Understanding data protection
TECHNOLOGICAL advancements have revolutionised the manner in which business is conducted. Digitalisation is the current buzzword and businesses are creating online trading platforms to interface with consumers.
Contracts can be initiated, negotiated and concluded online using smart phones and laptops. The Covid-19 pandemic has accentuated the drive towards digitalisation by forcing more businesses to go online. An increasing number of people find themselves having to share private and confidential information with online traders and service providers.
The new-found popularity of e-commerce affects companies, consumers and the government. Public and private entities who deal with the citizenry often extract a substantial amount of personal information which may include, among other details, a person’s nationality, marital status, sex, residential address, contact details, medical history and financial information.
Consumers, for example, are often required to disclose their personal data while transacting online. However, online transactions come with an assortment of risks.
Cybercrime is on the upsurge as criminals and con-artists exploit loopholes in e-commerce to commit a litany of offences including identity theft and fraud. Persons who disclose their personal data risk having their privacy infringed and private details used against them.
The Cambridge Dictionary defines data protection as; “laws and regulations that make it illegal to store or share some types of information about people without their knowledge or permission”.
Entities which collect and use personal data, be they public or private, must be subjected to strict regulations imposing standards on how to handle any data they process.
They must be obligated to be transparent and accountable. Moreover, they must be subjected to checks and balances, compelled to respect the rights of individuals and the rule of law. More importantly, it is imperative for the protection of individual rights that a data protection framework is given the force of law.
There are numerous elementary principles upheld by broadly recognised codes, practices, decisions, recommendations, and policy instruments which provide the framework for effectively regulating the processing of personal data. For instance, as far back as 1980, the Organisation for Economic Co-operation and Development (OECD) in its Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, identified privacy principles that must guide states in developing data protection policies.
These privacy principles speak to collection limitation, data quality, purpose specification, use limitation, security safeguards, transparency, individual participation and accountability.
It is, therefore, prudent to have one comprehensive statute which regulates the manner in which the personal data of consumers is processed, handled and stored. Section 57 of the Constitution provides for the right to privacy; this includes the right to not have the privacy of one’s communications infringed and the protection of sensitive personal data from being disclosed.
The current legal framework for data protection in Zimbabwe is incoherent and inchoate. There is no comprehensive legal framework which regulates data privacy and protection.
Instead, data privacy and protection are dealt with under an assortment of statutes. For example, Part IV of the Freedom of Information Act (Chapter 10:33) “the FIA” provides for exemptions to the obligation of public entities to afford the public access to information.
Section 21, of the FIA, for instance, provides that public entities may refuse access to information to protect the personal and confidential information of third parties who are natural persons.
Sections 22 up to 26 of the FIA are populated with provisions that seek to protect sensitive information relating to natural and artificial persons. However, the FIA only deals with the protection of information held by public entities, thus leaving private entities unregulated.
The public may also have recourse to the Consumer Protection Act (Chapter 14:14) the “CPA”. Section 48 of the CPA makes provision for the consumer’s right to confidentiality and privacy.
It states that any person who receives, compiles, retains or reports any confidential information pertaining to a consumer or prospective consumer must protect the confidentiality of that information and must only use that information for a purpose permitted by the CPA or some other statute.
Section 48 further provides that the confidential information can only be released to third parties to the extent allowed by the CPA or other national legislation or as directed by the consumer or an order of court.
Sections 52 to 54 of the CPA also regulate data protection in respect of businesses conducting electronic transactions. Amongst other things, it places a duty on a supplier of goods and services by electronic transaction to disclose the security procedures and privacy policy of that supplier in respect of payment — payment information and personal information.
Section 54 combats the abuse of personal data of consumers by suppliers to harass consumers by way of unsolicited electronic commercial communications. Without doubt, the obligations placed on suppliers by the CPA afford consumers a measure of safety and security when conducting electronic transactions but the level of data protection offered is still not adequate enough to guard against the plethora of risks people are exposed to with regard to data privacy.
The Criminal Law (Codification and Reform) Chapter 9:23 “the Code” dedicates an entire chapter to computer-related crimes such as hacking which is a criminal offence under section 163 of the Code. Victims of hackings already have an express legal remedy under Chapter VIII of the Code.
The Code, however, still falls short of adequately protecting people transacting in the digital age as it does not cover some of the most rampant cybercrimes found in e-commerce; particularly mobile money transaction-related fraud.
In response to the changing environment, a progressive upgrade of data protection legislation was gazetted May 15, 2020 in the form of the Cyber Security and Data Protection Bill (House Bill 18 of 2019) the “Bill”. The purpose of this Bill is to consolidate cyber related offences and provide for data protection with due regard to the Declaration of Rights under the Constitution.
The Bill further aims to establish a Cyber Security Centre and a Data Protection Authority and to provide for investigation and collection of evidence of cyber crime and unauthorised data collection and breaches. Additionally, the Bill seeks to amend Sections 163 to 166 of the Code to broaden their scope and application.
Lastly, the Bill aims to provide for admissibility of electronic evidence for such offences, creating a technology driven business environment which encourages technological development and the lawful use of technology.
Despite criticism levelled against the Bill in its current form; the Bill is definitely a step in the right direction. Subject to further public consultations and further parliamentary work on it, this Bill has all the hallmarks of a success story concerning the regulation of data protection.
Once enacted, this legislation will certainly bring our laws closer to our constitutional ideals and international best practice.
Data protection laws need careful examination to ensure that the resultant framework is as watertight as possible and not undermined by legal ambiguities.
Once it comes into effect, data protection legislation must be complemented by effective implementation and enforcement