Lesotho’s Outdated Data Protection Act: No Commissioner, No Teeth—What Should Change Next?

Lesotho’s economy and public services increasingly run on data, mobile money, cross-border cloud services, biometrics for SIM and voter registration, and AI-assisted decision-making. Yet the country is still relying on an early-2010s data law and has never stood up the regulator it created on paper. The result: unclear enforcement, weak deterrence for abuses, and growing legal risk for businesses and government alike.

Where the law stands

Lesotho’s Data Protection Act (Act No. 5 of 2012) establishes a Data Protection Commission and sets baseline rules for processing personal information. In practice, however, the regulator does not exist: multiple trackers and legal commentaries have noted that the Data Protection Commission and its Commissioner have never been appointed, leaving the law without a functioning watchdog.

Why this is a problem: without an independent authority to issue guidance, register controllers, approve cross-border mechanisms, investigate breaches, and levy administrative remedies, organisations face uncertainty and individuals lack practical avenues for redress.

Is the law itself outdated?

Yes, by global and regional standards. The 2012 framework predates widespread adoption of cloud computing, platform economies, mobile money at scale, pervasive biometrics, and AI-driven profiling. Civil society and policy groups in Lesotho have called out the need to update the Act and build an autonomous, properly resourced Commission to meet today’s risks.

Key gaps compared with modern regimes (GDPR/POPIA-influenced):

  • Automated decision-making & AI: No explicit rights around algorithmic decisions or model transparency.
  • Biometrics & sensitive data: Limited, dated treatment of high-risk categories.
  • Breach response: Processes hinge on notifying a non-existent Commission; practical playbooks are unclear in the vacuum.
  • Cross-border data transfers: The SADC-model-inspired rules need modern adequacy tools (standard clauses, binding corporate rules) and regulator oversight to be workable.

“No Commissioner”, so is there no enforcement?

Not quite. Courts remain available: recent practitioner guidance stresses that the absence of a Commission does not suspend obligations, and individuals may bring claims before courts empowered to award damages. But relying on litigation alone is slower, costlier, and reactive; it is no substitute for an expert regulator that can supervise proactively.

Regional alignment and the Malabo Convention

Lesotho signed the African Union’s Malabo Convention (AU Convention on Cyber Security and Personal Data Protection) on 30 November 2023, but has not (yet) ratified it per the AU’s official status list (latest update 8 July 2024). Ratification and domestic alignment would help modernise standards and facilitate trusted cross-border data flows.

What should be done now

  • Appoint the Data Protection Commissioner and constitute the Commission – Ensure operational independence, secure funding, and appointment transparency to avoid political capture – Publish a 24-month regulatory roadmap on day one.
  • Issue immediate interim guidance (before full law reform) – Breach notification templates and timelines; baseline security measures; rules for processors; pragmatic cross-border transfer steps pending updated clauses; sector notes for finance, health, and telecoms.
  • Table a targeted amendment bill to modernise the Act – Add DPIAs, records of processing, data protection officers for higher-risk entities; explicit rights around automated decision-making; strengthened children’s data protections; clear administrative fines and corrective powers; updated international transfer tools aligned to SADC/AU practice.
  • Ratify Malabo and align – Use ratification to anchor regional cooperation, cross-border enforcement assistance, and capacity building with peer DPAs.
  • Invest in capacity – Create a regulatory sandbox for privacy-preserving innovation; fund training for the bench and bar; launch a national awareness campaign for SMEs and public bodies. Policy analyses in Lesotho emphasise capacity and autonomy as success factors.

What the near future can look like (18–36 months)

  • Year 1: Commissioner appointed; starter guidance released; first supervisory audits in finance/telecoms; breach-reporting channel live.
  • Year 2: Amendment Act passed; standard contractual clauses issued; sandbox pilots for privacy-preserving fintech/health projects; first administrative penalties (with an appeals track).
  • Year 3: Malabo ratified and operational cooperation agreements signed; measurable improvements in breach response times and public trust; clearer compliance pathways for cross-border cloud adoption.

Bottom line for organisations today

Even without a Commission, compliance is not optional. Map your data, implement reasonable security and privacy by design, prepare a breach plan, and document transfer assessments, so that you are ready when the regulator finally arrives. Courts can already hold you to account.