Investigations Lack Data Protection Safeguards

The Authority's enforcement powers include police-like investigative capabilities and custody of seized ICT equipment, but the provision contains no explicit data protection safeguards for personal information accessed during investigations. When investigating ICT service providers who hold vast amounts of user data, the Authority can exercise police powers under Act 30 (section 71(3)) and seize equipment containing personal data (section 71(2)), yet the Act establishes no requirements for data minimization, user notification, retention limits, or independent oversight of data handling. This creates significant privacy risks where regulatory investigations could expose sensitive personal information, communications records, and user data without the procedural protections typically required for law enforcement access to such information.