Cyber Security And Cyber Crimes Act 2021 Zambia

[Nathen Paisley]

AnAct to provide for cyber security in the Republic; provide for the constitution of the Zambia Computer Incidence Response Team and provide for its functions; provide for the constitution of the National Cyber Security Advisory and Coordinating Council and provide for its functions; provide for the continuation of the Central Monitoring and Co-ordination Centre; provide for the protection of persons against cyber crime; provide for child online protection; facilitate identification, declaration and protection of critical information infrastructure; provide for the collection of and preservation of evidence of computer and network related crime; provide for the admission; in criminal matters, of electronic evidence; provide for registration of cyber security service providers; and provide for matters connected with, or incidental to, the foregoing.

Each member is a full service law firm with expert knowledge and experience in both local law and the local business, political, cultural and economic environment. Our members and their lawyers are recognised by clients and major legal directories as leaders in various practice areas.

The purpose of the Cyber Act is, amongst other things, to provide for cyber security in Zambia, to ensure protection of persons against cyber crime, to facilitate the identification, declaration and protection of critical information infrastructure, and to provide for the collection of and preservation of evidence of computer and network related crime.

As ZICTA is yet to exempt persons or classes of persons from application of the Cyber Act, it is prudent for persons using the cyber space in Zambia or with an effect in Zambia, to be aware of provisions in the Act.

Cyber inspectors are therefore mandated with ensuring compliance with the Cyber Act. To note that as the Constitution of Zambia Act No.2 of 2016 provides for the right to privacy, a cyber inspector must have or be in possession of a warrant prior to exercising their powers to inspect, monitor, access, search and seize. The powers to access, search and seize can be exercised at any reasonable time and without prior notice. It is an offence for any person or entity to obstruct a cyber inspector from conducting a lawful search or seizure and if convicted, one would be liable to a fine not exceeding ZMW 60,000 (approximately USD 2,697.14 as at the date of this alert) or to imprisonment for a period not exceeding 2 years, or to both.

It is worth noting that where a person is orally examined and that person in good faith discloses information, that person is granted immunity from any duty imposed upon them not to disclose that information either under law, contract or rules of professional conduct.

It is an offence for any person to wilfully give false information or without lawful excuse to refuse to perform any act required of such person by ZICTA or indeed refuse to cooperate with or hinder a cyber inspector from conducting a lawful search or seizure. Any person that is found guilty of such offence is liable to a fine not exceeding ZMW 60,000 (approximately USD 2,697.14 as at the date of this alert) or to imprisonment for a term not exceeding 2 years, or to both.

It would therefore be prudent to be on the look-out for the prescription by the Minister as persons captured to be in control of critical information will be required to adhere to the compliance obligations set out above. These obligations may require assessments of current systems to ensure compliance. In addition, there may be a cost attached to ensuring compliance.

Law enforcement officers may, where the law enforcement officer has reasonable grounds to believe that an offence has been committed, is likely to be committed or is being committed and for the purpose of obtaining evidence of the commission of an offence under the Cyber Act, apply, ex-parte, to a Judge, for an interception of communications order. Such order is valid for a period of three months and may, on application by a law enforcement officer, be renewed for such period as the Judge may determine.

Any information contained in a communication intercepted shall be admissible in proceedings for an offence under the Cyber Act, as evidence of the truth of its contents despite the fact that it contains hearsay. Notably, the prior written consent of the Attorney-General is required prior to making an application for an interception of communications order.

Worth noting is that an application for an interception order is made ex-parte i.e., without the attendance in court of the person whose communication will be intercepted. Further, any communication intercepted is admissible despite it containing hearsay. This deviates from the general position under Common Law that hearsay evidence is not admissible.

No action lies in any court against a service provider, any officer, employee or agent of the service provider or other specified person, for providing information, facilities or assistance in accordance with the terms of a court order issued under the Cyber Act or any other law.

It is therefore now a mandatory requirement for any person providing cyber security services to be licensed with ZICTA. Any person who carries on cyber security services without being licensed commits an offence and is liable on conviction to a fine not exceeding ZMW 100, 000 (approximately USD 4,495.23 as at the date of this alert) or to imprisonment for a term not exceeding 1 year or to both.

The Cyber Act recognises several cyber crimes. A cyber crime is a crime committed in, by or with the assistance of the simulated environment or state of connection or association with electronic communications or networks including the internet.

The Cyber Act makes it an offence for a person to, with intent to compromise the safety and security of any other person, publish information or data presented in a picture, image, text, symbol, voice or any other form in a computer system. This offence is punishable by a fine of not less than ZMW 150,000 (approximately USD 6, 742.85 as at the date of this alert) or to imprisonment for a term not exceeding 5 years, or to both.

The Cyber Act also addresses issues of hate speech. A person who, using a computer system, knowingly without lawful excuse, uses hate speech commits an offence and is liable, on conviction, to a fine not exceeding ZMW 150,000 (approximately USD 6,742.85 as at the date of this alert) or to imprisonment for a period not exceeding 2 years, or to both.

Equally, a person who, using a computer system intentionally initiates any electronic communication, with the intent to coerce, intimidate, harass, or cause emotional distress to a person commits an offence and is liable, on conviction, to a fine not exceeding ZMW 150,000 (approximately USD 6,742.85 as at the date of this alert) or to imprisonment for a period not exceeding 5 years, or to both.

It is an offence for a person to intentionally access or intercept any data without authority or permission to do so or exceed the authorised access. Also, a person who intentionally and without authority to do so, interferes with or deviates data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, commits an offence. Both are punishable, upon conviction, by a fine not exceeding ZMW 150,000 (approximately USD 6,742.85 as at the date of this alert) or to imprisonment for a term not exceeding 5 years, or to both.

It is equally an offence for a person to knowingly, without lawful excuse, input, alter, delete, or suppress computer data, resulting in unauthentic data with the intent that it be considered or acted on as if it were authentic, regardless of whether or not the data is directly readable and intelligible. If convicted, such person would be liable to a fine not exceeding ZMW 210,000 (approximately USD 9, 439.99 as at the date of this alert) or to imprisonment for a term not exceeding 7 years, or to both. Should the foregoing offence be committed by sending out multiple electronic mail messages from or through computer systems, the penalty is ZMW 450,000 (approximately USD 20228.56 as at the date of this alert) or imprisonment for a period not exceeding 15 years, or to both.

In addition, a person who aids, abets, counsels, procures, incites, solicits another person to commit or conspire to commit, or attempts to commit any offence under the Cyber Act commits an offence and is liable, on conviction, to the penalty specified for that offence.

WHEN Hakainde Hichilema was inaugurated as the seventh president of Zambia in August 2021 following the country's watershed elections, the nation founded by liberation icon Kenneth Kaunda began a new journey of hope and prosperity.

But while his government begins the arduous work of rebuilding the country and making it one of the SADC region's economic powerhouses and the destination of choice for international investors, they must think carefully about some of the legislation they are pushing through or risk sending conflicting messages to the world.

One of these is the proposed Cyber Security and Cyber Crimes (Critical Information Infrastructure) Regulations 2022 supposedly developed to give effect to the critical information infrastructure requirements under the Cyber Security and Cyber Crimes Act No.2 of 2021, which, on paper, is envisaged to deal with national security, threats of sabotage, espionage and other cyberspace risks in the post-Covid era.

The unintended consequence of this proposed legislation by the Ministry of Technology and Science is that it will hurt current investors and scare those who have been listening to Hichilema's message that country is open for business.

Cybersecurity experts warn that Zambia will be throwing the baby with the bath water if it goes ahead with the proposed legislation, which will force multinationals operating in the country to store customer data locally or pay hefty fees to keep the information outside Zambia's jurisdiction.

While several African countries have enacted new legislation to fight cybercrimes in recent years, their focus has been to make sure companies commit to protecting their data and reporting any breaches to authorities as quickly as they happen.

3a8082e126