Pursuant to Art. 10.1 of the Information and Communication Technology Law No. 15 of 2009, the Authority issues the following licenses: (i) Network License: allows for the construction, ownership or provision of an electronic communications network, or the provision of network services; and (ii) Service License: allows for the provision of one or more electronic communications services. Licensees must ensure that all applications submitted comply with the provisions of the 2017 Licensing Guidelines. Statutory Instrument No. 11 establishes a minimum share capital requirement for private telecommunications companies of ZMW 15,000 (approximately USD 860). The licensing requirements include the technical and financial capability of the applicant, a comprehensive business plan, company information on shareholders, relevant company registration documentation, a list of directors, place of domicile and tax clearance, technical plan, roll-out plan, network diagrams and explanations, target customers, pricing for products and services, financial projects, anticipated capital expenditure, value proposition, among others. There are complaints about the licensing process. On the one hand, it is reported that foreign investors in the telecom sector are required to disclose certain proprietary information to the Zambia Development Agency (ZDA) as part of the regulatory approval process. On the other, it is reported that prospective mobile service provider Uzi Mobile stated that licensing issues contributed to its decision to withdraw from Zambia in 2020.

Zambia has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the Zambia Information and Communications Technology Authority (ZICTA), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Section 18 of the Cyber Security and Cyber Crimes Act imposes a local processing obligation requiring controllers of critical information to store such data on servers or data centres situated within Zambia, subject only to limited ministerial authorisation for externalisation. The scope of this obligation is clarified in Sections 2 and 17, which define critical information as data declared by the Minister to be essential for national security or the economic and social well-being of the Republic, and critical information infrastructure as cyber infrastructure indispensable to vital services such as public safety, economic stability, and national security.

According to Section 70.3 of the Data Protection Act, sensitive personal data must be processed and stored in a server or data centre located in the Republic. Sensitive personal data is defined in Section 2 of the Act as personal data which by its nature may be used to suppress the data subject’s fundamental rights and freedoms and includes the race, marital status, ethnic origin, or sex of a data subject; genetic data and biometric data; child abuse data; a data subject’s political opinions; a data subject’s religious beliefs or other beliefs of a similar nature; whether a data subject is a member of a trade union; or a data subject’s physical or mental health, or physical or mental condition.
Section 14 of the Act prohibits the processing of sensitive personal data unless it is necessitated by a legal claim or judicial function in court, in the context of health service provision, or for reasons of public interest. In health service provision, the law requires that data be processed by or under the responsibility of a professional, subject to secrecy and other obligations imposed by any law or professional bodies regulating them. Data processed to serve the public interest can only be processed where adequate measures to safeguard the rights and freedoms of the data subject have been put in place.

Section 71.1 of the Data Protection Act allows for the transfer of personal data outside Zambia, except sensitive personal data, on condition that:
- The data subject has consented, and the transfer is made subject to standard contracts or intra-group schemes that the Data Protection Commissioner has approved, or the Minister has prescribed for the transfer outside the Republic to be permissible.
- The Data Protection Commissioner approves a particular transfer or set of transfers as permissible due to a situation of necessity.
Consideration by the Minister to sanction the cross-border transfer of personal data is based on the adequate level of protection, having regard to the applicable laws and international agreements in the destination country; and that the enforcement of data protection laws by authorities with appropriate jurisdiction is effective (Section 71.2).

Zambia has not joined any free trade agreement committing to open transfers of cross-border data flows.

The Data Protection Act No. 3 provides a comprehensive regime of data protection in Zambia. The key objectives of this Act are to not only provide for an effective system for the use and protection of personal data but also to regulate the collection, use, transmission, storage, and otherwise processing of personal data. The Act also creates an important office within the Office of the Data Protection Commissioner, whose responsibility it is to oversee all issues concerning data processing and registration of data controllers and licensing of data auditors. More importantly, the Act also provides for the rights of data subjects and in the same vein, it stipulates the duties of data controllers and data processors.
In addition, the Data Protection (Registration and Licensing) Regulations, 2021, contained in Statutory Instrument No. 58 of 2021, were issued on 14 May 2021 by the Minister of Transport and Communications in the exercise of the powers established by Section 82 of the Data Protection Act. Moreover, related issues such as cybercrime and electronic communications are governed by legislation such as the Electronic Communications and Transactions Act No. 4 of 2021 (the ECT Act) and the Information and Communications Technologies Act No. 15 of 2009. The Zambia Information and Communications Technology Authority supervises the application of the ECT Act. Lastly, Art. 17 of the Constitution provides that no person can be subject to the search of their person or property or entry by others on their premises without their consent and further provides exceptions to this right.

Section 50 of the Banking and Financial Services Act provides that a financial service provider shall retain a register or record for a period of at least ten years. Section 52 deals with the maintenance of records, and Section 48 with credit documentation.

According to Art. 51 of the Data Protection Act, a data controller and data processor must retain personal information for as long as it is used for the specific purpose for which it was collected. Additionally, the information must be kept for a period of at least one year thereafter or for any other period that may be prescribed as long as it remains relevant to that purpose.

Zambia has not signed the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.

Zambia has no rules applicable to the protection of trade secrets.

It is reported that there is an obligation for passive infrastructure sharing in Zambia to deliver telecom services to end users. It is practised in both the mobile and fixed sectors based on commercial agreements.

It is reported that the Zambia Development Agency (ZDA) Board conducts mandatory screening of all foreign investments. Investment applications undergo thorough due diligence to assess factors such as job creation, human resource development, the project's export orientation, its potential environmental impact, the extent of technology transfer, and any other considerations deemed relevant by the Board.

Zambia is a party to the Patent Cooperation Treaty (PCT).