Malawi’s Data Protection Act: Aligning with the New Regulatory Framework

Contributors: Dorcas Tsebee, Oladotun Owoyemi and Victoria Adaramola

Introduction

On June 3, 2024, Malawi’s Data Protection Act (the Act) officially came into force after being gazetted in February 2024. The Act aims to provide a comprehensive regulatory framework for protecting personal data in the country. It designates the Malawi Communications Regulatory Authority (MACRA) as the data protection authority to oversee the law’s implementation. Like many other African data protection laws, the Act aligns with the provisions of Malawi’s Constitution on the right to privacy. Prior to the enactment of the Act, Part IV of the Electronic Transactions and Cyber Security Act largely regulated data protection in the country. Following the coming into force of the Act in June 2024, MACRA published a Data Protection Handbook to guide compliance with the Act. The Handbook summarises key provisions of the Act and compliance obligations.

Key Provisions

Scope of application - Section 3

The Act applies to the processing of personal data by data controllers and processors based in Malawi, to processing that takes place in Malawi, and to controllers and processors located anywhere that target individuals in Malawi through online activities or offerings. It covers both automated and non-automated processing within a filing system, but excludes processing for personal or household purposes and the mere transit of data through Malawi.

Designation of data protection authority - Sections 4, 5, and 6

The Act designates the Malawi Communications Regulatory Authority (MACRA) as the data protection authority responsible for implementing its provisions. MACRA will regulate the processing of personal data as prescribed under the Act and oversee its implementation and enforcement. The designated authority also acts as the country’s communication sector regulator, drawing its mandate from the Communications Act of 2016.

Principles of processing - Sections 8-13

The Act provides for the principles of lawfulness, transparency, fairness, purpose limitation, data minimisation, accuracy, storage limitation, data integrity, and confidentiality in the processing of personal data. Data controllers and processors are expressly mandated under Section 27 to adhere to these principles.

Lawful bases for processing - Section 8

The Act provides for consent, performance of a contract, legal obligation, vital interest, public interest, and legitimate interest as lawful bases for processing personal data. Furthermore, the Act identifies additional grounds for data processing beyond the six conventional lawful bases typically outlined in data protection laws. These include authorisation under a written law, the legal mandate of a public authority, and requirements specified by a written law or court order.

Processing sensitive personal data - Section 16

The Act permits the processing of sensitive personal data on the following conditions: explicit consent; protection of the interest of a data subject; the performance or exercise of a right or obligation of a data controller, processor or data subject under a law; public health; public interest; the establishment, exercise or defence of a legal claim; archiving in the public interest, research or statistics; the data subject having intentionally made the data public; and where the data controller or data processor is a not-for-profit organisation whose primary object is charitable, educational, literary, artistic, philosophical, religious or trade union related. Data controllers and processors are required to implement appropriate measures to safeguard the rights and interests of data subjects.

The processing of personal data relating to criminal offences, convictions, or security measures imposed on a data subject is prohibited unless it is authorised under a written law or is done under the control of an official authority.

Processing children’s data - Section 17

The Act defines a child as a person under the age of 18. Where consent is the legal basis for processing the personal data of a child or any other person lacking legal capacity, the data controller or processor is required to obtain consent from a parent or legal guardian. The controller or processor is mandated to implement appropriate mechanisms to verify the age of a child, the mental capacity of persons lacking legal capacity and the identity of the parent or legal guardian.

Rights of data subjects - Sections 19-26

The Act recognises data subject rights to access, objection, data portability, erasure or deletion, rectification, restriction of processing, and not to be subject to decisions based solely on automated processing. It also allows for exceptions where the rights of data subjects can be restricted, such as where the processing is for national security, criminal prosecution, national interests, public health, social security, judicial proceedings, prosecution of breach of professional codes, the exercise of regulatory functions by a public authority, protection of the data subject or another person and enforcement of a civil law claim.

Record of processing activities (RoPA) - Section 29

Like most other African data protection laws, Malawi’s law also specifies the obligation for data controllers and processors to maintain a record of each processing activity. This record shall be provided to MACRA for inspection where required.

Data Protection Impact Assessment (DPIA) - Section 30

Data controllers are required to conduct a Data Protection Impact Assessment (DPIA) where processing is likely to result in high risks to the rights of data subjects. The Act specifies such high-risk processing, which includes using automated processing systems, profiling, processing sensitive data or data relating to a criminal conviction on a large scale, and monitoring publicly accessible areas on a large scale. The DPIA report shall be submitted to MACRA prior to processing. This requirement is also provided in Somalia’s data protection law and Nigeria’s draft implementation directive. A data controller will be required to review a DPIA where the risk assessed has changed.

Designation of a Data Protection Officer - Section 33

Where a data controller or processor is a public authority other than a court, or where its core activities involve large-scale monitoring or large-scale processing of sensitive data, the Act mandates the appointment of a data protection officer to carry out the duties specified under the Act.

Data security - Section 35

The Act requires data controllers and processors to implement appropriate technical and organisational measures to ensure the security of personal data under their control. These measures include pseudonymisation, encryption, and other means of de-identification. They also include regular testing and evaluation of the measures implemented, periodic risk assessments, and policies to ensure the availability of, and access to, personal data where a data breach occurs.

Breach notification - Sections 36 and 37

A data controller is required to notify MACRA of a data breach within 72 hours of becoming aware of it. Where the breach occurs on the part of the data processor, the processor is obligated to inform the controller within 72 hours of discovering the breach. Data controllers are also required to keep a record of data breaches. The Act also requires data controllers to notify affected data subjects about a data breach that is of high risk to their rights within 72 hours of becoming aware.

Cross-border transfer of data - Sections 38-40

The Act restricts the transfer of personal data outside Malawi unless the receiving country is subject to a law. A transfer is also possible under mechanisms like adequacy decisions, binding corporate rules (BCRs), contractual clauses, codes of conduct or certification mechanisms, or where the transfer is based on the data subject’s consent, the performance of a contract, or the benefit of the data subject. The controller is also required to keep a record of the basis for international transfers. Where a data controller or processor adopts BCRs, a code of conduct or a certification mechanism for international data transfer, each mechanism shall be submitted to MACRA for approval.

Mandatory registration - Sections 41 and 42

The Act provides for mandatory registration by data controllers and processors of significant importance. These are data controllers, or processors, domiciled in Malawi, who process the data of more than 10,000 data subjects in Malawi or process personal data of significance to the economy, society, or security of Malawi. Registration shall be completed through the submission of an application and payment of the prescribed fee. As of the time of this review, the registration process has not commenced, and MACRA has not yet specified the mode of registration.

MACRA will communicate the acceptance or rejection of the data controller’s or processor’s registration within 14 days. After the acceptance of an entity’s registration, MACRA will issue a certificate, which is subject to renewal. Furthermore, entities are to notify MACRA of any change to the registration details within 90 days of the change. Registration may be cancelled or suspended where there is non-compliance with the provisions of the Act, there is misleading or false information in the registration, or there is non-compliance with the terms and conditions set by the Authority in the registration certificate.

Complaint lodging and compliance orders - Sections 44 and 45

An aggrieved data subject or representative may lodge a complaint with MACRA within 90 days of the action or inaction. MACRA will investigate the complaint, communicate its decision within 30 days of completing the investigation and issue the appropriate compliance order.

Aligning with the new regulatory framework

To help organisations comply with the new law, MACRA released a data protection handbook detailing the essential steps data controllers and processors should follow. These steps include:

  1. Register with the data protection authority: The Act requires data controllers and processors of significant importance to register before processing personal data in that capacity. Consequently, data controllers and processors falling within this category must prepare the necessary documentation and promptly register with the authority once the process begins. Additionally, it is important to renew the certificate when it expires.
  2. Appoint a qualified data protection officer: Businesses that fall within the category of data controllers and processors required to appoint a qualified DPO must promptly do so. The DPO’s job description must specify the duties provided under the Act and additional incidental responsibilities to ensure full compliance with the law by organisations.
  3. Implement data protection principles: The Act mandates strict adherence to the specified data protection principles. To ensure compliance, organisations must put in place measures to operationalise principles such as data minimisation, accuracy, transparency, storage limitation, lawfulness of processing, etc.
  4. Conduct DPIA where necessary and submit the report: Organisations undertaking high-risk processing as provided under the Act must conduct a DPIA and submit the report to the authority before commencing the processing. Where new risks emerge, the DPIA must be reviewed to ensure compliance with the law.
  5. Implement technical and organisational measures: To ensure data security, appropriate technologies and procedures, such as encryption, access controls, and pseudonymisation, must be implemented. Additionally, the age and identity verification mechanisms required for processing children’s data must be adopted.
  6. Promptly notify personal data breaches: In case of a personal data breach, notify the Authority within 72 hours of becoming aware of the breach and maintain a record of the incident as required by the Act. If the breach poses a high risk to the rights and freedoms of data subjects, organisations must also notify the affected data subjects within 72 hours of becoming aware of the breach.
  7. Implement safeguards for international data transfers: Ensure that appropriate safeguards are in place to transfer personal data outside Malawi. Document transfer mechanisms and seek approvals from the Authority before adopting BCRs, certification mechanisms and code of conduct.
  8. Execute Data Processing Agreements: Organisations engaging third parties to process personal data must execute a written contract detailing parties' obligations to protect personal data. Additionally, joint data controllers are also required to have an agreement that clearly stipulates their roles and duties in the arrangement.
  9. Operationalise data subject rights: Implement measures for data subjects to exercise their rights under the law, such as providing a contact address for sending complaints and requests or automating the process through technology.
  10. Maintain a RoPA: Conduct a data mapping exercise to identify all data categories collected by the organisation. The RoPA will be extracted from the data map and will detail the types of personal data collected, processing purposes, data retention periods, international data transfers, and security measures employed. Developing the RoPA demonstrates accountability and compliance with the Act.

Conclusion

The Data Protection Act establishes a comprehensive framework for data protection in Malawi, requiring data controllers and processors to adapt their practices to meet the new standards. The Act grants a two-year transition period for ordinary data controllers and processors, while those classified as of significant importance have only six months to comply, a period that is already running. It is crucial to take steps to align with these new provisions promptly to avoid potential sanctions.