The Maldives is moving towards a formal legal regime for digital privacy, as the government seeks to define how personal data can be collected, processed, transferred and used by public and private entities.
The Data Protection Bill was submitted to Parliament on behalf of the government by West Henveyru MP Ali Ibrahim. The bill proposes a structured framework for the protection of personal information, setting out the rights of individuals as well as the obligations of organisations that handle such data.
If passed, the legislation would create legal standards for how personal data is managed, including the responsibilities of data controllers and processors. It also outlines the rights of data subjects and the procedures through which individuals may exercise those rights.
The proposed law also addresses cross-border data transfers, including the sharing of personal information with foreign countries and international organisations. This is likely to become increasingly relevant as more government services, financial systems and business operations move into digital platforms.
The bill includes provisions on how entities must respond to data breaches, requiring procedural action in the event of a security incident involving personal information. It also sets out record-keeping obligations for data controllers and processors, creating a clearer compliance structure for institutions handling sensitive information.
A Privacy Commissioner would be designated under the proposed law to oversee enforcement. According to the bill, the Information Commissioner appointed under the Right to Information Act would initially assume the responsibilities of the Privacy Commissioner.
The bill further identifies circumstances in which data controllers and processors would be required to appoint data protection officers. This would place added compliance responsibilities on institutions whose operations involve significant handling of personal data.
The proposal comes as the Maldives continues to expand digital public services and private sector technology platforms. A dedicated data protection law would mark a significant step in establishing clearer privacy safeguards, while also creating new regulatory duties for businesses, state agencies and other organisations that rely on personal information.
