By Jimmy Kainja |

Three years after announcing plans to draft a bill on data protection in response to the changing media and technological landscape, the government of Malawi issued a call for public comments on the Data Protection and Privacy Bill, 2021. The proposed legislation is a welcome step in addressing policy and practice gaps in privacy and data protection in the southern African country. 

According to the Ministry of Information, with increased digitalisation, personal data collection, processing and storage by public and private sector institutions is on the rise, which warrants greater protection through a dedicated law. As such, the draft bill seeks to “provide a comprehensive legislative framework for the protection and security of personal data, consolidate data protection provisions currently found in various Acts of Parliament, and protect the privacy of individuals without hampering social and economic development in Malawi.” 

Section 21 of Malawi’s Constitution provides that every person shall have the right to personal privacy, which shall include the right not to be subject to (a) searches of his or her person, home or property; (b) the seizure of private possessions; or (c) interference with private communications, including mail and all forms of telecommunications. The bill aims to actualise the constitutional provisions and would apply to “processing of personal data wholly or partly by automated means”. 

Under clause 5, exemptions apply to the processing of personal data “to the extent it is carried out by one or more individuals solely for personal, recreational or household purposes.” Further, exceptions apply to the processing of personal data carried out by unspecified “competent authorities” for purposes of law enforcement, promotion of public health or prevention or control of an epidemic, national security and credit reference bureau business. Without a clear definition of what constitutes legitimate purposes under the various exemptions, data subjects may be subject to violation of privacy. 

On a positive note, under Part III, the bill sets out various principles governing processing of personal data. Among these are fairness and transparency; prohibition of processing of sensitive personal data; obtaining consent prior to processing the data of a minor (below 18 years); burden of proof for establishing consent being borne by the data controller; provision of all the necessary information to the data subject prior to data collection; collection based on legitimate purpose, minimisation, limited retention and accuracy; and conduct of a data protection impact assessment prior to processing.  

The rights of a data subject outlined under Part IV include correction and deletion, withdrawal of consent, objection to procession, refusal of automated decision making, and data portability. Under data portability, the bill provides for cross-border data transfers, with  clause 34 stipulating that data transfers to another country or international organisation are restricted to a recipient “subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection”.

According to clause 35, protection is deemed adequate “if it upholds principles that are substantially similar to the conditions for processing of the personal data” provided for under the Malawian bill. Among others, adequacy of protection takes into account the availability of enforceable data subject rights; the ability of data subjects to enforce their rights through administrative or judicial redress, and the rule of law generally; the existence of an effective data protection law; the existence and functioning of an independent, competent data protection or similar supervisory authority with adequate enforcement powers; and international commitments and conventions binding on the relevant country or international organisation and its membership of any multilateral or regional organisations. 

In the absence of adequate protections, cross-border data transfers may only happen if the data subject is informed of the possible risks and consents, if the transfer is necessary for the performance of a contract, or if the transfer is for the benefit of the data subject. 

The penalty for failure to comply with the provisions of the bill or enforcement orders are a fine of 5,000,000 Kwacha (USD 6,200 ) and imprisonment for two years (clause 42). Meanwhile, the penalty for an offence in contravention of regulations issued pursuant to the bill is also a fine of 5,000,000 Kwacha  (USD 6,200) and imprisonment for up to five years. 

The bill empowers the country’s telecommunications regulator, the Malawi Communications Regulatory Authority (MACRA), to oversee the implementation of the data protection law. However, MACRA’s proposed mandate raises concerns about autonomy, given that the Authority is reportedly subject to political interference. Also, MACRA has a history of failing to implement aspects of its core mandate, such as evidenced by telecommunications operator compliance with universal service provision obligations

Another cause for concern is the  National Registration and Identification System (NRIS), which is being used for biometric data collection and its processing has been centralised in Malawi since 2017. The NRIS is linked to voter registration, revenue collection, immigration, SIM card registration, banking, as well as financial inclusion and development programmes. This has made it ever more crucial to have strong regulations to protect personal data privacy. Starting March 2021, the system has been used to support the Covid-19 vaccine rollout. The NRIS has been described as having been rolled out at “breakneck speed”, without due regard for human rights. This has been largely attributed to primary focus on social-economic issues, as opposed to digital rights. 

The move to enact a data protection law in Malawi, in consultation with the public and stakeholders, is commendable. However, certain provisions such as those relating to exemptions have the potential to undermine privacy and should be revised. Revisions to the bill should also take into account penalties commiserate with offences, and provide for establishment of a truly independent oversight body.  

It is also hoped that the data protection bill is passed swiftly and not take decades in the pipeline as was the case with the Access to Information law, whose proposals were first tabled in 1999, only to be passed in 2016, enacted in 2017 and operationalised in 2020.