Privacy Legislation and personal data law in Mauritius
The Data Protection Act 2017 is a data protection and privacy law that was passed in Mauritius in 2017. As has been the case with many privacy laws passed in recent years, the Data Protection Act 2017 was drafted to align with the European Union’s General Data Protection Regulation, or GDPR. Moreover, the Data Protection Act 2017 also aligns with the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data, the modernized Convention 108 for short. However, certain provisions within the Data Protection Act 2017 differ from European data privacy standards. In any case, the Data Protection Act 2017 establishes the requirements for the collection and processing of personal data in Mauritius.
How are data controllers and processors defined under the law?
Under the Data Protection Act 2017, data controllers are defined as a “person who or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision-making power with respect to the processing”. By contrast, a data processor is defined as “Any information relating to a data subject”. Furthermore, the Data Protection Act 2017 defines personal data rather broadly to mean any “information relating to a data subject”. Additionally, the law defines sensitive personal data to mean “personal data which are sensitive in nature, for example, the racial or ethnic origin of the data subject or the genetic data or biometric data uniquely identifying the data subject”.
In terms of the scope and applicability of the Data Protection Act 2017, the personal scope of the law covers all data controllers and processors who are established within Mauritius and process data within the country. While the law does not have territorial jurisdiction over foreign countries and nations, individuals or entities who are not physically located within Mauritius but still make use of equipment in the country must also comply with the law, unless this equipment is used strictly for the purposes of transit. As for the material scope of the law, all processing of personal data, whether carried out through automated or non-automated means, must be conducted in accordance with the provisions and regulations set forth by the Data Protection Act 2017.
What are the obligations of data controllers and processors under The Data Protection Act 2017?
As the Data Protection Act 2017 was drafted to align with the provisions of the EU’s GDPR, the Act establishes various principles for the safeguarding of personal data. These principles include:
- Lawfulness, fairness, and transparency – Personal data is only permitted to be collected for legitimate purposes and must be processed in accordance with the principles of fairness and transparency.
- Purpose limitation – Personal data may only be collected for specific purposes and may not be processed for any reason that is incompatible with these purposes.
- Data minimization – Personal data that is processed must be limited to what is necessary with respect to the purposes for which it was collected. Personal data may not be held for any period of time longer than is needed to fulfill these purposes.
- Accuracy – Personal data must be accurate and kept up to date where necessary, and data controllers and processors must take adequate steps to ensure that any inaccurate data is rectified or erased without undue delay.
- Storage limitation – Personal data may not be kept for any longer than is needed to fulfill the purposes for which it was processed.
- Security – Data controllers and processors must implement appropriate security measures to ensure personal data is protected from unauthorized use or misuse.
- Accountability – Data controllers and processors must take accountability for all personal data in their possession through the adoption of policies and the development and implementation of security measures.
What are the rights of data subjects under the Data Protection Act 2017?
Under the Data Protection Act 2017, data subjects within Mauritius are entitled to the following data protection and privacy rights:
- The right to be informed – Data controllers and processors are responsible for informing data subjects of the specific categories of personal data that are to be processed, as well as the purpose of this processing.
- The right to access – Data subjects have the right to request access to personal data that a data controller or processor may hold concerning them, free of charge.
- The right to rectification – Data subjects have the right to request that a data controller or processor rectify inaccurate data pertaining to them.
- The right to erasure – Data subjects have the right to request that a data controller or processor erase inaccurate data pertaining to them.
- The right to object or opt out – Data subjects have the right to object to or opt out of the collection or processing of their personal data at any time during the process, unless a data controller or processor has “compelling legitimate grounds for the processing which override the data subject’s interests, or the processing is required for the establishment, exercise or defense of a legal claim”.
- The right not to be subject to automated decision making – Data subjects have the right not to be subject to decisions made solely on the basis of automated processing, including profiling.
In terms of enforcement, the Data Protection Act 2017 is enforced by the Mauritian Data Protection Commissioner, or DPC for short. The DPC has the authority to impose the following fines and penalties for non-compliance with the law:
- A fine of up to 50,000 rupees ($670) and a term of imprisonment of up to two years for failing to comply with or provide documents to the DPC.
- A fine of up to 50,000 rupees ($670) and a term of imprisonment of up to two years for failing to comply with an enforcement decision made by the DPC.
- A fine of up to 100,000 rupees ($1,341) and a term of imprisonment of up to five years for providing false information to the DPC.
- A fine of up to 100,000 rupees ($1,341) and a term of imprisonment of up to five years for processing personal data in a manner that is in breach of the law.
Though Mauritius is a small island nation with a population of fewer than two million people, the country has passed data protection legislation that puts it on par with many larger countries around the world. The Data Protection Act 2017 is the primary means by which the collection, processing, and dissemination of personal data are governed within the country. In passing such legislation, Mauritius is one of the many countries in the world that have drawn great influence from the EU’s GDPR. More importantly, Mauritian citizens can rest assured that their personal data will be protected when they disclose it to data controllers and processors.