ZAMBIA
Since March 2021
Pillar Cross-border data policies |
Sub-pillar Ban to transfer and local processing requirement
Data Protection Act, 2021 (No. 3 of 2021)
According to Section 70.3 of the Data Protection Act, sensitive personal data must be processed and stored in a server or data centre located in the Republic. Sensitive personal data is defined in Section 2 of the Act as personal data which by its nature may be used to suppress the data subject’s fundamental rights and freedoms and includes the race, marital status, ethnic origin, or sex of a data subject; genetic data and biometric data; child abuse data; a data subject’s political opinions; a data subject’s religious beliefs or other beliefs of a similar nature; whether a data subject is a member of a trade union; or a data subject’s physical or mental health, or physical or mental condition.
Section 14 of the Act prohibits the processing of sensitive personal data unless it is necessitated by a legal claim or judicial function in court, in the context of health service provision, or for reasons of public interest. In health service provision, the law requires that data be processed by or under the responsibility of a professional, subject to secrecy and other obligations imposed by any law or professional bodies regulating them. Data processed to serve the public interest can only be processed where adequate measures to safeguard the rights and freedoms of the data subject have been put in place.
Coverage Horizontal
Sources
- https://web.archive.org/web/20221031163606/https://www.parliament.gov.zm/sites/default/files/documents/acts/Act%20No.%203%20The%20Data%20Protection%20Act%202021_0.pdf
- https://web.archive.org/web/20231204041421/https://www.parliament.gov.zm/node/8853
- https://web.archive.org/web/20231211003501/https://www.trade.gov/country-commercial-guides/zambia-ecommerce
ZAMBIA
Since March 2021
Pillar Cross-border data policies |
Sub-pillar Conditional flow regime
Data Protection Act, 2021 (No. 3 of 2021)
Section 71.1 of the Data Protection Act allows for the transfer of personal data outside Zambia, except sensitive personal data, on condition that:
- The data subject has consented, and the transfer is made subject to standard contracts or intra-group schemes that the Data Protection Commissioner has approved, or the Minister has prescribed for the transfer outside the Republic to be permissible.
- The Data Protection Commissioner approves a particular transfer or set of transfers as permissible due to a situation of necessity.
Consideration by the Minister to sanction the cross-border transfer of personal data is based on the adequate level of protection, having regard to the applicable laws and international agreements in the destination country; and that the enforcement of data protection laws by authorities with appropriate jurisdiction is effective (Section 71.2).
Coverage Horizontal
ZAMBIA
N/A
Pillar Cross-border data policies |
Sub-pillar Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
Zambia has not joined any free trade agreement committing to open transfers of cross-border data flows.
Coverage Horizontal
ZAMBIA
Since March 2021
Pillar Domestic data policies |
Sub-pillar Framework for data protection
Data Protection Act, 2021 (No. 3 of 2021)
The Data Protection Act No. 3 provides a comprehensive regime of data protection in Zambia. The key objectives of this Act are to not only provide for an effective system for the use and protection of personal data but also to regulate the collection, use, transmission, storage, and otherwise processing of personal data. The Act also creates an important office within the Office of the Data Protection Commissioner, whose responsibility it is to oversee all issues concerning data processing and registration of data controllers and licensing of data auditors. More importantly, the Act also provides for the rights of data subjects and in the same vein, it stipulates the duties of data controllers and data processors.
In addition, the Data Protection (Registration and Licensing) Regulations, 2021, contained in Statutory Instrument No. 58 of 2021, were issued on 14 May 2021 by the Minister of Transport and Communications in the exercise of the powers established by Section 82 of the Data Protection Act. Moreover, related issues such as cybercrime and electronic communications are governed by legislation such as the Electronic Communications and Transactions Act No. 4 of 2021 (the ECT Act) and the Information and Communications Technologies Act No. 15 of 2009. The Zambia Information and Communications Technology Authority supervises the application of the ECT Act. Lastly, Art. 17 of the Constitution provides that no person can be subject to the search of their person or property or entry by others on their premises without their consent and further provides exceptions to this right.
Coverage Horizontal
Sources
- https://web.archive.org/web/20240127132253/https://www.parliament.gov.zm/sites/default/files/documents/acts/Act%20No.%203%20The%20Data%20Protection%20Act%202021_0.pdf
- https://unctad.org/page/cyberlaw-tracker-country-detail?country=zm
- https://web.archive.org/web/20230926233247/https://www.dataguidance.com/notes/zambia-data-protection-overview
ZAMBIA
Since May 1994
Pillar Domestic data policies |
Sub-pillar Minimum period for data retention
Banking and Financial Services Act, 1994
Section 50 of the Banking and Financial Services Act provides that a financial service provider shall retain a register or record for a period of at least ten years. Section 52 deals with the maintenance of records, and Section 48 with credit documentation.
Coverage Financial services
ZAMBIA
Since March 2021
Pillar Domestic data policies |
Sub-pillar Minimum period for data retention
Data Protection Act, 2021 (No. 3 of 2021)
According to Art. 51 of the Data Protection Act, a data controller and data processor must retain personal information for as long as it is used for the specific purpose for which it was collected. Additionally, the information must be kept for a period of at least one year thereafter or for any other period that may be prescribed as long as it remains relevant to that purpose.
Coverage Horizontal
ZAMBIA
Since March 2021, entry into force in April 2021
Pillar Domestic data policies |
Sub-pillar Minimum period for data retention
Cyber Security and Cyber Crimes Act, 2021 (No. 2 of 2021)
According to Section 10 of the Cyber Security and Cyber Crimes Act 2021, when a data retention notice is issued requiring an electronic communications service provider to retain internet connection records, the notice will specify the exact data to be retained. The service provider is not obligated to retain data beyond what is detailed in the retention notice.
Section 39 of the Cyber Security and Cyber Crimes Act 2021 mandates that an electronic communications service provider must obtain from subscribers information including the person's full name, residential address, and identity number as stated in their identity document before entering into a service contract.
Coverage Telecommunications sector
ZAMBIA
Since March 2021
Pillar Domestic data policies |
Sub-pillar Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Data Protection Act, 2021 (No. 3 of 2021)
According to Art. 46 of the Data Protection Act, a Data Protection Impact Assessment (DPIA) by a data controller is required in circumstances where the processing is on a large scale and relates to sensitive personal data or personal data relating to criminal convictions.
Coverage Horizontal
ZAMBIA
Since March 2021, entry into force in April 2021
Pillar Domestic data policies |
Sub-pillar Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Cyber Security and Cyber Crimes Act, 2021 (No. 2 of 2021)
Section 22 of the Cyber Security and Cyber Crimes Act requires a controller of a critical information infrastructure to annually appoint an information technology auditor to audit the critical information infrastructure. The Authority is also empowered to order that an audit be conducted at any time.
Coverage Critical information infrastructure
ZAMBIA
Since March 2021
Pillar Domestic data policies |
Sub-pillar Requirement to allow the government to access personal data collected
Data Protection Act, 2021 (No. 3 of 2021)
The Data Protection Act permits the interception of communication in order to prevent bodily harm, loss of life, or damage to property, to detect a crime, or to determine location in cases of emergency. Additionally, public authorities can access personal data held by private organisations where the interests of national security, defence, and public order are concerned (Section 53). The legal bases are not exhaustive. However, it is reported that this does not give those public authorities discretion, as any access to such information must be authorised by a particular piece of legislation.
Coverage Horizontal
ZAMBIA
Since January 2012
Pillar Telecom infrastructure & competition |
Sub-pillar Presence of shares owned by the government in telecom companies
Presence of shares owned by the government in the telecom sector
All internet and mobile service providers in Zambia are privately owned, with the exception of Zambia Telecommunications Company Limited (ZAMTEL), which was nationalised in 2012 under former president Michael Sata. Sata’s predecessor, Rupiah Banda, had previously privatised the company, but the state reversed this sale, restoring ZAMTEL to 100% government ownership. Despite ZAMTEL's smaller share in the mobile market, it has historically held a larger share of fixed-line subscriptions and is the only mobile operator offering landline telephone services. As of May 2018, MTN is the dominant mobile service provider with a 44% market share, followed by Airtel with 39.7% and ZAMTEL with 15.9%.
Coverage Telecommunications sector
ZAMBIA
N/A
Pillar Telecom infrastructure & competition |
Sub-pillar Functional/accounting separation for operators with significant market power
Lack of mandatory accounting separation for dominant network operators
It is reported that Zambia does not mandate accounting separation for operators with significant market power (SMP) in the telecom market. However, functional separation is an obligation.
Coverage Telecommunications sector
ZAMBIA
Since August 2009
Since July 2017
Since 2017
Pillar Telecom infrastructure & competition |
Sub-pillar Licensing restrictions to operate in the telecom market
Information and Communication Technologies Act No. 15 of 2009
Zambia Information and Communications Technology Authority - Licensing Guidelines of 2017
Statutory Instrument No. 11 of 2017
Pursuant to Art. 10.1 of the Information and Communication Technology Law No. 15 of 2009, the Authority issues the following licenses: (i) Network License: allows for the construction, ownership or provision of an electronic communications network, or the provision of network services; and (ii) Service License: allows for the provision of one or more electronic communications services. Licensees must ensure that all applications submitted comply with the provisions of the 2017 Licensing Guidelines. Statutory Instrument No. 11 establishes a minimum share capital requirement for private telecommunications companies of ZMW 15,000 (approximately USD 860). The licensing requirements include the technical and financial capability of the applicant, a comprehensive business plan, company information on shareholders, relevant company registration documentation, a list of directors, place of domicile and tax clearance, technical plan, roll-out plan, network diagrams and explanations, target customers, pricing for products and services, financial projects, anticipated capital expenditure, value proposition, among others. There are complaints about the licensing process. On the one hand, it is reported that foreign investors in the telecom sector are required to disclose certain proprietary information to the Zambia Development Agency (ZDA) as part of the regulatory approval process. On the other, it is reported that prospective mobile service provider Uzi Mobile stated that licensing issues contributed to its decision to withdraw from Zambia in 2020.
Coverage Telecommunications sector
Sources
- https://web.archive.org/web/20220701211928/https://www.zicta.zm/storage/posts/attachments/msl73r270UbetjLOlmJ9D8Q3Tkm41rOw2m2aaH9X.pdf
- https://ilo.org/dyn/natlex/natlex4.detail?p_lang=en&p_isn=82357&p_country=ZMB&p_count=182
- https://www.state.gov/reports/2023-investment-climate-statements/zambia/
- https://itip-services-worldbank.wto.org/DetailView.aspx?id=2844116&id2=&id3=&sPath=000021090010901&mzMode=Modes3
- https://www.facebook.com/PacraZambia/posts/did-you-know-the-minimum-nominal-capitalguaranteed-amount-for-a-private-limited-/1363009290385760/
ZAMBIA
Since November 2020, entry into force in April 2021, last amended in 2023
Pillar Public procurement of ICT goods and online services |
Sub-pillar Other limitations on foreign participation in public procurement
Public Procurement Act No. 8, 2020
Section 91 of the Public Procurement Act establishes a preference and reservation scheme for citizens or local suppliers, as well as bidders offering goods, works, or services with local content. Certain procurement opportunities are also reserved for target groups, including SMEs, women, youths, and persons with disabilities. Additionally, greater preference is granted to joint ventures or associations involving citizens or local suppliers than to foreign suppliers subcontracting them. The margin of preference to be applied is not predetermined; instead, it is set by the Public Procurement Authority in collaboration with the Citizens' Economic Empowerment Commission and other relevant government departments and statutory bodies in each tender procedure.
Coverage Horizontal
Sources
- https://web.archive.org/web/20230924101432/https://www.parliament.gov.zm/sites/default/files/documents/acts/The%20Public%20Procurement%20Act%20No.%208%202020.pdf
- https://web.archive.org/web/20240228224527/https://www.zppa.org.zm/documents/20182/197698/Act+No.+17+of+2023%2C+The+Public+Procurement.pdf/295bb334-92d3-42fb-8367-c430c938f2ba
- https://web.archive.org/web/20210919105505/https://www.zppa.org.zm/documents/20182/85608/CIRCULAR_2_OF_2021_COMMENCEMENT+OF+THE+PUBLIC+PROCUREMENT+ACT+NO.+8+OF+2020.pdf/f5fba563-8c53-42bd-9cff-bedd649...
ZAMBIA
Since 2018
Pillar Public procurement of ICT goods and online services |
Sub-pillar Other limitations on foreign participation in public procurement
National Local Content Strategy 2018-2022
According to the National Local Content Strategy 2018-2022, government policy mandates a minimum of 35% utilisation of local inputs and/or products in the production and provision of goods and services across the economy.
Coverage Horizontal