Call for transparency and Stakeholder Consultation on New Cyber and Data Protection Licencing Regulations

The recent implementation of the Cyber and Data Protection Licencing regulations (S.I. 155 of 2024) by the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) has sparked significant concerns among a wide range of stakeholders and the public in general. The Licencing framework, which mandates various fees and regulatory requirements for data controllers and data protection officers, impacts all organisations that process personal data. This includes businesses, schools, churches, and non-profit organisations. However, there appears to have been limited or no consultation with these affected groups before the regulations were enacted. This raises questions about the process followed in introducing these laws and highlights the need for a transparent and inclusive approach to policymaking.

The new regulations require data controllers to pay Licencing fees based on their operational tier, ranging from USD 50 to USD 2,500. Additionally, data protection officers must undergo training and certification, with fees reaching USD 1,450 per person for international applicants. For many organisations, especially smaller entities, these fees represent a considerable financial burden. Without prior consultation, stakeholders had little chance to provide feedback or voice their concerns about the potential implications of the regulations on their operations.

In Zimbabwe, stakeholder engagement is a cornerstone of effective regulatory development, especially when new laws impose obligations that could fundamentally alter how organisations operate. By consulting with businesses, religious institutions and educational organisations, policymakers can better understand the unique challenges faced by each sector and design regulations that are both effective and feasible for compliance. Failure to engage in such consultations risks creating regulations that may be impractical, overly burdensome or detrimental to economic and social activities.

The Cyber and Data Protection Licencing framework appears to have been influenced by the European Union's General Data Protection Regulation (GDPR), a well-established set of laws governing data protection in Europe. However, one critical aspect of the GDPR's development was extensive public consultation, which allowed stakeholders to provide feedback, ensuring the final regulation was tailored to the needs of all parties involved. In Zimbabwe, stakeholders are calling for a similar approach, emphasising that policies with such wide-reaching implications must be developed collaboratively to address the needs of all affected entities.

We call on the Minister of Information Communication Technology (ICT), Postal and Courier Services, to clarify whether a meeting or consultation process was held with stakeholders before the introduction of the Cyber and Data Protection Licencing regulations. If consultations were conducted, it would be beneficial for the Ministry to share the feedback received and explain how it shaped the final regulations. Conversely, if consultations were not held, we urge the Ministry to consider suspending the implementation of these regulations until meaningful stakeholder engagement can take place.

By pausing the rollout of the Licencing requirements and organising a stakeholder meeting, POTRAZ would have the opportunity to address concerns, gather valuable input, and make necessary adjustments to the regulations. Such an approach would align with international best practices and foster greater trust between regulators and the public. Zimbabwe's businesses, schools, churches, and other institutions deserve to have their voices heard on a matter that directly affects their operations and financial stability.

We respectfully urge the Ministry of ICT to ensure that the implementation of the Cyber and Data Protection Licencing regulations follows an inclusive and transparent process. Consulting with stakeholders not only strengthens the regulatory framework but also promotes compliance, goodwill and effective data protection for all Zimbabweans.

Engineer Jacob Kudzayi Mutisi