A modified GDPR: Zimbabwe’s Data Protection Act
On 3rd December 2021, Zimbabwe adopted its data protection legislation, the Data Protection Act [Chapter 11:12] (DPA). Before the enactment of the Data Protection Act, Zimbabwe had a data protection law that applied only to the public sector, leaving the processing of data in the private sector largely unregulated. As with the majority of data protection legislation in Africa, Zimbabwe’s Act is a modified version of the General Data Protection Regulation (GDPR). Key features of Zimbabwe’s Act are derived from the GDPR, with some deviations that undermine the essence of the framework they were derived from. The Act does not just create a data protection framework. It also amends other key acts such as the Criminal Law (Codification and Reform) Act, the Criminal Procedure and Evidence Act and the Interception of Communications Act.
Subject matter, objectives, territorial scope and material scope
The DPA, unlike the GDPR, does not limit the subject matter of regulation to personal information (personal data) of natural persons. The scope of the DPA is wide enough to include the processing of non-personal information of natural persons. The DPA provides that it applies to access to information, matters relating to the protection of privacy of information and the processing and storage of data. Data is defined in the Act as
“…any representation of facts, concepts, information, whether in text, audio, video, images, machine-readable code or instructions, in a form suitable for communications, interpretation or processing in a computer device, computer system, database, electronic communications network or related devices and includes a computer programme and traffic data.”
This definition is wide enough to encompass non-personal data. The DPA applies to all processing of data and there are no exceptions. This is in contrast to the GDPR, which excludes processing by ‘a natural person in the course of a purely personal or household activity.’ The DPA also applies to processing for law enforcement activities, and there is no separate Act to govern processing by law enforcement. While the GDPR makes the object of the regulation the protection of the fundamental rights and freedoms of natural persons, in particular the right to data protection, the DPA seeks to increase data protection.
The territorial scope of the DPA is similar to that of the GDPR. It applies where data processing is conducted by controllers or processors established in Zimbabwe. While the Zimbabwean Act does not make specific reference to “establishment”, it uses the words ‘effective’ and ‘actual’, which are used in Recital 22 of the GDPR. The DPA also applies to the processing of data by a controller who is not established in Zimbabwe where the means used are located in Zimbabwe. This is similar to the GDPR applying to processing where goods or services are offered to data subjects situated in the EU and their behaviour is monitored. However, the DPA excludes the processing and storage of data where Zimbabwe functions merely as a transit point for the data.
Most of the definitions in the DPA mirror those of the GDPR. A few examples follow. Personal information is broken down into three separate definitions: “personal information”, “data subject” and “identifiable person”. From these definitions, personal information is any information relating to an identified or identifiable person who can be identified, directly or indirectly, by reference to an identifier. This is similar to the GDPR, which defines personal data as ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.’ A data controller is defined as a natural or legal person licensable by the DPA who determines the purpose and means of processing. Similarly, the GDPR defines a controller as a natural or legal person who determines the purpose and means of processing. The Act defines a processor as a natural or legal person who processes data on behalf of the controller under the instruction of a controller. Similarly, the GDPR defines a processor as a person or organisation that processes data on behalf of the controller. Another similarity can be found in the definition of sensitive data or special category data. However, the DPA does not define some other terms that appear in the GDPR, such as pseudonymisation and profiling.
Rights of data subjects
The rights vested in data subjects by the DPA are derived from the GDPR. The first is a right to be provided with information about what data is being processed. The second is a right of access to data held about them by a data controller. The third is a right to rectification. The fourth is the right to restrict processing. The fifth is a right to object to processing. The sixth is a right concerning the processing of data for purposes of automated decision making. However, there are modifications to the rights of a data subject. The first modification concerns the right to erasure. The DPA limits the right to erasure to incorrect or false information. There is no general right to the erasure of data as is contained in the GDPR. The second modification is that there is no timeline set within which requests made by a data subject must be processed, whereas the GDPR requires that a request be processed within one month of receipt of a valid request.
Core Data Protection Principles
The DPA provides for seven core principles for the processing of data. These are mainly derived from the GDPR. However, unlike the GDPR, the principles are not set out in one section but are spread throughout the legislation. These principles are lawfulness, fairness, data storage and minimisation, integrity and confidentiality, accuracy, and accountability. The scope of all principles in the Act is similar to that found in the GDPR.
Lawful processing conditions
The DPA provides for six lawful conditions for the processing of data. The first is consent. Consent is defined as any manifestation of a specific, unequivocal, freely given, informed expression of will by which the data subject or his or her legal, judicial or legally appointed representative accepts that his or her data be processed. Consent is also a lawful condition of processing under the GDPR. However, the DPA modifies consent as a lawful condition of processing by providing that consent can be implied from a data subject. The DPA does not define the circumstances under which consent can be implied. The second lawful condition for processing is where the processing is material as evidence in proving an offence. This condition for processing is not found within the GDPR. The other lawful conditions are compliance with a legal obligation; protecting the vital interests of the data subject; performing a task carried out in the public interest or in the exercise of official authority vested in the controller; and promoting the legitimate interests of the controller, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject. The fourth, fifth and sixth conditions are found within the GDPR.
The processing conditions for sensitive data (special category data) are similar to those of the GDPR. However, the DPA has modified some of the conditions. The DPA requires written consent before the processing of sensitive information. Another modification relates to health data, which may only be processed under the responsibility of a healthcare professional, unless the data subject has given written consent or the processing is necessary to prevent imminent danger or to mitigate a specific criminal offence. Further, health data may only be processed if a unique patient identifier is ‘given to the patient which is distinct from any other identification number, issued by the public authority established for this purpose.’
Supervisory authority
The DPA follows the approach of the GDPR in creating a supervisory authority. However, there are key differences between the GDPR and the DPA. The telecommunications regulator, the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ), is designated as the supervisory authority. It is not a standalone body as is found under the GDPR. The DPA provides that it will be independent in the conduct of its functions; however, this seems unlikely given that POTRAZ is under the control of the Minister for Information Communication Technology. The DPA does not provide for the financial independence of the supervisory authority, as its budget will be derived from that of POTRAZ. POTRAZ is also a conflicted authority. It derives its revenue from the licensing of telecoms companies. Telecoms companies are data controllers and, in some circumstances, processors. It is difficult to see POTRAZ enforcing the Act against telecoms companies where enforcement would undermine their profitability.
Obligations of controllers and processors
The DPA modifies the obligations of controllers and processors. The first modification concerns data protection by design and by default: there is no obligation for controllers to implement data protection by design and by default. Secondly, there is no obligation to conduct impact assessments. Thirdly, there is no requirement to maintain records of processing activities. However, the remaining obligations imposed on controllers and processors by the GDPR are mirrored in the DPA, such as the appointment of data protection officers; cooperation with the supervisory authority; prior consultation; security of processing; and breach notification. However, the timeline for breach notification in terms of the DPA is twenty-four (24) hours, and there is no obligation to notify a data subject of the breach.
Transfer of information outside Zimbabwe
The DPA prohibits the transfer of personal information to a third party in a country outside Zimbabwe or to an international organisation unless an adequate level of protection is ensured in the country of receipt or the recipient international organisation. This is similar to the adequacy criterion in the GDPR. However, the DPA does not follow the GDPR on transfers of data to a country without an adequacy decision. Transfers of data to a country that does not assure an adequate level of protection can occur in six circumstances. The first is where the data subject has unambiguously given their consent. The second is where the transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the request of the data subject. The third is where the transfer is necessary for the conclusion or performance of a contract that is concluded or is to be concluded by the data subject and the controller. The fourth is where the transfer is necessary or legally required on important public interest grounds or for the establishment, exercise or defence of legal claims. The fifth is where a transfer is necessary to protect the vital interests of the data subject. The sixth is where the transfer is made from a register that is intended to provide information to the public and is open to the public in terms of an act of parliament or regulations. Another modification to the GDPR is that the supervisory authority has exclusive power to determine the categories and circumstances in which the transfer of data to countries outside Zimbabwe is not authorised.
Offences and penalties
The DPA provides for criminal offences and penalties that may be imposed on data controllers, their representatives, agents or assignees. A data controller commits an offence where they violate the provisions relating to the processing of sensitive data; when they do not fulfil their duties; when they are unaccountable; when they transfer data outside Zimbabwe contrary to the provisions of the Act; and when they do not follow the security requirements imposed by the Act. The supervisory authority has no power to issue penalties or fines for violations of the Act by data controllers and data processors. The DPA does not provide remedies to data subjects in the event of a breach. Data subjects might therefore have to rely on the law of delict to recover damages where a data breach has resulted in harm.
An adequacy decision by the EU?
It is unlikely that Zimbabwe will obtain an adequacy decision from the EU. There are several shortcomings in the DPA that would likely hinder an adequacy decision. The first relates to the independence of the supervisory authority. POTRAZ as a regulatory authority is not independent enough and is subject to control by the government. The second relates to other statutes that allow the collection and storage of data by the government without judicial oversight. One such statute is the Interception of Communications Act. Thirdly, Zimbabwe has a poor record of respect for human rights and freedoms, and concerns have been raised by the EU.[1] The fourth reason that an adequacy decision is unlikely is that Zimbabwe has not, to date, entered into any binding commitments in respect of data protection. Thus an adequacy decision seems unlikely. However, the Act constitutes the country’s first step in protecting the personal data of Zimbabweans.
[1] ‘Zimbabwe: Declaration by the High Representative on Behalf of the European Union’, https://www.consilium.europa.eu/en/press/press-releases/2021/02/19/zimbabwe-declaration-by-the-high-representative-on-behalf-of-the-european-union/, accessed 13 December 2021.