News 

Balancing Privacy and Press Freedom: Zimbabwe’s CDPA Shapes a New Media Landscape

MrBarns 63 Views 0 Comments

By Desire Tshuma

Harare – Harare hosted a media‑police engagement workshop on the Cyber and Data Protection Act (CDPA), drawing journalists, law‑enforcement officers and regulators into a lively debate on privacy, security and press freedom. The session was jointly facilitated by the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) and the Media Institute of Southern Africa (MISA), with senior officials from both bodies outlining the Act’s practical impact on newsrooms across the country.

Tsitsi Mariwo (pictured), the inaugural Director of Data Protection in Zimbabwe, has pioneered the implementation of the nation’s legal and regulatory data‑protection framework. She has positioned Zimbabwe as a regional player by establishing a functional national Data Protection Office and designing the country’s data‑protection architecture.

Her strategic leadership has shaped national policy, regulatory instruments, capacity‑building programmes, and cross‑border cooperation mechanisms, setting new benchmarks for data governance across SADC and the African continent. Under her guidance, Zimbabwe now actively participates in the Network of African Data Protection Authorities (NADPA) and the Global Privacy Assembly (GPA), and has negotiated a landmark MoU with South Africa to harmonise cross‑border data flows.

She also represents Zimbabwe in regional negotiations, including the review of the SADC Model Law on data protection. Tsitsi holds an LLM and LLBS (Hons) from the University of Zimbabwe, plus professional certifications in data protection, cybersecurity, intellectual property law, telecommunications policy and regulation, and international trade law.

Tsitsi opened the workshop with a clear message: “The CDPA is designed to protect personal information, not to silence reporters.” She explained that media houses are now classified as data controllers, requiring them to adopt written data‑protection policies, train staff on secure information handling, and notify the regulator of any data breach within 24 hours of becoming aware of it, Failure to comply can trigger administrative fines, but the law does not introduce new criminal charges for legitimate journalistic work.

MISA’s Advocacy Officer, Malvern Mukundu, emphasized that the Act provides a lawful basis for processing personal data when it serves the public interest, allowing investigative journalists to pursue stories without obtaining consent from every source. “When applied correctly, the CDPA becomes a shield for reporters, clarifying when data can be used and when it must be protected,” he said. He urged newsrooms to appoint a data‑protection officer and to conduct regular audits of digital archives, noting that such steps bolster credibility and safeguard sources.

Participants learned that recent media‑related prosecutions have been based on Section 164C of the Criminal Law (Codification and Reform) Act, not on the CDPA. No journalist has been arrested for reporting under the data‑protection framework, a fact both facilitators highlighted to ease fears of a “press gag.”

The workshop also featured a practical demonstration by the Zimbabwe Republic Police’s Cybercrime Unit, which showed how to preserve digital evidence and report cyber‑incidents. Officers stressed that journalists who quickly share information on emerging threats help law‑enforcement respond faster, creating a collaborative front against online harassment, false news and other cyber offences.

Facilitators recommended that newsrooms embed encryption for source material, develop a breach‑response checklist, and hold quarterly refresher sessions on data‑protection compliance. These actions, participants agreed, turn regulatory requirements into everyday newsroom habits, reinforcing public trust.

Tsitsi added, “In an effort to build the cyber security posture of the nation, the CDPA obligates data controllers to report any data breach within 24 hours, as required by section 19 of the Act read with section 17(1) of Statutory Instrument 155 of 2024. The reports are critical in detecting, tracking and mitigating the impact of breaches on institutions and data subjects, enabling the Data Protection Authority to intervene appropriately.”

Offences and Penalties under the CDPA
– Unlawful processing of personal data (e.g., using data without a lawful basis or beyond its stated purpose) – fine up to Level 12 (approximately ZWL $200,000) and/or imprisonment up to 5 years,
– Failure to report a data breach within 24 hours – administrative penalty of up to Level 10 (about ZWL $100,000) and possible suspension of data‑controller licence.
– Negligent security practices leading to a breach– fine up to Level 11 (around ZWL $150,000) and/or imprisonment up to 3 years.
– Obstruction of investigations by the Data Protection Authority – fine up to Level 12 and/or imprisonment up to 5 years.
– Unauthorised disclosure of personal data – fine up to Level 13 (approximately ZWL $250,000) and/or imprisonment up to 7 years.

These penalties underscore the importance of compliance for media houses, which handle large volumes of personal information in their reporting and record‑keeping.

In closing, POTRAZ and MISA called for sustained dialogue between regulators, media practitioners and police, noting that a well‑informed press is a vital partner in building a secure digital ecosystem. “When journalists understand their rights and obligations under the CDPA, they become guardians of both information and privacy,” Mariwo concluded.

You May Also Like

ZEXCOM Celebrates It’s First Ever Security Guards Pass Out

MrBarns 0

Mike Chimombe, Moses Mpofu reveal they have 24 kids as State pushes for them to be jailed for 35 years

MrBarns 0

Xi says China confident, capable to navigate all kinds of risks, challenges

MrBarns 0

Leave a Reply

Your email address will not be published. Required fields are marked *