Database

Browse Database

MALAWI

Since September 2015

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Malawi National Health Information System Policy of September 2015
Section 12.4 of the Malawi National Health Information System Policy provides a requirement for any health-related data, whether physical or electronic, to be stored only within the borders of Malawi except for the purpose of continuation of care. Section 14.1 ascribes ownership of any health-related data to the Ministry of Health. This policy was elaborated for the health sector of Malawi, i.e. public and private. The stipulations therein, therefore, apply to all public and private health facilities alike (Section 2).
Coverage Health sector

MALAWI

Since January 2024, entry into force in June 2024

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Data Protection Act, 2024
Section 38 of Malawi’s Data Protection Act prohibits the transfer of personal data from Malawi to another country or international organisation unless the recipient is subject to a legal or institutional framework that ensures an adequate level of protection. This includes laws, binding corporate rules, contractual clauses, codes of conduct, or certification mechanisms. Under Section 39, the Malawi Communications Regulatory Authority is empowered to assess adequacy, either on its own initiative or upon application. The assessment considers factors such as the enforceability of data subject rights, respect for the rule of law and human rights, the existence of effective data protection legislation, independent supervisory authorities, and relevant international commitments. Where adequacy is not established, Section 39(4) permits transfers only under specific conditions, such as explicit informed consent, contractual necessity, or where the transfer is clearly in the interest of the data subject and obtaining consent is impracticable. Section 40 requires that any adopted binding corporate rules, codes of conduct, or certification mechanisms be submitted to the Authority.
Coverage Horizontal

MALAWI

N/A

Pillar Cross-border data policies  |  Indicator Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
Malawi has not joined any free trade agreement committing to open transfers of cross-border data flows.
Coverage Horizontal

MALAWI

Since January 2024, entry into force in June 2024

Pillar Domestic data policies  |  Indicator Framework for data protection
Data Protection Act, 2024
The Data Protection Act establishes a comprehensive regime for data protection in Malawi. It repeals the data protection provisions contained in the Electronic Transactions and Cyber Security Act, 2016, and designates the Malawi Communications Regulatory Authority (MACRA) as the national data protection authority. The Act applies to the processing of personal data within Malawi, including by entities outside the country that offer goods or services to, or monitor the behaviour of, individuals in Malawi. It excludes processing undertaken solely for personal or household purposes, as well as the mere transmission of data through Malawi. The Act imposes obligations on data controllers and processors, including mandatory registration for those of significant importance. These entities are required to comply with the Act within six months of its commencement, while others are granted a 24-month grace period. MACRA is empowered to investigate potential or actual violations of the Act.
Coverage Horizontal

MALAWI

Since February 2017, entry into force in September 2020
Since November 2016, entry into force in June 2017

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Access to Information Act, 2016

Electronic Transactions and Cybersecurity Act of 2016
Section 13 of the Access to Information Act mandates information holders to maintain information for a period of seven years from the date on which the information is generated by the institution or on which the information comes under its custody or control. If that information is exempted from disclosure, it may be kept for a longer period. Section 2 establishes that information holder means a public body and a relevant private body, and according to Section 3, this Act shall apply to information in custody or under the control of any information holder listed in the Schedule. Among the information holders to which the Act applies are the institutions and organisations, whether established by or under an Act of Parliament or otherwise, in which the Government hold shares or exercises financial or administrative control and persons in the service of those institutions and organisations, and organisations contracted by Government to do work for the Government and persons in the service of those organisations.
Furthermore, Section 17 of the Electronic Transactions and Cybersecurity Act establishes that where any written law requires that a document, record or information shall be retained, that requirement shall be satisfied if the document, record or information is held in electronic form. Such document, record or information shall be kept in electronic form for at least seven years.
Coverage Horizontal

MALAWI

Since January 2024, entry into force in June 2024

Pillar Domestic data policies  |  Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Data Protection Act, 2024
Section 30 of the Data Protection Act stipulates that data controllers are obliged to undertake a data protection impact assessment (DPIA) where the envisaged processing is likely to give rise to significant risks to the rights of data subjects. The Act delineates categories of high-risk processing, including the use of automated processing systems, profiling, the large-scale processing of sensitive data or data relating to criminal convictions, and the large-scale monitoring of publicly accessible areas. The resulting DPIA report must be submitted to the Malawi Communications Regulatory Authority (MACRA) prior to the commencement of processing. Also, data controllers are required to review and, where necessary, update the DPIA when the nature or level of risk has changed.
In addition, Section 33 provides that, where a data controller or processor constitutes a public authority other than a court, or its core activities involve either large-scale monitoring or the large-scale processing of sensitive data, the Act requires the appointment of a data protection officer to discharge the responsibilities prescribed therein.
Coverage Horizontal

MALAWI

N/A

Pillar Intellectual Property Rights (IPRs)  |  Indicator Adoption of the WIPO Copyright Treaty
Lack of signature of the WIPO Copyright Treaty
Malawi has not signed the World Intellectual Property Organization (WIPO) Copyright Treaty.
Coverage Horizontal

MALAWI

N/A

Pillar Intellectual Property Rights (IPRs)  |  Indicator Adoption of the WIPO Performances and Phonograms Treaty
Lack of signature of the WIPO Performances and Phonograms Treaty
Malawi has not signed the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.
Coverage Horizontal

MALAWI

Since November 2016, entry into force in June 2017

Pillar Intellectual Property Rights (IPRs)  |  Indicator Mandatory disclosure of business trade secrets such as algorithms or source code
Electronic Transactions and Cybersecurity Act of 2016
The Law in Malawi, according to Sections 52 and 53 of the Electronic Transactions and CyberSecurity Act of 2016, requires cryptography services or products to be registered by the Communications Authority. Additionally, the use, importation, and exportation of encryption programs and encryption products is subject to authorisation by the government. In addition, Section 67 of the Act mandates encryption services providers to declare to the Authority the technical characteristics of the encryption means as well as the source code of the software used. Violation of these regulations is a criminal offence punishable by up by imprisonment and a fine.
Coverage Encryption services

MALAWI

N/A

Pillar Intellectual Property Rights (IPRs)  |  Indicator Effective protection covering trade secrets
Lack of regulatory framework covering trade secrets
Malawi has no rules applicable to the protection of trade secrets.
Coverage Horizontal

MALAWI

N/A

Pillar Telecom infrastructure & competition  |  Indicator Passive infrastructure sharing obligation
Requirement of passive infrastructure sharing
It is reported that there is an obligation for passive infrastructure sharing in Malawi to deliver telecom services to end users. It is practised in both the mobile and fixed sectors based on commercial agreements.
Coverage Telecommunications sector

MALAWI

Since October 2016

Pillar Telecom infrastructure & competition  |  Indicator Maximum foreign equity share for investment in the telecommunication sector
Communications Act of 2016
Section 35 of the Communications Act mandates an electronic communications licensee (Network and Application Services) to maintain a shareholding by nationals of at least 20%.
Coverage Telecommunications sector

MALAWI

Reported in 2022

Pillar Telecom infrastructure & competition  |  Indicator Presence of shares owned by the government in telecom companies
Presence of shares owned by the government in the telecom sector
It is reported that the government has a 20% share in Malawi Telecommunications Limited (MTL).
Coverage Telecommunications sector

MALAWI

N/A

Pillar Telecom infrastructure & competition  |  Indicator Functional/accounting separation for operators with significant market power
Lack of mandatory accounting separation for dominant network operators
It is reported that Malawi does not require accounting separation for operators with significant market power (SMP) in the telecom market. However, functional separation is legally required.
Coverage Telecommunications sector

MALAWI

N/A

Pillar Telecom infrastructure & competition  |  Indicator Signature of the WTO Telecom Reference Paper
Lack of appendment of WTO Telecom Reference Paper to schedule of commitments
Malawi has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.
Coverage Telecommunications sector

Report issue     Report new measure