By
Costa
Nkomo
The
controversial
licensing
scheme,
outlined
at
a
recent
POTRAZ
breakfast
meeting,
will
see
WhatsApp
group
administrators
facing
fees
ranging
from
US$50
to
US$2,500,
depending
on
the
type
of
group.
The
government’s
stated
purpose
for
the
policy
is
to
enhance
data
security
and
privacy
for
all
citizens.
Information
Communications
Technology,
Postal
and
Courier
Services
Minister,
Tatenda
Mavetera,
has
been
the
driving
force
behind
the
new
regulations.
“The
time
is
ticking
for
organisations
that
collect
first-party
data,
as
you
are
required
by
law
to
have
a
data
protection
licence
and
the
licence
fees
range
from
US$50
to
US$2500.
Furthermore,
a
data
protection
officer
(DPO)
who
is
trained
and
certified
by
POTRAZ
should
be
appointed
by
such
a
licensee
and
the
appointment
should
be
communicated
to
POTRAZ.
“Even
churches
who
collect
personal
data
ought
to
have
such
a
licensee
and
appoint
a
DPO.
WhatsApp
group
admins
are
not
spared
too,
if
your
groups
are
meant
for
business,
you
should
as
well
get
a
licence.
Failure
to
comply
attracts
penalties,”
Mavetera
stated
on
her
LinkedIn
page
recently.
The
policy
draws
on
Zimbabwe’s
Cyber
and
Data
Protection
Act,
which
defines
personal
data
as
information
that
can
be
used
to
identify
an
individual
directly
or
indirectly.
Since
WhatsApp
group
administrators
have
access
to
members’
phone
numbers,
the
government
argues
that
these
groups
fall
under
the
purview
of
the
data
protection
regulations.
However,
IT
expert
Christopher
Musodza
believes
the
government’s
approach
is
misguided
and
lacks
clarity.
“If
we
go
by
what
she
said,
then
it
is
very
sad
for
Zimbabwe
to
treat
WhatsApp
group
administrators,
or
WhatsApp
group
platforms
and
churches
broadly
like
that.
You
can’t
put
everyone
in
the
same
bracket.
You
can’t
say
a
telecommunication
provider
that
has
all
the
data
that
they
store.
“And
also
talk
in
the
same
vein
even
the
hospitals
that
have
sensitive
information
like
people’s
health
records
and
including
churches
in
that
category
it
would
not
make
sense.
So
we
need
to
have
those
regulations
in
place
first,”
he
said.
Musodza
further
highlighted
the
broad
definitions
within
the
Cyber
and
Data
Protection
Act.
“The
definitions
in
our
Cyber
and
Data
Protection
Act
are
broad
when
it
comes
to
data
processors
and
data
controllers.
The
definition
can
indeed
stretch
to
anyone
who
collects
data.
Be
it
for
a
workshop,
data
attendance
register,
be
it
a
church,
be
it
any
organisation
can
fit
into
that
definition.
“I
had
hoped
that
POTRAZ
as
the
data
protection
authority
as
a
statutory
designated
data
protection
authority
would
set
out
guidelines
or
standards
in
terms
of
who
fits
into
that
category.
This
is
in
terms
of
numbers,
capacity
or
type
of
business.
It
is
not
practical
for
you
to
have
a
law
that
includes
everyone.
“In
other
countries
or
jurisdictions,
they
would
have
guidelines
to
say
such
and
such
organisation
or
such
many
records
and
so
forth
is
required
to
have
data
protection
officer
and
also
required
to
be
licenced
by
the
data
protection
authority
who
is
POTRAZ
in
our
case,”
Musodza
argued.