By 
Ross Moyo & Lydia Mponda
The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) has clarified that the Cyber and Data Protection Act does not criminalise journalism or restrict lawful media practice.
Speaking at a media engagement workshop on the Cyber and Data Protection Act (CDPA) held at Golden Conifer in Strathaven, Harare, Tsitsi Mariwo, Director of Data Protection at POTRAZ, emphasized that the Act has often been misinterpreted as a threat to press freedom and misunderstood by many because of the way the law is packaged.
Tsitsi Mariwo explained that the Cyber and Data Protection Act (CDPA) as amended by Statutory Instrument 155 of 2024, ends at chapter 34, while the criminal codification act under section 164 (C) is carried in the same ACT, its administered by a different ministry, specifically the ministry of Justice not ICT ministry as many perceive.
Section 164C states that “
Any person who unlawfully and intentionally by means of a computer or information system makes available,
broadcasts or distributes data to any other person concerning an identified or identifiable person
knowing it to be false with intent to cause psychological or economic harm shall be guilty of an
offence and liable to a fine not exceeding level 10 or to imprisonment for a period not exceeding five
years or to both such fine and such imprisonment.”
This is the act that has been used to arrest journalists as they interview people who may say defamatory issues during the interview.
However this act has been cited by most investigating officers and media houses as the Cyber and Data Protection Act in their formal dockets, misleading many to take the act as one with the criminal codification act.
“The Act was not enacted to silence journalists,” Mariwo said. “Its primary objective is to protect citizens’ personal data and promote responsible use of digital platforms.” She noted that no journalist has been arrested under the Cyber and Data Protection Act since its promulgation, and that cases involving journalists have instead fallen under other existing statutes.
“If there are any issues with the Act, it’s not POTRAZ or the Ministry of ICT that deals with criminality, but rather the Ministry of Justice,” Mariwo said, clarifying the role of POTRAZ in regulating data protection and cybersecurity.
Mariwo explained that the Act contains provisions that recognize journalistic exemptions, particularly when personal data is processed in the public interest. She noted that responsible journalism, carried out ethically and within legal frameworks, remains protected under Zimbabwe’s constitutional guarantees.
“The law acknowledges the role of journalism in a democratic society,” she said. “Processing personal information for journalistic purposes is permissible where it is justified by public interest.”
The Act applies to all entities (public/private) established in Zimbabwe processing personal data in Zimbabwe, including those not established in Zimbabwe but processing data of Zimbabweans. Media institutions are not exempt from the Act, but there are exemptions applicable to all data controllers, including defence of a legal claim, meeting a legal obligation, and performing a task carried out in the public interest.
Comments