Promoting Effective and Inclusive ICT Policy in Africa

Tag Archives: bill

  HomeCollaboration on International ICT Policy for East and Southern Africa (CIPESA)  /  bill
13Dec

ANALYSIS: Zambia’s Proposed Cyber Laws Facilitate Suppression of Civil Liberties

Author CIPESA Writer Posted on

Zambia has published the Cyber Security Bill, 2024 and the Cyber Crimes Bill, 2024, which would repeal the Cyber Security and Cyber Crimes Act of 2021. These proposed laws’ objective of combating cyber crimes and promoting a safe and healthy digital society is welcome, as is the need for the country to strengthen its cyber security posture, including through legislation.

However, the current drafts of the laws not only miss the opportunity to cure some of the deficiencies in the 2021 cyber crimes law they are repealing but also introduce several, more regressive provisions.

In an analysis of the two Bills, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) and the Bloggers of Zambia, who also hosts the Zambia CSO Coalition on Digital Rights, point to the retrogressive and vague provisions in the two Bills, and offer recommendations that can render the proposed laws more robustly rights-respecting and effective in combating cyber crimes.

The bills have some progressive provisions, such as the separation of cybersecurity and cybercrime functions; the structured cybersecurity governance that includes the creation of dedicated bodies such as the Cyber Security Agency and the Cyber Incident Response Teams (CIRTs); and provision of a framework for mutual legal assistance and cooperation with foreign entities. The bills also introduce new offences in response to emerging cyberthreats, such as identity-related crimes, attacks on critical information infrastructure, cyber harassment, cyber terrorism, and “revenge pornography”.

However, the list of concerns is much longer, as detailed below:

  1. Weak Human Rights and procedural safeguards: The bills do not affirm adherence to regional and international human rights standards and obligations, such as privacy, freedom of expression, access to information, or due process. Also, enforcement measures lack comprehensive human rights and due process safeguards to ensure provisions and practices are proportionate, necessary, and pursue legitimate aims. 
  1. Potential for abuse of power: The bills provide law enforcement agencies significant discretion in applying their provisions, thereby increasing risks for political interference, unchecked surveillance and the widespread targeting of dissenters. These are aided by broad surveillance powers and ambiguous definitions of terms and offences, which create room for subjective interpretation and arbitrary application. These could be used to suppress freedom of expression and legitimate public discourse.
  1. Weak oversight and governance: There are limited independent or judicial review processes mandated for surveillance, data collection, or search and seizure activities. Further, the centralised control of the Cyber Security Agency and Central Monitoring and Co-ordination Centre (CMCC) and the absence of independent oversight mechanisms raise accountability concerns. Also, there is no clear separation of cybersecurity functions from the cybercrime-related functions between the two bills, which could lead to duplication and implementation challenges.
  2. Overly broad surveillance powers: Law enforcement is granted broad interception powers including real-time data collection and communication interception and extensive search-and-seizure powers. The provisions do not include clear limits or provide sufficient safeguards such as judicial oversight, proportionality, or transparency and accountability.
  1. Insufficient safeguards for privacy: The bills enable widespread surveillance and interception without clear provisions on data retention limits, purpose limitation, secure handling of intercepted data and oversight. This could allow for indefinite storage of data, increasing the risk of misuse or unauthorised access. Also, the absence of anonymity protections for whistleblowers, journalists, and researchers could criminalise legitimate anonymous or pseudonymous activities. The provisions limit privacy rights, and are in total disregard of the country’s Data Protection Act, 2021.

General Recommendations

  1. Provide adequate human rights and procedural safeguards: Incorporate a dedicated section affirming the bill’s compliance with Zambia’s constitutional and international human rights obligations. Further, align the bills with the Declaration of Principles on Freedom of Expression and Access to Information in Africa and the African Union Convention on Cybercrime and Personal Data Protection. In addition, conduct a Regulatory and Human Rights Impact Assessment and require periodic review of the bill’s implementation for potential human rights impacts.
  2. Strengthen oversight and governance mechanisms: Introduce mandatory independent judicial oversight, notification and documentation and annual reporting requirements on the use of powers under the bill, ensuring accountability and public trust. Establish independent oversight mechanisms for the Cybersecurity Agency, CMCC and surveillance practices. 

Review the structure and functioning of the newly established agencies vis-a-vis the roles of other agencies e.g. Office of the President, Ministry of ICT, Zambia Information Technology Authority (ZICTA), security agencies, among others, to enhance coordination and avoid duplication of roles and fragmentation. It is also important to have clear delineation of cybersecurity functions and cybercrime functions to avoid confusion or duplication of roles.

  1. Ensure proportionality: Many offences in the Cyber Crimes Bill criminalise minor or vague conduct without proportionality thresholds. Introduce proportionality clauses limiting criminalisation to significant harm, or graduated scales that enhance penalties based on severity, complexity and impact of offences on victims, critical infrastructure or organisations.
  2. Invest in capacity building: Provide a framework for training of law enforcement, prosecution and judiciary officials on applying the law proportionately, balancing enforcement with human rights protection.
  3. Ensure compliance with data protection laws: Ensure the bills align with the provisions of Zambia’s Data Protection Act, 2021, to protect individuals’ privacy rights.

The full analysis can be found here.

29Jul

Uganda: CIPESA Submits Comments on the Computer Misuse (Amendment) Bill, 2022 to Parliament

Author CIPESA Writer Posted on

By Edrine Wanyama |

The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has made a submission on emerging concerns from the proposed Computer Misuse (Amendment) Bill, 2022 (the Bill) to the Parliamentary Committee on Information and Communications Technology. In its submission, CIPESA analyses the changes proposed by the Bill which are a blow to online civil liberties in Uganda.

The private members Bill is seeking to amend the Computer Misuse Act of 2011and  argues that existing laws “do not specifically address regulation of information sharing on social media” or are “not adequate to deter the vice”. The objectives of the amendment are: to enhance the provisions on unauthorised access to information or data; prohibit the sharing of any information relating to a child without authorisation from a parent or guardian; prohibit the sending or sharing of information that promotes hate speech; prohibit the sending or sharing of false, malicious and unsolicited information; and to restrict persons convicted of any offence under the Computer Misuse law from holding public office for a period of 10 years.

While the amendment could be justified by advancements in technology, upsurge in cybercrime, disinformation, and hate speech (clause 4), experience has shown that the law since enactment has been used to suppress digital rights including free expression and access to information.

The underlying provisions of the bill including clause 5 which seeks to prohibit the sending or sharing of unsolicited information through a computer, and clause 6 on prohibition of sharing malicious or misleading information, could be misused and abused by the government and its agencies to curtail sharing and dissemination of information, which would limit freedom of expression and access to information. Moreover, such restriction would counter the ruling by Supreme Court in Charles Onyango Obbo and Another v Attorney General that the penalisation of the publication of false news under Section 50 of the Penal Code is unconstitutional.

The Bill also duplicates existing laws including the Regulation of Interception of Communications Act, 2010 and Data Protection and Privacy Act in as far as it relates to unlawful interception of communications and unlawful access to and sharing of personal information under clause 2 and  prohibition of processing and sharing information about children under clause 2.

Similarly, the Bill proposes the adoption of very punitive and prohibitive penalties which could not only hinder expression and access to information but also transparency and accountability in governance. The penalties proposed stretch to UGX 15 million (USD 3,900), imprisonment not exceeding 10 years, or both for unauthorised access, interception, recording and sharing of information under clause 2. On the other hand, sharing information related to children (clause 3), hate speech (clause 4), unsolicited information (clause 5) and misleading or malicious information (clause 6) are punished with imprisonment not exceeding seven years.

While specifically targeting leaders, Clause 7 of the Bill seeks to bar persons convicted under the Computer Misuse Act from holding public office for a period of 10 years, and to further dismiss convicted personsfrom public offices that they were holding.  In addition to the restrictions under the  Official Secrets Act  it may discourage the disclosure of information by duty bearers where such disclosure would be necessary for enforcing transparency and accountability.

The Computer Misuse Act has been previously used to suppress digital rights including free expression and access to information. For instance, academic and social critic Dr. Stella Nyanzi was arrested for insulting the president in a social media post. In 2019, she was convicted of cyber harassment contrary to section 24 of the Act but acquitted of offensive communications, which is proscribed under section 25. Other individuals who have suffered the wrath of the same law include former presidential aspirant Henry Tumukunde who was arrested over alleged treasonable utterances in radio and television interviews, the Bizonto comedy group who were arrested over alleged offensive and sectarian posts, and author Kakwenza Rukirabashaija who was arrested, detained and prosecuted over offensive communication against the president and his son.

While the need for amendment of the Computer Misuse Act might be eminent to address emerging technologies, the proposed provisions are unfounded and redundant, and stipulate highly punitive penalties. They fail to address existing retrogressive provisions including section 24 on cyber harassment and section 25 on offensive communication, which have been used to criminalise freedom of expression. Moreover, trolling, cyber harassment, unauthorised sharing of intimate images, and other forms of online violence against women and girls are not addressed.

Read CIPESA’s full submission!