Mauritius has established a comprehensive legal framework to enforce data protection through the Data Protection Act 2017 (DPA 2017), which came into effect on 15 January 2018. This legislation was a significant step toward aligning the country’s data protection regime with international standards, particularly the European Union’s General Data Protection Regulation (GDPR). The alignment with the GDPR strengthens Mauritius’s position as a reliable and secure business hub, especially for sectors like Business Process Outsourcing (BPO).

The Data Protection Office (DPO), led by the Data Protection Commissioner, is the primary authority responsible for ensuring compliance with the DPA 2017. The office has broad investigatory and enforcement powers. It can receive and investigate complaints regarding data protection breaches, conduct audits of data controllers and processors, and issue enforcement notices to organisations failing to comply with data protection obligations.

Despite these enforcement mechanisms, the process for imposing penalties under the DPA 2017 is relatively slow compared to jurisdictions governed by the GDPR. Unlike the European Union, where Data Protection Authorities (DPAs) have the authority to impose administrative fines directly, in Mauritius, only the courts of law can levy fines under the DPA 2017 after a successful prosecution. This procedural requirement can extend the timeline for penalising data breaches, which may affect the overall efficiency of enforcement.

Mauritius has taken proactive steps to enhance the accessibility and efficiency of data protection enforcement. In December 2022, the DPO launched the e-DPO platform, an online system that allows inter alia organisations and individuals to register themselves as data controllers or processors, submit complaints and report personal data breaches. This initiative aims to streamline communication between the public and the DPO while improving the responsiveness of enforcement actions.

The Data Protection Office also emphasises the importance of regular audits and compliance reviews. Data controllers and processors are required to adopt stringent technical and organisational measures to protect personal data. BPO service providers, which often act as data processors, must enter into written contracts with data controllers outlining their obligations. These obligations include maintaining data confidentiality, implementing appropriate security measures, assisting with data subject requests and reporting breaches promptly. Furthermore, they must seek approval before engaging sub-processors and must ensure that personal data is either returned or deleted once the processing relationship ends.

One of the key challenges for Mauritius remains the absence of an adequacy decision from the European Commission. An adequacy decision would simplify cross-border data transfers from the EU by recognising Mauritius as having equivalent data protection standards. Although Mauritius does not yet have this designation, personal data can still be lawfully transferred to Mauritius through the use of Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) or Transfer Impact Assessments to ensure that adequate safeguards are in place.

The enforcement of data protection laws in Mauritius is evolving, with ongoing efforts to strengthen regulatory oversight and improve compliance. The Data Protection Commissioner has consistently urged organisations to take their responsibilities seriously and warned that non-compliance could lead to legal consequences and reputational damage. By fostering a culture of accountability and transparency, Mauritius continues to position itself as a competitive player in the global outsourcing market while safeguarding the privacy rights of individuals.

Overall, while the enforcement of data protection breaches in Mauritius is grounded in a robust legal framework, procedural delays in imposing penalties remain a challenge. However, initiatives like the e-DPO platform and the emphasis on regular audits reflect a commitment to enhancing the effectiveness of data protection enforcement. As global data protection standards continue to evolve, Mauritius remains focused on aligning its practices with international best practices to ensure ongoing compliance and maintain trust in its digital economy.

Shalinee Dreepaul Halkhoree is a partner at Juristconsult Chambers, which forms part of the DLA Piper Africa Network. She heads the data privacy practice at Juristconsult Chambers.