News and developments

Harmonising the GDPR in Mauritius

Mauritius is the first country in the southern hemisphere to have recently revamped its data protection legal regime by repealing the previous Data Protection Act 2004 ("DPA 2004") and adopting a new law, the Data Protection Act 2017 ("DPA 2017"), following the adoption of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") in the European Union.

The DPA 2004 was largely based on EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and was supplemented by the Data Protection Regulations 2009.

The DPA 2017 came into force on 15 January 2018. It aims to strengthen the control and personal autonomy of individuals over their personal data in line with current relevant international standards, namely the GDPR. The reform of the data protection legal regime in Mauritius was also made in an effort to simplify an area of law that the market sometimes sees as overly cumbersome and complex, the more so given the increasingly cross-border nature of activities conducted in or through Mauritius.

In an attempt to protect data subjects, the Mauritian legislator has conferred additional rights on data subjects and imposed additional obligations on data controllers. For instance, under the DPA 2017, data subjects now have the right to request, free of charge and in an intelligible form, a copy of their personal data being processed by any data controller. Under the DPA 2004, it was somewhat unclear whether personal data could be transferred to another country not ensuring an adequate level of protection of the personal data even if the data subject had consented to such transfer, a point which has been the subject of frequent discussions with the Data Protection Office in Mauritius ("DPO"). There is now an obligation on data controllers to provide the Data Protection Commissioner with evidence that the country to which personal data is being transferred has adequate safeguards to protect the personal data being transferred. Moreover, the DPA 2017 also extends the right of data subjects to request data controllers who have made the personal data of the data subjects public to take reasonable steps to inform any third party processing the personal data to erase such data. Another novelty in the DPA 2017 is that it is now incumbent upon a data controller to report any breach of personal data to the Data Protection Commissioner without undue delay and, where feasible, not later than 72 hours after having become aware of such breach. Another major change brought under the DPA 2017 is that, prior to processing the personal data of a child below the age of 16, it is requisite to obtain the consent of the child's parent or guardian.

The effort made by the Mauritian legislator to align the DPA 2017 with the GDPR is laudable. However, the hefty administrative penalties under the GDPR have not been reflected in the DPA 2017. A data controller in breach of the GDPR may be fined an amount equivalent to 4% of its worldwide annual revenue or EUR 20 million, whichever is higher. The DPA 2017 provides for criminal sanctions instead of civil sanctions. The maximum penalty under the DPA 2017 remains unchanged from that provided under the DPA 2004, namely a maximum of MUR 200,000 (approximately EUR 5,000) and a term of imprisonment not exceeding 5 years. It is still too early to gauge whether the reform of data protection law in Mauritius will act as a sufficient safeguard against potential violations of the privacy and personal data of individuals. The DPA 2017 is still being implemented, and detailed regulations to supplement it have not yet been published. The DPO has yet to issue guidelines to facilitate the interpretation, comprehension and practical application of certain provisions of the DPA 2017.

Mauritian companies must not only ensure that they comply with the DPA 2017 but, in some cases, must also determine whether their activities trigger the GDPR. Finally, whether the sanction is criminal or civil, the processing of personal data carries with it a reputational risk which data controllers and processors must consider seriously with the assistance of data protection professionals.

Content supplied by BLC Robert & Associates