An Analysis of Malawi’s New Data Protection Law: A Data Practitioner’s Perspective
The Malawi Data Protection Bill was introduced in December 2023, marking a key step in protecting personal information. When the Bill became law in February 2024, it was a big step towards bringing Malawi up to international data protection standards such as the General Data Protection Regulation (GDPR). Now, PowerPoint slides can be updated to show that Malawi, too, has joined the data protection club. While the new law establishes a strong base, it shows both clear strengths and areas that need improvement.
The new law- now cited as the Data Protection Act, 2024- commendably outlines a broad legal framework that regulates the processing and movement of personal data across various sectors. One of its major strengths lies in the comprehensive scope it covers, including a range of data protection principles like fairness, transparency, data minimization, and accountability. These principles are all key for building trust and ensuring ethical management of information.
Further, the designation of the Malawi Communications Regulatory Authority as the overseeing body provides a clear governance structure which is needed for effective implementation and enforcement. The new law emphasizes the rights of data subjects, including rights to access, rectification, erasure, and to object to processing, which empower individuals and research participants by giving them control over their personal data. An aspect researchers and all working with data need to pay attention to as this affects data management plans and how consent is obtained going forward.
It is important for researchers, non-profits and data professionals in the social sector to note and understand the new penalties for Act contraventions and data breaches as outlined in the legislation. This necessary measure ensures accountability, as data breaches can often go unnoticed without proper oversight in these settings. Failing to adhere to these standards will lead to substantial fines, highlighting the necessity for personal data handlers to be well-informed of their legal responsibilities.
While the Act is recognized as a work in progress, it could be refined further to fully address the evolving demands of the digital world.
The Act’s approach to technology poses a limitation. The rapid evolution of technology presents a challenge to the static nature of legislation. Including language that anticipates future technological developments, particularly in areas such as big data and artificial intelligence (AI), -which pose unique risks, especially in terms of profiling and automated decision-making- is important. These technologies play a significant role in advancing Sustainable Development Goals (SDGs), and their consideration in the law would ensure its provisions remain relevant and adaptable without frequent amendments.
Moreover, while a comprehensive legal framework has been outlined, it does not sufficiently connect with institutional review boards (IRBs) that oversee the ethical aspects of research involving human data. This gap is significant in contexts where data protection intersects with research, as IRBs play a critical role in evaluating the ethical implications of data use in research projects. Establishing a formal connection between the data protection authority and IRBs could enhance the ethical management of research data, ensuring that protections are consistently applied both in commercial and academic settings.
In general, there are multiple avenues to refine the legislation to better protect data. There needs to be a balanced approach in a world where we are advocating for responsible sharing and open access to data. Future versions of the law could outline targeted protections for vulnerable groups such as children, women, and marginalized communities, who are often at greater risk of data breaches and misuse. It is also essential to heavily invest in public awareness and training initiatives for stakeholders, data controllers, researchers and processors to ensure the law is applied effectively. This will make sure that the principles of the new law are truly operational and not just theoretical.
Malawi’s new Data Protection law is a shift in the right direction; however, implementation and enforcement is the most important next step. While it is acknowledged that it will take time to fully mature into a working system, to stay effective in the fast-changing digital world, it will need to evolve as rapidly. This will help support research and digital innovation while making sure that data protection and the rights of its citizens are well maintained.