The first version of a draft Personal Data Protection Law has been released. This is significant as, currently, Mozambique does not have a dedicated data-protection law.
The proposed law outlines principles for data processing, such as consent, transparency, legality, purpose, and proportionality. It applies to any collection, processing, storage or use of personal data carried out in Mozambique, regardless of the public or private nature of the controller; any automated or non-automated processing of data contained or required to be contained in a file; and data processed in embassies and consulates owned by Mozambicans residing abroad, but provides for certain exclusions, including for domestic use, journalism purposes, and in respect of certain classified information.
Non-compliance can result in administrative, criminal and civil penalties. This includes fines and imprisonment.
Key provisions of the proposed law include:
- National Data Protection Authority (NDPA): The establishment of independent authority to oversee data protection, handle complaints, enforce compliance, and promote awareness.
- Data-protection officers: The appointment of data-protection officers in public entities is mandatory. For private entities, they must be appointed where the private activity carried out involves processing operations which, due to their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale; or large-scale processing operations of special categories of data pursuant to Article 9 of the GDPR, or of personal data related to national criminal and anti-order convictions pursuant to Article 10 of the GDPR.
- Data-processing requirements: Personal data can only be processed with the explicit consent of the data subject and with notification to the NDPA. Certain exceptions to the consent requirement apply, including in compliance with a legal obligation.
- Requirements for processing certain data: The processing of personal data that reveals racial, ethnic, affiliation, ideological, political, religious beliefs or philosophical beliefs, membership in a political or trade-union association, sex life, genetic information or, in general, information relating to the health status of the data subject is prohibited, subject to certain exceptions.
- Data from children and adolescents: Processing personal data of children and adolescents must be carried out in their best interest, and with consent of at least one parent or legal guardian.
- Processing for purposes of public interest: This must respect the principle of data minimisation and include the anonymisation or pseudo-minimisation where the data subjects may be affected by one of these means.
- Data relating to illegal activities, crimes and misdemeanours: Processing personal data relating to persons suspected of unlawful activities, criminal offences, misdemeanours and the imposition of penalties, security measures, fines and ancillary sanctions, which are considered sensitive data, may only be carried out by a public authority, provided certain conditions are met.
- Data in video-surveillance systems and other means of electronic control: Processing of personal data in connection with the installation of video-surveillance systems and other forms of capturing, processing and broadcasting sound and images that make it possible to identify persons, including electronic-surveillance systems, is subject to the Basic Principles Governing the Processing of Personal Data set out in the draft law.
- Rights of data subjects: These include the right to information, right of access, right to object, and right to rectification, updating and deletion.
- International data transfers: Transfer of data to countries that ensure an adequate level of protection is subject to notification to the NDPA. A country is understood to ensure an adequate level of protection when it guarantees at least a level of protection equal to that established in the law. Transfer of data to a country that does not ensure an adequate level of protection is subject to authorisation from the NDPA, which can only be granted in certain circumstances.
- Notification and authorisation: The draft law sets out procedures for notification and obtaining authorisation from the NDPA.
- Sectoral codes of conduct: The NDPA is mandated to promote the development of codes of conduct aimed at contributing, according to the characteristics of the different sectors, to the proper implementation of the law. Codes of conduct must be registered with the NDPA.
- Recourse: Without prejudice to the right to lodge a complaint with the NDPA, any person may resort to administrative or judicial means to ensure compliance with the legal and regulatory provisions on the protection of personal data. Any person, under the terms of the law, may appeal in court against the violation of the rights provided for in the law. The data subject may bring actions against the controller or processor, including civil-liability actions.
- Criminal and administrative offences: The draft law provides for various administrative offences, classified according to severity, as well as crimes (including attempted crimes). Crimes include intentionally not notifying or requesting authorisation from the NDPA; providing false information in the notification or in requests for authorisation; using personal data in a way that is incompatible with the purpose for which it was collected; and unlawfully interconnecting personal data. Limitation periods are also provided.
- Penalties: These include fines and imprisonment, among others for unauthorised access to personal data; for copying or transferring personal data without legal provision or consent; unauthorised erasure, modification, suppression, concealment, or destruction of personal data, making it unusable or affecting its potential use; inserting false personal data with the intention of obtaining an undue advantage or to cause damage; and breach of professional secrecy (including for negligence).
- Transitional provisions: Processing data existing in manual files on the date of entry into force of the new law must comply with the provisions of Articles 7 (Processing of sensitive data), 8 (Suspicion of illegal activities, criminal offences and administrative offences), 10 (Right of information) and 11 (Right of access) within two years. The NDPA may authorise that data existing in manual files and kept solely for historical research purposes does not have to comply with Articles 7, 8 and 9 (Interconnection of personal data), provided that they are not reused for a different purpose.
- Other provisions: These cover aspects such as liability, security, confidentiality and retention obligations, as well as on anonymised data.
This proposed law fits into the government’s strengthening of its legal and regulatory framework through initiatives like the proposed Cyber Security Act, Cybercrimes Act, Copyright Law, Regulation for the Construction and Operation of Data Centers and Regulation for the Development, Procurement and Operation of Cloud Computing Platforms, as well as the recent adoption of the Regulation on Registration and Licensing of Intermediary Providers of Electronic Services.
At the end of February 2025, it was stated that the draft law would need to be presented to the Advisory Board of the Ministry of Communications and Digital Transformation to seek additional input before being submitted to public consultation. It is unclear if this has taken place, however, it seems so as the INTIC, IP - Instituto Nacional de Tecnologias de Informação e Comunicação website indicates that the draft law is currently open for comment.
16 May 2025 update: INTIC has just confirmed that an updated version of the draft law is currently in progress and is expected in the coming weeks.
--
This article was written by Kim Hawkey, Chief Content & Product Officer at Afriwise. Read the original publication here.
