Data protection & privacy laws in South Sudan (2026)

There is no standalone data-protection statute defining lawful processing, data-subject rights, or controller/processor duties, and no designated supervisory/data-protection authority to enforce compliance.

Article 22 of the Transitional Constitution of the Republic of South Sudan (2011) guarantees the inviolability of private life, protecting against unlawful interference with one's private life, family, home, or correspondence, except as provided by law.

The Right of Access to Information Act, 2013 (No. 65 of 2013) requires public bodies to disclose information but exempts disclosures that would compromise an individual's privacy — a narrow privacy carve-out rather than a data-protection regime.

The Cybercrime and Computer Misuse Bill 2025 was passed unanimously by the Transitional National Legislative Assembly on 25 Nov 2025 and signed by President Salva Kiir (enacted early 2026); it requires service providers to retain subscriber communications, personal and traffic data for 180 days — an obligation criticized as privacy-eroding rather than privacy-protective.

Government officials have stated South Sudan will introduce its first-ever Data Protection Bill in 2026 to address the legal gaps of its growing digital economy; as of May 2026 no such law is in force.

No data-protection authority has been established. The National Communication Authority (NCA) regulates telecoms and issues cybersecurity guidance, but it is not a personal-data supervisory body, and existing privacy provisions lack enforcement mechanisms.