WhatsApp Group Admins Now Need Data Protection License in Zimbabwe

Zimbabwe’s ICT Minister announced today that WhatsApp group admins using their groups for business purposes will be required to obtain a government-issued data protection license. These WhatsApp admins will also need to appoint a government trained and certified Data Protection Officer.

The announcement was made on social media and is part of government’s efforts to implement the Cyber and Data Protection Act, which was gazetted in 2022. The Act had a Statutory Instrument (SI) issued to complement it on 13 September 2024. You can download the SI here. Implementation here means enforcing. Businesses have until 13 March to act on the requirements.

The Minister’s announcement followed a “National Stakeholder Meeting for Board Members, CEOs and Management on the Implementation” of the Act and SI held in Harare yesterday.

The minister’s post on LinkedIn said in part:

I would like to thank all those who attended the crucial breakfast meeting organised by POTRAZ yesterday.

The time is ticking for organisations that collect first party data, as you are required by law to have a data protection licence and the license fees range from $50 to $2500.

Furthermore, a data protection officer(DPO) who is trained and certified by POTRAZ should be appointed by such a licensee and the appointment should be communicated to POTRAZ.

Even churches who collect personal data ought to have such a licence and appoint a DPO. Whatsapp group admins are not spared too, if your groups are meant for business, you should as well obtain a licence. Failure to comply attracts penalties.

For further enquiries, get in touch with the POTRAZ team.

What does the Cyber & Data Protection Act say

The Act defines anyone who processes people’s data as a “data controller” and states that data controllers are “licensable.”

The Act also defines a phone number as “personal information.” Since people in a WhatsApp group have access to the phone numbers of other members, the government is categorizing WhatsApp admins as “data controllers.”

As for the Data Protection Officers (DPOs), Potraz announced some weeks ago the graduation of the first batch of DPOs in collaboration with Harare Institute of Technology. We didn’t think much of it then, but clearly it was a step towards this enforcement of the act.

Is this practical?

It’s hard to think how practical it is to require anyone running a WhatsApp group for business to get a license. And paying $50 to government just to have a WhatsApp group is absurd.

Or is it a case of having a law waiting in case a crime involving data happens – say someone complains to Potraz about their phone number being used outside a WhatsApp group’s objectives?

Whatever the case, this is likely to bury people and businesses under the weight of regulatory red tape. It’s also likely to criminalise otherwise everyday behaviour by well-meaning citizens. For a country that claims to be open for business, it’s amazing how we keep throwing spanners in the works.