An analysis of the legislative framework in relation to Data Security in Mauritius and the Indian Ocean


    Jeevesh Augnoo, Head of the Law Department and Senior Lecturer at Rushmore Business School, Mauritius

    Tasneem Khedarun, Senior Lecturer, Law Department, Rushmore Business School, Mauritius, and Fellow of the Advance Academy UK (former Higher Education Academy UK) & Associate Member of the Chartered Institute of Arbitrators



    Technology has changed the world tremendously since the start of the millennium (WEF, 2022). Cloud computing (McKinsey, 2022) has changed the way enterprises operate. Advances in Big Data and the Internet of Things, as well as the creation of an alternate online universe exponentially powered by Artificial Intelligence, have heralded data as the new commodity. Its value, as with other resources, depends on its integrity, leading to the establishment of data security frameworks. Data Security encompasses many concepts (Lopez, 2013) and can be simplified to the practice of protecting digital information from unauthorised access, corruption, or theft throughout its entire life cycle (IBM, 2022), including best practices such as Data Protection (Oracle, 2023). This paper will read data as personal information.

    Data Security in Mauritius

    The Ministry of Technology, Communication, and Innovation ensures that the provisions of the Data Protection Act 2017, which is in conformity with the European Union General Data Protection Regulation (EU GDPR), are safeguarded. As put forward by the legislator, the Act aims at strengthening the control that citizens have over their personal data and personal information for enhanced protection and security, echoing the ambition of the EU GDPR to be the "strongest privacy and security law in the world".

    The Data Protection Office, which falls under the aegis of the Ministry of Technology, Communication, and Innovation, has as its main aim ensuring that every data subject’s personal data is safe from breach in this rapidly growing digital era. Any breach or complaint received by the Data Protection Office is dealt with the utmost professionalism. The process is set out in section 6 of the Data Protection Act.

    Moreover, Mauritius was the first African state to adhere to the Budapest Convention and has been involved in the GLACY (Global Action Against Cybercrime) project, which aims at enforcing and empowering adhering states to implement, enforce, and apply the law on cybercrime. With the aim of promoting the vision and objectives of the GLACY project, Mauritius, through the Institute for Judicial and Legal Studies (under the aegis of the Supreme Court of Mauritius), hosted a "Train the Trainer" session in January 2015, which enabled the coaching of law enforcement professionals in Mauritius to identify, handle and deal with cybercrime and data breaches.

    Mauritius has also ratified the Malabo Convention, which aims at promoting data protection, e-commerce and cybersecurity in the African continent, hence putting the continent higher up on the global data security network and the African Continental Free Trade Area. Thus, Mauritius upholds the fundamental right of privacy provided by Chapter II of the Constitution of Mauritius, the supreme law of the State, and Mauritius has always upheld the fundamental principles provided for therein as a democratic state whereby the rule of law prevails. The principle of the rule of law is at the very core of the Mauritian system, whereby the law always prevails and nobody is above the law. Hence, the root of any democracy is the protection of the fundamental rights of its citizens, and this is exactly what Mauritius has done by enhancing data security, ratifying the various conventions and legislating the Data Protection Act. The Supreme Court of Mauritius has not heard breach of GDPR cases to date, as breaches of personal data are heard at first instance by the Data Protection Office and parties have not appealed to the Supreme Court against the decision of the DPO to date.

    An overview of other legislative frameworks in the Indian Ocean

    As discussed earlier, the ambit of this research is focused on "personal data" in terms of data security. The global progressive implementation of the General Data Protection Regulation (GDPR) has impacted data security in many countries, including other jurisdictions in the Indian Ocean. The following paragraphs provide a brief overview of data protection in the region.


    Madagascar, a member country of the Indian Ocean Commission, where the right to privacy is protected under the 2010 Constitution (Titre II, Article 13), adopted the new Data Protection laws (Law No 2014-038) on 16 December 2014, which were promulgated on 09 January 2015. This piece of legislation (DPL) introduced new definitions in terms of personal data (Chapter II, Article 7), Data Protection Principles of data subjects (Chapter III, Article 14) and their rights (Chapter IV, Articles 22-27), as well as new requirements for Data controllers and processors (Chapter II, Articles 9 & 10), with new penalties enforced (Chapter VII, Section I, Article 55 and Section II, Articles 61 – 73) by a newly established authority body, the Commission Malagasy sur L’Informatique et des Libertés (CMIL), as per Chapter 5, Section I, Article 28. This new institution also has the authority to allow the transfer of personal data to jurisdictions offering the same level of data protection as Madagascar (Chapter III, Article 20). This overhaul demonstrated the importance of agencies such as AFAPDP working together with authorities for enhanced impact and aligning the country with other local and international jurisdictions in terms of data security and privacy to make it more attractive for business and investment.


    On the other hand, there are no operative laws in the Seychelles as it stands, despite the passing of the Data Protection Act 2002. The privacy of citizens is protected by Article 20(1)(b) of the Constitution of the Republic of Seychelles, and the comprehensive proposed legislation provided for the establishment of a Data Commissioner, appointed by the President (Part I, Section 4). As with the law in Madagascar and in Mauritius, it offers new definitions in terms of personal data (Part I, Section 2(7)) and Data Protection Principles (Part I, Section 3), as well as the rights of Data Subjects (Part III, Section 28). It also provides for a series of penalties, including prosecution under Part II, Article 26. By contrast, there is no definition proposed for Data Controller or Data Processor, with reference being made to "Data User" (Part I, Section 2(10)). The Act does not legally require the appointment of a Data Protection Officer, and provisions lack enforceability. This can hamper the country’s positioning as a choice destination for organisations which have to abide by GDPR requirements.


    On the African continent, Kenya, a COMESA (Common Market for Eastern and Southern Africa) member country since 2000, adopted the Data Protection Act 2019, in line with Article 31 (c) and (d) of the Constitution, which confers the right to privacy. It also establishes the office of the Data Commissioner (Part II). The Act follows a similar structure to the Data Protection Act in Mauritius and Madagascar, with the relevant sections about Personal Data (Section 2), registration of Data Controllers and Data Processors (Part III), Data Protection Principles (Part IV) and Transfer of Data to other jurisdictions (Part VI). Some notable features of this Act include the requirement to carry out a Data Protection Impact Assessment (Section 31), its increased territorial scope, as it applies to all companies processing personal data of data subjects residing in Kenya irrespective of the location of the company, and the requirement to seek explicit and retractable consent from data subjects. The penalty system imposed is also more rigorous and establishes Kenya as a jurisdiction taking data security seriously in a forward-thinking manner.

    South Africa

    South Africa, which joined the Southern African Development Community (SADC) in 1994, adopted the Protection of Personal Information Act 2013, commonly referred to as the POPIA, a comprehensive and elaborate piece of legislation which mirrors and adapts requirements and provisions like those of the GDPR. The Act makes provisions for "personal information" (Chapter 1, Section 1) rather than "personal data". It also establishes a framework for lawful processing of personal information (Chapter 2, Section 4), which is elaborated in Chapter 3 of the Act through a series of Conditions, from Accountability (Condition 1) to Data Subject Participation (Condition 8). It also provides for the rights of data subjects (Chapter 2, Section 5) and the establishment of an Information Regulator for supervisory purposes, such as the requirement for organisations to register their Information Officers (Section 55) and submission of an annual report (Section 32). These provisions provide a robust framework from definitions to penalties, reflecting data protection requirements internationally.

    Observations and Conclusion

    The above brief discussions of some of the jurisdictional data protection provisions in different countries demonstrate a steady move towards aligning the region’s data protection framework with international standards. With the COMESA pushing for the adoption of the One Network Area for better e-commerce opportunities, there is a need for more harmonised policies on data protection, such as those proposed in terms of digital provisions for the AfCFTA. The SADC Secretariat has already developed a Policy for the Protection of Personal Data with the aim of complying with international best practices. Similar alignments by member states and organisations of the Indian Ocean region will strengthen data security frameworks and offer better protection to personal data, except in cases of national security as provided by provisions in most legislation, including those in the Patriot Act in the United States.

    From a local point of view, although Mauritius has implemented strict data security laws and has ratified various international conventions to adhere to international standards, the existing frameworks could be further strengthened. For instance, Singapore has recently further amended and strengthened its data security law, and one of the measures under the Personal Data Protection Act (PDPA) is that the amount which an organization may be fined has been increased to 10% of the company’s annual turnover, acting as a true deterrent to prevent data security breaches in Singapore. Similar harsher penalties can assist in increasing the impact of the DPA 2017 in terms of security. As has been noted recently, Meta Ireland was fined €1.2 billion by the Ireland Data Protection Commission for a breach of data information/transfer of personal information to the United States. The Data Protection Office may be empowered to act similarly. Investing in data security education at various levels could also assist in changing the culture around data security, whether through a review of educational curricula or training at professional level across industries.

    As it stands, the DPO has heard 18 cases of alleged breach of personal data between 2011 and 2021. The figures appear to indicate a reluctance from people to report instances of breach of personal data to the DPO, which may be a challenge to the authorities; hence awareness sessions will encourage people to report such breaches. Furthermore, the legislator may wish to implement innovative measures through education to promote the protection of data in the ever-evolving digital age.

    This part of the Indian Ocean is becoming more and more geopolitically strategic, acting as a platform between mainland Africa, Asia and Europe. A stronger data security legislative and regulatory (as well as technical) framework will increase cooperation and collaboration between the Indian Ocean countries, in terms of transborder data sharing possibilities and other strategic ways of working together going forward.

    Main Photo by cottonbro studio on Pexels.

    Charles Telfair Centre is an independent nonpartisan not for profit organisation and does not take specific positions. All views, positions, and conclusions expressed in our publications are solely those of the author(s).
