulations, the Congolese legislator provides for the establishment of a supervisory authority for the protection of personal data, known as the Data Protection Authority or “DPA”. It is important to note that, at the time of writing, this supervisory body has not yet been created. However, we will examine its remit here, as well as its powers to impose sanctions.
The powers of the Data Protection Authority in DR-Congo
The operation of the Congolese Data Protection Authority (DPA) is largely based on its European and African counterparts. Its main mission is to monitor compliance with personal data protection in order to safeguard the privacy of those whose data is hosted in DR-Congo. However, it is unique in that it will also be responsible for monitoring the processing of public data.
This body will have the status of an independent administrative authority, with legal personality and administrative and financial autonomy. Among the powers assigned to it, the most notable include the ability to issue opinions and make recommendations on the processing of personal and public data. The aim is to inform data subjects and data controllers of their rights and obligations.
A distinctive feature of this authority is the declaratory system for processing personal data. In other words, data controllers must submit declarations to this authority before processing certain personal data. This differs from the accountability system, which allows processing to take place without the need for a prior declaration to the supervisory authority .
The DPA also has the power to bring actions before the courts and to conduct investigations in the event of violations of personal and public data. However, all these actions must have a repressive or corrective purpose. Consequently, the DPA is empowered to impose sanctions in the event of non-compliance with the rules relating to personal and public data.
Powers and Sanctions of the Data Protection Authority
The Data Protection Authority can take a number of administrative measures. In particular, it can issue warnings to a data controller. It also has the power to issue a formal notice to cease the breach, and the deadline for compliance may not exceed eight days.
The DPA may also impose financial penalties on a data controller who fails to comply with the data protection provisions of the Digital Code. These penalties may include a payment of between eight million and two hundred million Congolese francs. In the event of a violation resulting in the death or attempted death of one or more persons, a fine equivalent to 5% of its annual turnover may be imposed. In addition, it has the power to issue an injunction to stop the processing of personal data if the breach has endangered national security and safety and/or led to a mass crime or genocide.
Although the data protection supervisory body is not yet operational, its establishment represents a significant step towards establishing a solid regulatory framework. This initiative aims to strike a balance between digital innovation and the protection of individual rights, and will require careful monitoring to assess its impact on the Congolese digital landscape.
By Brozeck KANDOLO, PhD Student.