Cyber and data protection regulations unconstitutional

Lawyers generally don’t know much about technical matters such as information communication technologies (ICT). 

Conversely, tech-savvy computer whiz-kids generally don’t know much law.  So when legislative drafters, who are lawyers, get together with ICT experts to prepare a draft law they meet in mutual incomprehension. 

The result, at its worst, is something like the Cyber and Data Protection Act and the regulations published under that Act.

In September the Information Communications Technology, Postal and Courier Services minister published the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (SI 155 of 2024).

 The regulations did not cause much stir when they were published but a storm blew up earlier this month when the minister was reported to have said that churches which collect personal data about their members will have to be licensed under the regulations, and even administrators of WhatsApp groups will have to take out licences.

 The minister subsequently denied she had said any such thing;  instead, she now claims the regulations apply only to people who collect and process personal information for commercial or business use.

In fact, the minister was correct in her first statement, if indeed she made it:  the regulations do require churches, WhatsApp administrators and anyone else who collects personal information electronically to obtain a licence and to appoint a data protection officer.

Rather confusingly there are two sections of the regulations which each require persons to obtain a data controller licence if they “process” electronic data containing personal information — i.e. if they perform any operation on the data such as obtaining the data, holding the data and organising or altering the data.

 They obtain their licences from a body called the Data Protection Authority which — also confusingly — is actually the Postal and Telecommunications Regulatory Authority of Zimbabwe [Potraz].

In addition to being ultra vires the regulations are also unconstitutional since they infringe various fundamental rights, namely:

  • Freedom of expression, which is guaranteed by section 61 of the constitution. Everyone is entitled to seek, receive and communicate ideas and information. If you have to be licensed in order to collect the names and addresses of people to whom you send ideas and information — even if it is only one name and address — then your freedom of expression is severely limited. If you have to be licensed in order to administer a WhatsApp group, and appoint a data protection officer as well, then your ability to use social media to communicate ideas and information becomes almost non-existent.

  • Freedom of conscience is guaranteed by section 60 of the constitution.  If churches have to be licensed in order to keep electronic lists of their congregants, their freedom to practise and propagate their religion is curtailed.
  • Political rights are guaranteed by section 67 of the constitution. Political parties need to keep lists of their members, and if they keep those lists electronically they will have to be licensed by the Postal and Telecommunications Regulatory Authority of Zimbabwe, a government-controlled organisation. Opposition parties in particular will find this degree of control intimidating.

All these rights can be limited under section 86 of the constitution, but the limitation must be “fair, reasonable, necessary and justifiable in a democratic society based on openness, justice, human dignity, equality and freedom”;  it must not impose greater restrictions on the right than are necessary to achieve its purpose. 

The licensing requirement imposed by the regulations goes far beyond what is legitimately needed to prevent misuse of personal data;  so too does the requirement that everyone who processes personal data, even someone who keeps a list of email addresses for private use, must appoint a data protection officer. 

The regulations, in other words, are grossly disproportionate and go far beyond anything permitted by the Constitution.

Conclusion

Apart from being ultra vires and unconstitutional, the regulations are badly put together. 

One small example:  data controllers are given six months in which to take out licences under section 4 but must obtain licences immediately under section 3, and are given three months to appoint data protection officers.

 There is no rational explanation for the different deadlines.

The reason for these and all the other defects is probably that the lawyers who drafted the regulations did not understand the technical experts whose ideas were supposed to be incorporated into them. 

There was mutual incomprehension, as we suggested at the beginning of this bulletin. 

Even the minister, it seems, does not understand the regulations – and she made them.

Protection of private information does not require the draconian measures found in the regulations. 

They should be repealed without delay and replaced in due course with new ones drafted with due regard to the constitution after careful discussion between all parties involved.
