Mauritius

When drafting an international agreement, the focus is often on financial clauses or liability exemption and less attention and strategy is given to jurisdiction clause. Nevertheless, this point should not be neglected. Consequences of jurisdiction clause are important when a dispute arises between the parties above all, when one of the parties is affected by an asymmetric jurisdiction clause. What does asymmetric clause mean? “Asymmetric” mean that one of the parties has different options and can seize the judge more adapted to its situation when the jurisdiction clause offers no such choice to the other parties. Under Mauritius Law, the validity of such asymmetric clause could be disputed for different reason: 1/ Under Article 1174 of the Mauritius Civil Code « All obligations are null and void when they have been contracted under a potestative condition on the part of the party obliged “ [1] . A potestative condition is defines by the same Code as “one which makes performance of the agreement dependent on an event which it is in the power of one or other of the contracting parties to bring about or prevent.” Then, a jurisdiction clause which offers different option of jurisdiction which can be unilaterally denied by only one of the party could be analyzed as a potestive clause. 2/ Under Mauritius law, the principles of the international private law is issued from the French international private law (Austin v/s Bailey 1962 MR 11) and then, the French jurisprudence which analyses an asymmetric clause as a potestive clause and sanctions its validity may apply. This case dated September 26 ,2012[2] concerned an asymmetric clause contained in a contract between an individual and a bank. The French solution is not based on article 1174[3] of the civil code, which is similar in Mauritius but on the general principle of nullity of the potestative clause at the light of principles of predictability and legal security arising from European texts unapplicable in Mauritius. However after 2012, the validity of an asymmetric clause is not always sanctioned by the French Hight Court. In a case dated 11 may 2017[4], the judge of the commercial court of the Cour de Cassation had a very liberal point of view and held that the clause included in a commercial agreement between two companies which gives the power to a sole party to choice other jurisdictions is valid whatever the fact that it bonds only one party. In Mauritius, the concept of a clause potestative has been invoked before the judge[5] but no jurisprudence exists yet relative to asymmetric jurisdiction clause. Then, as it is not impossible that the Mauritian judge may decide under the circumstances the nullity of such clause, even more if the clause binds individuals. [1] Article 1170 of the Mauritius Civil Code provides that « la condition potestative est celle qui fait dépendre l’exécution de la convention, d’un événement qu’il est au pouvoir de l’une ou de l’autre des parties contractantes de faire arriver ou d’empêcher » and Article 1174 of the Mauritius Civil Code provides that « Toute obligation est nulle lorsqu’elle a été contractée sous une condition potestative de la part de celui qui s’oblige. » [2] Cass, Civ. 1 September 26, 2012 Rothschild No.11-26022 [3] in France, article 1174 of the Mauritian Civil code is now article 1304-2 of the French Civil Code [4] Cass, com. May 11, 2017 No.15-18758 [5] Ex : Cie Sucrière de Mont Choisy Ltée v Government of Mauritius [1996 SCJ 263] ; Cie Sucrière de Mont Choisy v Honourable Minister of Housing [2000 SCJ 044]

VEIL OF INCORPORATION Under Mauritius law, a company duly incorporated is a separate legal entity distinct from its shareholders, its employees and its individual directors[1]. Then, a director cannot be confounded with the company he manages and the company creates a veil between third parties and its directors and officers.[2] The Mauritian Law[3] provides for the duty of directors to act in good faith and in best interests of company. However, the duties of directors shall be owed to the company and not to the shareholders, debenture holders or creditors of the company. Nevertheless, a shareholder may sue a director to enforce obligations owed to the company in a derivative action [4].  EXCEPTIONAL CIRCUMSTANCES WHERE DIRECTOR’S LIABILITY IS ENGAGED However, there are exceptional circumstances where the corporate veil of a company can be pierced and the personal liability of a director engaged, e.g. where the company is a mere façade concealing the true facts and the faute is committed outside the director’s normal functions[5]. Directors may also need to take the interests of creditors, rather than just shareholders, into account, in situations closer to insolvency the company. As per Mauritius Law[6] a director of a company who believes that the company is unable to pay its debts as they fall due shall forthwith call a meeting of the Board to consider whether the Board should appoint a liquidator or an administrator, or to carry on the business of the company. Where, a director fails to comply with the above requirement, at the time of that failure the company was unable to pay its debts as they fell due; and the company is subsequently placed in liquidation, the Court may, on the application of the liquidator or of a creditor of the company, make an order that the director shall be liable for the whole or any part of any loss suffered by creditors of the company as a result of the company continuing to trade. If a director did not take every step to minimize losses when insolvent liquidation was predictable and has actually occurred, he/she engages his/her personal liability towards creditors of the company[7]. [1] Mauritius Broadcasting Corporation v Ashrafi Financial World Company Limited & 2 ors [2011 SCJ 155] [2] Rory Kenneth Dunoon Kirk v. The Bay (Holding) Limited & Ors [2013 SCJ 108] [3] Section 143 of the Companies Act 2001 (the “Act”) [4] Borneo Investment Group Inc, Egon Mauss v. Borneo Investment Group Inc [2012 SCJ 448] [5] Mauritius Commercial Bank Ltd vs Robert Lesage & Ors [2010 SCJ 222], Maudar & Ors vs Moirt & Ors [2011 SCJ 387], Rory Kenneth Dunoon Kirk v. The Bay (Holding) Limited & Ors [2013 SCJ 108] [6] Section 162 of the Companies Act 2001 [7] Same ref. above [2011 SCJ 1555]

Mauritius is the first country in the southern hemisphere to have recently revamped its data protection legal regime by repealing the previous Data Protection Act 2004 ("DPA 2004") and adopting a new law, namely the Data Protection Act 2017 ("DPA 2017") following the adoption of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") in the European Union.  The DPA 2004 was largely based on the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and free movement of such data, and was supplemented by the Data Protection Regulations 2009. The DPA 2017 came into force on 15 January 2018. It aims at strengthening the control and personal autonomy of individuals over their personal data in line with current relevant international standards, namely the GDPR. The reform brought to the legal regime of data protection in Mauritius was also made in an effort to simplify an area of law that is sometimes seen by the market as overly cumbersome and complex, the more so given the increasing cross-border nature of activities conducted in or through Mauritius. In an attempt to protect data subjects, the Mauritian legislator has conferred additional rights on data subjects, and has imposed additional obligations on data controllers. For instance, under the DPA 2017, data subjects now have the right to request a copy of their personal data which is being processed by any data controller free of charge and in an intelligible form. Under the DPA 2004, it was somewhat unclear whether personal data could be transferred to another country not ensuring an adequate level of protection of the personal data even if the data subject has consented to such transfer – a point which has been the subject of frequent discussions with the Data Protection Office in Mauritius (“DPO”). There is now an obligation on data controllers to provide the Data Protection Commissioner evidence that the country to which personal data is being transferred, has adequate safeguards to protect the personal data which is being transferred. Moreover, the DPA 2017 also extends the right of data subjects to request data controllers who have made the personal data of the data subjects public, to take reasonable steps to inform any third party processing the personal data to erase such data. Another novelty in the DPA 2017 is that it is now incumbent upon a data controller to report any breach of personal data to the Data Protection Commissioner without undue delay and where feasible, not later than 72 hours after having become aware of such breach. Another major change brought under the DPA 2017 is that prior to processing the personal data of a child below the age of 16, it is requisite to obtain the consent of the child’s parent or guardian. The effort made by the Mauritian legislator to align the DPA 2017 with the GDPR is laudable. However, the hefty administrative penalties under the GDPR have not been reflected in the DPA 2017. A data controller in breach of the GDPR may be fined an amount equivalent to 4% of its worldwide annual revenue or EUR 20 million whichever is higher. The DPA 2017 provides for criminal sanctions instead of civil sanctions. The maximum penalty under the DPA 2017 has remained unchanged to what was provided under the DPA 2004, which is a maximum of MUR 200,000 (approximately EUR 5,000) and a term of imprisonment not exceeding 5 years. It is still too early to gauge whether the reform brought to the data protection law in Mauritius would act as a sufficient safeguard against potential violations of privacy and personal data of individuals. The DPA 2017 is still being implemented and detailed regulations to supplement the DPA 2017 have not yet been published. The DPO has yet to issue guidelines to facilitate the interpretation, comprehension and practical application of certain provisions of the DPA 2017. Mauritian companies must not only ensure that they comply with the DPA 2017 but in addition, in some cases, they must determine if their activities trigger the GDPR. Finally, whether it is criminal or civil sanction, the processing of personal data carries with it a reputational risk which data controllers and processors must consider seriously with the assistance of data protection professionals.