Since March, Facebook and Cambridge Analytica have been at the forefront of the news. Documents circulated show that Cambridge Analytica used data improperly obtained from Facebook to build voter profiles for the United States elections in 2016. Our Data Protection Commissioner, Drudeisha Madhub, said yesterday, at a Breakfast Session on ‘Data Protection Act 2017 – Key Implementation Guidelines and The Role of the Regulator’, that she is not investigating the Cambridge Analytica scandal yet. But she is closely following the situation, and if there is any case related to Mauritius, the needful will be done. She also gave an overview of the new legislation and the European legislation known as the General Data Protection Regulation (GDPR).
“If there is any case related to Mauritius, the needful will be done,” says Drudeisha Madhub, Commissioner of the Data Protection Office, in relation to the Facebook – Cambridge Analytica scandal. She was the keynote speaker at the Breakfast Session organized by Temple Professionals on the theme ‘Data Protection Act 2017 – Key Implementation Guidelines and The Role of the Regulator’.
In March, The New York Times, working with The Observer of London and The Guardian, obtained a cache of documents from inside Cambridge Analytica. The documents proved that the firm used data improperly obtained from Facebook to build voter profiles. The news put Cambridge under investigation and thrust Facebook into its biggest crisis ever. Facebook said Wednesday that Cambridge Analytica, a data firm with ties to President Donald Trump’s campaign, may have had information on about 87 million Facebook users without the users’ knowledge.
The new legislation and the GDPR
“I am not yet investigating the Cambridge Analytica scandal. My colleagues in other countries are already doing it. If there is anything which relates to Mauritian data in this particular scenario, we will be investigating. We are following this situation very closely, like any regulator would do. We can investigate and give a decision on this. It’s a simple thing: whether consent has been collected. Did Facebook collect consent? Yes. Did Cambridge Analytica collect consent? No. That’s where it faulted. So, when you did not collect consent, and you are not found to be under any exception, you are liable under the law. And under the new Data Protection Act 2017, they would have been prosecuted,” explained the Data Protection Commissioner.
The main objective of the Breakfast Session was to talk about the new Data Protection Act (DPA) 2017 which came into force on the 15th of January this year. It has been enacted by the State Law Office (SLO) and the Data Protection Commissioner herself. For the latter, it was important to keep our legislation up to date so that we do not face any type of criticism, and especially to protect our reputation, as Mauritius is leading in the region.
“The old Data Protection Act was supposed to be replaced years ago, being in line with the old European directives of 1996. It was a copycat of the European directives. Some novel ideas were introduced, as we say in the jargon, to be in line with the local context. So, we had to correct a situation which was not very easy to live with. When I joined the office in 2007, I realized the 2004 law was not going to be practical in the long term,” affirmed Drudeisha Madhub.
She further added that many Bills were presented before reaching the final version of the new Act. But then the European legislation known as the General Data Protection Regulation (GDPR) came along. “I think we did the right thing – it was a bit of luck – by waiting. Finally, the GDPR came after five years. We then realized we are on the right track,” she continued.
EU view and comments
However, she says, her office has not had the opportunity to seek the view of the European Union on the new DPA 2017.
“Some people said we should. Yes, of course we should have done it. But we did not have the time. Because the new legislation is going for adequacy, we will surely get the EU comments and if there is any change to be made, we will do it. But I do not think there will be major changes.”
According to the Commissioner, the GDPR is certainly a law, but she sees it as “a dictionary” with many subsections.
“In my view, we are dealing with a piece which, in practice, we may have problems in implementing. This is reality,” she further affirmed.
Therefore, she tried to make the new DPA simple, and not to come up with legislation running to too many pages. What her office did is take the essence of the GDPR and put it in their own words to suit the local context.
“The new legislation is GDPR-based, and is nothing superfluous. It’s grounded in reality. The main focus of this legislation is making sure there is safe transfer of personal information from Mauritius to abroad, and why not from other jurisdictions to Mauritius. We are talking about globalization,” declared Drudeisha Madhub.
And “personal data” means any information relating to a data subject; a data subject being any living individual.
“If you go through the ‘Rights of Data Subjects’ in the new Data Protection Act, you will understand that the individual is very powerful. My humble advice is to not underestimate his power,” suggests the Commissioner.