Zimbabwe
Zimbabwe Recording Laws: All-Party Consent Rules and Penalties (2026)
What Makes Zimbabwe an All-Party Consent Country
Zimbabwe's legal framework treats the recording of private conversations as a privacy violation unless every person involved has given their consent. This all-party consent standard draws its authority from the 2013 Constitution and is reinforced by two major statutes: the Interception of Communications Act of 2007 and the Cyber and Data Protection Act of 2021.
The practical effect is straightforward. If you want to record a phone call, a video meeting, or a face-to-face conversation in Zimbabwe, you need to tell the other people involved and get their agreement first. Recording without that agreement exposes you to criminal prosecution.
This places Zimbabwe among the stricter jurisdictions globally when it comes to recording consent, alongside countries like Germany and Switzerland that similarly demand all parties agree before a recording begins.
Constitutional Foundation: Section 57 of the 2013 Constitution
The backbone of Zimbabwe's recording consent requirement is Section 57 of the Constitution of Zimbabwe Amendment (No. 20) Act of 2013. This provision establishes a broad right to privacy for every person within the country's borders.
What Section 57 Protects
Section 57 declares that every person has the right to privacy. The provision breaks this into specific protections:
- The right not to have their home, premises, or property entered without permission.
- The right not to have their person, home, premises, or property searched.
- The right not to have their possessions seized.
- The right not to have the privacy of their communications infringed.
- The right not to have their health condition disclosed.
Subsection (d) is the provision that directly governs recording. The phrase "privacy of communications" covers telephone calls, electronic messages, face-to-face conversations, and any other exchange between individuals. Infringing on that privacy by recording without consent triggers a constitutional violation.
Constitutional Weight
Because Section 57 sits in the Declaration of Rights (Chapter 4 of the Constitution), it carries the highest legal authority in Zimbabwe's hierarchy of laws. Any statute, regulation, or government action that conflicts with this right can be challenged in the Constitutional Court. The right to privacy of communications is not absolute, but any limitation must satisfy the strict requirements set out in Section 86 of the Constitution, which permits restrictions only when they are fair, reasonable, necessary, and justifiable in a democratic society.
The Interception of Communications Act (Chapter 11:20)
The Interception of Communications Act, which commenced on August 3, 2007, is the primary statute governing the interception and monitoring of communications in Zimbabwe. It applies to telephone calls, postal communications, and internet-based communications.
Prohibition on Unauthorized Interception
The Act makes it a criminal offense for any person to intentionally intercept, attempt to intercept, or authorize another person to intercept any communication while it is occurring or being transmitted. This prohibition covers all forms of communication: voice calls, text messages, emails, faxes, and internet traffic.
The key word is "intentionally." Accidental capture of a communication does not trigger criminal liability. But deliberately recording a phone call without the consent of the other party, or secretly monitoring someone's electronic messages, falls squarely within the prohibition.
Penalties for Unauthorized Interception
Anyone convicted of unauthorized interception faces a fine not exceeding Level 14 on Zimbabwe's standard scale of fines, which under the most recent Statutory Instrument (SI 14A of 2023) amounts to approximately USD $5,000. Alternatively, or in addition, the offender can be sentenced to imprisonment for up to five years.
For telecommunications service providers who fail to provide required assistance with lawful interception warrants, the penalties are a Level 12 fine or up to three years in prison, or both.
Who Can Authorize Lawful Interception
The Act creates a narrow pathway for lawful interception, but it routes through the executive branch rather than the judiciary. An application for an interception warrant must come from one of four designated officials:
- The Chief of Defence Intelligence (or their nominee)
- The Director-General of the President's department responsible for national security (or their nominee)
- The Commissioner of the Zimbabwe Republic Police (or their nominee)
- The Commissioner-General of the Zimbabwe Revenue Authority (or their nominee)
These applications go to the Minister of Transport and Communications (or whichever Minister the President assigns to administer the Act). The Minister alone decides whether to issue the warrant.
Grounds for Issuing a Warrant
The Minister may issue an interception warrant when there are reasonable grounds to believe that:
- Gathering information about an actual threat to national security or a compelling national economic interest is necessary.
- Gathering information about a potential threat to public safety or national security is necessary.
The application must identify the person whose communications will be intercepted (if known) and the service provider that will receive the direction to carry out the interception.
The Judicial Oversight Gap
This is where Zimbabwe's interception framework draws its heaviest criticism. In most democracies, an independent judge reviews surveillance requests and decides whether they meet legal thresholds. Zimbabwe's Act places that decision entirely in the hands of a government minister.
No court reviews the warrant application before it is granted. No independent body audits whether warrants are being used properly after the fact. The Harvard Law School International Human Rights Clinic, the Media Institute of Southern Africa (MISA), Reporters Without Borders, and the Global Network Initiative have all flagged this structure as falling short of international human rights standards.
The Oxford Academic journal Statute Law Review published an analysis in 2024 noting that the Act does not provide adequate safeguards for the protection of journalists and lawyers, and that its broad ministerial powers undermine the separation of powers.
The Cyber and Data Protection Act of 2021 (Chapter 12:07)
Zimbabwe's Cyber and Data Protection Act, enacted in 2021, adds a second layer of regulation that directly affects recording. While the Interception of Communications Act focuses on the act of intercepting communications, the Data Protection Act governs what happens with the data captured, including audio recordings, video recordings, and photographs.
Consent Requirements for Data Processing
The Act defines consent as any specific, unequivocal, freely given, and informed expression of will by which a data subject accepts that their personal data may be processed. For general personal data, written consent is the standard. For sensitive data, genetic data, biometric data, or health data, explicit written consent is mandatory.
An audio or video recording of an identifiable person constitutes personal data under this framework. Recording someone's voice or image, storing that recording, sharing it, or using it for any purpose all qualify as "processing" under the Act and require a lawful basis.
Section 164A: Recording and Sharing Images Without Consent
Section 164A of the Cyber and Data Protection Act makes it a criminal offense to record or distribute images or recordings of a person without their consent. Posting someone's picture or video online without their agreement is specifically criminalized under this provision.
This section extends beyond just intimate or explicit content. It covers any image or recording shared without the depicted person's consent, giving Zimbabwean citizens a direct statutory tool to challenge unauthorized recordings.
Upskirting and Intimate Recording: Section 165
Section 165 addresses what is commonly known as "upskirting." Any person who records images or video beneath another person's clothing without consent faces a fine not exceeding Level 10 or imprisonment for up to five years, or both.
Data Controller Licensing Requirements
Under Statutory Instrument 155 of 2024, which took effect in September 2024, all entities that process personal data in Zimbabwe must obtain a data controller's license from POTRAZ. The deadline for compliance was March 12, 2025. Any organization that records customers, employees, or members of the public, whether through phone call recordings, CCTV, or any other means, must hold this license.
Data controllers were also required to appoint a Data Protection Officer by December 12, 2024. The DPO must possess skills in data science, information security, or a related field, and must undergo certification training.
Any data controller that continues to process data without a license is guilty of an offense carrying a fine of up to Level 11 (approximately USD $1,000) or imprisonment for up to seven years, or both.
Data Breach Reporting
When a data breach occurs, SI 155 requires the data controller to report the incident to POTRAZ within 24 hours of becoming aware of it. If the breach poses a high risk to the rights and freedoms of individuals, those affected must be notified within 72 hours.
POTRAZ: The Regulator With Dual Authority
The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) occupies a unique position in the regulatory landscape. It serves simultaneously as the national telecommunications regulator and the national data protection authority under the Cyber and Data Protection Act.
Telecommunications Oversight
POTRAZ oversees the licensing of telecommunications operators, the allocation of radio spectrum, and compliance with national regulations. Lawful interception of communications is included in the conditions attached to telecommunications licenses, meaning service providers are contractually obligated to facilitate government surveillance when presented with valid warrants.
Data Protection Authority
Under the Cyber and Data Protection Act, POTRAZ registers and licenses data controllers, certifies Data Protection Officers, investigates complaints about data misuse, and has the power to impose fines and sanctions for non-compliance.
Independence Concerns
Human rights organizations have raised questions about whether POTRAZ can serve as an effective data protection authority given its dual role. The same body that licenses telecommunications companies and facilitates government interception of communications is also tasked with protecting citizens' data privacy rights. Critics argue this creates an inherent conflict of interest.
Recording Phone Calls in Zimbabwe
Recording a telephone call in Zimbabwe without the consent of all parties on the call is illegal. The prohibition draws from both Section 57 of the Constitution (privacy of communications) and the Interception of Communications Act (unauthorized interception).
Personal Calls
If you want to record a personal phone call, you must inform the other person before the recording begins and obtain their agreement. Simply starting a recording app during a conversation without telling the other party violates the law.
Business Calls
There is no statutory exemption for business recordings. Companies that record customer service calls, sales conversations, or internal calls must inform all parties and secure consent. The common practice of playing an automated message such as "this call may be recorded for quality and training purposes" at the start of a call satisfies the notice requirement, but the caller must have the opportunity to decline.
VoIP and Messaging Apps
The law does not distinguish between traditional telephone networks and internet-based communication platforms. Recording a WhatsApp call, a Zoom meeting, or a Microsoft Teams session is subject to the same all-party consent requirement as recording a landline call.
Recording In-Person Conversations
Recording a face-to-face conversation without the knowledge and consent of every person present is prohibited under the constitutional right to privacy and can trigger criminal liability under both the Interception of Communications Act and the Cyber and Data Protection Act.
Private Settings
Conversations in homes, offices, restaurants, and other settings where participants have a reasonable expectation of privacy are fully protected. You cannot place a hidden recording device in a room to capture conversations you are not part of, and even if you are participating, you must still obtain the consent of the other parties.
Meetings and Group Conversations
The all-party requirement means every participant in a group conversation must agree to the recording. In a business meeting with ten people, all ten must consent. One person's refusal means the recording cannot lawfully proceed.
Recording in Public Places
Zimbabwe's approach to recording in public spaces is less clearly defined than its rules for private communications. The Constitution protects the "privacy of communications," which implies that public conversations broadcast to no one in particular may not receive the same level of protection.
CCTV and Public Surveillance
There is currently no comprehensive law in Zimbabwe specifically regulating the installation and use of CCTV cameras in public spaces. Businesses, government buildings, and private property owners install cameras without a standardized regulatory framework governing how footage is captured, stored, or disposed of.
The Cyber and Data Protection Act applies to CCTV operators to the extent that they capture identifiable individuals, meaning they should obtain data controller licenses and comply with data processing principles. In practice, enforcement of these requirements for CCTV operators has been limited.
Photography and Journalism in Public
Journalists and members of the public face a complicated environment when recording in public. While there is no blanket prohibition on photographing or filming in open public spaces, government authorities have historically used various legal provisions to restrict media recording, particularly during protests, political events, and in areas near government buildings.
Workplace Recording Rules
Workplace recording in Zimbabwe falls under multiple overlapping legal frameworks: the constitutional right to privacy, the Interception of Communications Act, the Cyber and Data Protection Act, and general employment law principles.
Employer Obligations
An employer that wishes to monitor or record employee communications, whether through CCTV cameras, call recording systems, or email monitoring, must comply with the Cyber and Data Protection Act's consent and transparency requirements. This means informing employees about what is being recorded, why, and how the recordings will be used.
Since September 2024, employers who process employee data through recording systems must also hold a data controller's license from POTRAZ and must have appointed a Data Protection Officer.
Employee Rights
Employees retain their constitutional right to privacy even in the workplace. An employer cannot install hidden audio recording devices in break rooms, bathrooms, or other areas where employees have a reasonable expectation of privacy. Video surveillance in common work areas is generally permissible with proper notice, but audio recording of conversations requires explicit consent.
Evidence in Labor Disputes
Under the Civil Evidence Act (Chapter 8:01), electronic evidence, including audio and video recordings, is admissible in Zimbabwean courts and labor tribunals. However, the recording must be properly authenticated, and the party submitting it must demonstrate that it was obtained lawfully. A recording made without the consent of all parties faces challenges to its admissibility.
Government Surveillance Concerns
Zimbabwe's surveillance landscape extends well beyond the formal legal framework. Several developments over the past decade have raised alarms among human rights organizations, press freedom advocates, and international observers.
Chinese Technology Partnerships
Zimbabwe has partnered with Chinese technology firms, including Hikvision, to deploy facial recognition technology at airports and international border posts. The government received nearly $240 million from China to develop NetOne, the national mobile telecommunications network, which includes its own data centers.
President Emmerson Mnangagwa has publicly stated that the government can track where people walk, who they talk to, and where they sleep. Whether or not this claim is fully accurate, it reflects an official posture that treats mass surveillance as both a capability and a policy objective.
Social Media Monitoring
The government has established social media monitoring teams to track citizens' online activities. Human rights organizations have documented cases where information gathered through online surveillance was used to arrest opposition members, journalists, and civil society activists.
Ahead of the August 2024 Southern African Development Community (SADC) summit in Harare, security forces arrested more than 160 people, including religious leaders, elected officials, political activists, union leaders, students, and journalists, in what Human Rights Watch described as an intensified crackdown.
Chilling Effect on Free Expression
Research published in the journal Big Data and Society in 2023 documented the "chilling effects" of surveillance in Zimbabwe, finding that fear of monitoring leads citizens to self-censor on online platforms and exercise extreme caution in electronic communications. The study found that surveillance undermines rights to freedom of expression and freedom of association, even when no actual interception occurs.
Penalties at a Glance
| Violation | Governing Law | Maximum Penalty |
|---|---|---|
| Unauthorized interception of communications | Interception of Communications Act, Chapter 11:20 | Level 14 fine (~USD $5,000) and/or 5 years imprisonment |
| Service provider failure to assist with lawful interception | Interception of Communications Act, Chapter 11:20 | Level 12 fine and/or 3 years imprisonment |
| Recording or sharing images/recordings without consent | Cyber and Data Protection Act, Section 164A | Criminal prosecution (specific penalty varies) |
| Upskirting or intimate recording without consent | Cyber and Data Protection Act, Section 165 | Level 10 fine and/or 5 years imprisonment |
| Processing data without a data controller license | Cyber and Data Protection Act / SI 155 of 2024 | Level 11 fine (~USD $1,000) and/or 7 years imprisonment |
| Failure to report data breach within 24 hours | Cyber and Data Protection Act / SI 155 of 2024 | Enforcement action by POTRAZ |
Business Compliance Checklist
Organizations operating in Zimbabwe that record any form of communication should take the following steps.
Obtain a data controller license. Since March 12, 2025, any entity processing personal data, including call recordings, CCTV footage, or meeting recordings, must hold a license from POTRAZ. Operating without one is a criminal offense.
Appoint a Data Protection Officer. The DPO must have relevant qualifications in data science or information security and must undergo POTRAZ-certified training.
Secure all-party consent before recording. Implement clear consent mechanisms for phone calls (automated disclosure messages with opt-out options), meetings (verbal announcement and written consent where practical), and CCTV (visible signage with details about recording, storage, and access).
Define retention and deletion policies. Establish written policies specifying how long recordings are kept and ensure systematic deletion occurs at the end of each retention period.
Report breaches promptly. Any data breach must be reported to POTRAZ within 24 hours. Affected individuals must be notified within 72 hours when the breach poses a high risk to their rights.
Train staff. Employees who handle recordings should understand the consent requirements, the penalties for non-compliance, and the organization's internal procedures for managing recorded data.
Sources and References
- Constitution of Zimbabwe Amendment (No. 20) Act, 2013(constituteproject.org)
- Interception of Communications Act [Chapter 11:20](zimlii.org)
- Cyber and Data Protection Act, 2021 [Chapter 12:07](zimlii.org)
- POTRAZ - Data Protection Act Official Copy(potraz.gov.zw).gov
- SI 155 of 2024 - Data Protection Licensing Regulations(potraz.gov.zw).gov
- Harvard Law - Right to Privacy in Zimbabwe(harvard.edu)
- Oxford Academic - Legislative Protection Under ICA(academic.oup.com)
- MISA Zimbabwe - Surveillance and Privacy(misa.org)
- Human Rights Watch - Zimbabwe 2025(hrw.org)
- U.S. State Department - Zimbabwe Human Rights 2023(state.gov).gov
- Gambe Law Group - Audio and Video Evidence in Zimbabwean Courts(gambelawgroup.com)
- MISA Zimbabwe - Data Protection Act Requirements (March 2025)(misa.org)
- Veritas Zimbabwe - New Standard Scale of Fines (SI 14A of 2023)(veritaszim.net)
- Global Voices - How Zimbabwe is Building a Big Brother Surveillance State(globalvoices.org)