A New Legal Basis for Data Processing in Mali
Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data is a data protection law that was passed in Mali in 2013. In accordance with the recently passed Law No. 2019-056 of 5 December 2019 on the Repression of Cybercrime, or the Cybercrime Law for short, Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data is the foremost means by which the personal data and privacy of Malian citizens are legally protected. To this end, Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data establishes the legal basis by which personal data may be collected or processed within Mali. The law also established the Malian data protection authority, or APDP, for the purposes of enforcing the law.
What is the scope and application of Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data?
The personal scope of Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data applies to all collection or processing of personal data that is conducted by “state, local authorities, entities having legal personality, natural persons and private legal entities”. The territorial scope of the law applies to all personal data that is collected and processed within the country of Mali, as well as other areas in which Malian law applies, while the material scope of the law applies to all processing of personal data, with the following exceptions:
- Collection and processing of personal data that is carried out strictly in the context of personal or domestic activities, except in circumstances in which said personal data is intended for systematic communication or transfer to third parties for the purposes of dissemination.
- “temporary copies made within the framework of the technical activities of transmission and supply of access to a digital network, with a view to the automatic, intermediate, and transient storage of data and for the sole purpose of allowing other recipients of the service the best possible access to the information transmitted”.
What are the obligations of data controllers and processors within Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data?
Under Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data, data collectors and processors operating within Mali are charged with the following obligations and responsibilities:
- Guaranteeing that all collection and processing of personal data is done in respect of the fundamental rights and freedom of Malian citizens.
- Ensuring that the confidentiality and security of all personal data that has been collected or processed is upheld at all times.
- Implementing appropriate technical and security measures to ensure that personal data in their possession is not damaged, distorted, or accessed by third parties without proper authorization.
- Notifying the Malian data protection authority or APDP concerning the purposes for which they intend to collect and process personal data. However, “data processors of public entities do not have to notify the APDP provided that they sign an agreement with the authority”.
- Ensuring that the personal data of Malian citizens is only transferred to other nations that also guarantee a similar level of protection and privacy in accordance with the fundamental rights of citizens within said nations.
- Ensuring that personal data that has been found to be false, inaccurate, incorrect, outdated, or ambiguous is deleted within 30 days of the point at which an applicable data subject makes such a request.
- Ensuring that special care is taken when collecting or processing special categories of personal data, such as personal data pertaining to criminal offenses or convictions.
What are the rights of Malian citizens under Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data?
Under Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data, Malian citizens are afforded the following data protection and personal privacy rights:
- The right to be informed – Data subjects have the right to be informed of the collection and processing of their personal data, including the identity of a particular data controller or processor, as well as the purposes for which their personal data will be collected or processed, among other details.
- The right to access – Data subjects have the right to request that a data controller or processor grant them access to personal data pertaining to them.
- The right to rectification – “data subjects have a right to amend and/or erase information, both directly and indirectly”.
- The right to object or opt-out – “data subjects have the right to object to the processing if they have legitimate reasons, unless the processing is based on a legal obligation”.
What are the penalties for violating Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data?
Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data is enforced by the Malian data protection authority or APDP. As such, the APDP has the authority to impose a variety of monetary penalties and criminal sanctions against data controllers and processors who fail to adhere to the principles of the law. These punishments include:
- A warning to data controllers and processors who fail to comply with the provisions of the law.
- A formal notice to the data controller or processor who has been found to be at fault.
- A formal injunction demanding that a particular data controller or processor stop collecting or processing personal data.
- The withdrawal of approval.
- Monetary fines ranging from XOF 2.5 million ($4,334) to XOF 20 million ($34,668).
- Various terms of imprisonment.
While Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data does not provide many rights to Malian citizens that have become commonplace in many other privacy policies that have been passed around the world in recent years, the law nevertheless provides data protection for data subjects within Mali. As such, Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data is one of the many comprehensive data privacy laws that have been passed on the continent of Africa in the past decade, including Egypt’s Data Protection Law and Togo’s Protection of Personal Data law. Through the passing of such laws, the web of data protection that exists within African countries continues to grow stronger.