The Cyber Regulatory Framework in Zambia

The use of technology has become common all over the world and the use of social media is on the rise, with many gadgets being produced and many services being largely digitized. It is progressive for countries to enact laws that will create a legal framework for the crimes committed in cyberspace. Cybersecurity has become a major risk for companies and individuals. Zambia has notably enacted several pieces of legislation with the purpose of regulating cyberspace and the protection of personal information on both an individual and national level. The purpose of this article is to briefly give an overview of the legal framework of the ICT sector in Zambia.

1. Brief Historical Background of the Digital Sector in Zambia

Cyberspace falls within the information and communication technology (“ICT”) sector. The history of the ICT sector in Zambia dates back as far as 1913, when the common form of ICT was telecommunication. During that period the first telephone was installed in Livingstone as part of the General Post Office.[1] In 1975, the General Post Office was renamed the Zambian Post and Telecommunication Corporation. From 1964 until 1991, Zambia experienced socialistic measures put in place by the then government. Thereafter, in 1994, the Telecommunications Act of 1994, Chapter 469 of the Laws of Zambia, was enacted, which resulted in the reorganization of the sector in Zambia. The Zambian Post and Telecommunications Corporation was restructured into two separate commercial entities, namely ZAMTEL and ZAMPOST.

Additionally, the advent of the Telecommunications Act abolished the regulatory functions of the Zambian Post and Telecommunications and established the office of the Communications Authority. In 2009, the enactment of the Information and Communication Technologies Act No. 15 of 2009, Chapter 288 of the Laws of Zambia (the “ICT Act”) abolished the Communications Authority and replaced it with the new and improved Zambia Information and Communication Technologies Authority (“ZICTA”). ZICTA is the regulatory body which, to date, remains responsible for the regulation of the ICT sector. As can be seen, the ICT sector was previously mainly related to telecommunications; however, it has now expanded to include various other components such as the internet.

The following Acts and policy create the regulatory framework of the ICT sector:
  • The Cyber Security and Cyber Crimes Act No. 2 of 2021;
  • The ICT Act;
  • Electronic Communications and Transactions Act No. 4 of 2021;
  • Data Protection Act No. 3 of 2021; and
  • National Cyber Security Policy of 2021.

Overview and Salient Provisions of the ICT Related Legislation

Below is a brief overview of the salient provisions of the legislation indicated in 1.2 above that will be of interest to businesses.

The Cyber Security and Cyber Crimes Act No. 2 of 2021

The Cyber Security and Cyber Crimes Act No. 2 of 2021 (the “Cyber Security Act”) was enacted on 24 March 2021. The main purpose of the Cyber Security Act is to provide for national cyber security and protection against cyber-crimes. The Cyber Security Act takes precedence over all other legislation relating to cyber-crimes and cyber security subject to the Constitution of Zambia. The Cyber Security Act mandates ZICTA with its enforcement.

The Act empowers ZICTA and the Minister of Information and Communication Technologies to constitute the Zambia Computer Incidence Response Team (“ZCIRT”) whose main function (amongst many) is to respond to all cyber threats and incidents whether current or impending. ZCIRT’s primary responsibility is to handle cyber security incidents as and when they arise. The ZCIRT is required to be the first point of contact with reference to handling cyber incidents and communication between local, regional and international cyber security emergency response teams or cyber security incident response teams.

The Cyber Security Act also provides for the establishment of the National Cyber Security Advisory and Coordinating Council whose main function is to oversee ZCIRT. The Cyber Security Act defines a ‘cyber security incident’ as an act or activity on or through a computer or computer system, that jeopardises or adversely impacts, without lawful authority, the security, availability or integrity of a computer or computer system, or the availability, confidentiality or integrity of information stored on, processed by, or transiting a computer or computer system. This will progressively assist companies who store large or sensitive data to have recourse for data breaches that may occur. It will also help ZICTA and other cyber security emergency response teams and incident teams to be able to detect potential data breaches and put measures in place to prevent data breaches.

The Cyber Security Act further establishes the office of the Cyber Inspector and gives the Cyber Inspector the powers to inspect and monitor, to issue a notice of data retention, and to conduct a search and seizure on reasonable grounds. It should be noted that Section 12 of the Cyber Security Act makes the obstruction of a Cyber Inspector’s functions in relation to a lawful search and seizure a crime punishable by a fine not exceeding two hundred thousand penalty units (ZMW 60,000.00) or by imprisonment for a period not exceeding two years, or both. Therefore, if your business is visited by an inspector, speak to a legal adviser in order to avoid taking actions that may be considered to be obstruction.

Furthermore, it is worth noting that the Cyber Security Act was enacted in line with the National Cyber Security Policy of 2021 (the “Policy”). The main aim of the Policy is to help establish a coordinated cybersecurity framework and enhance the resilience of national ICT systems to cyber incidents in order to attain the desired transformation into a Smart Zambia that is underpinned by trust and confidentiality. The Policy also aims at reforming the legal and regulatory framework on cybersecurity and cybercrimes in the country. Successful implementation of this Policy will require extensive collaboration with all stakeholders. The Ministry of Science and Technology is responsible for the development of the ICT sector and has undertaken to put in place a multi-sectoral framework that allows all stakeholders to play their role in the prevention and detection of, and recovery from, cyber-attacks and incidents.

The Information and Communication Technologies Act No. 15 of 2009

One of the salient features of the ICT Act is that it provides for licensing of electronic communications, radio communications and also for the regulation of electronic communications apparatus or equipment.

It provides, inter alia, the procedure to obtain licenses to operate an electronic communications network, an electronic communications service, a radio communication service and a network. It also provides that all electronic communications apparatus and equipment must be approved by ZICTA. Therefore, companies making use of electronic communications apparatus or equipment must confirm with ZICTA whether their equipment is approved or whether the equipment should be approved. For more information on the procedure to obtain a license with ZICTA or to have your electronic communications equipment or apparatus approved, please write to us at zambia@bellmacconsulting.com.

The Electronic Communications and Transactions Act No. 4 of 2021

One of the most relevant salient features of the Electronic Communications and Transactions Act (“ECT Act”) is the introduction of electronic signatures. The ECT Act provides for advanced electronic signatures and electronic signatures generally. It provides for instances when a particular type of electronic signature would suffice. This is relevant because most businesses today are conducted electronically.

With many businesses increasing their use of the internet and social media it is also important to note that the ECT Act also provides for the regulation of domain names. Interestingly, the ECT Act provides that ZICTA shall enhance public awareness of the economic and business benefits of domain name registration.

Further, because businesses are increasing their online presence and e-commerce is on the rise, it is worth noting that the ECT Act also provides for consumer protection. The ECT Act provides that a supplier offering goods or services for sale, hire or exchange should make the following information available to consumers on the website, application or other electronic media platform where the goods or services are offered:

  • the supplier’s full name and legal status;
  • the supplier’s physical address and telephone number;
  • the supplier’s website address and email address;
  • membership to any self-regulatory or accreditation body to which that supplier belongs or subscribes and the contact details of that body;
  • any code of conduct to which that supplier subscribes and how that code of conduct may be accessed electronically by the consumer;
  • in the case of a legal person, its registration number, the names of its office bearers and its place of registration;
  • the physical address where that supplier will receive legal service of documents;
  • a description of the main characteristics of the goods or services offered by that supplier to enable a consumer to make an informed decision on the proposed electronic transaction;
  • the full price of the goods or services, including transport costs, taxes and any other fees or costs;
  • the manner of payment for the goods or services;
  • any terms of agreement, including any guarantees, that will apply to the transaction and how those terms may be accessed, stored and reproduced electronically by consumers;
  • the time within which the goods will be dispatched or delivered or within which the services will be rendered;
  • the manner and period within which consumers can access and maintain a full record of the transaction;
  • the return, exchange and refund policy of that supplier;
  • any alternative dispute resolution code to which that supplier subscribes and how the wording of that code may be accessed electronically by the consumer;
  • the security procedures and privacy policy of that supplier in respect of payment, payment information and personal information; and
  • where appropriate, the minimum duration of the agreement in the case of an agreement for the supply of products or services to be performed on an ongoing basis or recurrently.

It is also worth noting that the ECT Act now provides that a person may market by means of electronic communication and is only permitted to send one unsolicited commercial communication to a consumer. Further, and interestingly, electronic commercial communications can only be sent where an opt-in requirement is met. Finally, the ECT Act also introduces a cooling-off period which allows a consumer to cancel, without giving any reason and without incurring any penalty, a transaction and related credit agreement for the supply of:

  • goods within seven days after the date of the receipt of the goods; or
  • services within seven days after the date of the conclusion of the agreement.

The Data Protection Act No. 3 of 2021

The Data Protection Act No. 3 of 2021 (“DTA”) provides a framework relating to data protection in Zambia. It regulates, amongst others, the collection, use, transmission, storage and other processing of personal data; establishes the office of the Data Protection Commissioner; provides for the registration of data controllers and licensing of data auditors; provides for the duties of data controllers and data processors; provides for the rights of data subjects; and provides for matters connected with, or incidental to, the foregoing.

It is worth highlighting that the Data Protection Commissioner is responsible for the regulation of data protection and privacy in Zambia. This office is yet to be established. At the moment any matters relating to the DTA may be referred to ZICTA or the Ministry of Science and Technology.

For any data protection related queries please write to zambia@bellmacconsulting.com.

In conclusion, most businesses are making use of the internet in order to conduct their businesses, whether by using websites, applications, or social media. It is, therefore, important for businesses to know the regulatory framework in order to avoid being penalized by regulators. This brief overview of the regulatory framework of the ICT sector provides businesses with a starting point to confirm whether they are compliant with the ICT regulatory framework and how they can become compliant.