Let’s talk about Data Protection
Data Privacy Day, also called Data Protection Day, is celebrated globally and in Mauritius every 28th January, and this year marks the 17th edition of the celebration. On this day, awareness is raised about the right to the protection of one’s personal data, such as one’s name, address, phone number, facial image, health status and fingerprints, to name but a few. The main objective of Data Privacy Day is to educate the public on data protection challenges and to inform data subjects (i.e. individuals) of their rights and how to exercise them.
A few weeks back, whilst visiting India, I was asked by the cashier of a shop to fill in a form so that my payment could be processed. To my astonishment, I was required to provide details such as my name, address, phone number, date of birth, wedding date, my spouse’s name and phone number, etc. Upon declining to give any of the information asked for, as none of it was relevant, I was offered a free nail varnish in exchange for my Indian phone number. Convinced by my daughter, who was smitten by the green nail varnish, I finally gave in and communicated my, albeit temporary, Indian phone number, which I was not going to use in any case as I was returning to Mauritius that very day. In the end, the shop got what it wanted: a way to contact me to market its future products once I was gone!
Just as carbon under high pressure and temperature is converted into diamond, those who have the right recipe can turn data into big money. The world’s most valuable companies, such as Amazon, Microsoft, Apple and Alphabet (Google), are all tech giants churning through data day in and day out, and they have the recipe. Consequently, situations like the one described above will become more frequent: ever more creative methods will be used to collect the maximum amount of data, and with the right mix of marketing strategy, consumers will be induced to consume more.
One has to be cautious when asked for one’s personal data. The instinctive reply should always be “why?”, as data should only be given when it is necessary and relevant to the service being provided. One has to remember that nothing is free. If you are being offered something “free”, you may be paying for it with your data.
The Data Protection Act 2017 (the “Act”) governs the processing of personal data in Mauritius. The Act is closely modelled on the GDPR (General Data Protection Regulation), the European law which has set the new international standard for the protection of personal data. The Act provides for a Data Protection Commissioner, who is the supervisory authority overseeing all data protection matters in Mauritius. An individual’s personal data should not be processed unless the individual has consented to the processing or there is another lawful justification for it. By way of example, an employer (who is the data controller) cannot install CCTV cameras in a place of work unless it can justify that this is in the legitimate interests of its business or its employees; and a shop cannot send marketing material to a prospective client unless that prospect has consented to receiving such material, whether by email, post, telephone, via a website or on social media.
An individual whose data is being processed can exercise a number of rights with respect to his or her personal data. One such right is the right of access, which entails that an individual can ask the data controller what data it holds on him or her. This was highlighted by the Supreme Court in the case of Currimjee-Juboo v C-Care (Mauritius) Ltd [2022] SCJ 284. In this case, the applicant exercised her right of access to her medical records. The learned Judge ordered the respondent to disclose and communicate to the applicant a copy of her medical file and records, including the operation notes and details pertaining to the applicant’s surgery at the respondent’s clinic, as all this information formed part of the applicant’s personal data, to which she has a right of access.
When something is valuable, there is a tendency to abuse it. To avoid such abuse, obligations are imposed on data controllers and data processors. One such obligation is the need to inform individuals of the purpose for which their personal data are collected and processed, how the data will be used and retained, and the rights of data subjects in respect of the data. Such information is normally provided by the controller in a privacy notice, which can be found on the controller’s website or in onboarding documents. Controllers and processors are also required to turn their minds to the security of the data they process, whether information security for data held electronically or physical security for information held on paper. Cybersecurity is key to protecting data and should be high on the agenda of any data controller or processor. The biggest cyber risk is not from hackers outside the company but from complacency within it; staff training is therefore key to curbing such risks, alongside technological and physical measures.
Though in Mauritius our courts have not yet started imposing fines for breaches of data protection laws, at the European level 2022 was a record year: according to the DLA Piper GDPR Fines and Data Breaches Survey of January 2023, the fines issued in the year to January 2023 were up by around 50% on the previous year, and the aggregate of GDPR fines issued across Europe since the GDPR took effect in May 2018 reached EUR 2.92bn.
With the increasing use of artificial intelligence, the Internet of Things (IoT) and machine learning, all of which are fuelled by data, data breaches and the fines that follow them are bound to rise. Some of the measures which controllers and processors can take to protect themselves against data breaches are to invest more in cybersecurity, to consider subscribing to cyber-liability insurance, to conduct regular cybersecurity and data protection audits, and to train their staff on data protection and cybersecurity so that the human element is no longer the weakest link.