Review of Mozambique's Proposed Personal Data Protection Law

Introduction

Mozambique is poised to significantly advance its data governance framework with the introduction of a comprehensive draft Personal Data Protection Law. The proposed legislation aims to align the nation with international standards, particularly the principles of the African Union's Malabo Convention, which Mozambique ratified in 2019. The law seeks to provide robust protection for the personal data of its citizens, regulate the activities of both public and private sector entities, and establish a clear institutional structure for oversight and enforcement. This review examines the key features of the draft law and its potential impact on the country's growing digital economy.

Scope and Application

The law applies broadly to the processing of personal data within Mozambique by natural and legal persons, whether public or private, for economic and non-private purposes. It covers data held in both physical and digital formats, ensuring its relevance across all sectors. The framework provides clear exemptions for data processing conducted for journalistic, artistic, or literary purposes, provided it does not infringe on fundamental rights. It also includes necessary carve-outs for national security and defence, which are subject to the principles of necessity and proportionality under due legal process.

Key Principles of Data Processing

The draft law establishes a set of fundamental principles that mirror international best practices. These principles form the bedrock of the legislation and guide all data processing activities. They include:

  • Transparency: Ensuring individuals are clearly and accessibly informed about how their data is used.
  • Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes and not be further processed in a manner incompatible with those purposes.
  • Legality and Fairness: Processing must be lawful and conducted in good faith.
  • Data Minimisation and Proportionality: Data collected must be adequate, relevant, and limited to what is necessary for the stated purpose.
  • Accuracy: Personal data must be kept accurate and up-to-date.
  • Storage Limitation: Data should be stored only for as long as necessary to fulfil the processing purpose.
  • Security and Confidentiality: Controllers and processors must implement appropriate technical and administrative measures to protect data from unauthorised access, loss, or destruction.
  • Accountability: Processing agents are responsible for demonstrating compliance with the law's provisions.

Regulatory and Institutional Framework

The draft law proposes a two-tiered governance structure. At the strategic level, a National Council for the Protection of Personal Data (CNPD) will be established. Chaired by the Prime Minister, this multi-sectoral body will include ministers from key ministries like defence, justice, education, and health, as well as representatives from various regulatory bodies and the business sector. The CNPD's primary role is to ensure high-level political and strategic coordination on data protection policy.

The day-to-day regulatory and enforcement functions will be handled by a National Authority for the Protection of Personal Data (ANPD). Notably, the law designates the existing Regulatory Authority for Information and Communication Technologies to assume the role of the ANPD. This body will be an independent public institution with administrative and financial autonomy, responsible for issuing regulations, supervising compliance, investigating complaints, and applying sanctions. A critical challenge will be operationalising this authority. The government is given 180 days from the law's publication to issue the necessary regulations for its implementation, and the law itself will only enter into force 90 days after its publication. The effectiveness of this entire legal framework hinges on this crucial step being completed in a timely and effective manner.

Key Obligations for Controllers and Processors

The law introduces several core obligations for organisations that handle personal data:

  • Lawful Basis for Processing: The bill outlines the legal grounds for processing data, which include explicit consent, contractual necessity, legal obligation, public interest, and the legitimate interests of the controller.
  • Processing Sensitive Data: The law prohibits the processing of sensitive data, such as information on racial origin, political opinions, religious beliefs, and health or genetic data. These categories of data can only be processed under strict conditions, including explicit consent or for reasons of substantial public interest, with authorisation from the ANPD.
  • Credit and Solvency Data: The law includes specific requirements for processing financial data, limiting its use to purposes such as credit analysis and fraud prevention, and granting data subjects the right to access and correct this information.
  • Data of Children: Processing children's data requires specific and clear consent from a parent or legal guardian, and information must be presented in a simple, accessible manner.
  • Appointment of a Data Protection Officer (DPO): The appointment of a DPO is mandatory for all entities. The DPO acts as the primary contact for data subjects and the ANPD and must be granted the technical autonomy to perform their duties without undue interference.

Data Subject Rights

Chapter IV of the draft law grants individuals a strong set of rights to control their personal information. These include:

  • Right to Information: Data subjects must be clearly informed about the identity of the controller, the purposes of processing, and with whom their data is shared.
  • Right of Access: Individuals can obtain confirmation of whether their data is being processed and receive a copy of that data.
  • Right to Object: Data subjects have the right to object to the processing of their data on compelling legitimate grounds.
  • Right to Rectification, Update, and Erasure: Individuals can demand the correction of inaccurate data and the deletion of data that is no longer necessary for its original purpose.

International Data Transfers

The law adopts a risk-based approach to cross-border data flows. Transfers to countries deemed to have an "adequate" level of data protection are permitted, subject to notification to the ANPD. For transfers to countries without an adequacy finding, the law requires prior authorisation from the ANPD, and the transfer can only proceed if specific safeguards are in place, such as the data subject's explicit consent, the necessity of the transfer for contractual performance, or the use of approved contractual clauses that guarantee an adequate level of protection.

Enforcement and Sanctions

The ANPD is empowered with a range of administrative sanctions to ensure compliance. These escalate from warnings to fines, the blocking or deletion of data, and the partial or total prohibition of processing activities. The law mandates a fair administrative process, allowing for a full defence before sanctions are applied. In determining penalties, the ANPD will consider factors such as the gravity of the infringement, the good faith of the infringer, and any corrective measures taken. This flexible enforcement mechanism, similar to the "enforcement pyramid" model, allows for a proportionate regulatory response.

Conclusion

Mozambique's proposed Personal Data Protection Law represents a comprehensive and modern legal instrument that, once enacted, will significantly strengthen privacy rights and create a more predictable regulatory environment for businesses. Its alignment with continental and global standards will facilitate digital trade and enhance trust in the country's digital ecosystem. However, the success of this ambitious law will depend entirely on the swift and effective establishment of the National Authority for the Protection of Personal Data (ANPD). Without a properly funded and empowered regulator to develop guidelines, oversee compliance, and enforce its provisions, the law will remain a document of principles rather than a tool of practical protection.