Population: 15,893,219

Capital: Mogadishu

President: Hassan Sheikh Mohamud

2021 Freedom House Score: 7/100

Data protection law? Yes, data protection authority appointed in 2023

Privacy enshrined in Constitution: Yes, Article 19 of the Provisional Constitution of 2012 provides for the inviolability of the home and other dwellings and prohibits their entry, search, or surveillance without a judicial order.

DPA legislation: Yes, the Data Protection Act, 005, was passed in March 2023.

ICCPR: Acceded

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: No

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: Yes

Law enforcement exclusion: Yes

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: Yes

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: No

Personal data is defined as any information relating to an individual who can be identified or is identifiable, directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual.

A data controller must ensure that personal data is processed fairly, in a transparent manner and that at least one of the following requirements are met:

• consent has been given and not revoked by the data subject;
• processing is necessary for the entering into or performance of a
  contract with the data subject;
• processing is necessary for compliance with a legal obligation;
• processing is necessary for the establishment, exercise or defence
  of a legal claim, obtaining legal advice or conduct of a legal
  proceeding;
• processing is authorised by law and carried out by a competent
  public authority;
• processing is necessary in order to save the life of any person;
• processing is carried out for purposes of medical care or
  community welfare;
• processing is necessary to respond to a specific public health or
  humanitarian emergency and it is not reasonably possible to establish
  another legal basis for processing within a
  reasonable period of time;
• processing is necessary for the performance of a task carried out
  in the public interest and in the exercise of official authority vested in the data controller;
• processing is necessary for the purposes of the legitimate interests
  of the data controller or by a third party to which the personal data is
  validly disclosed, except where such interests are overridden by the
  interests of fundamental rights and freedoms of the data subject;
• processing is necessary for archiving purposes in the public
  interest, or for the purpose of historical, statistical or scientific
  research; or
• the data subject has intentionally made such personal data public.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Partial

Notification to data subject in event of data breach: Partial

Timeframe for notification is specified: No

Exceptions exist to breach notifications: Yes

Requires a data processing register: No

Register is publicly available: NA

Provides for terms of service icons: No

DPA must submit at least annual report: No

DPA report is made public: No

Explicit provision for civil liability: Yes

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Partial

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): Partial

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: Yes

Number of members in DPA: 9

Maximum term length for members of the DPA (years): 8

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: Yes

Defines the requirements for consent: Yes

DPA is mandated to participate in policy formulation: Yes

A data controller may not transfer personal data to a country outside the country unless one of the following conditions is met:

• the personal data will be received solely in country/ies that provide an adequate level of protection;
• the recipient is an international organisation whose policies and administrative and technical measures afford an adequate level of protection;
• the recipient is subject to a law, binding corporate rules, contractual clauses, code of conduct, certification mechanism or other measure that affords an adequate level of protection; or
• the transfer meets one of the several criteria in s 31, which include, for example, consent or that the processing is necessary for the entering into or performance of a contract with the data subject.

Provides a right not to be subject to automated decision-making: Yes