By Conrad Mwanawashe
Harare – Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) has moved to clear the air over misconceptions surrounding the Cyber and Data Protection Act, with Director of Data Protection, Tsitsi Mariwo, insisting that the law is not an instrument to silence the media but a framework to strengthen accountability, trust and responsible digital practice.
Speaking at a media engagement workshop in Harare, Mariwo said much of the public debate around the Cyber and Data Protection Act (CDPA) has been driven by misunderstanding rather than fact.
Chief among the misconceptions is that the Act has led to arrests of journalists and could trigger widespread criminalisation of media work. According to Mariwo, the CDPA itself does not criminalise responsible journalism.
Arrests that have occurred in the digital space have been made under the Criminal Law (Codification and Reform) Act, not under the Cyber and Data Protection Act, she added.
“The CDPA is a regulatory framework focused on data governance and privacy protection,” she said.
“Arrests that have occurred have been made under the Criminal Law (Codification and Reform) Act, not under the CDPA. The Act itself does not criminalise responsible journalism,” said Mariwo.
Mariwo said that while the law recognises the special role of journalism in a democratic society, it does not remove accountability.
Instead, it provides structured safeguards to ensure that the right to privacy and the right to freedom of expression coexist as constitutional partners rather than adversaries.
Another common claim is that the CDPA bans the processing of personal information by journalists. Mariwo dismissed this as inaccurate.
The law, she said, does not prohibit the media from handling personal data. Rather, it permits such processing within a clear legal framework grounded in lawfulness, fairness and public interest considerations.
Consent, she added, is another area where confusion persists. Many assume that the Act is always about obtaining consent before publishing or processing personal information.
Mariwo clarified that while consent is one lawful basis for processing data, it is not the only one. Personal information may also be processed without consent where there is a legitimate legal basis, including public interest, compliance with a legal obligation, or other recognised grounds provided for in the Act.
Crucially, Mariwo said that POTRAZ does not determine what qualifies as public interest.
The assessment of public interest, she said, rests primarily with the media institution.
The regulator does not substitute its editorial judgment for that of journalists. However, decisions must be rational, defensible and capable of withstanding objective scrutiny if challenged.
The Act provides specific exemptions for journalistic purposes, but these are conditional.
Data must be processed solely for journalism, there must be a reasonable belief that publication is in the public interest, and there must be a reasonable belief that complying with certain requirements, such as consent, would defeat public interest demands.
However, Mariwo noted that not everything is exempt. Media houses are still required to comply with obligations unrelated to core journalistic activity.
These include licensing and registration with POTRAZ for non-journalistic functions such as processing human resources records, managing supplier details, handling client information for marketing and advertising, and implementing adequate security safeguards to protect personal data.
The media is also not exempt from reporting data breaches, from liability for unlawful acquisition of data, or from being sued for compensation where damage or distress is caused.
Processing children’s data requires written consent from a guardian. Sensitive categories such as genetic, biometric and health data demand heightened protection.
Penalties under the Act for offences can be severe, including fines, imprisonment of up to seven years, and seizure of infringing equipment.
But Mariwo emphasised that these sanctions are aimed at unlawful conduct, not legitimate investigative reporting carried out responsibly and in the public interest.
Positioning Zimbabwe within a broader continental and global context, she noted that 82% of countries worldwide now have data protection frameworks, including 64% of African nations and 75% of SADC member states.
Zimbabwe’s law aligns with regional and continental instruments such as the African Union’s Malabo Convention and SADC’s Model Law, reinforcing trust in digital trade and secure cross-border data flows.
At its core, Mariwo said, the Cyber and Data Protection Act seeks to build confidence in the secure use of information and communication technologies, promote lawful digital innovation and create a technology-driven business environment.
She called on the media to implement clear data protection policies, train journalists and editors on lawful processing, conduct risk assessments when handling sensitive information, anonymise data where possible, document public interest reasoning, and establish incident response protocols for data breaches.
“The CDPA strengthens responsible journalism; it does not weaken it,” Mariwo said. “Freedom of expression and the right to privacy are not opposing forces — they are constitutional partners.”
