Madagascar Data Protection Law 2014-038 | Guide

Back to Regulations Guide

Key Facts

Effective Date

June 9, 2015

Enacted

December 16, 2014

Enforcing Authority

Commission Malagasy de l'Informatique et des Libertes (CMIL)

Consent Model

Opt-in

Applies To

All entities processing personal data within Madagascar

Overview

Madagascar's Law 2014-038 establishes a comprehensive data protection framework enforced by the Commission Malagasy de l'Informatique et des Libertes (CMIL). Although the law was enacted in December 2014, the CMIL was only established in December 2023 after a nine-year delay. The law features one of Africa's highest penalty caps at 5% of pre-tax turnover, alongside criminal penalties including imprisonment for severe breaches. Prior notification to the CMIL is required before any data processing.

What This Means for Your Website

If your website processes personal data of individuals in Madagascar, you must notify the CMIL before processing, obtain consent or establish another valid legal basis, and implement data security safeguards. Cross-border data transfers are restricted to countries with adequate protection unless you obtain CMIL approval or data subject consent.

Key Requirements

Organizations must notify the CMIL before processing personal data. Consent or a valid legal basis is required. Data security safeguards must prevent unauthorized access. Cross-border transfers require adequate protection in the recipient country or CMIL approval. Data subjects have rights of access, rectification, and deletion. Data minimization and purpose limitation principles apply.

How ConsentStack Handles This

ConsentStack provides a consent management solution for Madagascar's Law 2014-038. It delivers a configurable consent banner, records consent decisions with timestamps for CMIL notification compliance, supports data subject rights workflows, and maintains audit trails. ConsentStack helps demonstrate lawful processing to the newly operational CMIL.

Penalties

Up to 5% of pre-tax turnover; fines MGA 200,000-10,000,000 for minor infractions; criminal penalties including imprisonment for severe breaches

Maximum Fine

MGA10,000,000 aggregate

Revenue-based

5% of annual revenue

Key Requirements

Consent or valid legal basis required for processing personal data
Data security safeguards mandatory to prevent unauthorized access
Cross-border transfers only to countries with adequate protection or with CMIL approval
Data subjects have rights of access, rectification, and deletion
Prior notification to CMIL required before processing
Data minimization and purpose limitation principles

Notable Provisions

CMIL was established in December 2023 — a 9-year delay after the law's enactment
5% turnover penalty cap is among the highest in Africa
Law was promulgated January 2015 but published in Official Gazette June 2015

Other Sub-Saharan Africa Regulations

POPIASouth Africa

Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.

NDPANigeria

One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.

Ghana Act 843Ghana

Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.

Kenya DPA 2019Republic of Kenya

Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.

Tanzania PDPA 2022United Republic of Tanzania

Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.

Ivory Coast Law 2013-450Ivory Coast

Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Is Madagascar's data protection law actively enforced?

The CMIL was only established in December 2023 after a 9-year delay, so enforcement is in early stages but now operational.

What are the penalties under Madagascar's Law 2014-038?

Penalties include up to 5% of pre-tax turnover, fines of MGA 200,000-10,000,000 for minor infractions, and criminal penalties including imprisonment for severe breaches.

Do I need to notify the CMIL before processing data?

Yes, prior notification to the CMIL is required before any personal data processing begins.

Can I transfer data out of Madagascar?

Cross-border transfers are only permitted to countries with adequate data protection, or with appropriate safeguards, explicit consent, or CMIL approval.

Stay compliant with Madagascar Law 2014-038

ConsentStack helps you implement Opt-in consent for Republic of Madagascar automatically.

Get started free