Data Protection & Privacy 2023

Last Updated February 06, 2023

Mauritius

Trends and Developments


Authors



Eversheds Sutherland (Mauritius) joined Eversheds Sutherland Global in 2014 but has been in Mauritius since 2009 and has been growing steadily since then. The practice offers legal services to domestic and global clients including conglomerates, banks and financial institutions, real estate companies, management companies and other financial service providers. Eversheds Sutherland (Mauritius) regularly advises on matters of commercial and corporate law, M&A, banking and finance, financial services, securities law, tax law, intellectual property law, employment law and data protection. In addition to its transactional and advisory work, the firm is regularly instructed to appear in commercial litigation and has steadily developed its arbitration practice over the past few years. Members of the firm appear frequently before the Supreme Court of Mauritius as well as before regulatory bodies such as the Competition Commission of Mauritius.

Emergence of Data Protection in Mauritius

Mauritius, a developing island nation, prides itself on being the 6th State and the first African country to ratify Convention 108+ established by the Council of Europe. Although data protection legislation has been in existence for a while, its application has become increasingly relevant in recent years to keep up with the evolution of digitalisation. In today’s digital age, personal data has become one of the most valuable assets in the world. In tandem, the protection of privacy, a constitutionally protected right, has become an important concern for regulatory bodies and organisations in their approach to handling personal data.

This overview will explore the current data protection laws in effect in Mauritius, highlight the role of the supervisory authority in Mauritius, and discuss emerging trends of data protection in national security, healthcare, and the financial services sector. Lastly, the conclusion will shed light on how Mauritius is responding to technological and societal advancements.

Data Protection Act 2017

General provisions

Mauritius has implemented data protection laws to strengthen the control and personal autonomy of individuals over their personal data, while at the same time ensuring growth and development of the country’s digital economy. The Data Protection Act 2017 (the “Act”) came into effect in 2018, superseding the Data Protection Act 2004, and has been drafted to align with the European Union General Data Protection Regulation (GDPR). Since its enactment, the Act has been amended twice.

The Act provides a robust framework for the collection, storage and use of personal data. Similar to the GDPR, the Act requires the explicit consent of data subjects (ie, individuals whose data is being collected, stored and processed) before collecting and processing their personal data. Controllers and/or processors have the duty to, inter alia, inform the data subject on the reasons for collecting their data and where it is being stored. The Act also provides data subjects with individual rights such as the right to access their personal data, the right to request that inaccurate data be amended, and the right to request that their data be deleted.

Another piece of legislation that plays a crucial role in protecting the privacy of data subjects is the Cybersecurity and Cybercrime Act 2021. Under the Cybersecurity and Cybercrime Act 2021, cybersecurity is defined as “protecting information, equipment, device, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction”. With the increasing use of technological gadgets, cyber-attacks are more likely to occur, leading to data breaches and thus the invasion of privacy.

Specific provisions

Differing levels of treatment in data types

The distinction between personal data and special categories of data is of utmost importance as the Act (similar to the GDPR) imposes stricter rules and regulations on the collection, storage and use of special categories of data. Special categories of data are sensitive in nature and include data related to race, ethnic origin, political views, religious or philosophical beliefs, genetic or biometric data, sexual orientation or preferences and any such other data that the Data Protection Commissioner may determine to fit in the definition.

Personal data of a child

The GDPR gives EU member states the flexibility to choose the age limit for the processing of personal data of a child, provided that the child is neither below the age of 13 nor above 16 years old. In Mauritius, there is a general prohibition to process the personal data of a child below the age of 16 years unless consent is given by the child’s parent or guardian. Organisations are required by the Data Protection Office (DPO) to consider the need to protect children and design their systems and processes bearing this in mind.

Cross-border transfer of data

The cross-border transfer of data is a common practice nowadays. The Act sets out clear rules for the transfer of data across foreign jurisdictions. Short of express consent from the data subjects, controllers and/or processors can be granted permission by the Data Protection Commissioner to transfer personal data to another jurisdiction upon satisfying the Data Protection Commissioner that the recipient country has the equivalent or a higher standard of data protection. Exceptions do exist for countries which do not hold adequate levels of protection to initiate cross-border transfers of data. These include, among others, providing standard contractual clauses approved by the DPO.

Although the Act has been drafted in line with the GDPR, Mauritius does not yet feature on the list of the handful of recognised countries that possess adequate protection in the transmission of data and, as such, controllers and/or processors still need to seek specific authorisation for such transfers.

Appointment of a Data Protection Officer

Under Section 22(e) of the Act, it is mandatory for a controller to appoint a data protection officer (the “Officer”) who is responsible for data protection compliance issues. The designated Officer, who is the first point of contact for the DPO and for data subjects, can be:

  • an existing employee as long as there is no conflict of interest between the duties of the employee and those expected of an Officer;
  • a foreigner; or
  • an individual or an organisation employed through a service contract.

Although the Officer is responsible for assisting the controller/processor, the Officer is not personally liable for non-compliance by the controller/processor.

Exceptions

Section 44 of the Act allows for exceptions to certain protected rights provided they constitute a necessary and proportionate justification. These include:

  • protection of national security, defence or public security;
  • for the purpose of historical, statistical or scientific research;
  • protection of judicial independence and judicial proceedings;
  • prevention, investigation, detection or prosecution of an offence, including the execution of a penalty;
  • an objective of general public interest; and
  • protection of a data subject or the rights and freedoms of others.

Data Protection Office

In Mauritius, the DPO is the public body and supervisory authority that regulates data protection. The main objective of the DPO is to protect the privacy rights of individuals with a vision to educate our society on their right to privacy and data protection, especially in this digital age. The DPO ensures that clear procedures are being set up and personal data is being collected, stored and processed in a secure, fair and lawful manner by all registered data controllers and processors. To date, the DPO has successfully shifted to a computerised system whereby applications for registration of controllers and processors are submitted online, payments for the said applications and complaints are likewise made online, and certificates of registration are electronically issued.

National Security

The relationship between national security and data protection continues to evolve as the world shifts towards digitisation in various key sectors of government. As it stands, national security involves the collection and storage of an immense amount of personal data of individuals. In an increasingly digital world that influences the daily habits and actions of every generation, protecting personal data and privacy rights is at the forefront of most legislative mandates. In Mauritius, the current data protection legislation provides various levels of protection to citizens through the Act.

A rather modern provision of the Act is found within Section 34 defined as “Data Protection Impact Assessment” (DPIA). In order to balance privacy interests with the overall national interests of safeguarding the public, the DPIA provides a mechanism to protect personal data and mitigate the risks of potential infringements on the privacy rights of citizens. This ensures that national and public security projects are being effectively implemented while also taking into consideration the potential ramifications of violating the fundamental rights of data subjects.

Specifically, Section 34(2) of the Act requires that a DPIA is carried out under four circumstances when dealing with national security projects and their processing operations and purposes. One of the circumstances that requires a DPIA exists where a systematic and extensive evaluation of personal data based on automated processing may significantly affect the individual and their legal rights. Other circumstances include large-scale systematic monitoring and processing of public areas and special categories of personal data. In addition to a DPIA, the Act further ensures that for any other activity being carried out, the authorisation and/or consultation of the DPO is needed.

Financial Services

In Mauritius, the Financial Services Commission (FSC) regulates the non-banking financial services sector and global business. Through its legislative mandates, the FSC ensures that financial consumers and investors are adequately protected from data breaches. Under the Act, financial institutions must abide by the requirements for a controller handling the collection, processing and transfer of personal data.

With the rise of virtual assets and currency worldwide, Mauritius has developed legislation geared towards the protection of personal data in virtual transactions. At its core, virtual currency requires the digital transferring, processing, storing and trading of information. This poses a risk to users engaged in virtual assets as trading currencies within these transactions are decentralised and unregulated by conventional banks. In response to virtual trading, the requirements under the Act are triggered whenever individuals and their personal data are either directly or indirectly identifiable.

The complexities of virtual assets and the relatively new laws surrounding them expose users to the possibility of data breaches. Since virtual asset transactions occur exclusively on the internet, this adds another layer of difficulty in protecting the personal data of users. While users on virtual currency platforms may remain anonymous when trading, their full transaction history is nonetheless publicly available and accessible from multiple jurisdictions. A data breach may therefore result in the likelihood that a particular user’s personal information, for example their mailing address in relation to purchases, may be released to the public without their consent or knowledge.

Data protection issues in virtual assets span multiple sectors of government. The most alarming issues involve cross-border and multi-jurisdictional virtual transactions where application of a particular jurisdiction’s data protection laws may be challenging to ascertain. As mentioned above, virtual assets operate through a decentralised network in which permanent blockchains are created to record trading history. These blockchains are in large part unalterable by data controllers/processors, whose responsibilities include amending inaccurate data and destroying obsolete personal data.

It is worth mentioning that Mauritius has been quite proactive in ensuring that it meets the latest AI trends in financial technology. The FSC introduced the Robotic and Artificial Intelligence Enabled Advisory Services Licence in 2021. This licence was created for investors and service providers looking to provide advisory services by using AI-enabled algorithms which limit the need for a human-based workforce. As a result, such types of AI-based licences would require application of the Act to protect investors and service providers from data breaches.

Healthcare

During the COVID-19 pandemic, there was an urgent need to collect and process personal data in order to curtail the spread of COVID-19. Organisations were required to be transparent regarding the measures they were implementing, and to retain, collect and process personal data that was required for the specific purpose of preventing or containing COVID-19, in line with the general requirements of the Act. Special categories of personal data were being collected at airports, medical centres, schools, restaurants, shops and workplaces, among others. As a result, the DPO instantly issued guidelines for the management of health data (classified as special categories of personal data under the Act) to reiterate the fundamental rights to privacy.

Several initiatives are underway to explore the use of AI and modernise the healthcare system in Mauritius. An e-health programme is being developed which captures, stores, manages and transmits data related to the health of individuals in Mauritius, Rodrigues, and elsewhere in Africa. Health data such as diagnosis, reports, scans and hospital records are stored on a cloud service which can be accessed and exchanged by healthcare providers. As initiatives continue to develop and expand to improve healthcare, it is likely that more widespread use of AI in healthcare will be seen in the years to come.

More Investment in Privacy Technologies

As privacy regulations continue to evolve, companies will be expected to invest in privacy technologies to earn consumer trust and ensure compliance with the Act regarding security safeguards when processing personal data. In addition to maintaining appropriate security mechanisms, these companies are expected to update their privacy policies in line with changes in data protection laws. Failure to abide by these requirements results in breaches of the Act.

In most privacy policies, organisations warn data subjects against third-party cookies and hold no liability when third-party cookies store personal data. More can be said on this trend with Google successfully blocking third-party cookies on the Google Chrome browser. Advertisers and marketing agencies will be more profitable when investing in direct partnerships with brands and businesses that own the personal data, resulting in a gradual shift from third-party data to first-party data.

Surveillance

Mauritius has been actively exploring ways to implement AI in various fields to modernise different sectors in its economy. However, along with their revolutionary technological abilities, AI-oriented technologies pose a real risk of data breaches and to the security of information.

Mauritius has ensured that the provisions in the Act create a harmonious balance between protecting personal data and surveillance activities. Section 34(2)(c) of the Act stipulates that for processing operations under surveillance activities, ie, “systematic monitoring of a publicly accessible area on a large scale”, a DPIA is required due to a higher risk of human rights violations. Failure to carry out a DPIA is considered a criminal offence.

To promote its reputation as a safe tourist destination, Mauritius has implemented the “Safe City Project” through the installation of high-functioning CCTV surveillance cameras in areas most frequented by tourists. In support of this project, the DPO issued a “Code of Practice” for officers involved in this project to ensure that any activity performed abides by the mandates of the Act, and, more importantly, maintains public confidence. Parallel to this project, private individuals have begun using CCTV surveillance systems and, as a result, the DPO has seen an increase in complaints as to how the use of these surveillance cameras is invading the privacy and security of others, and consequently issued very helpful decisions.

Looking Ahead

Rightly so, data subjects have substantial control over their personal data. However, are they satisfactorily equipped to form a fairly balanced judgment in the exercise of those rights, which may in turn have a direct impact on the phenomenal economic growth which we can reap through no obstacle being unnecessarily placed in the path of digitisation and use of AI? This is probably the aspect where data protection regulators have a fundamental role to educate data subjects on the proper exercise of their rights, and this, without in any way losing sight of the sacrosanct right of an individual to privacy.

Whilst the Mauritian Data Protection Commissioner has consistently laid emphasis on the fact that Mauritius has to keep up with the fast-moving pace at which data is “travelling” across frontiers to win the privacy protection battle, their regular decisions on complaints received by their office seem to be appropriately shaping up local jurisprudence based on the sensitive yet necessary balance of rights of data subjects against public interests. In a mature legal framework with informed exercise of rights by data subjects, the fruits of digital growth need not necessarily be at the expense of privacy of individuals.

Eversheds Sutherland (Mauritius)

Edith
Block B, 2nd Floor
Edith Cavell Street
Port Louis, 11302
Mauritius

+230 211 0550

+230 211 0780

yannickfok@eversheds-sutherland.mu https://www.eversheds-sutherland.com/global/en/where/africa/mauritius/index.page