By Mlondolozi Ndlovu| In a country where democracy is a foundational principle it is comical to wake up and hear that data collectors should pay ‘tax’, which in terms of the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (hereinafter referred to as the regulations) called licence.
These regulations do seem to be quite restrictive and potentially harmful to the free flow of communication in Zimbabwe.
Before we go too far, it is important to understand these regulations and to unpack them.
The main goal of the regulations is to establish a structured and thorough framework for licensing organizations involved in cyber and data protection activities.
It outlines key standards for managing and safeguarding personal data, ensuring adherence to current data protection laws.
The regulations are applicable to all entities in Zimbabwe that process personal data, including but not limited to businesses, government agencies, financial institutions, banks, pension funds and universities.
They address the licensing requirements for data protection service providers and detail the appointments and responsibilities of Data Protection Officers (DPOs).
The implementation of these regulations will greatly affect organizations that manage personal data.
These organisations will therefore need to align their data protection services with the regulations, appoint a DPO, and secure the required licences for operation.
Organizations have a timeline of 6 months to comply with the regulations. During this period, they must take the necessary actions to ensure compliance as failure to do so will attract a punishment.
In a tweet by Hon. Tatenda Mavetera which sparked a frenzy in the digital world of WhatsApp, these regulations also apply to WhatsApp group Admins.
By requiring WhatsApp group admins to obtain a licence and appoint a Data Protection Officer, the government may be overstepping its bounds and infringing on citizens’ freedom of expression and freedom of the media as guaranteed by Section 61 of the Constitution of Zimbabwe.
The Cyber and Data Protection Act [Chapter 12:07] (Hereinafter referred to as the Act) which these regulations fall under, aims to increase cybersecurity and build trust in the use of information and communication technologies.
However it is questionable whether these specific measures will achieve that goal. Instead they may stifle free communication, impose unnecessary burdens by placing undue administrative and financial strain on group admins and it does not provide meaningful safeguards for personal data.
It is essential to consider the potential consequences of these regulations on online communication and data protection practices in Zimbabwe.
The government should ensure that any measures taken to protect data are balanced with the need to preserve citizen’s fundamental rights.
The new regulations imposed by POTRAZ (Postal and Telecommunications Regulatory Authority of Zimbabwe) do raise some eyebrows.
Requiring the said data collectors to obtain a licence and appoint a DPO seems excessive and could be seen as a money making scheme or in a way limit mass communication.
Another potential harm to be caused by these regulations is its poor and ambiguous interpretation clause. The regulations refers a lot to data collectors but it does not specify or define who the data collectors are. It is vague and unclear and is very much open to misinterpretations. Does it include WhatsApp group admins who are already panicking and ready to close their groups?
The law ought to be clear and concise so as to avoid these scenarios. It is not only the interpretation clause that is vague and ambiguous, the regulations have a lot of vague terminologies.
Laws couched in such broad terms that their application cannot be delimited, and where the implementing officers can take different decisions on the same facts with all such decisions being justifiable on one or other reading of the law, should be revisited.
One cannot be blamed for implying that these regulations are there to tax all persons who collect data. Section 3 (2) (d) states that any person who processes personal information with the intention to obtain a commercial gain or other benefit from the processing of personal data shall apply for a license in terms of these regulations.
This is no different from taxation only that it is now hidden as a licence for making benefits. This section is loosely drafted and an overly broad provision which is subject to abuse clearly starting from the Minister’s pronouncement.
It is not even clear how the acquisition of these licenses will safeguard personal data and improve cyber security.
The regulations impose a high degree of punishment for people that do not oblige with the licencing rules as it states in Section 3 (3) that any person who processes personal information in terms of this section without a data controller licence within the stipulated time frames shall be guilt of an offence and liable to a fine not exceeding level 11 or to imprisonment for a period not exceeding seven years or both such fine and such imprisonment.
This kind of punishment is excessive and unwarranted.
The whole procedure of applying provided for in section 4, for a licence is tedious. It involves multiple steps which include application, submission, review, potential requests for additional information and licencing.
The Specific and strict requirements such as use of Form DP1 and payment of scheduled fees prove to be tedious as well as the uncertainty of the approval of the application which may be rejected by the reasons given by the POTRAZ.
It is in a way unfair and unjust for the Authority to reject an application and give reasons later.
The regulations lack and should have provided clear prerequisites and guidelines upfront as to how the applications are made, the steps and orders to follow so that such rejections are avoided.
The regulations also do not provide how long applicants have to wait before their licences are issued out. There is no guarantee how long one will have to wait before they get their licence and continue with their venture which makes them commercial profit.
People may have losses while they wait for their applications to be approved or rejected as the case may be.
However, the regulations cannot be wholly taken in bad faith, In a digital world where cyber security is always a threat, it is important to ensure measures which will protect people’s personal data. The regulations are a part of Zimbabwe’s broader data protection and cybersecurity legal framework.
They harmonize existing laws to create a unified approach to data protection. They aim to enhance data protection practices, ensure compliance with legal standards, and protect personal data in the digital age.
For example, Section 10 (3) of the Regulations states that a data controller shall not subject a data subject to a decision based solely on automated processing which produces legal effects concerning him or her without the consent of that data subject or based on a provision established by the law.
Subsection 4 of Section 10 further states the obligations and duties of a data controller which in essence seek to protect the personal information.
These regulations in as much are supposed to come from a good place; they are adversely vague and restrictive and may do more harm than good.
Mlondolozi Ndlovu is a Zimbabwean media practitioner, researcher and trainer. He is finalising his LAW studies at the University of Zimbabwe