Malawi: Parliament introduces bill on data protection

On December 7, 2023, the Parliament of Malawi introduced Bill No. 22 for the Data Protection Act, 2023. In particular, the bill seeks to provide a comprehensive legal framework for the regulation of personal data in compliance with internationally accepted principles of data protection.

What is the scope of the bill? 

The bill would apply to the processing of personal data:

  • in Malawi by a data controller or processor domiciled, ordinarily resident or operating in Malawi;
  • of a data subject who is within Malawi, by a data controller or data processor who is domiciled, ordinarily resident, or operating outside Malawi, and the data processing relates to the:
    • offering of goods or services, irrespective of whether the data subject is required to pay for the goods or services; or
    • monitoring of the behavior of the data subject, as far as the behavior takes place within Malawi; and
  • in Malawi, whether wholly or partly by automated means or by means other than automated means, which forms or is intended to form part of a filing system.

What are the key provisions of the bill?

The bill provides, among other things, key definitions, data processing principles, data subject rights, obligations of controllers and processors, breach notification requirements, and provisions on cross-border transfers. Additionally, the bill would designate the Malawi Communications Regulatory Authority as the data protection authority.

Notably, the bill would require the registration of data controllers and processors of significant importance. Further, the bill would exempt data controllers and processors who are not of significant importance from complying with the bill, for a period of 24 months from the date the bill comes into operation. Data controllers and processors of significant importance in operation at the time the bill comes into effect would be required to comply with the bill within six months from the date of its coming into force.

You can read the bill here.