Commonwealth ministers adopt new model law to strengthen data protection rules

At their biennial meeting in Mauritius last week, ministers unanimously approved the adoption of the model provisions on data protection as a Commonwealth model law. The model provisions replace and update earlier Commonwealth model laws on computer-related crimes and personal information, reflecting advances in technology and cross-border data flows.

The new provisions take a principled approach in line with the latest international agreements on data protection. They include mechanisms to investigate breaches, grounds for cross-border data transfers, rules for privacy compliance, restrictions on the usage of people’s personal data and a clear definition of consent.

While many Commonwealth countries have domestic laws on data protection, with varying levels of scope and enforcement, there is no legally binding regime applicable to all Commonwealth jurisdictions.

Legislators can use the model law as a standard template to draft new data protection legislation or amend existing statutes, with options that can be adapted according to local circumstances. The purpose is to promote legislative harmonisation among the 56 Commonwealth countries to boost data protection, transnational data-driven trade and cross-border security cooperation. 

The process of developing the model provisions began in 2018, with the first meeting of an expert working group nominated by Commonwealth countries. Assisted by data law experts Dr Orla Lynskey and Ms Judith Rauhofer, the working group negotiated the complex text of the provisions through multiple revisions, before finalising the version that was adopted by law ministers in Mauritius last week.

Togo joined the Commonwealth last June.