Mauritius' Data Protection Regime

Context and Background

Mauritius is a small island state in the Indian Ocean with a population of approximately 1.26 million (2022). Over the past five decades, it has transitioned from a mono-crop sugar economy to an upper-middle-income country, driven by political stability, economic diversification, and strong institutions. Key sectors including tourism, financial services, ICT, fisheries, and manufacturing now contribute significantly to GDP, with financial and ICT services alone accounting for a substantial share of economic activity.

The 2024 analysis underscored Mauritius' reputation as one of Africa's leaders in regulatory governance, including in data protection. That positioning remains largely intact in 2025. However, increasing digitisation of financial services, cross-border business processing, and e-government platforms continues to intensify personal data flows, raising new questions about regulatory adaptability, enforcement transparency, and technological oversight.

While the COVID-19 pandemic temporarily disrupted economic performance, recovery measures have stabilised growth. The policy emphasis in 2025 remains on strengthening digital trust to support Mauritius' role as a financial and ICT hub, making effective data protection governance a strategic priority rather than merely a compliance obligation.

Positive Developments and Emerging Issues

As noted in the 2024 assessment, Mauritius maintains one of the most advanced statutory data protection frameworks in Africa through the Data Protection Act 2017 (DPA), in force since 15 January 2018. The DPA replaced the 2004 Act and was designed to align domestic law with the EU General Data Protection Regulation (GDPR).

A significant milestone retained from the 2024 review is Mauritius' status as the first African country to sign and ratify Convention 108+ (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data). This international commitment reinforces the country's ambition to align with global standards and enhance cross-border data adequacy.

Positive developments retained for 2025 include:

  • Continued annual reporting obligations by the Data Protection Commissioner to the National Assembly
  • Mandatory appointment of Data Protection Officers (DPOs) by controllers and processors
  • Issuance of sector-specific guidance (including financial data protection guidance)
  • Ongoing public awareness and capacity-building initiatives

However, as identified in 2024 and still relevant in 2025, several emerging issues persist:

  • Limited publicly available enforcement statistics (investigations, sanctions, administrative fines)
  • Insufficient transparency regarding compliance rates and audit outcomes
  • Expanding digital surveillance measures (e.g., SIM registration requirements under ICT legislation)
  • Tension between constitutional privacy interpretation and broader international standards following Madhewoo v The State of Mauritius (2016)

While Mauritius' normative framework remains strong, enforcement visibility and regulatory reporting continue to shape perceptions of institutional maturity.

Legal and Institutional Framework

The Constitution of Mauritius (1968) provides foundational protections under Sections 3 and 9, safeguarding individual liberty and protection of the home and property. However, the Supreme Court's decision in Madhewoo v The State of Mauritius (2016) adopted a narrow interpretation of constitutional privacy, limiting it primarily to the home, body, and property rather than recognising a broad, overarching right to privacy.

This interpretation remains unchanged in 2025 and continues to distinguish Mauritius' constitutional privacy framework from broader interpretations under instruments such as the ICCPR and the African Charter. Article 22 of the Mauritian Civil Code offers statutory protection of private life, though without constitutional status.

The primary legislation governing data protection is the Data Protection Act 2017. The Act:

  • Establishes principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, integrity, and accountability
  • Grants data subjects rights of access, rectification, erasure ("right to be forgotten"), objection, restriction, and protection against automated decision-making
  • Imposes stricter safeguards for special categories of personal data
  • Regulates cross-border data transfers
  • Mandates appointment of Data Protection Officers
  • Requires registration of data controllers and processors (valid for three years)

Non-compliance may result in fines or criminal sanctions, reinforcing the Act's deterrent intent.

Complementary legislation includes the Information and Communication Technologies Act and the Cybersecurity and Cybercrime Act 2021, which strengthen digital security but may also introduce surveillance-related implications.

The central supervisory authority is the Data Protection Office, headed by the Data Protection Commissioner. The Commissioner is empowered to:

  • Register controllers and processors
  • Conduct investigations and audits
  • Issue enforcement notices
  • Seek court orders to preserve data
  • Submit annual reports to Parliament

Supporting institutions include the Ministry of Technology, Communication and Innovation (policy oversight and IT Security Unit), and the Information and Communication Technologies Authority (ICTA), responsible for licensing and oversight in telecommunications and broadcasting under the ICT Act 2002.

Compared to 2024, the institutional framework remains stable and functionally operational. The emphasis for 2025 is less on structural reform and more on demonstrating measurable regulatory outcomes.

Enforcement Dynamics and Challenges

The 2024 assessment identified enforcement transparency, not legislative weakness, as the principal gap in Mauritius' regime. This observation remains largely valid in 2025. Consistent with the previous review period, outreach was made to Mauritius' supervisory authority, the Data Protection Office, to obtain first-hand information on registration processes, enforcement actions, institutional capacity, public awareness efforts, and compliance monitoring.

In this instance, the Office was responsive and provided substantive input on its regulatory activities and oversight functions. This constructive engagement strengthened the reliability of the analysis and allowed for a clearer assessment of enforcement performance, operational capacity, and the overall implementation status of Mauritius' data protection framework.

The Data Protection Office (abbreviated DPO below, not to be confused with the Data Protection Officers that controllers and processors must appoint) continues to demonstrate an active and increasingly systematised regulatory approach, combining registration oversight, complaints handling, inspections, public engagement, and international cooperation. The Office submits an annual report to the National Assembly, enhancing institutional transparency and parliamentary accountability.

Mauritius maintains a publicly accessible digital register of data controllers and processors through the DPO's online platform. The register is searchable by entity name, strengthening transparency and enabling public verification of compliance status. As of the 2024–2025 reporting period:

  • 22,699 controllers are registered
  • 1,847 processors are registered
  • 7,425 controllers require renewal
  • 330 processors require renewal

The introduction of the "e-DPO" integrated digital system has significantly strengthened compliance oversight. The platform operates 24/7 and facilitates:

  • Online registration and renewal (with e-payment functionality)
  • Automated issuance of digitally signed certificates
  • Online complaint submission
  • Electronic filing of breach notifications and Data Protection Impact Assessments (DPIAs)

This digitised infrastructure enhances administrative efficiency, improves accessibility for regulated entities, and supports structured monitoring of compliance obligations.

Enforcement activity in 2024 reflects a strong concentration of complaints relating to CCTV surveillance, unlawful disclosure of personal data, and right of access, indicating heightened public awareness around surveillance and workplace privacy.

CCTV cases accounted for a significant proportion of complaints:

  • 39 closed cases involving private premises, resolved following joint inspections with the Police. In most instances, cameras were either confined to respondents' premises or repositioned following regulatory intervention.
  • 104 ongoing cases requiring further site inspections and technical verification, often complicated by property disputes or non-cooperation of parties.
  • 4 workplace CCTV cases, raising concerns about constant monitoring of employees. Two were closed following inspections; one remains ongoing; and one was resolved through a formal hearing convened by the Data Protection Commissioner, resulting in corrective repositioning of cameras and reinforced necessity-based placement principles.

These cases demonstrate a corrective and mediation-oriented enforcement approach, supported by police collaboration where site verification is required.

In 2024, 17 complaints involving unlawful disclosure were registered:

  • Unauthorised sharing of customer information by employees (6 cases)
  • Disclosure of personal data to colleagues (5 cases)
  • Unauthorised use of employee email accounts (2 cases)
  • Misfiling and disclosure of sensitive financial records (1 case – closed following corrective measures)
  • Use of biometric data (fingerprints/facial recognition) without consent (2 cases – ongoing)
  • Alleged unlawful interception of private communications (1 case – ongoing, with police assistance)

Of the 17 cases:

  • 3 were closed after evidence review and remedial action
  • 14 remain under investigation

The DPO's approach includes formal written notices referencing statutory provisions, requests for internal compliance documentation, cross-examination of safeguards, and, where necessary, on-site inspections and security audits. Biometric data cases have been treated with heightened scrutiny, with emphasis on consent and proportionality.

Right of Access Case: One complaint concerning access to CCTV footage was resolved after on-site verification confirmed that no personal data was processed or stored.

Overall, case resolution timelines vary depending on complexity, cooperation of parties, and whether police involvement is required.

Beyond reactive complaint handling, the DPO conducted four compliance inspections under the Data Protection Act during the reporting period. The Office prioritises sectors handling high volumes of sensitive data, particularly:

  • Financial services
  • Management and corporate services
  • Telecommunications

This reflects a risk-based supervisory model focused on sectors with systemic data exposure.

The DPO is staffed by officers with legal, IT, and administrative expertise, enabling multidisciplinary investigations. However, staffing levels remain critically constrained, limiting proactive oversight and international engagement.

The Office's operating budget for FY 2024–2025 stands at Rs 5.6 million, which must support regulatory operations, digital infrastructure, inspections, training, and public engagement activities.

For criminal enforcement under the Data Protection Act, the DPO relies on police collaboration. The Commissioner may delegate investigative powers to police officers under statutory authority, and there is an identified need for a dedicated prosecution unit with seconded officers to streamline enforcement.

Mauritius is pursuing alignment with international standards through:

  • Ongoing discussions with the European Commission toward EU adequacy recognition
  • A draft Data Protection Bill under consideration
  • Proposed regulations clarifying the role and responsibilities of Data Protection Officers
  • A draft e-Privacy framework
  • Proposed Freedom of Information legislation
  • Consideration of constitutional amendments to reinforce digital privacy rights

This reform trajectory signals a strategic shift toward strengthening cross-border data transfer safeguards and enhancing Mauritius' global competitiveness.

The DPO maintains active participation in global and regional privacy networks, including:

  • The Global Privacy Assembly
  • The Global Privacy Enforcement Network
  • The Council of Europe
  • The Organisation for Economic Co-operation and Development
  • The African Union
  • The Francophone Association of Personal Data Protection Authorities (AFAPDP)

In October 2024, the Data Protection Commissioner was elected President of AFAPDP. In May 2025, the Commissioner was elected Chair of the African Union Data Governance Committee and Co-Chair of the Common Thread Network (CTN). These leadership roles enhance Mauritius' influence in continental and global data governance discourse.

Public awareness remains a core pillar of regulatory strategy. In 2024, the DPO:

  • Conducted nationwide sensitisation campaigns on television and radio
  • Organised a youth-focused workshop attended by approximately 400 students and educators
  • Trained over 455 Data Protection Officers across public and private sectors
  • Participated in professional forums, including engagements with the Mauritius Institute of Directors and private-sector consultancies on AI and ethical data governance
  • Delivered a Human Rights Day presentation on digital privacy for children

The e-DPO system further enhances public accessibility by enabling 24/7 complaint submission and breach reporting.

Despite operational progress, the DPO faces:

  • Severe staffing shortages
  • Resource limitations
  • Dependence on police for criminal enforcement
  • Need for enhanced prosecutorial mechanisms

A central strategic priority is achieving EU adequacy status, which is expected to strengthen cross-border data flows, elevate regulatory standards, and enhance Mauritius' standing as a trusted digital jurisdiction.

Overall, the Data Protection Office demonstrates a structured and increasingly mature oversight model, characterised by a transparent and searchable registration regime, active complaint handling supported by corrective enforcement measures, continued digitalisation of regulatory processes through the e-DPO system, issuance of sector-specific guidance, and growing leadership within regional and international data governance networks.

However, the long-term sustainability of this oversight framework will depend on strengthening staffing levels, enhancing prosecutorial support mechanisms, and increasing financial resources to match the Office's expanding regulatory mandate.

Notwithstanding these capacity constraints, Mauritius remains comparatively advanced within the region. This position is underpinned by strong statutory alignment with GDPR-inspired principles, binding international commitments including the International Covenant on Civil and Political Rights and Convention 108+, as well as institutional continuity supported by structured Data Protection Officer compliance obligations.

In summary, the assessment reflects continuity rather than regression. Mauritius retains its standing as a regional leader in data protection governance. Nonetheless, more detailed enforcement reporting, enhanced transparency metrics, and greater proactive regulatory disclosure would further strengthen public confidence and consolidate its international credibility.