DLA Piper Intelligence

Data Protection
Laws of the World

Electronic Marketing

Zimbabwe recently enacted the Consumer Protection Act (Chapter 14:44), which has introduced several measures aimed at protecting consumers from unfair trade practices.

The Consumer Protection Act does not make specific reference to electronic marketing; however, it provides certain guidelines around electronic transactions, information to be provided by the service provider, a cooling-off period in electronic transactions and unsolicited goods, services, or communications.

Last modified 22 Jan 2024

The NCC Regulations provide that no licensee shall engage in unsolicited telemarketing unless it discloses:

  • At the beginning of the communication, the identity of the licensee or other person on whose behalf it is made and the precise purpose of the communication. During the communication, the full price of any product or service that is the subject of the communication must be specified.
  • The person receiving the communication shall have an absolute right to cancel the agreement for purchase, lease or other supply of any product or service within seven (7) days of the communication, by calling a specific telephone number (without any charge, and that the Licensee shall specifically identify during the communication) unless the product or service has by that time been supplied to and used by the person receiving the communication.

Licensees are required to conduct telemarketing in accordance with any “call” or “do not call” preferences recorded by the consumer, at the time of entering into a contract for services or after, and in accordance with any other rules or guidelines issued by the Commission or any other competent authority.

Internet Service Providers (ISP)

The NCC Legal Guidelines for Internet Service Providers (ISP) provide, in respect of commercial communications, that ISPs must take reasonable steps to promote compliance with the following requirements for commercial email or other commercial communications transmitted using the ISP’s services:

  • The communication must be clearly identified as a commercial communication.
  • The person or entity on whose behalf the communication is being sent must be clearly identified.
  • The conditions to be fulfilled in order to qualify for any promotional offers, including discounts, rebates or gifts, must be clearly stated.

Promotional contests or games must be identified as such, and the rules and conditions to participate must be clearly stated. Persons transmitting unsolicited commercial communications must take account of any written requests from recipients to be removed from mailing lists, including by means of public “opt-out registers” in which people who wish to avoid unsolicited commercial communications are identified.

Advertising

The Advertising Regulatory Council of Nigeria Act 2022 (ARCON Act) is the apex law regarding advertising and marketing communications in Nigeria; its scope covers both terrestrial and online advertisements. The Nigerian Code of Advertising Practice, Sales Promotion and Other Rights / Restrictions on Practice (5th Edition), which continues in force under the ARCON Act, provides that all advertisements and marketing communications directed at the Nigerian market using the Internet or other electronic media must comply with the following requirements:

  • The commercial nature of such communications must not be concealed or misleading; it should be made clear in the subject header.
  • Terms of the offer should be clear and devices should not be used to conceal or obscure any material factors, such as price or other sales conditions likely to influence customer decisions.
  • The procedure for concluding a contract should be clear.
  • Due recognition must be given to the standards of acceptable commercial behavior held by public groups before posting marketing communications to such groups using electronic media.
  • Unsolicited messages should not be sent except where there are reasonable grounds to believe that consumers who receive such communications are interested in the subject matter or offer.
  • All marketing communications sent via electronic media should include a clear and transparent mechanism enabling consumers to expressly opt-out from future solicitations.
  • Care should be taken to ensure that neither the marketing communication, nor applications used to enable consumers to open marketing or advertising messages, interfere with consumers' normal use of electronic media.
  • Customer information must not be transferred to any party except to the extent agreed with the Customer, as permitted or required by the NCC or other applicable laws or regulations.
Last modified 18 Jan 2024
Law
Zimbabwe

Access to Information and Protection of Privacy Act (Chapter 10:27);

Banking Act (Chapter 24:20);

Courts and Adjudicating Authorities (Publicity Restrictions) Act (Chapter 07:04);

Consumer Protection Act (Chapter 14:44);

Census and Statistics Act (Chapter 10:29);

Cyber and Data Protection Act (Chapter 12:07);

Interception of Communications Act (Chapter 11:20); and,

National Registration Act (Chapter 10:17);

Communication Technology (“ICT Policy”).

Last modified 22 Jan 2024
Definitions

Definition of personal data

The Access to Information and Protection of Privacy Act defines personal information as recorded information about an identifiable person which includes: 

  • The person's name, address, or telephone number;
  • The person's race, national or ethnic origin, religious or political beliefs or associations;
  • The person's age, sex, sexual orientation, marital status, or family status;
  • An identifying number, symbol or other particulars assigned to that person;
  • Fingerprints, blood type or inheritable characteristics;
  • Information about a person's healthcare history, including a physical or mental disability;
  • Information about educational, financial, criminal or employment history;
  • A third party's opinions about the individual;
  • The individual's personal views or opinions (except if they are about someone else); and,
  • Personal correspondence with home or family.

Definition of sensitive personal data

There is no law that defines Sensitive Personal Data. However, in terms of the Data Protection Act, sensitive data refers to:

  • information or any opinion about an individual which reveals or contains the following:
    • racial or ethnic origin;
    • political opinions;
    • membership of a political association;
    • religious beliefs or affiliations;
    • philosophical beliefs;
    • membership of a professional or trade association;
    • membership of a trade union;
    • sex life;
    • criminal, educational, financial or employment history;
    • gender, age, marital status, or family status;
  • health information about an individual;
  • genetic information about an individual; or
  • any information which may be considered as presenting a major risk to the rights of the data subject.
Last modified 22 Jan 2024
Authority

In terms of the Data Protection Act, the Postal and Telecommunication Regulatory Authority, established in terms of section 5 of the Postal and Telecommunications Act [Chapter 12:05], is the recognised National Data Protection Authority. The Authority has the responsibility to promote and enforce the fair processing of personal data and advise the Minister of Information Communication Technology on matters relating to privacy rights. The Authority is mandated to conduct inquiries and investigations either on its own accord or on the request of any interested person in relation to data protection rights.

Under the recently enacted Data Protection Act, a data protection officer must be appointed to ensure compliance with all obligations provided for in the Data Protection Act.

Under its mandate, the Zimbabwe Media Commission:

  • Ensures that the people of Zimbabwe have equitable and wide access to information;
  • Comments on the implications of proposed legislation or programs of public bodies on access to information and protection of privacy; and,
  • Comments on the implications of automated systems for collection, storage, analysis, or transfer of information or for the access to information or protection of privacy. 

The Revised ICT Policy proposes the establishment of a quasi-government entity to monitor Internet traffic. It states that all Internet gateways and infrastructure will be controlled by a single company, while a National Data Centre to support both public and high security services and information will be established.

Last modified 22 Jan 2024
Registration

There is no law that requires the registration of databases.

Last modified 22 Jan 2024
Data Protection Officers

In terms of the Data Protection Act, a Data Protection Officer refers to any individual who is appointed by the data controller and charged with ensuring, in an independent manner, compliance with the obligations provided for in this Act.

Last modified 22 Jan 2024
Collection & Processing

There are no specific provisions for the collectors of personal data to obtain the prior approval of data subjects for the processing of their personal data. However, when collecting data the controller or the controller’s representative shall provide the data subject with at least the following information: 

  • the name and address of the controller and of his or her representative, if any;
  • the purposes of the processing;
  • the existence of the right to object, by request and free of charge, to the intended processing of data relating to him or her, if it is obtained for the purposes of direct marketing;
  • whether compliance with the request for information is compulsory or not, as well as what the consequences of the failure to comply are;
  • taking into account the specific circumstances in which the data is collected, any supporting information, as necessary to ensure fair processing for the data subject, such as:
    • the recipients or categories of recipients of the data;
    • whether it is compulsory to reply, and what the possible consequences of the failure to reply are;
    • the existence of the right to access and rectify the data relating to him or her, except where such additional information, taking into account the specific circumstances in which the data is collected, is not necessary to guarantee accurate processing.
  • other information dependent on the specific nature of the processing, as specified by the Authority. 

For purposes of processing the information, Section 13 of the Data Protection Act is quite instructive. In terms of that Section, every data controller or data processor shall ensure that personal information is:

  • processed in accordance with the right to privacy of the data subject;
  • processed lawfully, fairly and in a transparent manner in relation to any data subject;
  • collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed.

The Census and Statistics Act contains provisions which restrict the use and disclosure of information obtained during the conducting of a census exercise. Under this Act, authorities are able to collect, compile, analyse, and abstract statistical information relating to any of the following, and to publish such statistical information:

  • Commercial
  • Industrial
  • Agricultural
  • Mining
  • Social
  • Economic
  • General activities and conditions of the inhabitants of Zimbabwe
Last modified 22 Jan 2024
Transfer

The transfer of data to any other jurisdiction is governed in terms of Part VII of the Data Protection Act under sections 28 and 29.

In terms of Section 28 of the Data Protection Act: 

  • A data controller may not transfer personal information about a data subject to a third party who is in a foreign country unless an adequate level of protection is ensured in the country of the recipient or within the recipient international organisation and the data is transferred solely to allow tasks covered by the competence of the controller to be carried out.

  • The adequacy of the level of protection afforded by the third country or international organisation in question shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations, with particular consideration being given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the recipient third country or recipient international organisation, the laws relating to data protection in force in the third country or international organisation in question and the professional rules and security measures which are complied with in that third country or international organisation.

  • The Authority shall lay down the categories of processing operations for which and the circumstances in which the transfer of data to countries outside the Republic of Zimbabwe is not authorised.

  • The Minister responsible for the Cyber security and Monitoring Centre, in consultation with the Minister, may give directions on how to implement this section with respect to transfer of personal information outside of Zimbabwe.
Last modified 22 Jan 2024
Security

Section 18 of the Data Protection Act provides guidelines for the protection of data. It states that to safeguard the security, integrity and confidentiality of the data, the controller or his or her representative, if any, or the processor, shall take the appropriate technical and organisational measures that are necessary to protect data from negligent or unauthorised destruction, negligent loss, unauthorised alteration, or access and any other unauthorised processing of the data. 

Further, the Section also provides that the Data Protection Authority may issue appropriate standards relating to information security for all or certain categories of processing. Since the enactment of this Act, the Data Protection Authority has yet to issue any appropriate standards.

The Revised ICT Policy states that there will be development, implementation and promotion of appropriate security and legal systems for e-commerce, including issues related to cybersecurity, data protection and e-transactions. The Policy states that the following laws will be enacted to cater for intellectual property rights, data protection and security, freedom of access to information, computer related and cybercrime laws: 

  • data protection and privacy
  • intellectual property protection and copyright
  • consumer protection; and
  • child online protection.
Last modified 22 Jan 2024
Breach Notification

Breach notification

Section 19 of the Data Protection Act places a duty on the data controller to notify the Authority “within twenty-four (24) hours of any security breach affecting data he or she processes”.

Mandatory breach notification

Section 19 of the Data Protection Act uses the word “shall” which makes it mandatory to notify the Authority within twenty-four (24) hours.

Last modified 22 Jan 2024
Enforcement

The Constitution mandates the Human Rights Commission (HRC) to enforce a citizen's human rights where they have been violated. The right to privacy, including the right not to have the privacy of one's communication infringed, is a basic human right and, thus, falls within the purview of the HRC. However, the Cyber Security and Monitoring of Interceptions of Communications Centre (CSMICC), established by the Interception of Communications Act, is mandated to, among other things, monitor communications made over telecommunications, radio communications and postal systems and to give technical advice to service providers. The mandate of the CSMICC does not preclude it from monitoring computer-based data for the purposes of enforcing an individual's right to privacy where it is found that such right has been infringed. 

Further, the CSMICC also has the duty to oversee the enforcement of the Act to ensure that it is enforced reasonably and with due regard to fundamental human rights and freedoms.

Last modified 22 Jan 2024
Online Privacy

There is currently no specific online privacy legislation.

Last modified 22 Jan 2024
Contacts
Farai Nyabereka
Partner
Manokore Attorneys
T +263 4 746 787
Steve Chikengezha
Associate
Manokore Attorneys
T +263 773 376 633
Last modified 22 Jan 2024