Harmonising the GDPR in Mauritius

BLC Robert & Associates

Mauritius is the first country in the southern hemisphere to
have recently revamped its data protection legal regime by repealing the
previous Data Protection Act 2004 ("DPA 2004") and adopting a new law, namely the
Data Protection Act 2017 ("DPA 2017"), following the adoption of
the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") in the European Union.

The DPA 2004 was largely based on the EU Directive 95/46/EC
on the protection of individuals with regard to the processing of personal data
and free movement of such data, and was supplemented by the Data Protection
Regulations 2009.

The DPA 2017 came into force on 15 January 2018. It aims to
strengthen the control and personal autonomy of individuals over their
personal data in line with current relevant international standards, namely the
GDPR. The reform of the data protection legal regime in Mauritius
was also made in an effort to simplify an area of law that is sometimes seen by
the market as overly cumbersome and complex, the more so given the increasingly
cross-border nature of activities conducted in or through Mauritius.

In an attempt to protect data subjects, the Mauritian
legislator has conferred additional rights on data subjects and has imposed
additional obligations on data controllers. For instance, under the DPA 2017, data
subjects now have the right to request a copy of their personal data which is
being processed by any data controller, free of charge and in an intelligible form.
Under the DPA 2004, it was somewhat unclear whether personal data could be
transferred to another country not ensuring an adequate level of protection of
the personal data even if the data subject had consented to such transfer, a point
which has been the subject of frequent discussions with the Data Protection Office
in Mauritius ("DPO"). There is now
an obligation on data controllers to provide the Data Protection Commissioner with
evidence that the country to which personal data is being transferred has
adequate safeguards to protect the personal data being transferred. Moreover,
the DPA 2017 also extends the rights of data subjects: a data subject may request a data
controller who has made the data subject's personal data public to
take reasonable steps to inform any third party processing the personal data to
erase such data. Another novelty in the DPA 2017 is that it is now incumbent
upon a data controller to report any breach of personal data to the Data
Protection Commissioner without undue delay and, where feasible, not later than
72 hours after having become aware of such breach. Another major change brought
under the DPA 2017 is that, prior to processing the personal data of a child
below the age of 16, it is requisite to obtain the consent of the child's parent
or guardian.

The effort made by the Mauritian legislator to align the DPA
2017 with the GDPR is laudable. However, the hefty administrative penalties
under the GDPR have not been reflected in the DPA 2017. A data controller in
breach of the GDPR may be fined an amount equivalent to 4% of its worldwide
annual revenue or EUR 20 million, whichever is higher. The DPA 2017 provides for
criminal sanctions instead of civil sanctions. The maximum penalty under the
DPA 2017 has remained unchanged from what was provided under the DPA 2004, which
is a maximum fine of MUR 200,000 (approximately EUR 5,000) and a term of
imprisonment not exceeding 5 years. It is still too early to gauge whether the
reform of the data protection law in Mauritius will act as a
sufficient safeguard against potential violations of the privacy and personal data
of individuals. The DPA 2017 is still being implemented, and detailed
regulations to supplement the DPA 2017 have not yet been published. The DPO has
yet to issue guidelines to facilitate the interpretation, comprehension and practical
application of certain provisions of the DPA 2017.

Mauritian companies must not only ensure that they comply
with the DPA 2017 but, in some cases, must also determine whether their activities
trigger the GDPR. Finally, whether the sanction is criminal or civil, the
processing of personal data carries with it a reputational risk which data
controllers and processors must consider seriously, with the assistance of data
protection professionals.
