The right to privacy is expressly provided in Sections 3 and 9 of the Constitution of Mauritius and Article 22 of the Mauritian Civil Code. In 2004, Mauritius enacted the Data Protection Act 2004, which provided for the protection of the privacy rights of individuals in view of the developments in the techniques used to capture, transmit, manipulate, record or store data relating to individuals.
Why the need for a new legislation on Data Protection?
The Data Protection Act 2004 no longer fitted Mauritius’ evolving digital context and was therefore repealed and replaced by the Data Protection Act 2017 (the “Act”) which came into force on the 15th of January 2018. The Act aims at strengthening the control and personal autonomy of data subjects over their personal data and for matters related thereto. It seeks to bring Mauritius data protection framework into line with international standards, namely the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). The GDPR intends to strengthen and unify data protection for all individuals within the European Union (EU) and addresses the export of personal data outside the EU. It provides for a harmonisation of the data protection regulations throughout the EU, therefore makes it easier for non-European companies to comply with these regulations.
HOW IS GDPR RELEVANT TO MAURITIUS?
The GDPR is of relevance to Mauritius as it has extra-territorial applicability. This means that:
- the GDPR will apply to every data controller/processor1 , regardless of location, that processes EU citizens’ and residents’ personal data;
- the GDPR will apply if the data controller, processor or subject is based in the EU; and
- EU citizens’ personal data will not be transferable to a country that does not have similar regulations as the GDPR. By way of example, not only will the GDPR apply to a EU university collecting personal data of a Mauritian student, but it will also apply to the Mauritian university collecting personal data of a EU citizen or resident wanting to enrol for a course. Unless Mauritius has data protection laws which are similar to the GDPR, the Mauritian university will be unable to collect data of the EU Citizen or resident.
The benefits of aligning the data protection framework with GDPR are mainly to attract foreign investment through the facilitation of businesses working with European countries to transfer data therefrom. The Act enhances the ‘ease of doing business’ requirements and build trust between Europe and Mauritius. Moreover, a stronger and more coherent data protection framework, backed by effective enforcement will allow the digital economy to flourish by putting individuals in control of their own data and reinforce legal and practical certainty for economic operators and public authorities. Hence, the risks of data breaches will be minimised.
WHAT ARE THE CHANGES BROUGHT IN THE NEW DATA PROTECTION LEGISLATION?
The Act rests on several pillars which are coherent rules, simplified procedures, coordinated actions, user involvement, more effective information and stronger enforcement powers. The major changes brought in the new data protection legislation concern modernising the existing data protection principles and key definitions.
The existing data protection principles have been reviewed and modernised as follows:
Principles Relating to Processing of Personal Data
Every controller or processor shall ensure that personal data is:
- processed lawfully, fairly and in a transparent manner in relation to any data subject;
- collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- processed in accordance with the rights of data subjects.
The new underlined parts show that the aim in amending the principles is to provide more transparency and reassurance to the data subjects that their data is being collected for a genuine purpose and limited to what is strictly required. Additionally, one also notes that terms such as “consent” has been reviewed as follows2:
“consent” means any freely given specific, informed and unambiguous indication of the wishes of a data subject, either by a statement or a clear affirmative action, by which he signifies his agreement to personal data relating to him being processed.
The data subject must therefore give an unambiguous consent and the same, must expressly be by a statement or a clear affirmative action. This again gives the data subject greater control over what is given. The controller bears the burden of proof for establishing a data subject’s consent to the processing of his personal data for a specified purpose.
Getting the right consent can help build customer confidence and trust. The contrary will erode trust in an organisation and damage its reputation. The term “personal data” has been broadened and redefined as:
“personal data” means any information relating to a data subject.
Previously, the term “personal data” was provided as:
- data which relate to an individual who can be identified from the data; or
- data or other information, including an opinion forming part of a database, whether or not recorded in a material form, about an individual whose identity is apparent or can reasonably be ascertained from the data, information or opinion.
“Sensitive personal data” was renamed as “special categories of personal data” and includes a major amendment to include biometric3 and genetic data4 .
INTRODUCTION OF NEW CONCEPTS IN THE ACT
The new concepts which one can note in the Act aim at providing better protection to data subjects.
Data Protection Impact Assessments
Where processing operations are likely to result in a high risk to the rights and freedoms of data subjects by virtue of their nature, scope, context and purposes, every controller or processor must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
The assessment must, amongst other measures, include an assessment of the risks to the rights and freedoms of data subjects and the measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Act.
Personal Data Breach and Notification of the Same
A new term called “personal data breach” has been introduced, which can be defined as:
a breach of security leading to the accidental or unlaw ful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; It should be noted that henceforth, in the case of a personal data breach, the controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Commissioner. Where a processor becomes aware of a personal data breach, he must notify the controller without any undue delay.
Additionally, where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the controller must, after the notification of the breach is made to him, communicate the personal data breach to the data subject without undue delay. Such communication to the data subject must describe in clear language the nature of the personal data breach and set out the information provided for by the controller.
The communication of a personal data breach to the data subject will however not be required where the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach.
Additionally, a data subject is entitled to request a copy of his data from the controller, to object to the processing of his data for marketing purposes, including profiling5, and to request rectification of his data.
The Security Aspects of the Processing of Data
The security attached to the processing of personal data has been made stricter and more rigorous. New modern concepts such as encryption6 and pseudonymisation7 have been included in the Act, one of the main uses of the same applies to the processing of data and therefore provides more security to data subjects.
As such, a controller or processor must, at the time of the determination of the means for processing and at the time of the processing:
(a) Implement appropriate security and organisational measures for
- the prevention of unauthorised access to;
- the alteration of;
- the disclosure of;
- the accidental loss of; and
- the destruction of, the data in his control; and
(b) ensure that the measures provide a level of security appropriate for the harm that might result from
- the unauthorised access to;
- the alteration of;
- the disclosure of;
- the destruction of,
- the data and its accidental loss; and
- the nature of the data concerned.
Appropriate security and organisational measures include:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and
- resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The Data Protection Office may also lay down technical standards for such security and organisational measures.
ARE THERE ANY EXEMPTIONS OR RESTRICTIONS?
The concept of lawful processing has been introduced and provides that no person may process personal data unless:
- the data subject consents to the processing for one or more specified purposes;
- the processing is necessary:
- for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
- for compliance with any legal obligation to which the controller is subject;
- in order to protect the vital interests of the data subject or another person;
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- the performance of any task carried out by a public authority;
- the exercise, by any person in the public interest, of any other functions of a public nature;
- for the legitimate interests pursued by the controller or by a third party to whom the data are disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or
- for the purpose of historical, statistical or scientific research.
The processing of personal data by an individual in the course of a purely personal or household activity is exempted from the Act. The processing of personal data for the purpose of historical, statistical or scientific research is exempted provided that the security and organisational measures are implemented to protect the rights and freedoms of data subjects involved.