ZAMBIA
Since March 2021
Pillar Cross-border data policies
Indicator Ban to transfer and local processing requirement
Data Protection Act, 2021 (No. 3 of 2021)
According to Section 70.3 of the Data Protection Act, sensitive personal data must be processed and stored in a server or data centre located in the Republic. Sensitive personal data is defined in Section 2 of the Act as personal data which by its nature may be used to suppress the data subject’s fundamental rights and freedoms and includes the race, marital status, ethnic origin, or sex of a data subject; genetic data and biometric data; child abuse data; a data subject’s political opinions; a data subject’s religious beliefs or other beliefs of a similar nature; whether a data subject is a member of a trade union; or a data subject’s physical or mental health, or physical or mental condition.
Section 14 of the Act prohibits the processing of sensitive personal data unless it is necessitated by a legal claim or judicial function in court, in the context of health service provision, or for reasons of public interest. In health service provision, the law requires that data be processed by or under the responsibility of a professional, subject to secrecy and other obligations imposed by any law or professional bodies regulating them. Data processed to serve the public interest can only be processed where adequate measures to safeguard the rights and freedoms of the data subject have been put in place.
Coverage Horizontal
Sources
- https://web.archive.org/web/20221031163606/https://www.parliament.gov.zm/sites/default/files/documents/acts/Act%20No.%203%20The%20Data%20Protection%20Act%202021_0.pdf
- https://web.archive.org/web/20231204041421/https://www.parliament.gov.zm/node/8853
- https://web.archive.org/web/20231211003501/https://www.trade.gov/country-commercial-guides/zambia-ecommerce
ZAMBIA
Since March 2021
Pillar Cross-border data policies
Indicator Conditional flow regime
Data Protection Act, 2021 (No. 3 of 2021)
Section 71.1 of the Data Protection Act allows for the transfer of personal data outside Zambia, except sensitive personal data, on condition that:
- The data subject has consented, and the transfer is made subject to standard contracts or intra-group schemes that the Data Protection Commissioner has approved, or the Minister has prescribed for the transfer outside the Republic to be permissible.
- The Data Protection Commissioner approves a particular transfer or set of transfers as permissible due to a situation of necessity.
The Minister's decision to sanction the cross-border transfer of personal data is based on whether the destination country offers an adequate level of protection, having regard to its applicable laws and international agreements, and on whether data protection laws are effectively enforced by authorities with appropriate jurisdiction (Section 71.2).
Coverage Horizontal
ZAMBIA
N/A
Pillar Cross-border data policies
Indicator Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
Zambia has not joined any free trade agreement committing to open transfers of cross-border data flows.
Coverage Horizontal
ZAMBIA
Since March 2021
Pillar Domestic data policies
Indicator Framework for data protection
Data Protection Act, 2021 (No. 3 of 2021)
The Data Protection Act No. 3 provides a comprehensive regime of data protection in Zambia. The key objectives of this Act are not only to provide an effective system for the use and protection of personal data but also to regulate the collection, use, transmission, storage, and other processing of personal data. The Act also creates an important office within the Office of the Data Protection Commissioner, whose responsibility it is to oversee all issues concerning data processing, the registration of data controllers, and the licensing of data auditors. More importantly, the Act also provides for the rights of data subjects and, in the same vein, stipulates the duties of data controllers and data processors.
In addition, the Data Protection (Registration and Licensing) Regulations, 2021, contained in Statutory Instrument No. 58 of 2021, were issued on 14 May 2021 by the Minister of Transport and Communications in the exercise of the powers established by Section 82 of the Data Protection Act. Moreover, related issues such as cybercrime and electronic communications are governed by legislation such as the Electronic Communications and Transactions Act No. 4 of 2021 (the ECT Act) and the Information and Communications Technologies Act No. 15 of 2009. The Zambia Information and Communications Technology Authority supervises the application of the ECT Act. Lastly, Art. 17 of the Constitution provides that no person can be subject to the search of their person or property or entry by others on their premises without their consent and further provides exceptions to this right.
Coverage Horizontal
Sources
- https://web.archive.org/web/20240127132253/https://www.parliament.gov.zm/sites/default/files/documents/acts/Act%20No.%203%20The%20Data%20Protection%20Act%202021_0.pdf
- https://unctad.org/page/cyberlaw-tracker-country-detail?country=zm
- https://web.archive.org/web/20230926233247/https://www.dataguidance.com/notes/zambia-data-protection-overview
ZAMBIA
Since May 1994
Pillar Domestic data policies
Indicator Minimum period for data retention
Banking and Financial Services Act, 1994
Section 50 of the Banking and Financial Services Act provides that a financial service provider shall retain a register or record for a period of at least ten years. Section 52 deals with the maintenance of records, and Section 48 with credit documentation.
Coverage Financial services
ZAMBIA
Since March 2021
Pillar Domestic data policies
Indicator Minimum period for data retention
Data Protection Act, 2021 (No. 3 of 2021)
According to Art. 51 of the Data Protection Act, a data controller and data processor must retain personal information for as long as it is used for the specific purpose for which it was collected. Additionally, the information must be kept for a period of at least one year thereafter or for any other period that may be prescribed as long as it remains relevant to that purpose.
Coverage Horizontal
ZAMBIA
Since March 2021, entry into force in April 2021
Pillar Domestic data policies
Indicator Minimum period for data retention
Cyber Security and Cyber Crimes Act, 2021 (No. 2 of 2021)
According to Section 10 of the Cyber Security and Cyber Crimes Act 2021, when a data retention notice is issued requiring an electronic communications service provider to retain internet connection records, the notice will specify the exact data to be retained. The service provider is not obligated to retain data beyond what is detailed in the retention notice.
Section 39 of the Cyber Security and Cyber Crimes Act 2021 mandates that an electronic communications service provider must obtain from subscribers information including the person's full name, residential address, and identity number as stated in their identity document before entering into a service contract.
Coverage Telecommunications sector
ZAMBIA
Since March 2021
Pillar Domestic data policies
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Data Protection Act, 2021 (No. 3 of 2021)
According to Art. 46 of the Data Protection Act, a Data Protection Impact Assessment (DPIA) by a data controller is required in circumstances where the processing is on a large scale and relates to sensitive personal data or personal data relating to criminal convictions.
Coverage Horizontal
ZAMBIA
Since March 2021, entry into force in April 2021
Pillar Domestic data policies
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Cyber Security and Cyber Crimes Act, 2021 (No. 2 of 2021)
Section 22 of the Cyber Security and Cyber Crimes Act requires a controller of a critical information infrastructure to annually appoint an information technology auditor to audit the critical information infrastructure. The Authority is also empowered to order that an audit be conducted at any time.
Coverage Critical information infrastructure
ZAMBIA
Since March 2021
Pillar Domestic data policies
Indicator Requirement to allow the government to access personal data collected
Data Protection Act, 2021 (No. 3 of 2021)
The Data Protection Act permits the interception of communication in order to prevent bodily harm, loss of life, or damage to property, to detect a crime, or to determine location in cases of emergency. Additionally, public authorities can access personal data held by private organisations where the interests of national security, defence, and public order are concerned (Section 53). The legal bases are not exhaustive. However, it is reported that this does not mean that those public authorities have discretion, as any access to such information must be authorised by a particular piece of legislation.
Coverage Horizontal
ZAMBIA
Since March 2021, entry into force in April 2021
Pillar Domestic data policies
Indicator Requirement to allow the government to access personal data collected
Cyber Security and Cyber Crimes Act, 2021 (No. 2 of 2021)
Section 38 of the Cyber Security and Cyber Crimes Act requires electronic communication service providers to use electronic communication systems that are technically capable of supporting lawful interceptions, install hardware and software facilities and devices that enable interception, provide services capable of rendering real-time and full-time monitoring facilities for the interception of communications, and provide call-related information in real-time or as soon as possible upon call termination. Further, service providers are required to provide interfaces for the transmission of intercepted communication to the Central Monitoring and Coordination Centre. The penalty for non-compliance is a fine of ZMW 150,000 (approx. USD 7,100), imprisonment for up to five years, or both. It is reported that this high penalty compels service providers to render interception assistance even when they receive dubious oral orders that lack judicial backing or any evidence justifying the interception.
Coverage Electronic communication service providers
Sources
- https://web.archive.org/web/20240127144243/https://www.parliament.gov.zm/sites/default/files/documents/acts/Act%20No.%202%20of%202021The%20Cyber%20Security%20and%20Cyber%20Crimes.pdf
- https://web.archive.org/web/20240710090012/https://cipesa.org/wp-content/files/briefs/Implications-of-Zambias-Cyber-Security-and-Cyber-Crimes-Act_on-Digital-Rights_2021.pdf
ZAMBIA
Since March 2021
Pillar Intermediary liability
Indicator Safe harbour for intermediaries for copyright infringement
Electronic Communications and Transactions Act No. 4 of 2021
The Electronic Communications and Transactions Act, 2021 establishes a safe harbour regime for intermediaries for copyright infringements. According to Part X of the Act, service providers are not liable for infringing material that is transmitted, routed, or stored on their networks or platforms, provided that they do not modify the data; adhere to conditions for access to the data; do not have actual knowledge of the infringing material; and remove or disable access to the data upon receiving a takedown notice. This safe harbour provision also applies to hyperlink providers and hosting service providers. In addition, the Act establishes a “notice and takedown” procedure but does not impose a general obligation on service providers to monitor unlawful activities on their platforms or hold them liable for the use of location tools.
Coverage Intermediaries
ZAMBIA
Since March 2021
Pillar Intermediary liability
Indicator Safe harbour for intermediaries for any activity other than copyright infringement
Electronic Communications and Transactions Act No. 4 of 2021
The Electronic Communications and Transactions Act, 2021 establishes a safe harbour regime for intermediaries beyond copyright infringements. According to Part X of the Act, service providers are not liable for infringing material that is transmitted, routed, or stored on their networks or platforms, provided that they do not modify the data; adhere to conditions for access to the data; do not have actual knowledge of the infringing material; and remove or disable access to the data upon receiving a takedown notice. This safe harbour provision also applies to hyperlink providers and hosting service providers. In addition, the Act establishes a “notice and takedown” procedure but does not impose a general obligation on service providers to monitor unlawful activities on their platforms or hold them liable for the use of location tools.
Coverage Intermediaries
ZAMBIA
N/A
Pillar Telecom infrastructure & competition
Indicator Signature of the WTO Telecom Reference Paper
Lack of appendment of WTO Telecom Reference Paper to schedule of commitments
Zambia has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.
Coverage Telecommunications sector
Sources
- https://docs.wto.org/dol2fe/Pages/FE_Search/FE_S_S009-DP.aspx?language=E&CatalogueIdList=26033&CurrentCatalogueIdIndex=0&FullTextHash=&HasEnglishRecord=True&HasFrenchRecord=True&HasSpanishRecord=True
- https://web.archive.org/web/20220307092617/https://www.wto.org/english/tratop_e/serv_e/telecom_e/telecom_commit_exempt_list_e.htm
ZAMBIA
Since July 2011
Pillar Intermediary liability
Indicator User identity requirement
ICT (Registration of Electronic Communication Apparatus) Regulations 2011
It is reported that anonymous communication through digital media is compromised by SIM card registration requirements instituted in 2012. The government drew the mandate to introduce SIM card registration from Section 12 of the ICT (Registration of Electronic Communication Apparatus) Regulations 2011. The registration requires an original and valid identity card, such as a national registration card, to be presented in person to the mobile service provider. While the government indicated that the registration requirements were instituted to combat crime, investigative reports from 2012 found that subscriber details may be passed directly to the Secret Service for the creation of a mobile phone user database.
Coverage Telecommunications sector
Sources
- https://web.archive.org/web/20240105204558/https://freedomhouse.org/country/zambia/freedom-net/2023
- https://web.archive.org/web/20211017132307/https://www.zicta.zm/acts?page=2
- https://web.archive.org/web/20241204205236/https://www.dlapiperdataprotection.com/index.html?t=collection-and-processing&c=ZM
