What is AI regulation in Madagascar?
AI regulation: countries and regions
Madagascar has no dedicated AI law and no adopted national AI strategy. AI is governed indirectly, mainly through Law No. 2014-038 on the protection of personal data and its regulator, the Commission Malagasy de l'Informatique et des Libertes (CMIL), which became operational in 2025. Telecoms and digital infrastructure sit with ARTEC. The African Union Continental AI Strategy provides non-binding regional direction, but Madagascar has not yet enacted AI-specific rules.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
There is no statute in Madagascar that regulates artificial intelligence as such. Anyone deploying AI in the country works within general laws, the most important of which is Law No. 2014-038 on the protection of personal data, promulgated on 9 January 2015. That law was modelled on the European data protection tradition and sets out principles, data subject rights and an independent authority, the Commission Malagasy de l'Informatique et des Libertes (CMIL).
For years the law existed on paper but the regulator did not function. That changed recently: the CMIL was given effect by Decree No. 2023-1541 of December 2023, its members were sworn in before the Supreme Court on 4 August 2025, and it has since described itself as operational. This matters for AI because most AI systems process personal data, and the data protection law is currently the main enforceable constraint on how they do so.
Beyond data protection, Madagascar's AI footprint is mostly policy and economics rather than law: a national Digital Strategic Plan (Plan Strategique du Numerique 2023-2028), a feasibility study for a regional applied AI institute, and the use of AI tools inside the customs administration. The African Union Continental AI Strategy, adopted in July 2024, sets the regional direction that Madagascar is expected, but not required, to follow.
Why it matters
For organisations, the absence of an AI-specific statute does not mean an absence of rules. If your AI system processes personal data of people in Madagascar, Law No. 2014-038 applies, and after years of dormancy it now has a functioning regulator that can investigate, order processing to stop, and impose financial penalties. The practical risk has shifted from theoretical to real.
Three features carry the most weight for AI users. First, the law restricts decisions about people taken solely on the basis of automated profiling, which speaks directly to algorithmic decision-making. Second, sensitive data, including biometric and health data, is in principle prohibited from processing except under tight conditions, which constrains many computer vision and health AI applications. Third, cross-border transfers, the backbone of cloud and foreign model providers, are only permitted to countries offering similar protection or under safeguards approved by the regulator.
Madagascar is also a significant location for AI data annotation work, where foreign firms send training data to be labelled. Academic research by Le Ludec, Cornet and Casilli, published in Big Data and Society in 2023 under the title "The problem with annotation. Human labour and outsourcing between France and Madagascar", documents how French AI start-ups delegate dataset annotation to Malagasy contractors; the researchers interviewed founders and employees across 22 Parisian firms and found that most of the data work was outsourced to Madagascar. That makes the country a node in global AI supply chains, and raises labour and data governance questions that the current legal framework was not specifically designed to answer.
How it works
No dedicated AI statute
As of mid-2026 Madagascar has neither an AI law nor a formally adopted national AI strategy. International surveys of African national AI strategies do not list Madagascar among the countries that have published one. The governing instruments are therefore general laws, applied to AI by analogy, rather than purpose-built AI rules. This is the honest baseline: the country regulates the data that AI uses, not AI itself.
The data protection law: Law No. 2014-038
Law No. 2014-038 was adopted by the National Assembly on 16 December 2014, promulgated on 9 January 2015 and published in the Official Gazette (Journal Officiel) No. 3630 of 20 July 2015. It applies to automated and non-automated processing of personal data carried out wholly or partly on Malagasy territory, and reaches controllers established in Madagascar as well as those outside who use processing means located there. It exempts purely personal activity and journalistic, literary or artistic expression.
The law rests on familiar pillars: lawful basis and consent, purpose limitation, data security, defined data subject rights (information, access, rectification, objection), special protection for sensitive data, controls on cross-border transfers and an independent supervisory authority. Article 3 limits administrative and private decisions that are based solely on automated processing intended to profile a person or evaluate aspects of their personality, the provision most relevant to automated decision-making and AI.
Sensitive data, transfers and penalties
Article 18 prohibits, in principle, the processing of sensitive data, defined to include racial origin, biometric data, genetic data, political opinions, religious or other convictions, trade union membership, and data on health or sex life, subject to narrow exceptions such as explicit consent. Cross-border transfers are permitted where the destination country provides a similar level of protection, or otherwise under safeguards such as appropriate contractual clauses approved by the CMIL. The CMIL can issue warnings, order processing to cease or withdraw an authorisation, and impose financial penalties; the law also carries criminal penalties enforced through the courts, with fines and imprisonment for offences such as processing sensitive data unlawfully or obstructing the Commission. Secondary analysis notes a recognised gap: corporate criminal liability is not part of general Malagasy law, which can blunt enforcement against companies.
The regulator: CMIL
The Commission Malagasy de l'Informatique et des Libertes is the independent authority created by the law and given operational effect by Decree No. 2023-1541 of December 2023. Its members were sworn in before the Supreme Court on 4 August 2025, and it has since presented its first report on data confidentiality and protection in Madagascar and described itself as fully operational. Its functions include informing controllers and data subjects of their rights, receiving declarations and authorisations for processing, controlling processing, issuing recommendations and security standards, handling complaints, and pronouncing administrative sanctions. It is accompanying national digitalisation projects, including e-government and the Prodigy digital identity programme, and auditing electoral files.
The telecoms regulator: ARTEC
The Autorite de Regulation des Technologies de Communication (ARTEC) regulates telecommunications and ICT. It is a public industrial and commercial body under the supervision of the ministry responsible for digital development, operating under Law No. 2005-023 and Decree No. 2006-213, and is the successor to the earlier OMERT. ARTEC grants licences, manages the radio frequency spectrum, approves equipment and proposes legislative and regulatory texts to its supervising ministry. It does not regulate AI, but it shapes the connectivity and infrastructure layer on which AI depends, and it has begun coordinating with the CMIL on a modern regulatory framework.
National digital strategy and AI initiatives
The Plan Strategique du Numerique (PSN) 2023-2028, led by the ministry responsible for digital development (MNDPT), is a digital economy plan rather than an AI strategy. As presented by Minister Tahina Razafindramalo in January 2024, the plan aims to raise the digital sector's contribution to GDP from 1.5 percent in 2019 to 6 percent by 2028, and the posts and telecommunications share from 3 percent to 12 percent of GDP. It also flags a deficit of 40,000 specialised technicians, noting that the country's training institutions produce only about 900 graduates per year, judged insufficient. In May 2024 the ministry took a further step on AI: on Friday 31 May 2024, at GITEX Africa in Marrakech, Minister Razafindramalo signed a partnership agreement with Professor Serge Miranda of the University of Cote d'Azur and the Ecole Superieure des Technologies Industrielles Avancees (ESTIA) in France to launch a feasibility study for an International Institute of Applied Artificial Intelligence for the Indian Ocean region. The customs administration, meanwhile, has deployed several AI-driven tools, including automatic image analysis (RESNET), Smart Scanning and an Enhanced Risk Assessment (ERA) system, which contributed to a 68 percent increase in customs revenues in January 2025 compared with January 2024; the IMF subsequently designated Madagascar as a pilot project in Africa for the integration of AI into customs services. These are use cases, not a regulatory framework.
African, SADC and continental context
Madagascar is a member of the African Union and of the Southern African Development Community (SADC). It ratified the AU Convention on Cyber Security and Personal Data Protection (the Malabo Convention) in 2024. The AU Continental AI Strategy, adopted by the AU Executive Council in July 2024, is the key regional reference; it is a guiding framework that does not impose binding obligations on member states, and it leans heavily on data protection and data governance as the foundation for AI regulation. SADC produced a Model Law on Data Protection under the HIPSSA initiative to encourage harmonisation, but it is voluntary and has had limited uptake.
Examples
A foreign software company deploys an AI credit scoring tool used to assess loan applicants in Antananarivo. Because the tool processes personal data on Malagasy territory and produces a decision about individuals, Law No. 2014-038 applies. Article 3 limits decisions based solely on automated profiling, so a human review step and a clear legal basis for the processing are needed, and the use of any sensitive data would face the Article 18 prohibition.
A hospital wants to use an AI diagnostic system hosted on a foreign cloud. Health data is sensitive data under Article 18, so processing is restricted and requires a valid exception such as explicit consent or a legal basis, plus security safeguards. Sending the data abroad triggers the cross-border transfer rules, meaning the provider must rely on a country with similar protection or on safeguards the CMIL can accept.
A data annotation firm in Antananarivo labels images and text to train models for overseas clients. The capital hosts established operators in this sector: TelesourcIA, founded in 2015, is one of the oldest annotation firms and can employ up to 300 people, while Ingedata is another long-running provider. Where the data being labelled contains personal data, such a firm acts as a processor under the law and must apply security and purpose limitations, and any onward transfer back to the foreign client engages the transfer regime. This reflects Madagascar's real position in global AI supply chains as a centre for annotation work.
Common misunderstandings
Madagascar has an AI law. It does not. The country regulates the personal data that AI systems use through Law No. 2014-038, not artificial intelligence as a distinct subject.
The data protection law is dormant, so nothing is enforced. This was true for years, but the CMIL became operational in 2025, has presented its first annual report and can now impose sanctions. The risk is no longer theoretical.
The law does not touch algorithms. Article 3 specifically limits decisions taken solely on the basis of automated profiling, which is directly relevant to algorithmic and AI decision-making.
Foreign companies are outside its scope. The law reaches controllers outside Madagascar who use processing means located on its territory, and it governs cross-border transfers of Malagasy residents' data.
The African Union strategy is binding law. The AU Continental AI Strategy is a guiding framework with no binding obligations on member states; it influences national choices rather than compelling them.
Risks and boundaries
This article describes a framework that governs AI indirectly. There is no AI statute, no AI-specific regulator and no adopted national AI strategy in Madagascar, so anyone expecting a risk-based AI regime of the kind seen elsewhere will not find one here.
What is confirmed: Law No. 2014-038 is in force; the CMIL exists, has been operationalised by Decree No. 2023-1541 and was constituted in August 2025; ARTEC regulates telecoms and ICT; Madagascar ratified the Malabo Convention in 2024; and the AU Continental AI Strategy was adopted in July 2024. What is still developing: the CMIL is young, building its capacity and case load, and the practical depth of enforcement is not yet established. What could change: Madagascar may develop AI-specific policy or align with the AU strategy's first implementation phase, and the data protection law itself predates modern AI and may be revised. Some details circulating in commentary, such as specific enforcement statistics, could not be verified from primary sources and are omitted here. None of this is legal advice; verify current obligations with the CMIL and qualified Malagasy counsel before acting.
What to do next
Treat Law No. 2014-038 as your operative rulebook for AI in Madagascar. Map where your AI systems process personal data on Malagasy territory and identify your lawful basis for each use.
Build a human review step into any AI that makes or materially influences decisions about people, to respect the Article 3 limit on decisions based solely on automated profiling.
Audit your use of sensitive data, especially biometric and health data, against the Article 18 prohibition and its narrow exceptions before deploying computer vision or health AI.
Map your cross-border data flows. If you use foreign cloud or model providers, document your transfer safeguards and be ready to satisfy the CMIL's transfer requirements.
Engage early with the CMIL on declarations, authorisations and complaints, and watch for guidance as it builds out its practice. Track the AU Continental AI Strategy and any national digital plan updates as leading indicators of where Malagasy rules may head.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Madagascar have a law that specifically regulates AI?
No. There is no dedicated AI statute and no adopted national AI strategy. AI is governed indirectly, mainly through Law No. 2014-038 on the protection of personal data.
Which law matters most for AI in Madagascar?
Law No. 2014-038 on the protection of personal data, promulgated on 9 January 2015. Most AI systems process personal data, so this law is the main enforceable constraint.
Who is the data protection regulator?
The Commission Malagasy de l'Informatique et des Libertes (CMIL), an independent authority operationalised by Decree No. 2023-1541, with members sworn in before the Supreme Court on 4 August 2025.
What does the law say about automated decisions?
Article 3 limits administrative and private decisions taken solely on the basis of automated processing intended to profile a person or evaluate aspects of their personality.
What about ARTEC?
ARTEC is the telecoms and ICT regulator. It manages licensing, spectrum and equipment approval and shapes the connectivity layer AI depends on, but it does not regulate AI.
Can personal data be transferred outside Madagascar for AI processing?
Only where the destination provides a similar level of protection, or under safeguards such as approved contractual clauses, consistent with the law's transfer rules.
How does the African Union strategy affect Madagascar?
The AU Continental AI Strategy, adopted in July 2024, is a non-binding guiding framework. Madagascar is expected to align national approaches with it but is not legally compelled to.
Is the data protection law actually enforced?
After years of dormancy, the CMIL is now operational, has presented its first annual report and can issue warnings, order processing to stop and impose penalties.