![Sample our Politics & International Relations journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5947/TOC-Subject-Sample-2021-Politics-International-Relations.jpg"})
ABSTRACT
The recently adopted General Data Protection Regulation (GDPR) in the European Union has certainly set the highest standards of all data privacy policies across the world. In theory such standards have provided more control to individuals over their personal data. Due to the strengthened third-party obligations in the GDPR for data export to non-European Union countries and fear of loss of foreign investment if such countries fail to provide adequate protection of personal data, the GDPR exerts profound influence on data privacy law reform and practice outside Europe. This article analyses the impact of the GDPR in Africa by using Mauritius as an intrinsic case study. Mauritius is selected in this analysis due to its leading role in the privacy policy reforms in Africa and the internationalisation of its data protection systems. Accordingly, the development of the data protection system in Mauritius from the repealed Data Protection Act 2004 to the current Data Protection Act 2017 is analysed in detail, drawing on the largest body of reported complaints, appeals and judicial decisions so far decided by courts.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Notes on contributor
Alex B. Makulilo is Professor of Law and Technology at the Open University of Tanzania. He is the Co-Director and Chairperson of the African Law and Technology Institute. His most recent publication African Data Privacy Laws (2016), Springer, is a pioneering work in the field of data privacy in Africa. Professor Makulilo has also published widely journal articles on many aspects of computer law and information technology.
Notes
1 Tiffany Curtiss, ‘Privacy Harmonization and The Developing World: The Impact of The EU’s General Data Protection Regulation on Developing Economies’, Washington Journal of Law, Technology & Arts 12, no. 1 (2016): 97.
2 Viviane Reding, ‘The Upcoming Data Protection Reform for the European Union Viviane Reding’, International Data Privacy Law 1, no. 1 (2011): 4.
3 Ibid.
4 Proposal for General Data Protection Regulation (European Commission, 2012), https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF (accessed May 20, 2020).
5 See the Explanatory Memorandum to the Data Protection Bill (No. XV of 2004) which expressly states that the object of this Bill is to provide for the protection of the privacy rights of individuals in view of the developments in the techniques used to capture, transmit, manipulate, record or store data relating to individuals.
6 See The parliamentary discussion (Hansard) of 1 June 2004, Mauritius National Assembly, Debate No. 12 of 01.06.04, Public Bills: Data Protection Bill (No. XV of 2004), pp. 77–78.
7 See, e.g. Mauritius National ICT Policy 2007–2011, pp. 1–18, at pp. 7–8.
8 Drudeisha Madhub, ‘Data Protection Implications for Our DNA Bill’, Awareness Workshop on Legal Aspects of the Use of Human DNA, 9.06.2009, http://dataprotection.govmu.org/English/Publications/Pages/Presentation.aspx (accessed May 20, 2020).
9 Mauritius Data Protection Office, First Annual Report of the Data Protection Commissioner February 2009-February 2010, p. 4, http://dataprotection.govmu.org/English/Documents/Publications/annrep150611.pdf (accessed May 20, 2020).
10 Mauritius National ICT Policy 2007–2011, pp. 1–18, at pp. 7–8.
11 Lee A Bygrave, ‘Data Protection Pursuant to the Right to Privacy in Human Rights Treaties’, International Journal of Law and Information Technology 6 (1998): 247–84.
12 Madhewoo v. The State of Mauritius & Another 2015 SCJ 177, https://ionnews.mu/wp-content/uploads/2015/05/Biometric-ID-Card_Madhewoo-vs-State.pdf (accessed May 20, 2020).
13 See, e.g. Universal Declaration of Human Rights 1948 (Article 12); International Covenant on Civil and Political Rights (ICCPR) 1966 (Article 17); Convention on the Rights of the Child 1989 (Article 16); Convention for the Protection of Human Rights and Fundamental Freedoms 1950 (Article 8); and Arab Charter on Human Rights 2004 (Article 21).
14 Kinfe Micheal Yilma and Alebachew Birhanu, ‘Safeguards of Right to Privacy in Ethiopia: A Critique of Laws and Practices’, Journal of Ethiopian Law 26, no. 1 (2013): 106; See also., Kinfe Micheal Yilma, ‘Data Privacy Law and Practice in Ethiopia,’ International Data Privacy Law 5, no. 3 (2015): 180.
15 Nani Jansen Reventlow and Rosa Curling, ‘The Unique Jurisdiction of the African Court on Human and People’s Rights: Protection of Human Rights Beyond the African Charter’, Emory International Law Review 2 (2019): 208.
16 Mauritius, State Report, https://www.achpr.org/states/detail?id=33 (accessed May 20, 2020).
17 African Union, List of countries which have signed, ratified/acceded to the African Union Convention on Cyber Security and Personal Data Protection 2014, https://au.int/sites/default/files/treaties/29560-sl-AFRICAN%20UNION%20CONVENTION%20ON%20CYBER%20SECURITY%20AND%20PERSONAL%20DATA%20PROTECTION.pdf (accessed May 20, 2020).
18 For a critical appraisal of the data protection principles of the Malabo Convention, see Lukman Adebisi Abdulrauf and Charles Manga Fombad, ‘The African Union’s Data Protection Convention 2014: A Possible Cause for Celebration of human rights in Africa?’ Journal of Media Law 8, no. 1 (2016): 67–97.
19 SADC Model Law on Data Protection 2012.
20 SADC Data Protection Model Law, Art 2(1).
21 GDPR, Art 1.
22 Dan Jerker B. Svantesson, ‘Article 3. Territorial Scope’, in The EU General Data Protection Regulation (GDPR): A Commentary, eds. Christopher Kuner, Lee A. Bygrave, Christopher Docksey (Oxford: Oxford University Press, 2020), 95; Dan Jerker B. Svantesson, ‘Extraterritoriality in the Context of Data Privacy Regulation’, Masaryk University Journal of Law and Technology 7, no. 1 (2013): 87–96.
23 See, the GDPR, Part II.
24 Explanatory Memorandum to the First Draft Proposal of the GDPR, p. 8.
25 GDPR, Art. 17.
26 GDPR, Art. 20.
27 GDPR, Art. 35.
28 GDPR, Art. 37.
29 GDPR, Arts. 33 & 34.
30 Graham Greenleaf, Asian Data Privacy Laws, Trade and Human Rights Perspectives (Oxford: Oxford University Press, 2014), 31.
31 GDPR, Recital 105.
32 See, e.g. CRID, University of Namur (Belgium)., ‘Analysis of the adequacy of protection of personal data provided in Mauritius: draft final report, 2010; Alex B. Makulilo, ‘Data Protection Regimes in Africa: Too Far from European ‘Adequacy’ Standard?’ International Data Privacy Law 3, no. 1 (2013): 42–50.
33 Tira Green, ‘Ensuring the Compliance of the Data Protection Legislation and Principles of Mauritius with EU Standards’, Framework Contract Beneficiaries – Lot 07, Letter of Contract No. 2009/ 272357, Final Report, 9 December 2011.
34 Some of the innovations contained in the Protocol are the following: stronger requirements regarding the proportionality and data minimisation principles, and lawfulness of the processing; extension of the types of sensitive data, which will now include genetic and biometric data, trade union membership and ethnic origin; obligation to declare data breaches; greater transparency of data processing; new rights for the persons in an algorithmic decision making context, which are particularly relevant in connection with the development of artificial intelligence; stronger accountability of data controllers; requirement that the “privacy by design” principle is applied; application of the data protection principles to all processing activities, including for national security reasons, with possible exceptions and restrictions subject to the conditions set by the Convention, and in any case with independent and effective review and supervision; clear regime of transborder data flows; reinforced powers and independence of the data protection authorities and enhancing legal basis for international cooperation.
35 See, e.g. Alex B. Makulilo, ‘African Accession to Council of Europe Privacy Convention 108: Moving Towards Stronger Privacy Protection’, Datenschutz und Datensicherheit-DuD 41, no. 6 (2017): 364–7.
36 Republic of Mauritius, Budget Speech 2017-2018, Paragraph 133, http://budget.mof.govmu.org/budget2017-18/2017_18budgetspeech.pdf (accessed May 20, 2020).
37 Art. 57(7) GDPR.
38 Mauritius National Assembly, Debate No. 19 of 08.12.2017, Public Bills: Data Protection Bill (No. XIX of 2017), pp. 58–60.
39 Data Protection Act, s. 3(3).
40 Data Protection Act, s. 3(1) & (2).
41 Data Protection Act, s. 3(4) (a).
42 Data Protection Act, s. 3(4) (b).
43 Data Protection Act, s. 3(5).
44 See Part 2.2(e) of this article for a detailed discussion about the overreaching effect of Article 3(2) of the GDPR.
45 Data Protection Act, s. 44(2).
46 GDPR, Art. 89.
47 GDPR, Article 6 (1) (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose; (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract; (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations); (d) Vital interests: the processing is necessary to protect someone’s life; (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law; (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. This cannot apply if you are a public authority processing data to perform your official tasks.
48 Waltraut Kotschy, ‘Article 6. Lawfulness of Processing’, in The EU General Data Protection Regulation (GDPR): A Commentary, eds. Christopher Kuner, Lee A. Bygrave, Christopher Docksey (Oxford: Oxford University Press, 2020), 329.
49 CRID, University of Namur (Belgium)., ‘Analysis of the adequacy of protection of personal data provided in Mauritius: draft final report, 2010, pp. 26–7.
50 Kotschy, ‘Article 6’, 335.
51 Data Protection Act, s. 28(1)(b)(viii).
52 Data Protection Act, s. 28(1) (a).
53 Alex B. Makulilo, ‘‘Peel off the Mask’: Enforcement of the Data Protection Act in Mauritius’, Datenschutz und Datensicherheit-DuD 38, no. 12 (2014): 845–9.
54 Eleni Kosta, ‘Article7. Conditions for Consent’, in The EU General Data Protection Regulation (GDPR): A Commentary, eds. Christopher Kuner, Lee A. Bygrave, Christopher Docksey (Oxford: Oxford University Press, 2020), 350.
55 See, e.g. CRID, University of Namur (Belgium)., ‘Analysis of the adequacy of protection of personal data provided in Mauritius: draft final report, 2010.
56 Ludmila Georgieva and Christopher Kuner, ‘Article9. Processing of Special Categories of Personal Data', in The EU General Data Protection (GDPR): A Commentary, eds. Christopher Kuner, Lee A. Bygrave, Christopher Docksey (Oxford: Oxford University Press, 2020), 373.
57 Data Protection Act, s. 29(1)(a).
58 GDPR, Art. 53(2).
59 Mauritius National Assembly, Debate No. 19 of 08.12.2017, Public Bills: Data Protection Bill (No. XIX of 2017), pp. 58–60.
60 Data Protection Act 2017, sec 5(j).
61 Data Protection Act 2017, s. 4(2).
62 Data Protection Act 2004, s. 21.
63 GDPR, Art. 51(3).
64 GDPR, Art. 51(4).
65 Mauritius Data Protection Office, Annual Report of the Data Protection Commissioner January – December 2018, p. 9.
66 Mauritius Data Protection Office., Decisions on Complaints’, http://dataprotection.govmu.org/English/Pages/Decisions-on-Complaints.aspx (accessed May 20, 2020). For a critical analysis of complaints decided by the Commissioner see, Alex B. Makulilo, ‘Mauritius Data Protection Commission: An Analysis of its Early Decisions’, International Data Privacy Law 3, no. 2 (2013): 131–9.
67 Makulilo, supra note 21, p. 848.
68 Ellen O’Brien, ‘Mauritius: Data Protection Bill Should “in principle” Lead to EU Adequacy’, DataGuidance, December 7, 2017, https://www.dataguidance.com/mauritius-data-protection-bill-principle-provide-eu-adequacy/ (accessed May 20, 2020).
69 GDPR, Art. 83.
70 Madhewoo (Appellant) v The State of Mauritius and another (Respondents) (Mauritius), Privy Council Appeal No 0006 of 2016 [2016] UKPC 30, https://www.jcpc.uk/cases/docs/jcpc-2016-0006-judgment.pdf (accessed May 20, 2020). For a critical review of Madhewoo (Appellant) v The State of Mauritius and another (Respondents) (Mauritius), read Roopanand Mahadew, ‘Does the Mauritian Constitution Protect the Right to Privacy? An Insight from Madhewoo v The State of Mauritius’, African Human Rights Law Journal 18, no. 1 (2018): 189–204.
71 GDPR, Art. 45.
72 GDPR, Arts. 46–9.
73 Mauritius Data Protection Office., Decisions on Complaints’, http://dataprotection.govmu.org/English/Pages/Decisions-on-Complaints.aspx (accessed May 20, 2020). The author has presented such decisions of complaints in charts and tables to ease their analysis and discussion.
74 Mauritius Data Protection Office, Annual Report January to December 2018, 10th Edition, p. 9.
75 Alex B. Makulilo, ‘Mauritius Data Protection Commission: An Analysis of its Early Decisions’, International Data Privacy Law 3, no. 2 (2013): 131–9.