Executive Summary
Zimbabwe has various pieces of legislation that affect data protection, privacy, and surveillance. The relevant pieces of legislation regarding data protection and privacy include, but are not limited to, the Cyber and Data Protection Act [Chapter 12:07] and the Postal and Telecommunications Act [Chapter 12:05].
The main relevant pieces of legislation regarding surveillance are the Interception of Communications Act [Chapter 11:20] and the Postal and Telecommunications Act. The supposed principal purpose of these pieces of legislation is to give effect to various fundamental rights and freedoms enshrined in the Constitution of Zimbabwe Amendment (No.20) Act, 2013, including the right to privacy, freedom of expression, and access to information.
The adequacy of the pieces mentioned above of legislation in giving full effect to the relevant constitutional rights can be assessed by reference to the best international standards. The international standards are captured and set out in various instruments, including the Southern African Development Community (SADC) Model Law on Data Protection, the African Union (AU) Convention on Cyber Security and Personal Data Protection (Malabo Convention), Declaration of Principles on Freedom of Expression and Access to Information in Africa 2019, the International Principles on the Application of Huma Rights to Communications Surveillance and the European Union (EU) General Data Protection Regulations (GDPR).
In that regard, it is imperative to point out that the Cyber and Data Protection Act, the main legislation dealing with data protection and privacy in Zimbabwe, is mainly modelled on the EU GDPR, as it borrows the bulk of its provisions. Accordingly, it is appropriate to use the EU GDPR as the main benchmark for assessing the adequacy of the provisions of the Cyber and Data Protection Act concerning data protection and privacy.
This policy brief posits that there are various yawning gaps in our data protection, privacy and surveillance legislation. The gaps include but are not limited to, the absence of independent data protection and cyber monitoring authorities, the limited scope of data subject rights, an inadequate framework for cross-border data transfers, a draconian surveillance regime and a lack of effective remedies against data and privacy breaches.
Accordingly, this policy brief recommends a litany of measures to plug and bridge the gaps to achieve a legal framework that fully reflects the underlying constitutional rights.