www.misa.org

3. Data Protection and Privacy Legislation

The Cyber and Data Protection Act is the main act that deals with data protection in Zimbabwe to give effect to the constitutional right to privacy. This can be gleaned from its long title, which states that the purpose of the Act is “to provide for data protection with due regard to the Declaration of Rights under the Constitution”. It is submitted that, in terms of international best practices, the Cyber and Data Protection Act is blighted with various gaps that detract from its ability to properly and adequately provide for data protection and privacy.

3.1. Definitions

The Cyber and Data Protection Act laudably distinguishes between ordinary data and sensitive data for purposes of data protection. While the definition of sensitive data in Section 2 is quite broad, it does not encompass biometric data. Although the reference to biometric data in Section 12 of the Act suggests that biometric data is intended to enjoy the same high level of protection as sensitive data, it is submitted that it is imperative that, for the avoidance of doubt, the definition of sensitive data in Section 2 be amended to cover biometric data expressly. This is particularly necessary because there is wide processing of biometric data in our country. For instance, as noted above, in terms of Statutory Instrument 85 of 2017, a person’s biometric data is captured for voter registration purposes.

Further, while Section 12 of the Act refers to biometric data, the term is not defined in Section 2. Accordingly, a definition of biometric data is needed in the Act to avoid doubt as to its envisaged meaning. In that regard, guidance as to the meaning of biometric data may be derived from Article 4 (14) of EU GDPR [9].

Further, while Section 2 of the Cyber and Data Protection Act defines data controller by inclusion of the term “licensable”, there is no provision in the Act which sets out the criteria that a data controller must satisfy for it to be licensable. Accordingly, there is a need for a substantive provision in the Act which fleshes out the term licensable used therein. This is particularly important so that a data controller knows whether it is licensable, regulates its conduct and arranges its affairs accordingly.

3.2. Application of the Act

Section 4 (1) of the Cyber and Data Protection Act refers to the Protection of Personal Information Act [Chapter 10:27], which does not exist in our statute book. It stands to reason that such a reference requires removal to eliminate the confusion created thereby.

Further, while the EU GDPR [10] and the Malabo Convention [11] expressly provide that they do not apply to the processing of personal data by a natural person during a purely personal or household activity, Section 4 of the Act does not stipulate such an exemption. It is submitted that the regulation of how a natural person handles their personal data during a purely personal or household activity constitutes an unwarranted intrusion upon the right to privacy. So, the Act should expressly state that it does not apply to such a situation to avoid doubt.

9. It defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
10. See Article 2 (2) thereof.
11. See Article 9 thereof.

Misa Zimbabwe Policy Brief