By Costa Nkomo
HARARE – A new policy requiring WhatsApp group administrators in Zimbabwe to obtain licenses and appoint data protection officers has drawn sharp criticism from a local Information Technology (IT) expert, who views the move as misguided and overly broad.
The controversial licensing scheme, outlined at a recent POTRAZ breakfast meeting, will see WhatsApp group administrators facing fees ranging from US$50 to US$2,500, depending on the type of group. The government’s stated purpose for the policy is to enhance data security and privacy for all citizens.
Information Communications Technology, Postal and Courier Services Minister, Tatenda Mavetera, has been the driving force behind the new regulations.
“The time is ticking for organisations that collect first-party data, as you are required by law to have a data protection licence and the licence fees range from US$50 to US$2500. Furthermore, a data protection officer (DPO) who is trained and certified by POTRAZ should be appointed by such a licensee and the appointment should be communicated to POTRAZ.
“Even churches who collect personal data ought to have such a licensee and appoint a DPO. WhatsApp group admins are not spared too, if your groups are meant for business, you should as well get a licence. Failure to comply attracts penalties,” Mavetera stated on her LinkedIn page recently.
The policy draws on Zimbabwe’s Cyber and Data Protection Act, which defines personal data as information that can be used to identify an individual directly or indirectly.
Since WhatsApp group administrators have access to members’ phone numbers, the government argues that these groups fall under the purview of the data protection regulations.
However, IT expert Christopher Musodza believes the government’s approach is misguided and lacks clarity.
“If we go by what she said, then it is very sad for Zimbabwe to treat WhatsApp group administrators, or WhatsApp group platforms and churches broadly like that. You can’t put everyone in the same bracket. You can’t say a telecommunication provider that has all the data that they store.
“And also talk in the same vein even the hospitals that have sensitive information like people’s health records and including churches in that category it would not make sense. So we need to have those regulations in place first,” he said.
Musodza further highlighted the broad definitions within the Cyber and Data Protection Act.
“The definitions in our Cyber and Data Protection Act are broad when it comes to data processors and data controllers. The definition can indeed stretch to anyone who collects data. Be it for a workshop, data attendance register, be it a church, be it any organisation can fit into that definition.
“I had hoped that POTRAZ as the data protection authority as a statutory designated data protection authority would set out guidelines or standards in terms of who fits into that category. This is in terms of numbers, capacity or type of business. It is not practical for you to have a law that includes everyone.
“In other countries or jurisdictions, they would have guidelines to say such and such organisation or such many records and so forth is required to have data protection officer and also required to be licenced by the data protection authority who is POTRAZ in our case,” Musodza argued.
