It is reported that the Botswana Communication Regulatory Authority (BOCRA), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

According to Sections 189 and 190 of the Companies Act 2007, a company limited by shares must keep accounting records, including invoices relating to the sale and supply of goods, at its registered office or such other place in Botswana as the company's board shall determine.

Section 74 of Botswana’s Data Protection Act provides that personal data may be transferred to foreign jurisdictions, provided that a copy is retained within Botswana for the entire duration of its processing. This obligation applies irrespective of the legal basis for the transfer, including adequacy decisions, appropriate safeguards, or specific derogations. The requirement to maintain a local copy is absolute and admits no exceptions.
The 2024 Act repealed the Data Protection Act 2018, which did not contain this obligation.

Sections 74–78 of the Data Protection Act 2024 allow for the transfer of personal data outside Botswana only when a copy is kept in the country and when certain conditions are fulfilled. These conditions include an adequacy decision issued by the Commission regarding the recipient country or organisation, or the implementation of appropriate safeguards. Such safeguards may take the form of legally binding agreements between public authorities, binding corporate rules, standard data protection clauses adopted by the Commission, or approved codes of conduct.
The 2024 Act repealed the Data Protection Act 2018, which, under Sections 48 and 49, generally prohibited cross-border data transfers, except where adequacy decisions or certain derogations applied.

Botswana has not joined any free trade agreement committing to open transfers of cross-border data flows.

Act No. 18 of 2024 establishes a comprehensive data protection framework in Botswana, repealing and re-enacting the Data Protection Act of 2018 with substantial amendments. While the 2018 Act regulated data controllers and processors, emphasised consent, and introduced data subject rights alongside restrictions on direct marketing, sensitive data, and cross-border transfers, the 2024 Act expands its scope to include both automated and non-automated processing. It introduces specific provisions for handling sensitive personal data and imposes additional conditions for lawful processing, such as data minimisation, accuracy, storage limitation, and accountability. In addtion, it mandates Data Protection Impact Assessments (DPIAs), the appointment of Data Protection Officers (DPOs), and stricter penalties for non-compliance. Although the Act broadly aligns with the EU General Data Protection Regulation (GDPR), it diverges by introducing custodial sentences of three to twelve years for particular offences.

Clause 15.5 of the Service and Application License terms and conditions states that all accounts and records of the licensee providing electronic communication services under the Communications Regulatory Authority Act (No. 19 of 2012) must be kept in secure locations and formats to ensure their preservation. Performance-related data must be retained for at least one year, and all financial records must be retained for at least five years.

Section 69 of Botswana’s Data Protection Act provides that a data controller or data processor is required to appoint a data protection officer (DPO) in circumstances where the processing of personal data is carried out by a public authority or body, excluding courts acting in their judicial capacity; where the core activities of the controller or processor involve processing operations which, by their nature, scope and purpose, necessitate regular and systematic monitoring of data subjects on a large scale; or where such core activities consist of large-scale processing of sensitive personal data or personal data relating to criminal convictions and offences.
In addition, Section 65 of the Act stipulates that where a type of processing employs new technologies and, considering its nature, scope, context and purpose, is likely to pose a high risk to the rights and freedoms of natural persons, the data controller must conduct a data protection impact assessment (DPIA) prior to initiating such processing. A DPIA is specifically required in cases involving systematic and extensive evaluation of personal characteristics based on automated processing, including profiling, where such processing results in decisions that produce legal effects or significantly affect the individual; where sensitive personal data or data relating to criminal convictions and offences is processed on a large scale; or where large-scale systematic monitoring of publicly accessible areas is undertaken

Pursuant to Section 14.d of the 2024 Data Protection Act, the Commission is vested with the authority to obtain from data controllers and data processors access to all personal data, as well as any information deemed necessary for the fulfilment of its statutory functions. Such access does not require the issuance of a court order. The 2024 Act repealed the 2018 Data Protection Act, which contained a comparable provision under Section 10.

It is reported that a basic legal framework on intermediary liability for copyright infringement is absent in Botswana's law and jurisprudence. Despite Part VIII of the Electronic Communications and Transactions Act protects information service providers from any civil or criminal liability with respect to third-party material stored or transmitted on their platforms if they did not contribute to the material, according to Art. 39 of the Act, nothing in the Act shall affect any liability of the service provider under the Copyright and Neighbouring Rights Act in respect of the infringement of copyright in any work or other subject matter in which copyright subsists.

Part VIII of the Electronic Communications and Transactions Act protects information services providers from any civil or criminal liability with respect to third-party material stored or transmitted on their platforms if they did not contribute to the material. It is also expected that the information service providers should expeditiously remove or disable access to the infringing content upon receiving a take-down notice.

It is reported that there is an obligation for passive infrastructure sharing in Botswana to deliver telecom services to end users. Moreover, passive infrastructure sharing is practised in the mobile and fixed sectors based on commercial agreements.

It is reported that Botswana imposes identity requirement for SIM registration. Anyone wanting to purchase a SIM card has to provide their national ID card, or a passport in case of foreigners, to activate a new prepaid SIM card. According to Art. 6 of the Botswana Communications Regulatory Authority Act, the Board of the Botswana Communications Regulatory Authority is responsible for regulating SIM card registration.

The Botswana Telecommunications Corporation Limited (BTCL) is a telecommunications company formerly a government parastatal. Clause 6.2 of the Constitution of the BTCL states that no shares shall be issued to foreigners. Therefore, foreigners cannot own shares in this telecommunications company, which is also Botswana's only listed telecommunications company.

In accordance with Section 81 of the Public Procurement Act, primary contractors, whether domestic or foreign, may be required to engage citizen subcontractors as part of their bid submission or during the execution of a bid award. Additionally, Regulation 86 of the Public Procurement Regulations stipulates that when a primary contractor enters into a contractual arrangement with a citizen subcontractor under Section 81 of the Act, a margin of preference shall be applied to the evaluated tender price. Furthermore, Section 97 of the Public Procurement Regulations specifies that when a procuring entity considers subcontracting feasible, it should facilitate this to enhance the skills and contracting capacity of fully citizen-owned micro, small, and medium enterprises. In such cases, the primary contractor is required to subcontract a portion of the total value of works, services, or supplies to a citizen, citizen contractor, or local contractor.
The Public Procurement Act repealed the Public Procurement and Asset Disposal Act, which contained a similar measure in Section 76.