The Advent of Data Privacy and Protection in Madagascar

The Advent of Data Privacy and Protection in Madagascar

Madagascar’s Law No. 2014-038, known as the DP law for short, is a data protection and privacy law that was passed in Madagascar in 2014. The DP law draws large inspiration from the EU’s Data Protection Directive (95/46/EC), the precursor to the EU’s current data privacy law, the General Data Protection Regulation or GDPR. As such, the DP establishes the legal basis upon which personal data may be collected, processed, used, disclosed, and transferred within the country of Madagascar. Moreover, the law also created a legal basis for the establishment of a data protection authority for the purposes of enforcing the law, titled the Commission Malagasy sur l’Informatique et des Libertés or the CMIL for short.

How is personal data defined under Madagascar’s Law No. 2014-038?

Under Madagascar’s DP Law, personal data is defined as “any information relating to a natural person, whereby that person is or can be identified by reference to a name, an identification number or to one or more physical, physiological, psychic, economic, cultural or social elements specific to that person.” Furthermore, the law also defines sensitive personal data to include information relating to racial origin, biometric and genetic information, political opinions, religious beliefs or other convictions, trade union affiliation, and health or sexual life. As is the case with many data privacy laws, both personal data and sensitive personal data may only be processed in accordance with strict requirements under the DP law.

What are the requirements of data controllers and processors under Madagascar’s DP Law?

Under Madagascar’s DP Law, data controllers and processors operating within the country are responsible for adhering to the following principles as it pertains to the collection, processing, and dissemination of personal data:

What are the rights of data subjects under Madagascar’s DP Law?

Under Madagascar’s DP Law, data subjects within the country to are entitled to the following rights with respect to the protection of their personal data:

What’s more, data controllers and processors are prohibited from collecting or processing personal data from data subjects, unless this collection or processing of personal data is to be used to fulfill one of the following conditions:

What are the penalties for violating Madagascar’s DP Law?

Madagascar’s DP is enforced by the Commission Malagasy sur l’Informatique et des Libertés or the CMIL for short. Under the DP law, the processing of personal data requires a prior declaration to the CMIL. However, organizations can be exempt from their requirement if they appoint a data protection officer to oversee their various data processing activities, except in special circumstances. For example, “an extraterritorial transfer to a country that does not provide an adequate level of personal data protection.” Nevertheless, data controllers and processors within Madagascar who fail to comply with the provisions of the DP Law are subject to the following sanctions:

With the passing of the DP Law in 2014, Madagascar effectively guaranteed the data privacy and protection rights of their respective citizens. Although the provisions of the law are somewhat outdated in comparison to the standards of the EU’s General Data Protection Regulation, the DP Law does serve as a legal means by which data subjects in Madagascar can ensure that their personal data remains secure and protected from harm, unauthorized use, illegal access or destruction. In this way, Madagascar has joined the recent trend of African countries that have sought to protect the personal data of their citizens through legislative measures.

Related Reads