Despite sustained pushback from civil society and digital rights groups, Zambia has enacted sweeping cyber laws that threaten fundamental freedoms under the guise of countering terrorism and cybercrime.
This statement was originally published on cipesa.org on 19 May 2025.
In April 2025, the Zambian Parliament enacted two laws – the Cyber Security Act, 2025, and the Cyber Crimes Act, 2025 – which pose significant threats to digital rights and civil liberties in the country.
Despite significant concerns raised by civil society and digital rights advocates, including the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) and Bloggers of Zambia, the two laws were passed with minimal revisions, leaving intact several provisions that undermine fundamental freedoms, including the right to privacy, freedom of expression, access to information, assembly and association.
Last December, CIPESA and Bloggers of Zambia submitted to the parliament a detailed analysis highlighting critical human rights concerns with the two proposed laws. The concerns include the overly broad surveillance powers and the weak oversight mechanisms that provide latitude for wantonly interfering with individuals’ rights.
Broadly Worded and Vague Definitions
The laws are riddled with broadly worded and vague definitions. Terms such as “law enforcement officer,” “critical information,” “critical information infrastructure,” “internet connection record,” and “call-related information” are so vague that they risk being interpreted to serve the interests of those in power. There is also a high risk they could be weaponised to target government opponents, critics, journalists and online activists.
For instance, the expansive definition of “critical information” refers to computer data that relates to a broad range of areas, including public safety, public health, economic stability, national security, international stability and the sustainability and restoration of critical cyberspace, providing authorities with a carte blanche to monitor and control information flow.
Similarly, the definition of “law enforcement officer” extends beyond traditional roles to include officers from the Anti-Corruption Commission, Drug Enforcement Commission and even individuals designated by the President. This expansion raises concerns about accountability, particularly as these officers can apply for communication interception orders ex parte (without notifying the target), thereby denying affected parties the right to contest such actions. This dangerously expands the scope of surveillance without meaningful judicial oversight or accountability.
Oversight and Accountability Concerns
Section 4 of the Cyber Security Act establishes the Zambia Cyber Security Agency under the general direction of the President. This arrangement can undermine the agency’s independence and increase the risk of political interference in its operations. The agency’s mandate, which includes regulating service providers, coordinating cybersecurity responses, and auditing information systems, requires robust oversight mechanisms, which are glaringly absent in the law.
Similarly, the establishment of the Central Monitoring and Coordination Centre under section 21 (Part V) of the Cyber Security Act, with powers to lawfully intercept communications, raises red flags. Section 21 grants this body sweeping authority without creating adequate checks and balances. The lack of robust judicial oversight and transparency mechanisms raises alarms about privacy violations, which would contravene Zambia’s constitution and international human rights instruments.
Risk of Abuse and Shrinking Civic Space
The two new laws are an addition to a catalogue of restrictive laws, regulations and policies that control the enjoyment of civil liberties in online spaces. For instance, in 2021, the government ordered restrictions on social media platforms such as WhatsApp, Facebook, Twitter, and Instagram during the general elections. With general elections due in August 2026, the passage of these laws fuels fears of heightened controls, intensified censorship, surveillance, and clampdowns on civic actors.
Section 39 of the Cyber Security Act requires electronic communications service providers to install systems that can facilitate real-time interception of communications. These provisions can enable real-time surveillance of individuals’ private communication. Such provisions can be misused by the government, unscrupulous individuals and other unauthorised persons to snoop on individuals’ private communications, particularly since the laws do not provide for adequate oversight over surveillance.
Section 22 of the Cyber Crimes Act criminalises vague offences such as the use of digital platforms for harassment or humiliation, terms that are open to subjective interpretation and could be used to suppress legitimate speech, including criticism of public officials. It also reintroduces aspects of defamation which have attracted wide calls for decriminalisation, including by the African Commission on Human and Peoples’ Rights. In 2022, Zambia had shown progress when plans to decriminalise defamation were revealed. Defamation has been widely employed to arrest and prosecute government critics and opponents in the country.
The enactment of these laws highlights a disturbing trend across Africa, where cyber laws are increasingly being used to curtail democratic participation rather than protect citizens from cyber threats. The overreach seen in Zambia’s laws mirrors similar patterns in other countries, where digital regulation is co-opted for political control.
The history of elections in Africa has further shown the elevation of controls over the civic space, including online spaces, to curtail speech, engagements and participation for civil society organisations (CSOs), human rights defenders (HRDs), journalists, bloggers and other online activists including through enhanced surveillance. The developments in Zambia raise fears of similar occurrences of high-handed control.
Zambia’s parliament should get back on the drafting table and ensure that the two new laws are aligned with regional and international human rights standards, including the African Charter on Human and Peoples’ Rights, the African Union Convention on Cybercrime and Personal Data Protection, and the Declaration of Principles on Freedom of Expression and Access to Information in Africa.
- Overbroad criminal provisions should be expunged from the laws or narrowed.
- Oversight mechanisms should be strengthened to ensure independence and accountability in surveillance activities.
- All responsible parties, including enforcement and judicial officials, should be trained and their capacities built to ensure application of the laws within the acceptable human rights standards including legality and proportionality.
- Zambia should ensure compliance with data protection and privacy standards in implementation of the laws to avoid overlaps and wanton infringements.
As Zambia prepares for its 2026 general elections, it is vital that cybersecurity and cybercrime measures do not become tools for political repression. Instead, they should serve to protect users, enhance trust in digital systems, and uphold the rights and freedoms guaranteed to all.
