In September the Minister of Information Communications Technology, Postal and Courier Services published the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (SI 155 of 2024). The regulations did not cause much stir when they were published but a storm blew up earlier this month when the Minister was reported to have said that churches which collect personal data about their members will have to be licensed under the regulations, and even administrators of WhatsApp groups will have to take out licences. The Minister subsequently denied she had said any such thing; instead, she now claims the regulations apply only to people who collect and process personal information for commercial or business use.
In fact, the Minister was correct in her first statement, if indeed she made it: the regulations do require churches, WhatsApp administrators and anyone else who collects personal information electronically to obtain a licence and to appoint a data protection officer.
Data Controller Licences
Rather confusingly there are two sections of the regulations which each require persons to obtain a data controller licence if they “process” electronic data containing personal information – i.e. if they perform any operation on the data such as obtaining the data, holding the data and organising or altering the data. They obtain their licences from a body called the Data Protection Authority which – also confusingly – is actually the Postal and Telecommunications Regulatory Authority of Zimbabwe [POTRAZ].
Section 3 of the regulations says that no one may process personal information for certain purposes unless they are licensed. The relevant part of the section – subsection (2) – reads:
“(2) Subject to section 4, [we shall deal with that section below] any person who processes personal information with the intention to—
(a) decide the means, purpose or outcome of the processing;
(b) decide what personal data should be collected;
(c) decide which individuals to collect personal data from;
(d) obtain a commercial gain or other benefit from the processing of personal data;
shall apply for a licence in terms of these regulations.”
The problem with this provision – or rather, one of the problems – is that it is not clear whether the paragraphs are to be read together, as constituting a single intention or purpose, or separately. If they are read together, a person would need to obtain a licence only if he or she decided all the matters set out in paragraphs (a), (b) and (c) and, in addition, obtained a commercial gain or benefit from the data. If each paragraph is read separately, a person would need to be licensed if he or she decided how the data were to be processed, or if he or she decided what data should be collected, or if he or she made no such decisions but simply obtained a commercial gain or benefit from the processing.
If the paragraphs are to be read together then the Minister is probably right in her revised interpretation of the section, and a person would not need a licence unless he or she processes personal data with the intention of obtaining a “commercial gain or other benefit” – though those words are not very clear. If on the other hand the paragraphs are to be read separately, then the Minister was right first time, and anyone who processes personal data, even for non-commercial purposes, must take out a licence.
Section 4 of the regulations is clearer. Subsection (1) reads:
“(1) Any person whether alone or jointly with others, who determines the purposes and means of the processing of personal data shall apply for a data controller licence.”
Put more simply, anyone who decides why and how electronic data containing personal information is to be processed must get a data controller licence.
Under this section there is no requirement that someone must obtain a benefit from the processing of personal data: if a person decides how and why data are to be processed he or she must take out a licence, whether their purpose is commercial, social or recreational – even perhaps if the purpose is malicious. So churches which collect their members’ data in electronic form must obtain licences, and so must professional bodies such as the Law Society which keep electronic records of their members. Even administrators of WhatsApp groups must be licensed. If they fail to get a licence within six months after the regulations were published (i.e. by the 12th March next year) they will be guilty of an offence under section 4(6) and liable to a fine of US$1 000 or seven years’ imprisonment.
Appointment of Data Protection Officers
Not only must people who process personal data electronically be licensed, they must also appoint data protection officers under section 12(1) of the regulations, which reads:
“(1) A data controller shall appoint a data protection officer and notify the Authority [i.e. POTRAZ] in writing.”
The scope of this provision is clear from the definition of “data controller” in the Cyber and Data Protection Act:
““data controller” or “controller”—
(a) refers to any natural person or legal person who is licensable by the Authority;
(b) includes public bodies and any other person who determines the purpose and means of processing data;”
Licensing and the appointment of data protection officers go hand in hand, it seems: if persons who process data are licensable, they must appoint data protection officers. So churches, professional bodies, WhatsApp administrators and everyone else who processes personal data must appoint someone to be their data protection officer. Failure to do so will render the data controller liable to a fine of US$400 or two years’ imprisonment.
Validity of the Regulations under the Enabling Act
It may be doubted if the Minister or anyone else in her Ministry intended the regulations to have such a wide reach, but whatever her intention may have been the regulations apply to everyone who collects or processes personal data, in however small a way and regardless of their purpose. They must all be licensed and appoint data protection officers.
The Cyber and Data Protection Act almost certainly does not permit such far-reaching regulations to be made. Admittedly the Minister’s regulatory power under the Act is very wide: under section 32 the Minister can make regulations “for all matters which … in his or her opinion are necessary or convenient to be prescribed for carrying out or giving effect to this Act”; but even such a wide power must be interpreted reasonably. In other words, the Minister must make regulations that are reasonable. These regulations, which require the licensing of anyone who processes even the smallest amount of personal data, are surely unreasonable: the Legislature cannot have envisaged the Minister using his or her powers to make such regulations. For that reason the regulations are ultra vires the Act.
A further ground for regarding the regulations as ultra vires is that they create criminal offences for which swingeing penalties can be imposed – up to seven years’ imprisonment. There is nothing in the Act that empowers the Minister to create offences and penalties, and such a power needs to be given expressly: it is not to be simply presumed.
Unconstitutionality of the Regulations
In addition to being ultra vires the regulations are also unconstitutional since they infringe various fundamental rights, namely:
· Freedom of expression, which is guaranteed by section 61 of the Constitution. Everyone is entitled to seek, receive and communicate ideas and information. If you have to be licensed in order to collect the names and addresses of people to whom you send ideas and information – even if it is only one name and address – then your freedom of expression is severely limited. If you have to be licensed in order to administer a WhatsApp group, and appoint a data protection officer as well, then your ability to use social media to communicate ideas and information becomes almost non-existent.
· Freedom of conscience is guaranteed by section 60 of the Constitution. If churches have to be licensed in order to keep electronic lists of their congregants, their freedom to practise and propagate their religion is curtailed.
· Political rights are guaranteed by section 67 of the Constitution. Political parties need to keep lists of their members, and if they keep those lists electronically they will have to be licensed by POTRAZ, a government-controlled organisation. Opposition parties in particular will find this degree of control intimidating.
All these rights can be limited under section 86 of the Constitution, but the limitation must be “fair, reasonable, necessary and justifiable in a democratic society based on openness, justice, human dignity, equality and freedom”; it must not impose greater restrictions on the right than are necessary to achieve its purpose. The licensing requirement imposed by the regulations goes far beyond what is legitimately needed to prevent misuse of personal data; so too does the requirement that everyone who processes personal data, even someone who keeps a list of email addresses for private use, must appoint a data protection officer. The regulations, in other words, are grossly disproportionate and go far beyond anything permitted by the Constitution.
Conclusion
Apart from being ultra vires and unconstitutional, the regulations are badly put together. One small example: data controllers are given six months in which to take out licences under section 4 but must obtain licences immediately under section 3, and are given three months to appoint data protection officers. There is no rational explanation for the different deadlines.
The reason for these and all the other defects is probably that the lawyers who drafted the regulations did not understand the technical experts whose ideas were supposed to be incorporated into them. There was mutual incomprehension, as we suggested at the beginning of this bulletin. Even the Minister, it seems, does not understand the regulations – and she made them.
Protection of private information does not require the draconian measures found in the regulations. They should be repealed without delay and replaced in due course with new ones drafted with due regard to the Constitution after careful discussion between all parties involved.
© Copyright The Zimbabwean. All rights reserved. Provided by SyndiGate Media Inc. (Syndigate.info).