Concerns grow over Zimbabwean licensing fees for WhatsApp group admins

Debate is growing in Zimbabwe over new Cyber and Data Protection Regulations which will require administrators of WhatsApp groups to obtain licenses if they collect data from more than 50 people.

Daniel Itai, Special Correspondent

November 27, 2024


Concerns have risen over Zimbabwe's new Cyber and Data Protection Regulations which force WhatsApp administrators of groups with over 50 members to pay an annual licensing fee of between US$50 and US$2,500 to the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ).

According to Statutory Instrument (SI) 155 of 2024 in the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations – which were published in September 2024 – any person who processes personal information without a data controller (administrator) license shall be guilty of an offence and liable to a fine or imprisonment of up to seven years, or both.

This will come into effect six months from the time the regulations were published.

The new regulation has sparked outrage from Zimbabweans online and much confusion over what type of WhatsApp groups would be required to have a license.

Zimbabwe's Minister of Information Communication Technology Postal and Courier Services, Tatenda Mavetera, claimed this was only aimed at those groups collecting data for commercial use, but the regulation document's wording does not explicitly confirm that.

Government stance 

Minister Mavetera recently posted an update on her LinkedIn page about meetings with POTRAZ related to the new licensing regulation. She commented that WhatsApp group admins would not be spared and even mentioned that churches would be included, a position she later backtracked on.

"I would like to distance myself from the malicious fake news of intentions by government to license or penalize WhatsApp groups or administrators of any social media platform/s for US$2,500," the Minister said in a follow-up post on LinkedIn.

"This claim is not applicable especially to players who do not collect and process personally identifiable information (PII) for commercial or business use," she clarified.

She explained that PII is any type of data that can be used to identify someone, from their name and address to their phone number, passport information and social security number.

"On my LinkedIn post I never expressed any intentions to licence or penalise WhatsApp groups or Administrators of any social media platform/s which do not collect and process Personally Identifiable Information (PII) for commercial or business use," she explained.

"I wish to assure the public of government's commitment through the Ministry of Information Communication Technology Postal and Courier Services to accelerate cyber and data democratisation and security to ensure that no one and no place is left offline. This is in line with our overarching mandate to the constitution to promote access to information for all in a safe and secure environment," she added.

Although the Minister mentioned that the move was meant for business WhatsApp groups, the Cyber and Data Protection Regulations state that a data controller license shall be issued to any person who processes information for a minimum of 50 data subjects.

The regulations only exempt data controllers who process personal data for personal, family or household affairs, law enforcement, journalistic, historical or archival purposes. 

Data protection officers

Furthermore, the regulations also require a data controller to appoint a data protection officer (DPO) within three months from the promulgation of SI 155.

According to the regulations, failure to appoint a DPO will result in imprisonment not exceeding two years, a fine or both.

The guidelines stipulate that a DPO should have skill, qualifications or experience in the areas of data science, data analytics, information security systems, information systems audit, law, audit, knowledge of national data protection laws and practices, an understanding of the data controller's business operations and processing activities or any other relevant qualification.

A DPO is also required to undergo a certification course approved by POTRAZ.

Data controllers are required to undergo training with the accreditation fee being US$5,000 per annum.

For data protection officers, Zimbabwean citizens are to pay US$1,250 with non-citizens paying US$1,450 per individual annually for training and certification.

The application fee for DPO training is US$30 for citizens and US$50 for non-citizens. In addition, POTRAZ will also charge for ad hoc training activities that it may conduct from time to time. 

Feasibility of the new regulations

Commenting on the regulations, Jasper Mangwana, an ICT researcher, said that SI 155 complements the Cyber and Data Protection Act.

"It's a welcome development because it seeks to make operational the Cyber Protection Act, which is already there, an important law for stakeholders and companies as well as organizations to ensure that they comply, train their personnel and put resources in that area," said Mangwana.

However, Mangwana said that regulators need to be clearer about how licensing will work for group administrators on social media platforms such as WhatsApp, or where organizations are using automated robots for customer service support.

"We need clarity from POTRAZ about what exactly the position is, but I don't think it's quite feasible [to regulate]," he continued.

In addition, Mangwana commented on the pricing and emphasized that there is a need to educate the general public about the Cyber and Data Protection Act, particularly in terms of personal and private information.

"The pricing figure of between US$50 and US$2,500 is a reasonable amount if we are looking at small-to-medium enterprises, but I don't think that's quite applicable to sole traders," he said.

"However, it's important to note that such measures prevent financial fraud, identity theft, impersonation and cyberbullying so it's important that whoever is collecting information puts measures of security so that if there is a breach it can be noted and countermeasures taken through end-to-end encryption especially that have larger volumes of data. Henceforth, there is need for educating the public on what is personal or private information, and the risks associated," he continued.

Cybersecurity expert Sammy Tatenda Nyere said that although the fees seem fair for businesses making money from WhatsApp groups, the new regulations might be hard to enforce.

"It's a fair deal. There is money to be made because for example if I have a WhatsApp group, I can approach a company and inform them that I have a lot of people in my group that you can reach out to for marketing purposes," said Nyere.

"At the end of the day, though intentions are genuinely based on business terms, their PII can be exploited by the company that will be advertising on that WhatsApp platform, but I think it's just a manner of securing funds for the government because who is going to be policing the WhatsApp groups? I don't think it's something worth pursuing at this particular juncture," Nyere concluded.

About the Author

Daniel Itai

Special Correspondent, Connecting Africa

Daniel is a freelance writer and African podcaster.
