Following the gazetting of the Cybersecurity and Data Protection Bill, MISA Zimbabwe convened a capacity-building workshop on the proposed law in Harare on 16 June 2020 with parliamentarians during which it highlighted its concerns with some of its provisions.
The parliamentarians were drawn from the Portfolio Committees on ICT, Postal and Courier Services, and that of Information, Media and Broadcasting Services.
The workshop was aimed at enlightening parliamentarians on the Bill’s contentious provisions and their potential to limit the enjoyment of fundamental rights such as the right to free expression, access to information, media freedom and privacy.
Discussions also focused on international standards and best practice pertaining to cybersecurity and data protection laws and how these are implemented and enforced for purposes of safeguarding fundamental rights.
It was highlighted that best practice was to separate cybersecurity and data protection as standalone laws respectively.
MISA Zimbabwe National Director Tabani Moyo urged the parliamentarians to close ranks from the narrow party-political interests towards the making of modern laws that are responsive to the interests of the peoples of Zimbabwe.
He said when parliament is done with the Bill, the final product should promote and protect digital rights. Moyo said Parliament should not allow for the merging of three entities: Cybersecurity Centre, Data Protection Authority and Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) as it will compromise the citizens’ right to privacy as espoused under Section 57 of the Constitution of Zimbabwe.
He also paid tribute to the Parliament of Zimbabwe, specifically the Portfolio Committee on Media Information and Broadcasting Services for the priceless role it played in fine-tuning the Freedom of Information Bill (FoI), which now awaits signing into law by the President.
“I call upon esteemed members of Parliament to summon the same spirit that guided you in engagements on the Freedom of Information Bill, towards defending the right to privacy, which is under threat…” said Moyo.
Acting Chairperson of the Portfolio Committee on ICT, Postal and Courier Services, Honourable Ability Gandawa, in his opening remarks, noted that modern data protection laws with robust safeguards were central to securing the public’s trust and confidence in the use of personal information within the digital economy, delivery of public services and the fight against crimes.
The following recommendations were thus agreed upon as an action plan for further engagements relating to the Bill:
- The Committees will assess the possibility of separating the two components of cybersecurity and data protection into two separate pieces of legislation as has been done in other jurisdictions such as South Africa and Kenya. This is meant to cater to the extent to which the law will amend other existing laws, also taking into account the practical challenges of implementing laws that have public and private application.
- Through technical support from MISA Zimbabwe, the Committees will also consider how the Bill can be strengthened through adopting acceptable and clear definitions on some of the terms such as ‘consent’, ‘code of conduct’ and ‘personal and private information’, among others. The Bill should also define non-defined and ambiguous terms like ‘national interest’, ‘public interest’, ‘pseudonymisation’ and ‘anonymisation’, among others.
- It was also recommended that the law should consider removing the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ), as the Data Protection Authority and the Cyber Security Centre. This should be done to avoid creating a super-administrative authority with unfettered powers and access to data while also reporting to the Executive.
- There is a need for harmonisation of the Bill with other existing legislation as the data aspect does not only relate to online data but also offline data. It was also noted that the Bill had the potential of duplicating certain offences, for instance, on the communication of false information, among other aspects.
- While the Bill allows for the use of remote forensic tools like keystroke logging, it is recommended that the Bill should have measures in place to regulate the use of such far-reaching technology and also provide for judicial oversight in that regard.
- The Bill should also clearly highlight the principles for data protection and privacy which include lawfulness, fairness, data accuracy, accountability and transparency as they constitute the foundation of the Data Protection Authority’s mandate. As it stands, the principles are scattered in the Bill thus making it a complicated read.
- Following its signing into law by the President, the Bill should not immediately come into operation, but instead have transitional provisions to allow for compliance and regulatory reform within an agreed timeframe. Practical implementation of this law will require putting in place organisational and technical measures that cater to its provisions. In South Africa, a period of 12 months was given before the law became operational. The European Union’s General Data Protection Regulations became operational after two years.
- Noting that the Bill criminalises free speech, it was highlighted that in terms of international standards civil remedies are more appropriate and those criminal penalties should be of last resort. In instances where criminal sanctions are inevitable, the penalty should not be so stiff in a manner that promotes self-censorship and infringes on free expression.
- The Bill should be clearly elaborated where it concerns the protection of the rights of data subjects, which include the right to information, the right to erasure or the right to be forgotten and the right to access to information, among others.
Meanwhile, following the workshop with the parliamentarians, MISA Zimbabwe on 17 June 2020, met the Deputy Minister of Information Communication Technology, Postal and Courier Services, Honorable Dingimuzi Phuti, during which it discussed its key concerns relating to the Bill.
MISA Zimbabwe appreciates the opportunity it was granted by the parliamentarians and the deputy minister to engage and discuss the contents of the Bill and hopes due diligence and consideration will be paid to the concerns raised during the engagements.