The Cyber Security and Data Protection Bill gazetted by the Zimbabwean government in May 2020 makes very difficult reading and is all over the place.
Most provisions in the Bill are either ambiguous or undefined.
It is not really clear on the intentions that the law seeks to achieve outside the broader objective to ensure cyber security and protection of personal information.
The “clumsy” nature in which the Bill has been drafted probably explains why some senior government officials have been widely quoted pronouncing that the Bill seeks to regulate social media and clampdown on those that disseminate fake news.
Admittedly, cyber security and data protection online are complex matters and the world is still grappling to find mechanisms that can strike a balance between protecting of citizen rights and ensuring the safe use of computer systems.
The rampant growth of the internet, while it has brought about great opportunities for human development, poses equal threats, sometimes of a huge magnitude such as sophisticated crime and even cyber terrorism.
As such, the regulation of the online space is as equally important as the democratic governance of the offline space.
On this end, the move to have specific cyber legislation in Zimbabwe and in southern Africa in general is indeed welcome and perhaps long overdue.
It doesn’t make sense that the legal framework governing the online space in Zimbabwe still defines a computer in terms of the convectional desktop and laptop machines in an era when we have refrigerators with capacity to store and decode information.
We are in an era in which governments can use sophisticated algorithms to track citizens’ online transactions and ascertain the most vulnerable in the country, as was revealed by Finance minister Mtuli Ncube.
This is an era in which governments can trace the movements of citizens and determine their locations and possibly what they are up to in their private places.
We have seen citizens’ private information, such as one’s mobile number being used for other purposes such as unsolicited adverts, including political ones.
Even more sophisticated is the definition of rape online in an era in which one could hack in a consensual couple having sex online. Would we have the capacity in Zimbabwe to prosecute against such? What degree and level of this non-physical rape, but intrusion and invasion of privacy be classified? There are many broad examples that I could share as food for thought just to demonstrate on how cyber security and data protection go much further than our social media activity on WhatsApp, Facebook or Twitter.
In this submission, I share some resolutions from a meeting convened by the Zimbabwe chapter Media Institute of Southern Africa (Misa) in which the Parliamentary committees on information communication technologies (ICTs) and the information, media and broadcasting services deliberated upon the Cyber Security and Data Protection Bills. These recommendations provide a broad and holistic framework on what needs to be done to improve the Bill in its current form.
The full recommendations read as follows:
We, Members of Parliament who sit in the ICT, postal and courier services and the information, media and broadcasting services committees
Cognizant of our legislative role in advancing citizens rights and good governance in Zimbabwe
Acknowledging advancements in the digital space and compelling need for democratic governance of the internet
Noting the need for digital legislation to strike a balance between protecting individual and national security and enforcing citizens’ rights to privacy enshrined in Section 57 of the Zimbabwean constitution
Aware of the current legislative framework governing the internet including the Interception of Communications Act, the Criminal Law and Codification Reform Act, the Postal and Telecommunications Act among others
Recognizing that internet regulation transcends boarders and as such important to consider international frameworks and laws governing the digital space regionally and internationally
Having deliberated upon the Cyber Security and Data Protection Bill (henceforth referred to as the Bill) and reviewed progressive provisions and assessing the gaps and opportunities
Hereby make the following recommendations:
That the committees will assess mechanisms on how the Bill could separate Cyber Security and Data Protection components into two pieces of legislation
The committees will with technical support from Misa Zimbabwe consider how the Bill can be strengthened through adopting acceptable definitions of non-defined terms within the Bill including, incitement to violence, harmful speech for example.
In debating the bills, it is recommended that the Data Protection Authority and the Cyber Security Centre be distinguished and the law strengthened to ensure accountability and enhanced functions, roles and responsibilities.
There is need for harmonisation of the Bill with other existing legislation governing the online space in Zimbabwe.
On remote forensic tools, it is recommended that the Bill has provisions for judicial oversight in order to balance citizens right to privacy and digital security.
The Bill or adopted law should be strengthened in order to mainstream data protection standards (including erasure of information) and to deal with data obtained offline.
There is need for transitional mechanisms within the Bill based on practical timelines and that take cognisance of evolving technologies.
The Bill should be reviewed such that provisions with criminal penalties for cyber crimes could be revised in favour of civil remedies where necessary criminal penalties are standardised with the model laws.
The Bill should have defined rights of data subject, including right to information, the right to be forgotten among others.
It was recommended that Misa Zimbabwe and other partners should compile Factsheets and alternative frameworks of strengthening the Bill and internet governance policies in Zimbabwe
The crux of these recommendations augment the view that I expressed around making wholesome changes to the Cyber Security and Data Protection Bill, by first breaking these two components into two separate pieces of legislation, further tightening the provisions and clearly defining ambiguous terms that are open to interpretation and potentially used as an instrument to install fear among citizens. It will be equally important to ensure there are levels of accountability and judicial oversight around citizens’ surveillance.
Yes, we urgently need to a legislative framework to govern the cyber space to ensure the security of citizens. But this must not be done at the expense of citizens’ rights, which should be at the centre of any law. The Cyber Security and Data Protection Bill does not pass this test. There is scope, through the Parliamentary process to make wholesale changes. We deserve better.