In this article, “Cape Verde amends its data protection legislation,” Hogan Lovells’ Aissatou Sylla and José Maria de Pina of Cape Verde’s data protection authority weigh in on the latest update to the country’s Data Protection Act.
The Data Protection Act of 2001 was recently amended by the Republic of Cape Verde.
With the rise of interconnected files, cross-border data transfers, cloud services, social media, e-commerce, profiling, and artificial intelligence, among other technological trends, and the global reinforcement of privacy rights, the Cape Verdean Parliament deemed it necessary to update the country’s data protection legal framework to align it with international standards and provide individual privacy protection.
The 2001 Data Protection Act was updated in 2013, principally to overhaul the supervisory body, and the Cape Verdean Parliament enacted important modifications to its privacy regulations with this amendment. Based on its five-year experience and observation of international laws such as the 2010 ECOWAS Supplementary Act A/SA.1/01/10 on Personal Data Protection, the European Union General Data Protection Regulation, 2016 (GDPR), and the Council of Europe Convention for the Protection of Intangible Cultural Heritage, such changes were made to the data protection authority, the Comissão Nacional de Protecção de Dados (CNPD).
Extraterritorial application
With this change, the 2001 Data Protection Act now applies to controllers who do not have a physical presence in Cape Verde but handle data about people who live there. The amendment has expanded the scope of data protection law to include controllers and processors who process the personal data of data subjects in Cape Verde, where the processing activities are related to providing goods or services to such data subjects, whether free or for a fee, and to monitoring their behavior, provided that such behavior occurs within the national territory.
In recent years, there has been a movement in Africa to abandon the principle that privacy rules only apply to controllers with a local presence or who employ local means of processing (such as a local server or a local intermediate person), and to adopt an extraterritorial approach, similar to GDPR. The latter ensures that corporations that have no physical presence or servers in the country but process vast amounts of personal data acquired from local residents or citizens must adhere to local privacy regulations. Benin, Egypt, and Kenya have all embraced this strategy in recent years.
Companies without a local presence must also appoint a local representative for service of process and other enforcement purposes, according to the Cape Verdean Amendment.
Opt-in consent
The modification changed the definition of consent and added the requirement that consent be expressed in the form of a statement or an unambiguous affirmative action.
This means that consent will have to be given on an opt-in basis wherever consent is the legal basis for processing data.
For example, obtaining consent through a pre-ticked check box indicating “I agree to the conditions of the privacy policy” or “I accept to receive promotional emails” will not be permitted. It’s worth noting, however, that there are some exceptions to the consent requirement, such as where processing is required for the fulfillment of a contract or the pursuit of the controller’s or the third party’s legitimate interests.
The amendment also addresses consent for people who lack legal capacity. Consent must be given by the guardian or legal representative in the case of minors under the age of 16 and other persons who lack legal capacity.
In the case of cookies, unless another legal basis for processing applies, consent will need to be obtained on an opt-in basis to the extent that they contain personal data and there are no explicit rules or regulations governing them.
Sub-processor engagement requires specific prior consent
The amendment requires processors to acquire consent before engaging a sub-processor, in addition to requiring controllers and processors to enter into a legally negotiated data protection agreement with the required security and confidentiality precautions.
According to Article 28 GDPR, such permission can be either general, with the option to object later, or specific. The amendment is stricter than GDPR in that it stipulates that consent to engage a sub-processor must always be explicit and must come before the sub-processor’s activity.
New data subject rights and other changes
A more complete right to erasure, a right to restrict processing, and a right to data portability were also added as part of the amendment. These new rights are very comparable to the GDPR’s counterparts. The compliance deadline is not set in days, but the amendment requires action “immediately.”
The amendment added the requirement to appoint a data protection officer in certain circumstances, such as when the controller or processor’s core activities include processing operations that, by their nature, scope, or purposes, necessitate regular and systematic monitoring of data subjects on a large scale. When a controller is a group of entities, the amendment provides that a single group-wide data protection officer can meet these criteria even if they are not based in Cape Verde. However, the CNPD must be informed of the data protection officer’s contact information.
The amendment also contains a breach reporting requirement, similar to the GDPR requirement, under which controllers must notify the CNPD within 72 hours of becoming aware of a data breach unless the breach is unlikely to result in a risk to natural persons’ rights, freedoms, and guarantees. Unless the breach is unlikely to result in a serious risk to their rights, freedoms, and guarantees, data subjects must be informed “without undue delay” and in clear and straightforward terms. Processors must notify controllers of the breach as soon as possible.
The amendment, like GDPR, covers privacy-by-design, biometric data, profiling, and automated processing protections, and clarifies the definition of data subjects by stating that it includes deceased individuals on whose behalf the estate will be authorized to act (for example, to delete social media accounts).
Furthermore, where a processing activity is likely to result in high risks to an individual’s rights and freedoms, such as profiling or large-scale processing of sensitive data, now renamed “special categories of data,” the amendment imposes the obligation to conduct a data protection impact assessment.
Where do we go from here?
In many ways, the amendment clarifies the 2001 Act. It also strengthens privacy rules, particularly by widening the scope of data protection law to include e-companies that process data of Cape Verdean citizens remotely and by requiring opt-in consent.
The modification does not include a grace period and is effective immediately. As a result, any company doing business in Cape Verde, or having clients or users there, and processing vast amounts of personal data should at the very least assess their processing strategy, as well as the functionality and policies of their platforms.