Minister of Information and Communication Technology Tatenda Mavetera last month published the Cybersecurity and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 ( SI 155 of 2024).

Legal think tank LOCAL Veritas says cybersecurity and data protection regulations (licensing data controllers and appointing data protection officers) are unconstitutional and infringe on various fundamental rights.

Minister of Information and Communication Technology Tatenda Mavetera last month published the Cybersecurity and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 ( SI 155 of 2024).

The regulations came under fire this month when Maretera reportedly said churches that collect personal data about their members should be licensed under the regulations, while administrators of WhatsApp groups should also be licensed.

Mavetera, however, backtracked on licensing.

In its latest Bill Watch, Veritas said the regulations were unconstitutional and unreasonable.

“In other words, the minister must make reasonable regulations. These regulations, which require a license for anyone processing even the smallest amount of personal data, are certainly unreasonable; the legislature could not have imagined that the Minister would use his powers to make such regulations. For this reason, the regulations are ultra vires the Act.

“Another reason for considering these regulations ultra vires is that they create criminal offenses for which varying penalties can be imposed – up to seven years’ imprisonment.

“Nothing in the Act authorizes the Minister to create offenses and penalties and such power must be conferred expressly; this should not simply be assumed.

Veritas said everyone has the right to seek, receive and communicate ideas and information.

“If you need to obtain a license to collect the names and addresses of people to whom you send ideas and information – even if it’s just one name and address – then your freedom to “Expression is severely limited,” the legal think tank said. .

Veritas said the licensing requirement imposed by the regulations went far beyond what was legitimately necessary to prevent the misuse of personal data.

“In addition to being ultra vires and unconstitutional, the regulations are poorly designed. A small example: data controllers have six months to obtain licenses under Article 4, but must obtain licenses immediately under Section 3 and have three months to appoint data protection officers . There is no rational explanation for the different delays.

“The reason for these and all other flaws is probably that the lawyers who wrote the regulations failed to understand the technical experts whose ideas were supposed to be incorporated into them.

“There was a mutual incomprehension, as we suggested at the beginning of this bulletin. Even the minister, it seems, does not understand the regulations – and she is the one who made them.

Related topics