Opinion on Zimbabwe’s Cyber Security and Data Protection Bill, 2019

Introduction

In May 2020, Zimbabwe gazetted the Cyber Security and Data Protection Bill (H.B. 18, 2019) herein referred to as (the “Bill”). The purpose of the Bill is to provide clarity over cyber security and privacy matters. Specifically, it is aimed at “increasing cyber security in order to build confidence and trust in the secure use of information and communication technologies by data controllers, their representatives and data subjects.”

The proposed law expands on and amends provisions under sections 162-166 of the Criminal Code (Codification and Reform) Act [Chapter 9:23], which were shallow in regards to the protection of cyber-crime. The Bill is also intended to create a technology-driven business environment and encourage technological development and the lawful use of technology, through providing procedures for investigation and collection of evidence of cyber-crime and unauthorized data collection and breaches, and to provide for admissibility of electronic evidence for such offences. The Bill also establishes a Cyber Security Centre a Data Protection Authority and a Whistleblowing Authority to regulate the proposed sectors under the law.

We note that the proposed cyber security and data law is a positive step by Zimbabwe towards developing its information and communication technology structures and harnessing ICT’s to advance the rights of citizens. However, we find that some provisions under the proposed law fail to meet the requisite standards due to their vagueness, unnecessary restrictions and harsh penalties for offences.

Currently, technological advancements are facilitating digital engagements and communication although many countries still struggle to update their laws to address the emerging trends. However, the UN Human Rights Committee, has stated in its General Comment 34 that international guarantees of freedom of expression apply online just as they do offline:
Paragraph 2 protects all forms of expression and the means of their dissemination. They include all forms of audio-visual as well as electronic and internet-based modes of expression.

This Opinion contains members of the Independent High-Level Panel of Legal Experts on Media Freedoms’ analysis, comments and recommendations on the Cyber Security and Data Protection Bill, 2019, hereinafter referred to as the Bill, premised on Zimbabwe’s constitutional standards, international and regional standards and best practices on the guarantee of the right to freedom of expression, access to information, privacy and the media.

Summary of recommendations

1. The interpretation clause should be reviewed and terms clarified and narrowed where necessary.
2. The Cyber Security Centre and the Data Protection Authority should be independent bodies, separate from the Postal and Telecommunications Regulatory Authority.
3. The Bill and/or Regulations should clearly stipulate the manner in which the Authority may waive consent.
4. Clarify the circumstances warranting exception of consent on grounds of national security.
5. Include a provision allowing derogation for processing carried out for journalistic, academic, artistic purposes or literary expression.
6. Clarify what Authority will be in charge of creating a whistleblowing system and ensure independence of that Authority through a clear appointment, and funding process.
7. Clearly state the protection guarantees for whistleblowers including assurance of no civil or criminal sanctions for public interest disclosures.
8. Provide defences for persons charged with an offence under the proposed law.

Read the full analysis here (1MB PDF)

Source: Freedom of Expression Hub (Uganda)