Skip to content
World Watch/Madagascar/Data & Privacy

Data & Privacy · Madagascar

Data protection & privacy law in Madagascar (2026)

Comprehensive lawLaw No. 2014-038 of 9 January 2015 on the Protection of Personal Data, supervised by the Commission Malagasy de l'Informatique et des Libertés (CMIL), with Decree No. 2023-1541 of 6 December 2023 setting out CMIL's attributions, organisation and functioningCountry index 62 · C+

Madagascar shaded by its data & privacy status

Data protection in Madagascar: comprehensive law, under Law No. 2014-038 of 9 January 2015 on the Protection of Personal Data, supervised by the Commission Malagasy de l'Informatique et des Libertés (CMIL), with Decree No. 2023-1541 of 6 December 2023 setting out CMIL's attributions, organisation and functioning.

Madagascar has an in-force, GDPR-inspired comprehensive personal data protection law (Loi n° 2014-038, promulgated 9 January 2015) covering automated and non-automated processing carried out wholly or partly on Malagasy territory. The independent supervisory authority CMIL was structurally created by Decree 2023-1541 (December 2023); its members were appointed and sworn in before the Supreme Court in 2025, with the Commission declared operational and admitted as the 28th full member of the AFAPDP in November 2025. Enforcement is therefore now beginning, after roughly a decade in which the law existed on paper but lacked an operational regulator.

Key points

Primary law

Law No. 2014-038 was adopted by the National Assembly on 16 December 2014, promulgated by the President on 9 January 2015 and published in the Official Gazette in mid-2015. It sets principles of lawfulness, purpose limitation, proportionality, data quality, security and confidentiality for processing personal data in Madagascar.

Supervisory authority (CMIL)

The Commission Malagasy de l'Informatique et des Libertés (CMIL) is the independent administrative authority responsible for enforcement. Its organisation and functioning were defined by Decree No. 2023-1541 of 6 December 2023, and following the swearing-in of its members in 2025 the CMIL has now begun operations, accompanying public-service dematerialisation projects and auditing electoral files.

Legal bases & consent

Processing of personal data must rest on the data subject's prior consent or, alternatively, on compliance with a legal obligation of the controller, performance of a public-interest mission, performance of a contract, protection of a vital interest, or the legitimate interests of the controller balanced against the rights of the data subject.

Data subject rights

Data subjects enjoy rights of information, access, rectification, erasure and objection regarding their personal data, and the law prohibits decisions that significantly affect a person from being based solely on automated processing intended to profile or evaluate aspects of their personality.

Cross-border transfers

Transfers of personal data outside Madagascar are conditional on the recipient country ensuring an adequate level of protection; where adequacy is not established, transfers require additional safeguards, the data subject's explicit consent or CMIL authorisation, and onward transfers by the recipient also require the original controller's and CMIL's authorisation.

Sanctions & international recognition

The law provides for administrative and criminal sanctions for breaches of its obligations, with fines and, for serious violations, prison terms. In November 2025 CMIL became the 28th full member of the Association francophone des autorités de protection des données personnelles (AFAPDP), formally embedding Madagascar in the francophone DPA network.

Timeline - major decisions & events

Dec 3, 2025guidanceofficial
CMIL Publishes Official Procedures Manual

The Commission Malagasy de l'Informatique et des Libertés (CMIL) published its full procedures manual on 3 December 2025, governing all organs, agents, and enforcement activities of the data-protection authority. This document operationalises complaint handling, audits, and sanctions under Law No. 2014-038.

Unité de Gouvernance Digitale (digital.gov.mg)
Nov 1, 2025decisionofficial
CMIL Admitted as 28th Full Member of AFAPDP

Madagascar's CMIL was accepted as the 28th full member of the Association francophone des autorités de protection des données personnelles (AFAPDP) in November 2025. Membership integrates CMIL into the global Francophone data-protection network and unlocks peer-support and capacity-building resources.

AFAPDP
Aug 1, 2025decisionofficial
CMIL Members Sworn In — Data Protection Authority Declared Operational

CMIL commissioners took the oath of office before Madagascar's Supreme Court in August 2025, making the supervisory authority functional more than a decade after the underlying statute was enacted. CMIL announced readiness to enforce Law No. 2014-038 and oversee data flows in telecom, banking, and the national e-identity programme.

PREA (prea.gov.mg)
Feb 1, 2025guidanceofficial
AFAPDP Expert Mission Supports CMIL Operationalisation

AFAPDP dispatched an expert mission to Antananarivo in February 2025, in cooperation with the Organisation Internationale de la Francophonie (OIF), to deliver recommendations on CMIL's governance, staffing, and enforcement procedures. The mission directly informed the authority's inaugural composition and its August 2025 swearing-in.

AFAPDP
Jun 21, 2024lawofficial
Parliament Enacts Law No. 2024-004 Ratifying the AU Malabo Convention

Madagascar's Senate and National Assembly adopted Law No. 2024-004 on 21 June 2024, ratifying the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014). The move aligns Madagascar with the continent-wide standard on data protection, e-transactions, and cybercrime, which entered into force globally in June 2023.

African Union
Dec 6, 2023lawofficial
Decree No. 2023-1541 Establishes CMIL's Structure and Mandate

Government Decree No. 2023-1541 of 6 December 2023 formally defined the attributions, organisation, and functioning of CMIL — the supervisory body provided for by Law No. 2014-038 since 2015 but never activated. The decree ended a nine-year enforcement vacuum and set the stage for appointing and swearing in commissioners.

Ministère de l'Économie et des Finances (mef.gov.mg)
Jul 20, 2015lawofficial
Law No. 2014-038 Enters Into Force via Official Gazette

Publication in Madagascar's Official Gazette on 20 July 2015 completed the entry into force of Law No. 2014-038. Despite the law being on the books, no implementing decrees were issued and CMIL was not yet constituted, leaving enforcement unapplied for nearly a decade.

Unité de Gouvernance Digitale (digital.gov.mg)
Jan 9, 2015lawofficial
President Promulgates Law No. 2014-038 on Protection of Personal Data

Adopted by the National Assembly on 16 December 2014 and promulgated on 9 January 2015, Law No. 2014-038 became Madagascar's first comprehensive data-protection statute. Modelled on the EU Data Protection Directive 95/46/EC and shaped with AFAPDP guidance, it covers consent, purpose limitation, data-subject rights, and security obligations for all automated processing on Malagasy territory.

AFAPDP / Journal Officiel de Madagascar
Jul 17, 2014lawofficial
Law No. 2014-006 on Cybercrime Enacted

Madagascar enacted its cybercrime law on 17 July 2014, criminalising unauthorised system access, data interference, and online fraud across 41 articles. As the primary instrument for prosecuting data-theft and digital attacks, it complements the data-protection framework adopted later the same year.

UNODC Cybercrime Law Library
Jan 1, 2014law
Digital Legal Package Enacted: Electronic Transactions, Signatures, and Dematerialisation

In 2014 Madagascar adopted a coordinated set of digital-governance laws — Law No. 2014-024 on Electronic Transactions, Law No. 2014-025 on Electronic Signatures, and Law No. 2014-026 on Dematerialisation of Administrative Procedures. Together with the data-protection and cybercrime statutes enacted the same year, these laws constitute the foundational digital legal framework still in force today.

ICT Policy Africa / Madagascar Government
Dec 11, 2010lawofficial
2010 Constitution Enshrines Right to Privacy

Madagascar's Fourth Republic Constitution, promulgated on 11 December 2010, guarantees the inviolability of the person, the home, and the secrecy of correspondence. These provisions form the constitutional bedrock on which all subsequent data-protection and privacy legislation rests.

Constitute Project / Madagascar Official Constitution

Madagascar - other topics

Data & Privacy in other countries

Last verified 6/28/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →