
“We cannot afford to operate without a strong data protection regime in the age of AI”

Drudeisha Madhub, Data Protection Commissioner

  • “The Freedom of Information Bill forms an integral part of the broader amendments to the Data Protection Act.”
  • “Data protection goes far beyond IT. It concerns every piece of information about an individual.”

Digital technologies are becoming part of everyday life, and the way personal data is used, shared, and sometimes exposed is raising growing concerns in Mauritius. From social media to financial information and sensitive personal records, the risks are no longer theoretical. They are real, and increasingly visible. In this context, questions of privacy, responsibility, and trust are coming to the forefront.

In this interview with Bizweek, Drudeisha Madhub, Data Protection Commissioner, talks about these challenges and outlines the direction the country is taking. Since the new government came into power, the Ministry of ICT has been driving a number of initiatives in this area. At the centre of this effort is the Digital Transformation Blueprint, which includes amendments to the Data Protection Act, the introduction of regulations governing Data Protection Officers, and the development of e-privacy regulations for the telecommunications sector. The Freedom of Information Bill also forms part of this broader reform agenda, alongside other initiatives such as sector-specific guidance, including for the financial services industry. Most of these projects, which form part of a wider programme covering the 2025-2029 period, have already been initiated and are now nearing completion.

Beyond these reforms, Drudeisha Madhub emphasises that data protection is not only about laws and institutions. It is also about awareness, behaviour, and individual responsibility in an increasingly digital society.

Rudy Veeramundar and Klyven Veeramundar

During your presentation with compliance officers at an AML-CFT workshop, you mentioned that every organisation needs a Data Protection Officer. Which organisations are concerned?

Under the Data Protection Act, there is a specific provision which states that every organisation, whether in the public or private sector, is required to appoint a Data Protection Officer. This is not optional; it is clearly set out in the law. If an organisation does not have a designated Data Protection Officer, this constitutes a criminal offence under the Data Protection Act. So, it is a mandatory requirement for all organisations to ensure that such a function is in place.
The rationale is straightforward: the Data Protection Officer plays a key role in ensuring that the organisation complies with data protection principles, monitors how personal data is handled, and provides guidance internally. Without such a function, it becomes much more difficult to ensure accountability and proper oversight.

Since when has this obligation been in place?

This requirement has been in force since the Data Protection Act 2018, which came into effect on 1 January 2018.

And what is the role of a Data Protection Officer?

A Data Protection Officer is responsible for monitoring compliance with the data protection obligations of controllers under the Data Protection Act. In practical terms, this means ensuring that the organisation respects all the requirements set out in the law.

For example, in the case of a financial institution, the controller is the organisation itself. The Data Protection Officer, who is typically an employee of that organisation, is responsible for implementing and overseeing the functions and obligations provided under the Data Protection Act.

These obligations are quite extensive. The controller must, for instance, maintain a record of processing operations. In certain circumstances, data protection impact assessments must be carried out. The organisation must also register with the Data Protection Office and ensure that personal data in its custody is properly monitored and protected, using the mechanisms provided under the law.

To ensure that all these responsibilities are fulfilled, the Data Protection Officer plays a central role within the organisation. It is a demanding function, requiring both technical understanding and regulatory awareness.

This is precisely why every organisation is required to have a Data Protection Officer. It is to ensure that compliance with data protection obligations is a significant and ongoing responsibility.

What progress has there been since the law came into force in 2018?

When the law came into force in 2018, we published a guide for Data Protection Officers, setting out clearly their roles and responsibilities within organisations. This guide explains what is expected of a Data Protection Officer and how the function should be carried out in practice.

Since then, I must say that there has been tangible progress. One of the reasons we have been able to see Data Protection Officers appointed across many organisations is that we have adopted a flexible approach. We do not require organisations to recruit a separate individual solely for this role. The function can be carried out by an existing member of staff, such as someone from the compliance team or an IT officer, provided that the person is adequately trained as a Data Protection Officer.

To support this, we have been actively providing training. Since 2019, around 500 Data Protection Officers have been trained directly by our Office. In addition, private organisations have also started offering training programmes in this field.

Taking all this into account, we estimate that there are now around 2,000 individuals who have been trained to carry out data protection responsibilities. However, in many organisations, this function is not always reflected in a formal job title. The role is often performed alongside other responsibilities.

That said, the law remains clear: the organisation must formally designate this individual as a Data Protection Officer. The function must be recognised, even if it is not a standalone position.

You mentioned that 2026 will be a defining year for data protection. Could you elaborate?

Since the new government came into power, the Ministry of ICT has been actively driving a number of initiatives in this area. To begin with, the Minister of Technology and Innovation introduced the Digital Transformation Blueprint. If you look specifically at the section dedicated to data protection within this Blueprint, you will find a series of concrete projects that are already underway.

These include, first, amendments to the Data Protection Act; second, the introduction of regulations specifically governing Data Protection Officers; and third, the development of e-privacy regulations for the telecommunications sector. In addition, there is the Freedom of Information Bill, as well as other related initiatives, such as the preparation of sector-specific guidance, including for the financial services sector. All these projects have been entrusted to the Data Protection Office.

As I mentioned, the Freedom of Information Bill forms an integral part of this broader effort. Most of these projects have already been initiated and are now nearing completion. They form part of a wider programme covering the period from 2025 to 2029.
These are all critical initiatives for strengthening data protection in Mauritius. If you look at the government programme, you will see that significant emphasis has been placed on the protection of personal data, the modernisation of our legal and regulatory framework, and the reinforcement of institutional structures. The objective is clear: to ensure that data protection is given the importance it deserves in our society.

This is particularly important in the context of artificial intelligence. As you know, there is no scope for compromise when it comes to data protection in today’s digital environment. Mauritius aims to position itself as a secure and trusted destination, not only for the financial sector but for the wider economy.

In the age of artificial intelligence, we simply cannot afford to operate without a strong and credible data protection regime. This is no longer optional. It is a necessity.

You also mentioned that safeguarding data and confidentiality is not only a legal requirement, but a cornerstone of trust. Could you expand on this?

We often believe that once we have laws in place and we comply with them, our duty is fulfilled. But when we are dealing with fundamental human rights, the issue goes much further. Here, we are talking about the right to privacy, which is a constitutional and fundamental human right. So, the discussion goes beyond the Data Protection Act alone.

Take, for example, a management company. When individuals entrust their data to such an organisation, they do so based on trust. They expect that their data will be protected, that it will not be misused, and that they will not be exposed to legal, financial, or reputational risks as a result.

However, if that data is not properly safeguarded, it may leave the organisation, whether through negligence, weak systems, or malicious attacks, and fall into the hands of hackers or ill-intentioned individuals. When this happens, it clearly means that the organisation has failed in its responsibility to protect that data.

Once data is exposed in this way, the consequences become unpredictable. The data may circulate beyond Mauritius, reaching jurisdictions where there is little or no protection. It can then be used for harmful purposes, including sexual exploitation, the circulation of pornographic content, financial fraud, or unauthorised access to personal accounts. These are real risks, and they are already happening.

Globally, data breaches have become widespread, and significant fines have been imposed in many jurisdictions, including in local contexts and in countries such as the United States. This shows the seriousness with which data protection is now being treated.

What we are now seeking to do is also to identify those responsible, particularly individuals or entities acting with harmful intent, so that appropriate enforcement action can be taken. This is an essential part of strengthening trust and ensuring accountability in the system.

Is there a particular challenge, from a local perspective, when it comes to technology?

Education is at the core of everything. We often feel that we understand the Internet, but as time goes by, we realise that our understanding remains limited and constantly evolving. The same applies to data protection, especially as we operate within an increasingly complex digital landscape.

This is precisely why data protection is so closely linked to information technology. Most data breaches today occur in the digital sphere, which naturally leads to the perception that data protection is primarily an IT-related issue.

However, it is important to emphasise that it is not only IT-related. While technology plays a central role, data protection is also about behaviour, awareness, and responsibility. Without a proper understanding of how data is used, shared, and exposed, even the most advanced technological safeguards may not be sufficient.

You mentioned that data protection is not only related to IT…

No, not at all. It goes far beyond IT. Data protection concerns every piece of information about an individual.

Take, for example, genetic data, DNA, or medical records. These are highly sensitive forms of personal data, and they are not always confined to digital systems. A doctor may store such information in physical files or records, even if some of it is also held on a computer. Regardless of the format, this remains personal data that must be properly protected.

So, the question becomes: how do we protect this data? The answer is that protection must go beyond digital safeguards. We also need physical safeguards to ensure that such information is not accessed, disclosed, or misused.
Data is present in every aspect of our lives. In almost every activity, we generate and share data. Ultimately, data protection is not only about technology; it is about individuals and how we protect ourselves and the information that defines us.

To what extent does individual responsibility come into play in data protection?

We have the duty to protect our own data. If we do not do this, no one will do it for us. You have a regulator, yes, but the scope of protection is always limited. We need to be conscious and educated about what we are doing with our data.

If we do not have that sense of responsibility, if we do not educate ourselves as we grow in our daily lives, then we expose ourselves. If we do not even know how to use a bank account, we should not go online. We should do things in a way that is respectful, but also protective of ourselves.

If we do not know, then we just click on a button, and all our data, all our money, is gone. So, the question is: why do we use the internet and digital equipment when we do not understand what it is?

So where does education come from? First and foremost, education starts with us. We educate ourselves, and then we go to universities and other institutions to get training. That is professional training.

But what about citizenship training? This is something we have to do ourselves. And when we do not do it, we do not get what we need. We can also go to institutions like the Data Protection Office, ask questions, and they will help us understand our duties and how to protect our data.

Is there an oversharing of data by users?

Oversharing is happening because we do not fully realise the value of our data. We also do not fully appreciate the risks associated with sharing that data. Very often, we tend to think: ‘I am sharing my data with you today, and that data will remain only with you because I trust you.’ We tell ourselves, ‘This is a good person, I trust him, so he will keep the data to himself.’

However, if that person needs to use the data for any purpose, he may do so. This is because he does not necessarily feel restricted, whether by ethical considerations or by a clear understanding of the law. Why should he not share the data with someone else? From his perspective, there may be no immediate consequence. First and foremost, he may not even be aware that he does not have the right to share that data in every circumstance. If he knew, he would likely be more careful and more responsible in handling such information.

This brings us back to education. The issue is not only about regulation, but also about awareness and behaviour. That is why we are working closely with educational institutions. We are trying to introduce data protection at primary, secondary, and tertiary levels, so that individuals understand from an early stage that personal data carries value and responsibility.

At the tertiary level, modules on data protection already exist, as professionals understand that this is both an educational and a professional matter, particularly in a digital economy where data is constantly being collected, processed, and shared.

But what about children’s understanding of data protection at the primary and secondary levels? This is where the real challenge lies. We have devised educational booklets, and the Ministry of Education will help spread the message. Teachers are also being encouraged to introduce these concepts in classrooms, so that children learn, from a young age, not only how to use digital tools, but also how to protect their personal information and respect the data of others.

You spoke about the EU adequacy project, GDPR, and the new Data Protection Bill. How does this project relate to Mauritius?

This is a very important project for Mauritius. As I mentioned earlier, if we want to be recognised as a trusted jurisdiction, whether for the financial sector, the wider economy, or even the health sector, we need to ensure that international standards are fully respected. This has become essential in an environment where cross-border data flows are central to economic activity.

We have therefore undertaken this EU adequacy project with the European Union, with the objective of aligning ourselves with EU GDPR principles and, more broadly, with internationally recognised best practices. In fact, these principles are already largely embedded in our existing legal framework. However, the adequacy assessment carried out by the EU is far more rigorous.
It is not limited to a review of the legal framework. The EU also assesses how data protection is implemented in practice. In addition, this process establishes a form of ongoing partnership between Mauritius and the EU in the field of data protection. It is not a one-off exercise, but rather a continuous process of engagement and evaluation.

As part of this process, the new Data Protection Bill will introduce the necessary changes to further align our framework with EU expectations. Thereafter, we will continue to work closely with the EU, as the assessment itself is ongoing. The EU will continue to review our data protection landscape, and where there are gaps or shortcomings, these will be highlighted.

Ultimately, this will allow Mauritius to strengthen its framework and position itself as a trusted platform for the EU. This recognition is important not only from a regulatory standpoint, but also in terms of reinforcing confidence among investors and facilitating international business.

And the Bill is likely to come this year?

Yes, it is likely to come this year.

We have seen that during high-profile investigations, bank statements, financial information, and data relating to companies and clients often find their way into the public domain. What message would you have for lawyers, institutions, and the media? And secondly, is this not doing more harm than good to the jurisdiction?

Absolutely! It is in fact very harmful for such data to be posted, whether on social networks, in newspapers, or on any other platform. It is extremely damaging for the individuals concerned. Personal data is not neutral. It carries reputational, professional, and psychological consequences when exposed without control.

You may have seen a recent communiqué from the Data Protection Office where we strongly reminded the public that personal information cannot simply be shared on social networks without the consent, or at the very least the knowledge, of the person concerned. This is a fundamental principle.

Quite recently, for example, there was a case before the Supreme Court where an individual won a defamation case because his data had been published online. The Court found that it was not acceptable for such information to be shared and circulated. The case was brought under defamation, which is indeed one legal avenue available when personal information is wrongfully disclosed. But beyond defamation, there are also specific provisions under the Data Protection Act that provide protection in such situations.

In that particular case, the individual succeeded, and the newspaper concerned was required to remove the data and take corrective measures. This illustrates clearly that there are legal consequences for the misuse of personal data.

At the core of the issue is a simple principle: personal data should not be shared on any platform without the prior consent of the person concerned. There are, of course, exceptions under the law, but these do not apply to everyone. They apply in clearly defined circumstances, for instance, where a regulator is authorised to publish certain information, or where the police or the FCC, in the course of an investigation, may disclose specific elements in the public interest. These actions take place within a legal and institutional framework. However, this does not give any individual the right to take such information and redistribute it.

A citizen does not have investigative authority. For example, if you witness someone polluting a street, you may record the incident, but you are not entitled to publish that video on social media. Your role is to provide that evidence to the relevant authorities, who will then conduct the necessary inquiry. That is the proper legal channel.

In the same way, individuals cannot take matters into their own hands by disclosing personal data. Just as one is not entitled to take the law into one’s own hands in other contexts, one is not entitled to publish someone’s personal information without consent.

This culture of oversharing is becoming widespread, and it is causing serious harm in our society. We have seen cases where personal photos, including highly sensitive images, are circulated online, leading to severe consequences, including mental distress, depression, and, in some tragic instances, suicide. These are not abstract risks; they are real and deeply human consequences.

Ultimately, this is about privacy. Respecting privacy is not only a legal obligation; it is a societal responsibility.

We are also seeing similar issues in the financial services sector, where a significant amount of financial information is circulating, whether in cases of dismissal or ongoing investigations, with bank account statements being shared widely. How do you view this situation?

It is indeed the same issue, and it is a very serious one. Financial data is considered sensitive data in data protection terms. It requires an even higher level of protection than basic personal information such as a name, an address, or even a photograph. The level of responsibility attached to such data is significantly higher.

If this type of data is being circulated without permission or without proper legal authority, it clearly indicates a major misunderstanding, or disregard, of the law. And when this is done by professionals, there is absolutely no excuse. How can someone not be aware of a law that has been in place for so many years under the Data Protection Act? How can a lawyer, in particular, not know these obligations?

So yes, in many cases, it is done knowingly. It is done on purpose. But the consequences are serious. These are not minor breaches. We have the authority to initiate prosecutions, including against professionals, and steps are being taken in that direction. We are also engaging with the police to ensure that certain cases are pursued.

At the level of the police, of course, investigations are ongoing, and these processes take time. However, there is also a recognised need to strengthen expertise in data protection within the police force. This is why we provide support and share our expertise, with the aim of bringing investigations to a conclusion and ensuring that the law is properly enforced.

At the same time, not all cases necessarily require prosecution. In many instances, we are able to resolve matters through appropriate arrangements, and we have had success in doing so. This is an approach we are continuing to pursue.

I can say that the vast majority of our cases – around 99 per cent – are progressing well. This is largely because we engage with stakeholders, explain clearly how data should be protected, and ensure proper follow-up. This combination of enforcement, guidance, and support is central to what we are doing.

Finally, over the past years, we have seen a number of high-profile cases and denunciations, with sensitive and public information continuing to be exposed. Are we not witnessing a worrying trend?

We are. We are definitely in a bad trend. But we should not look at this issue only within the Mauritian territory. We need to take a broader perspective and examine the problem at its source.

What is the problem? The reality is that, in Mauritius, we are largely a consumer society. Whether it is technological equipment or digital tools, we import and use what is developed elsewhere. We do not yet have enough capacity to create and fully control our own systems. As a result, when we use software, for example, even IT professionals may not fully know what is embedded within it.

We use these systems in the Mauritian context, but through them, foreign entities may potentially access data. In such situations, we may be jeopardising the sovereignty of the country without even realising it. Our data may be travelling across borders without our knowledge or control.

So, the issue is broader than Mauritius itself, and this makes it much more complex to address. We can carry out awareness campaigns, strengthen regulations, and even introduce new legislation, particularly in areas such as cross-border data responsibility and the accountability of social networks. These are important steps, and they will certainly help reduce the problem to some extent.

However, even with stronger laws, the root of the issue will remain. The question, then, is how we address it at a deeper level.

One key element is individual responsibility. People need to understand that social networks should not be used in ways that expose personal data unnecessarily. We are not saying that people should stop using social media. Rather, we are saying: use them carefully, and only for the purpose you need.

Even private conversations are not entirely without risk. Today, you may believe a conversation is private, but tomorrow, if required by a court, access may be granted. Investigators may also use such information as part of their work. But what happens if that information is leaked? A private conversation can quickly become public, circulating on social networks, and the damage to a person’s reputation can be irreversible.

This is the reality we are facing. There are no safeguards that can guarantee 100 per cent protection, whether in Mauritius or elsewhere. So, the question becomes: how do we take responsibility in a meaningful and lasting way?

To reverse this trend, we need a collective effort. Schools and public institutions have a critical role to play. They must actively teach these issues to children. Even something as simple as a short daily session, ten minutes each morning, to discuss rights, responsibilities, and real-life examples can help shape awareness from an early age. This requires commitment.

It would not be fair to place all the responsibility on the government or on institutions alone and ask, ‘What are you doing?’ But what about users themselves? If individuals do not take responsibility, then at some point, they will have to be held accountable. When someone acts in a way that violates the law, there are consequences. And those consequences can be serious, including legal sanctions and even imprisonment.
