In an era where personal data is a valuable commodity, robust data protection laws are essential to safeguard privacy and foster trust in digital economies. South Africa and Mauritius, two prominent African nations, have both enacted comprehensive data protection frameworks. While their laws share common objectives, they also exhibit notable differences in scope, enforcement, and alignment with international standards. This article explores the similarities and distinctions between South Africa's Protection of Personal Information Act, 2013 ("POPIA") and Mauritius' Data Protection Act, 2017 ("DPA"), offering insights into their approaches to privacy and data security.
Legal frameworks at a glance
- South Africa: Enacted in 2013 and fully effective from July 2021, POPIA is South Africa's principal data protection legislation. It regulates the processing of personal information by public and private bodies, aiming to balance the right to privacy with other rights such as access to information.
- Mauritius: The DPA, which came into force in January 2018, replaced the earlier Data Protection Act 2004. It is designed to align closely with the European Union's General Data Protection Regulation ("GDPR"), reflecting Mauritius's ambition to position itself as a trusted international business hub.
Key similarities
- Comprehensive scope – Both POPIA and the DPA apply to the processing of personal data by both public and private entities. They cover a wide range of data processing activities, including collection, storage, use, and sharing of personal information.
- Data subject rights – Data subjects (persons to whom personal information/data relates) in both countries are granted rights such as access to their personal data, correction of inaccuracies, and the right to object to certain forms of processing. These rights empower individuals to maintain control over their personal information.
- Obligations for data controllers/responsible parties – Both laws impose obligations on organisations to implement appropriate security measures, ensure data accuracy, and process data lawfully and transparently. They also require notification of data breaches to the relevant authorities and, in some cases, to affected individuals.
Key differences
- Data subjects
In Mauritius, the DPA only applies to the personal data of individuals who are natural persons. In contrast, POPIA extends protection to both natural and juristic persons, a reflection of its constitutional foundation in South Africa, where the right to privacy under section 14 of the South African Constitution has been interpreted to include juristic persons.
- Regulatory authorities
- In South Africa, the Information Regulator is an independent body established to enforce POPIA and the Promotion of Access to Information Act, 2002 (PAIA).
- In Mauritius, the Data Protection Office, headed by the Data Protection Commissioner (Commissioner), oversees compliance with the DPA. The Commissioner plays an essential role in supervising data controllers and processors, conducting investigations, issuing enforcement notices, and promoting cross-border cooperation.
- Cross-border data transfers
Both laws restrict the transfer of personal data to countries without adequate data protection. POPIA allows for cross-border transfers if the recipient is subject to laws, binding corporate rules, or agreements that provide an adequate level of protection.
In Mauritius, cross-border transfers are allowed where appropriate safeguards are demonstrated to the Commissioner, or where the data subject has given explicit, informed consent. Transfers are also permitted if necessary for contractual performance, public interest, legal claims, or the protection of vital interests. In limited cases, transfers based on compelling legitimate interests may be allowed, subject to a risk assessment and prior authorisation. The Commissioner may require proof of the effectiveness of the safeguards or of the legitimacy of the claimed interests, and may prohibit, suspend, or impose conditions on a transfer to protect the rights and freedoms of data subjects.
- Sanctions and penalties
In South Africa, POPIA allows for administrative enforcement as well as fines of up to ZAR 10 million and/or imprisonment for up to 10 years.
In Mauritius, breaches of the DPA may result in much lower fines of up to MUR 200,000 (approximately ZAR 80,000) and/or imprisonment for up to 5 years. However, the Commissioner does not have the authority to impose fines directly. Instead, cases must be referred to the Director of Public Prosecutions, and penalties may only be imposed by a court following a successful prosecution.
Conclusion
South Africa and Mauritius have both demonstrated a strong commitment to protecting personal data, though their approaches reflect distinct legal traditions. POPIA is rooted in constitutional privacy rights and benefits from an independent regulatory authority with robust enforcement powers. Mauritius, on the other hand, has adopted a GDPR-inspired model, with international alignment as a key policy objective.
Both countries are part of a wider continental shift toward harmonisation of data protection regimes. In this context, Mauritius's 2025 Budget Speech announced plans to amend the DPA to better align with international and regional standards, including the Council of Europe Convention and the GDPR, a move that mirrors broader efforts across Africa to build interoperable, trusted data frameworks.
As data increasingly flows across borders, continued regulatory dialogue and convergence will be essential to ensuring privacy, facilitating trade, and building digital resilience in the region.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.