Addressing The Gaps In The Data Protection, Privacy And Surveillance Legislation former Minister of State for National Security between 2005 and 2009, namely Didymus Mutasa, made a chilling statement to the effect that the government “sees everything … We have our means of seeing things these days, we just see things through our system. So, no one can hide from us in this country”7. This statement is significant in that it suggests that the current surveillance powers reposed in the government are prone to abuse and weaponisation to the detriment of the constitutional right to privacy. Accordingly, the fact that the surveillance powers set out in the Interception of Communications Act are apt to be abused implies gaps in the current state of surveillance legislation that warrant close examination. As to data protection and privacy legislation, although the Cyber and Data Protection Act is the main relevant law, it is imperative to point out that in Zimbabwe, various pieces of legislation also have a bearing on data protection and privacy. For instance, regarding the Census and Statistics Act [Chapter 10:29], the use and disclosure of aggregate information collected and relating to commercial, agricultural, mining, social and general activities of inhabitants of Zimbabwe during a census is regulated and restricted. Further, under the Consumer Protection Act [Chapter 14:44], disclosing any customer’s confidential information is prohibited8. In addition, in terms of Section 7 (1) (d) of the Electoral (Voter Registration) Regulations, 2017 Statutory Instrument 85 of 2017, a person’s biometric features are captured during voter registration. Further, in terms of Sections 4 and 5 of the Postal and Telecommunications (Subscriber Registration) Regulations, 2014 Statutory Instrument 95 of 2014, telecommunication service providers are required to obtain, record and store a customer’s information and details before SIM-card registration. In terms of Section 8 (1) of the said Regulations, customer’s information obtained and recorded by a telecommunication service provider is stored in the so-called Central Subscriber Information Database. Section 8 (2) (c) of the Regulations provides that the purpose of the Central Subscriber Information Database is, inter alia, to enable the Postal and Telecommunications Regulation Authority (“POTRAZ”) to assist law enforcement agencies or safeguard national security. Further, Section 8 (5) of the Regulations states that the customer information in the Central Subscriber Information Database is held strictly confidential, and no persons or entities are allowed access to the information except authorised personnel. However, the Regulations do not expressly define the persons who qualify as authorised personnel. Ahead of the 2018 and 2023 harmonised elections, many mobile phone users received unsolicited text messages from the Presidential candidate of the Zimbabwe African National Union-Patriotic Front (Zanu PF) canvassing for votes. It is not immediately clear how the third party managed to access the mobile phone users’ personal data, such as their phone numbers. However, what is clear is that such data breaches suggest the existence of gaps in our data protection and privacy laws, which need to be addressed. 7. Newzimbabwe.com “CIO watching your bedrooms, Mutasa warns critics”, New Zimbabwe 10 June 2014. 8. See section 78 of the Consumer Protection Act [Chapter 14:44]. 6 www.misa.org