Authored By: Malumbo Mugala
University of Zambia
Abstract
In Zambia, cybersecurity and internet privacy have been topics of interest and have sparked conversations for years. For a long time, the country faced the challenge of how to address internet crime and cybercrime. In an effort to safeguard the safety of people online and protect them from cyberbullying and other harmful acts on the internet, Zambia enacted the Cyber Crimes Act and the Cyber Security Act in 2025. This article examines the impact of these newly introduced laws on Zambia’s cyber community and how they have helped improve the safety of internet users.
Introduction
For years, people have had unlimited — perhaps too much — freedom on the internet. Individuals exploit the internet through various acts such as online bullying, cybertheft, scamming, phishing, and invasion of privacy, among others. Many innocent people, especially those of younger ages, have fallen victim to such acts and have struggled to cope with their consequences. The United Party for National Development (UPND) came to the defence of the Cyber Security Act and the Cyber Crimes Act, emphasising that the legislation aims to protect Zambian citizens from digital threats while safeguarding their constitutional rights to freedom of expression and privacy.1 This article analyzes the provisions and statutes on cybersecurity and examines how they have benefited society since their introduction to combat issues relating to the internet.
THE NEW LEGAL FRAMEWORK
The Cyber Security Act
Security and privacy are vital in order to ensure the proper safety of individuals. Without privacy, a person loses security — everything they do is watched, and their life is ultimately at the mercy of others, often without their knowledge. In the context of online activity, when personal information falls into the wrong hands, one essentially loses freedom. There are many attendant problems, including hacking, phishing, online fraud, identity theft, and cyberbullying. The Cyber Security Act was enacted to address these concerns. It seeks to protect Zambia’s digital infrastructure as well as citizens’ privacy from fraudsters,2 thereby strengthening national security and digital safety for citizens and businesses alike.
This is demonstrated in Part V of the Cyber Security Act. Section 22 states that no person shall attempt, knowingly or unknowingly, to intercept, or attempt to intercept, or procure another person to intercept, any communication.3 This provision prohibits a person from surveilling, deliberately listening to, recording, or unlawfully accessing another person’s information without their consent. The Act further provides that no person shall attempt to use, or procure another to use, any electronic, software, or mechanical device to intercept communication.4 Anyone found committing the said offences is liable, on conviction, to a fine not exceeding one million penalty units or to imprisonment for a term not exceeding ten years, or in some cases, both.5 This would not only deter existing offenders but also discourage would-be criminals, as the prospect of facing sanctions serves as a powerful repellent. In turn, this ensures greater online security for all users. A considerable number of provisions within the Cyber Security Act further highlight cybersecurity concerns, but those discussed here amply demonstrate the essence of what the Act governs.
The Cyber Crimes Act
The two Acts were intended to repeal and replace the Cyber Security and Cyber Crimes Act No. 2 of 2021, which received heavy criticism for limiting human rights. This Act, together with the Cyber Security Act, represents the government’s growing commitment to regulating and securing cyberspace.6 The Cyber Crimes Act aims to provide protection to internet users against cybercrime while concurrently enforcing sanctions on offenders. Part II states that a person commits an offence if that person, using a device, records a private conversation, whether or not that person is a party to the conversation.7 A person who commits this offence is liable, on conviction, to a fine not exceeding two hundred thousand penalty units or to imprisonment for a term not exceeding two years, or to both.8
In addition to provisions regarding private conversations, the Act prohibits the exposure and distribution of sexualised content involving children. A person commits an offence under this Act when he or she intentionally:
- produces child pornography for the purpose of its distribution through a computer or computer system;9
- sells, imports, exports, or makes available child pornography to a child through a computer or computer system;10
- offers or makes child pornography available through a computer or computer system.11
A person who contravenes the said provision is liable, on conviction, to imprisonment for a term of at least fifteen years and not exceeding twenty-five years.12 This is consistent with the constitutional guarantee that all young persons must be protected against physical or mental ill-treatment, all forms of neglect, cruelty, or exploitation.13
INTERPRETATION OF CYBER LAWS
Case Law
Shreya Singhal v. Union of India
This is a landmark judgment delivered by the Supreme Court of India in 2015, addressing online speech and intermediary liability. Section 66-A of India’s Information Technology Act, 2000 made it a punishable offence to send “grossly offensive” or “menacing” information via a computer or communication device. The provision also criminalised the persistent sending of information the sender knew to be false, intended to cause annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will. However, the vague and arbitrary terms used in the section led to widespread misuse, with criminal cases being instituted against innocuous instances of online speech, including political commentary and humour. The Supreme Court struck down Section 66-A, holding that it was vague and overbroad, and therefore inconsistent with Article 19(1)(a) of the Constitution of India, as the statute was not narrowly tailored to the specific categories of speech it purported to curb.14
This case illustrates how laws should not contradict one another, and how legislation must not hinder fundamental rights. It also underscores the supremacy of the constitution and its binding effect on all other laws. In the Zambian context, the Constitution is the supreme law of the land, and any written law, customary law, or customary practice that is inconsistent with its provisions is void to the extent of the inconsistency.15 The Constitution binds all persons in Zambia, all State organs, and all State institutions.16
This constitutional principle was affirmed in Arthur Lubinda Wina and Others v The Attorney General. In that case, the President of Zambia prohibited the Times of Zambia from publishing affairs of the Movement for Multi-Party Democracy (MMD), thereby infringing the rights to freedom of association and freedom of expression guaranteed by the then-Articles 22 and 25 of the Constitution. The High Court held that the Constitution, as the supreme law of the country, is binding upon everyone and that no one is above it.17
LOOPHOLES
“What happens when the bad guys take advantage of the digital spaces to undermine the offline world?” — Nanjala Nyabola18
While the Cyber Security Act puts in place measures to prevent illegal interceptions of communication through Sections 22, 29, and 30, it appears that the Act simultaneously permits mass surveillance.19 Section 39 requires electronic communication service providers to cooperate with interception authorities by: installing hardware and software capable of being intercepted; providing services that can be intercepted and monitored in real time and on a continuous basis; providing an interface through which intercepted communications are channelled to the Central Monitoring and Coordination Centre; and providing access to all intercepted subjects operating temporarily or permanently within the service provider’s communication system.20 In practice, this means that calls, messages, and transactions can potentially be intercepted at any time.
While cyber laws are designed to protect privacy, an investigation scenario may require that privacy be lawfully overridden. In R v Khan (Sultan),21 the police installed a device in a private home to record conversations confirming a drug importation conspiracy, without any statutory authorisation for doing so at the time. The House of Lords affirmed that evidence, regardless of the method used to obtain it, is generally admissible. Nonetheless, the court held that judges retain the power to exclude evidence under Section 78 of the Police and Criminal Evidence Act 1984 in order to maintain the fairness of proceedings, provided such exclusion is not made per incuriam. While this principle is beneficial to investigations, it carries the risk of normalising invasive surveillance methods, such that cyber security protections may gradually be eroded.
This tension is also visible within the Cyber Crimes Act itself. Section 10, subsections 2 and 3 create exceptions to the general prohibition in subsection 1 against recording private conversations. It is not an offence to record where there is a threat to life or an imminent threat of serious violence;22 a threat of substantial damage to property;23 or an offence under any written law that may be committed.24 Similarly, an officer shall not be held accountable if he or she records a private conversation where it is reasonably necessary for the protection of the lawful interests of a party. While these exceptions serve legitimate purposes, they may encourage officers who are not fully conversant with the law to record conversations without proper justification, or be exploited by those who invoke legal exceptions as a pretext for unlawful recording.
WAY FORWARD
Limited Access to Network Service Providers
Given that calls, texts, and other forms of communication can be intercepted by anyone with access to network service providers, a key reform would be to restrict such access to a carefully vetted and limited number of trusted individuals. This would result in greater privacy for citizens, as fewer messages, transactions, calls, and items of personal information would be susceptible to interception.
Prohibition on Access to Recording Devices
While Section 10, subsections 2 and 3 of the Cyber Crimes Act permit the recording of conversations without consent in special circumstances, the potential for abuse by law enforcement officers must be addressed. Law enforcement agencies should restrict access to recording devices by rank, requiring officers below a specified grade to seek formal authorisation from a senior officer before accessing such devices. This recommendation finds support in Section 30 of the Cyber Security Act, which provides that a law enforcement officer may make an oral request to an electronic communications service provider to intercept communication,25 suggesting that a structured authorisation process is already contemplated by the framework.
CONCLUSION
Cyber laws have made a significant impact, particularly within the legal community. The Cyber Security Act prohibits unlawful interceptions, the deliberate and unlawful recording of private communications, the unlawful access of private information, and the use of electronic devices to intercept communications. The Cyber Crimes Act, in turn, provides that persons must not access or record private conversations without authorisation, stalk or surveil private communications, or produce, offer, sell, import, export, or make available child pornography through computer systems. Though these two laws appear to complement each other and share certain similarities, they are independent pieces of legislation with independent objects and must be treated as such. The introduction of these laws has not only strengthened the protection of human rights but has also served to deter and reduce the deviant activities that threaten those rights.
BIBLIOGRAPHY
PRIMARY SOURCES
Zambian Cases
Arthur Lubinda Wina and Others v The Attorney General 1990 Z.R. 95 (H.C.)
Other Cases
Shreya Singhal v. Union of India AIR 2015 SC 1532
R v Khan (Sultan) [1997] AC 558 (HL)
Legislation
Constitution of Zambia Cap 1, as amended by the Constitution of Zambia (Amendment) Act No. 13 of 2025
The Cyber Security Act, No. 3 of 2025
The Cyber Crimes Act, No. 4 of 2025
SECONDARY SOURCES
Online Resources
Mark Simuuwe, ‘UPND Clarifies Intent Behind Cybersecurity Act Amid Opposition Criticism’ Lusaka Times (21 April 2025) <https://www.lusakatimes.com/2025/04/21/upnd-clarifies-intent-behind-cybersecurity-act-amid-opposition-criticism/> accessed 11 February 2026
Arnold Mulenga, ‘Zambia Denies Spying on Citizens Through Cyber Laws’ ITWeb Africa (27 May 2025) <https://itweb.africa/article/zambia-denies-spying-on-citizens-through-cyber-laws/lLn14MmQ33GMJ6Aa> accessed 11 February 2026
Dr. O’Brien Kaaba, ‘The Cyber Crimes and Cyber Security Acts: The Good and the Bad’ Amulufe Blog (30 April 2025) <https://www.amulufeblog.com/2025/04/the-cyber-crimes-and-cyber-security.html> accessed 11 February 2026
Footnote(S):
1 Mark Simuuwe, ‘UPND Clarifies Intent Behind Cybersecurity Act Amid Opposition Criticism’ Lusaka Times (21 April 2025) <https://www.lusakatimes.com/2025/04/21/upnd-clarifies-intent-behind-cybersecurity-act-amid-opposition-criticism/> accessed 11 February 2026
2 Arnold Mulenga, ‘Zambia Denies Spying on Citizens Through Cyber Laws’ ITWeb Africa (27 May 2025) <https://itweb.africa/article/zambia-denies-spying-on-citizens-through-cyber-laws/lLn14MmQ33GMJ6Aa> accessed 11 February 2026
3 The Cyber Security Act, No. 3 of 2025, Part V, s 22(1)(a)
4 ibid s 22(1)(b)
5 ibid s 22(2)
6 Dr. O’Brien Kaaba, ‘The Cyber Crimes and Cyber Security Acts: The Good and the Bad’ Amulufe Blog (30 April 2025) <https://www.amulufeblog.com/2025/04/the-cyber-crimes-and-cyber-security.html> accessed 11 February 2026
7 The Cyber Crimes Act, No. 4 of 2025, s 10(1)
8 ibid s 10(2)
9 ibid s 15(a)
10 ibid s 15(b)
11 ibid s 15(c)
12 ibid s 15(2)
13 Constitution of Zambia Cap 1, as amended by the Constitution of Zambia (Amendment) Act No. 13 of 2025, art 24(2)
14 Shreya Singhal v. Union of India AIR 2015 SC 1532 <https://share.google/2UZdgrTzzt3l5xuBV> accessed 13 February 2026
15 Constitution of Zambia (n 13) art 1(1)
16 ibid art 1(3)
17 Arthur Lubinda Wina and Others v The Attorney General 1990 Z.R. 95 (H.C.)
18 Kaaba (n 6)
19 ibid
20 ibid
21 R v Khan (Sultan) [1997] AC 558 (HL) [Note: The original manuscript cited [1984] AC 588; the correct citation is [1997] AC 558. The author should verify against a primary law database.]
22 The Cyber Crimes Act, No. 4 of 2025, s 10(3)(b)(i)
23 ibid s 10(3)(b)(ii)
24 ibid s 10(3)(b)(iii)
25 The Cyber Security Act, No. 3 of 2025, s 30(1)
