According to Sections 92-94 of the Communications Act of 2016, All SIM cards in Malawi need to be registered on a central database, and a customer’s national identity number needs to be verified when purchasing, replacing, or swapping a SIM card.

According to Section 52-53 of the Electronic Transactions and CyberSecurity Act of 2016, cryptography services or products are required to be registered by the Communications Authority. Additionally, the use, importation, and exportation of encryption programs and encryption products are subject to authorisation by the government.

Section 12.4 of the Malawi National Health Information System Policy provides a requirement for any health-related data, whether physical or electronic, to be stored only within the borders of Malawi except for the purpose of continuation of care. Section 14.1 ascribes ownership of any health-related data to the Ministry of Health. This policy was elaborated for the health sector of Malawi, i.e. public and private. The stipulations therein, therefore, apply to all public and private health facilities alike (Section 2).

Section 38 of Malawi’s Data Protection Act prohibits the transfer of personal data from Malawi to another country or international organisation unless the recipient is subject to a legal or institutional framework that ensures an adequate level of protection. This includes laws, binding corporate rules, contractual clauses, codes of conduct, or certification mechanisms. Under Section 39, the Malawi Communications Regulatory Authority is empowered to assess adequacy, either on its own initiative or upon application. The assessment considers factors such as the enforceability of data subject rights, respect for the rule of law and human rights, the existence of effective data protection legislation, independent supervisory authorities, and relevant international commitments. Where adequacy is not established, Section 39(4) permits transfers only under specific conditions, such as explicit informed consent, contractual necessity, or where the transfer is clearly in the interest of the data subject and obtaining consent is impracticable. Section 40 requires that any adopted binding corporate rules, codes of conduct, or certification mechanisms be submitted to the Authority.

Malawi has not joined any free trade agreement committing to open transfers of cross-border data flows.

The Data Protection Act establishes a comprehensive regime for data protection in Malawi. It repeals the data protection provisions contained in the Electronic Transactions and Cyber Security Act, 2016, and designates the Malawi Communications Regulatory Authority (MACRA) as the national data protection authority. The Act applies to the processing of personal data within Malawi, including by entities outside the country that offer goods or services to, or monitor the behaviour of, individuals in Malawi. It excludes processing undertaken solely for personal or household purposes, as well as the mere transmission of data through Malawi. The Act imposes obligations on data controllers and processors, including mandatory registration for those of significant importance. These entities are required to comply with the Act within six months of its commencement, while others are granted a 24-month grace period. MACRA is empowered to investigate potential or actual violations of the Act.

Malawi is a party to the Patent Cooperation Treaty (PCT).

Malawi has a copyright regime under the Copyright Act of 2016. However, the exceptions do not follow the fair use or fair dealing model, therefore limiting the lawful use of copyrighted work by others. Arts. 36-53 list the exceptions, which include personal and teaching purposes; reproduction, translation, adaptation, arrangement or other transformation of a work exclusively for the user’s own personal or private use of a work which has already been lawfully made available to the public; among others.

Malawi has not signed the World Intellectual Property Organization (WIPO) Copyright Treaty.

Malawi has not signed the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.

The Law in Malawi, according to Sections 52 and 53 of the Electronic Transactions and CyberSecurity Act of 2016, requires cryptography services or products to be registered by the Communications Authority. Additionally, the use, importation, and exportation of encryption programs and encryption products is subject to authorisation by the government. In addition, Section 67 of the Act mandates encryption services providers to declare to the Authority the technical characteristics of the encryption means as well as the source code of the software used. Violation of these regulations is a criminal offence punishable by up by imprisonment and a fine.

Malawi has no rules applicable to the protection of trade secrets.

It is reported that there is an obligation for passive infrastructure sharing in Malawi to deliver telecom services to end users. It is practised in both the mobile and fixed sectors based on commercial agreements.

Section 35 of the Communications Act mandates an electronic communications licensee (Network and Application Services) to maintain a shareholding by nationals of at least 20%.

It is reported that the government has a 20% share in Malawi Telecommunications Limited (MTL).