Malawi Gets New Data Protection Legislation

On the 31st of January 2024, the Malawian president, Dr. Lazarus McCarthy Chakwera, assented to the Malawi Data Protection Act (MDPA). It came into force on the 2nd of February 2024.¹ The MDPA is Malawi’s first general data protection legislation. Before it, the constitution and sectoral laws regulated data protection in Malawi. The MDPA was enacted for the protection of the personal data of natural persons, the regulation of the processing and movement of personal data, the obligations of data controllers and data processors, and the designation of a data protection authority.² Some key provisions of the MDPA are addressed below.

The MDPA states that personal data must be processed lawfully, fairly and transparently.³ A data controller or data processor shall collect data for a specific and legitimate purpose and shall not process the data in a manner that is incompatible with the purpose for which it was initially collected.⁴ A data controller and data processor shall ensure that personal data intended to be processed by the data controller or data processor is adequate, relevant and limited to what is necessary for the purpose for which the data is intended to be processed.⁵ From the above, it is clear that the Act incorporates the traditional principles of data protection law.

In furtherance of these data protection principles, data controllers and data processors shall develop and implement appropriate technical and organizational measures to ensure that the processing of personal data complies with the provisions of the MDPA.⁶ A data controller and data processor shall maintain, in writing, a record of each personal data processing activity.⁷ In respect of cross-border data transfers, the MDPA ensures that there is an adequate level of personal data protection.⁸

The Malawi communication regulatory authority⁹ has been designated as the data protection authority charged with overseeing the implementation and enforcement of the MDPA. The agency is also responsible for developing and publishing guidelines on data protection, promoting public awareness, encouraging development, etc.

It would appear that the “Brussels effect” is far from over, with Malawi being the latest country to justify such an assertion with the passing of the MDPA. This is evident from the robust data protection practices introduced by the MDPA. Implementation and enforcement are key factors in ensuring that the MDPA achieves its objectives. The Malawi communication regulatory authority has a huge role to play in the implementation and enforcement of the MDPA. How well it carries out this task will determine the success or otherwise of the MDPA.

  1. Data Protection Act (Act No. 3 of 2024) (Malawi).
  2. Data Protection Act (Act No. 3 of 2024) (Malawi).
  3. Section 8, Data Protection Act (Act No. 3 of 2024) (Malawi).
  4. Section 9, Data Protection Act (Act No. 3 of 2024) (Malawi).
  5. Section 10, Data Protection Act (Act No. 3 of 2024) (Malawi).
  6. Section 28, Data Protection Act (Act No. 3 of 2024) (Malawi).
  7. Section 29(1), Data Protection Act (Act No. 3 of 2024) (Malawi).
  8. Part VII, Data Protection Act (Act No. 3 of 2024) (Malawi).
  9. Section 2, Data Protection Act (Act No. 3 of 2024) (Malawi).

Contributor(s)

Emmanuel Salami, PhD

Ogunshola Ademola Francis
