How the «Navingate» episode raises questions about the ability of Mauritius to protect data

How safe are investors’ data in Mauritius?

 As the Navingate video takes the popular imagination by storm, it is important to look past the implications at an individual and political party level, and to grasp what this flagrant and widely publicised data breach means for our country as a jurisdiction that is the cynosure of investors’ eyes.

Individual data, and, by extension, investor data as well, is protected by a slew of acts in Mauritius, such as the:

  • Data Protection Act;
  • Banking Act; and
  • Computer Misuse and Cybercrime Act (under the National Cyber Security Strategy).

Over and above other pieces of legislation, this holy trinity protects investor interests and ensures that their data – on a personal, financial or investment front – is safe from prying eyes.

Robust data protection framework

Mauritius has had a new data privacy law since 15 January 2018 in an anticipatory effort to comply with the General Data Protection Regulation (GDPR) regime which came into force on 25 May 2018 and has set a global benchmark in the data protection space.

Indeed, the Data Protection Act 2017 (DPA) has been guided by the founding principle of the GDPR itself. The DPA stands for the protection and safeguarding of the privacy rights of individuals as far as the processing and storage of personal data are concerned.

Among the key features of the new and improved DPA are:

  • Safeguards imposed for the transfer of personal data outside the jurisdiction of Mauritius in terms of notification requirements to the Commissioner;
  • Minimised risk of data breaches and notification requirements for any data breach;
  • Security of data processing by way of encryption and pseudonymisation of personal data;
  • Data Protection Impact Assessment to identify and mitigate data protection risks.

Combatting Cybercrime

Most recently, in 2018, Mauritius ratified the AU convention on cybersecurity and personal data protection and, in the same year, introduced MAUCORS (Mauritius Cyber Crime Online Reporting System).

Further, Mauritius is the first African country to have acceded to the Budapest convention on cybercrime in 2013 as one of the priority countries of the GLACY+ project of the European Union (EU). The Budapest convention provides a consistent approach to criminalising conduct, procedural powers for law enforcement and international cooperation in cases of cybercrime and provides for an essential contribution to human rights and the rule of law in cyberspace.

Finally, as one of the pioneering nations in Africa to understand the threatening implications of emerging technologies, Mauritius has a Computer Misuse and Cybercrime Act (CMCA) 2003. Illegal access to data is covered by Sections 3 and 4 of the CMCA, while illegal interception is covered under Section 5, providing for the relevant steps and enforceable action that can be taken in instances of data breach with the use of technological tools.

However, legal challenges loom large: there are cross-border legal shortcomings and no common legal framework for Africa (as opposed to the ENISA NIS Directive for Europe and the EU Cyber Security Act agreed in 2018), and there is no obligation for Digital Service Providers to notify the relevant authority of any incident having a substantial impact on the provision of service (such as data breaches, among others).

In data we trust!?!

Under Section 64(9) of the Banking Act 2004, the Director-General under the Prevention of Corruption Act, the Chief Executive of the Financial Services Commission, the Commissioner of Police, the Director-General of the Mauritius Revenue Authority, the Enforcement Authority under the Asset Recovery Act (the Director of the Financial Intelligence Unit (FIU) under Act 29 of 2015), or any other competent authority in or outside Mauritius who requires any information from a financial institution relating to the transactions and accounts of any person, may apply to a Judge in Chambers for an order of disclosure of such transactions and accounts or such part thereof as may be necessary.

Indeed, within the provisions of the Act, the above parties may access personal banking records if a suspicious transaction (or transactions) is being investigated by the FIU and the Independent Commission Against Corruption (ICAC).

With so many moving parts to the investigative machinery, it is difficult, if not impossible, to pinpoint where a data breach may have occurred if any party is compromised and their intentions are found wanting in the context of conducting an impartial and fair investigation.

National interests above all

It is critical that all political parties and public institutions involved in the electoral exercise and process follow due and fair procedures during the upcoming elections and prevent the reputation of Mauritius as an investor-friendly jurisdiction from being damaged amid an ugly tug of war for the seat of power.

Ultimately, national interests as represented by our economic integrity must be upheld at all costs, over and above personal and political agendas that are playing out in the battlefield of the election.

We should strongly condemn data breaches such as the wide circulation of details of Dr. Navin Ramgoolam’s bank accounts, given their potentially adverse implications for Mauritius as an investor-friendly jurisdiction and their deleterious effects on our attempts to establish the island economy as an International Financial Centre (IFC) of substance and repute. Otherwise it’ll be too late…

 

Alexandre Laridon, LL.M.