An Independent Data Protection Act: A Critical Part to South Sudan’s Digital Future

By Pricilla Ijur

More than just information, data is power. But in the absence of clear legal safeguards and effective oversight, this data is vulnerable to misuse, abuse, and exploitation. Institutions rely on data to plan, regulate, and deliver services while businesses rely on it to innovate and grow. Citizens, in turn, need their data to be handled responsibly to safeguard their dignity, privacy, and security. Across South Sudan, personal data, including names, phone numbers, locations, financial records, health information, and biometric identifiers is routinely collected by state institutions, telecommunications companies, banks, NGOs, and digital platforms.

In a fragile, post-conflict context, the absence of protection means this data can easily become a tool of surveillance, exclusion, political manipulation, and economic harm.

South Sudan stands at a defining moment in its digital journey. From mobile money and biometric registration to online public services and digital identity systems, data is rapidly becoming the backbone of governance, service delivery, and economic growth. The country’s acceleration towards an inevitable digital future begs the question:

Who protects the personal data of South Sudanese citizens?

Currently, South Sudan lacks a fully operational, independent Data Protection Act and Authority capable of safeguarding personal information. This gap is not merely a technical oversight but a structural risk that undermines trust, human rights, governance, and national development.

Why a Data Protection Act Is Not Optional

A modern Data Protection Act sets the rules of the digital society. It defines how personal data may be collected, processed, stored, and shared. Crucially, it affirms that individuals retain rights over their own information. This includes: the right to be informed, the right to consent, and the right to seek redress when those rights are violated.

For states, strong data protection frameworks signal institutional maturity. They build public trust, reduce systemic abuse, and create the legal certainty needed for digital investment and cross-border cooperation. However, global experience shows that a law without enforcement is little more than a statement of intent.

The Case for Independence

The effectiveness of any data protection framework depends on the independence of its enforcement body. A credible Data Protection Authority must be empowered to:

• Investigate violations across all sectors, including government institutions

• Enforce compliance through sanctions and corrective measures

• Protect whistleblowers and complainants

• Operate free from political influence or institutional pressure

  
  

When institutions that collect and use data are also responsible for regulating themselves, accountability is weakened. Independence is not a procedural detail but the foundation of credibility.

Regional Lessons and Global Standards

South Sudan is not alone in navigating these challenges, but neighbouring countries are many strides ahead in addressing said issues.

In Uganda, the Data Protection and Privacy Act of 2019 established clear rules on consent, data security, and accountability. It created an enforcement office that can investigate complaints and penalize misuse.

https://www.pwc.com/ug/en/press-room/data-protection-privacy.html

In Kenya, the Data Protection Act is enforced by the Office of the Data Protection Commissioner, which has taken action against both private companies and public institutions. In one case, a court suspended an international health agreement due to data privacy concerns, demonstrating that data rights are taken seriously.

https://www.odpc.go.ke

https://www.reuters.com/business/healthcare-pharmaceuticals/kenyan-court-suspends-health-pact-with-us-hear-data-privacy-case-2025-12-11/

These institutions show that data rights can be protected in practice, including in cases involving powerful public and private actors. These experiences prove, therefore, that data protection is no barrier to development, but rather its driver. It is a prerequisite for democratic governance, responsible innovation, and participation in the regional and global digital economy.

The Risks of Delay

Failure to act carries real consequences. Without a well-established, independent, and fully functional data protection regime:

• Citizens lose control of their personal information.

• Vulnerable groups including journalists, activists, and women face heightened exposure to harm.

• Public trust in digital systems deteriorates.

• Investor confidence in the digital economy weakens.

• The state itself becomes exposed to legal, reputational, and security risks.

In such an environment, data serves power rather than the public interest.

Opportunity for South Sudan

The government’s intention to introduce a Data Protection Bill alongside cybercrime and computer misuse legislation is a welcome development. Yet the true measure of success will not lie in the passage of a bill alone. It will depend on whether South Sudan establishes a genuinely independent, well-resourced, and authoritative Data Protection Authority.

This is a national opportunity to embed trust, accountability, and rights into the country’s digital foundations before it is wrought with harmful practices.

Leadership in the Digital Age

For South Sudan, embracing data protection is an act of leadership, one that places people, rights, and accountability at the centre of technological progress. However, progress will not be defined by how quickly states digitise, but by how responsibly they implement agreed upon plans. A strong, independent Data Protection Act is not simply about compliance or regulation. It is about shaping a digital future grounded in dignity, freedom, and justice.

South Sudan should not only focus on accelerating digital transformation but also on protecting personal data. The question is no longer whether, but how soon.