Zimbabwe’s Licensing of WhatsApp Group Admins: Data Protection? — Digital Control?

In a controversial move, the Zimbabwean government has announced that all WhatsApp group administrators must register with the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) and obtain a license. This unprecedented policy, framed as a measure to enhance data security and privacy, has triggered debate about the delicate balance between data protection, government control, and freedom of expression in an increasingly digital society.

Why Regulation?

Under the new policy, any individual or organization administering a WhatsApp group within Zimbabwe must register with POTRAZ and secure a license. This requirement is associated with fees ranging from $50 to a hefty US$2,500 depending on the nature and size of the group. Additionally, administrators must appoint a certified Data Protection Officer (DPO), as per Zimbabwe’s Data Protection Act, 2021.

Tatenda Mavetera, the Minister of Information Communications Technology, Postal, and Courier Services, has defended the new regulations as necessary for safeguarding personal data.

With WhatsApp groups frequently storing personal information such as phone numbers, names, and other identifiable data, the government views these groups as data controllers under the Act. Given that administrators possess access to group members’ phone numbers, the government argues that WhatsApp groups must adhere to the same data protection standards as any other entity handling such personal data.

On the surface, the policy seems like a logical extension of Zimbabwe’s Data Protection Act, aligning digital interactions with broader data protection standards. However, the implications of this new requirement stretch far beyond the realm of data privacy, touching on deeper issues of freedom of expression, government surveillance, and digital control. Begging the question, what is the global stand on the topic?

Processing Data for Household Purposes

The licensing of whatsapp group administrators has the potential of infringing one’s right to privacy, as most of the processing that occurs is for “household” or personal use. Article 2(2)(c) of the GDPR and Section 4(2) of the Kenyan Data Protection Act, 2019 agree that if personal data is processed by an individual for purely personal or household purposes, it falls outside the scope of the Act. For instance, activities such as managing personal contacts, household administration, or personal correspondence.

However, if the data processing goes beyond personal or household activities — for instance, if personal data is shared or used for business or professional purposes — the exemption would not apply, and GDPR rules would come into effect.

In practice, both legal frameworks acknowledge that individuals should be free to process their own personal data (for example, storing contacts, family photos, or other private data) without being subject to the formalities required for business or professional data processing, like obtaining consent or ensuring the rights of the data subjects.

Regulation Vs Freedom

While the government’s stated intention is to protect citizens’ data, the policy raises red flags for several reasons.  Zimbabwe’s move places it among a growing number of countries adopting stricter regulations over digital spaces, often citing data protection and national security as justifications. However, in many cases, these measures have been criticized as thinly veiled attempts to stifle free speech and tighten state control over digital communication.

For Zimbabwe, where political tensions run high, the timing of this regulation is particularly concerning. In recent years, WhatsApp has become a crucial platform for political discussion, social activism, and community organization. With opposition voices often silenced in traditional media, digital platforms have emerged as vital spaces for dissent.

Human rights activists and civil society organizations have voiced fears that the licensing could serve as a tool for government surveillance. By requiring groups to register and appoint a DPO, the state gains a direct line of oversight into these digital communities. The fear is that the government may use this regulation to monitor politically sensitive conversations, effectively clamping down on dissenting voices.

Freedom of Expression?

Zimbabwe has seen a notable increase in the use of WhatsApp groups as platforms for political discourse and activism. Critics view the timing of the policy with suspicion, expressing concern that the new regulations are not simply about data protection but represent a deliberate attempt to constrict digital spaces and curb free speech.

The potential chilling effect on freedom of expression is a significant concern. Even without aggressive enforcement, the mere existence of these regulations, with the threat of fines or imprisonment for violations, could lead individuals and groups to self-censor out of fear. This reluctance to engage in critical discussions could limit the open exchange of ideas and information, undermining the role that digital platforms play in fostering democratic debate.

What Will It Cost You?

The licensing fees, ranging from $50 to $2,500, create a financial barrier for smaller community groups and nonprofits.  They are prohibitive for churches, and non-profit organizations that often use WhatsApp to communicate. For instance, a local church group or a neighborhood association may struggle to afford the costs, let alone navigate the bureaucratic process of registering and appointing a DPO.

The regulations’ lack of clarity regarding enforcement raises concerns about potential misuse. While penalties, including fines and imprisonment, are stipulated, their specific application remains unclear, leaving room for arbitrary enforcement.

A Precedent for Other Digital Regulations?

This move might be the first step in a broader strategy to control digital spaces in Zimbabwe. The country has already seen increased efforts to monitor and regulate the internet, with previous attempts to introduce laws that would grant the government sweeping powers to access private communications under the guise of national security.

By treating WhatsApp groups as entities requiring formal regulation, Zimbabwe is setting a precedent that could pave the way for more invasive digital policies in the future. Today it is WhatsApp groups; tomorrow, it could be other social media platforms like Facebook, Telegram, or even private chats. The implications of such a policy could be far-reaching, potentially reshaping how Zimbabweans engage in digital discourse and how they organize politically.