DPA 2024

Data Protection Act, 2024

Malawi | Opt-in | National

Key Facts

Effective Date: June 3, 2024
Enacted: February 1, 2024
Enforcing Authority: Malawi Communications Regulatory Authority (MACRA)
Consent Model: Opt-in
Applies To: All data controllers and processors operating within Malawi; significant controllers must register with MACRA

Overview

Malawi's Data Protection Act 2024 is the country's first comprehensive data protection legislation. Enacted in February 2024 and effective from June 2024, it designates the Malawi Communications Regulatory Authority (MACRA) as the supervisory authority. The law establishes fundamental data protection principles aligned with international standards, including a 72-hour breach notification requirement and mandatory DPO appointment for large-scale processing operations.

What This Means for Your Website

If your website collects personal data from Malawian visitors, consent is required as the primary legal basis for processing. Significant data controllers must register with MACRA and appoint a DPO if processing data at large scale. Data subjects have rights to access, rectify, and erase their personal data.

Key Requirements

Penalties include fines of up to MWK 5,000,000 and/or 12 months imprisonment for regulatory offences. The 72-hour breach notification requirement to MACRA aligns with GDPR standards. Organizations must adhere to principles of lawfulness, transparency, fairness, purpose limitation, and data minimization.

How ConsentStack Handles This

ConsentStack detects Malawian visitors and presents a compliant consent banner requiring opt-in before activating non-essential cookies and tracking technologies.

Penalties

MWK 5,000,000 fine and/or 12 months imprisonment for regulatory offences

Maximum Fine: MWK 5,000,000 per violation

Key Requirements

  • Consent required for personal data processing
  • 72-hour breach notification to MACRA
  • Significant data controllers and processors must register with MACRA
  • DPO appointment required for large-scale data processing
  • Principles of lawfulness, transparency, fairness, purpose limitation, and data minimization
  • Data subjects have rights of access, rectification, and erasure

Notable Provisions

  • Malawi's first comprehensive data protection law
  • MACRA designated as supervisory authority
  • 72-hour breach notification aligns with GDPR standards
  • Relatively modest penalty ceiling compared to regional peers

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

When did Malawi's DPA take effect?

The law was enacted in February 2024 and became effective on June 3, 2024.

What are the penalties under Malawi's DPA?

Fines of up to MWK 5,000,000 and/or 12 months imprisonment for regulatory offences.

Does Malawi require data controller registration?

Yes. Significant data controllers and processors must register with MACRA, the supervisory authority.
