ZAMBIA: THE CYBER SECURITY AND CYBER CRIMES ACT, 2021 - KEY PROVISIONS AND IMPLICATIONS FOR SERVICE PROVIDERS AND PRIVATE CITIZENS
Zambia recently enacted a controversial digital security law aimed at tackling digital crime, the Cyber Security and Cyber Crimes Act 2021 (Act). The Act came into force on 1 April 2021 and has extra-territorial reach where the conduct has an effect in Zambia.
In the lead-up to and following its enactment, various quarters of society have expressed fear that the Act could be used to muzzle the freedom of expression, the freedom of the press and the right to privacy, especially as the nation heads for polls this August.
Government, on the other hand, maintains that the Act will help combat cybercrime, coordinate cyber security matters, develop relevant skills and help promote the responsible use of social media platforms. Further, the Act will facilitate the identification, declaration and protection of national critical infrastructure, it adds.
Notwithstanding the debate and in addition to the above concerns, the Act has a significant impact on businesses operating in the telecommunications sector.
Some of the key provisions of the Act and their implications for service providers in the telecommunications sector as well as private citizens are outlined below. The key offences introduced by the Act that individual citizens must be aware of and the regulatory approach adopted by the Act are also highlighted.
Interception of communication - general
While the Act prohibits the interception of communication, it legalises the lawful interception of communication, by a law enforcement officer, where there are reasonable grounds to believe that a crime has been committed or is likely to be committed or is being committed.
Under the Act, a law enforcement officer must obtain an order from a judge of the High Court of Zambia prior to intercepting the communication. The Act also permits a law enforcement officer to intercept communication without an order of the High Court if the delay caused by obtaining an order would result in harm to a person or to property.
To facilitate the effective interception of communication, the Act creates the Central Monitoring and Co-ordination Centre (Centre), which will be managed, controlled and operated by the department responsible for Government communications in liaison with the Zambia Information Communications and Technology Authority (Authority). The Centre is the sole facility through which all intercepted communication can be effected and call-related information may be forwarded.
A service provider has been defined as a public or private entity:
- authorised to provide or offer an electronic communication system; or
- authorised to process or store computer data on behalf of a communication service or user of such service; or
- that owns an electronic communication system to provide, or to offer an electronic communication service (Service Providers).
Service Providers are required to comply with requests for interception of communication from enforcement agencies.
Service Providers are also required to use an electronic communication system which has the capability of being lawfully intercepted and to store call-related information in accordance with the provisions of the Act. Should a Service Provider’s electronic communication system not have such capacity, it is required to put in place equipment or to make the necessary upgrades to its existing system in order to allow for the lawful interception of communication.
The requirement to comply with the interception provisions of the Act will place significant compliance and financial obligations on Service Providers whose systems do not already allow for lawful interception. The costs of procuring new infrastructure or upgrading existing infrastructure to ensure that a Service Provider is compliant with the provisions of the Act must be borne by the Service Provider. It will be interesting to see how this will be monitored, but it is likely that any price adjustments in the services to the public must not be attributed to the acquisition of compliant infrastructure.
In addition to the interception provisions, the Minister responsible for communication (Minister) may declare information that is of importance to the protection of national security, economic or social wellbeing of the Republic to be critical information, and infrastructure containing critical information as critical information infrastructure.
Such a declaration would impose additional compliance obligations on the controller of such information. These obligations would include:
- restrictions on the location of the server or data centre;
- the need to register the critical information infrastructure with the Authority;
- a restriction on change of ownership of the infrastructure;
- the appointment of an information technology auditor to audit the critical information infrastructure; and
- a requirement to submit reports to the Authority.
Interception of communication - private citizens
The provisions relating to interception equally have an impact on a private citizen’s right to privacy.
For purposes of the Act, a private citizen has no right to be notified by either a law enforcement officer or Service Provider that they are being investigated or that communication to which they are a party is being intercepted and transferred to the Centre.
Further, the Act empowers a cyber inspector to, with a warrant at any reasonable time and without prior notice, access and inspect the operation of any computer or equipment forming part of an information system and any associated apparatus or material which the cyber inspector has reasonable cause to believe is, or has been, used in connection with any offence.
To promote the responsible use of cyber space, the Act introduces various cybercrimes, including sophisticated and non-sophisticated offences.
For example, to curb social media abuse, the Act has criminalised hate speech or conduct through any form of communication and any form of electronic communication or publication of information through a computer system, with the intent to coerce, intimidate, harass, or cause emotional distress to a person or to compromise the safety and security of another person.
The provision relating to hate speech is quite broad and lends itself to a subjective interpretation of what constitutes ‘intent’ and emotional distress.
The penalty for hate speech is a fine of ZMW 150 000 or imprisonment for a period not exceeding two years, or both.
The Act also provides for the following offences all of which attract a penalty of a fine or imprisonment, or both:
- illegally intercepting data;
- installing illegal devices for purposes of committing an offence;
- introducing malicious software into a computer system;
- using a computer system to undertake cyber extortion or a cyber-attack;
- publishing information through a computer system with intent to compromise the safety and security of any other person; and
- initiating the transmission of multiple unsolicited electronic messages.
In addition, the Act has introduced strict offences relating to producing, distributing, selling, making available or being in possession of pornography or child pornography. The offences relating to child pornography attract a minimum sentence of 15 years, if convicted.
The Act has also criminalised child solicitation, that is, the use of a computer system to meet a child for purposes of making it easier to procure the child to engage in sexual activity.
The Act follows the current legislative practice of using a two-level regulatory approach with the Authority being the key regulator responsible for the implementation of the Act, while the Minister will retain supervisory oversight through the National Cyber Security Advisory Coordinating Council (Council).
The Council will be constituted by the Minister and its key functions will be to, among other functions, monitor and evaluate the performance of the Authority in relation to cyber security and provide advice to the Minister and the Authority on matters relating to cyber security.
The Authority will be assisted by the Zambia Computer Incidence Response Team which will, among other things, be the first point of contact with reference to the handling of cyber incidents and communication among local, regional and international cyber security emergency response teams or cyber security incident response teams.