LOCAL legal think tank, Veritas, says the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations are unconstitutional and infringe upon various fundamental rights.

Information Communication Technology minister Tatenda Mavetera last month published the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (SI 155 of 2024).

The regulations brew a storm this month when Maretera was reported to have said that churches which collect personal data about their members would have to be licensed under the regulations while WhatsApp group administrators would also need to be licensed.

Mavetera, however, backtracked on the licensing.

In its latest Bill Watch, Veritas said the regulations were unconstitutional and unreasonable.

“In other words, the minister must make regulations that are reasonable.  These regulations, which require the licensing of anyone who processes even the smallest amount of personal data, are surely unreasonable, the Legislature cannot have envisaged the minister using his or her powers to make such regulations.  For that reason the regulations are ultra vires the Act.

Keep Reading

“A further ground for regarding the regulations ultra vires is that they create criminal offences for which swingeing penalties can be imposed — up to seven years imprisonment. 

“There is nothing in the Act that empowers the minister to create offences and penalties and such a power needs to be given expressly; it is not to be simply presumed.”

Veritas said everyone was entitled to seek, receive and communicate ideas and information. 

“If you have to be licensed in order to collect the names and addresses of people to whom you send ideas and information — even if it is only one name and address — then your freedom of expression is severely limited,” the legal think tank said.

Veritas said the licensing requirement imposed by the regulations went far beyond what was legitimately needed to prevent misuse of personal data.

“Apart from being ultra vires and unconstitutional, the regulations are badly put together.  One small example:  Data controllers are given six months in which to take out licences under section 4 but must obtain licences immediately under section 3 and are given three months to appoint data protection officers.  There is no rational explanation for the different deadlines.

“The reason for these and all the other defects are probably that the lawyers who drafted the regulations did not understand the technical experts whose ideas were supposed to be incorporated into them. 

“There was mutual incomprehension, as we suggested at the beginning of this bulletin.  Even the minister, it seems, does not understand the regulations — and she made them.”