MISA writes to Parliament: Submissions on the Cybersecurity Bill

MISA Zimbabwe has written to Parliament in response to the august house’s call for submissions on the Cybersecurity and Data Protection Bill which was gazetted on 15 May 2020. The letter outlines issues that need to be addressed in specific sections of the bill and offers recommendations.

Below is the letter submitted to Parliament:

[line]

23 June 2020

CLERK OF PARLIAMENT

Parliament of Zimbabwe
Cnr 3^rd Street & Kwame Nkrumah
P.O Box CY 298, Causeway
HARARE

Dear Sir/Madam,

REF: MISA-ZIMBABWE SUBMISSIONS ON THE CYBERSECURITY AND DATA PROTECTION BILL

MISA-Zimbabwe writes to you in response to your call for submissions on the Cybersecurity and Data Protection Bill. MISA-Zimbabwe commends the executive for this bold step in developing a draft that establishes a regulatory framework for the ICT sector as this serves as address the legal gap that had been created due to the technological advancements and the absence of a legal framework on internet governance.

Be that as it may, taking note that the law is still in the making. The first submission, therefore, is that the bill must be unbundled so that three bills emerge name: Cyber Security; Electronic Transactions and Data Protection Bills respectively as these are wide and complex issues that cannot be attended to in an omnibus bill as being proposed by the executive. Further, MISA-Zimbabwe advocates for the development of a framework that promotes good and democratic internet governance and therefore makes the following submissions:

Section 3: Interpretation

Issues to be addressed

• The definition of code of conduct seems to extend to IT resources, and Internet for the data controller. IT resources is extremely wide as a definition and it might include equipment, networks, hardware, software, technical knowledge, expertise, information and computer systems in the controller’s control or possession. This definition does not address the fact that data processing is manual, electronic or automated
• The current definition of consent is not sufficient. The definition must be expanded in regulations or codes of conduct. Consent must be clear and unequivocal. It shows agreement, acceptance, concurrence or granting of authority to a processor to process data.
• Personal information definition can be expanded to include other identifiable elements which are currently not included in the Bill. The definition of personal information can include objective and subjective elements. The Bill includes traffic data in definition of data. This means that a cellphone number or an Internet Protocol (IP) address, e-mail address, location data constitute personal information. Online identifiers such as IP address, cookie identifiers, or even radio frequency identifications (RFID) tags must be considered as personal information.

Recommendations 

• IT resources and Internet should be removed from the definition of codes of conduct. In the alternative the definition should confine itself to IT processes which means any processes related to the data controller or processor for purposes of gathering or collecting data and processing data.
• At the very minimum the definition of consent must encapsulate the following attributes to constitute lawful consent: freely given in that the person must not be pressured into giving consent or suffer any detriment if they refuse; Specific, in that the person must be asked to consent to individual types of data processing. Informed; the person must be told what they’re consenting to. Unambiguous- language must be clear and simple. Clear affirmative action; the person must expressly consent by doing or saying something.
• The interpretation of personal information can include other subjective and objective elements of personal information as discussed. The definition of personal information on health is expansive. This interpretation must be carried forward for defining sensitive data. Further, the definition of health personal information can be expanded to include the provision of health care services, which reveal information about one’s health status.

Section 5 & 6: Cybersecurity Centre

Issues to be addressed

• The setting up of POTRAZ as the Cybersecurity Centre is problematic. The responsibilities of POTRAZ are already wide under the original enabling Act, the PTA. These added powers will make POTRAZ a super-executive institution, with limited independent oversight. POTRAZ under the PTA reports to the Minister, and no one else. Additional mandate under this proposed Bill will report to the Minister as well.

Recommendations

• A separate institution should be set up as the Cybersecurity Centre. However, if the Bill retains POTRAZ in this role then POTRAZ must report and be accountable to Parliament. Its mandate and enforcement of human rights require independent oversight and not the executive. It is also international practice that there should be Parliamentary oversight on such bodies.

Section 7 & 8: Data Protection Authority (DPA)

Issues to be addressed

• The Bill provides wide-ranging powers to POTRAZ, an institution that already controls significant data, processed and or controlled by mobile network operators (MNOs), internet service providers (ISPs), and mobile money operators. The powers under s 8 are very expansive and what will result is that POTRAZ will be a super-administrative body, and reporting to the executive, through the Minister.
• A quick review of the PTA establishing POTRAZ evidences an executive driven authority. This undermines functional and operational independence.
• Section 4(3) of the PTA is verbatim s 8 (2) of the Bill. Despite this intent, there are several provisions in the PTA that gives the minister powers to interfere; s 25 (1), minister issues policy directions on national interest, which the Board shall take all necessary measures to comply with, s 25 (3); s 26 (1)-(2), the minister may direct Board to reverse, suspend or rescind its decisions or actions, after the minister consultations with President, that Board decision was not in the “national or public interest or the interests of consumers or licensees.” The PTA establishing POTRAZ as the Authority is therefore clearly littered with provisions obliterating functional and operational independence.

Recommendations

• The DPA functions should be resident in a new and independent institution and a statutory commission. The Bill should provide for an independent DPA, accountable to Parliament. The appointment processes must be publicly conducted to instil confidence and legitimacy.
• It is possible that arguments on the availability of resources for such an initiative might be raised. However additional institutions are being created such as the Public Protector under Constitution Amendment Bill number 2 whose functions can easily include data protection and handling of complaints from the public. The Authority will be providing advice on constitutional matters, which also relate to the right to privacy and access to information.
• In its current composition, POTRAZ is not suited for any of these purposes. The POTRAZ Board has diverse but not appropriate skills set for conducting policy advice and oversight on issues such as the right to privacy and access to information. The technical staff working on data protection should also be recruited in open public processes.

Section 9 (1)(a)-(c): Quality of data

Issues to be addressed

• This provision summarizes the data protection principles applicable to a data controller. Unfortunately, to make this short and precise, the Bill leaves out critical aspects or has them scattered in other sections, including Part V, sections 10 and 11, making the Bill a complicated read.

Recommendations

• Part IV should clearly spell out the principles of data protection, and that these are applicable to the data controller, and any other person in their control or authority including data processor. These principles can be further expanded in the Bill as it relates to aspects of processing data for instance, on issues of consent, processing of sensitive data and automated processing of data. These principles can be placed before the functions or designation of the DPA/Authority as they constitute the foundation of DPA/Authority’s function and mandate. The current drafting makes data subject rights afterthoughts and hidden in the Bill’s text

Section 12 (3): Non-sensitive data

Issues to be addressed

• This provision allows for processing of non-sensitive data without the consent of the data subject in certain circumstances which include for purposes of “performing a task carried out in the public interest…” Public interest has attracted a wide definition and application. Absence of a definition of public interest removes clarity and lends itself to broad interpretation, if not abuse. Authorities should not be given this wide latitude to process non-sensitive data without sufficient guard rails.

Recommendations

Section 12 (3) (d) should list the specific issues that constitute or qualify as public interest. For s 12(3)(e), the drafters should provide guidance on interpretation and application to remove any prejudice or harm being suffered by the data subject if there is doubt in balancing interests.

Section 12(4)

Issues to be addressed

• This provision stipulates that conditions indicating satisfaction with subsection (3) may be outlined and this is not a sufficient safeguard.

Recommendations

• The data controller and processor have the onus of proving that their actions are for the protection of personal data and privacy. The conditions must be outlined in the regulations and codes of conduct to avoid abuse and inconsistent interpretation.

Section 13(2): Sensitive information

Issues to be addressed

• Section 13 (2) has several exceptions to consent which presents difficulties. Of note is s 13 (2) (b), (d), and (f) which focus on vital interests of the data subject or another person, national security and data in public domain respectively.
• Vital interests of data subject or another person is considerably a wide framing and can be abused, especially in the absence of guidelines.
• The use of wide exemptions that cover “national security” or “public order” is problematic, hence not recommended. History has shown that such framing lends itself to abuse.
• The Bill suggests that since data is already in the public domain it is subject to processing without the data subjects’ consent. This has grave implications. First, the data subject might have placed it in the public domain for a specific purpose that it had been processed for. The fact that the data is a public record or in the public domain, even with the consent of the data subject does not extend to further processing of any kind.
• Section 13 (2) (a) speaks of specific rights of the controller in the field of “employment law”, this is potentially misleading. A data controller in the employment field or law does not have rights as they relate to the data, they have duties and legal obligations. Rights are for the natural person whose data is being processed.

Recommendations

• To constitute a legitimate and justifiable exemption this provision must be expanded to indicate that the exemption is clearly defined and prescribed by law; they should be legitimate as they advance or respect individual rights and freedoms under the constitution and the Bill and necessary, proportionate in a democratic state. Equally substantial public interest should be considered as such if lawful if the processing is proportionate and there are sufficient safeguards for data protection and privacy.
• The data that is publicly available due to the data subject’s act must be protected from further processing of any other purposes other than the intended purposes it had been collected or made public for. Public availability should not be assumed as consent, neither does this constitute legal grounds for additional processing of the data.
• The processing of data subject’s data to protect the interests of another person should be clearly framed to indicate that “another person” is a natural identifiable person and not juristic persons. This will eliminate or mitigate against abuse. Vital interests of another person should be clearly defined as those that constitute existential needs and interests. If also there is knowledge that the data subject even if the vital interests existed would not have consented to the processing of the data, then such processing should be deemed unlawful.
• The section might be intending to address the legal obligations of the data controller in the employment law, this should be stated as such.

Section 14: Genetic data, biometric sensitive data and health data

Issues to be addressed

• Section 14 (3) has exemptions to consent on processing of genetic, biometric sensitive and health data similar to s 13 above. Section 14 (3) (a) exempts consent in writing if processing is in compliance with national security laws or (d) processing is required by or by virtue of law or any equivalent legislative act for reasons of substantial public interest or (e), processing is necessary to protect vital interests of the data subject, or another person (g) data relates to data made public by the data subject.

Recommendations

• The recommendations proffered with regards to Section 13 shall apply

Sections 15 and 16: Disclosures when and when not collecting data directly from data subject

Issues to be addressed

• Section 15 (e) (i) and section 16 (e) (ii) provides for the data to be disclosed to “recipients or categories of recipients of the data”. It presupposes some level of sharing of personal data with other recipients and categories not stated.
• Further, the provision does not specify if the recipients have safeguards or are cross border recipients.

Recommendations

• These provisions must consider inclusion of a section on sharing of data and if the data will be shared or legitimately disclosed to another recipient.
• The section should provide for the data subject to be informed when personal data are first disclosed to the recipient.

Rights of data subjects

Issues to be addressed

• The Bill provides for various rights for data subjects in different parts of the Bill. This is commendable but not sufficient. Sections with data subject rights include ss9 (1) (b), 15(1) (c), 15 (e) (iii), and 16(1) (d) providing for right to object, right to access and rectify.

Recommendations

The Bill will benefit from listing all the data subject rights separately and then reinforcing them with specific sections on their application. These rights, based on international practices and standards include the following:

• The data subject’s right of access
• The data subject’s right to rectification.
• The right to erasure or the right to be forgotten
• The right to data portability.
• The data subject right not to be subject to a decision based solely on automated processing,
• The right to be notified when there is a breach, or the personal information and data is compromised, or accessed by unauthorized means

Section 19: Security Breach Notification

Issues to be addressed

• The section is short. There is no specification of when notification should be conducted other than that there should be no undue delay. The Bill should be very clear as to what constitutes undue delay or within what period after the discovery of the breach should notification be made.
• The Bill is silent on notification of breach to data subjects

Recommendations

• The Bill must expand on the notification requirements by the data controller to the Authority, including the nature of notification, the time allowed after the breach is discovered to notify the Authority. This cannot be more than 72 hours unless the reasons for further delay are provided. If the drafters are concerned with a voluminous Bill, these clarifications must be included in regulations. Otherwise, as currently framed s19 is insufficient to allow the Authority to exercise oversight on data controllers, and or processors.
• Notification guidelines or regulations should specify;
  a) nature of the personal data breach, number of data subjects affected, categories of data breached;
  b) include contact persons or details for data protection officer;
  c) likely impact of the data breach; and,
  d) measures taken by controller.
• A data subject should be notified of data breach and it shall be in plain and clear language. Lack of notification of data subjects means that they are not able to seek redress or mitigate harm. Even if the information was encrypted or under storage capability that limits exposure, notification to the data subject is right, and not a privilege. South Africa’s POPI Act, s22 provides that notification shall be in writing and communicated through mail, sent by email, or placed in a prominent position on the website of responsible party, or published in the news. Uganda has similar provisions. Notification can only be waived if the identity of such data subject cannot be established or if the notification constitutes a disproportionate effort as defined under the Bill.

Section 20: Obligation of notification to authority

Issues to be addressed

• The section introduces a new term: automated operation in addition to automated processing. The section is convoluted, and easily creates confusion of its intended objective
• Notification for processing of data is also exempted if “there is no apparent risk of infringement of the data subject’s rights and freedoms” or the data controller has appointed a data protection officer. This is the first time a data protection officer is introduced in the Bill, in the middle of notification issue, which is the responsibility of a data controller, and or processor. Even though the DPO under the Bill is charged by the controller “with ensuring, in an independent manner, compliance with the obligations provided for in this Act” there are no detailed provisions of her or his responsibilities other than leaving that for guidelines to expand.

Recommendations

• The Bill should use consistent terms throughout unless if automated operation or set of operations is defined to mean something different from automated processing which the Bill uses on several instances.
• The DPO appointments and functions require development as much as is possible in the Bill, or immediately after enactment but before commencement to allow institutions to comply if they need to appoint DPOs. There is no clarity on when a DPO is required.

Section 22: Authorisation

Issues to be addressed

• The Bill does not outline the criteria to be used to decide to conduct an inspection and assessment of security systems other than it being the opinion that specific risks to privacy rights exists. The fact that s 22 allows the Authority to establish categories of data which requires specific processing based on risks to fundamental rights of data subjects is not sufficient.
• Categories of data do not address the discretion to conduct or not to conduct an assessment and inspection. The significantly wide discretion to the data controller leaves this to a reasonable person test on whether in that person’s opinion risks existed or not.
• Data retention periods are not clearly stipulated in the Bill

Recommendations

• An inspection and assessment should ideally be conducted before processing. The Bill should make specific provisions for data impact assessments/inspections, including requirements of notification to data subject which must be concise, and in clear, simple language. The Bill must provide for guidelines for data processors on what would result in data protection assessments and inspection. The criteria should include possible profiling, large volumes of data, merging of different data gathered by different processes, use of newer technologies or possible data transfer to countries.
• There are other laws which allow retention of data for instance in the telecommunications field in respect of traffic data, or subscriber information. This data is regulated under a different regulation and instrument. The application of the Bill in such matters must be clarified

Section 23: Openness of processing and Section 24: Accountability

Issues to be addressed

• This provision is commendable as it advances openness and transparency of the Authority’s data processing activities. Section 24 provides for accountability of data controller in complying with the principles in the Bill.

Recommendations

• The maintenance of register ideally should be included in the data protection principles and the functions of the Authority. The register should not be left to the last sections of the Bill. The level of openness must be manifest throughout the Bill. All registered data controllers should be kept in a register open for public inspection. Accountability must be listed as one of the duties that data controllers are required to comply with. An accountability principle should be included in the Bill, for the Authority and data controllers.

Section 29: Transfer of data across borders

Issues to be addressed

• Section 29(1) (d) allows for transfers without satisfaction or assurance of adequate level of protection in another place if “necessary or legally required on important public interest grounds”. Again, public interest grounds remain undefined in the Bill, making this susceptible to abuse.
• Section 29(1) (e), allows for transfer without adequate protection if this is necessary in order to protect the vital interests of the data subject. This drafting is also considerably wide on vital interests and the guidelines must outline this.

Recommendations

• Recommendations proffered in relation to Section 3 shall apply.

Section 31: Whistleblowing

Issues to be addressed

• The section is thin on any protections guaranteed to whistleblowers – it actually does not offer any protections. This pales in comparison to efforts in neighbouring South Africa to protect whistleblowers through the Protected Disclosures Act. It is unlikely that Regulations will be comprehensive enough to cover an area that countries such as South Africa, the United Kingdom and the United States of America have dedicated entire Acts to. This lack of actionable legislation to regulate whistleblowing is a cause for concern in a country such as Zimbabwe that is struggling with deep-rooted corruption in both the private and public sectors.

Recommendations

• The recommendation here is that this Section be revised to set out guarantees of protection for whistleblowers as well as other concrete steps in the handling of investigations that result from whistleblower revelations

Section 35: Amendment to the Criminal Law Code

Issues to be addressed

• There is a worrisome inclusion of the term “remote forensic tool” in the definitions. In this Bill, the remote forensic tool is defined as “an investigative tool including, software or hardware, installed on or in relation to a computer system or part of a computer system and used to perform tasks that include keystroke logging or transmission of an IP-address.”
• This is problematic for several reasons; the use of the word “forensic” gives the impression that this is an investigative tool used to investigate events after the commission of an offence. The definition shows that the tool is actually used before the commission of a crime; it is a data collection tool that collects which includes keystroke logs through software or hardware that is remotely installed on a target’s electronic device.
• Keystroke loggers are in actual fact privacy breaching tools that collect all the information inputted into a device such as a computer by recording every key typed in, the sequence the keys are typed in as well as recording every mouse click. When these keystrokes and mouse clicks are matched to websites visited, it becomes easy to collect sensitive information such as login details, passwords, banking information and other forms of sensitive information that is not related to the investigation or crime.

Recommendations

• Neither the Bill nor the Criminal Law Code that it seeks to amend contain any judicial oversight on the use of such far-reaching technologies. There is no procedure at all relating to how this technology may be used and which state security agents may use it. The lack of any boundary setting provisions within which this technology may be used is shocking and reckless.
• Such far-reaching technologies should therefore not be resorted to except in specified circumstances provided for under judicial oversight.

Offences relating to electronic communications and materials

Issues to be addressed

• Section 164 criminalizes the sending of messages that incite violence or damage to property. In the past, this charge has been used to prosecute organizers of peaceful protests and other forms of public disobedience. The same goes for sections 164A and 164B that criminalize the sending of threatening messages and cyber-bullying and harassment respectively. These provisions are necessary but however, the way these Sections are widely worded makes it easy for the State and any of its security agencies to target and persecute individuals in the name of investigating crime in terms of this cyber law.
• The same criticism applies to Section 164C which relates to the transmission of false data messages. This provision is similar to the scandalous provisions found in the outgoing AIPPA as well as the Criminal Law Code which were specifically aimed at silencing the Zimbabwean media and any other dissenting voices that dared criticize the government.

Recommendations

• It is strongly recommended that these Sections relating to electronic communications be thoroughly revised to bring them into line with the constitutional provisions relating to free speech, media freedom as well as case law that criticized and in some instances struck down similarly worded provisions in AIPPA and the Criminal Law Code.

[line]

Annexed to this letter is also a comprehensive commentary on the Cybersecurity and Data Protection Bill that MISA-Zimbabwe produced, together with a Policy brief and a Policy Guide on the same. It is MISA-Zimbabwe’s hope, that based on these submissions and the attached documents, Parliament will be fully informed to exercise its role in the law-making process.

Yours sincerely,

Golden Maunganidze
National Chairperson

Cc. Ministry of ICT, Postal and Courier Service
Cc. Acting Chairperson of the Parliamentary Portfolio Committee on ICT, Postal and Courier Services (Hon. A. Gandawa)
Cc. Speaker of House of Assembly, Hon. J. Mudenda