1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?
The collection, processing and use of personal data by public and private entities for the most varied ends have now reached a dimension that deserves specific and very careful legal protection. However, Mozambique does not have any specific laws governing data breach notifications, besides those related to the financial sector. Accordingly, under Mozambican law, there is no specific legal obligation or requirement to notify either affected individuals or any regulator of a data breach (in fact, there is no Data Protection Authority in Mozambique).
The only legal rules that relate to privacy and data protection in Mozambique are:
- A general protection enshrined in Article 71 of the Mozambican Constitution (ideas of protection of personal data in computer records, requirements for access to databases and the use by public and private authorities of these databases or computer media); under the concept that can be extracted from our Constitution, personal data are those that identify, or allow the identification of, an individual and that relate to political, philosophical or ideological beliefs, religious faith, party affiliation and private life.
- Although the constitutional norm refers only to the use of data on computer media, the concept of personal data cannot be limited to data treated in this way. For this reason, personal data are, of course, worthy of protection regardless of the media, from computer to electronic, paper, image and so on.
- Our Constitution deals with the theme in four dimensions:
(a) The first is a ban on the use of computer resources for the recording and processing of personal data. The provisions of Article 71 (2) provide for obligations to obtain the consent of the holder, to provide the holder with appropriate information and, in some cases, to require the authorization of the regulatory authority for data processing;
(b) The second is to refer to the law the regulation of the protection, processing and use of personal data by public authorities and private entities;
(c) The third is the express prohibition of access to databases for the knowledge of third party personal data, as well as their transfer, except in cases established by law or court decision;
(d) Lastly, the Constitution guarantees everyone the right to access the data collected about them and to obtain their data rectification.
- The Mozambican Civil Code establishes the right to privacy (see Article 80), thus instituting the regime for the confidentiality of personal data, according to which the collection, processing and storage of personal data requires the explicit permission of the interested parties, insofar as the rights of personality can only be limited voluntarily (see Article 81).
- In that respect, Article 10 of the Consumer Protection of the Telecommunications Service Regulation (Decree no. 44/2019, of 22 May) provides that consumers shall have the right to privacy and protection against unauthorized use of their personal information, i.e., the consumer's number or personal data may not be provided to third parties without their permission.
However, even though there are no specific laws on this subject, through Resolution no. 5/2019, of 20 June, the Government of Mozambique has recently ratified the African Union Convention on Cybersecurity and Protection of Personal Data, adopted by the 23rd Ordinary Session of the Summit of Heads of State and Government of the African Union. This Convention aims to define the objectives and general orientations of the Information Society in Africa.
As regards financial institutions regulations, please note:
- Mozambican banking legislation that regulates the prevention of money-laundering in the financial system (Law no. 14/2013, of 12 August and Decree no. 66/2014, of 29 October), and also Notice 4/GBM/2015, of 17 June, of the Central Bank of Mozambique, provides that all banks are lawfully authorized to collect all the relevant personal data of their clients when performing certain specific operations, such as opening a bank account. Moreover, banks are obliged to keep, and are responsible for, the personal data collected from their clients for a maximum period of 15 (fifteen) years, counted from the date of the closing of the bank accounts or performance of the bank operations.
- As specifically regards credit or debit cards, Notice 1/GBM/2014, of 4 July, of the Central Bank of Mozambique, establishes that in the case of an intentional or unintentional personal data security breach, banks are explicitly obliged to carry out any notifications to their clients and to take all necessary actions to prevent any damage from such security or integrity incidents, threats or vulnerabilities.
- With the approval of Law no. 3/2017 in January of 2019, which establishes the legal regime of the Electronic Transactions ("Electronic Transactions Law"), the legal provisions for the protection of personal data in Mozambique are provided in a sectoral manner. This law, which aims to ensure the security of information and communication technology providers and users, is intended to establish a legal framework for electronic commerce, data messaging, electronic communications and e-government services.
- For example, Article 63 provides that the data processor shall protect personal data against risk, loss, unauthorized access, destruction, use, modification or disclosure. Moreover, Article 64 of the same law adds that access to files and records of banks or related to third parties is not allowed, nor is the transfer of personal data from one computer file to another pertaining to different services or institutions, except in cases established by law or court decision.
- This law, combined with the guarantee of the right to privacy under Article 80 of the Mozambican Civil Code, strengthens the legal framework for privacy and protection of personal data, but is not intended to provide an autonomous, exhaustive regime, common to all sectors, for the protection of personal data.
Notwithstanding, the requirements for access to databases and transmission of data are yet to be regulated, including the definition of what is meant by personal data, as well as the consequences of the violation of that right.
1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?
1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?
1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?
1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?
Considering the above-mentioned legislative gap on data protection matters and bearing in mind that Mozambique does not have a Data Protection Authority, it is nearly impossible to address this matter by giving an accurate response about the standard required notification procedure to follow and the exact consequences of the violation of personal data.
Even so, it is recommended, for both private and administrative entities, to formally notify the respective individuals in the event of a data breach. From a legal point of view, and under the assumption that either the private or the administrative entity was responsible for collecting and storing the data in question, such notification shall be interpreted as diligent, as well as useful for mitigating damages.
As regards credit card data breaches please refer to 1.1 above.
1.6 What are the applicable data protection laws or guidelines within your country?
Despite not directly addressing the issue, the Constitution of Mozambique, the Mozambican Civil Code, the Labor Law (Law no. 23/2007, of 1 August) and Law no. 34/2014, of 31 December, provide certain guidelines. The Penal Code, Law no. 24/2019 of 24 December, applies as well.
On the other hand, Article 80 of the Civil Code institutes the reserve on the intimacy of private life and Article 81 of the same law provides for the general regime of confidentiality of personal data, according to which the collection, processing and storage of personal data require the explicit permission of the interested parties.
With regard to the employment relationship, Article 6 of the Labor Law provides for the protection of personal data, leaving to specific legislation, which does not yet exist, the regulation of the use of computer files and of access to personal data relating to the job applicant or employee. It also grants the employee, as a general rule, the right to confidentiality of correspondence of a personal nature made by means of electronic messages.
Law no. 34/2014, of 31 December, regulates the exercise of the public right to information and public democratic participation within the procedure and interaction between private entities or individuals and administrative and governmental bodies or entities. According to this law, the exercise of the public right to information and public democratic participation shall be made with respect for human dignity, namely, observing and respecting the right to honour, good name and reputation, as well as the right to defend the private life or data of the people concerned.
Consistent with this main principle, one of the most important rules introduced by Law no. 34/2014, of 31 December, is that personal data or information regarding the privacy of the people concerned, contained in either electronic or physical files held by such public entities, are classified as confidential and cannot be shared with any third or interested parties, except with the express written consent of the people concerned or where a court decision so requires. Please note that a breach of these terms and conditions on the use of confidential information shall be punished with fines and may lead to criminal prosecution, on a case-by-case basis.
In this regard, the section on "Crimes Against the Privacy" of the Mozambican Penal Code (Law no. 24/2019 of 24 December) is noteworthy. Its Article 252 punishes with imprisonment of up to 1 year and a corresponding fine those who, without consent and with the intention of looking into people's privacy, namely the intimacy of family or sexual life:
1.6.1 intercept, record, use, transmit or disseminate conversation, telephone communication, image, photo, video, audio, detailed billing, e-mail messages, social media or other data transmission platform;
1.6.2 capture, photograph, film, record or disseminate images of people or of intimate objects or spaces;
1.6.3 observe or listen to hidden people who are in a private place; or
1.6.4 disseminate facts relating to another person's private life or serious illness.
It is also provided that this last act is not punishable when it is carried out as an adequate means of pursuing a legitimate and relevant public interest.
Thus, we start from the assumption that "every citizen has the right to honor, to a good name, to reputation, to the defense of his public image and to the reserve of his privacy", as provided for in Article 41 of the Mozambican Constitution, in conjunction with Article 79 (right to image) and Article 80 (right to privacy), both of the Mozambican Civil Code. All these moral values that the law recognizes are universally enshrined rights.
Notwithstanding the general principle under which all the personal data are protected by professional privilege, banks must collaborate with any judicial or criminal authorities in the event of a formal investigation by sharing all the required information (including personal data information), without any prior authorization or consent given by the client, nor implying any contractual or civil liability of the bank.
1.7 Contact information for Data Protection Authority:
For more information, contact:
TTA Sociedade de Advogados
Edifício Millennium Park, Torre A, Avenida Vladimir Lenine, n.º 179, 6.º Dto, Maputo – Moçambique
+258 843 141 820
PLMJ Sociedade de Advogados, RL
PLMJ Colab Headquarters, Avenida Fontes Pereira de Melo, 43, 1050 – 119 Lisbon – Portugal
+351 213 197 446 / Mobile: +351 916 346 219 / +258 843 318 695