Data protection & privacy laws in Madagascar (2026)

Law No. 2014-038 (9 January 2015, published in the Official Gazette 20 July 2015) comprises 9 chapters and 78 articles and applies to any automated or non-automated processing of personal data carried out wholly or partly on Malagasy territory, by public or private entities.

The Commission Malagasy de l'Informatique et des Libertés (CMIL) is the independent administrative authority mandated by the law. It was formally instituted by Decree No. 2023-1541 (6 December 2023); its members were sworn in before the Supreme Court in August 2025, rendering it fully operational. In November 2025 the CMIL was admitted as the 28th full member of the Francophone Association of Personal Data Protection Authorities (AFAPDP).

The law grants individuals rights of access to their personal data, rectification or erasure, right to object to processing, and the right to obtain information about data controllers or processors who have handled their data.

Data controllers must rely on a valid legal basis (including consent) for processing, collect data for specified legitimate purposes only, implement security measures to prevent unauthorized access or destruction, and declare or obtain authorization from the CMIL before initiating processing activities. Breach notification to the CMIL is also required.

Law No. 2014-038 restricts transfers of personal data to third countries to those offering an adequate level of protection, consistent with the general GDPR-influenced model applied by Francophone African data protection laws.

Madagascar's parliament adopted Law No. 2024-004 authorizing ratification of the African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention) on 21 June 2024; Madagascar's Haute Cour Constitutionnelle confirmed its constitutionality on 10 July 2024. Ratification strengthens the CMIL mandate and enables regional data-protection cooperation.