There’s no digital ID without data protection: Mauritius privacy chief

Data Protection Commissioner says digital ID systems cannot succeed without privacy safeguards, cybersecurity and strong governance frameworks

Drudeisha Madhub, the Data Protection Commissioner of Mauritius, has emphasized that technologies like digital identity systems cannot operate in a legal vacuum without strong and adaptable data protection safeguards for citizens.

The comments come as governments across Africa accelerate digital identity and digital public infrastructure (DPI) deployments. While much of the focus has been on enrollment, interoperability and service delivery, Madhub argues that privacy, cybersecurity and governance must be treated as foundational components of digital identity infrastructure rather than compliance afterthoughts.

In an interview with Biometric Update during the ID4Africa 2026 AGM in Abidjan, Madhub, who is also President of the Francophone Association of Data Protection Authorities, spoke about her country’s data protection strides as one of the pioneers in Africa, and why African governments must treat data protection as a digital ID imperative.

“The simplest way to make people convinced about the importance of data protection is just to tell them that if you need [digital ID] technology, then you also need data protection. You also need cybersecurity. It’s like two sides of the same coin,” she said.

“You cannot have technology without data protection and cybersecurity. This is because if you operate technology in a legal vacuum and in a non-protection side, then you’re obviously putting the lives of your people at stake. Data represents us, it is us. You’re putting us at stake if you do not have the right data protection safeguards,” underscored Madhub, who has more than 20 years of experience as a data governance expert.

She added that having the laws is not enough: countries need to explore how they can actually embed data protection into the technologies they deploy, such as through privacy by design.

“We can register controllers and processors. We can make them fill in forms. We probably can do some enquiries and fine them. That’s good, it’s a good start. But data protection is much more than this. It’s not only about these obligations. It’s about how systems respond to data protection requirements,” she opined.

According to Madhub, every country has to take data protection considerations seriously when purchasing technologies or creating new software systems, apps, or anything else related to digital identity.

“If at the foundation we have not put these requirements, we will perhaps see that many digital identity vendors and sellers come to market them to us. They’ll tell you they are marketing trust, or the right trust-by-design, or privacy-by-design systems. We cannot operate in such a way,” she cautioned.

Mauritius as a data protection model

Madhub retraced Mauritius’ evolution in data protection, from its first law in 2004, through the partial implementation of that framework in 2009, to the adoption of a new data protection regime in 2017 aligned with international standards.

“In 2026, we are going for the EU adequacy assessment, and we are fully aligning our law with the European Union’s General Data Protection Regulation (EU-GDPR) requirements. This is being done to ensure that Mauritius is treated as a safe and equivalent destination in data protection by the EU. As you know, one of the impactful regulations and international standards is the EU-GDPR,” Madhub stated.

Under the EU-GDPR, biometric data used in digital identity systems is generally treated as special category personal data, requiring enhanced protections and stricter processing conditions.

According to Madhub, Mauritius is also a part of a number of other continental and global efforts that prioritize data governance.

“We have also ratified the Malabo Convention, and we are also a party to the African Continental Free Trade Agreement and all its Protocols. From the regional side, we are also implementing the SADC [Southern African Development Community] requirements. We have also ratified the Convention on Data Protection of the Council of Europe. We were the first African country to have done it,” the official said.

“That type of international standardization of data protection standards in Mauritius through our legal framework is actually going to help us make sure that economic cross-border data flows and economic investment from our foreign counterparts is properly secured, as well as the rights of people locally and in other parts of the world.”

Mauritius launched a mobile digital ID system in 2024. The deployment gives the country practical experience in balancing digital identity innovation with privacy, governance and cross-border data protection requirements.

Benchmarking other African nations

Madhub explained that Mauritius has served as an example for some other African countries which are building data protection mechanisms for their digital public infrastructure.

“We have been benchmarking many African countries such as Rwanda, Uganda, Seychelles, Cote d’Ivoire, and many other countries that I can’t immediately remember. We have worked with them and advised them on the way forward,” the official disclosed.

She said they have developed templates which they are willing to share with any country that is interested.

“I elaborated the Mauritius National Data Strategy. This is a document which could have been done by consultants or some other people, but my government trusted me to do it because I’m in data governance. You want to do data governance and you don’t know how to go about it? You can take the templates, get some training from us, and then go ahead with your data governance effort.”

As more African countries roll out digital identity and DPI programs, Mauritius is positioning itself as a model for how data protection, governance and digital identity can evolve together. That balance, Madhub argues, will ultimately determine whether citizens trust the next generation of digital public infrastructure.
