Population: 31,255,435

Capital: Maputo

President: Filipe Nyusi

2021 Freedom House Score: 43/100

Data protection law? No, with no data protection authority yet appointed

Privacy enshrined in Constitution: Yes, the Constitution of the Republic of Mozambique entitles all citizens to the protection of their private life and grants them the right to honour, good name, reputation, protection of their public image, and privacy. The Constitution also acknowledges the need to legislate on access, generation, protection, and use of computerised personal data, but such legislation has not yet been enacted.

Similarly, the Constitution also provides that all individuals shall have the right to access data collected on them and have it rectified, but this right has not yet been defined. Nonetheless, a data subject is entitled to demand the correction and the update of any inaccurate, incomplete, or wrong personal information related to them.

DPA legislation: Aside from the Constitution, provisions within the Civil Code, the Penal Code, the Labour Law, and the Electronic Transactions Law grant Mozambican persons a limited degree of data protection, but the country has no comprehensive data protection law. In November 2022, a new Cybersecurity Law was also proposed by the Instituto Nacional de Tecnologias de Informação (INTIC), which makes some references to personal data protection.

ICCPR: Acceded

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: Ratified

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: No law

Applies to juristic persons: No law

Applies to public entities: No law

Domestic/personal purposes exclusion: No law

National security exclusion: No law

Law enforcement exclusion: No law

Cabinet or Executive Council exclusion: No law

Judicial functions exclusion: No law

Journalistic, literary or artistic purposes exclusion: No law

Temporary copies exclusion: No law

Other exclusion(s): No law

Broad or vague exclusions: No law

Applies to foreign entities: No law

Excludes foreign entities that only transit personal data through the country: No law

The Constitution places limits on the use of individually identifiable information about a person’s political, philosophical or ideological beliefs, religious beliefs, political affiliation, trade union membership, and particulars related to the person’s privacy.

Individually identifiable information concerning political, philosophical or ideological beliefs, religious beliefs, membership in a political party or trade union and particulars related to the person’s privacy may not be stored or processed in a database.

Accessing a database for the purpose of obtaining the personal data of third parties, as well as transferring personal data from one computerised file to another that belongs to a different service or institution, is forbidden unless specifically permitted by law or by judicial decision.

Notification that data is being processed: No law

Notification to DPA in event of data breach: No law

Notification to data subject in event of data breach: No law

Timeframe for notification is specified: No law

Exceptions exist to breach notifications: No law

Requires a data processing register: No law

Register is publicly available: No law

Provides for terms of service icons: No law

DPA must submit at least annual report: No law

DPA report is made public: No law

Explicit provision for civil liability: No law

Established/designates a Data Protection Authority: No law

DPA is empowered to investigate: No law

DPA is empowered to subpoena or request evidence: No law

Law provides for criminal penalties: No law

Law provides for administrative penalties: No law

DPA is independently structured (does not exist within or receive instructions from another public body): No law

DPA receives funding directly from the state budget/legislative body: No law

DPA may receive some forms of external funding/own revenue: No law

Adequate protections against undue removal: No law

Number of members in DPA: No law

Maximum term length for members of the DPA (years): No law

Right of data subject to access a copy of their personal data: No law

Right of data subject to request a correction of data: No law

Right of data subject to request deletion of data: No law

Justification required for a request for deletion: No law

Defines the requirements for consent: No law

DPA is mandated to participate in policy formulation: No law

While the Constitution does restrict disclosures of personal data to third parties, cross-border transfers of personal data are not specifically addressed in the law. The Labour Law includes a provision safeguarding employee personal data, mandating employee consent for an employer to transfer such data to third parties. This same provision also subjects computer files and access to personal data of a job applicant to specific legislation, but such legislation does not yet exist.

Provides a right not to be subject to automated decision-making: No law