April 2024

1. Governing Texts

Zambia has enacted various pieces of legislation that provide for a safe, secure, and effective environment for the conduct and use of electronic communications. Data privacy and protection issues in Zambia are mainly regulated by the Electronic Communications and Transactions Act No. 4 of 2021 ('the ECT Act'), the Data Protection Act No. 3 of 2021 ('the Data Protection Act'), the Cyber Security and Cyber Crimes Act No. 2 of 2021 ('the CSCC Act'), and the Information and Communications Technologies Act No. 15 of 2009 ('the ICT Act'). The stated legislation is comprehensive and provides for legal requirements for the communication of data messages, processing of personal information, recognition of authentication service providers, protection of critical databases, and domain name regulation. The legislation further has provisions that prohibit the interception of communications, the disclosure of stored communications, the unauthorized decryption of communications or release of a decryption key, and the disclosure of records or other information by the key holder. Furthermore, the legislation provides for rules relating to cyber inspections, cybercrimes, and the security of electronic communications.

On April 1, 2021, the Data Protection Act, the CSCC Act, and the ECT Act took effect in Zambia.

1.1. Key acts, regulations, directives, bills

The main legislations which will be addressed in this overview are as follows:

• the Constitution of Zambia ('the Constitution');
• the Data Protection Act;
• the CSCC Act;
• the ECT Act; and
• the Banking and Financial Services Act No. 7 of 2017 ('the Banking and Financial Services Act').

The Constitution

The Constitution does not specifically provide for data protection. However, such protection is recognized under the Constitution by the wider meaning of the right to privacy as enshrined under Article 17 of the Constitution. Said Article provides that except with their own consent, no person shall be subjected to the search of their person or their property or the entry by others on their premises. Article 17 however provides limitations with respect to its application and provides that nothing contained in or done under the authority of any law shall be held to be inconsistent with or in contravention if it is shown that the law in question:

• is reasonably required in the interests of  defense, public safety, public order, public morality, public health, town and country planning, the development and utilization of mineral resources, or in order to secure the development or utilization of any property for a purpose beneficial to the community;
• is reasonably required for the purpose of protecting the rights or freedoms of other persons; or
• is for the purpose of enforcing the judgment or order of a court in any civil proceedings, the search of any person or property by order of a court, or entry upon any premises by such order.

An exception to the above is where the provision or, as the case may be, anything done under the authority thereof is shown not to be reasonably justified in a democratic society.

The foregoing are permitted derogations which if exercised do not amount to the violation of Constitutional protection of the right to privacy.

The ECT Act

The ECT Act is one of the main pieces of legislation that regulates data privacy and protection issues in Zambia.

Notably, the ECT Act was recently enacted to provide a safe and effective environment for electronic transactions; promote secure electronic signatures; facilitate electronic filing of documents by public authorities; provide for the use, security, facilitation, and regulation of electronic communications and transactions; promote legal certainty and confidence and encourage investment and innovation in relation to electronic transactions; and regulate the National Public Key Infrastructure.

The ECT Act mostly builds on the repealed Electronic Communications and Transactions Act, of 2009, with some notable changes being the following: the provision for time-stamping services, the creation of a Certification Authority, and the creation of a National Public Key Infrastructure whose functions are to be performed by ZICTA on behalf of the National Root Certification Authority.

The ECT Act imposes an obligation on the Zambia Information and Communications Technology Authority ('ZICTA') to monitor the conduct, systems, and operations of an authentication service provider to ensure compliance and other obligations of authentication service providers stipulated under the Act.

Section 88(1) of the ECT Act provides that a key holder shall not disclose a record or any other personal information relating to an owner of a key held or managed by the key holder except with the consent of the owner or to a law enforcement officer pursuant to a court order.

The Financial Services Act

Section 111 of the Banking and Financial Services Act provides that, subject to the Financial Intelligence Centre Act No. 46 of 2020, a financial service provider must maintain the confidentiality of information obtained in the provision of a service to a customer and must not divulge any information except:

• in accordance with the express consent of a customer;

• in compliance with a court order;

• where the interest of the financial service provider requires disclosure;

• where the information requested is customer identification data required by another financial service provider for the purpose of conducting due diligence; or

• where the bank, in the performance of its functions as provided in the Banking and Financial Services Act, requests or directs.

Section 153(1) of the Banking and Financial Services Act provides for the publication of information and prohibits banks from revealing to a third person information regarding the affairs of a customer of a financial service provider that was obtained in the performance of the bank's functions unless lawfully required to do so.

The Data Protection Act

The introduction of the Data Protection Bill before the Parliament of Zambia ('the Parliament') was first approved in 2018 but with no date for enactment being set the passing of the Bill dragged until 2020 when it was reintroduced before Parliament as the Data Protection Bill 2020. Following its presentation before Parliament, the Data Protection Bill underwent the 3-stage legislative process and was assented to by the President on March 23, 2021. On April 1, 2021, the Data Protection Act ('Commencement') Order Statutory Instrument No. 22 of 2021 ('the Commencement Order'), was published in the Government Gazette as appointed by the Minister, which caused the Data Protection Act to enter into effect at that date that the Commencement Order was published in line with Section 1 of the Data Protection Act.

The Data Protection Act is now the primary legislation that regulates data privacy and protection issues in Zambia. The key objectives of this Act are to not only provide for an effective system for the use and protection of personal data but also to regulate the collection, use, transmission, storage, and otherwise processing of personal data. The Act also creates an important office within the Office of the Data Protection Commissioner ('the Office'), whose responsibility it is to oversee all issues concerning data processing and registration of data controllers and licensing of data auditors. More importantly, the Act also provides for the rights of data subjects, and in the same vein, it stipulates the duties of data controllers and data processors.

The Data Protection Act also provides for the protection of personal information that is obtained through electronic transactions. Section 13 provides that a data controller is required to have the express written permission of a data subject for the collection, processing, or disclosure of any information about the data subject unless the exceptions specified under the section apply. However, according to Section 12(1) of the Data Protection Act, a data controller is prohibited from electronically requesting, collecting, or storing personal information that is not necessary for the lawful purpose for which the information is required.

The Data Protection Act places a further obligation on data collectors to disclose in writing to the data subject the purpose for which any personal information is being requested, collected, processed, or stored. In addition, the Data Protection Act places an obligation on the data controller not to use any of the personal information for anything other than the disclosed purpose without the written permission of the data subject. The Data Protection Act also places a requirement on the data controller in instances where personal data is not used for a period of at least one year after permission is granted to keep a record of the personal information and the specific purpose for which the personal information was collected. Additionally, the Data Protection Act provides that a data controller shall not disclose any personal information held by the data controller to a third party unless required or permitted by law or specifically authorized to do so in writing by the data subject. A data controller is further required to keep a record of any third party to whom personal information was disclosed, the date of disclosure, and the purpose for which it was disclosed.

The CSCC Act

Following its presentation before Parliament on February 9, 2021, the bill for the CSCC Act underwent the three-stage legislative process and was assented to by the President on March 23, 2021. On April 1, 2021, the Cyber Security and Cyber Crimes Act (Commencement) Order Statutory Instrument No. 21 of 2021 ('the CSCC Commencement Order') was published in the Government Gazette as appointed by the Minister, which caused the CSCC Act to come into effect at that date that the Commencement Order was published in line with Section 1 of the CSCC Act.

It is important to note that following the repeal and replacement of the Electronic Communications and Transactions Act No. 21 of 2009, provisions dealing with cybersecurity and cybercrime therein have been incorporated into the CSCC Act.

The CSCC Act prohibits the interception of communication. Section 26 provides that any person who intercepts communication commits an offense and is liable upon conviction to imprisonment for a period of 10 years. However, Section 28 of the CSCC Act also grants power to a law enforcement officer to make an application for an interception of a communication order. The application is made ex parte before a judge of the High Court. Said application is made when the law enforcement officer has reasonable grounds to believe that an offense has been committed or is about to be committed and the order is necessary for obtaining evidence of an offense under the CSCC Act. The CSCC Act further permits the interception of communication in order to prevent bodily harm, loss of life, or property damage, or to determine location in cases of emergency. Section 31 of the CSCC Act, however, prohibits the disclosure of intercepted communications.

The CSCC Act also criminalizes the publication of personal information and provides that any person who, with intent to compromise the safety and security of any other person, publishes information or data presented in a picture, image, text, symbol, voice, or any other form in a computer system, commits an offense. The penalty for the commission of this offense is a fine not exceeding 500,000 penalty units (ZMW 150,000 (approx. $5,994) or imprisonment for a period not exceeding five years or both.

In order to ensure the protection of critical information, the CSCC Act mandates the controller to store all critical information on a server or data center located in Zambia. The CSCC Act further states that the Minister may, as prescribed by law in a statutory instrument to be issued, authorize the controller to externalize the critical information outside the Republic.

1.2. Guidelines

The CSCC Act

Following the enactment of the CSCC Act, the Minister on May 14, 2021, issued regulations in the form of a statutory instrument to supplement the operation of the CSCC Act. The Cyber Security and Cyber Crimes (National Cyber Security, Advisory and Coordinating council) Regulations, 2021 S.I. 52 of 2021 ('the Council Regulations') were issued in order to provide for the composition of the National Cyber Security Advisory and Coordinating Council which is provided for under section 7 of the CSCC Act. The Council Regulations include provisions on the composition of the council, tenure, and vacancy of council positions as well as provisions relating to the prohibition of publication or disclosure of information to unauthorized persons that is obtained through matters relating to the council.

The Data Protection Act

After the Data Protection Act entered into effect on April 1, 2021, regulations have since been issued pursuant to section 82 of the Data Protection Act to help with better administration of the Act. The Data Protection (Registration and Licensing) Regulations, 2021 ('the Data Protection Regulations') provide for the registration of organizations that have a specified number of employees to be registered as data controllers, data auditors, and data processors. The Data Protection Regulations provide that any organization dealing in the above is required to be registered with the Office which has the duty to issue certificates to applicants which shall be valid for a period of one year. The Data Protection Regulations further provide for the prescribed forms used for the application process as well as the fees for registration which range from ZMW 50,000 (approx. $1,998) to ZMW 300,000 (approx. $11,988) for the application and ZMW 500 (approx. $19.98) to ZMW 3,000 (approx. $119.88) for the Certificate of Registration.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The ECT Act

The ECT Act does not clarify its personal scope.

The Data Protection Act

The Data Protection Act defines a data subject as an individual from, or in respect of whom, personal information is processed. Although it does not define 'individual,' the Data Protection Act does define personal information as information that identifies a natural person. Therefore, the personal scope of the Data Protection Act is limited to natural persons. The only challenge is the practicality of enforcing this provision which would rely on extradition to bring the offender to face charges.

2.2. Territorial scope

The ECT Act

Zambia's data privacy laws do apply on an extra-territorial basis as Section 100(1) of the ECT Act provides that 'subject to subsection (2), this Act shall have effect in relation to any person, whatever the person's nationality or citizenship, outside as well as within Zambia, and where an offense under the ECT Act is committed by a person in any place outside Zambia, the person shall be dealt with as if the offense has been committed within Zambia.'

The Data Protection Act

The Data Protection Act does not clarify its territorial scope.

2.3. Material scope

The ECT Act

In terms of material, the ECT Act applies in respect of any electronic transaction or data message.

The Data Protection Act

In terms of material scope, the Data Protection Act applies to the processing of personal data performed wholly or partly by automated means and to any processing other than by electronic means. However, the Data Protection Act does not apply to the processing of personal data by an individual for personal use.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The Data Protection Act creates the Office, which is responsible for the regulation of data protection and privacy in the Republic. On June 9, 2023, the Zambia National Broadcasting Corporation, the national news broadcaster, issued a press release announcing the appointment of Mr. Likando Lyuwa as Data Protection Commissioner (the 'Commissioner') under the Data Protection Act.

3.2. Main powers, duties and responsibilities

The main functions of the Office are as set out in Section 4(2) of the Data Protection Act. Said section lists the mandates of the Office as follows:

• register controllers and data processors;

• license data auditors;

• disseminate information and promote the participation of stakeholders in the process of data protection in the Republic;

• advise the Government of Zambia ('the Government') on matters relating to data protection;

• keep and maintain a register of data controllers, data processors, and data auditors;

• represent the Government internationally on matters relating to data protection;

• conduct research and development relating to data protection;

• ensure proper and effective coordination and collaboration with similar regional and international authorities;

• receive and investigate complaints under the Data Protection Act; and

• vary conditions and terms of a license issued under the Data Protection Act.

4. Key Definitions

Data controller: Any person, either alone or jointly with other persons, controls and is responsible for keeping and using personal data on a computer, or in structured manual files, and requests, collects, collates, processes, or stores personal data from or in respect of a data subject (Section 2 of the Data Protection Act).

Data processor: A data processor is a person or a private or public body that processes personal data for and on behalf of and under the instruction of a data controller.

Personal data: Data that relates to an individual who can be directly or indirectly identified from that data which includes a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Sensitive data: Under the Data Protection Act sensitive data has been termed as 'sensitive personal data' and means personal data which by its nature may be used to suppress the data subject's fundamental rights and freedoms and includes:

• the race, marital status, ethnic origin, or sex of a data subject;

• genetic data and biometric data;

• child abuse data;

• a data subject's political opinions;

• a data subject's religious beliefs or other beliefs of a similar nature;

• whether a data subject is a member of a trade union; or

• a data subject's physical or mental health, or physical or mental condition.

Health data: Not applicable.

Biometric data: Personal data resulting from scientific analysis relating to the physical, physiological, or behavioral characteristics of a natural person, which confirms the unique identification of that natural person.

Pseudonymization: Processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, where that additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Data Subject: An individual from, or in respect of whom, personal information is processed (Section 2 of the Data Protection Act).

5. Legal Bases

5.1. Consent

A data controller can process the personal data of a data subject where the data subject has given consent to the processing of their personal data.

5.2. Contract with the data subject

The Data Protection Act entitles a data controller to process personal data where it is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.

5.3. Legal obligations

A data controller under Zambian data protection laws can process the personal data of a data subject where it is acting in compliance with a legal obligation to which it is subject.

5.4. Interests of the data subject

This legal base applies in this jurisdiction as a data controller can process personal data in an instance where it is necessary to protect the vital interests of a data subject or of another natural person.

5.5. Public interest

Data protection laws in Zambia permit a data controller to process information where the processing relates to the performance of a task carried out in the public interest or the exercise of official authority vested in the data controller.

5.6. Legitimate interests of the data controller

This legal base applies in Zambia as the data protection laws allow a data controller to process personal data for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child; or where the processing relates to personal data which is manifestly made public by the data subject.

5.7. Legal bases in other instances

A data controller can process personal information of a data subject without their consent where the processing relates to personal data which is manifestly made public by the data subject.

6. Principles

A controller is responsible for and must be able to demonstrate compliance with a set of core principles that apply to all processing of personal data. Under these principles, personal data must be (Section 12 of the Data Protection Act):

• processed lawfully, fairly, and in a transparent manner (transparency principle);

• collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle);

• adequate, relevant, and limited to what is necessary in relation to the purpose(s) for which it is processed (data minimization principle);

• accurate and where necessary kept up to date with every reasonable step taken to ensure that any inaccurate personal data is erased or rectified without delay (accuracy principle);

• stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (storage limitation principle);

• processed in accordance with the rights of a data subject; and

• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against any loss, destruction, or damage, using appropriate technical and organizational measures (confidentiality principle).

7. Controller and Processor Obligations

7.1. Data processing notification

The Data Protection Act makes it mandatory for any person who intends to process personal data to apply to the Office for registration as a data controller or data processor. This is in line with Section 19(1) of the Data Protection Act which prohibits the controlling or processing of personal data without registration.

7.2. Data transfers

The Data Protection Act under Section 70(1) sets a general restriction on cross-border transfers of personal data. It specifically provides that a data controller shall process and store personal data on a server or data center located in the Republic. However, it does give an exception where the Minister has prescribed that certain categories of personal data may be stored outside the Republic. Further, transfers of personal data by a controller or a processor to countries outside of the Republic are only permitted where the conditions laid down in Section 71 of the Data Protection Act are met. The Section lists the following context-specific situations where a transfer can be made, that is:

• where the data subject has consented, and the transfer is made subject to standard contracts or intragroup schemes that have been approved by the Office, or the Minister has prescribed that transfers outside the Republic is permissible, or the Office approves a particular transfer or set of transfers as permissible due to a situation of necessity;

• in case of an emergency, to a particular person or entity engaged in the provision of health services or emergency services;

• where the data subject has explicitly consented to that transfer of sensitive personal data; and

• to a particular international organization or country that complies with subsection (1)(a)(ii), where the Office is satisfied that the transfer or class of transfers is necessary for any class of data controllers or data subjects and does not hamper the effective enforcement of the Data Protection Act.

It is worth noting that the Data Protection Act does have a localization requirement concerning sensitive data as it provides that sensitive personal data shall be processed and stored in a server or data center located in the Republic (Section 70(3)).

7.3. Data processing records

Data controllers or processors are required to keep data processing records as per Section 45 of the Data Protection Act. The Section specifically requires a data controller to keep and maintain, in writing, a record of processing activities and metadata under its responsibility in the prescribed manner and form, as well as all categories of processing activities carried out in the prescribed manner and form.

7.4. Data protection impact assessment

A data controller is mandated to carry out a Data Protection Impact Assessment ('DPIA'), where a type of processing uses new technologies and which, taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of an individual. The DPIA shall be carried out prior to the processing and must assess the impact of the envisaged processing operations on the protection of personal data.

A DPIA is triggered where:

• a systematic and extensive evaluation of personal aspects relating to a natural person which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect that natural person;

• processing on a large scale of sensitive personal data, of personal data relating to criminal convictions and offenses; or

• a systematic monitoring of a publicly accessible area on a large scale.

7.5. Data protection officer appointment

The Data Protection Act requires the appointment of a data protection officer by a data controller and data processor (Section 48(1) of the Data Protection Act). However, the appointment is subject to the guidelines of appointment issued by the Office (Section 48(2) of the Data Protection Act).

7.6. Data breach notification

The Data Protection Act contains a general requirement for a personal data breach to be notified by the controller to the Office, and the affected data subjects. The Data Protection Act stipulates that the Office must be notified within 24 hours of any security breach affecting personal data processed. It also provides that the data subject should be notified as soon as practicable. The Data Protection Act places an obligation on a data processor to notify the data controller as soon as practicable of any security breach affecting personal data processed on behalf of the data controller.

7.7. Data retention

The Data Protection Act sets conditions for the retention of personal data under Section 51, wherein it states that a data controller and data processor shall keep personal information for as long as that personal information is used for the specific purpose for which the personal information was collected and for as long as the personal information is relevant for that purpose and for a period of at least one year thereafter or another period that may be prescribed.

It further requires a data controller and a data processor to keep a record of the process and a record of the purpose for which the personal information was collected and third parties to whom and when the personal information was disclosed.

7.8. Children's data

The law specifically regulates the processing of children's data under Section 17 of the Data Protection Act, which stipulates that where a data subject is a child or a vulnerable person, that data subject's right may be exercised by that data subject's parents, legal guardian, or a person exercising parental responsibility as the case may be. The Data Protection Act further prohibits the processing of children's personal data unless consent is given by the child's or vulnerable person's parent, legal guardian, or a person exercising parental responsibility. Additionally, a data controller is required to incorporate appropriate mechanisms for age verification and parental consent in the processing of the personal data of a child. It is worth noting that the Data Protection Act places the responsibility of verifying that consent has been given to the data controller.

7.9. Special categories of personal data

Where special categories of data are intended to be processed, the Data Protection Act requires that a DPIA is carried out where the processing is on a large scale and relates to sensitive personal data, or personal data relating to criminal convictions.

7.10. Controller and processor contracts

Section 52 of the Data Protection Act requires that processing by a data processor should be governed by a contract that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, and categories of data subjects, the obligations and rights of the controller, and any other matter, as prescribed.

8. Data Subject Rights

8.1. Right to be informed

A data subject has the right to be notified of all third parties to whom that data subject's personal data has been disclosed and the measures put in place to safeguard the personal information of that data subject.

8.2. Right to access

A data subject is entitled to request access to and obtain a copy of their personal data, together with prescribed information about why and how the personal data may have been processed by the controller.

8.3. Right to rectification

Data subjects are entitled to require inaccurate or incomplete personal data to be corrected or completed as soon as practicable.

8.4. Right to erasure

Data subjects may request the erasure of their personal data. The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they collected it or otherwise lawfully processed, or as a consequence of the successful exercise of the right to object to the processing of the data subject's personal data, or of the withdrawal of consent.

8.5. Right to object/opt-out

Data subjects have the right to object to the processing of that data subject's personal data. Data controllers will then have to stop processing the data unless they are permitted to process the data by any written law, as such an instance overrides the rights of the data subject. Additionally, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

8.6. Right to data portability

Where a data subject requests their personal information from a data controller, they have a right to receive that personal data in a structured, commonly used, machine-readable, or otherwise legible format and may transmit that data to another data controller. A further, right is that a data subject has a right to request the direct transfer of their personal data from one data controller to another where technically or otherwise feasible.

8.7. Right not to be subject to automated decision-making

A data subject is entitled to not be subjected to automated decision-making including profiling which produces legal effects concerning the data subject or similarly affects the data subject. However, automated decision-making is only permitted where:

• necessary for entering into or performing a contract between the data subject and data controller;

• authorized by any written law; or

• the data subject has given their explicit consent.

Further, where automated decisions are made on the basis of the grounds above, the data subject has the right to obtain human intervention on the part of the data controller, to contest the decision, and to express the data subject's point of view. Further safeguards for automated decisions are provided in respect of sensitive personal data. Section 63(4) of the Data Protection Act provides that sensitive personal data shall not be processed by automated means unless:

• the data subject expressly consents to the processing;

• the processing is in the public interest; or

• the processing is permitted by any written law and suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests are in place.

8.8. Other rights

Right to restriction of processing

Data subjects enjoy a right to restrict the processing of their personal data in well-defined circumstances. These include where the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data, where the data controller no longer needs the personal data for processing save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested pending the verification of whether the legitimate grounds override those of the data subject.

9. Penalties

General penalties under the Data Protection Act include:

• a fine not exceeding three 100,000 penalty units (ZMW 30,000 (approx. $1,198.75)) or to imprisonment for a term not exceeding three years, or to both; and

• forfeiture where there has been a conviction for any of the offenses under the Data Protection Act and the power is given to the court to pronounce the forfeiture of the medium containing the personal data to which the offense relates.

9.1 Enforcement decisions

Not applicable.