The Cyber and Data Protection Act [Chapter 12:07] was gazetted on December 3rd , 2021, and came into force on the same day.
In essence, the data protection law mandates that all businesses operating in Zimbabwe (and outside) adhere to data protection and privacy principles when collecting personal information from their customers or employees.
Therefore, businesses are required to ensure that they implement systems that promote and protect data privacy and process data fairly and securely to keep abreast of new technology.
key provisions
Section 3 of the Act defines data as any representation of facts, concepts, or information, whether in text, audio, video, images, machine-readable code or instructions, in a form suitable for communications, interpretation, or processing in a computer device, computer system, database, electronic communications network, or related devices. It also includes a computer programme and traffic data.
In addition, personal information is defined to include information relating to a data subject, including the person’s name, address, telephone number, race, etc. – basically, information that can make any person identifiable.
Section 4 applies to matters relating to access to information, protection of privacy of information and processing and storage of data wholly or partly by automated means. The law further applies to all entities in Zimbabwe and those not permanently domiciled in Zimbabwe.
Statutory Instrument 155 of 2024
The new regulations require businesses to obtain a data controller licence and appoint a Data Protection Officer within six months of their promulgation on September 13, 2024. Therefore, the deadline for compliance is March 13, 2025.
Any person shall apply to the Data Authority—Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ)—for a data controller’s licence. Such licence shall be valid for 12 months subject to compliance with the Act, regulations, and license conditions. Renewals shall be applied for three months before the expiration of such licence.
Any person who fails or without cause to renew their licence by the date of expiration of the previous licence shall be guilty of an offence and liable to a fine or plus imprisonment.
Strengths
Biometric data is defined in the regulations as referenced but not in the Act. It is a physiological characteristic related to a data subject and includes, but is not limited to, fingerprints, palm veins, and face recognition.
According to Section 3 (1) of the Regulations, only persons licensed with POTRAZ may process biometric data. In addition, any person who processes personal data or obtains a commercial gain or other benefit from the processing of personal data must apply for a licence in terms of these regulations.
Any person who processes personal information without a data controller licence within the stipulated time frames shall be guilty of an offence and liable to a fine or imprisonment for a period not exceeding seven years or to both fine and imprisonment.
Licence categories for data controllers:
These are divided into the following categories:
Tier 1 – processes information of 50 to 1000 data subjects – fee is USD50
Tier 2 – processes information of 1001 to 100 000 data subjects – fee is USD300
Tier 3- processes information of 100 001 to 500 000 data subjects – fee is USD500
Tier 4 – processes information of 500 000 plus – fee is USD 2,500
The Data Protection Officer, training and certification fee, is USD1,250 per person for citizens, which is highly priced in the current economy.
Data controllers processing personal data for personal, family, or household affairs, law enforcement, journalistic, historical, or archival purposes are exempt from applying for a licence.
However, those collecting outside of personal, family, and household affairs must register with the Authority and comply with the principles of the Act.
Weaknesses
MISA Zimbabwe believes that, if calibrated correctly, the privacy-focused elements of the regulations can benefit civil society immensely.
Under Part III, Section 6 of the Postal and Telecommunications Act, Chapter 12:05, the President of Zimbabwe has the authority to appoint the Board which governs POTRAZ. Thus, POTRAZ is not fully “independent of control by government or by political interests” despite the statutory assertion in the Cyber and Data Protection Act, Part II, Section 6(2).
MISA Zimbabwe is concerned that the Licensing and Registration of Data Controllers, under POTRAZ’s regulation, may be subject to political influence, resulting in the delay or denial of a license to an unfavoured media organisation.
The regulations do not specify what due process will be afforded to a data controller whose submission is delayed or ultimately denied. This may temporarily or permanently impede an organisation’s ability to carry out its mission in the public’s interest.
The list of those exempted from applying for licences should have included schools, clinics and other charitable organisations. These organisations often process personal data as part of their core functions, and their primary purpose is not for commercial gain. There is no need to burden these organisations with the requirement for licences. They should only be required to comply with the core principles of data protection as per the Act.
Section 17, which refers to security breach notification, fails to mention when a data controller should notify the subject of such breach.
Section 17 of the regulations rightly emphasises the importance of notifying the relevant authorities about data breaches. However, it is equally crucial to consider the rights of data subjects. Prompt notification to the Authority and data subjects of breaches that pose a high risk to individual rights and freedoms is essential as opposed to the stipulated 72-hour period in the Regulations.
Our view is that this should at least be done within 24 hours.
WhatsApp group administrators
The implications for WhatsApp group administrators may vary depending on the nature of the group and the type of data being shared. Facebook group administrators also collect large amounts of data.
However, it is advisable to be mindful of data protection principles and to exercise caution when sharing or collecting personal information within these groups.
WhatsApp and Facebook group administrators can be considered data controllers.
This categorisation arises from group administrators having control over the group and the data shared within it.
This includes:
- Adding and removing members: This involves processing personal information like phone numbers.
- Managing group settings: This can influence the visibility of members’ information.
- Moderating content: This may involve reviewing and potentially deleting personal information shared within the group.
While this interpretation has raised concerns among many, it highlights the importance of understanding data protection laws and their implications, even in seemingly casual online interactions. Administrators should follow data protection principles, but it will be unprecedented to license them as stated.
Conclusion
MISA Zimbabwe thereby recommends that the Data Authority revise the exemption categories to include schools and other charitable organisations. It also needs to clarify whether the implementation of these regulations will not amount to social media regulation that infringes on the right to privacy and freedom of association.
