The 28th of January is celebrated globally as a day that raises awareness on and promotes privacy and data protection best practices.
Today marks 40 years since the signing of Convention 108, a binding international instrument which protects individuals against abuses which may accompany the collection and processing of personal data.
The theme for this year is: Own Your Privacy.
Further, Convention 108+ which was signed in 2018, being the modernised convention for the protection of individuals in the processing of personal data, is also in place to protect every individual whatever his or her nationality or residence, thereby contributing to respect for human rights and fundamental freedoms, and in particular the right to privacy.
In Zimbabwe, the right to privacy is a constitutional right, in terms of Section 57 of the Constitution. This right includes the right not to have one’s person, premises or property searched, not to have the right of their communications infringed or their health condition disclosed.
Despite the existence of this constitutional provision, Zimbabwe is, however, yet to fully provide for the practical enjoyment of this right. This has become even more critical considering that we are living in the digital age and personal data is collected and stored by different institutions and individuals in the absence of legal safeguards.
In 2018, Zimbabwe made a commitment to send vast amounts of biometric and personal data to CloudWalk Technology, a Chinese based entity that was providing Zimbabwe with facial recognition technology.
More recently, the Minister of Finance, Mthuli Ncube, highlighted in a post-Cabinet briefing, that government was using a sophisticated algorithm to select beneficiaries of the Covid-19 economic relief fund, which algorithm relied on how much money one had in their bank account or mobile wallet as well as using their phone number for purposes of identifying their location.
Although the Cybersecurity and Data Protection Bill was gazetted in May 2020, the Bill did not have sufficient safeguards for data protection. As it stands, there are therefore no legal mechanisms in Zimbabwe to appropriately regulate the processing, storage or dissemination of all that data.
MISA Zimbabwe position
MISA Zimbabwe urges Parliament, the Ministry of Information Communication Technology, and the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ), and other relevant stakeholders, to ensure that legal and policy interventions are put in place for purposes of data protection and enjoyment of the right to privacy.
The Cybersecurity and Data Protection Bill should be appropriately amended as was highlighted in MISA Zimbabwe submissions to Parliament, and further elaborated in the commentary the organisation published on the Bill.
Such proposed amendments should pave way for an independent and effective Data Protection Authority and the rights of data subjects should be explicitly provided for in the law. This should also include the right to be notified within a reasonable time in the event of a security breach.
Exemptions such as national security and public order, or the public interest, are very wide and vague terms that should not be relied on for the processing of sensitive data or for purposes of cross-border transfers of data.
In addition, there is also an urgent need for the amendment of the Interception of Communications Act, as it continues to infringe on the right to privacy by allowing mass surveillance, and also by authorising the Minister, instead of a judicial officer to issue a warrant for purposes of interception of communication.
Meanwhile, the use of technology under the smart city initiative, though being a noble idea, involves the collection of vast amounts of data, including personally identifying information through traffic cameras, for instance.
This necessitates the urgent need for adequate and clear data protection legislation to be put in place.
MISA Zimbabwe, therefore, calls on the government to ensure that mechanisms are in place for the promotion of transparency around the acquisition and use of unspecified surveillance equipment in Zimbabwe.
Before Zimbabwean citizens can start to ‘Own Their Privacy’, there are several drawbacks hindering them from enjoying that right, and the responsibility lies with all stakeholders, policymakers included, to set the optimum environment for exercise and enjoyment of rights.