The article was republished with consent from Tech Policy Press.
The convergence of the global digital rights community in Lusaka for the 2026 RightsCon summit, the first to be held in Southern Africa, was to provide a timely backdrop to assess whether Zambia’s recently enacted cyber legislation meets international human rights benchmarks. In anticipation of that, Global Network Initiative (GNI) published a new Country Legal Framework Report on Zambia providing an overview of the legislation with particular regard to access to user data and restrictions on communications by state authorities.
The abrupt and mysterious decision by the Zambian government to “postpone” RightsCon just days before it began, in order to “ensure full alignment with Zambia’s national values, policy priorities, and broader public interest considerations,” underscores the broader governance context in which this legal framework sits and serves as a timely reminder of the unpredictable policy environment within which these laws are applied. This post sheds light on the political and operational context of these laws in order to leverage the advocacy opportunity provided by RightsCon’s unfortunate cancellation.
Zambia’s journey to a legislative framework for the online environment has been neither linear nor without controversy. In March 2021, Parliament adopted the Cyber Security and Cyber Crimes Act following a swift and limited consultative process, one that drew criticism from civil society organizations, legal practitioners, and digital rights advocates. Soon after the Act was passed, Chapter One Foundation and four other civil society organizations filed a petition in the High Court challenging the constitutionality of several provisions of the Act, citing serious concerns about their compatibility with Zambia’s Bill of Rights.
Responding to those concerns, the United Party for National Development (UPND) government, which took office in August 2021, committed to amending the Act. That reform culminated in the Cyber Security Act No. 3 of 2025 and the Cyber Crimes Act No. 4 of 2025. These laws now form the primary legal framework governing digital communications, lawful interception, and cybercrime in Zambia.
Zambia’s Constitution guarantees the right to privacy, freedom of expression, and press freedom. While these rights are not absolute, limitations must be lawful, reasonably justifiable in a democratic society, and pursue legitimate aims. Zambia is also a state party to the International Covenant on Civil and Political Rights (ICCPR), the African Charter on Human and Peoples’ Rights, and the African Union’s Malabo Convention on Cyber Security and Personal Data Protection, each of which includes requirements that legislation, including cyber legislation, does not infringe rights such as privacy, freedom of expression, and freedom of association.
The principal concerns arising from the 2025 Acts fall into three categories: the scope of surveillance and interception powers, overbroad restrictions on expression, and institutional independence.
The Cyber Security Act establishes a Central Monitoring and Coordination Center as the sole facility through which lawful interceptions of communications are effected. The Act also establishes a Cyber Security Agency under the general direction of the President of Zambia.
Section 29 of the Act requires law enforcement officers to obtain an ex-parte order from a High Court judge before intercepting communications, grounded on reasonable belief that an offense has been, is being, or is likely to be committed. On its face, this judicial oversight mechanism is a meaningful safeguard.
However, the framework contains significant gaps. Section 30 permits warrantless, oral interception requests where law enforcement officers believe there is an imminent threat to life or property, without requiring subsequent judicial authorization; only the retrospective submission of an affidavit to a judge within 48 hours is required. The emergency geolocation provision in Section 32 is similarly broad, applying where there is a “potential or actual threat to national security” or where “property is likely to be damaged,” definitions wide enough to encompass ordinary civil unrest or minor incidents.
Critically, the Acts contain no provisions governing the examination, storage, or destruction of data obtained through interceptions, a significant gap by international standards. The Data Protection Act No. 3 of 2021 provides some residual protection, requiring that data collected in the course of criminal investigations be retained only as long as proportionately necessary and processed securely. However, broad national security exemptions in the Data Protection Act limit the practical force of these protections.
The definition of “law enforcement officer” further undermines privacy protections as it extends, under both Acts, to any person designated by the President. The unchecked presidential appointment power strips law enforcement of the independence necessary to prevent politically motivated surveillance.
Section 22 of the Cyber Crimes Act prohibits the use of computers or computer systems to publish material that is “obscene, vulgar, lewd, lascivious or indecent” with the intent to humiliate or harass and further criminalizes the dissemination of information known to be false that damages a person’s reputation or subjects them to “public ridicule, contempt, hatred or embarrassment.” While the protection of individuals from online harassment is a legitimate aim, the vagueness of these terms grants law enforcement wide interpretive latitude.
The UN Human Rights Committee’s General Comment 34 clarifies that restrictions on expression must be formulated with sufficient precision to enable individuals to regulate their conduct, and must not confer unfettered discretion on those charged with enforcement. The criminal defamation provision is inconsistent with calls from both the UN Human Rights Council and the African Commission on Human and Peoples’ Rights to repeal criminal defamation laws in favor of civil remedies.
Section 21 of the Cyber Crimes Act prohibits any person from disclosing the existence of an investigation order, including individuals whose communications are the subject of such an order, and raises further expression concerns. As drafted, this non-disclosure obligation can apply to ordinary users, journalists, and activists, chilling legitimate speech and undermining access to legal remedies.
Article 20(2) of Zambia’s Constitution expressly protects the freedom of the press. Yet several provisions of the new cyber laws pose tangible risks to journalism and investigative reporting. The broad definition of “interception,” covering any act of listening, viewing, reading, or recording a private communication without knowledge of the parties, in real time or otherwise, does not contain exceptions for legitimate journalistic activity or whistleblowing conducted in the public interest.
The Public Interest Disclosure (Protection of Whistleblowers) Act of 2010 offers some shield to those making disclosures through formal investigating authorities. However, the interaction between this protection and the sweeping interception and disclosure prohibitions under the cyber laws is unclear, creating legal uncertainty for journalists who may record conversations in the course of their work or who receive leaked information.
The mandatory assistance provisions, which require any person with knowledge of a computer system to assist law enforcement upon request, regardless of whether they are a suspect, similarly expose journalists and their sources to coercive disclosure demands, without adequate privilege protections.
The constitutionality of Zambia’s cyber legislation is an active legal question. In July 2025, the Law Association of Zambia (LAZ) filed a suit in the High Court challenging several provisions of the Cyber Crimes Act No. 4 of 2025. The petition challenges, among other things, provisions relating to disclosure and collection of traffic data, broad search and seizure powers, and mandatory assistance. The petition follows in the tradition of the 2021 action filed against the original Cyber Security and Cyber Crimes Act, which ultimately contributed to the government’s decision to repeal and replace that legislation. The outcome of the current petition will be significant: a ruling that strikes down or reads down key provisions could compel legislative revision, while a ruling favorable to the government could harden the current framework for the foreseeable future.
Companies operating in Zambia, such as internet service providers, should monitor this litigation closely, as judicial guidance on the constitutionality of interception orders, non-disclosure provisions, and mandatory assistance obligations will directly affect their legal exposure and compliance obligations.
The enactment of the Cyber Security Act and Cyber Crimes Act was aimed at addressing the shortfalls of the Cyber Security and Cyber Crimes Act of 2021. Some problematic provisions, including those criminalizing “hate speech” and content that “tends to corrupt morals,” were removed. However, the gap between constitutional aspiration and legislative reality remains substantial.
Interception powers must be grounded in clearly defined criteria, subject to meaningful independent judicial oversight, and accompanied by robust data retention and destruction protocols. Presidential appointment of law enforcement officers should be removed and replaced with statutory, merit-based processes. Vague offenses relating to expression should be repealed or substantially narrowed, with clear, unambiguous definitions provided for remaining offenses. Non-disclosure obligations should be limited to law enforcement and telecommunications providers and should not extend to individuals whose communications are subject to investigation.
The flaws in this framework mean that companies operating in Zambia must exercise heightened vigilance in responding to government requests for data and communications access, carefully assess the legal thresholds required before complying with interception orders, and engage with civil society and regulatory stakeholders as Zambia’s legal framework continues to evolve. For academic and civil society actors, the pending litigation creates a critical window for advocacy, and its outcome will shape the landscape for both rights holders and responsible businesses operating in Zambia’s digital space.
All stakeholders, especially (and unfortunately) those who planned to attend RightsCon this year, should be aware of this framework and use the current circumstances as an opportunity to engage with local actors to push for the strengthening of human rights safeguards.