Global Privacy Regulations


BDO Local Resources

Deepshi Hujoory | Email | Phone

Law: Data Protection Act 2017 ('the Data Protection Act')

Regulator(s): Data Protection Office  

Adequacy Agreement with GDPR: No

Measures Announced


Mauritius amended its data protection laws to align with the GDPR and international standards. The Mauritius Data Protection Act (MDPA) came into effect in 2017 to fit Mauritius’ evolving digital environment. The new act makes a commendable effort to reassure data subjects of the reasons for collecting and processing their personal data. For example, the MDPA defines ‘consent’ more explicitly, unlike the former act, aiming to give individuals more autonomy over decision-making powers regarding their personal information.

In 2016, Mauritius became a signatory to the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108').

The Data Protection (Fees) Regulations 2020, concerning the new fees for registration of controllers and processors, came into force on 01 August 2020. The fees caused an essential change in the privacy culture across organisations in Mauritius. Per the regulations, data controllers and processors had a moratory period of 3 months to register with the Data Protection Office. The registration process pushed local organisations to focus on privacy program development and identify special categories of personal data, the purpose of processing, categories of data subjects, data transfers, risk management, and security.

In addition, Mauritius has recently signed and ratified the Protocol amending Convention for the Protection of Individuals concerning the automatic processing of personal data.

Data Protection Authority Focus

The complaints mechanism is yet another novelty of the MDPA. The power to investigate a complaint about a contravention of the act is conferred upon the Data Protection Commissioner. In the past year, the Commissioner has been researching complaints concerning unlawful access to personal data, the use of CCTV cameras, and alleged data breaches, among others.

The MDPA brings criminal sanctions, including fines and possible imprisonment for unlawful processing of personal data. The MDPA says that any person who commits an offence could be liable to fines not exceeding 200,000 rupees and imprisonment up to five years. To date, the Commissioner has not imposed fines.

In June 2021, the Canadian Securities Administrators ('CSA') signed a FinTech cooperation agreement with the Financial Services Commissioner, Mauritius (‘FSC’). The purpose of the agreement is to provide a framework for cooperation and referrals between the jurisdictions to accommodate the evolving financial services industry.


BDO Local Resources

Ebenezer Olabisi | Email

Mark Antalik | Email | Phone

Tutu Oshineye | Email | Phone

Law: Nigerian Data Protection Regulation (NDPR)

Regulator: National Information Technology Development Agency ('NITDA')

Adequacy Agreement with GDPR: No

Measures Announced


The legal name of Nigeria's local data privacy legislation is The Nigerian Data Protection Regulation (NDPR), which was issued by the Nigerian Information Technology Development Agency (‘NITDA’). The NDPR is the current data protection regulation in Nigeria. It provides for the rights of data subjects, the obligations of controllers, data administrators (processors), international data transfer, data security, amongst others. The NDPR applies to natural persons residing in Nigeria or residing outside Nigeria who are Nigerian citizens.

Nigeria is fast becoming a digital economy, and many Data Controllers are engaging the services of Data Protection Compliance Organizations (DPCO) to help their organizations comply with the requirements of the NDPR. Article 1(3)(j) of the NDPR states that: ‘A Data Protection Compliance Organization (DPCO) is any entity duly licensed by NITDA for training, auditing, consulting, and rendering services aimed at ensuring compliance with this Regulation or any foreign Data Protection law or regulation having effects in Nigeria.’[1]

Additionally, pending data protection lawsuits include:

  • Incorporated Trustees of Laws and Rights Awareness Initiative v. Zoom Video Communications Inc.
  • Digital Rights Lawyers Initiative v. National Youth Service Corps (NYSC)

These lawsuits demonstrate a growing awareness by the public of the need to protect their data. By law, data controllers in Nigeria must comply with the NDPR by safeguarding the privacy of data subjects.

Data Protection Authority Focus

Recently, on 17 August 2021, NITDA exercised its enforcement powers when it sanctioned Soko Lending Company Limited (Soko Loans) for privacy invasion. Soko Loans engaged in ‘unauthorized disclosures, failure to protect customers’ personal data and defamation of character as well as carrying out the necessary due diligence as enshrined in the NDPR.’[2]

NITDA imposed a fine of Ten Million Naira (N10,000,000.00) on Soko Loans.

[1] NITDA, Nigerian Data Protection Regulation 2019

[2] NITDA, NITDA Sanctions SokoLoan For Privacy Invasion, August 17, 2021