In April 2025, the Zambian Parliament enacted the Cyber Security Act and the Cyber Crimes Act of 2025 (the Acts), a legislative package intended to address rising cyber threats and promote digital safety. These Acts were developed and deliberated upon with minimal transparency and public participation. While the Global Network Initiative (GNI) acknowledges Zambia’s efforts to strengthen its digital infrastructure and tackle cybercrime, the substance of these laws raise serious concerns to the freedom of expression, access to information and privacy of its citizens and others in the country.
These Acts were signed into law by Zambia’s President, Hakainde Hichilema, on April 8, 2025. Many citizens only became aware of the legislation following a U.S. Embassy social media advisory warning of intrusive provisions. This lack of transparency contradicts President Hichilema’s earlier promises to reform Zambia’s digital laws through inclusive dialogue with civil society.
At a broad level, the Acts collectively establish certain institutional structures like the Cyber Security Agency and Cyber Incident Response Teams, in an effort to develop national capacity to respond to cyber threats. The Acts collectively also introduce provisions against emerging cyber offences including identity-related fraud, cyber terrorism, attacks on Critical Information Infrastructure and non-consensual sharing of intimate content. While these steps are aligned with efforts to improve digital resilience, without adequate oversight, accountability frameworks and clear definitions of the terms, the same laws are likely to become tools for repression and suppressing dissent.
To this end, GNI adds its voice to the many local and international civil society alliances who have mobilized to oppose this legislation on the basis that (1) it causes a chilling effect to freedom of expression and access to information, (2) imposes overbroad and opaque surveillance powers without adequate oversight and data protection, and (3) casts a wide net through vague terms leaving room for abuse of power.
Sections of the Cyber Crimes Act criminalize unclarified and vague categories of speech, such as section 22, on the publication of “false information” that causes “public ridicule” or “damage to reputation.” Section 44 of the Cyber Crimes Act also penalizes the disclosure of “critical information” without authorization but fails to define what constitutes critical information or offer public interest exemptions.
These provisions are incompatible with African regional human rights standards which state that criminal defamation laws violate freedom of expression. Such provisions are also likely to discourage whistleblowing and shield public officials from accountability. In addition, they also risk being used to suppress investigative journalism and stifle dissenting opinions by citizens. This risk is especially acute in politically sensitive contexts, given that social media and messaging apps have been blocked in the context of previous elections.
Section 22 of the Cyber Security Act allows for real-time surveillance and interception of communications without sufficient procedural checks. The Act grants authority for these sweeping surveillance powers to a wide array of state actors, including law enforcement officers, the Drug Enforcement Commission, Anti-Corruption Commission, and alarmingly, individuals designated by the President. These individuals can obtain interception orders ex parte without notifying or allowing the subject to contest such actions.
The Cyber Security Agency set up under this Act is placed directly under the control of the President, raising serious concerns about its independence and scope for misuse. There are no additional judicial safeguards or mandatory transparency reporting requirements, such as public disclosures of how often surveillance powers are used and under what justifications.
The definition of “cybercrime” in the Acts is excessively broad. Combined with open-ended terms such as “false information,” “critical information,” and “public embarrassment,” this vagueness can lead to arbitrary enforcement.
Additionally, Section 24 of the Cyber Crimes Act criminalizes online communication that may cause another person to experience “emotional distress.” Such clauses are ripe for misuse because they can be subjectively interpreted and inconsistently applied. The lack of precise criteria in such terms leaves room for misuse against legitimate expression.
Legislative Process and Regional Trends
The legislation was first tabled in November 2024, but its passage was deferred due to widespread criticism from civil society. Concerns included the absence of comprehensive data protection, and the risk of undermining due process. These concerns were not meaningfully addressed before final enactment.
This mirrors a growing trend across sub-Saharan Africa where cybersecurity laws are deployed not to protect citizens, but to consolidate state power and limit digital freedoms. As the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) notes, similar digital repression tactics have appeared in Tanzania, Uganda, and Nigeria, where cyber laws are increasingly used to justify surveillance and prior-censorship.
Recommendations for Reform
The enactment of the Cyber Security Act, 2024, and Cyber Crimes Act, 2024, marks a pivotal moment for digital rights in Zambia. Though ostensibly crafted to safeguard cyberspace, these laws threaten fundamental freedoms, facilitate unchecked surveillance, and create legal tools for political repression. GNI’s Content Regulation and Human Rights Policy Brief (CRPB) analyzes more than 20 such governmental initiatives that claim to address various forms of digital or cyber harms. The brief offers practical guidance for governments and other stakeholders on how to formulate and implement content regulations that are effective, fit-for-purpose, and enhance and protect the rights to freedom of expression and privacy.
GNI calls on the Zambian Government to repeal the Acts in their current form and commit to a transparent, inclusive review process grounded in democratic values and consistent with international human rights principles on freedom of expression and privacy.
GNI urges the Government of Zambia to:
Digital laws must protect, not endanger, the rights of their citizens, journalists, and civil society. GNI urges the Zambian Government to consider these recommendations and remains committed to leverage its global and multi-stakeholder community to engage in positive dialogue with the legislators of Zambia. We remain open to engaging in and helping to facilitate any such engagements.
About GNI
The Global Network Initiative (GNI) is the leading multistakeholder forum for accountability, shared learning, and collective advocacy on government and company policies and practices related to technology and human rights. GNI is a membership organization comprising over 100 academics, civil society organizations, investors, and technology companies. We have members on every populated continent, with nearly one-third based in the majority world.
GNI brings together more than 100 prominent academics, civil society organizations, information and communications technology (ICT) companies, and investors from around the world. Over the last several years, GNI has reviewed, commented on, and helped shape a range of “online safety” bills across several jurisdictions.