Gonjetso Dikiya || Head of Legal -Dispute Settlement Services
In my last article I highlighted some of the notable and positive things that the Data Protection Bill [ DPB] seeks to bring about in the protection of personal data in Malawi. Inasmuch as the DPB is indeed comprehensive legislation in so far as data protection is concerned it nevertheless leaves out or inadequately addresses some aspect of data protection. This brief commentary highlights those areas and suggests possible ways in which the DPB could be improved before it is enacted into law.
- Weaknesses and Recommendations
- Unclear Key definitions
The first aspect to note is on the definition sections of the DPB. Definitions are quite key in establishing the scope and application of the DPB. The DPB offers a good definition of personal data. However, the definition seems to be focused on natural persons. This ambiguity is compounded due to no further definition offered for the term “person”. In the circumstances this ambiguity may cause exclusion of legal persons who also benefit greatly from data protection laws. It will be important to expressly mention the extension of personal data to cover data belonging to legal persons as data protection may also be applicable and relevant to them.
Further, the DPB among others covers the processing of personal information wholly or partly by automated means. However, the term “automated means” is not defined in the Bill and this may cause some uncertainty as to which information is to be protected by the DPB.
- Narrow Exemption Clauses
The DPB also contains some exemptions on the processing of personal information. This is crucial as strict application of the DPB may in some instances conflict with other goals like national security and freedom of speech. The DPB does not apply for the processing of personal data for personal, recreational, or household purposes. Further data controllers and processors who are not of major importance are given an exemption The DPB allows for the lawful processing of personal data for journalistic or scientific research. This is to promote other interest like the right to freedom of expression and education. The DPB further allows an exemption in the application of the provisions of the Bill where national security is concerned.
However, the DPB omits to exempt the application of the Bill in circumstances where data has been de-identified. Internationally data controllers or processors can further process data without fresh consent where data has been sufficiently de-identified or pseudonymised. This helps to facilitate other pertinent goals like medical research without much red tape. The lack of inclusion of this exemption under the Bill may work to slow the pace of research in the Country.
- Inadequate Incorporation of some Core Data Protection Principles
Despite the comprehensive inclusion of all the core principles of data protection, some of the elements of the core principles are inadequately incorporated.
The DPB provides for the further processing of personal data but only in accordance with the purposes for which the data was collected. The DPB fails to elaborate on the considerations to check this compatibility. To facilitate this, it may be beneficial to include such considerations for instance the relationship between the purpose and intention for the further processing, nature of personal information concerned, consequences of the further processing and how the personal information has been collected This would help in ensuring certainty for the circumstances in which further processing is allowed.
Further, in as much as the DPB incorporates Data minimization principles, it fails to give exceptions to which the principle may not be complied with. Thus, it is trite that some laws dictate the period of retention of records and or retention may be dictated by contractual terms and consent. In failing to provide for such exceptions the DPB may work to interfere with other laws and contractual arrangements.
Finally, in as much as the DPB provides for the duty of data controllers or processors to inform a data subject of any data breach, the DPB fails to put a corresponding right for the subject to be informed of a data breach. This is a minor issue that can easily be rectified to ensure maximum data security for data subjects.
- Cross Border Regulation Missing aspects
As stated, the DPB contains threshold requirements for considering the adequacy of the protection offered in another jurisdiction before data can be transferred. These considerations are indeed pertinent. However, some equally important considerations are left out. For instance, the DPB does not require consideration of the type of data that are to be transferred, the purpose for which the data are being transferred, or security measures in place in the foreign country. Further, the factors included mainly apply where a generic assessment of the law is being considered. A comprehensive assessment of the adequacy of the protection offered by contractual clauses, for instance, may require meticulous drafting of contractual terms to include essential elements of protection missing in a particular situation. The omission of such key factors and considerations in the assessment of the adequacy of the data protection threshold is cause for worry as it may mean weak data protection for cross-border flows in Malawi.
The DPB is also silent in terms of enforcement procedures and remedy avenues to be followed by data subjects whose data are misused when it has been transferred to a foreign country. The threshold considerations for the adequacy of protection involve an assessment of the available administrative or judicial remedies. However, the question of the data subject’s legal standing in the foreign jurisdiction is not addressed. As highlighted, the issue of jurisdiction takes a central focus in matters of cross-border flows as, once transferred to a foreign country, it is difficult to enforce one’s rights and get remedies. Thus, a comprehensive cross-border legal framework ought to expressly address the issue of jurisdiction and standing for aggrieved data subjects.
Finally, the DPB is also rather unclear on who can decide on the adequacy of the protection offered by a foreign country and at what point. The DPB primarily gives the regulatory authority the power to decide whether a foreign country to which personal data are to be transferred offers adequate data protection. However, in some way, the DPB also suggests that a data controller can make the decision on the adequacy of data protection and proceed to transfer data. This is an uncertainty that ought to be addressed by the DPB.
- Protection Against Spam
Spam is defined as ‘unsolicited communications that are sent bulk to electronic addresses. Spam mainly takes the form of unsolicited e-mail or electronic junk mail. Spam may have varied impacts on online users ranging from mere annoyance to causing destruction and threats to email and internet security.
The DPB prohibits automated decision-making including profiling. However, this is not broad enough to cover other aspects of spam resulting from direct marketing which cannot be attributed to automated decision making. There is thus a need for the DPB to have a separate provision against spam in direct marketing and the conditions under which such spam may be allowed.
DPB promises a lot of progressive and positive changes in the legal landscape regulating data protection in Malawi. There is a need to ensure the version of the DPB to be enacted comprehensively addresses all key and crucial areas. To this end a timely amendment to the DPB will be a welcomed development.
Gonjetso Dikiya LLB(Hons) University of Malawi; LLM candidate in Information and Communications Law, University of the Witwatersrand.
Head of Legal Services- Dispute Settlement Services
RITZ ATTORNEYS AT LAW
 S. 2 of the DPB.
 S.4(1) of the DPB.
 S. 5 of the DPB.
 S. 18 of the DPB.
 S.44 of the DPB.
 S 18 of the DPB.
Tana Pistorius & Sem Tladi ‘The hall of shame—double standards for spam’ (2014) 26 SA MERC LJ 688.
 Sylvia Papadopoulos ‘Online Consumer Protection’ in Sylvia Papadopoulos & Sizwe Snail (eds) Cyberlaw @ SA III: The Law of the Internet in South Africa (2012) 85
Bernard Hamann & Sylvia Papadopoulos ‘Direct marketing and spam via electronic communications: An analysis of the regulatory framework in South Africa’ 2014 De Jure 44
 S.29 of the DPB.