Population: 19,129,955

Capital: Lilongwe

President: Lazarus Chakwera

2021 Freedom House Score: 66/100

Data protection law? No, with no data protection authority yet appointed

Privacy enshrined in Constitution: Yes, privacy is protected in Section 21 of the Constitution.

DPA legislation: Malawi does not have a comprehensive data protection law, but the Electronic Transactions and Cybersecurity Act No. 33 of 2016 replicates some provisions seen in data protection laws.

Under Act No. 33 of 2016, individuals have the right to:

• obtain all of their personal data in an understandable form, as well as any available information as to the origin;
• oppose, for legitimate reasons, the processing of personal data concerning them;
• object to the processing of their personal data for prospecting purposes; and
• rectify or erase personal data concerning them where it is inaccurate, incomplete, equivocal, out of date, or if collection, use, communication or conservation is prohibited.

The Malawian government also issued a call for comments on the Data Protection and Privacy Bill, 2021, which aims to “provide a comprehensive legislative framework for the protection and security of personal data, consolidate data protection provisions currently found in various Acts of Parliament, and protect the privacy of individuals without hampering social and economic development in Malawi.”

ICCPR: Acceded

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: No

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: No

National security exclusion: No

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: No

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: No

Excludes foreign entities that only transit personal data through the country: No

Under Act No. 33 of 2016, personal data means any information relating to an individual who:

• may be directly identified; or
• if not directly identified, may be identifiable by reference to an identification number or one or several elements related to his physical, physiological, genetic, psychological, cultural, social, or economic identity.

Personal data processing may only occur with consent from the data subject or if processing is necessary for:

• compliance with a legal obligation to which the controller is subject;
• the performance of a public interest mission or the exercise of public authority;
• the commencement or performance of a contract in the data subject’s interests or to which he, she or they are a party;
• safeguarding the interests or fundamental rights and freedoms of the data subject; or
• the pursuit of legitimate interests of the controller or third-party data processor, provided these interests preserve the fundamental rights and freedoms of the data subject.

Personal data must be:

• processed fairly and legally;
• collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
• adequate, relevant, and not excessive in relation to the purposes for which they are collected and processed;
• accurate and kept up to date, where necessary; and
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: No

Notification to data subject in event of data breach: No

Timeframe for notification is specified: NA

Exceptions exist to breach notifications: NA

Requires a data processing register: No

Register is publicly available: NA

Provides for terms of service icons: No

DPA must submit at least annual report: No

DPA report is made public: NA

Explicit provision for civil liability: No

Established/designates a Data Protection Authority: Unclear

DPA is empowered to investigate: Unclear

DPA is empowered to subpoena or request evidence: Unclear

Law provides for criminal penalties: Yes

Law provides for administrative penalties: No

DPA is independently structured (does not exist within or receive instructions from another public body): Unclear

DPA receives funding directly from the state budget/legislative body: Unclear

DPA may receive some forms of external funding/own revenue: Unclear

Adequate protections against undue removal: Unclear

Number of members in DPA: Unclear

Maximum term length for members of the DPA (years): Unclear

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: Yes

Defines the requirements for consent: Yes

DPA is mandated to participate in policy formulation: No

There are currently no data transfer restrictions in Malawi, although Part IV of the draft Law contains restrictions on data transfers to other jurisdictions.

Provides a right not to be subject to automated decision-making: No