https://zimbabwe.misa.org Cybersecurity and Cybercrime Laws in the SADC Region

protection authority. Whilst the convergence of regulatory authorities may help the government to save on financial resources, it defeats the principle of separation of powers and checks and balances, which are critical in the era of “data deluge”. Furthermore, this convergence can foster unnecessary operational inefficiencies. In order to remedy the situation, key informants observed that there is a need for the equal prioritisation and balancing of the functions of the Cybersecurity Centre and Data Protection Authority to ensure that significance is not placed only on cybersecurity while data protection, privacy and the interrelated fundamental rights are neglected. The conflation of these three institutions poses a dual crisis, with POTRAZ, on one hand, becoming the surveillance arm of the state while also having access to the large volumes of data collected by the Mobile Network Operators (MNOs) and Internet Service Providers (ISPs). This, therefore, compromises data protection and the right to privacy. This is partly because it borrows heavily from the African Union’s model law. In view of this amalgamation of two separate but mutually related issues (cybersecurity and data protection), civil society groups have called for the drafting of two separate laws.

The Bill makes provision for the processing of data, which can be done by telecommunication operators, electronic management bodies, ministry of home affairs and other immigration agencies. It stipulates that data processors must notify the data subjects before the collection of the information as well as how the data will be processed. The Bill criminalises the processing of sensitive information, genetic data, biometric data and health data.
It is only allowed under specified circumstances, which include where the processing is necessary to comply with national security laws and also for the prevention of imminent danger or the mitigation of a specific criminal offence.

Zimbabwe’s Cybersecurity and Data Protection Bill is an omnibus law combining cybersecurity and data protection (MISA-Zimbabwe, 2020). Although the Bill does not explicitly mention the issue of intrusive communications surveillance, there are several pieces of legislation, such as the Official Secrets Act, Criminal Law (Codification and Reform) Act and the Interceptions of Communications Act, which have been used to justify the snooping on citizens’ online communication. Some of these laws were passed before 2013 and hence have not yet been aligned with the Constitution. In circumstances where information relates to national security, more often than not, there is no disclosure of sufficient information under the auspices of national interests. This poses the danger of such provisions being abused and exposing citizens to over-surveillance by government and state security agents, thus violating their right to privacy.

In the event of any security breach, the Bill provides, in Section 19, that the data controller shall notify the Authority, without any undue delay, of any security breach affecting data that he or she processes. It is imperative that the law should provide a specific timeline under which the security breach shall be communicated rather than leaving the provision open to interpretation on what entails undue delay. In addition, the Bill places an obligation on data controllers, except for those in specified circumstances, to notify the Data Protection Authority prior to any wholly or partly automated operation or set of operations intended to serve a single purpose or several related purposes. The notification is not required where the data controller has appointed a data protection