Contentious data law susceptible to abuse by govt for surveillance



ZIMBABWE’S controversial Data Protection Act has raised concern it could become the latest instrument for the state to control or sanction online activities by citizens after a man last month became the first casualty of the new law when he was convicted of cyberbullying.

The law is geared towards regulating the private collection of data, with organisations, companies and even associations like burial societies required to obtain consent from data subjects, who are given the right to rescind such consent.

While this is necessary, media and human rights activists worry that there is no regulation to stop the state from using private data to monitor and snoop on citizens, more importantly members of the opposition and the independent Press, who have often been labelled enemies of the state by the ruling party and government officials.

President Emmerson Mnangagwa’s government has rolled out an ambitious Smart Cities initiative, underpinned by use of artificial intelligence, to boost security in the cities.

It has deployed facial recognition cameras for a mass surveillance system on the streets and at airports and border posts, and is moving slowly towards delivering digitally-networked cities that Mnangagwa said will ensure high-level security systems, a euphemism for sophisticated mass surveillance, which analysts fear will target critics and opposition activists.

Facial recognition cameras use a biometric software application capable of distinctly recognising individuals using data captured from people’s faces. The software can accurately and quickly identify targeted individuals once they come within range of surveillance cameras.

The government signed a strategic agreement with Chinese artificial intelligence firms Cloudwalk Technologies and HikVision in 2018 for cooperation on a mass facial recognition project, under which it has been harvesting data at the country’s airports, state facilities and border points using facial recognition technology with deep learning capacity donated by these companies.

 Cloudwalk inadvertently disclosed that Zimbabwe would give it the harvested data to develop its algorithms for facial recognition cameras tailored for the local black population.

“The key concern with the Data Protection Act is the lack of transparency and accountability mechanisms on the collection of personal data (by the state) which can then be used for any purposes either by authorities, by the security sector, or those who are collecting this information,” Rashweat Mukundu, the International Media Support’s sub-Saharan Africa adviser, said.

 He said the storage and collection of personal data was always a matter of concern in the digital era, as such information has previously been “weaponised and instrumentalised to target rivals, opponents — political opponents of those in power — and business rivals”.

 Zimbabweans, he said, have to be seriously concerned with a data protection law that enables the establishment of a data centre which collects citizens’ information without clarity over what that information is collected or used for.

“There is need for transparency mechanisms and a framework to ensure that private information of individuals is not abused for political or personal agendas,” he said.

In addition, Mukundu says it is also concerning that the infrastructure would be housed under the Postal and Telecommunications Regulatory Authority (Potraz), which is a regulator and now a collector and storer of information, making it a supra-regulatory body that regulates the sector and also collects information and deploys it for whatever purposes.

 Njabulo Ncube, the national coordinator of the Zimbabwe National Editors’ Forum, says the legislation is “a bad law for journalism”.

 “This is a bad piece of legislation as far as the practice of journalism is concerned. It has the likely adverse effect of (allowing government) to snoop into journalists, media and political activists’ phones, which in itself is a threat to freedom of expression, information and freedom of the media,” Ncube said.

A month before promulgation of the law, Information, Publicity and Broadcasting Services minister Monica Mutsvangwa said they had put together a “cyber team that constantly monitored what people send or receive on social media”.

 She said people used to have respect and operated with fear on social media during the late former president Robert Mugabe’s era “but all that is no longer there in the Second Republic”.

The law has now made it unlawful for people to, by means of a computer or information system, make available, transmit, broadcast or distribute data messages to any person, group of persons or to the public with the intention of inciting such persons to commit acts of violence against any person or persons or to cause damage to any property.

 It has also made it an offence for any person to unlawfully and intentionally, by means of a computer or information system, make available, broadcast or distribute data to any other person concerning an identified or identifiable person knowing it to be false with the intention of causing psychological or economic harm.

The new law also makes it an offence to unlawfully and intentionally possess data knowing that such data was acquired unlawfully.

This is a deadly blow to media which thrives on investigations and leaks to report on government corruption and to social media which exposes ruling party and government officials’ abuse of office daily.

Unlawful acquisition of information includes using, examining, capturing, copying, moving to a different location or diverting data to a destination other than its intended location.

This puts media under scrutiny for content published online or posted on social media platforms.

“In short, this is a bad law for freedom of expression, yet it is supposed to be designed to protect citizens,” Ncube said.

He said precedents clearly point to a desire by the government to “use this law to further stifle the rights citizens enjoy” under the constitution.

Several people have been arrested and hauled before the courts for criticising Mnangagwa online, or for speaking critically against government corruption on social media.

In its analysis of the law, the Media Institute of Southern Africa (Misa) said making Potraz a Data Protection Authority was a recipe for disaster.

Although stakeholder submissions and public hearings had clearly and unambiguously spoken against this arrangement for potentially creating a super-administrative authority, it was retained in the new law.

The functions of the Data Protection Authority include establishing conditions for the lawful processing of data, issuing its opinion either of its own accord or at the request of any person with legitimate interest on any matter relating to the application of fundamental principles of the protection of privacy.

There are fears the new law may end up creating a police state, in the process undermining freedom of expression. Hardly two months after the promulgation of the law, Potraz sent a public notice ordering all companies, non-governmental organisations, parastatals and other entities to notify it if they kept information on more than 30 people.

Such institutions were ordered to employ data protection officers. Potraz can call upon these officers to make available to it information related to employment, anti-money laundering, data on subjects and record keeping of data processing activities.

Misa said the Cybersecurity and Monitoring of Interception of Communications Centre, another body established by the Data Protection Authority, would present problems to the democratic space.

This centre is being established through the repeal of provisions in the Interception of Communications Act, which resulted in an overhaul of the monitoring centre, whose functions are now vested in the new body.

 In terms of the Interception of Communications Act, all telecommunications companies had put in place infrastructure linking their mobile centres with the authorities, who connect their own equipment to the system.

The Act had categorically placed upon networks the burden to ensure that their services had “the capability to be intercepted”.

 “What is clearly noted from these provisions, is that the government is operating under a very misled presumption that cyber security equals national security. Cyber security issues concern every person who is an internet user, more so now when the entire globe is living in a digital age,” Misa said in its analysis.

Disturbingly, the Cybersecurity and Monitoring of Interception of Communications Centre is now housed in the Office of the President. Such provisions, said Misa, would “continue to infringe on fundamental rights”.

“Not only is it not advisable for a cyber-security centre to be housed in the Office of the President, but the same body is also now responsible for the issuing of interception of communications warrants. This presents a legal basis for the government, and more so, the executive, to be monitoring and intercepting communications of targeted persons, who are believed reasonably or not to be enemies of the state, especially political opponents,” Misa said.

The Cybersecurity and Monitoring of Interception of Communications Centre will also be the sole facility through which authorised interceptions shall be made, and will advise government and implement government policy on cybercrime and cyber security.

It will also identify areas for intervention to prevent cybercrime and establish and operate a protection-assured whistleblower system that will enable members of the public to report cases of alleged cybercrime to a cyber security committee, which will comprise 11 members appointed by the minister of ICTs from state agencies.

 It will also promote and coordinate activities focused on improving cybersecurity and preventing cybercrime by all interested parties in the public and private sectors.

 The surveillance capabilities of the state machinery are not known, but Zimbabwe has certainly been building a massive surveillance system over the years, although this has been couched in secrecy.

State security agencies use IMSI Catchers, also known as GSM Interceptors, to track citizens’ movements and mobile phone usage.

A senior police officer once disclosed that they had received the latest surveillance equipment from the government, but declined to reveal the nature of the devices.

An alleged leak on social media of Joint Operations Command minutes of a meeting in 2013 suggested that the state machinery had equipment, installed with the support of Potraz and the Zimbabwe National Roads Administration, to counter unfavourable feeds from individuals and institutions.

A United Nations Educational, Scientific and Cultural Organisation (Unesco) report on the state of Press freedom in southern Africa this year named Zimbabwe as one of the seven countries that had bought surveillance software from Circle, an affiliate of the NSO Group known for its Pegasus spyware, used by authoritarian regimes to spy on journalists, opposition members and human rights activists.

“In southern Africa, Botswana, Zambia and Zimbabwe are some of the countries that have been reported to have acquired sophisticated software to surveil their citizens. These governments have so far not been transparent about how they intend to use these technologies in the surveillance of citizens,” the report said.

Mukundu said he feared the new law would be used for political purposes, with collection of information being manipulated to target political opponents, including human rights defenders, especially during election periods.

“The new law will become a new threat to the rights of the citizens of Zimbabwe, more so the right to privacy, the right to freedom of expression because if you know your information is being collected, you are likely to self-censure,” he said.

“Essentially, we are seeing a new legal regime on telecoms, on digital online communications that lacks transparency, that is not pushing for accountability of those that are bearing the responsibilities of our communications and online information that can then be deployed for political purposes.”

The latest conviction under the Data Protection Act involved David Kanduna, an actor on local television dramas, who posted a video on a WhatsApp group and on TikTok of a police officer being jeered by football fans, with one of them hoisting and running around with the officer at a football match in Chinhoyi.

Despite the incident having been a public spectacle, the state charged Kanduna with cyberbullying, arguing that by posting the video of the embarrassed police officer, he intended to “coerce, intimidate, harass, threaten, bully or cause substantial emotional distress, degrade or demean” him.

The Data Protection Act was gazetted in the country on 3 December 2021, making Zimbabwe the 151st country to enact such a law, and the 34th African country to do so, with the intention of increasing data protection in order to build confidence and trust in the secure use of information and communication technologies.

The Data Protection Act had initially been promoted as part of the Cybercrime, Cybersecurity and Data Protection Bill, but was truncated to the current version after public concerns.

The Cybercrime, Cybersecurity and Data Protection Bill had been pushed through Parliament to deal with increasing public agitation against Mnangagwa’s government, which first came into power after a coup in 2017, but then sought election in 2018 which was disputed by his main rival, opposition Citizens’ Coalition for Change leader Nelson Chamisa. It was withdrawn after public criticism, but brought back a few months later as the Data Protection Bill.

The law’s preamble states that it is meant to consolidate cyber-related offences and provide for data protection in line with the Declaration of Rights under the constitution and the public and national interest. It also intends to create a technology-driven business environment and encourage technological development and lawful use of technology.

The Data Protection Act consolidates several pieces of legislation that govern cyber security and data protection. These include the Postal and Telecommunications Act, Official Secrecy Act, Criminal Law (Codification and Reform) Act and the Interception of Communications Act.

The issue of data protection and protection of privacy had been outstanding for a long time and required urgent intervention in the form of law.

 The Data Protection Act criminalises the transmission of messages inciting violence or damage to property. It is illegal to send messages with the intent to incite people to commit acts of violence against any person or persons or to cause damage to any property.

It also criminalises sending messages to another person threatening to harm them, or to harm their family and friends, or threatening to damage their property, as well as cyber-bullying and harassment, transmission of false information that is meant to cause harm and transmission of intimate images without consent.

 For example, one cannot send someone’s nude pictures without that person’s consent. It is also not allowed to take someone’s intimate pictures without them agreeing to it.

Production and dissemination of racist and xenophobic material has also been outlawed, and child pornography and exposing children to pornography are now serious criminal offences.

The law has also made it an offence to send spam messages or unsolicited messages to many people under false pretences. In its analysis, Misa said numerous provisions of the law were of grave concern and a threat to the exercise of fundamental rights such as freedom of expression and media freedom.

“One of the provisions is that which criminalises what is termed as the transmission of data message that incites violence or damage to property. Incitement laws have been there in the statute books for a while now. Several individuals particularly activists and opposition leaders have been charged for allegedly contravening such provisions. However, what amounts to incitement in Zimbabwe is very vague,” Misa said.

The trouble is that the law might be manipulated and abused to curtail and undermine citizens’ freedoms more than it is used for what it is supposedly intended for. There is too much room for discretion and grey areas, which must be narrowed and addressed to avoid violations of people’s rights under the guise of ensuring cybersecurity and dealing with cybercrime.

 As Hong Kong-based Conventus Law, a digital media platform providing legal-focused content to business leaders and lawyers, says, there will always be a need to strike an appropriate balance between ensuring citizens’ freedom, access to information and privacy, while at the same time protecting them, state institutions and critical infrastructures.

Cybersecurity needs to be strengthened by making cross-border cooperation and information exchange more efficient and by significantly increasing cyber resilience. At the same time, the right to freedom of information and adequate privacy remains essential for global, as well as individual, security.

Finally, there is a need to reach an ethical balance to fine-tune cybersecurity measures and individual rights.

About the writer: Dumisani Ndlela is a journalist researching digital surveillance with support from the Media Policy & Democracy Project, run by the University of Johannesburg, Department of Communication and Media.
