Enactment of the Data Protection act 2017

Enactment of the Data Protection Act 2017

Thriving in an era of constant technological and social change, Mauritius enacted the new Data Protection Act 2017 (DPA 2017) by repealing the existing DPA 2004 with view of espousing a world-class regime protecting personal data. This step forward not only cement Mauritius position at the forefront of technological innovation in Africa but also at international arena as the new DPA was designed in such a way that procure our legal framework adequacy with the EU General Data Protection Regulation (EU GDPR) which became enforceable on 25 May 2018.

Mauritius adopted a more stringent approach to privacy, understanding that protection of personal data is a fundamental human right, but which is often subject to vulnerability. The new Act and the GDPR goes hand in hand enhancing the autonomy of individual in controlling their own data and ensuring that privacy rights and entitlements are properly protected, hence, contributing in fostering trust between Europe and Mauritius.

Simultaneously, the new act strikes a balance between Government and economic operators allowing the digital economy to burgeon favorably by minimizing data breaches.  

The DPA and GDPR accentuates on the 'explicit' or 'unambiguous' consent of the data subject. Consent is pivotal prior any transfer of personal data of the data subject. Another new feature of this new act is with respect to the data of a child whereby consent of parent is primordial.

Emphasizing on the rights and limitation of the controller and the processor, the new Act imposes that personal data be processed legitimately and in a manner that do not jeopardize the rights of data subject by reassuring them that their personal data is being collected for a genuine purpose, accurately and limited to what is strictly required.  Moreover, the Act caters for right of erasure/ rectification, right of access which are vested outright to data subject where required.

The DPA 2017 together with the GDPR look forward to fortifying the control and personal autonomy of data subjects over their personal data. The differences between the DPA 2017 and the GDPR is the large administrative penalties. Under the GDP organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements example, not having sufficient customer consent to process data or violating the core of Privacy by Design concepts whereas the Act stipulate on conviction of a criminal offence, maximum fines of MUR 200,000 and prison sentences of up to five years.

On a conclusive note, harmonization of the DPA with GDPR eventually promises better business   opportunities within Europe for organization who intend to do business with European states or already running their business in Europe by building regulation supporting relationships via greater data security globally as well as boosting the business’s reputation as secure in the eyes of potential customers.


Introduction of Online Data Capture System

In a rapidly developing financial environment, it is paramount to have consistent and up-to-date data for decision making process. The Mauritius Financial Services Commission (“FSC”) has implement an online platform system known as the Online Data Capture System (“ODCS”) taking into consideration the increasing data requirements. The objective of the ODCS platform is to facilitate the compilation, collection and analysis of financial data.