Zambia has published the Cyber Security Bill, 2024 and the Cyber Crimes Bill, 2024, which would repeal the Cyber Security and Cyber Crimes Act of 2021. These proposed laws’ objective of combating cyber crimes and promoting a safe and healthy digital society is welcome, as is the need for the country to strengthen its cyber security posture, including through legislation.
However, the current drafts of the laws not only miss the opportunity to cure some of the deficiencies in the 2021 cyber crimes law they are repealing but also introduce several provisions that are more regressive.
In an analysis of the two Bills, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) and the Bloggers of Zambia, which also hosts the Zambia CSO Coalition on Digital Rights, point to the retrogressive and vague provisions in the two Bills, and offer recommendations that can render the proposed laws more robustly rights-respecting and effective in combating cyber crimes.
The bills have some progressive provisions, such as the separation of cybersecurity and cybercrime functions; the structured cybersecurity governance that includes the creation of dedicated bodies such as the Cyber Security Agency and the Cyber Incident Response Teams (CIRTs); and provision of a framework for mutual legal assistance and cooperation with foreign entities. The bills also introduce new offences in response to emerging cyberthreats, such as identity-related crimes, attacks on critical information infrastructure, cyber harassment, cyber terrorism, and “revenge pornography”.
However, the list of concerns is much longer, as detailed below:
- Weak human rights and procedural safeguards: The bills do not affirm adherence to regional and international human rights standards and obligations, such as privacy, freedom of expression, access to information, or due process. Also, enforcement measures lack comprehensive human rights and due process safeguards to ensure provisions and practices are proportionate, necessary, and pursue legitimate aims.
- Potential for abuse of power: The bills provide law enforcement agencies significant discretion in applying their provisions, thereby increasing risks for political interference, unchecked surveillance and the widespread targeting of dissenters. These are aided by broad surveillance powers and ambiguous definitions of terms and offences, which create room for subjective interpretation and arbitrary application. These could be used to suppress freedom of expression and legitimate public discourse.
- Weak oversight and governance: There are limited independent or judicial review processes mandated for surveillance, data collection, or search and seizure activities. Further, the centralised control of the Cyber Security Agency and Central Monitoring and Co-ordination Centre (CMCC) and the absence of independent oversight mechanisms raise accountability concerns. Also, there is no clear separation of cybersecurity functions from the cybercrime-related functions between the two bills, which could lead to duplication and implementation challenges.
- Overly broad surveillance powers: Law enforcement is granted broad interception powers including real-time data collection and communication interception and extensive search-and-seizure powers. The provisions do not include clear limits or provide sufficient safeguards such as judicial oversight, proportionality, or transparency and accountability.
- Insufficient safeguards for privacy: The bills enable widespread surveillance and interception without clear provisions on data retention limits, purpose limitation, secure handling of intercepted data and oversight. This could allow for indefinite storage of data, increasing the risk of misuse or unauthorised access. Also, the absence of anonymity protections for whistleblowers, journalists, and researchers could criminalise legitimate anonymous or pseudonymous activities. The provisions limit privacy rights, and are in total disregard of the country’s Data Protection Act, 2021.
General Recommendations
- Provide adequate human rights and procedural safeguards: Incorporate a dedicated section affirming the bill’s compliance with Zambia’s constitutional and international human rights obligations. Further, align the bills with the Declaration of Principles on Freedom of Expression and Access to Information in Africa and the African Union Convention on Cybercrime and Personal Data Protection. In addition, conduct a Regulatory and Human Rights Impact Assessment and require periodic review of the bill’s implementation for potential human rights impacts.
- Strengthen oversight and governance mechanisms: Introduce mandatory independent judicial oversight, notification, documentation and annual reporting requirements on the use of powers under the bill, ensuring accountability and public trust. Establish independent oversight mechanisms for the Cyber Security Agency, CMCC and surveillance practices.
  Review the structure and functioning of the newly established agencies vis-a-vis the roles of other agencies, such as the Office of the President, the Ministry of ICT, the Zambia Information Technology Authority (ZICTA) and security agencies, among others, to enhance coordination and avoid duplication of roles and fragmentation. It is also important to clearly delineate cybersecurity functions from cybercrime functions to avoid confusion or duplication of roles.
- Ensure proportionality: Many offences in the Cyber Crimes Bill criminalise minor or vague conduct without proportionality thresholds. Introduce proportionality clauses limiting criminalisation to significant harm, or graduated scales that enhance penalties based on severity, complexity and impact of offences on victims, critical infrastructure or organisations.
- Invest in capacity building: Provide a framework for training of law enforcement, prosecution and judiciary officials on applying the law proportionately, balancing enforcement with human rights protection.
- Ensure compliance with data protection laws: Ensure the bills align with the provisions of Zambia’s Data Protection Act, 2021, to protect individuals’ privacy rights.