On December 3, 2021, Zimbabwe joined the list of African countries that can now boast a data protection law.
Never having followed the Zimbabwean scene, it was nice to see. However, the tweet’s contents were of more interest to me.
From the screenshots Mberi shared, several acts such as revenge pornography, child pornography, and taking pictures of people's genitalia without their consent have become illegal.
For a data protection act, these were some intriguing provisions.
A walk down memory lane
Before the current Act, Zimbabwe’s laws have made provisions — albeit in a fragmented manner — for data protection and privacy.
The Access to Information and Protection of Privacy Act dealt more with the collection, protection, and retention of personal information held by public officers. Other laws included the Consumer Protection Act, Census and Statistics Act, and the Interception of Communication Act, among others.
But this new law has been in the works for a while as well. First gazetted in May 2020 as the Cybercrimes and Data Protection Bill, it has since undergone some changes.
Initially, The Cybercrimes and Data Protection Bill was to cover all things incidental to Cybercrime and Data Protection. Essentially a mash-up of two different but related fields.
But a lot of people weren't having that. Transparency International complained that it was a human rights lawsuit waiting to happen — especially regarding government spying and stifling freedom of speech. Other persons decried the bill as well.
In July 2020, Joint Parliamentary Portfolio Committees released a report asking that both fields be separated and an independent body be set up, among other recommendations.
And it appears Parliament may have listened, somewhat.
The current state of affairs
The Data Protection Act, as it is known now, is styled after the Southern Africa Development Community (SADC) model law on data protection.
It provides for most of what you'd expect from a data protection law; things like data rights of the data subject, what personal information is, and what sensitive information is, among others.
It provides extensively for consent — very important — and it introduces the vital issue of representation of infants and persons that are mentally, legally, or physically incapacitated by their parents and guardians.
It also explains other important provisions and duties of the data controller and processor, which we have touched on in previous articles.
The Act also establishes a Data Protection Authority (DPA), but this is where it gets a bit tricky. The DPA appointed in this case is an existing authority called the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ).
POTRAZ is Zimbabwe's telecommunications sector regulator, already saddled with responsibilities in that regard. Adding this to that is an interesting move, especially considering all of the duties assigned to them under this new law.
"I think they are going to be saddled with too much administrative authority. Because imagine having to handle all these breaches that will come within 48 hours. I don't know yet how adequately prepared they are for this.
"I tried to put together the duties of the DPA, and I don't know — resource-wise — whether they'd be able to achieve all of that," Nellie Tiyago, a Zimbabwean lawyer, tells me.
But there's also the fact that POTRAZ already has some experience on the data collection and protection front.
"It should have been because POTRAZ was already collecting data. Because that's where our telecoms as well fall under in terms of picking up sensitive information. We've got the Interception of Communication Act, and I think POTRAZ was in charge of that. The rationale could have been that they already have a lot of data. And it might be easier than starting afresh."
Following the recommendation of the Parliamentary Joint Committee, the new act was renamed the Data Protection Act instead of the Cybercrimes and Data Protection Act.
However, after comparing the previous bill and the current Act, I found that it was merely rearranged to have all the parts touching on data protection at the beginning and the chapters touching on cybersecurity at the end.
I worried that this could also create a duplication of laws and expressed this to Tiyago. But she had a differing opinion.
"Data and cyber go hand-in-hand. There needed to be something that speaks to the issue of cybersecurity from a data perspective, which is what has been done. And I'm sure [that] when we get the Cybersecurity law we will be able to see whether there's a duplication. I don't think that this causes any confusion. It's necessary."
Interestingly, the Act does not mention notifying a data subject where there is a breach of their data. So, say Peter, a Zimbabwean who uses a fintech app for sending money, has his data stolen by someone who hacked into the company's servers, it appears he might never find out that his data has been stolen.
The European Union's General Data Protection Regulation — the first comprehensive data protection law — provides for this. For some reason, Nigeria's National Data Protection Regulation has no such provision.
There are also issues of cross-border transfer of information between countries within and outside the SADC.
For instance, say you are conducting a cross-border transfer of funds, your data is flying over several countries, and the platform you are using has to ensure that the receiving platform has adequate resources in place to protect your data. If it doesn't, then your data should not be transferred.
Tiyango is interested in how this would play out, especially in scenarios where data is transferred to a non-SADC country.
The tech ecosystem and data protection
According to Tiyago, "The Act aims to create a technology-driven business environment, encourage technological development, and the lawful use of technology."
From what she tells me, companies like electronic communications networks or access providers, data collection and analytics techs, fintechs, mobile service providers, payment platforms, Internet service providers, satellite television service providers, and health services, including laboratories and testing techs, would have to comply.
The Zimbabwean Act is fresh out of the oven and needs time to cool before we can fully dissect all of the possible scenarios that could occur here.
Will POTRAZ be able to handle all of its duties? Will there be a marked difference between the Data Protection Act and a possible Cybercrimes bill? Most of all, how would all of this affect the data rights of Zimbabweans?
This is a developing story, and we'll be bringing more on this as we get more information.