Law: Data protection provisions are included in the Constitution of Malawi ('the Constitution'), in the Electronic Transactions and Cyber Security Act, 2016 ('the Act'), and in the Data Protection Bill, 2021 ('the Bill')

Regulator: Malawi Communications Regulatory Authority ('MACRA')

Summary: There is not currently any general data protection law in Malawi. However, the Constitution provides for the right and sectoral laws include provisions regarding data protection. For instance, the Act provides, among other things, principles governing the processing of personal data, legal bases for the processing activities, data subjects' rights, and security measures that a controller must put in place when processing personal data. On July 2021, MACRA announced that Electronic Transactions and Cyber Security Regulations are being developed, whose purpose would be to outline the role of MACRA, and the obligations of all relevant stakeholders. Although MACRA is the competent authority for the enforcement of the provisions of the Act, the Act also mandates the Government to adopt the necessary regulations in order to establish a legal framework to ensure the confidentiality of personal data. Previously, the Minister of Information and Communications Technology had announced that it was working on a new data protection law to be introduced in the Parliament of Malawi. Accordingly, a draft Data Protection Bill was published for public comment in early 2021. The Bill would repeal the data protection provisions in the Act and designate MACRA as the authority which would regulate personal data protection in Malawi.