Home 9 - 9 Artificial Intelligence 9 Legislative and Regulatory Reform in Zimbabwe’s Digital Sector: A rights-based perspective

Legislative and Regulatory Reform in Zimbabwe’s Digital Sector: A rights-based perspective

1 Jul, 2026
The governance architecture of the National AI Strategy reflects a centralised coordination model under executive authority. The National Digital Regulatory Committee (NDRC) is chaired by the President, with the Ministry of Information Communication Technology, Postal and Courier Services serving as Secretariat. The Steering Committee is housed within POTRAZ, and the AI Strategy Implementation Office (AISIO) serves as the central coordinating body.

Zimbabwe has embarked on a programme of legislative and policy reform to govern its digital ecosystem, anchored in the Cyber and Data Protection Act, the amended Broadcasting Services Act, and the recently launched National AI Strategy (2026–2030). 

The Zimbabwe National AI Strategy builds on existing commitments to digital transformation, data governance, and innovation, and organises them into structured programmes. 

While these developments mark progress towards modernising the legal framework, a rights-based analysis reveals both opportunities and gaps that require attention to ensure these instruments serve the interests of all Zimbabweans.

Where policies are fragmented or outdated, strategies risk staying aspirational.

The AI Strategy: Governance, Ethics, and Regulation

One pillar of the National AI Strategy focuses on governance, ethics, and regulation. It outlines the frameworks and institutions needed to guide responsible AI development. 

This includes establishing oversight bodies and ethical guidelines grounded in Ubuntu principles, as well as regulatory mechanisms for accountability, risk management, and data governance.

The UNESCO Artificial Intelligence Readiness Assessment for Zimbabwe presents a more constrained baseline. It identifies persistent gaps in legal harmonisation, institutional coordination, infrastructure, and human capital.

This shows that the country remains in the early stages of AI readiness. This disconnect between ambition and readiness introduces tension into the strategy’s design.

The strategy emphasises that AI systems should be human-centric, inclusive, and aligned with societal values, drawing on Ubuntu philosophy to emphasise human dignity, collective responsibility, and social cohesion. 

It addresses privacy, non-discrimination, access to information, and inclusion through its focus on data governance, ethical impact assessments, digital literacy initiatives, and public engagement.

Data Protection Reform: Balancing Security and Rights

Although Zimbabwe is a signatory, it is among the 39 African countries that have not ratified the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention). 

In 2021, Zimbabwe enacted the Cyber and Data Protection Act (CDPA), which designates the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) as the data protection authority and lays the groundwork for safeguarding personal data. 

From a rights-based perspective, the Act may be assessed against regional and international standards, particularly the African Charter on Human and Peoples’ Rights and relevant resolutions to which Zimbabwe has committed to align. 

Key considerations include the following:

  • The Cyber and Data Protection Act (CDPA) provides foundational guidance on the collection, storage, use, and transfer of data, including the privacy of genetic, biometric, sensitive, and health data. It also serves as foundational legislation for regulating AI development.
  • Algorithmic Accountability: As AI systems proliferate, data protection laws will need to address algorithmic bias, transparency in automated decision-making, and the right to meaningful human review. The AI Strategy’s adoption of a risk-based approach, modelled on frameworks such as the EU AI Act, offers a pathway. However, this requires embedding data protection principles, including data minimisation, purpose limitation, and accountability, within AI governance structures. The current data protection framework does not fully address data ownership, sovereignty, platform power, or economic control over locally generated data.
  • Ubuntu and Cultural Context: The AI Strategy explicitly recognises the need to protect “our Ubuntu philosophy and natural culture”. A rights-based data protection framework should therefore reflect local values while remaining interoperable with global standards, including the UNESCO Recommendation on the Ethics of AI (2021), which Zimbabwe has adopted.

Broadcasting Reform: From Control to Co-Regulation

The amendment to the Broadcasting Services Act and the launch of Media Policy mark a shift towards what the government describes as a “co-regulatory” framework, with shared standard-setting among the State, industry players, and professional bodies. 

From a rights-based perspective, several issues require attention.

  • Content Regulation and Freedom of Expression: The government has expressed concern about deepfakes and misinformation. While these concerns are legitimate in the age of AI-generated media, content regulation should be narrowly tailored, non-discriminatory, and consistent with constitutional protections for freedom of expression.
  • Independence of the Regulator: The Broadcasting Authority of Zimbabwe (BAZ) requires genuine independence, with appointment processes subject to parliamentary oversight and public participation. The African Charter on Broadcasting provides a framework for regulatory independence.
  • Plurality Without Diversity: As MISA Zimbabwe notes, although dismantling the Zimbabwe Broadcasting Corporation’s monopoly has enabled new commercial and community broadcasters, “the country’s channels of expression remain concentrated in a few hands”, resulting in “plurality without diversity”. A rights-based broadcasting framework would need to promote diversity of ownership, content, and voices, particularly for marginalised communities, women, youth, and rural populations.

Postal and Telecommunications Amendment Bill: Convergence, Surveillance, and Rights

The Postal and Telecommunications Amendment Bill, 2025, aims to modernise Zimbabwe’s telecommunications sector by: 

  • expanding definitions to include digital platforms
  • promoting fair competition, 
  • mandating infrastructure sharing, 
  • establishing a Complaints Tribunal for dispute resolution, 
  • broadening the Universal Service Fund (USF) to support ICT access for underserved communities and for persons with disabilities. 

These provisions reflect an awareness of technological convergence and the need for affordable connectivity.

However, several provisions raise concerns from a rights-based perspective:

  • Regulatory Independence: The Minister is empowered to appoint the Board, Chairperson, and Vice-Chairperson, after consulting the President, without an independent, transparent selection process. The Authority’s funding is made contingent on ministerial approval of donations. The Minister is also granted broad authority to issue binding ‘policy directions’ on the basis of the ‘national interest’. These provisions may affect regulatory independence.
  • Surveillance Powers: Section 93L permits private companies and their employees to detain communications on mere suspicion, with only retrospective authorisation from the Prosecutor-General and no requirement for a prior judicial warrant. This circumvents constitutional privacy protections under Section 57 of Zimbabwe’s Constitution, which ordinarily requires court oversight before interfering with private communications. The provision establishes a low-threshold mechanism vulnerable to abuse, particularly against journalists, activists, and political opponents. It falls short of regional and international standards, which require privacy intrusions to be lawful, necessary, and proportionate, with independent oversight.
  • Universal Service Fund: The Bill diverts 10% of the USF directly to the Ministry for “government infrastructure and policy initiatives”. This may reduce resources available for public connectivity.
  • Convergence of Mandates: The Bill expands the mandate of the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ), potentially creating jurisdictional overlap with BAZ (broadcasting) and the Data Protection Authority. Without clear coordination mechanisms, this could lead to regulatory gaps or overlapping enforcement.
  • Network Security: Provisions on network security and critical infrastructure protection should be balanced against the right to freedom of expression and access to information. Broad definitions of “cyber threats” or “national security” could be used to justify network shutdowns or content blocking.

Governance Structure of the AI Strategy

The governance architecture of the National AI Strategy reflects a centralised coordination model under executive authority. The National Digital Regulatory Committee (NDRC) is chaired by the President, with the Ministry of Information Communication Technology, Postal and Courier Services serving as Secretariat. The Steering Committee is housed within POTRAZ, and the AI Strategy Implementation Office (AISIO) serves as the central coordinating body.

This design addresses a legitimate concern: AI is cross-cutting, and fragmented governance can undermine coordination and slow decision-making. A centralised model may offer advantages in policy coherence and resource mobilisation. 

However, the proposed structure moves beyond coordination to a concentration of authority. Positioning the Presidency at the apex, together with ministerial control of the Secretariat, regulatory anchoring within POTRAZ, and operational execution through the AISIO, consolidates strategic, regulatory, and implementation functions into a single governance chain.

The strategy provides for the inclusion of independent experts and stakeholders in Working Groups and Technical Working Groups managed by the AISIO. However, their role is primarily consultative and operational. 

They do not exercise decision-making authority over policy direction, regulatory outcomes, or resource allocation, which remain with the NDRC and its associated executive bodies.

When governance functions are integrated within a single chain of authority, oversight may become internal rather than independent. Regulatory processes may be shaped by the very structures they are meant to constrain. 

The result is a governance model in which oversight, regulation, and execution are vertically integrated.  This may reduce the structural checks that typically underpin accountability in complex regulatory environments.

Conclusion

Zimbabwe stands at a pivotal moment. The Cyber and Data Protection Act, the amended Broadcasting Services Act, the Postal and Telecommunications Amendment Bill, and the National AI Strategy provide building blocks for a modern digital governance framework. 

However, legislation alone is insufficient. Realising a rights-based approach requires independent oversight, meaningful public participation, and algorithmic transparency. 

Commitment to constitutional freedoms, particularly freedom of expression, access to information, and the right to privacy, is therefore critical.

The Postal and Telecommunications Amendment Bill warrants scrutiny. While its aim of modernising the telecommunications sector is commendable, provisions that expand surveillance powers without robust judicial oversight may undermine the rights that data protection and broadcasting reforms are intended to protect. 

The opportunity before Zimbabwe is not merely to regulate technology but to harness it in the service of democracy, equity, and human dignity. 

This requires a review of the Postal and Telecommunications Amendment Bill, the Broadcasting Services Act, and the Cyber and Data Protection Act, with the National AI Strategy serving as a guiding framework for ethical, inclusive, and rights-based governance.

 

This piece is part of a series on Zimbabwe’s digital sector reforms and their implications for human rights, curated by Helen Sithole. The series examines how the Cyber and Data Protection Act, the amended Broadcasting Services Act, the Postal and Telecommunications Amendment Bill, and the National AI Strategy shape freedom of expression, privacy, and access to information in Zimbabwe’s evolving digital governance landscape. Writes – Helen Sithole

About MISA

The Media Institute of Southern Africa (MISA) was founded in 1992. Its work focuses on promoting, and advocating for, the unhindered enjoyment of freedom of expression, access to information and a free, independent, diverse and pluralistic media.

Share this

Related news

Urgent need for AI legal sector policy framework

Urgent need for AI legal sector policy framework

Last week, the Supreme Court of Zimbabwe issued a landmark ruling declaring invalid legal submissions prepared with the help of artificial intelligence (AI) that included fictitious case citations. The ruling arose from the Pulserate Investments (Pvt) Ltd v Andrew...

Ensuring safety for women journalists in the Digital Age

Ensuring safety for women journalists in the Digital Age

The past few years have seen a significant rise in the use and adoption of artificial intelligence (AI). For journalists, generative AI is a double-edged sword, as it is both an efficient enhancement technology and accentuates online abuse and technology-facilitated...

Legislators pledge to support co-regulation of the media 

Legislators pledge to support co-regulation of the media 

On 23 October 2025, MISA Zimbabwe engaged members of the Parliamentary Portfolio Committee on Information, Media and Broadcasting Services, along with several other stakeholders, regarding the proposed Zimbabwe Media Practitioners Bill and Zimbabwe Media Commission...