The European Union’s General Data Protection Regulation (GDPR) becomes fully enforceable as from 25th May 2018, following a grace period of two years since its enactment by the EU Parliament in April 2016.
Organizations around the world, especially tech companies, have been announcing updates to their data and privacy policies over the past few weeks. Data protection compliance is being taken seriously. GDPR has been dubbed the most important change in data protection in 20 years. The previous EU regulation, the Data Protection Directive, dates from 1995, an era when the Internet was still reaching parts of the world, smartphones did not exist and there were no Google, Facebook or ad networks as we know them now. As the Internet grew, the Data Protection Directive proved inadequate to bring tech giants into compliance with the protection of users' personal data.
The hefty fines laid down under GDPR make it a serious regulation that no organization should ignore.
What should companies operating in Mauritius know?
Chapter 1, Article 3, Paragraph 2(a)(b) of the General Data Protection Regulation.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
Therefore, even if a company is not located in the EU, if it offers free or paid goods or services to EU residents or monitors the behaviour of EU residents, it must comply with the GDPR.
In a GDPR-compliance-related discussion on the AFRINIC community mailing list [1], Ashok Radhakissoon, the legal advisor [2] of AFRINIC, mentioned Convention 108 and its role in making GDPR even more binding for companies in Mauritius.
Convention 108 is a European Union treaty [3] that deals with the protection of individuals with regard to automatic processing of personal data.
The convention is the first binding international instrument which protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data.
On 17 June 2016, Mauritius acceded [4] to the treaty at Strasbourg, France, at an international conference organized by the Council of Europe. Mauritius became the second non-European and the first African country to ratify Convention 108. Accession to Convention 108 is mentioned on page 8 of the 2016 annual report [5] of the Data Protection Office of Mauritius.
Administrative fines under GDPR
Article 83, Paragraphs 4 and 5 impose fines of up to €20M or up to 4 % of the total worldwide annual turnover of the preceding financial year (whichever is higher) if a controller, a certification body or a monitoring body fails in its obligations under the regulation.
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
b) the obligations of the certification body pursuant to Articles 42 and 43;
c) the obligations of the monitoring body pursuant to Article 41(4).
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
b) the data subjects’ rights pursuant to Articles 12 to 22;
c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
d) any obligations pursuant to Member State law adopted under Chapter IX;
e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flow by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
Data Protection Act 2017 (Mauritius)
The Data Protection Office is the highest data protection authority in Mauritius. It operates under the aegis of the Ministry of Technology, Communication and Innovation. The office started operations in February 2009 after the Data Protection Act 2004 came into force. The Act was amended in December 2017 and the amendments reflect the same principles as stated in GDPR. The Data Protection Commissioner, Mrs Drudeisha Madhub, heads the DPO operations.
Any person who contravenes the Data Protection Act 2017 may, on conviction, be liable to a fine not exceeding Rs 200,000 and to an imprisonment term not exceeding 5 years. The penalty is set out in Section 43 of the DPA 2017.