Summary Analysis of the Cybersecurity and Data Protection Bill 2019

The Cybersecurity and Data Protection Bill (H.B. 18, 2019) ('the Bill') was published on 15 May 2020 with the Government Gazette. The purpose of this Bill is to consolidate cyber related offences and provide for data protection with due regard to the Declaration of Rights under the Constitution and the public and national interest; to establish a Cyber Security Centre and a Data Protection Authority and provide for their functions; to provide for investigation and collection of evidence of cyber crime and unauthorised data collection and breaches; and to provide for admissibility of electronic evidence for such offences. It will create a technology driven business environment.

The Bill comes against the backdrop of the 2013 Constitution, with an expanded Bill of Rights, as well as the requirement to take into account international law and all treaties and conventions to which Zimbabwe is a party when giving effect to the fundamental human rights and freedoms enshrined in the Constitution. Zimbabwe is a party to several treaties and conventions which are potentially implicated in this Bill.

Current Legal Framework

• Cybercriminal law in Zimbabwe is provided for mainly in Chapter VIII of the Criminal Law (Codification and Reform) Act [Chapter 9:23] enacted in 2004. This whole chapter (Sections 162-168 of the Code) provides for computer related crimes (often collectively described as ‘cybercrime’).

• Other statutes providing for cybercrime related offences are the Interception of Communications Act [Chapter 11:20] and the Postal and Telecommunications Act [Chapter 12:05].

The Criminal Law (Codification and Reform) Act will be amended by the repeal of sections 162 to 168 and their substitution with the contents of the Bill.

Summary Analysis of the Bill

This paper will provide a summarised analysis of sections and provisions of the Bill, which will then be measured against the Constitution, regional and international standards.

1.      The Merging of the Data protection and Cybercrimes Bills

The draft model laws drafted under the International Telecommunication Union (ITU) HIPSSA project, whose aim was to standardise ICT legislation in the region, had separate cyber, data protection and electronic transactions legislation. The merging of the Data Protection and Cybercrimes Bills is a big step away from the ITU model. Other countries in the region, such as Kenya, have retained the standard set by the HIPSSA model laws to keep the Bills separate. Data protection and cybercrime are two broad and distinct domains which require separate legislation.

Recommendation

The recommendation here is that data protection should form its own Bill, and that cybersecurity and protection should likewise form its own Bill.

2.      Oversight Mechanism [s4]

The Bill establishes a Computer and Cybercrime Committee to oversee the implementation of law and policy related to cybercrimes and security. It also establishes a Data Protection Authority to oversee data handling issues in the country. Sections 5 and 7 of the Bill seek to establish the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) as the Cybersecurity Centre and Data Protection Authority, respectively.

POTRAZ is the regulatory authority of Zimbabwe’s postal and telecommunications sector and is established in terms of the country’s Postal and Telecommunications Act Chapter 12:05. POTRAZ’s already extensive mandate includes licensing internet and telecoms companies, allocating frequencies, tariff and price regulation, consumer protection, collecting and administering the universal fund, etc. This Bill will add more roles to POTRAZ: overseeing cybercrime and managing public data handling as the Cybersecurity Centre and the Data Protection Authority. POTRAZ reports solely to the Ministry, meaning that Parliament has no authority over its operations. The Bill does not require that the Cybersecurity Centre and Data Protection Authority include representatives of independent IT professionals, IT business, or civil society, especially those working on relevant human rights issues, although their inclusion is critical.

 

Recommendation

 The recommendation here is for separate institutions to be set up for the Cyber Security Centre and Data Protection Authority respectively. The institutions should be independent, and we recommend that the committees include representatives from civil society, business, and academic backgrounds.

3.      Definition of Personal Data

The definition of personal information in the Bill does not specify the crucial digital aspects of personal information. Digital personal data should include the IP address or username (which enables indirect identification), digital signatures and fingerprints, passwords, tags, and retina scans. The General Data Protection Regulation (GDPR) for Europe provides a broader definition and framework for personal information management. It is therefore important to know exactly how personal data is collected, managed, and stored by your digital analytics provider. Your use of personal data must also be documented, and you must clearly inform your end-users.

4.      Forensic Tool

The above is defined as an investigative tool that has software or hardware installed on or in a computer system or part of a computer system that is used to perform tasks. These tasks include but are not limited to keystroke logging or transmission of an internet protocol address. This tool is not mentioned in any other section in the Bill. The Bill does not state how the tool will be used nor what its limitations are.

 

Recommendation

The recommendation here is that this highly intrusive tool should not be included within the Bill.

5.      Disclosures, Security, Breach, Obligation to Notify, Content, Openness, and Accountability

 There is no timeframe or guideline provided in the Bill in relation to when and how a data controller should report a data breach. The Bill only provides that “the data controller shall notify the Authority, without any undue delay”.

Recommendation

 The recommendation here is that this section should be broader and include the timeframe required to notify affected persons and the public of the relevant breach, and the extent of the Bill. In addition, what should be included in the notification should be specified as a requirement in the Bill.

6.      Consent in Genetic Data, Biometric Sensitive Data and Health Data [14 (1)]

The processing of genetic data, biometric data, and health data is prohibited unless the data subject has given consent in writing to the processing. The Bill does not clearly define what “in writing” means. In this technology era, consent should not be limited only to written form.

Recommendation

 The recommendation here is that the Bill should allow an electronic means of giving consent which includes the use of electronic signatures.

 7.      Transmission of False Data Message Intending to Cause Harm [164C]

 Any person who unlawfully and intentionally, by means of a computer or information system, makes available, broadcasts, or distributes data to any other person concerning an identified or identifiable person knowing it to be false with an intent to cause psychological or economic harm shall be guilty of an offence. Additionally, they will be liable to a fine not exceeding level 10 or imprisonment for a period not exceeding 5 years or to both fine and imprisonment.

 

This sweeping criminalisation of "transmitting false information" would effectively arrogate to authorities the role of determining "truth" in public discourse, severely curtailing citizen journalism, freedom of expression, civic engagement and other activities essential to a democratic society. The vague prohibition of transmitting false information is highly subjective and prone to abuse, providing authorities with a pretext to prosecute reporting, criticism or commentary they disagree with or find controversial.

 This section could also be broadly interpreted to penalize writers, bloggers, artists and anyone publishing satirical or comedic material online. Online users and citizen journalists will be held to unrealistic standards of factual accuracy under the threat of grave criminal penalties. The intent requirement is redundant, since a person who inadvertently publishes inaccurate data would reasonably (albeit mistakenly) believe in its authenticity at the time of publication. This prohibition is likely to encourage self-censorship of journalists, civil society, and others engaged in reporting and analysing rapidly unfolding news stories and other fast-paced developments.

 Recommendation

The recommendation here is that section 164C should be removed in its entirety. The authorities should explore less intrusive measures for addressing disinformation, such as technical support for media and news literacy programs and independent and human rights-compliant mechanisms for media self-regulation.

8.      Cyberbullying and Harassment [16B]

 Any person who unlawfully and intentionally by means of a computer or information system generates and sends any data message to another person, or posts on any material whatsoever on any electronic medium accessible by any person, with the intent to coerce, intimidate, harass, threaten, bully or cause substantial emotional distress, or to degrade, humiliate or demean the person of another or to encourage a person to harm himself or herself, shall be guilty of an offence and liable to a fine not exceeding level 10 or to imprisonment for a period not exceeding 10 years or to both fine and imprisonment.

 This section could potentially target ordinary citizens who receive memes and other electronic communication which are deemed degrading or humiliating. Given the widespread use of criminal insult laws in Zimbabwe to clamp down on free expression, the wording of this section is overbroad. The offence should be revised to comprise only conduct that one can actually control and be confined only to the person who initiates the electronic communication with malicious intent.

Recommendation

The recommendation here is that the offence should be revised to comprise only conduct that one can actually control and be confined only to the person who initiates the electronic communication with malicious intent.

 It is unclear why the scope of section 16B should be limited to using "a computer system" (which is defined to include any electronic communication) to harass, intimidate or cause substantial emotional distress or anxiety to another person. It is apparent that such conduct would be equally criminal even without the use of a computer or electronic communication. Therefore, it would be better as a matter of basic principle for the authorities to address such conduct by way of general provisions of the criminal law, rather than on a piecemeal basis. 

Section 16B of the Bill should be struck out in its entirety. Legislation against bullying and harassment should be dealt with by way of the general criminal law, rather than in the context of cybercrime.

9.      Unlawful Interference Sections [162A-F]

These provisions must be amended to include a seriousness or harm component as one of the elements of the offence. 

10.  Jurisdiction [166A]

The section should be revised to require a harmful effect in Zimbabwe as an element of an offence or, at the very least, it should require the reasonable foreseeability of harm in Zimbabwe.

11.  Admissibility of Electronic Evidence [166B]

 There is need for additional safeguards in the Bill to ensure that the authenticity of data or evidence collected by the police is safeguarded given the amenability to manipulation of computer forensic data. There is also a need for measures to ensure the reliability and accuracy of the data collection and forensic processes. To this end, there is need for section 166B to include measures for the verification of the forensics process by an independent expert in the field.

12.  Standards for Authorising Search and Seizure [166B]

Search and seizure can be authorised by a magistrate based on an application by the police. The standard used for authorising these instructions is “reasonable grounds to suspect or believe” that the information gathered by these intrusions would provide evidence as to the commission of an offence. However, basing this application on “belief” is problematic as it leaves room for applications to be made based on personal, emotional or other legally unjustified convictions. Thus, this ground should either be revised if not removed altogether.

Similarly, section 29(2) of the Bill makes reference to whether a police officer believes “the data sought is stored in another computer system or part of it in its territory…” but the use of “territory” is vague and it is not clear what exactly this is.

 13.  Expedited Preservation [165C]

A magistrate who, on an application by a police officer in the prescribed form, believes that there are reasonable grounds to suspect or think that traffic data associated with a specified communication is required for the purposes of a criminal investigation may order any person in control of such data to do the following:

(i) collect, record or preserve the traffic data associated with a specified communication during a specified period; or

(ii) permit and assist a specified police officer to collect or record that data; or

(iii) authorise the police officer to collect or record traffic data associated with a specified communication during a specified period.

The grounds for such authorisation of data preservation are very vague, i.e. “reasonable grounds” for the purpose of a criminal investigation. There is no requirement that the police take into consideration any other less invasive investigative methods before seeking to preserve data. There is no limit to the duration of this order. Given the degree of interference with privacy rights, a higher standard to authorise preservation would be more appropriate.

Moreover, there is no reference as to what the police application should contain in order to enable the magistrate to decide on the measures of data preservation. The proof or burden required for the authorisation to be granted for such should place a higher onus on the police and err on the side of protecting individual rights and privacy as provided in the Constitution. Furthermore, the court must be satisfied that the police have taken into consideration other less invasive investigative methods before seeking such an order. It would also be appropriate to place a limit on the duration of the order.

14.  Obligations and Immunity of Service Providers [166]

The service provider shall be liable if more information is stored than necessary for transmission. It is, therefore, the liability of the police to provide information to be transmitted, choose the recipient, and dictate the duration of time they want the information stored. Section 166(2) fails to clarify how information can be identified as altered or how to identify the time necessary to store the information for other purposes of transmission.

Section 166(4) describes how information purported to be illegal can be proven as illegal. The article also provides the service providers with the right to access client’s information, and the ISP is not accountable if the information is leaked.

Limited liability is conditional. The ISP is now playing the role of the police. The internet is global and borderless. Zimbabwean citizens will shun the services if local hosting companies and providers opted for hosts outside the country who will not be affected by this law.

Constitution

The provisions of the Constitution that are relevant for consideration in the drafting and enactment of a cyber-crime bill such as the proposed one are highlighted below, with recommendations for possible review for compliance with the Constitution.

Section 2 Supremacy of Constitution

The Constitution of Zimbabwe is the supreme law of the land. Section 2 (1) and (2) provide respectively: “This Constitution is the supreme law of Zimbabwe and any law, practice, custom or conduct inconsistent with it is invalid to the extent of the inconsistency” and “The obligations imposed on this Constitution are binding on every person, natural or juristic, including the State and all executive, legislative and judicial institutions and agencies of government at every level, and must be fulfilled by them”.

 Section 46 Interpretation of Chapter 4 (Bill of Rights)

Section 46 (1) provides that when interpreting this Chapter (Bill of Rights), a court, tribunal, forum or body must give full effect to the rights and freedom enshrined in this Chapter; (b) must promote values and principles that underlie a democratic society based on openness, justice, human dignity, equality and freedom,…(c) must take into account international law and all treaties and conventions to which Zimbabwe is a party; (d) must pay due regard to all provisions of the Constitution in particular the principles and objectives set out in the Chapter 2 (National Objectives)

 Section 51 Right to human dignity

Section 51 provides that “every person has inherent dignity in their private and public life, and the right to have that dignity respected and protected”.

 Section 52 Right to Personal Security

Section 52 (a) provides that “every person has the right to bodily and psychological integrity, which includes the right to freedom from all forms of violence from public or private sources”.

 Section 57 Right to privacy

Section 57 provides that “every person has the right to privacy, which includes the right not to have- (a) their home, premises or property entered without their permission, (b) their person, home, premises or property searched; (c) their possessions seized; (d) the privacy of their communications infringed; or (e) their health disclosed”

Section 61 Freedom of expression and freedom of the media

Section 61 (1) provides that “Every person has the right to freedom of expression, which includes—(a) freedom to seek, receive and communicate ideas and other information; (b) freedom of artistic expression and scientific research and creativity; and (c) academic freedom”.

 Section 61 (3) Broadcasting and other electronic media of communication have freedom of establishment, subject only to State licensing procedures that—(a) are necessary to regulate the airwaves and other forms of signal distribution; and (b) are independent of control by government or by political or commercial interests.

 Section 62 Access to Information

Section 62 (1) provides that “Every Zimbabwean citizen or permanent resident, including juristic persons and the Zimbabwean media, has the right of access to any information held by the State or by any institution or agency of government at every level, in so far as the information is required in the interests of public accountability”.

Section 62 (2) “Every person, including the Zimbabwean media, has the right of access to any information held by any person, including the State, in so far as the information is required for the exercise or protection of a right”.

 

Section 62 (3) “Every person has a right to the correction of information, or the deletion of untrue, erroneous or misleading information, which is held by the State or any institution or agency of the government at any level, and which relates to that person”.

 

Section 68 Right to administrative justice

Section 68 (1) provides that “every person has a right to administrative conduct that is lawful, prompt, efficient, reasonable, proportionate, impartial and both substantively and procedurally fair”.

 

Section 68 (2) provides that “Any person whose right, freedom, interest or legitimate expectation has been adversely affected by administrative conduct has the right to be given promptly and in writing the reasons for the conduct”.

Section 70 Rights of accused persons

Section 70 (1) provides that “Any person accused of an offence has the following rights (a) to be presumed innocent until proved guilty; (b) to be informed promptly of the charge, in sufficient detail to enable them to answer it; (c) to be given adequate time and facilities to prepare a defence;...(h) to adduce and challenge evidence;”

 Section 70 (3) provides that “In any criminal trial, evidence that has been obtained in a manner that violates any provision of this Chapter must be excluded if the admission of the evidence would render the trial unfair or would otherwise be detrimental to the administration of justice or the public interest”

 Section 86 Enforcement of fundamental rights and freedoms

Section 85 (1) provides that “Any of the following persons, namely—(a) any person acting in their own interests; (b) any person acting on behalf of another person who cannot act for themselves; (c) any person acting as a member, or in the interests, of a group or class of persons; (d) any person acting in the public interest; (e) any association acting in the interests of its members; is entitled to approach a court, alleging that a fundamental right or freedom enshrined in this Chapter has been, is being or is likely to be infringed, and the court may grant appropriate relief, including a declaration of rights and an award of compensation”.

 Section 85 (2) provides “The fact that a person has contravened a law does not debar them from approaching a court for relief under subsection (1)”.

Subsidiary Law

Laws such as the Interception of Communications Act (ICA), the Postal and Telecommunications Act, the Criminal Procedure and Evidence Act (CPEA), the Censorship and Entertainments Control Act, the Criminal Matters (Mutual Assistance) Act and the Extradition Act are likely to be affected by provisions of the Bill. There is therefore a need for a holistic review of these laws and their relations to avoid easily avoidable absurdities in law, such as on basic definition or interpretation of terms, penalty provisions, authorities and enforcement mechanisms.
