The extra-territorial reach of GDPR means that in practice, many businesses operating internationally will need to adopt European data privacy standards, which are likely to become the default global standards.
In particular, the GDPR introduces new rights in terms of privacy rights, new obligations such as consent requirements, data breach notification, appointment of data processors and new processes. The GDPR is intended to provide much greater harmonisation and protection within the EU in respect of data privacy and security issues, allowing discretion to the States to implement the basic protection and safeguards of the GDPR into their national legislation.
GDPR incorporated into national legislation – The Data Protection Act 2017
In view of the major changes brought by the GDPR, with an extra-territorial reach, the data protection laws in Mauritius were amended to be in line with the GDPR, by virtue of the Data Protection Act 2017 (DPA), effective on the 15th January 2018.
The objective of the DPA was guided by the founding principle enshrined in the GDPR, being the protection and safeguard of privacy rights of individuals insofar as the processing and storage of personal data is concerned. The novel provisions of the DPA ensure lawfulness, fairness and transparency such that individuals are well informed and afforded protection for the confidentiality of their personal data in order to reduce the growing risks of data leaks in an age of ‘e-society’. The threshold requirements for obtaining free and unambiguous consent of individuals, who can withdraw the said consent at any time, reinforce an individual’s privacy rights to prevent any uninformed use of personal data, be it by mere inadvertence.
The major overhaul brought by the DPA is in the form of:
(i) Simplified and structured registration and renewal process of data controllers and processors;
(ii) Implementing a complaints’ mechanism;
(iii) Lawful processing of personal data;
(iv) Consent requirements of data subjects in order to process data;
(v) Extensive rights afforded to data subjects in terms of consent, rights of access, automated individual decision making, right to object to processing of personal data, rectification of incomplete or inaccurate data;
(vi) Safeguards imposed for the transfer of personal data outside the jurisdiction of Mauritius in terms of notification requirements to the Commissioner, limited and selective data transfer in view of specified purpose;
(vii) Improved digital legal landscape to respond to GDPR requirements for adequacy;
(viii) Minimised risk of data breaches and notification requirements of any data breach;
(ix) Wider interpretation of ‘data’ to include biometric and genetic data;
(x) Security of data processing by way of encryption and pseudonymisation of personal data;
(xi) Data Protection Impact Assessment in order to identify and mitigate the data protection risks;
(xii) Offences and penalties imposed for non- compliance with the DPA.
As a major financial hub and attractive offshore jurisdiction for investors, Mauritius was bound to incorporate the GDPR into its domestic laws, the more so to reaffirm its continued commitment in extending the fundamental right of freedom to privacy rights, already enshrined in its Constitution.