Cyber and Data Protection Act and its impact on freedom of expression

The Cyber and Data Protection Act introduces Section 164B in the Criminal Law (Codification and Reform) Act, which criminalises cyberbullying and harassment.

The use of the internet in Zimbabwe, just like in the rest of the world, has led to the creation of laws that regulate its use.

One such law is the Cyber and Data Protection Act [Chapter 12:07] became law in December 2021.

 In terms of section 2 of the Act, the objective of the Act is to increase cyber security in order to build confidence and trust in the secure use of information and communication technologies by data controllers, their representatives and data subjects.

What are the advantages of this Act?

The Cyber and Data Protection Act introduces Section 164B in the Criminal Law (Codification and Reform) Act, which criminalises cyberbullying and harassment.

It states that any person who unlawfully and intentionally, by means of a computer or information system, generates and sends any data message to another person, or posts on any material whatsoever on any electronic medium accessible by any person, with the intent to coerce, intimidate, harass, threaten, bully or cause substantial emotional distress or to degrade, humiliate or demean another person or to encourage a person to harm himself or herself shall be guilty of a criminal offence. 

In terms of this section, it is a criminal offence to generate and circulate data messages with the intention to coerce, intimidate, harass, threaten, bully or cause substantial emotional distress, or to degrade, humiliate or demean another person through any electronic medium.

This provision protects individuals of all ages, including children, teens, adults as well as corporate entities or organisations.

In terms of the Act, it is a criminal offence to circulate by computer or information system, of false data messages about a person, which are intended to cause psychological or economic harm.

Essentially, anyone who circulates, broadcasts or distributes false messages about a person is criminally liable, and can face a level 10 fine or five years imprisonment.

 Through this section, the Act provides significant protection to victims, particularly where they can prove that the messages are false.

Such messages be they voice notes, or text messages or pictures or documents, do in fact cause significant psychological, emotional and reputational harm to the victims.

In some cases these messages also lead to financial and economic harm, as some victims lose their jobs or sources of livelihood.

It is a welcome development that such conduct be visited by prison sentence, so that the perpetrators can atone for their actions.

The Act further criminalises certain conduct as it relates to electronic communications and materials, in addition to cyberbullying and transmission of false messages.

These include transmission of data message inciting violence or damage to property, sending threatening data message, spam, transmission of intimate images without consent, production and dissemination of racist and xenophobic material, and identity-related offence.

Criticism of the Act

The Act has however been used by government officials to further their own interests.

The Act is open to misinterpretations and has been weaponized to target anyone who exercises their freedom of expression.

It criminalises the spread of what the government classifies as ‘false’ information.

The provision does not qualify or define that which it refers to as false, leaving room for wide interpretation and making it prone to abuse.

The provision in other words is criminal defamation renamed.

 Zimbabwe has outlawed criminal defamation but the proviso of the Act revives it.

 The false news offences promote self-censorship and unjustifiably infringe on freedom of expression.

The penalties to this offense are too stiff with very high chances that this provision will also smuggle back criminal defamation, which was declared unconstitutional in the case of Madanhire & Anor v Attorney General CCZ 2/14.

 The Act has ceased to be a data protection law and has become, a tool to protect the state.

The original intention in drafting the law as a data protection tool has been overridden by state protection interests.

Clause 164 of the Act criminalises transmission of data message inciting violence or damage to property.

The provision could be abused by the government to crack down on protest organisers.

The Act is and has been used as a tool against expressing anti-government sentiments, which can easily be interpreted as incitement of violence or injurious falsehoods.

What amounts to incitement in Zimbabwe is very vague.

For example public figures such as Job Sikhala, Fadzai Mahere, Tsitsi Dangarembgwa, and many others have been arrested for allegedly inciting violence whereas they were citizens expressing their views and exercising their freedom of expression.

In short, this provision potentially criminalises digital activism in Zimbabwe.

Ordinary citizens in Zimbabwe cannot campaign, or demonstrate and petition online in line with their constitutional rights, without running the risk of being charged with inciting violence.

This raises concerns as to whether or not the provisions of the Act infringe the constitutional freedom of expression, in its preamble, the Act states that “An Act to provide for data protection with due regard to the Declaration of Rights under the constitution and the public and national interest….”. Section 60 (1) and 60 of the constitution provide for the freedom expression.

Section 61 (5) (a) of the constitution states that freedom of expression and freedom of the media exclude incitement to violence.

 In practice anyone who expresses his opinion by criticising the government or making any statement that does not sit well with the government, he or she will be accused of inciting violence.

How then should citizens enjoy their freedom of expression? Is it by the dictates of the government?

The preamble of the Act is anything but true as it disregards the Declaration of Rights under the constitution by threatening the freedom of expression and freedom of the media.

There is need for the Act to be split into two, to separately cater for cyber security and data protection.

As it stands the Act is clustered, a single Act cannot adequately deal with all such issues at once.

There is need to ensure that significance is not only placed only on cybersecurity while data protection, privacy and other fundamental rights are neglected.

Currently, the Act provides for a cyber security committee, called, Postal and Telecommunications Regulatory Authority of Zimbabwe (Potraz) which is the sole Cybersecurity Centre and Data Protection Authority.

This essentially gives Potraz the roles of potentially three bodies, being the regulator of the telecommunications industry, the Cybersecurity Centre and the data protection authority.

It is inappropriate to also allocate the functions of the Cybersecurity Centre and data protection authority in entirety to Potraz.

There is no justifiable basis to promote such monopoly by Potraz as this frowns upon the basic principles of efficiency.

The Potraz, on one hand is the surveillance arm of the state while also having access to the large volumes of data collected by the Mobile Network Operators and Internet Service Providers.

This therefore compromises data protection and the right to privacy. Consequently the Act cannot sufficiently and adequately cater for data protection and cyber security on its own. It will prioritize one aspect of the Act over the other.

 *Mlondolozi Ndlovu is a Zimbabwean media practitioner. A media trainer and researcher who is also a student at the University of Zimbabwe.

Related Topics