Cyber Law in Zambia
Zambia's cyber law landscape has undergone significant changes in recent years, particularly with the enactment of two key pieces of legislation in April 2025: the Cyber Security Act, 2025, and the Cyber Crimes Act, 2025. These laws were introduced to address rising cyber threats and promote digital safety, but they have also raised considerable concerns from human rights organizations and civil society regarding their potential impact on freedom of expression, privacy, and surveillance.
1. Key Cyber Laws in Zambia:
The Cyber Security Act, 2025 (Act No. 3 of 2025):
Purpose: This Act provides for cyber security in the Republic, establishes the Zambia Cyber Security Agency and the Zambia Cyber Incident Response Team, regulates cyber security service providers, and outlines the management of critical information infrastructure.
Key Provisions and Concerns:
Broad Surveillance Powers: Allows for real-time surveillance and interception of communications. Critics argue that these powers, which extend to various state actors including law enforcement and individuals designated by the President, are overbroad and lack sufficient judicial oversight.
Zambia Cyber Security Agency: Establishes this agency under the general direction of the President, raising concerns about its independence and potential for political interference. Its mandate includes regulating service providers and coordinating cybersecurity responses.
Central Monitoring and Coordination Centre: Section 21 establishes this body with sweeping authority to intercept communications, again without robust checks and balances, leading to alarms about privacy violations.
Data Localization: Requires persons controlling "critical information" to store such information within Zambia. The definition of "critical information" is broad (including public health, economic stability, national security), which could impact NGOs and other organizations.
Information Security Audits: Allows inspectors to conduct audits on "critical information" without a warrant, providing wide discretion to access computers and devices.
Service Provider Obligations: Electronic communications service providers are required to install systems that facilitate real-time interception of communications.
Criminal and Administrative Penalties: The Act introduces various offenses with significant penalties for non-compliance.
The Cyber Crimes Act, 2025 (Act No. 4 of 2025):
Purpose: This Act focuses on defining and criminalizing offenses relating to computers and computer systems, providing for the protection of persons against cybercrimes, and addressing child online protection.
Key Provisions and Concerns:
Cybercrime Offenses: Criminalizes a range of activities, including:
Unauthorized access to computer systems and data (hacking).
Unauthorized interference with computer systems and data.
Illegal acquisition or disclosure of data relating to critical information/infrastructure.
Introduction of malicious software (malware).
Computer-related misrepresentation and fraud.
Cyber extortion and cyber terrorism.
Identity-related crimes.
Child pornography, child solicitation, and child grooming.
Online human trafficking.
Vague Definitions and Chilling Effect: This is a major area of concern. The Act criminalizes broad and vaguely defined categories of speech, such as:
Publication of "false information" that causes "public ridicule" or "damage to reputation" (Section 22). This reintroduces a form of criminal defamation for online speech, despite calls for its decriminalization.
Online communication that may cause "emotional distress" (Section 24).
Prohibition of "inauthentic data" that could mislead others about authenticity.
Undermining Encryption/VPNs: Vague provisions on "deceptive electronic communications" could be used to restrict legitimate tools for anonymous and secure communication.
Significant Criminal Penalties: Offenses under this Act carry substantial fines and imprisonment terms.
Data Protection Act, 2021 (Act No. 3 of 2021):
Purpose: This Act aims to provide an effective system for the use and protection of personal data and to regulate its collection, use, transmission, storage, and processing. It also established the Office of the Data Protection Commissioner.
Key Provisions:
Principles of Data Protection: Outlines principles for lawful, fair, and transparent processing of personal data, ensuring data accuracy, security, and limited retention.
Rights of Data Subjects: Grants individuals rights such as access to their data, rectification, erasure, objection to processing, and data portability.
Data Controller and Processor Obligations: Requires data controllers and processors to be transparent, accountable, and implement security measures.
Consent: Emphasizes the need for consent, especially for vulnerable persons like children.
Penalties: Imposes significant fines and imprisonment for violations of data protection principles (e.g., failure to register as a data controller, unlawful disclosure).
Challenges: While a progressive step, the effective operationalization of the Data Protection Commissioner's office and the full implementation of the Act's provisions are ongoing.
2. Concerns and Criticisms:
The enactment of the 2025 Cyber Security and Cyber Crimes Acts has drawn strong criticism from local and international civil society, human rights groups, and digital rights advocates due to:
Chilling Effect on Freedom of Expression: The vague and broad definitions of offenses like "false information," "harassment," and "emotional distress" are feared to stifle legitimate criticism, satire, and whistleblowing, leading to self-censorship.
Overbroad Surveillance and Lack of Oversight: The extensive powers granted to authorities for real-time interception and information security audits, coupled with insufficient judicial and independent oversight mechanisms, raise serious concerns about privacy violations and potential abuse for political repression.
Centralization of Power: The placement of the Cyber Security Agency under the President's direction raises fears of political interference in its operations.
Erosion of Civil Liberties: Critics argue that these new laws, combined with existing restrictive legislation, collectively threaten fundamental freedoms and civic space, particularly with general elections due in August 2026.
Lack of Transparency: The laws were reportedly developed and enacted with minimal public participation and transparency.
3. Digital Forensics and Enforcement:
The Cyber Security Act and Cyber Crimes Act provide the legal framework for investigating cybercrimes, which implicitly includes provisions for digital forensics. Law enforcement officers, with warrants, can search and seize computer systems and data. The Acts also address the admissibility of intercepted communication as evidence. The Zambia Cyber Security Agency and Cyber Incident Response Team are intended to develop national capacity to respond to cyber threats and facilitate investigations.
In essence, Zambia's cyber law framework is developing rapidly, with a commendable move towards data protection but also significant controversy surrounding new cybercrime and cybersecurity legislation that grants extensive powers to the state, raising concerns about fundamental rights in the digital space.