The recent emergence of Mauritius (an island country in the Indian Ocean, which is located off the eastern coast of Africa) as the most digitally prepared of all African countries is quite remarkable. Featured on the African Digital Preparedness Index, developed by the Centre for the study of the Economies of Africa (CSEA), this emergence teaches a strikingly instructive lesson that the geographical size of a country is never a determining factor for its capability to develop an effective data governance framework. As one of the smallest countries in the African continent, Mauritius has maintained its pride of place as one of the best domestic digital markets, not only in Africa but also in the world. In the cyberspace, Mauritius’ compliance with international standards has been so impressive that it is being cited by the Council of Europe as one of the best local digital economies which other nations of the world can emulate. It distinguishes itself as maintaining an innovative data policy regime by strategically incorporating the EU's General Data Protection Regulation (GDPR) in its national data protection legislation in a way that makes the regional legislation adaptable to its local context. Also, as a financial hub and onshore jurisdiction to foreign investors, Mauritius has an inimitably effective mechanism for managing cross-border data flows.
*The Dialogue on Data Development (DDD) Team of the Centre for the Study of the Economies of Africa (CSEA), in its bid to inquire into Mauritius’ data governance status and the approach adopted by the country towards integrating its data governance efforts with those of the regional institutions, like the African Union (AU), to have a central data governance framework in the African continent, engaged Mrs. Drudeisha Madhub in a conversation. Mrs. Madhub is currently the Data Protection Commissioner for Mauritius. In this conversation with the DDD team,Mrs. Madhub sheds light on a number of strategies, like the digital transformation and digital preparedness strategies, devised by Mauritius’ Data Protection Authority to put the country on Africa’s digital map. Excerpts.
What does data governance really entail?
Data governance relates to everything about the use and re-use of data in general. It can be any information. It’s not only personal information. It can be non-personal information. It can be industrial. It can be any piece of information in the public sector as well. And this is what we call data. Data governance implies the various rules and principles, which govern how the data is being used or the uses to which the data will be put. So, this is basically data governance.
Why does Africa need data governance in this era of fast-rising global digitalisation?
First of all, as you know, data is global. Data, as we say, is ‘the new oil’ for the world. So, if this is the case, it is not only in the African continent that data governance is needed. All the regions of the world are being influenced by the need for a data governance framework to be able to make effective use of data nationally and internationally. This is why the focus on data governance has become imperative for the African continent as well. Then, why Africa?
Given the size of Africa as a continent, we need to be careful with how we interpret data governance in Africa. This is because the African context is different from, let’s say, the Asian Pacific or the European context in terms of economic development, literacy, digital literacy, critical infrastructure, etc. And all these elements influence the African continent in a different way from how they influence other continents. So, what I’m trying to say is that there is disparity across continents. And there is disparity as well within Africa in terms of countries. That basically impacts how we view data governance. If we are speaking of data governance from an African perspective, we will be looking up to the high standards to follow in the national context. And, if we want to look at data governance for a specific country, that may be different from how we look at it from the perspective of the African context generally.
That is why I think the AU is doing a great job in having a regional data policy framework that they have already adopted since 2021. Coming up, however, is the implementation plan, that is, how it is going to be developed in Africa. But as I have said, this is the lofty heights that we are trying to attain. Without having the right infrastructure, political commitment and private sector initiative as well, it will be highly difficult for specific countries to adopt these principles if these challenges are not tackled at the national level. We can’t be confident to say we are digitally prepared to achieve all the principles in the data policy framework.
What informed Mauritius’ decision to incorporate the EU’s General Data Protection Regulation (GDPR) principles into its domestic data protection and privacy laws?
In Mauritius, we have an economic market for investors from Europe, which operates in Mauritius’ companies and multinationals. So, economically speaking, it was a very broad idea for us to correlate with data protection principles in Europe in order to be recognised by the EU as an adequate country. It is in view of this that our second data protection act, enacted in January 2018 is mainly inspired by the EU’s GDPR principles. It has been customised to be adaptable to the local context. We have taken from the EU’s GDPR but essentially, we believe in the important principles and we have incorporated them in our legislation, along with other criteria.
There are significant differences in terms of penalties in our data protection act from what the GDPR contains. The idea is to have a smooth economic relationship with the EU. But our relationship is entirely not only from the economic perspective but also from the human rights perspective. If you look around the world right now, the EU’s GDPR, together with Convention 108, appears more credible, organised and disciplined as an instrument. At the UN level, we barely have anything as such, which will inspire the drafting of data protection laws in a specific country. So, our decision was purely from the policy and the human rights perspectives, and this has given much importance to privacy. Notwithstanding, as I mentioned earlier, there are differences which are not applicable to the Mauritius context, and these are not incorporated in our legislation.
How will you assess the impact of this amendment's implementation since it went into effect in 2018?
Since 2018, the law has been very well applied in Mauritius. I would explain how we work; by conducting investigations. After an investigation is carried out, I, in my capacity as Commissioner, give a decision which is like a judgment. And when we recommend a prosecution on a criminal level, people have the right to make an appeal against the decision made by the Commissioner. We have had judgments, even in the Supreme Court where privacy has been debated and some of the elements of my decisions have been reproduced and argued upon. We have cases in Mauritius, which relate to data protection and privacy. This is why the data protection act is well alive. We register practically all data controllers and processors in Mauritius. And again, if there is no compliance with the Law, we issue them with enforcement notices, that is, they have to enforce the laws. We do this on a large-scale basis. We collaborate with the police in terms of enquiry and prosecution. The matter is serious.
With all these, I don’t see why the laws won’t be implemented, although it might take some time in some areas. We do certification of data protection track assessment; we give notification of breaches by controllers and processors; we do registration; we give updates on compliance level; we also do security checks and inspections. So, these and many others are basically what we focus on here. It’s a very lively situation here.
Has the government really enjoyed cooperation from the public and the private sectors in terms of compliance?
Yes! There are more controllers and processors in the private sector, compared with what we have in the public sector. But we collaborate with everyone. We work with everyone that is concerned. I personally do so many citizen sensitisation campaigns now. I can tell you about the media/press activities that we undertake on a regular basis. We train data protection officers regularly. So, basically, we’ve been able to travel quite a long journey since 2009. Notwithstanding, we still have so much to be done. You see, compliance from controllers and processors is a very long process. We can’t say that, in any country, as soon as a law is implemented, you will get success. There are issues with implementation. We have administration sanctioning. It happens. But the quantity is usually bare. It can happen in one case which can trigger compliance by other people. However, quantity isn’t what is material here. What matters is the quality of the work you do, much of which I have been leveraging in our operations.
Given Mauritius’ strategic position as an offshore jurisdiction to foreign investors, how does it manage cross-country differences and intentions in respect of cross-border data flow?
If you look at our Data Protection Act, we have a critical section that pays attention to personal data. And this section is almost identical to what is contained in the EU’s GDPR. The idea is that we allow cross-border data flows. As a rule, there is no need for counties’ authorisation from the Commissioner. Our legislation allows cross-border data flow to happen. However, as you know, there are exceptions in terms of public interest, legitimate interest, vital interest, law provision, obligations, concerns and others which can prevent a data controller or processor from transferring data abroad. But the issue is that we actually retain the supervisory power in the data protection office in terms of, for instance, a dispute on transfers and someone comes to me with a query or complaint and it is proven that there was no appropriate safeguard during the transfer, we can decide against this.
However, we have a device for ensuring effective cross-border data flows but the legal recommendations are not easily understood most times. We often advise companies to come for authorisation. Although in law, they are not required to come to us. This is when they satisfy our conditionalities and extant laws. If, however, there is a dispute such that they fall under any of the afore-mentioned exceptions, they will be deemed to have breached the data protection law. But there are many who have transferred data without seeking authorisation from us.
What innovative efforts has the country been able to make to boost the global digital space? And what lessons do other African countries have to learn from such initiative?
In the competitive edge, Mauritius has always tried to be the first in all areas, even in the IT sector as well. We have what we call a digital transformation strategy, as you have at the African Union level, which outlines the main actions that Mauritius has undertaken or will undertake in the coming five years as well. It has a national action plan for which it has made ICT one of its economic sectors. We also have digital preparedness as a strategy. In fact, there are many nascent strategies in the digital arena. If you go to the Ministry of Communication and ICT website, you will see all these national strategies which Mauritius has devised to make it number one in the context of African digital preparedness.
Also, just recently, we have modernised the panoply of laws to guide ICT. We have cybercrime and cyber security legislation for 2021. This law aligns with The Budapest Convention on cybercrime. Also, our data protection laws align with Convention 108 which is the Handbook of the EU’s data protection laws. Compliance with international standards has been achieved by Mauritius in the cyber world. We have left no stone unturned for all these to happen. Currently, Mauritius is being cited as an example at the Council of Europe level in terms of compliance.
What advice do you have for the AU to record brilliant success with the development of an effective regional data governance framework?
All the regional bodies, including the Economic Community of West African States (ECOWAS) and the South African Development Community (SADC) need to come together on this data protection agenda and ensure they all work together to produce the same type of documents.. Let us, for instance, put the ECOWAS Principles, SADC Model Laws and others in the same data governance perspective. From the data governance perspective, this is one area where all these regional institutions can come together, sit together and work on one document which will apply to all African countries. At the level of the AU, it’s highly critical to say that we need a technical team of experts detailed by the regional institution to go to each African country to assist it in devising its own strategy. Unfortunately right now, we do not have such a team. I know that the AU is working with the EU, as well as with other stakeholders, to be able to get assistance.
Furthermore, there is a need for AU to create binding principles to be able to influence each African state. This kind of legislation that I am suggesting, combined with the Malabo Convention, is highly recommended. In fact, I don’t want to go into the weaknesses of this Malabo Convention, as it is not attuned to international standards. In view of this, we need to innovate by bringing this much-talked-about Malabo Convention more in tune with the realities on ground. And this is one area where the AU needs to work very quickly and urgently. The existing Malabo Convention may be scraped off or amended or entirely replaced with a new one or redesigned to attract more ratification. That is one. The second issue relates to the data governance framework which the AU has adopted. Let’s say we don’t have a binding law on data governance right now in Africa. But what can we do? We can work bilaterally for the African Continental Free Trade Agreement (AfCFTA) whereby each country concludes a bilateral trade agreement with the AU by imposing, upon themselves, very important principles in data governance and data protection. That will help in achieving some nascent milestones. So, this is how we should start; but we can work to make things happen at the same time. If, however, we want to achieve all of these one-by-one, we may lose the whole time and fail to accomplish our aim.
What form of support do you think the regional institutions in Africa, like the AU, can provide for African states to thrive in the global digital space?
Good. Let’s take a guiding example of what is happening at the EU level. You have the European Data Protection Board. They are the people who are actually bringing in all these elements of data protection innovation in the whole of Europe. So, let’s think about having such a disciplined structure for data governance and data protection and all types of data you may have, regardless of the names you wish to call such. There is a need for something which would be centred around data, that is, an institution which is lacking at the AU level. If we rely on each African country’s having data protection laws and data protection institutions, and we do not have a higher up body which will be overarching the implementation across the African region, then there will be no point. The AU should take concrete steps beyond the advisory role which it has been playing, by being a value-strong and effective body which is bringing result.
Beyond the foregoing, what steps do you think Africa should take to emerge as the next frontier in the global digital market space?
If I understand the question very well, I will translate it as asking about what actions should Africa take to become a leader in the global digital market. The logical way to answer this question is by asking, “How do we lead actually in any area?” We lead, basically, by creating, by being innovative and bringing in our own expertise. Expertise here is very important. Although we learn from others, it is also important we make our own contributions which is another level of expertise that Africa needs. So, Africa needs innovation to become leader in the global digital market. There is a need for a team of experts from all the states in Africa to be brought to the table, where actions that all African states should take in order to be digitally prepared, can be properly debated. You see, it’s impossible that all the states will have the same level of digital preparedness and the same level of infrastructure. But what we are looking at here is people. We need people. We don’t really need the infrastructure. We have the private sector which can put in place infrastructure. We also have international and multinational companies which will come and support the country in terms of critical infrastructure. This is what is happening everywhere. We don’t need to worry about infrastructure. What we need to focus on is giving the right level of education to the African people for them to be able to stand on their feet and be able to work in this area. We have people in the ICT sector, like computer scientists and data scientists, who should be given the opportunity, without which the country will never innovate. This should shape the kind of university education we provide people within the country. Furthermore, we need commitment. Having institutions is good. Having data protection authorities is good. But if you have a regulator who is digitally educated with a population of people that are not digitally educated, what is the point? There is supposed to be a certain level of parity and equity in the country between the institutions, the private sector, the public sector and the citizens
- The Dialogue on Data and Development (DDD) Team of the Centre for the Study of the Economies of Africa (CSEA) is led by Adedeji Adeniran (Ph.D.), and other members that include Sone Osakwe, Drusilla David, Kashema Bahago and Kunle Balogun.