7 December 2017
DataGuidance confirmed, on 5 December 2017, with Ammar Oozeer, Barrister at BLC Robert & Associates, that the Cabinet of Ministers (‘the Cabinet’) had agreed, on 1 December 2017, to introduce the Data Protection Bill (No. XIX of 2017) (‘the Bill’) to the National Assembly. The Bill seeks to bring Mauritius’ data protection framework into line with international standards, namely the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), by repealing the Data Protection Act 2004 (‘the Act’). Additionally, the Bill aims to simplify the regulatory environment for business in the digital economy and promote the safe transfer of personal data to and from foreign jurisdictions.
Oozeer told DataGuidance, “With the expanded territorial reach of the GDPR, the proposed new data protection regime will surely help to spur growth in the Mauritian ICT/business process outsourcing sector, and generally, facilitate the transfer of personal data from EU-based companies to Mauritian companies. With the new regime, it is expected that the country will attract more business opportunities from EU-based companies in emerging areas such as analytics, Big Data and FinTech. By establishing a regime that will provide a level of data protection equivalent to that ensured within the EU, Mauritius should, in principle, be recognised by the European Commission as a third country that provides an adequate level of protection for the purposes of the GDPR.”
The inclusion of new definitions, such as biometric data, blocking, data matching, genetic data, personal data breach, profiling, and pseudonymisation, as well as the expansion of the definition of consent, demonstrates the efforts of the legislators to bring the Mauritian data protection framework into line with the EU’s. This is further underscored by the addition of provisions on current issues, including the age threshold for a child’s consent, which the Bill, like the GDPR, sets at 16 years.
Oozeer continued, “The Bill makes personal data breach notification mandatory. A personal data breach must, without undue delay and, where feasible, not later than 72 hours after [the data controller] has become aware of the breach, be notified to the Data Protection Commissioner. If the data breach is likely to result in a high risk to the rights and freedoms of data subjects, the data controller must notify them of the breach. As provided under the GDPR, there are exceptions to this obligation. Furthermore, accountability obligations are imposed on data controllers. These include requiring them to conduct an assessment of the impact of high risk processing operations, and to keep records of processing operations. The Data Protection Office will encourage compliance with the new law by laying standards for certification mechanisms, seals and marks. Like under the GDPR, certification is voluntary.”
However, there are differences between the Bill and the GDPR. The large administrative penalties included in the GDPR have not been incorporated into the Bill. Rather, the Bill proposes, on conviction of a criminal offence, maximum fines of MUR 200,000 (approx. €5,020) and prison sentences of up to five years.
Oozeer noted, “It is doubtful that a criminal law regime would greatly assist in ensuring compliance with data protection law. To date, there has been no reported prosecution and/or conviction under the Act, even though a few data controllers have been found to have contravened it. A financial penalty regime, as provided under the GDPR, would have ensured stricter compliance with data protection law.”
The Bill will next be subject to a second reading, at which debates will take place.
Ellen O’Brien | Privacy Analyst