The existing data protection legislation, on which the Mauritian Government has based its growing ICT and BPO sectors, which now account for more than 12% of Mauritian GDP, was very much ripe for an overhaul. The Act was largely based on Directive 95/46/EC of the EU Council of 24 Oct 1995, but in its Mauritian interpretation it had a few fundamental flaws.
For example, our legal system operates such that once an Act goes through Parliament and is voted into law, it is still not effective until presidential proclamation is received. And this can be tweaked in practice. In the present case, the powers of the Data Protection Commissioner were duly curtailed by not proclaiming as law that part of the Act which empowers her to raid premises. Additionally, the Act provides for a mandatory obligation on every person or entity to provide information on request by the Data Protection Commissioner, but since the underlying offence for a breach of data protection laws is criminal, the Act wonderfully does away with the right to silence of any citizen guaranteed by our Constitution in criminal matters. In short, the Act may not work for all purposes.
In 2016, Mauritius was the second non-EU State to sign Convention 108 of the EU. The convention is the first of its kind: it protects the individual against abuses which may accompany the collection and processing of personal data and, at the same time, seeks to regulate the trans-frontier flow of data. In the same wake, and to comply with the forthcoming EU General Data Protection Regulation (“GDPR”) expected in 2018, a new Data Protection Bill 2017 was prepared for presentation to Parliament this year.
Two of the essential issues with the GDPR are that it pins responsibility for any processing of EU data subjects' data to an EU party, even if the processing is done abroad, and that it will also apply to a non-EU entity, e.g. a Mauritian company, where the activities relate to offering goods or services to EU citizens or monitoring behaviour that takes place within the EU. The GDPR provides for fines of up to 4% of annual global turnover or EUR 20 million, whichever is higher! With this higher risk for local companies, there is a greater need for awareness and compliance skills than for simply passing new legislation, if it remains as misunderstood as the older one.
Unfortunately, three of the issues which arose under the last legislation remain unclear.
Firstly, the new bill has not followed the GDPR on the civil fine aspect, and still maintains a mandatory statutory obligation to provide information to the authorities notwithstanding the underlying criminal offence for breach of the provisions of the new Data Protection Bill. This position is at odds with the Mauritian constitutional right to silence for any party accused of a criminal offence, the golden thread of the criminal system in common law countries.
Secondly, the bill also seems to insert provisions whereby public authorities can get away with biometric recording systems, a position which was hotly contested in the past and on which the Data Commissioner gave her views against the State. It will be interesting to see how this is managed in practice.
Thirdly, the bill does not change the position of Global Business companies, which are regulated by the Financial Services Commission. Since non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU, it will be interesting to see how a Management Company administering a company whose ultimate beneficiary is a French national, while not being required to disclose or maintain any real data connection with the Data Commissioner’s office, will manage to tackle the GDPR requirements.
In conclusion, it will be interesting to see to what extent the interests of Mauritius in its growth industries of outsourcing, BPO and ICT determine, if at all, the risk of reduced privacy in its financial services industry.