Zambia has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

Zambia has adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

Zambia has adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

Service providers and technology companies are required by law to assist the government in the lawful interception of communications. The law gives the government significant powers to compel service providers to monitor communications. According to Section 9 of the Cyber Security and Cyber Crimes Act, a cyber inspector may in the performance of the inspector’s functions, with a warrant—(a) monitor and inspect a computer system or activity on an information system, where such activity or information is not in public domain or is not accessible to the public; (b) enter and inspect the premises of a cyber security service provider if there is reasonable ground to believe that the licensee has contravened the provisions of this Act; and (c) audit critical information infrastructure".

According to Art. 34 of the Electronic Communications and Transactions Act 2021, cryptography service providers must register with the National Root Certification Authority. This requirement has been retained from the Electronic Communications and Transactions Act of 2009. Providing cryptography services without registration is classified as a criminal offence, punishable by imprisonment for up to five years, a fine of up to ZMW 150,000 (approximately USD 7,100), or both.

In August 2020, the Independent Broadcasting Authority (IBA) stated that online broadcasters would have to apply for licenses from the authority and be subject to its regulations. The statement followed an investigation into whether Prime TV could operate exclusively online. Legal experts criticised the IBA's assertion that Zambian law (through the Zambia Information and Communications Technology Association Act) designates the Zambia Information and Communications Technology Authority (ZICTA) as the sole regulator with authority over the Internet. The IBA once again urged online broadcasters to register with it in March 2021. However, reportedly, no broadcasters have registered because there is still no framework for applying for licences.

Section 66 of the Information and Communication Technologies Act prohibits the use, supply, sale, offer for sale, lease or hire of any electronic communications equipment or electronic communications apparatus, including radiocommunications equipment, used or to be used in connection with the provision of electronic communications unless subjected to approval test to ascertain conformance with the technical standards formulated by the Authority.
It is reported that test certificates from foreign laboratories are accepted if the laboratories are accredited.

Section 34 of Act No. 4 of 2021 requires a person who intends to provide cryptography services to apply for registration to the National Root Certification Authority and to pay the prescribed fee. It is reported that the registration requirements might make it easy for the regulator and other government agencies to access information held by encryption service providers, including decryption keys and encrypted data. Under Section 34, a person who provides a cryptography service without registration is liable for a fine of ZMW 150,000 (approx. USD 8,300) or imprisonment of up to five years. Moreover, per Section 83, the Minister may, by statutory instrument, prescribe procedures for service providers to inform the competent public authorities of alleged illegal activities or information provided by recipients of their service and communicate to the competent authorities, at their request, information enabling the identification of recipients of their service. Section 85 permits the use of encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used, in the manner provided for under the law. Further, section 86 of the Act provides that the Act should not be construed as requiring the use of any form of encryption that “limits or affects the ability of the person to use encryption without a key escrow function, or limits or affects the ability of the person who uses encryption with a key escrow function not to use a key holder.” Section 89 punishes the use of encryption to obstruct or impede a law enforcement officer or interfere with their performance of any functions under the Act, with a fine of up to ZMW 60,000 (approx. USD 2,700), imprisonment for a term not exceeding two years, or both.
Act No. 4 of 2021 repealed and replaced Act No. 21 of 2009. Sections 22 and 23 of Act No. 21 established a register of all cryptography providers. A person could only provide cryptographic services or products if they were registered with the Communications Authority. Section 89 of Act No. 21 made it an offence to use encryption to hinder or obstruct a law enforcement officer or to interfere with the performance of a law enforcement officer of any function under the Act.

Section 38 of the Cyber Security and Cyber Crimes Act requires electronic communication service providers to use electronic communication systems that are technically capable of supporting lawful interceptions, install hardware and software facilities and devices that enable interception, provide services capable of rendering real-time and full-time monitoring facilities for the interception of communications, and provide call-related information in real-time or as soon as possible upon call termination. Further, service providers are required to provide interfaces for the transmission of intercepted communication to the Central Monitoring and Coordination Centre. The penalty for non-compliance is a fine of ZMW 150,000 (approx. USD 7,100), imprisonment for up to five years, or both. It is reported that this high penalty compels service providers to render interception assistance even when they receive dubious oral orders that lack judicial backing or any evidence justifying the interception.

The Electronic Communications and Transactions Act, 2021 establishes a safe harbour regime for intermediaries for copyright infringements. According to Part X of the Act, service providers are not liable for infringing material that is transmitted, routed, or stored on their networks or platforms, provided that they do not modify the data; adhere to conditions for access to the data; do not have actual knowledge of the infringing material; and remove or disable access to the data upon receiving a takedown notice. This safe harbour provision also applies to hyperlink providers and hosting service providers. In addition, the Act establishes a “notice and takedown” procedure but does not impose a general obligation on service providers to monitor unlawful activities on their platforms or hold them liable for the use of location tools.

The Electronic Communications and Transactions Act, 2021 establishes a safe harbour regime for intermediaries beyond copyright infringements. According to Part X of the Act, service providers are not liable for infringing material that is transmitted, routed, or stored on their networks or platforms, provided that they do not modify the data; adhere to conditions for access to the data; do not have actual knowledge of the infringing material; and remove or disable access to the data upon receiving a takedown notice. This safe harbour provision also applies to hyperlink providers and hosting service providers. In addition, the Act establishes a “notice and takedown” procedure but does not impose a general obligation on service providers to monitor unlawful activities on their platforms or hold them liable for the use of location tools.

Zambia has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that anonymous communication through digital media is compromised by SIM card registration requirements instituted in 2012. The government drew the mandate to introduce SIM Card registration from Section 12 of the ICT (Registration of Electronic Communication Apparatus) Regulations 2011. The registration requires an original and valid identity card, such as a national registration card, to be presented in person to the mobile service provider. While the government indicated that the registration requirements were instituted to combat crime, investigative reports from 2012 found that subscriber details may be passed directly to the Secret Service for the creation of a mobile phone user database.

It is reported that the Zambia Information and Communications Technology Authority (ZICTA), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Part V of the Cyber Security and Cyber Crimes Act is dedicated to the protection of critical information and critical information infrastructure, where the former is defined as any information that is declared critical by the Ministry on account of its importance to the protection of national security, economic, or social well being of Zambia. The latter is any infrastructure that contains such information (Section 17). Section 18 of the Cyber Security and Cyber Crimes Act of 2021 has a local processing requirement for ‘critical information’, which is defined in Section 2 as ‘information that is declared by the Minister to be critical for the purposes of national security or the economic and social wellbeing of the Republic’. All critical information must be stored on a server or data centre within Zambia unless otherwise authorised by the Ministry.