Data & Privacy · Madagascar
Data protection & privacy law in Madagascar (2026)
Madagascar shaded by its data & privacy status
Data protection in Madagascar: comprehensive law, under Law No. 2014-038 of 9 January 2015 on the Protection of Personal Data, supervised by the Commission Malagasy de l'Informatique et des Libertés (CMIL), with Decree No. 2023-1541 of 6 December 2023 setting out CMIL's attributions, organisation and functioning.
Madagascar has an in-force, GDPR-inspired comprehensive personal data protection law (Loi n° 2014-038, promulgated 9 January 2015) covering automated and non-automated processing carried out wholly or partly on Malagasy territory. The independent supervisory authority CMIL was structurally created by Decree 2023-1541 (December 2023); its members were appointed and sworn in before the Supreme Court in 2025, with the Commission declared operational and admitted as the 28th full member of the AFAPDP in November 2025. Enforcement is therefore now beginning, after roughly a decade in which the law existed on paper but lacked an operational regulator.
Key points
Law No. 2014-038 was adopted by the National Assembly on 16 December 2014, promulgated by the President on 9 January 2015 and published in the Official Gazette in mid-2015. It sets principles of lawfulness, purpose limitation, proportionality, data quality, security and confidentiality for processing personal data in Madagascar.
The Commission Malagasy de l'Informatique et des Libertés (CMIL) is the independent administrative authority responsible for enforcement. Its organisation and functioning were defined by Decree No. 2023-1541 of 6 December 2023, and following the swearing-in of its members in 2025 the CMIL has now begun operations, accompanying public-service dematerialisation projects and auditing electoral files.
Processing of personal data must rest on the data subject's prior consent or, alternatively, on compliance with a legal obligation of the controller, performance of a public-interest mission, performance of a contract, protection of a vital interest, or the legitimate interests of the controller balanced against the rights of the data subject.
Data subjects enjoy rights of information, access, rectification, erasure and objection regarding their personal data, and the law prohibits decisions that significantly affect a person from being based solely on automated processing intended to profile or evaluate aspects of their personality.
Transfers of personal data outside Madagascar are conditional on the recipient country ensuring an adequate level of protection; where adequacy is not established, transfers require additional safeguards, the data subject's explicit consent or CMIL authorisation, and onward transfers by the recipient also require the original controller's and CMIL's authorisation.
The law provides for administrative and criminal sanctions for breaches of its obligations, with fines and, for serious violations, prison terms. In November 2025 CMIL became the 28th full member of the Association francophone des autorités de protection des données personnelles (AFAPDP), formally embedding Madagascar in the francophone DPA network.
Timeline - major decisions & events
The Commission Malagasy de l'Informatique et des Libertés (CMIL) published its full procedures manual on 3 December 2025, governing all organs, agents, and enforcement activities of the data-protection authority. This document operationalises complaint handling, audits, and sanctions under Law No. 2014-038.
Unité de Gouvernance Digitale (digital.gov.mg) ↗Madagascar's CMIL was accepted as the 28th full member of the Association francophone des autorités de protection des données personnelles (AFAPDP) in November 2025. Membership integrates CMIL into the global Francophone data-protection network and unlocks peer-support and capacity-building resources.
AFAPDP ↗CMIL commissioners took the oath of office before Madagascar's Supreme Court in August 2025, making the supervisory authority functional more than a decade after the underlying statute was enacted. CMIL announced readiness to enforce Law No. 2014-038 and oversee data flows in telecom, banking, and the national e-identity programme.
PREA (prea.gov.mg) ↗AFAPDP dispatched an expert mission to Antananarivo in February 2025, in cooperation with the Organisation Internationale de la Francophonie (OIF), to deliver recommendations on CMIL's governance, staffing, and enforcement procedures. The mission directly informed the authority's inaugural composition and its August 2025 swearing-in.
AFAPDP ↗Madagascar's Senate and National Assembly adopted Law No. 2024-004 on 21 June 2024, ratifying the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014). The move aligns Madagascar with the continent-wide standard on data protection, e-transactions, and cybercrime, which entered into force globally in June 2023.
African Union ↗Government Decree No. 2023-1541 of 6 December 2023 formally defined the attributions, organisation, and functioning of CMIL — the supervisory body provided for by Law No. 2014-038 since 2015 but never activated. The decree ended a nine-year enforcement vacuum and set the stage for appointing and swearing in commissioners.
Ministère de l'Économie et des Finances (mef.gov.mg) ↗Publication in Madagascar's Official Gazette on 20 July 2015 completed the entry into force of Law No. 2014-038. Despite the law being on the books, no implementing decrees were issued and CMIL was not yet constituted, leaving enforcement unapplied for nearly a decade.
Unité de Gouvernance Digitale (digital.gov.mg) ↗Adopted by the National Assembly on 16 December 2014 and promulgated on 9 January 2015, Law No. 2014-038 became Madagascar's first comprehensive data-protection statute. Modelled on the EU Data Protection Directive 95/46/EC and shaped with AFAPDP guidance, it covers consent, purpose limitation, data-subject rights, and security obligations for all automated processing on Malagasy territory.
AFAPDP / Journal Officiel de Madagascar ↗Madagascar enacted its cybercrime law on 17 July 2014, criminalising unauthorised system access, data interference, and online fraud across 41 articles. As the primary instrument for prosecuting data-theft and digital attacks, it complements the data-protection framework adopted later the same year.
UNODC Cybercrime Law Library ↗In 2014 Madagascar adopted a coordinated set of digital-governance laws — Law No. 2014-024 on Electronic Transactions, Law No. 2014-025 on Electronic Signatures, and Law No. 2014-026 on Dematerialisation of Administrative Procedures. Together with the data-protection and cybercrime statutes enacted the same year, these laws constitute the foundational digital legal framework still in force today.
ICT Policy Africa / Madagascar Government ↗Madagascar's Fourth Republic Constitution, promulgated on 11 December 2010, guarantees the inviolability of the person, the home, and the secrecy of correspondence. These provisions form the constitutional bedrock on which all subsequent data-protection and privacy legislation rests.
Constitute Project / Madagascar Official Constitution ↗Madagascar - other topics
Data & Privacy in other countries
Last verified 6/28/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →