Mauritius: the Data Protection Authority publishes its 2022 annual report
The Data Protection Office (DPO), Mauritius’ data protection authority, is one of the first on the African continent. Created in 2009 and strengthened by the Data Protection Act of 2017, it has several missions and is required to submit an annual report to parliament. Its latest 44-page report, the 14th since its creation in 2009, covers all its activities over the past year, from the basics of the authority’s budget and human resources to the investigation of complaints and international cooperation, not forgetting its prolific awareness-raising activities.
Highlights of the DPO’s activities in 2022
The introduction of a dematerialised platform for data controllers and the public: In 2022, the DPO finalised and made available to data controllers and the public a platform called e-DPO. This tool enables users to lodge complaints online, notify data breaches, access the register of data controllers or processors, obtain registration certificates, etc. It has been operational since 7 December 2022.
Investigation of complaints, advisory opinions and data breaches: The DPO received 71 new complaints in 2022. These complaints mainly concerned unauthorised uses of video surveillance (66 cases in total, i.e. 93% of complaints), obstacles to the right of access and unlawful data processing. It handled 36 of these cases, 5 of which were settled out of court. It also received 167 requests for interpretation of the Data Protection Act and 57 notifications of personal data breaches. It is interesting to note that most data breaches are the result of human error (sending data by email to the wrong recipient) and unlawful disclosure. Only 6% of breaches are actually the result of cyber-attacks (including ransomware and phishing).
Raising awareness: The DPO carried out a major awareness-raising campaign in 2022. This included press releases, video awareness campaigns aimed at young people, training for police officers, distribution of CDs (a total of 3,306 were given to data controllers to help them achieve compliance), participation in personal data-related activities in companies, and presentations at universities (The Centre for Human Rights, University of Pretoria).
International cooperation: The DPO has been very active at international level. As a member of several personal data protection networks or privacy networks more generally, it has taken part in conferences and summits organised on topics of interest to it. Taking part in these international activities has been an opportunity for the DPO to exchange views with its peers, share best practice and contribute to the development of the law. At regional level, it worked on the revision of the Southern African Development Community (SADC) model law on data protection. At the international level, the DPO contributed to Mauritius’ responses to questions from the United Nations Special Rapporteur on the right to privacy. It is important to note that the role of the Special Rapporteur is to promote and protect privacy by examining, among other means, national policies and laws on the interception of digital communications and the collection of personal data. In the latest report by Special Rapporteur Ana Brian Nougrères, Mauritius is listed as one of the 18 contributing States. The work undertaken with the European Commission for a decision on Mauritius’s compliance with the GDPR remains, however, the most interesting activity in many respects.
The process of applying for compliance with the European Commission is under attack
The DPO has prepared a report to facilitate the European Commission’s assessment of Mauritius’ adequacy under the GDPR. The aim of the report is to provide an accurate overview of the Mauritian system so that the European Commission can make an objective assessment. Adequacy is one of the conditions for the transfer of personal data from the European Union to a third country. In accordance with the GDPR, data may only be transferred outside the EU under three non-cumulative conditions:
- either the transfer takes place on the basis of an adequacy decision granted by the EU (Article 45 of the GDPR);
- or the transfer takes place on the basis of appropriate safeguards such as contractual clauses (Article 46 of the GDPR) or binding corporate rules (Article 47 of the GDPR), etc.;
- or the transfer takes place by way of derogation for specific situations (Article 49 of the GDPR).
The series of adequacy decisions on transfers to the United States highlights the complexity of this legal regime. At the time of writing, only 15 countries have been deemed adequate by the European Commission. If Mauritius is accepted as an adequate state, it would be the first African state to achieve this status, and it has the arguments to do so. This small southern African state is one of the few African states to have signed the Budapest Convention on Cybercrime, the current and only binding international instrument on cybercrime and data protection issues. For several years now, it has been ranked as the leading African country in terms of cybersecurity, and 17th in the world in the latest Global Cybersecurity Index report. It has a law on the protection of personal data, a proactive authority on the issue and effective legal remedies.
In Africa, Mauritius is a model when it comes to protecting personal data, and its admission as a suitable State would be a fine reward for the efforts it has made. It would only be fair!
By Justin Yao KOUMAKO, PhD Student/Data Protection Officer.