In February 2026, Zimbabwe's Broadcasting Authority (BAZ) issued a formal regulatory warning that was remarkable not for what it prohibited — explicit content accessible to minors — but for what it claimed. The authority asserted that all broadcasting and digital content consumed in Zimbabwe falls under the country's legal and constitutional framework, regardless of the platform used. TikTok, Instagram, X, YouTube: all of it, now subject to a regulator whose mandate was originally confined to radio and television licences.
That claim was not an accident. It was the latest step in a methodical three-year process that has constructed one of sub-Saharan Africa's most layered social media surveillance architectures — one that combines a broad cybersecurity statute, an expanded broadcasting law, a pending platform-specific bill, and physical interception infrastructure into an interlocking system with limited independent oversight.
Three Laws, One Direction
The architecture begins with the Cyber and Data Protection Act 2021 (Chapter 12:07), which came into force in March 2022. The Act does two things simultaneously: it gives Zimbabwean citizens a formal data protection right, and it creates a Cybersecurity and Monitoring Centre housed directly in the Office of the President — the sole hub through which authorised communications intercepts are effected. The same legislation that promises privacy also routes surveillance authority through the executive, with national security exemptions broad enough to swallow the protections.
The second layer arrived in May 2025. The Broadcasting Services Amendment Act, passed by the National Assembly in March 2025 over the objections of both MISA Zimbabwe and the Media Alliance of Zimbabwe, extended the broadcasting regulator's statutory remit to include "digital media platforms and internet-based broadcasting services." It also removed a provision that had required parliamentary consultation before the President could appoint BAZ's board. In a single bill, the scope of regulatory reach expanded upward and democratic accountability contracted.
The third layer is still in formation. Information Minister Jenfan Muswere has publicly announced draft legislation specifically targeting social media platforms. Citing "ghost accounts" and the spread of disinformation, the proposed law would introduce user accountability requirements — effectively mandatory de-anonymisation. MISA Zimbabwe has warned that this would replicate patterns seen in Tanzania and Rwanda, where similarly justified legislation became tools for suppressing political dissent, particularly around elections.
Infrastructure That Predates the Laws
The legal architecture sits atop physical surveillance infrastructure built in parallel. In June 2022, POTRAZ commissioned a Telecommunications Traffic Monitoring System (TTMS) — a national-level traffic monitoring platform capable of intercepting calls and data flows across all providers. The stated purpose was revenue assurance and fraud prevention. But as MISA Zimbabwe noted at a September 2022 stakeholder engagement, the system's capabilities extend well beyond billing compliance: data collected could, under the Interception of Communications Act, be accessed by police and intelligence services.
Huawei-supplied CCTV networks are already operational in Harare and Bulawayo. And a planned Zim Cyber City in New Harare, developed with Dubai-based Mulk International and backed by President Mnangagwa, is slated to include AI-enabled facial recognition directly linked to law enforcement databases.
Against this backdrop, the February 2026 BAZ warning looks less like a child-safety initiative and more like the activation of a pre-built system.
Steelmanning Harare's Case
The government's position deserves a fair hearing before being dismissed. Online harassment, non-consensual intimate imagery, and disinformation campaigns are real harms — and Zimbabwe is not alone in grappling with platforms that have shown limited willingness to moderate content in markets with smaller advertising revenue. A regulator insisting that foreign platforms respect domestic law is not, in principle, an illegitimate demand. Australia, the UK, and the EU have all asserted extraterritorial jurisdiction over platform content without being labelled surveillance states.
"Freedom of expression must be enjoyed responsibly," BAZ stated in its February 2026 warning, citing Section 61 of Zimbabwe's Constitution — the very provision that protects that freedom.
The problem is not the principle. The problem is the institutional architecture through which it is exercised.
Why This Architecture Is Different
In functional democracies, content regulation is typically administered by bodies independent of the executive, subject to judicial review, and constrained by proportionality requirements. Zimbabwe's system fails on all three counts.
The Cybersecurity and Monitoring Centre sits in the President's office. BAZ's board is now presidential-appointee-dominated without parliamentary check. The proposed social media law would create de-anonymisation requirements enforced by the same executive. There is no independent data protection authority with genuine enforcement power against the state; the regulator and the surveilled share a chain of command.
Freedom House rated Zimbabwe 50 out of 100 on its Freedom on the Net 2025 index — "Partly Free" — with its lowest scores in the category tracking violations of user rights. The report documented the February 2025 arrest of journalist Blessed Mhlanga, detained for three months after an interview in which a former official called for governmental change.
CIPESA's analysis of Zimbabwe's 2026 National AI Strategy added another data point: Zimbabwe scored zero on the 2024 Global Index on Responsible AI Governance. The gap between the government's digital-modernisation rhetoric and its accountability infrastructure is not rhetorical — it is measurable.
Scale of What's at Stake
This is not a marginal policy affecting a small online population. POTRAZ's Q4 2025 Abridged Sector Performance Report recorded an internet penetration rate of 84.55% — 13.25 million active subscriptions in a country of roughly 16 million people. Mobile internet is how most Zimbabweans access news, organise civic life, and communicate with diaspora. The surveillance architecture being constructed operates at that scale.
Proportionate regulation of social media is achievable and worth pursuing. It requires an independent regulator, clear and narrow definitions of prohibited content, judicial authorisation for surveillance, and genuine public consultation — Zimbabwe's December 2024 public hearings produced 485 citizen submissions that the Minister then disregarded. What Harare has built instead is a flexible legal system, a capable interception infrastructure, and a regulator answerable to the Presidency — precisely the combination that, in comparable contexts across the continent, has been turned against critics when political pressure rises.
The child-safety framing is not dishonest. But it is incomplete. The architecture being normalised under that framing will outlast any particular content controversy.