Review of the Malawi Data Protection Act 2024

Introduction

The Malawi Data Protection Act (MDPA), enacted in February 2024, marks a pivotal step in safeguarding personal data within Malawi.1 This comprehensive legislation clearly establishes frameworks for data processing and outlines the responsibilities of data processors. It also robustly defines the rights of data subjects. As the digital landscape continues to evolve, the importance of such legislative measures becomes more critical in protecting privacy and personal information. This blog explores the provisions of the MDPA and highlights its similarities with other data protection acts within Africa. Furthermore, it examines how the MDPA incorporates recommendations from the African Union’s Data Policy Framework, showcasing its alignment with broader continental data protection strategies.

Overview of the Malawi Data Protection Act 2024

The MDPA has ten parts, each addressing a different aspect of data protection. Part I defines the terms and the scope of the Act. Part II establishes the Data Protection Authority and its functions. Part III sets out the principles for lawful data processing. Part IV enumerates the rights of individuals regarding their personal data. Part V details the obligations of Data Controllers and Data Processors. Part VI focuses on measures to protect personal data. Part VII regulates the international transfer of data. Part VIII outlines the registration requirements for significant data handlers. Part IX provides mechanisms for lodging complaints and resolving disputes. Part X details the miscellaneous provisions.

Key Provisions of the MDPA

1. Data Protection Authority

The MDPA designates the Malawi Communications Regulatory Authority as the Data Protection Authority.2 This body is responsible for overseeing the implementation and enforcement of the Act, issuing guidelines, promoting awareness, and collaborating with international bodies on data protection issues.3 This diverges from the conventional structure of African Data Protection laws, which typically establish a new entity as the Data Protection Authority, similar to Kenya’s approach.4 Instead, it resembles Zambia’s method of setting up the Office of the Data Protection Commissioner under the ministry responsible for communications.5 This approach could be an effort to reduce the administrative costs associated with implementing the Act.

2. Principles of Data Processing

Like other African data protection laws, the MDPA mandates that personal data must be processed lawfully, fairly, and transparently.6 The collection of data must be for specific, explicit, and legitimate purposes.7 The data collected must be adequate, relevant, and limited to what is necessary.8 It is also essential that the data processed is accurate and kept up to date. Furthermore, data processing must be conducted in a manner that ensures security.

3. Rights of Data Subjects

The MDPA confers several rights on data subjects akin to those in other African DPAs.9 Data subjects have the rights to access their personal data,10 rectify any inaccurate data,11 delete their data under certain conditions, limit how their data is processed,12 receive their data in a commonly used format and transfer it to another controller,13 and object to data processing in specific situations. This is in line with the AU Data Policy Framework, which recommends that data subjects’ rights should be designed to expressly provide effective personal control.14

4. Obligations of Data Controllers and Processors

Data controllers and processors in Malawi must adhere to the principles outlined in the MDPA, implement technical and organizational measures to ensure data security, maintain records of processing activities, and conduct data protection impact assessments where necessary.15

5. Data Security and Breach Notification

The MDPA requires data controllers and processors to implement appropriate security measures.16 In case of a data breach, the authority and affected individuals must be notified within 72 hours, mirroring the GDPR’s stringent breach notification requirements.17

6. Cross Border Data Flows

Personal data can only be transferred from Malawi to another country or an international organization if certain conditions are met. The recipient of the data must be covered by a data protection law, binding corporate rules, personal data protection contractual clauses, a code of conduct or a certification mechanism.18 Section 38(1) of the Malawi Data Protection Act plays a pivotal role in regulating cross-border data flows, ensuring that personal data transferred from Malawi to other countries or international organisations receives adequate protection. The Malawi Act stipulates that data can only be transferred to entities where adequate protection measures are established through various mechanisms. These include local laws that match Malawi’s standards, binding corporate rules for intra-group data transfer, contractual clauses that enforce data protection, approved codes of conduct, or certification mechanisms that demonstrate compliance with Malawi’s data protection requirements. Such measures ensure that the recipient’s legal framework provides enforceable rights to data subjects and effective legal remedies.

The Data Protection Authority is responsible for assessing whether a recipient outside Malawi provides adequate data protection.19 An assessment of adequacy can be initiated either by application from a data controller or by the authority itself.20 When carrying out this assessment, the authority takes into account a variety of crucial factors. These include the availability of enforceable rights for data subjects and corresponding enforcement mechanisms. The assessment also evaluates the respect for the rule of law, human rights, and freedoms within the jurisdiction. Furthermore, the authority considers any legal agreements between governments that pertain to the adequacy of data protection.21 The policies governing public authority access to personal data are scrutinised, alongside the effectiveness of the data protection laws in the recipient country.22 Another significant aspect is whether there is an independent and competent supervisory authority present.23 Lastly, the authority examines any international commitments and conventions that are binding on the recipient country, ensuring they align with adequate data protection standards.24

Similar to Kenya, a data controller or data processor may only transfer personal data outside of the country if there are appropriate safeguards in the recipient country.25 The data controller or processor must provide proof to the Data Commissioner that appropriate safeguards are in place to ensure the security and protection of the personal data.26

Proof of data transfer must include evidence that the recipient jurisdiction upholds data protection laws comparable to those in Kenya. Furthermore, data transfer is permissible if it is necessary for executing a contract between the data subject and the data controller or processor, or for carrying out pre-contractual measures requested by the data subject.27 Additionally, data transfer may be justified for concluding or executing a contract in the interest of the data subject with another party.28 Moreover, transfers will also be permissible if they are necessary in cases of public interest or for the establishment, exercise, or defence of legal claims.29 Lastly, transfers are allowed for compelling legitimate interests pursued by the data controller or processor, provided that these interests do not override the rights and freedoms of the data subject.30

In summary, while both Kenya and Malawi prioritize the protection of personal data during cross-border transfers, Kenya’s regulations are more detailed in terms of contractual and legal necessities and grant broader authority to the Data Commissioner, including data localization requirements. Malawi focuses extensively on the adequacy of the recipient’s data protection framework and the comprehensive assessment criteria employed by its Data Protection Authority.

Comparison to the African Union Data Policy Framework

The Malawi Data Protection Act shows significant alignment with the African Union Data Policy Framework. Below is a breakdown of key areas.

Legislative Scope and Objectives

The AU Framework emphasises protection of personal data as a fundamental right and seeks to establish a harmonised data protection regime across Africa to facilitate cross-border data flows while ensuring adequate protection levels.31 The MDPA mirrors this with its provisions on the rights of data subjects, which align with the broader objectives of the AU Framework to safeguard personal data privacy.32

Rights of Data Subjects

The AU Framework provides robust rights for data subjects, including the right to access, rectification, deletion and objection to processing, mirroring international standards.33 The MDPA grants comparable rights to data subjects, ensuring individuals have control over their personal data, which supports the principles laid out in the AU Framework.34

Obligations of Data Controllers and Processors

The AU Framework stipulates clear responsibilities for data controllers and processors, including requirements for data security and the need for data protection impact assessments under certain conditions.35 The MDPA places similar obligations on controllers and processors, requiring them to implement appropriate security measures, which is in line with the Framework’s emphasis on data security and accountability.36

Cross border Data Transfers

The AU Framework allows for cross-border transfer of personal data to countries that ensure an adequate level of protection, which is crucial for the free flow of information while protecting data integrity and privacy across borders.37 Similarly, the MDPA includes provisions for cross-border data transfers, requiring an adequate level of protection which must be comparable to the protections offered under the MDPA itself.38

Conclusion

In conclusion, the Malawi Data Protection Act of 2024 represents a significant advancement in safeguarding personal data within Malawi. By establishing a clear framework for data processing, enforcing the rights of data subjects, and outlining stringent obligations for data controllers and processors, the MDPA aligns with global standards and the African Union’s Data Policy Framework. As Malawi navigates its digital transformation, the MDPA ensures robust data protection, fostering trust and security in the handling of personal information.

1 The Data Protection Act, (Act No.3 of 2024) (Malawi).

2 Section 4 (1), The Data Protection Act, (Act No.3 of 2024) (Malawi).

3 Section 5 (2), The Data Protection Act, (Act No.3 of 2024) (Malawi).

4 Section 5, The Data Protection Act, (Act No.4 of 2019) (Kenya).

5 Section 4(1), The Data Protection Act (Act No. 3 of 2021) (Zambia).

6 Section 8, The Data Protection Act, (Act No.3 of 2024) (Malawi).

7 Section 9, The Data Protection Act (Act No.3 of 2024) (Malawi).

8 Section 9, The Data Protection Act (Act No.3 of 2024) (Malawi).

9 See Section 15 of the Zambian Data Protection Act 2021 and Part III of the Data Protection (Civil Registration) Regulations 2020 (Kenya).

10 Section 19 (1), The Data Protection Act (Act No.3 of 2024) (Malawi).

11 Section 21, The Data Protection Act (Act No.3 of 2024) (Malawi).

12 Section 23, The Data Protection Act (Act No.3 of 2024) (Malawi).

13 Section 20, The Data Protection Act (Act No.3 of 2024) (Malawi).

14 African Union, AU Data Policy Framework, 2022, 43.

15 Part V, The Data Protection Act (Act No.3 of 2024) (Malawi).

16 Section 36 (1), The Data Protection Act (Act No.3 of 2024) (Malawi).

17 Article 31 (1), General Data Protection Regulation (European Union).

18 Section 38 (1) (a), The Data Protection Act (Act No.3 of 2024) (Malawi).

19 Section 39 (1), The Data Protection Act (Act No.3 of 2024) (Malawi).

20 Section 39 (2), The Data Protection Act (Act No.3 of 2024) (Malawi).

21 Section 39 (2) (b), The Data Protection Act (Act No.3 of 2024) (Malawi).

22 Section 39 (2) (e), The Data Protection Act (Act No.3 of 2024) (Malawi).

23 Section 39 (2) (f), The Data Protection Act (Act No.3 of 2024) (Malawi).

24 Section 39 (2) (g), The Data Protection Act (Act No.3 of 2024) (Malawi).

25 Part VI, The Data Protection Act, (Act No.4 of 2019) (Kenya).

26 Section 48, The Data Protection Act, (Act No.4 of 2019) (Kenya).

27 Section 48 (c) (i), The Data Protection Act, (Act No.4 of 2019) (Kenya).

28 Section 48 (c) (ii), The Data Protection Act, (Act No.4 of 2019) (Kenya).

29 Section 48 (c) (iii), The Data Protection Act, (Act No.4 of 2019) (Kenya).

30 Section 48 (c) (iv), The Data Protection Act, (Act No.4 of 2019) (Kenya).

31 African Union, Data Policy Framework, February 2022, 7. < 42078-doc-AU-DATA-POLICY-FRAMEWORK-ENG1.pdf> accessed on 13 June 2024.

32 Part IV, The Data Protection Act (Act No.3 of 2024) (Malawi).

33 African Union Data Policy Framework (n31) 28.

34 The Data Protection Act of Malawi (n1).

35 African Union Data Policy Framework (n31) 29.

36 Part V, The Data Protection Act (Act No.3 of 2024) (Malawi).

37 African Union Data Policy Framework (n31) 41.

38 Part VII, The Data Protection Act (Act No.3 of 2024) (Malawi).