IN today’s digital age, the world is grappling with the delicate balancing act of providing individual privacy and security while harnessing the power of data-driven technologies.
As governments, corporations and individuals navigate this complex terrain, concerns about mass surveillance, data breaches and Artificial Intelligence (AI) powered profiling are on the rise.
Zimbabwe is not immune to these developments.
Notably, ahead of the 2018 and 2023 elections, many mobile phone users received unsolicited text messages from Zanu PF canvassing for votes. It remains unclear how the third party accessed users’ personal data, such as mobile numbers.
Last Friday, the Media Institute of Southern Africa (Misa) launched a timely policy brief in the capital, sounding alarm on the country’s data protection gaps and highlighting the need for robust legislation to safeguard citizens’ privacy and security in the digital age.
“The significance of the launch is that we are bringing out the gaps within our data protection and privacy laws. As we forge ahead with AI, we need to safeguard our legislation and ensure it addresses the major gaps. The data laws should be stringent enough to protect people’s fundamental rights,” said Helen Sithole, Misa’s legal and ICT policy officer.
“To start [with], we focus on data protection, then move on to privacy and surveillance because those are interlinked,” she added.
Innocent Mandongwe, a legal practitioner who helped to prepare the policy brief, highlighted critical areas of concern in the current legislation, including the Cyber and Data Protection Act and the Postal and Telecommunications Act. The primary pieces of legislation regarding surveillance are the Interception of Communications Act and the Postal and Telecommunications Act.
“The most important thing is to decouple cyber and data protection legislation. Currently, we have one piece of legislation covering both data protection and privacy on one hand, and surveillance on the other. We need to separate the two and create two Acts of Parliament to address these issues holistically and comprehensively,” Mandongwe said.
“Once we do that, we will have data protection and privacy legislation that enhances data subject rights, establishes a truly independent National Data Protection Authority, imposes additional obligations on data controllers regarding international data transfers and mandates user-friendly privacy policies,” he added.
Currently, the Postal and Telecommunications Regulatory Authority of Zimbabwe (Potraz) is designated as the national data authority. However, the policy brief highlights that Potraz’s dual role as the cyber security centre and regulator of the postal and telecommunications sector stretches its responsibilities.
Additionally, Potraz is subject to the Minister of ICTs’ policy direction, further testing its independent role.
Mandongwe also noted that having two separate Acts will allow for cyber legislation that adequately addresses how communication surveillance should be conducted, including independent judicial oversight and provisions for the rights of individuals subjected to data surveillance.
The event was attended by researchers, civic society organisations, legal practitioners, Potraz, the media, students and Members of Parliament from the Media and ICTs portfolio committees.
According to Darlington Chigumbu, a member of the parliamentary Portfolio Committee on ICTs and Courier Services, the workshop, “was a very insightful and empowered us as Members of Parliament to understand what the Data Protection Act aims to achieve and identify areas needing improvement to ensure its effectiveness. This will help us to focus our discussions on addressing the gaps.”
“I have also started working on a motion to present in Parliament with other members who attended the workshop to highlight the gaps in the Act so they can be addressed,” he said.
Sithole stressed the importance of maintaining momentum after the launch to ensure that the recommendations made by the participants and the policy brief are implemented.
“It’s all part of our advocacy strategy to push for amendments to these laws. We want to include issues related to AI. But to adequately address AI issues, our data protection laws need to safeguard our data. This will feed into the future AI regulation,” she said.