3. Excessive data collection and retention provisions without adequate data protection laws

3.1. Section 42 requires telecommunication network owners to register users. Section 43 requires telecommunication network owners to keep subscriber records, copies of which POTRAZ will maintain. Subscriber information must be kept in these registers for up to 5 years after deactivation of a user's SIM card.

3.2. This is problematic because Zimbabwe currently has inadequate data protection laws. There is, therefore, no guarantee of how confidentially such user data will be kept or whether it will be protected from abuse by the telecommunication network owners or any other third parties affiliated to them.

3.3. Zimbabwean users hardly ever deactivate SIM cards. This will make it hard to determine when to start calculating the 5-year period before disposing of a user's records, which means that users' records will potentially be kept indefinitely.

3.4. There is no restriction in the Bill on how the user records will be used, either by telecommunication network owners or by POTRAZ. These provisions in their current state contradict users' right to privacy, which is protected in section 57 of the Constitution.

3.5. Recommendations: Zimbabwe needs to put in place a Data Protection Act which matches globally accepted data protection principles.

3.6. There should be periodic transparency reports issued by both telecommunication network owners and POTRAZ. These reports would outline the number of requests to access user information received from State organs and other third parties within a specified period. This would help users know who has access to their data and what it is possibly used for.

3.7. The length of time for which user data is retained should be limited to about 24 to 30 months at most. This period should not be calculated from the time a user