www.misa.org 3.8. Cross-border data transfer Section 28 (2) of the Cyber and Data Protection Act sets out the scope of considerations that a data controller must consider in assessing the adequacy of the level of protection afforded by a third party for cross-border data transfer. It is submitted that there is a need to broaden the scope of the said considerations by expressly including such factors as the rule of law, respect for human rights and fundamental freedoms, case law and effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred29. Further, the Act is silent on mechanisms of international cooperation concerning the enforcement of data subject rights arising out of cross-border data transfer. Accordingly, the Act should provide mutual legal assistance to multilateral and bilateral treaties30. The said mutual assistance processes and agreements should be documented, publicly available and subject to guarantees of procedural fairness31. 3.9. Data subject remedies Section 33 of the Cyber and Data Protection Act only recognises criminal remedies, except for civil remedies in favour of data subjects. In recognition and codification of the principle that there are no rights without remedies, there is a need for the Act to expressly recognise the right of data subjects to effective judicial remedies against data controllers or processors32. In that regard, the Act should express the right of data subjects to receive compensation from a data controller or processor for financial or emotional damage suffered because of infringement of Act33. 4. Surveillance legislation As noted above, the main pieces of legislation providing surveillance in Zimbabwe are the Interception of Communications Act and the Postal and TelecommunicationsAct. In that regard, the long title of the Interception of Communications Act states that the purpose of the Act is to “provide for the lawful interception and monitoring of certain communications in the course of their transmission through a telecommunication, postal or any other related service or system in Zimbabwe”. By allowing for interception and monitoring of communications, the Interception of Communications Act and the Postal and Telecommunications Act operate to abridge the constitutional right to privacy, which is defined to include a person’s right not to have “the privacy of their communications infringed”34. While in Section 86 of the Constitution of Zimbabwe, the limitation of the right to privacy is permissible, such limitation must be necessary and proportionate for it to be valid35. In that regard, the International Principles on the Application of Human Rights to Communications Surveillance states: Activities that restrict the right to privacy, including communications surveillance, can only be justified when they are prescribed by law, they are necessary to achieve a legitimate aim, and are proportionate to the aim pursued. 29. See Article 45 (2) of the EU GDPR. 30. See Article 61 of the EU GDPR. 31. See the International Principles on the Application of Huma Rights to Communications Surveillance. 32. See Article 19 of the EU GDPR. 33. See Article 82 of the EU GDPR. 34. See section 57 (d) of the Constitution of Zimbabwe, 2013. 35. This can be gleaned from section 86 (2) of the Constitution. Misa Zimbabwe Policy Brief 11