Demystifying the Cyber Bill

Obituaries
This past week I was among those that were observing the Zimbabwean parliamentary public hearings on the Cyber Security and Data Protection Bill, gazetted on May 15 2020. These public hearings are called for in terms of the country’s constitution, which compels Parliament, through its respective committees, to consult with members of the public in […]

This past week I was among those that were observing the Zimbabwean parliamentary public hearings on the Cyber Security and Data Protection Bill, gazetted on May 15 2020. These public hearings are called for in terms of the country’s constitution, which compels Parliament, through its respective committees, to consult with members of the public in the law-making process.

The Parliamentary Portfolio committees on Information Communication Technologies (ICTs), Postal and Courier Services and the Information, Media and Broadcasting Services as well as the Senate’s Committee on Peace and Security jointly sought the public’s input into the Cyber Bill. There were three teams of these committees spread across the country’s 10 provinces exercising their mandate to gather submissions that will contribute to the debates when the Bill is being considered in Parliament. I was with the team in the southern parts of the country, wherein citizens residing in Bulawayo, Gwanda, Nyamandlovu and Kwekwe had an opportunity to express their views on this rather technical bill. As largely expected, most citizens were ill-equipped to make sound submissions as either they were yet to have sight of the Bill or they couldn’t understand the Bill’s intentions. In any case, most of the legislators did not understand the Bill either and this was evidenced by the rather shallow manner in which they would paraphrase the intentions of the Bill. In a trend set by most government ministers, the legislators would narrow the Bill’s intentions to regulating social media. A typical example that would be given, perhaps to stimulate discussions through emotional blackmail was that of revenge porn and its effects. Naturally, no one would dare stand to oppose such noble intention to stop such blatant abuse of social media. As a result, most of the submissions save for a handful that had been equipped to understand the Bill by the Media Institute of Southern Africa (Misa) Zimbabwe and the Media Alliance of Zimbabwe (MAZ), supported the Bill based on social media abuse. There was however notable submissions by former legislator Brian Tshuma, who went at length to expose the inadequacies of the Bill in ensuring data protection. The Bill mainly focuses on the protection of raw data and Tshuma made valid arguments around how data is evolving and in an era of algorithms, the Bill is archaic. He also made reference to the Bill’s inadequacy to clearly define the rights of data subjects, among them the right to access, to erasure and to be forgotten among other digital rights. Outside these submissions and those made by civil society and media organisations, there are certain myths and misconceptions around the regulation of social media that informed the deliberations. In this instalment, I will look at about five of these myths and misconceptions and conclude by arguing why the Cyber Security and Data Protection Bill should not be passed in its current form. There is a misconception that there is currently no legal framework governing social media abuse For some reason, there is this thinking that people can get away with crimes committed online, be it theft, rape, violence or any other crime for that matter. This is not true and the more citizens are made aware that the rights and protection that they have at law offline apply online. Yes, the Bill under the objectives clause claims to intend to consolidate offenses specifically committed online, but as I will argue in my conclusion, the Bill doesn’t do this but rather entrenches surveillance. Regulating social media through legislation will result in an ethical society During the public hearings, particularly the one in Kwekwe, there were representations from the faith-based community that the cyber law would address widespread pornographic material online and that this law would protect children from accessing this and other non-child friendly material online. Again, this is somewhat a misconception, as if that were the case, the entertainment and censorship laws in this country would have long dealt with this issue. Civil strife is a result of social media If there is one myth that governing parties in polarised countries have managed to effectively yet senselessly argue is that civil strife is exacerbated by ease of communication as a result of the internet and social media. The focus is on the platform and not on the message. There is a stark difference between cyber terrorism and citizens organising themselves and expressing their views online. Criminalising expression silences dissenting voices Government often has an appetite to enforce criminal offences to silence dissent. This has often been done in the name of national security and public interest. However, it is very difficult to silence citizens as speaking out one’s mind is a natural right. So even if platforms are closed as was the case with the closure of critical media at some point in Zimbabwe, citizens often find other platforms to express their views even under fear. Legislating is meant to enhance government control of the internet There were misconceptions in some quarters that should government, through the Postal and Telecommunications Regulatory Authority of Zimbabwe (Potraz) take control of internet governance and by assuming the role of the Data Protection Authority and Cyber Security Centre, there is centralised control of the internet. This is not necessarily the case as even when government seeks to control the internet to the extent of enforcing shutdowns, as was the case in Zimbabwe on some occasions, there are other ways that citizens access the internet. There are other misconceptions that were not necessarily accurate, but the bottom line is that our legislators need to rise above these and take the Bill back to the executive. Zimbabwe cannot have a law like the repealed Access to Information and Protection of Privacy Act (Aippa) that lumped up three different and broad areas, making the law ominous and clumsy. We cannot have a law that criminalises expression by having broadly defined crimes such as cyber bullying, incitement to violence and false news as obtained in Section 164 of the Bill. In fact, close reading of this section, one could be arrested for merely forwarding a message or for being added to a WhatsApp group. It would be retrogressive for Parliament to accept a law that gives excessive powers to the executive, as obtained in Section 5 -7 of the Bill that effectively makes a Cabinet minister a player, referee, coach and supporter. Parliament should reject a bill that empowers the executive to use undefined investigative tools such as the key-stroke logger obtained in Section 35 of the Bill. Use of remote forensic tools should be clearly defined and explained including the circumstances they can be used. There should actually be judicial oversight before these are used.

l Nigel Nyamutumbu is a media practitioner currently serving as the Programmes Manager of the Media Alliance of Zimbabwe (MAZ). He can be contacted on [email protected] or +263 772501557