HON. SEN. DR. PARIRENYATWA:
The Cyber Security and Data Protection Bill (H.B. 18, 2019) was gazetted on 15 May 2020. The Bill intends to address cyber-crime and increase cybersecurity in order to build confidence, trust and the secure use of ICTs. The Cyber Security and Data Protection Bill is an advanced, modern Bill that aims to consolidate cyber-related offences, establish a Cyber Security Centre, provide for investigation and collection of evidence of cyber-crime, provide electronic evidence for such offences, and encourage lawful use of technology. It will create a technology-driven business environment and encourage technological development and the lawful use of technology. The Bill also seeks to amend certain parts of the Criminal Law, (Codification and Reform) Act [Chapter 9:23] by repealing sections 163 to 166.
2.1 The Joint Portfolio Committees on Information Communication Technology, Postal and Courier Services, Information, Media and Broadcasting Service and Thematic Committee on Peace and Security had a meeting with the Officials from the Ministry of ICT, Postal and Courier Service on 15 June 2020.The purpose of the meeting was for the Ministry to unpack the Bill for Members.
2.2 The Committees conducted public consultations on the Bill in terms of Section 141 of the Constitution from 5 to 10 July, 2020. The Committees covered part of Harare, Midlands, Masvingo, Bulawayo, Mashonaland West, Mashonaland East, Mashonaland Central, Matabeleland North and South provinces.
2.3 During the hearings, the Committees received submissions from youths, pensioners, church representatives, business organisations, representatives from media industry, Government officials, resident associations, and the general public. The Committees expressed their heartfelt gratitude to all stakeholders who contributed at the public consultations and those who made written submissions.
2.4 The Joint Committees also had a virtual hearing on Zoom to cater for interested people who were not able to participate in the hearings.
3.0 SUBMISSIONS ON THE CYBERSECURITY AND DATA PROTECTION BILL
3.1. In all areas visited by the Committee, members of the public were aggrieved because they were not aware of the content and context of the Bill. In addition, they were concerned about the Bill being too technical for ordinary citizens especially those in remote areas. Members of the public in different areas were of the opinion that the Bill was supposed to be compiled in different recognised languages in the Constitution. It was, therefore, submitted that before Parliament engages on public consultations, there was a need to conduct awareness and unpacking of the Bills.
Stakeholders highlighted that there is a need to provide for two separate Bills; the Cyber Security Bill and the Data Protection Bill in accordance to international standards and best practices, for instance, the SADC Model Law on Data Protection and the African Convention on Cyber Security and Data Protection. Stakeholders highlighted that by combining the two legislations, the Bill becomes difficult to understand.
3.2 CLAUSE 1: APPLICATION
3.2.1 Stakeholders recommended that the date of commencement of the Bill should be clearly defined because a good law should not apply in retrospect.
3.3 CLAUSE 2: OBJECTIVES
Stakeholders noted that the objective of the Bill does not accurately describe its provisions. They mentioned that the provisions of this Bill regulate the collection, processing, transmission, storage and use of personal data by the data controller. It was stated that the Bill creates new offences relating to cyber-crime and its investigations, therefore the objective of the Bill must be amended to include the criminalisation of computer and network-related crimes
3.4 CLAUSE 3: INTERPRETATION
Clause 3 of the Bill defines a data controller as “any natural person or legal person who is licencable by the Authority.
Several stakeholders including Google were concerned about three issues on this provision which are as follows:
(i) the definition of a data controller in its present form suggests that a data controller must be licenced by the Authority. This is the only reference in the Bill to a licencing requirement. (ii) The powers of the Data Protection Authority (the Authority) under Section 8 of the Bill do not include the power to licence data controllers.
(iii) It is unclear whether persons or entities seeking to collect, record or otherwise process data within Zimbabwe will require any form of licencing or registration with the Authority.
Stakeholders suggested that the Bill should have an inclusion of a comprehensive definition describing what entity or person qualifies as a data controller.
The stakeholders highlighted that definition of “data controller” is limited to natural or legal persons licencable by the Authority. This means Bill’s application is currently limited to persons providing telecommunication services. It was submitted that the definition needed to be broadened to include public bodies and any other person who determines the purpose and means of processing data.
Stakeholders indicated that the Bill in its current form aims to regulate the collection, processing, transmission, storage and use of personal data by telecommunication licence holders and excludes the entities who collect personal information such as banks, insurance companies and hospitals. They recommended that the definition of a data controller should be widened to include these entities since they are not currently licencable by POTRAZ.
Members of the public mentioned that the definition of “critical database” does not include a definition of what “critical data” is. It was submitted that there is a need to specify what “critical data” means, particularly because the Bill in the amendment of Section 163 of the Criminal Law (Codification and Reform) Act [Chapter 9:23] seeks to make it an offence “to copy, move, add or change critical data”. This makes it imperative to define the term because of its inclusion as an essential element of the offence of hacking.
It was submitted that the definition of “code of conduct” seems to extend to IT resources and the internet for the data controller which is on the extremely wide definition. The stakeholders recommended that IT resources be removed from the definition of code of conduct and confirm the definition to IT processes, which means any processes related to the data controller or processor.
Stakeholders suggested that the ‘Personal Information’ definition can be expanded to include objectives and subjective elements of personal information.
Clause 5 to Clause 8: DESIGNATION OF THE CYBERSECURITY CENTRE AND DATA PROTECTION AUTHORITY WITHIN POSTAL AND TELECOMMUNICATIONS REGULATORY AUTHORITY OF ZIMBABWE (POTRAZ).
There were mixed views from the people regarding POTRAZ being the Cyber Security Centre and Data Controller. There were concerns from some stakeholders that if POTRAZ is established as the Cyber Security Centre and Data Controller, this would limit the effectiveness, efficiency and independence of the board since POTRAZ reports to the Executive. They pointed out that the POTRAZ Board was appointed by the Minister hence the board would be a rubber stamp of the Executive decisions. The stakeholders proposed a separate institution as a Cyber Security Centre that is appointed by Parliament and reports to Parliament. Alternatively, it was proposed that POTRAZ should report to and be accountable to Parliament in the discharge of this new role as the enforcement of human rights requires oversight by a body independent from Government.
Other stakeholders, however, were of the view that POTRAZ is the perfect Cyber Security Centre as it already has the requisite data and infrastructure in place.
3.6 CLAUSES 9 – 14: STANDARDS AND GENERAL RULES FOR A DATA CONTROLLER FOR THE PROCESSING OF DATA.
The stakeholders indicated that the principles in the Bill needed to be expanded as it relates to the aspects of processing of data as the current drafting makes data subjects rights after-thoughts and hidden in the Bill’s text.
3.7 CLAUSES 13-14: SENSITIVE INFORMATION, GENETIC DATA, BIOMETRIC SENSITIVE DATA AND HEALTH DATA
Stakeholders highlighted that the Bill is not explicit on the issue of sensitive information. Stakeholders were not sure if they will be consulted first before their information and data is used. The stakeholders pointed out that Government institutions and network providers already had personal information and at times the information is already used without their consent.
Stakeholders submitted that Section 13 (1) (c) of the Bill gives the Authority the power to determine circumstances where the processing of data is prohibited despite the consent of the data subject. It was highlighted that this provision gives wide powers to the Authority to prevent the collection of sensitive data, even for legitimate purposes where for instance:
(a) the data subject has freely and voluntarily consented to the collection or processing of his or her personal data;
(b) all the necessary disclosure requirements have been met; and
(c) there is no real risk of infringement of the data subject’s right.
In relation to consent, it was recommended that Section 13 (1) of the Bill should clearly set out the circumstances under which consent is considered unequivocal and freely given to avoid any confusion surrounding the nature of consent that has been provided.
3.8 CLAUSE 19: SECURITY BREACH NOTIFICATION
Members of the public highlighted the need for the provision to stipulate a timeline under which the security breach should be communicated rather than leaving the provision open to interpretation on what “undue delay” means.
3.9 CLAUSES 23 AND 24: OPENNESS OF PROCESSING AND ACCOUNTABILITY.
Stakeholders highlighted that level of openness must manifest throughout the Bill by registering all data controllers in a register that is open for public inspection. They noted that accountability must be listed as one of the duties that controllers are required to comply with. This principle should be included in the Bill for the Authority and Data Controllers.
Stakeholders also stated that the Bill does not speak to algorithms and explained that algorithms mutate due to the developments in artificial intelligence hence the Bill might have been overtaken by events, by speaking to the 1990s state of affairs.
3.10 CLAUSES 26 AND 27: PROTECTION OF RIGHTS OF DATA SUBJECTS
Children representatives submitted that there is need to accommodate the right to be heard when considering consent given on behalf of a child. They indicated that this was in line with Article 12 of the Convention on the Rights of the Child which provides that State parties shall assure to the child who is capable of forming his or her own views, the right to express those views freely in all matters affecting the child, the views of the child being given due weight in accordance with the age and maturity of the child.
Stakeholders submitted that there should be a provision for data processors and service providers to protect and ensure children rights are upheld. It was mentioned that the Bill should incorporate the five core provisions which are namely:
1) Clear on minimum age limits on content.
2) Protections for accounts that are opened by under eighteen years.
3) Management inappropriate or illegal content posted on their platforms
4) Use of age verification and identity authentication solutions.
5) Clear safeguard to ensure children rights online
The Committee was informed that the Bill of rights sets out rights and freedoms that the people of Zimbabwe are entitled to by virtue of being human beings. These rights are constitutional rights and therefore legally binding. These rights include
1) freedom of expression (protected in section 61 of the Constitution);
2) freedom of the media (Section 62);
3) access to independent and impartial news.
4) right to personal security (Section 52),
5) right to dignity (Section 51),
6) right to privacy (Section 57),
7) right to petition and demonstrate (section 59)
Stakeholders were concerned with the rights that the Bill is likely to violate. They highlighted that the Bill should include rights of data subjects as a standa-lone clause as the Bill does not adequately address and protect data subject rights. These rights include freedom of expression, right to privacy and many other fundamental rights.
Stakeholders strongly recommended Section 164 relating to electronic communication be thoroughly revised to bring them into line with the constitutional provisions relating to freedom of speech and freedom of media.
The public highlighted that new rights have emerged over the years due to the coming into age of the internet. Therefore, there is need to include new rights in the Bill such as the right to oblivion also known as the right to be forgotten. Thus, information uploaded on the cyber space should have a specific timeline to be disregarded and should be forgotten.
3.11 CLAUSE 31: WHISTLEBLOWER
The Committee was informed that much of the cases of corruption were being unearthed by whistle-blowers. The public underscored the need to put necessary safeguards to protect whistle-blowers in the statute as well as other concrete steps in the handling of investigations that result from whistle-blowers revelations.
3.12 CLAUSE 163: UNLAWFUL INTERFERENCE WITH COMPUTER SYSTEM
The Committee was informed that this Bill stifles innovation and creativity by completely criminalising hacking without recognising the potential benefits of ‘ethical hacking’. They pointed out that ethical hackers identify loopholes and vulnerabilities in computer systems and use them to strengthen cyber security systems technologies and applications.
3.13 CLAUSE 164E: TRANSMISSION OF INTIMATE IMAGES OR VIDEOS WITHOUT CONSENT.
Stakeholders highlighted that information on social media platforms is shared through forwarding messages. Effectively, anyone who forwards or distributes messages should be criminalised in terms of this Bill. They indicated that the Bill should be clear on determining the source of the criminal activity.
Some stakeholders proposed that on Clause 164 (f), the Bill should also include the terminology that criminalises the recording of up-skirting, and nudity. It was suggested that any person who unlawfully and intentionally records an image or video without the person’s consent should be guilty of an offence and liable to a fine not exceeding level 10 or to imprisonment for a period not exceeding five years or to both such fine and such imprisonment.
3.14 CLAUSE 165: CHILD PORNOGRAPHY
The stakeholders submitted that the term ‘Child Pornography’ should be replaced with the term ‘child sexual abuse material’ throughout the Bill so that it broadens the focus of the law towards other child sexual harassments and violence to children within the cyber space. It was suggested that any person who unlawfully and intentionally produce, offers, distributes and possess child sexual abuse material should be guilty of an offence and liable to a fine not exceeding level fourteen or to imprisonment for a period not exceeding ten years, or both such fine and such imprisonment.
3.15 CLAUSE 165A: CYBERGROOMING OF CHILDREN
The stakeholders suggested a penalty of a fine not exceeding level 10 for any person of the age of eighteen or above who unlawfully and intentionally, through information and communication technologies, proposes to meet a child who has not reached the age of consent to sexual activity as set by the Criminal Law (Codification and Reform Act) [Chapter 9:23] for the purpose of engaging in sexual activity with him or her.
4.0 COMMITTEE OBSERVATION
4.1 The Committees were of the view that admissibility rule should not be restricted to criminal acts established under the Bill, but to all criminal offences recognised under the laws of Zimbabwe.
4.2 The Committees agreed with stakeholders that POTRAZ should not be designated as the Cyber Security Centre and Data Protection Authority. The Committees suggested that the functions that the Bill assigned to the Cyber Security Centre need to be carried out by an independent body due to the sensitivity of matters relating to cyber security.
4.3 The Committees also supported the need to include in Section 31(1) of the Bill, provision for the guarantee of the protection of whistle-blowers.
4.4 The Committees were in agreement with stakeholders that Clause 26 of the Bill should protect the rights that are enshrined in the Constitution of Zimbabwe.
4.5 The Committees were of the view that the Cyber Security Centre and Data Protection Authority should also be separated into two stand-alone pieces of legislations.
4.6 The Committees further supported the need to criminalise the recording of up-skirting and recognition of the rights of children on Clause 164E.
In light of the above submissions and observations, the Committees make the following recommendations;
1. Clause 2 – objectives of the Bill should clearly describe its provisions.
2. Clause 3 – The Bill should be amended to improve on definition of terms as they should be clearly defined.
3. The need to split the Bill into two; namely the Cyber Security Bill and Data Protection Bill.
4. Clauses 5-8 should establish an independent body which is set up as the Cyber Security Centre and Data Protection Authority instead of POTRAZ being the Cyber Security Centre and Data Protection Authority.
5. Clause 31(1) of the Bill should be amended, to have a clause that guarantee the protection of whistle-blowers in terms of handling investigations.
6. The Bill should be amended and have a clause that provides for the right to oblivion, that is the right for deleting information and records of the past in the cyber space, and clearly spell out the data retention period.
7. That the Bill should be amended to include a stand-alone clause that recognises the rights of data subjects which are enshrined in the Constitution namely;
i. right to personal security (Section 52),
ii. right to dignity (Section 51),
iii. right to privacy (Section 57),
iv. right to petition and demonstrate (Section 59) and
v. the right to freedom of expression (Section 61).
8. That Clause 19 should be amended to include the time under which security breach should be notified.
9. The Bill should strike a balance between the protection of national security and the exercise of rights of ordinary individuals.
10. Clause 164E of the Bill should be amended to include the terminology that criminalises up-skirting and recording of nude images without a person’s consent.
11. Clause 165 on child pornography should take into cognisance offences relating to child sexual abuse materials such as using social media to lure minors for the purposes of exploitation.
The introduction of the Cyber Security and Data Protection Bill is welcomed as it is drafted to apply to all sectors of the economy. It will put in place one of the final pieces of much-needed data protection reforms. The Bill is a baseline legislation that will operate concurrently with other legislation. Effective modern data protection laws are central to securing public trust and confidence in the use of personal information within the digital economy and the fight against cyber-crime. Members of the public have raised many different scenarios about the protection of individuals. However, Government must strive to ensure a proper balance on how best to use the proposed Bill to effect a positive outcome for the public and the private sector. I thank you.