The Advent of Data Privacy and Protection in Madagascar

Madagascar’s Law No. 2014-038, known as the DP law for short, is a data protection and privacy law that was passed in Madagascar in 2014. The DP law draws large inspiration from the EU’s Data Protection Directive (95/46/EC), the precursor to the EU’s current data privacy law, the General Data Protection Regulation or GDPR. As such, the DP establishes the legal basis upon which personal data may be collected, processed, used, disclosed, and transferred within the country of Madagascar. Moreover, the law also created a legal basis for the establishment of a data protection authority for the purposes of enforcing the law, titled the Commission Malagasy sur l’Informatique et des Libertés or the CMIL for short.

How is personal data defined under Madagascar’s Law No. 2014-038?

Under Madagascar’s DP Law, personal data is defined as “any information relating to a natural person, whereby that person is or can be identified by reference to a name, an identification number or to one or more physical, physiological, psychic, economic, cultural or social elements specific to that person.” Furthermore, the law also defines sensitive personal data to include information relating to racial origin, biometric and genetic information, political opinions, religious beliefs or other convictions, trade union affiliation, and health or sexual life. As is the case with many data privacy laws, both personal data and sensitive personal data may only be processed in accordance with strict requirements under the DP law.

What are the requirements of data controllers and processors under Madagascar’s DP Law?

Under Madagascar’s DP Law, data controllers and processors operating within the country are responsible for adhering to the following principles as it pertains to the collection, processing, and dissemination of personal data:

• Personal data may only be collected or processed for fair, lawful, and explicit purposes.
• The amount of personal data that is collected or processed must be relevant, adequate, and non-excessive in regards to the purpose for which it was collected, processed, and ultimately used.
• All personal data that is collected and processed must be accurate, complete, and current, and any personal data that has been found to be inaccurate or incomplete must be either erased or rectified.
• All personal data that is collected and processed must be kept in a form that allows for applicable data subjects to “be identified only for the requisite period for the purposes for which they are collected or used.”
• “Given the nature of the data and the associated risks, a data controller must take all necessary precautions to ensure the security of personal data.”

What are the rights of data subjects under Madagascar’s DP Law?

Under Madagascar’s DP Law, data subjects within the country to are entitled to the following rights with respect to the protection of their personal data:

• The right to object to the processing of their personal data.
• The right to access their personal data.
• The right to rectify or erase their personal data.
• The right to obtain information concerning the data controllers or processors who have collected or processed their personal data, otherwise known as the right to be informed.

What’s more, data controllers and processors are prohibited from collecting or processing personal data from data subjects, unless this collection or processing of personal data is to be used to fulfill one of the following conditions:

• Compliance with a legal obligation concerning a data controller or processor.
• Protecting a data subject’s life.
• Carrying out a public service.
• Performing or commencing a contract to which the concerned data subject is a party.
• “Realizing of the legitimate interest of the data controller or the data recipient, subject to the interests and fundamental rights and liberties of the concerned individual.”

What are the penalties for violating Madagascar’s DP Law?

Madagascar’s DP is enforced by the Commission Malagasy sur l’Informatique et des Libertés or the CMIL for short. Under the DP law, the processing of personal data requires a prior declaration to the CMIL. However, organizations can be exempt from their requirement if they appoint a data protection officer to oversee their various data processing activities, except in special circumstances. For example, “an extraterritorial transfer to a country that does not provide an adequate level of personal data protection.” Nevertheless, data controllers and processors within Madagascar who fail to comply with the provisions of the DP Law are subject to the following sanctions:

• “Warnings and notices to comply with the obligations defined in the DP Law.”
• A notice of withdrawal of the authorization of a particular data controller or processor.
• “A fine of up to 5% of the last financial year’s pre-tax turnover (not deducted from tax turnover).”

With the passing of the DP Law in 2014, Madagascar effectively guaranteed the data privacy and protection rights of their respective citizens. Although the provisions of the law are somewhat outdated in comparison to the standards of the EU’s General Data Protection Regulation, the DP Law does serve as a legal means by which data subjects in Madagascar can ensure that their personal data remains secure and protected from harm, unauthorized use, illegal access or destruction. In this way, Madagascar has joined the recent trend of African countries that have sought to protect the personal data of their citizens through legislative measures.