Mauritius is the first country in the southern hemisphere to have recently revamped its data protection legal regime by repealing the previous Data Protection Act 2004 ("DPA 2004") and adopting a new law, namely the Data Protection Act 2017 ("DPA 2017") following the adoption of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") in the European Union.
The DPA 2004 was largely based on the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and free movement of such data, and was supplemented by the Data Protection Regulations 2009.
The DPA 2017 came into force on 15 January 2018. It aims at strengthening the control and personal autonomy of individuals over their personal data in line with current relevant international standards, namely the GDPR. The reform brought to the legal regime of data protection in Mauritius was also made in an effort to simplify an area of law that is sometimes seen by the market as overly cumbersome and complex, the more so given the increasing cross-border nature of activities conducted in or through Mauritius.
In an attempt to protect data subjects, the Mauritian legislator has conferred additional rights on data subjects, and has imposed additional obligations on data controllers. For instance, under the DPA 2017, data subjects now have the right to request a copy of their personal data which is being processed by any data controller free of charge and in an intelligible form. Under the DPA 2004, it was somewhat unclear whether personal data could be transferred to another country not ensuring an adequate level of protection of the personal data even if the data subject has consented to such transfer - a point which has been the subject of frequent discussions with the Data Protection Office in Mauritius ("DPO"). There is now an obligation on data controllers to provide the Data Protection Commissioner evidence that the country to which personal data is being transferred, has adequate safeguards to protect the personal data which is being transferred. Moreover, the DPA 2017 also extends the right of data subjects to request data controllers who have made the personal data of the data subjects public, to take reasonable steps to inform any third party processing the personal data to erase such data. Another novelty in the DPA 2017 is that it is now incumbent upon a data controller to report any breach of personal data to the Data Protection Commissioner without undue delay and where feasible, not later than 72 hours after having become aware of such breach. Another major change brought under the DPA 2017 is that prior to processing the personal data of a child below the age of 16, it is requisite to obtain the consent of the child's parent or guardian.
The effort made by the Mauritian legislator to align the DPA 2017 with the GDPR is laudable. However, the hefty administrative penalties under the GDPR have not been reflected in the DPA 2017. A data controller in breach of the GDPR may be fined an amount equivalent to 4% of its worldwide annual revenue or EUR 20 million whichever is higher. The DPA 2017 provides for criminal sanctions instead of civil sanctions. The maximum penalty under the DPA 2017 has remained unchanged to what was provided under the DPA 2004, which is a maximum of MUR 200,000 (approximately EUR 5,000) and a term of imprisonment not exceeding 5 years. It is still too early to gauge whether the reform brought to the data protection law in Mauritius would act as a sufficient safeguard against potential violations of privacy and personal data of individuals. The DPA 2017 is still being implemented and detailed regulations to supplement the DPA 2017 have not yet been published. The DPO has yet to issue guidelines to facilitate the interpretation, comprehension and practical application of certain provisions of the DPA 2017.
Mauritian companies must not only ensure that they comply with the DPA 2017 but in addition, in some cases, they must determine if their activities trigger the GDPR. Finally, whether it is criminal or civil sanction, the processing of personal data carries with it a reputational risk which data controllers and processors must consider seriously with the assistance of data protection professionals.