Proposed bill on experts’ radar

The Data Protection Bill (DPB) 2021 that government is preparing to table in Parliament is missing several key aspects which experts fear would create gaps in the law if not incorporated.

Data protection is the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them should be communicated to others.

In its analysis of the Bill, the Collaboration on International ICT Policy for East and Southern Africa (Cipesa) observes that while the regulations make strides in guaranteeing data protection and privacy of the individual, the missing aspects in the Bill need to be included to seal the gaps.

According to Cipesa, some of the missing aspects worth including in the Bill are “arrest with or without warranty” which governs the manner in which arrests, seizure of property and restoration may be made.

Others are application for registration of data controllers and data processors, prohibition from controlling or processing personal data without registration, renewal of registration, changes in details or address of data controllers and processors and termination of registration/deregistration.

“Malawi’s Parliament should therefore, subject to the above proposals,

swiftly enact the Data Protection Bill to provide for protection of rights of individuals. Similarly, the Minister responsible for personal data protection and security should, upon the enactment of the data protection law, swiftly make regulations for the better carrying out of the purposes of the Act,” reads the analysis.

The Bill is currently under consultation stage and the experts hope that government will agree in good faith to amend the draft before it is tabled in Parliament.

While commending government for the ongoing efforts to legislate the law, the Uganda-based ICT body notes the country’s Data Protection Act is long overdue and urges Parliament to swiftly enact it.

Information and communications law expert Gonjetso Dikiya said in an interview data protection is a field that has developed over time and is an ambit of the broader field of privacy law.

“Section 21 of the Constitution of the Republic of Malawi guarantees the right to privacy and among the expressly mentioned facets is the right not to be subjected to interferences with private communications including mail and all forms of telecommunications. This ideally sets the tone for data protection in Malawi,” he said.

Dikiya said data protection was currently taking centre stage because people are living in an information age where technology has become so advanced with greater reliance on internet usage as evident in the popular use of social media platforms.

“These developments have eased access to and processing of personal data. A negative side to this is that it now makes invasion of privacy more imminent as well, hence; the urgent need to address data protection frameworks and systems.”

Currently, the Electronic Transactions and Cyber Security Act, (ETCSA), 2016, is the only legislation that expressly provides for data protection in the country and contains provisions that incorporate most governing core principles of data protection recognised internationally.

However, Dikiya observed, the ETCSA 2016 also omits several key principles that internationally have been embraced as core to any data protection regime.

“For example, it does not provide for the protection of sensitive data and children’s data. The international best practices require a higher threshold for the protection of such data,” said the expert, who is head of legal services: Dispute Settlement Services at Rizt Attorneys at Law.

But just like Cipesa, Dikiya also observed the DPB has aspects that must be improved like how it omits to exempt the application of the Bill in circumstances where data has been de-identified.

“Internationally data controllers or processors can further process data without fresh consent where data has been sufficiently de-identified or pseudonymised. This helps to facilitate other pertinent goals like medical research.

“The DPB also prohibits automated decision-making including profiling. However, this is not broad enough to cover other aspects of spam resulting from direct marketing which cannot be attributed to automated decision making,” he explained.

Jimmy Kainja, an ICT researcher, media and communications lecturer at the University of Malawi, also said while the proposed legislation was a welcome step in addressing policy and practice gaps in privacy and data protection in the country, certain provisions such as those relating to exemptions have the potential to undermine privacy and should be revised.

“Revisions to the Bill should also take into account penalties commensurate with offences, and provide for establishment of a truly independent oversight body. It is also hoped that the Bill will be passed swiftly and not take decades in the pipeline as was the case with the Access to Information law, whose proposals were first tabled in 1999, only to be passed in 2016, enacted in 2017 and operationalised in 2020,” he said.

ICT Association of Malawi president Bram Fudzulani said the Bill would benefit Malawians especially when sharing their personal identifiable information with businesses.

“Data privacy is also important because in order for Malawians to be willing to engage online, they have to trust that their personal data will be handled with care. On the other hand, organisations are going to use data protection practices to demonstrate to their customers that they can be trusted with their personal data,” he said.