
Malawi: Overview of the Data Protection Bill – key takeaways

The Parliament of Malawi introduced the Data Protection Bill on December 7, 2023, which provides a comprehensive legal framework for data protection in compliance with internationally accepted principles of data protection. The bill introduces requirements for data controllers and processors, rights for data subjects, and restrictions on the processing and movement of personal data. OneTrust DataGuidance breaks down the key rights and obligations provided in the bill.  


Scope and definitions 

The bill applies to the processing of personal data in Malawi when a data controller or data processor is domiciled, ordinarily resident, or operating in Malawi. In addition, the bill will apply where the data controller or data processor is domiciled, ordinarily resident, or operating outside Malawi and the data processing relates to the:

  • offering of goods or services, irrespective of whether the data subject is required to pay for the goods or services; or  
  • monitoring of the behavior of the data subject, as far as the behavior takes place within Malawi. 

The bill will apply whether the processing is wholly or partly by automated means or by means other than automated means, which forms or is intended to form part of a filing system. As an exception, the bill highlights it does not apply to processing by a natural person solely for personal, recreational, or household activities or to the transmission of personal data through Malawi. The bill explains that 'household activity' refers to correspondence, the holding of addresses, social networking, and any other online activity undertaken within the context of a household activity. 

The bill establishes definitions similar to those found in the EU General Data Protection Regulation (GDPR). The bill defines terms including 'data controller,' 'data processor,' 'consent,' 'processing,' 'pseudonymization,' and 'sensitive personal data.' The bill also includes less common terms such as 'data controller of significant importance' and 'data processor of significant importance.' A data controller or data processor of 'significant importance' denotes a data controller or data processor that:  

  • is domiciled, ordinarily resident, or ordinarily operates in Malawi; and  
  • processes or intends to process personal data that is:
    • the personal data of more than 10,000 data subjects who are in Malawi; or
    • of significance to the economy, society, or security of Malawi.

To be considered a data controller of significant importance or a data processor of significant importance, the data controllers and data processors must register and be approved by the Malawi Communications Regulatory Authority (MACRA). An application must be submitted to MACRA along with the prescribed fee. Within 14 days of receiving an application, MACRA will register the data controller or data processor as the appropriate entity and issue a registration certificate or refuse to do so. In the case of a refusal, the reasons for refusal will be provided in writing. Once registered as a data controller of significant importance or data processor of significant importance, MACRA must be notified of any changes in information provided to MACRA within 90 days of the change. MACRA will maintain a list of all data controllers of significant importance and data processors of significant importance. 

Personal data protection principles 

The bill requires personal data be processed in a lawful, fair, and transparent way. All parties must adhere to processing principles including:  

  • only processing data for the specific and legitimate purpose it was collected; 
  • ensuring personal data intended to be processed is relevant and limited to what is necessary; 
  • ensuring personal data intended to be processed is accurate and up to date; 
  • not storing data for longer than necessary; and 
  • implementing appropriate technical and organizational measures.  

The bill outlines that processing of personal data shall be considered lawful with the consent of the data subject or, if the data subject is unable to provide consent, another natural person with the ability to do so on their behalf. Processing of data is permitted without consent where the processing is: 

  • necessary to perform a contract to which the data subject is a party, or to take steps at the data subject's request prior to entering the contract;
  • a legal requirement for the data controller and/or processor;  
  • necessary to protect vital interests of the data subject or another natural person;  
  • legally authorized and is carried out by a competent public authority in furtherance of its legal mandate;  
  • required by law or an order from a court of law; 
  • necessary for a task carried out for public interest or in the exercise of the data controller or processor's official authority; or 
  • necessary for the purpose of a legitimate interest of the data controller, data processor, or a third party to whom the data is disclosed, unless that interest is overridden by another fundamental right or freedom. 

Sensitive data  

The bill outlines specific provisions related to the processing of sensitive personal data. Without the consent of the data subject, sensitive personal data should not be processed by the data controller or data processor unless the processing is:  

  • necessary to protect the interests of the data subject; 
  • necessary to perform a right or obligation under law or court order; 
  • in the interest of public health; 
  • for the public interest; 
  • necessary for establishing, exercising, or defending a legal claim, obtaining legal advice, or while conducting a legal proceeding; 
  • archiving data for public interest or research or statistical purposes; 
  • intentionally made public by the data subject; or 
  • carried out by a data controller or data processor which is a non-profit foundation, association, or other body with a charitable, educational, literary, artistic, philosophical, religious, or trade union aim, and the processing is carried out in the course of its legitimate activities and relates to the body's members or to other natural persons in regular contact with the data controller or data processor.

The data controller or data processor must implement appropriate measures to safeguard the fundamental rights and interests of the data subject where any of the bases above are utilized for processing sensitive personal data. The bill also provides the Minister with the right to include additional categories of information to be defined as 'sensitive personal data' at a later date. 

Children's data  

Within the bill, a child is defined as a person under 18 years of age. Where the data subject is a child (or a person lacking the capacity to exercise their rights), a parent or guardian shall exercise those rights on the data subject's behalf. The bill also highlights that organizations relying on the consent of a minor or other person lacking capacity should implement appropriate age verification mechanisms or methods to verify mental capacity.

Criminal offenses and convictions 

A data controller or data processor must not process data relating to a criminal offense, conviction, or security measures imposed on a data subject, unless the processing is authorized by law and provides the necessary safeguards for the data subject, or the processing is carried out by one of the three branches of Government, a local authority, or a committee established by law or another official authority.

Data subject rights 

The bill establishes an obligation on the data controller to, at the time of collecting data, provide the data subject with information regarding: 

  • the identity and contact details of the data controller or their representative;   
  • the legal basis for processing data;   
  • the purpose for processing data;   
  • where possible, the storage period for personal data;   
  • the existence of automated decision-making;  
  • the right to lodge a complaint with MACRA; and
  • whether the data controller intends to transfer personal data outside Malawi. 

Where the data controller obtains personal data from anyone else, the data controller must provide that information to the data subject within 14 days of receiving the personal data. 

Pursuant to the bill, the following rights are provided for data subjects:   

  • the right to receive confirmation of processing and the right to access personal data; 
  • the right to data portability;  
  • the right to rectification of personal data;  
  • the right to erasure of personal data;  
  • the right to restriction of processing of personal data;  
  • the right to object to processing under certain circumstances; and 
  • the right to not be subject to automated decision-making. 

The rights of a data subject provided under the bill may be restricted where the processing of personal data is for various purposes including: 

  • national security; 
  • prevention, investigation, detection, or prosecution of a criminal offense or execution of criminal penalties;  
  • the pursuit of national economic or financial interest; 
  • public health; 
  • social security;  
  • judicial proceedings; 
  • monitoring, inspection, or exercise of a regulatory function by a public authority; 
  • prevention, investigation, detection, and prosecution of an ethics breach in a regulated profession;  
  • protecting the rights and freedoms of the data subject or another person; or 
  • enforcement of a civil law claim. 

Controller and processor obligations 

Data controllers are required to conduct a Data Protection Impact Assessment (DPIA) prior to the processing of personal data that is likely to present a high risk to the rights and/or freedoms of data subjects. More specifically, a DPIA will be required where there is automated processing, sensitive, or criminal personal data, systematic monitoring, or in any other circumstance MACRA publishes by notice in the Malawi Government Gazette. The bill also mentions that the DPIA should be submitted prior to the processing of personal data and a review should be conducted if a change in the risk of processing occurs. 

Both data controllers and data processors must develop and implement technical and organizational measures to ensure compliance and are responsible for maintaining a record of processing activities (ROPA). Data controllers, however, must also provide the ROPA to MACRA on request. The bill also stipulates that data controllers and data processors must appoint a data protection officer (DPO) where data processing is carried out by a public authority, data subjects will be monitored regularly on a large scale, or sensitive personal data will be processed on a large scale. It is the duty of the DPO to advise the data controller and data processor, monitor their compliance, and act as a contact point for MACRA, among other things.

Contracts  

In regard to the relationship between the data controller and data processor, they should enter into an agreement that provides details on the data processing, including the subject matter and duration, nature and purpose, type of data, categories of data subjects, and the rights and duties of the data controller and data processor. MACRA will retain the right to prescribe additional matters to be included. In relation to subprocessors, the bill prohibits data processors from engaging another data processor to carry out duties covered by the written agreement without the prior written authorization of the data controller. The data controller retains the right to object to the addition or replacement of a subprocessor.

Regarding joint controllers, there must also be a written agreement outlining the role of each controller and assigned duties and the parties will be jointly and severally liable to the data subject whose personal data is being processed per the agreement. Importantly, a summary of the agreement should be provided to the data subject.

Cross-border transfers 

The bill prohibits a data controller or data processor from transferring personal data outside of Malawi unless one of the conditions provided in Section 39(4) of the bill applies or the recipient is subject to the following, which affords an adequate level of data protection:  

  • the recipient of the data is subject to a law; 
  • binding corporate rule (BCR); 
  • personal data protection contractual clause; 
  • code of conduct; or 
  • certification mechanism.  

Data controllers and data processors must keep a record of the basis for the transfer of personal data from Malawi to another country or an international organization. MACRA is responsible for determining whether recipients of personal data outside Malawi provide adequate levels of protection for personal data. If an adequate level of protection is not granted by MACRA, data can still be transferred in limited circumstances. The bill also allows data controllers to apply to MACRA to grant an adequacy decision. 

Data security 

Within the bill, there are several requirements for both data controllers and data processors as it relates to the security of personal data being processed. In consideration of measures to be implemented, the data controller and data processor should consider several factors, including the:  

  • cost of technology;  
  • nature, scope, context, and purpose of data processing;  
  • likelihood of harm to data subjects if data is lost or misused; and 
  • retention period of personal data. 

The bill provides specific technical measures which should be implemented, including:  

  • pseudonymization (or another de-identification method); 
  • encryption; 
  • restoration procedures in the event of physical or technical incidents;  
  • completion of regular risk assessments of the system and service;  
  • regular testing of the effectiveness of security measures; and 
  • regular updates of implemented measures and introduction of new measures when needed. 

Notification of data breach 

Data controllers must notify MACRA within 72 hours of becoming aware of a personal data breach. Where the data processor experiences a personal data breach, the data processor should notify the data controller within 72 hours of becoming aware of the incident. The bill highlights that the data controller must provide: 

  • a description of the breach; 
  • categories of affected personal data; 
  • if possible, the number of affected data subjects; 
  • the likely consequences of the breach; 
  • measures taken to address the breach; and  
  • the contact details of the DPO.  

Where notification of data subjects involves a disproportionate effort or expense, notification in at least one widely circulated newspaper, in addition to any other appropriate method of communication, is permitted. If the breach is likely to pose a high risk to an affected data subject, the data subject should also be notified within 72 hours. Whether a breach is likely to be of high risk is determined by the data controller after analyzing the technical and organizational measures implemented to mitigate harm, the measures taken after the breach, and the nature, scope, and category of the affected data.

Complaints and authority 

MACRA is granted the power to investigate any complaint received from either a data subject or a data subject's parent or legal guardian if the complaint is submitted within 90 days of the action at issue and the complaint is not frivolous. MACRA may also initiate an investigation of its own accord. Within 30 days of completing an investigation, MACRA will communicate the results to the data subject who lodged the complaint and the data controller or data processor at issue. In the event a data controller or data processor has violated the bill, MACRA may issue an appropriate compliance order. 

Enforcement and penalties  

Data protection authority

MACRA is responsible for regulating the processing of personal data. The bill grants MACRA the authority to develop and publish guidelines to promote compliance, encourage the development of relevant technologies, and engage with other authorities to develop approaches for cross-border data transfers. In addition, MACRA will collect and publish relevant information to include data breaches and maintain a register of data controllers and data processors of significant importance. MACRA also has the authority to approve Standard Contractual Clauses (SCCs). 

Penalties 

A compliance order issued by MACRA at the conclusion of an investigation determining that a data controller or data processor has violated the bill can include an order requiring the party in violation to pay an administrative penalty not exceeding MWK 20 million (approx. $11,790). If a data controller or data processor fails to comply with a compliance order (apart from an order to pay compensation, an administrative penalty, or an order to make good of profits), it will be liable for a fine of MWK 10 million (approx. $5,910) and two years in prison. If the non-complying party is a legal person, the fine is MWK 50 million (approx. $29,630).

If a legal person is convicted under the bill, every natural person concerned with the management of the legal person who knowingly permitted the offense will be guilty of the same offense as the legal person. This also applies to data controllers and data processors, as the bill states that any chief executive officer or manager of the legal person is liable for the offense.

Closing remarks 

The bill is currently under consideration in the Parliament of Malawi.  

Should the bill pass, data controllers and data processors of significant importance will be required to comply with the bill within six months of it coming into operation. Data controllers and data processors that are domiciled, ordinarily resident, or ordinarily operate in Malawi will be required to comply 24 months after it comes into operation.  

Sakeinah Perry Privacy Analyst