In Zimbabwe, more businesses are going digital and interacting directly with consumers. This has seen the rise of e-commerce business, whereby contracts are solicited, offered, negotiated and concluded online. The evolution of e-commerce through information technology affects all the major stakeholders, who include companies, consumers and the government. One area which poses challenges is the processing, handling and storage of large volumes of consumers' personal data by commercial enterprises.

Data privacy regulates all stages of the processing of personal data. Privacy and data protection have become major issues in the global economy. Companies and individuals have become more concerned with how their personal data is handled, stored and transferred. The establishment of any commercial contract requires the exchange of large amounts of data, often of a personal nature. It should be noted that the only law dealing with data protection, or protection of personal privacy, is the Access to Information and Protection of Privacy Act Chapter 10:27. However, the Act only deals with the prevention of unauthorized collection, use or disclosure of information by public bodies. It is thus clear that private institutions are not regulated.

The Constitution of Zimbabwe in section 57 provides for the right to privacy. This Constitutional right, one could argue, could be used as the basis for transforming the law on privacy and data protection to include all institutions not presently covered by the present legal provisions. The law should be developed in line with the need to protect the sensitive and personal information of all consumers.

Other countries have already put legislative measures in place to protect personal information, including rules and regulations for the international transfer of data. South Africa has come up with the Protection of Personal Information Act, No 4 of 2013, which promotes the protection of personal information by public and private bodies. In Europe, the EU General Data Protection Regulation will apply from 25 May 2018, repealing the current EU Data Protection Directive. The primary objectives of the EU General Data Protection Regulation are to give citizens of the EU back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The law should deal with principles on data privacy such as collection limitation, use limitation and security safeguards. The current law results in a lot of legal uncertainty and risk between the consumers and the business enterprises who hold personal and private data. Any law enacted to deal with protection of information should seek to increase data security compliance obligations and consequences, including significant fines for organisations that fail to adhere to same. While some institutions may adopt international best practice on collecting and processing confidential information, there remains a need for specific law on data collection, handling and disclosure.


About the author(s)

Nobert is a duly admitted Legal Practitioner, Notary Public and Conveyancer. He is an attorney of the High Court and Supreme Court of Zimbabwe with experience in advocacy and corporate advisory.