Provision of Real-time Lawful Interception Assistance
Disclosure of Communications Data
National Security and Emergency Powers
Oversight of the Use of Powers
Censorship-related Powers
Oversight of the Use of Powers (Censorship-related)

UPDATED: | SOURCE: Paradigm Initiative

Provision of Real-time Lawful Interception Assistance

Constitution of Zimbabwe

The Zimbabwean constitution came into force in 2013 after a referendum and guarantees press freedom, freedom of expression, and access to information.

In addition, the Constitution of Zimbabwe Amendment (No. 20) Act, 2013 (the Zimbabwean Constitution) specifically provides in section 57(d) that every person has a right to privacy, which includes the right not to have the privacy of their communications infringed.

The rights to privacy and freedom of expression are subject to limitations consistent with Section 86(2) of the Constitution, which provides that fundamental rights and freedoms may be limited by a law of general application to the extent that the limitation is fair, reasonable, necessary, and justifiable in a democratic society based on openness, justice, human dignity, equality, and freedom, taking into account all relevant factors as highlighted in the same Section.

Under this theory, the legislation authorizes ways to intercept communications and the powers to order such interception, as set out in further detail below.

The Interception of Communications Act (ICA) [Chapter 11:20]

The ICA’S objective is mainly to make provision for the lawful interception and monitoring of certain communications during their transmission through a telecommunication, postal, or any other related service or system in Zimbabwe.

As set out in section 5(1) of the ICA, the following authorities can apply for a warrant to intercept communications;

(a) the Chief of Defence Intelligence or his or her nominee;
(b) the Director-General of the President’s department responsible for national security or his or her nominee;
(c) the Commissioner of the Zimbabwe Republic Police or his or her nominee;
(d) the Commissioner-General of the Zimbabwe Revenue Authority or his or her nominee.

Application for a warrant for the interception of communications is made to the Minister, defined by ICA as the Minister of Transport and Communications or any other Minister to whom the President may assign the administration of the Act under section 5(2) of the ICA. See the procedure below in the amendment to the ICA by the Cyber and Data Protection Act (CDPA).

There is no judicial oversight of government surveillance and interception of communications at the time of application for a warrant under section 5. However, anyone aggrieved by the issuance of a warrant may appeal to the Administrative Court within a month of being notified or becoming aware of it. This provision suggests a notification of surveillance may not occur, and assumes that individuals may become aware of the surveillance after being subjected to it, detracting from any meaningful judicial oversight or remedies.

Service providers, in terms of section 9(1)(a) of the ICA, must ensure that their postal or telecommunications systems are technically capable of supporting lawful interception at all times under section 12(1)(a), which stipulates that telecommunications services providers must provide a telecommunications service capable of being intercepted. Section 9(2) of the ICA criminalizes failure to provide such access can result in a fine not exceeding level twelve or imprisonment for a period not exceeding three years, or both.

The Cyber and Data Protection Act (CDPA) [Chapter 12:07]

On 3 December 2021, the government of Zimbabwe enacted a law titled the Data Protection Act, with its main objective under section 2 to protect data. However, in March 2022, the government republished the law with an amended title – Cyber and Data Protection Act. It revised the objective to ‘increase cyber security in order to build confidence and trust in the secure use of information and communication technologies by data controllers, their representatives and data subjects.’

Section 37(2) of the CDPA repealed section 4 of the ICA that provided for a Monitoring of Interception of Communications Centre and replaced it with a Cyber Security and Monitoring of Interception of Communications Centre (Cyber Monitoring Centre). The Cyber Monitoring Centre’s responsibility is to give technical advice on cybersecurity to authorized persons and service providers.

According to section 4A (a) of the ICA, as amended by the CDPA, the Cyber Monitoring Centre is the sole facility through which authorized interceptions may occur. Similarly, section 4B of ICA establishes the Cyber Security Committee, an ad-hoc advisory body to the Minister of Transport and Communications or any other Minister to whom the President may assign the administration of the Act. The same Committee is mandated with the authority to give direction to the Director of the Cyber Monitoring Centre on when to issue a warrant for interception of communications in section 4(2).

Application for a warrant for the interception of communications is made to the Minister under the terms of section 5(2) of the ICA. According to section 5(4) of ICA, as amended by the CDPA, the Minister, on receiving an application for a warrant under section 5(1) of ICA, should refer the application to the Cyber Security Committee, which shall advise the Minister on whether any of the reasonable grounds to issue a warrant are satisfied. The discretion is given to the Minister to issue a provisional warrant if any of the reasonable grounds referred to in section 6 are present. If the Committee later advises that there are no reasonable grounds to issue the warrant, the Minister may withdraw it.

Section 21(3) of the CDPA states that where the DPA is “of the opinion that the processing or transfer of data by a data controller entails specific risks to the privacy rights of data subjects,” they may inspect and assess the security and organizational measures before the commencement of the processing or transfer.

Section 19 of the CDPA provides that the data controller must notify the DPA of any data breach within 24 hours.

Section 28(1) of the CDPA stipulates that a data controller may not transfer personal information about a data subject to a third party in a foreign country unless an adequate level of protection is ensured in the recipient’s country or within the recipient’s international organization. The data is transferred solely to allow tasks covered by the competence of the controller to be carried out. This provides for cross-border flows of data. However, concerning data localisation, the CDPA in section 28(3) allows the DPA to prescribe cases where data transfer to countries outside Zimbabwe is not permitted.

Where the data controller violates their duties under the CDPA, they can be charged under section 33 (2) of the Act and liable to a fine not exceeding level 11 (ZW$100000/US$310) or to imprisonment for not more than seven years or both such fine and such imprisonment. Because this is a criminal offense, the matter is adjudicated by a competent criminal court in Zimbabwe.

Criminal Law (Codification and Reform) Act (the Code)

Section 31 of the Code criminalizes the publication of false news with a penalty not exceeding a level 14 fine or a prison term of 20 years. This same penalty is provided for violations of section 14 of the Statutory Instruments 83 of 2020 on COVID-19 containment.

Disclosure of Communications Data

The Cyber and Data Protection Act (CDPA) [Chapter 12:07]

The CDPA in section 36 provides for the amendment of the CPEA and establishes Section 379A(2)(b) of the CPEA which empowers a magistrate after a police officer makes an application that specific computer data is required in investigations in criminal proceedings to order “an electronic communications service provider in Zimbabwe to produce information about persons who subscribe to or otherwise use the service.”

Criminal Procedural and Evidence Act (CPEA) [Chapter 9:07]

Section 379A(4)(b) of the CPEA empowers the police officer with a warrant granted after the application in section 379A(2) “to give written notice to a person in control of the computer system or information system concerned, require the person in control thereof to disclose relevant traffic data concerning specified communications in order to identify— (i) the service providers; or (ii) the path through which the communication was transmitted. Failure to do this results in a fine.”

National Security and Emergency Powers

The Criminal Law (Codification and Reform) Amendment Act 2023

The Criminal Law (Codification and Reform) Amendment Act 2023, also addressed by citizens as ‘the Patriot Act’, was passed on 14th July 2023 and its section 2 amends the Criminal Law (Codification and Reform) Act [Chapter 9:23] (the Code) by inserting section 22A which has provisions that limit freedom of expression.

The Act creates a crime of “wilfully injuring the sovereignty and national interest of Zimbabwe” in vague overly broad terms that can criminalize any engagement with anyone deemed a foreign agent.

The inserted section 22A(2) stipulates that any citizen or permanent resident of Zimbabwe who, within or outside Zimbabwe actively partakes (whether himself or herself or through an agent, and whether on his or her own initiative or at the invitation of the foreign government concerned or any of its agents, proxies or entities) in any meeting whose object the accused knows or has reasonable grounds for believing involves the consideration of or the planning for:

(a) military or other armed intervention in Zimbabwe by the foreign government concerned or another foreign government, or by any of their agents, proxies or entities; or
(b) subverting, upsetting, overthrowing or overturning the constitutional government in Zimbabwe; shall be guilty of wilfully damaging the sovereignty and national interes of Zimbabwe and liable to:
(i) the same penalties as for treason, in a case referred to in paragraph (a); or
(ii) the same penalties as for subverting constitutional government, in a case referred to in paragraph (b).

Section 22A(3) states that “a citizen or permanent resident of Zimbabwe who actively participates in a meeting, in Zimbabwe or elsewhere, to consider or plan sanctions or a trade boycott against Zimbabwe is guilty of an offence and liable: to a fine of up to US$12 000 or imprisonment for up to 10 years, or both, or if the offence is aggravated and the prosecutor so requests, to any or all the following: termination of citizenship where applicable, cancellation of the person’s permanent residence where relevant, disqualification, for between five and 15 years, from being registered as a voter or voting and prohibition from holding public office for between five and 15 years.

Cyber and Data Protection Act (CDPA)

Section 8 provides that a data controller shall ensure that data processing is necessary and that the data is processed fairly and lawfully. However, Section 11(4) stipulates that the Minister responsible for the Cyber Security and Monitoring Centre (a unit in the Office of the President), in consultation with the Minister responsible for information and communications technologies, may give directions on how to implement Section 11 concerning sensitive information affecting national security or the interests of the State.

The Interception of Communications Act (ICA) [Chapter 11:20]

According to section 6(1)(b) and (c) of ICA:

(1) A warrant shall be issued by the Minister to an authorized person referred to in section 5 if there are reasonable grounds for the Minister to believe that:
(b) the gathering of information concerning an actual threat to national security or any compelling national economic interest is necessary; or
(c) the gathering of information concerning a potential threat to public safety or national security is necessary.

Oversight of the Use of Powers

Cyber and Data Protection Act (CDPA) [Chapter 12:07]

Section 5 of the CDPA vests the Data Protection Authority in the Postal and Telecommunications Regulatory Authority (POTRAZ). POTRAZ advises the Minister responsible for the information and communications technologies on privacy issues in section 6(e) of the CDPA. In line with section 13(a), every data controller must ensure that data is processed with privacy in mind. Data controllers include telecommunications companies and internet service providers. The CDPA places data controllers under the supervision of the Data Protection Authority (DPA).

According to section 4A (a) of the ICA, as amended by the CDPA, the Cyber Monitoring Centre is the sole facility through which authorized interceptions may occur. Similarly, section 4B of ICA establishes the Cyber Security Committee, an ad-hoc advisory body to the Minister. The same Committee is mandated with the authority to give direction to the Director of the Cyber Monitoring Centre on when to issue a warrant for interception of communications in section 4(2).

The Interception of Communications Act (ICA) [Chapter 11:20]

There is no judicial oversight of government surveillance and interception of communications at the time of application for a warrant under section 5. However, anyone aggrieved by the issuance of a warrant may appeal to the Administrative Court within a month of being notified or becoming aware of it. This provision suggests a notification of surveillance may not occur, and someone may become aware of the surveillance after being subjected to surveillance, detracting from any meaningful judicial oversight or remedies.

Censorship-related Powers

Constitution of Zimbabwe

The Zimbabwean constitution came into force in 2013 after the referendum and guarantees press freedom, freedom of expression and access to information.

Freedom of expression in Zimbabwe is specifically provided for in Section 61(a) of the Zimbabwean Constitution, which guarantees the right of individuals to seek, receive and communicate ideas and other information. Section 61(5) provides that “freedom of expression and freedom of the media exclude, among other things, malicious or unwarranted breach of a person’s right to privacy.”.

The rights to privacy and freedom of expression are subject to limitations in Section 86(2) of the Constitution, which provides that fundamental rights and freedoms may be limited only by a law of general application to the extent that the limitation is fair, reasonable, necessary and justifiable in a democratic society based on openness, justice, human dignity, equality and freedom, taking into account all relevant factors as highlighted in the same Section.

The Interception of Communications Act (ICA) [Chapter 11:20]

The interception of communications is authorized by the Minister of Transport and Communications (“the Minister”) and whomever the president assigns the administration of the Act. Beyond intercepting communications, Section 6(2)(a) of the ICA also empowers the Minister to order an Internet shutdown. Since the Minister of State who ordered an Internet Shutdown in 2019 was not legally responsible for the administration of the Act nor the correct functionary in terms of section 6 of ICA, the High Court of Zimbabwe concluded that the Internet shutdown was in essence an illegality.

Section 6(2(a) of the ICA provides that the Minister may use his discretion “if he or she is of the opinion that the circumstances so require⎯ (a) upon an application being made in terms of this Part” to issue instead of a warrant any directive to a service provider not involving any interception or monitoring of communications.”

Cyber and Data Protection Act (CDPA) [Chapter 12:07]

The CPEA consolidates and amends the law regarding procedure and evidence in criminal law cases and provides for incidental matters. The CDPA amends the CPEA to provide for provisions relating to cybercrime under PART XXA.

According to section 379C(1) of the CPEA amended by CDPA, “An electronic communications network or access service provider shall not be criminally liable for providing access or transmitting information through its system if the such service provider has not— (a) initiated the transmission; or (b) selected the receiver of the transmission; or (c) selected or modified the information contained in the transmission.” This provision can be read to grant immunity from liability to ISPs during service delivery (“intermediary liability”).

Section 379C(9) provides as follows: “An internet service provider (ISP) who enables access to information provided by a third person by providing an electronic hyperlink shall not be criminally liable with respect to the information if the internet service provider— (a) promptly removes or disables access to the information after receiving an order from an appropriate public authority or court to remove the link; or (b) through other means, obtains knowledge or becomes aware of stored specific illegal information promptly informs the appropriate authority to enable it to evaluate the nature of the information and if necessary issue an order for its removal.”

Criminal liability can arise for an ISP in terms of section 379C(10), which stipulates that “an internet service provider who fails to promptly remove or disable access to information in terms of subsection (9) shall be guilty of an offense and liable to a fine not exceeding level 8 or to imprisonment for a period not exceeding two years or both such fine and such imprisonment.”

Oversight of the Use of Powers (Censorship-related)

Criminal Law (Codification and Reform) Act (the Code)

The Code amends the criminal laws of Zimbabwe, consolidating them into one piece of legislation. It creates criminal offenses and prescribes their penalties.

Where the data controller violates their duties under the CDPA towards the data subject or security provisions, they can be charged under section 33 (2) of the Act and liable to a fine not exceeding level 11 (ZW$100000/US$310) or to imprisonment for not more than seven years or both such fine and such imprisonment. Because this is a criminal offense, the matter is adjudicated by a competent criminal court in Zimbabwe.

Section 164C of the Code provides that “Any person who unlawfully and intentionally by means of a computer or information system makes available, broadcasts or distributes data to any other person concerning an identified or identifiable person knowing it to be false with intent to cause psychological or economic harm shall be guilty of an offense and liable to a fine not exceeding level 10 or to imprisonment for a period not exceeding five years or to both such fine and such imprisonment.”

Section 164G (1) of the Code states, “Any person who unlawfully and intentionally by means of information and communication technologies generates and sends any data message to another person, or posts on any material whatsoever on any electronic medium accessible by any person, with the intent to coerce, intimidate, harass, threaten, bully or cause substantial emotional distress, or to degrade, humiliate or demean the person of another or to encourage a person to harm himself or herself, shall be guilty of an offense and liable to a fine not exceeding level 10 or to imprisonment for a period not exceeding ten years or to both such fine and such imprisonment.” This provision can be used to infringe on freedom of expression where communications are made through electronic means.

Cyber and Data Protection Act (CDPA) [Chapter 12:07]

The CDPA created critical amendments to the Code such as Section 31. Section 31(a)(iii) of the Code, which criminalized the publication of false news undermining public confidence in a law enforcement agency, the Prison Service or the Defence Forces of Zimbabwe (with a penalty of not exceeding a level 14 fine or a prison term of 20 years imprisonment), was outlawed by the Madanhire v Attorney General case in 2014. Although the court decision pronounced that such a law violates freedom of expression, it remains a tool used to charge people for online communications.