Law No. 7/17, concerning the Protection of Networks and Information Systems (LPNIS), was recently published in the Official Gazette and imposes a set of new obligations on several players in the Angolan market. Electronic communication undertakings, information society service providers, primary storage service providers, critical infrastructure service providers (e.g., entities responsible for supply chains, health, security and utilities), as well as entities providing critical social functions (financial sector, transportation, Oil & Gas) are now subject to obligations concerning information and information systems protection and security, storage of data, data retention for investigation purposes, cooperation with the competent authority and interception of communications, depending on the scope of activity carried out.
Similarly to legislative acts on the security of networks and the storage of data pertaining to electronic communications in force in other countries and/or regions, as is the case in the European Union, this law aims to respond to the new challenges posed by the information society, particularly by fostering the protection of the Angolan cyberspace against cyber attacks, which are becoming more frequent, and by easing the use of information in the digital space for purposes of criminal investigation.
Among the main obligations set out in the LPNIS, we highlight the following:
- The implementation of defence mechanisms and response to incidents, including presenting to the entities responsible for regulating data protection and for fostering information society services a plan for the management of accidents and incidents, as well as fostering the registration of users;
- The storage of data in an electronic communications network and in information society systems, including traffic data, for a maximum period of 6 months;
- Retention of a significant volume of data by publicly available electronic communications operators, which are required to store traffic, location and related data for a period of 12 months (as of conclusion of the relevant communication) solely for purposes of the investigation, detection and repression of crime.
Failure to comply with these obligations may constitute a contravention punishable with fines ranging between a minimum amount of 3,000,000.00 Kz (three million Kwanzas) and a maximum amount of 200,000,000.00 Kz (two hundred million Kwanzas), depending on the specific breach, and the aforementioned thresholds shall be doubled whenever the infringement is attributed to a legal person.
The Agency for the Protection of Personal Data is the entity responsible for pursuing contravention proceedings as well as for assessing the respective fines. It should be stressed, however, that this Agency, albeit created by Law No. 22/11 of 17 June (the Personal Data Protection Law), is not yet functioning. This law also foresees a Computer Incident Monitoring and Response Team, whose organization and functioning shall be established in a separate act, not published to date.
IMPACTS OF THE LPNIS
For correct implementation of and compliance with the LPNIS, entities providing services based upon information networks and systems whose activities fall within the scope of the act shall have to, among other things:
- Set up teams at management level tasked with assessing how the LPNIS may apply to the activity carried out by undertakings
- Implement/review network security measures and incident notification procedures to relevant entities
- Have in place a strategy and an accident and incident management and response plan, in accordance with the parameters to be defined by the relevant authorities, which shall entail coordination among the board of directors and the legal and business managers of the entities subject to the LPNIS
- Seek to coordinate the adoption of a security strategy with the public policies adopted in the near future for fostering the security of cyberspace in Angola