Human rights groups worldwide highlight that the bill in its current form does not meet international standards on protecting privacy and personal data
Dear Speaker of Parliament, Hon Advocate Jacob Mudenda,
The undersigned group of civil society organisations who work to promote and defend freedom of expression and information as a fundamental right worldwide, are writing to express our concern over the gazetted Zimbabwean Cybersecurity and Data Protection Bill.
While the government has taken a bold step in developing a Bill that establishes a regulatory framework for the ICT sector, the merging of cybersecurity and data protection into a single piece of legislation will make it challenging to strike a strategic balance between security concerns and digital rights. In its current form, the proposed Bill has a number of significant shortcomings that do not meet international standards on protecting privacy and personal data, and, therefore, risk undermining the purpose and scope of the law.
One such issue, is the lack of clearly defined circumstances and procedures for the use of forensic tools like key stroke logger, which is being permitted by this legislation and poses a high risk of infringement on the right to privacy. A key stroke logger is an investigative tool or software that permits the user to remotely access data, monitor and record computer activities of another person. Furthermore, the Bill does not provide for judicial oversight or other accountability measures for monitoring and reviewing potential abuses of such intrusive technologies. In addition, we stress that the Bill should place an emphasis on prioritizing less intrusive methods of gathering evidence as a way to avoid the use of excessive investigative methods. This is especially crucial given the lack of specific safeguards to protect whistleblowers, which should also be incorporated to prevent this legislation from being used to target individuals leaking information of public interest.
Whilst the Bill establishes a management framework through the Cybersecurity Centre and Data Protection Authority, the oversight mechanism lacks independence, given that this regulatory role is given to the Postal and Telecommunications Regulatory Authority of Zimbabwe, which would report directly to the Executive. Instead, there is a crucial need for an independent data protection authority that is answerable to parliament, with its appointment processes publicly conducted – as is the case in other jurisdictions and according to best practice. This will serve to minimize the potential for Executive abuse.
Finally, the rights of data subjects should be clearly defined, listed and reinforced. Provisions outlining the handling of individual’s data need to include specific procedures for the timely reporting of security breaches. At the same time, those that allow for the processing of personal data in the name of national security or the public interest must be provided for by law with a clear explanation of what constitutes ‘national security’ and the ‘public interest’. In this regard, other vaguely worded offences related to electronic communications and material have the potential of promoting self-censorship and infringing on free expression, and should be struck down or reconstituted to align with international standards and the Constitution.
The country’s internet regulatory framework and digital security laws must be democratic and serve to protect and enable the enjoyment of citizens’ rights to communication, access to information and free expression in a secure environment, both online and offline. A number of international standards and best practices have been developed and endorsed by governments. African regional standards that can be drawn on to inform Zimbabwe’s proposed bill include, the SADC Model Law on Computer Crime and Cybercrime, SADC Model Law on Data Protection, the African Convention on Cybersecurity and Data Protection, and the African Declaration on Internet Rights and Freedoms.
The equal prioritisation and balancing of cybersecurity with data protection, privacy and interrelated fundamental rights is essential, and it is therefore imperative to ensure that the proposed law is unbundled into two standalone laws, in conformity with both the Constitution and international legal frameworks.