The Cyber and Data Protection Act provides for a safe harbour regime in Zimbabwe. This is provided for in Section 379C(1), which states that an ISP shall not be responsible or liable for a crime if they have not initiated the transmission, selected the receiver of the transmission and/or modified the information contained in the transmission. Most importantly, the Act provides that the ISPs will not be liable for data carried on their platforms and those of intermediaries if they remove it after a court order. In addition, ISPs and intermediaries will not be liable if they remove the information upon their realisation or gain knowledge that the information is illegal.

According to Art. 5.1 of the Postal and Telecommunications (Subscriber Registration) Regulations, 2013. Telecommunications providers must each establish a subscriber database of all SIM card holders, connecting their phone number to their name, address, gender, nationality, and passport or ID number. The law obliges service providers to regularly hand over copies of this data to the government, which will then establish its own central subscriber information database.

The indicator "6.2.4 - Government Internet shut down in practice" of the V-Dem Dataset, which measures whether the government has the technical capacity to actively make internet service cease, thus interrupting domestic access to the internet or whether the government has decided to do so, has a score of 3 in Zimbabwe for the year 2023. This corresponds to "Rarely but there have been a few occasions throughout the year when the government shut down domestic access to Internet."

According to Art. 7.1 of the Broadcasting Services Act, no person may provide a broadcasting service or operate as a signal carrier in Zimbabwe without a broadcasting licence or a signal carrier licence. Art. 7.2 specifies that a broadcasting licence authorises the licensee to offer various types of broadcasting services, including narrowcasting, datacasting, and webcasting. However, under Art. 8.1, a broadcasting licence can only be issued to individuals who are citizens of Zimbabwe or to a corporate entity in which a controlling interest is held, whether directly or indirectly, by one or more Zimbabwean citizens.
Art. 7 of Broadcasting Services (Licensing and Content) Regulations, 2004 provides the licensing requirements for narrowcasting, datacasting, and webcasting. It is reported that the Zimbabwean authorities might use this section to require licensing fees for video-on-demand and live-streaming services (YouTube, Facebook, Netflix, etc.), and, as a result, smaller companies have to obtain licenses ranging from USD 2,500 to USD 20,000.

Sections 28 and 29 of the Cyber and Data Protection Act establish a framework for the cross-border transfer of data. Data can be transferred to countries that offer adequate protection. In addition, data can be transferred if it is in the public interest to do so. The data subject must provide consent for their information to be transferred. However, this consent may also be implied or offered ambiguously.
Moreover, Section 11 of the Cyber and Data Protection Act prohibits the processing of sensitive personal information unless with the consent of the data subject or where processing is for legitimate purposes. Sensitive data, according to Section 3, includes social, political, and cultural information, as well as health and genetic information, and any information which may be considered as presenting a significant risk to the rights of the data subject.

Zimbabwe has not joined any free trade agreement committing to open transfers of cross-border data flows.

Zimbabwe has a comprehensive regime of data protection in place: the Cyber and Data Protection Act [Chapter 12:07] was promulgated with the policy objective of data privacy and protection of all data collected by Data Controllers both within and outside Zimbabwe depending on the location of the means used to process the said data. The Act seeks to shield the privacy of such information and regulate the way in which such information is stored, used and disclosed.

Sections 4-7 of the Postal and Telecommunications Regulations mandate ICT service providers to obtain, record and store personal information of juristic and natural persons who are registered with these entities. Such a register is to be known as a Subscriber Register. The register is to be provided to POTRAZ or any state agency upon request and without delay. Furthermore, the regulation provides for the establishment of a Central Subscriber Database, which is the consolidated portal for personal information gathered from subscribers.

It is reported that copyright is not adequately enforced online in Zimbabwe. Pirating of books, videos, music, and computer software is reported to be common in the country.

Zimbabwe has not signed the World Intellectual Property Organization (WIPO) Copyright Treaty.

Zimbabwe has not signed the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.

Section 11 of the Interception of Communications Act allows security and law enforcement agencies to impose disclosure requirements in respect of encrypted information where they believe that a key to encrypted information is in the possession of that person and that a disclosure requirement is necessary in the interests of national security, to prevent or detect a serious criminal offence, or in the interests of the country’s economic well being. Failure to comply is a criminal offence punishable by imprisonment, a fine, or both.

Zimbabwe has no rules applicable to the protection of trade secrets.

It is reported that there is an obligation for passive infrastructure sharing in Zimbabwe to deliver telecom services to end users. It is practised in both the mobile and fixed sectors based on commercial agreements.

In Zimbabwe, state-owned companies play a dominant role in the telecommunications sector. The government owns a significant stake in two of the three mobile service providers, including full ownership of NetOne and 60% of Telecel through Zimbabwe Academic Research and Education Network (ZARNet), a government-owned internet service provider and government agency. In addition, the state owns the only fixed-line service provider, TelOne. As for the main operators of the national network infrastructure, TelOne controls about 24% of the country's bandwidth capacity and about 23% of the revenues generated by the Internet. On the other hand, Powertel, belonging to the Zimbabwe Electricity Supply Authority, controlled 4.3% of the country's bandwidth capacity.