Teddy Musonda
INTRODUCTION
The
Cyber Security Act[1] and the Cyber Crimes Act[2] (herein
collectively referred to as the ‘Cyber Laws’) were both assented to on the 8th
of April 2025. The cyber laws are to repeal and replace the Cyber Security and
Cyber Crimes Act No 2 of 2021. What must be noted though, is that the cyber
laws are not yet operational as the commencement order which would
operationalise them has not yet been promulgated by the Minister responsible. Leave
that as it may, the constitutionality of the Cyber Laws has been called into
question. On that basis, this piece of writing will interrogate several
provisions of the Cyber Laws that, as this writing will discuss, are
unconstitutional as they undermine freedoms of expression, privacy and contravene
our national values and principles as enshrined in the Zambian Constitution.
The
Cyber Crimes Act
1. Section
5: Section 5 (1) states as follows:
A person shall not intentionally and without lawful
authority, communicate, disclose or transmit data, information, a programme, an
access code or a command relating to critical information or critical
information infrastructure to any person not authorised to access such data,
information, programme, access code or command.
This provision is poorly
drafted and when strictly interpreted contravenes Article 20(1) of the
Constitution. Essentially, the Section prohibits the communication of
information that relate to critical information or critical information infrastructure.
Critical information as defined by Cyber Security Act essentially
means computer data that relates to public safety, public health, economic
stability, national security, international stability and the sustainability
and restoration of critical cyberspace. Therefore, the interpretation of the Section
is that the mere communication or expression of information that would relate
to public safety, public health, economic stability, national security,
international stability and the sustainability and restoration of critical
cyberspace without permission of the state is crimialised. The inherent
danger of this provision is that it is broadly couched with the risk of
fundamentally undermining the freedoms to communicate ideas, to criticise the
government, to expose information regarding the above sectors that would be in
interest of public in as far as checking and holding government accountable is
concerned.
Although freedom of expression
is not absolute, any restriction to freedoms must not abridge or deny the
exercise of the right but may only regulate its exercise.[3] what
this means in the context of Section 5(1) is that any restriction to the
freedom of expression as guaranteed by Article 20(1) must not prevent or
prohibit individuals from communicating or expression information relating to
public safety, public healthy etc. but may only provide instances in which the
freedom may not be exercised. It is within this understanding that the author opines
that Section 5 (1) contravenes Article 20 (1) of the Constitution.
2. Section
6: Section 6 (1) provided as follows:
A person shall not
intentionally and without lawful authority possess unauthorised data relating
to critical information or critical information infrastructure.
Therefore, this provision
seems to criminalize the possessing or holding of information or expressions
that would be linked to computer data that relates to public safety, public
health, economic stability, national security, international stability and the
sustainability and restoration of critical cyberspace. This fundamentally undermines and do indeed
infringe on the right of freedom of expression as provided under Article 23 of
the constitution. In the case of Mulundika and 7 Others v People[4]
the Supreme Court indicated that the freedom of expression includes the freedom to receive ideas and information
without interference and to communicate ideas and information without
interference. And this is also provided by Article 20(1) of the Constitution. Further,
Article 20 (3)(a) allows for a restriction of freedom of expression only if it
is reasonably required in the interests of defence, public safety,
public order, public morality or public health. To some observers, it is the restriction
provided under Article 20 (3)(a) that qualifies Section 6 as being constitutional.
However,
the author holds a contrary view. It the authors opinion that the restriction
under Article 20(3)(a) does not prevent one form holding or receiving
information that relates to defence, public safety, public health – as the
cyber security seeks to do – but it only restricts one from holding or
receiving information that could reasonably be perceived to adversely impact
the defence, public safety, public health of the nation. Put otherwise, Article 20(3)(a) does not
prevent or restrict the mere holding of information that relates to public
defence, safety, health as doing so would ultimately render the freedom of
expression defunct.
Therefore,
section 6 is badly broadly drafted consequently contravening the letter and
spirit of Article 20 of the Constitution which guarantees the freedom of
expression.
3.
Section
21: this section
to the author is one of the most appalling provisions of the Cyber Crimes Act. Section
21(1) stipulates:
“ A person who
receives an order relating to a criminal investigation under this Act, shall
not without lawful excuse, disclose—
(a) that an order
has been made;
(b) anything done
under the order; or
(c) any data
collected or recorded under the order.”
Essentially,
the provision criminalises the act of disclosing to any person that one is
under investigation for an alleged offence under the Act, without permission
from the State. It is difficult to
appreciate the good will behind this provision. Generally, crimes are intended
to prohibit conduct that would harm the pubic or another person,[5] it is thus difficulty to
appreciate what harm or danger to society would occasion by one simply
disclosing to anyone (including one’s spouse, family member, friends) that they
are being investigated by the State. Therefore, this provision manifestly
contravenes Article 20(1) of the Constitution. The provision prohibits one from
exercising their protected freedom of expression as it denies one from
disclosing information that affects them. Moreover, the restriction on freedom
of expression under Section 21(1) of the Cybercrimes Act does not fall within
the permissible limitations outlined in Article 20(3)(d), rendering the
restriction unjustified and to that extent unconstitutional.
The
above provisions of the Cyber Security Act significantly negatively impact on
the freedom of expression contrary to the Constitution. Freedom of expression
must not be unwarrantedly curtailed as it is vital for any society. The Supreme
Court for Zimbabwe commenting in the case of Re Munhumeso and Others[6]
stated as follows regarding the importance of freedom of expression
“Freedom
of expression, one of the most precious of all the guaranteed freedoms has four
broad special purposes to serve: (i) it helps an individual to obtain self-fulfilment;
(ii) it assists in the discovery of truth; (iii) it strengthens the capacity of
an individual to participate in decision making; and (iv) it provides a
mechanism by which it would be possible to establish a reasonable balance
between stability and social change.”
The Cyber Security Act
Some of the objectives of the Cyber
Security Act (Herein referred to as ‘the Act’) is to provide for cyber security
in the Republic; establish the Zambia Cyber Security Agency and provide for its
functions; provide for the regulation of cyber security service providers;
provide for the designation, protection and registration of critical
information and critical information infrastructure.[7] The objectives of the Act
are well acknowledged as it is vital that Zambia’s cyber space is enhanced and
made safe. However, there are several provisions – which are highlighted below
– that depart from the virtues of democracy thus undermining constitutionalism.
1.
Section 3:
Section 3 (1) of the Act provides for the establishment of the Zambia
Cyber Security Agency (ZCSA) under the office of the President. The
establishment of the ZCSA under the office of the President inherently undermines
the independence of the ZCSA. It would be easy for the ZCSA to run along with
the political agenda of the Executive. It is worth noting that the ZCSA’s
objective is to prevent cyber-crimes, therefore, it is difficult to accept that
the ZSCA – being established under the office of the President – will be
independent enough to investigate cyber security crimes involving members of
the Executive or close associates to the President.
Section 3 makes it
clear that the ZCSA will operate under the ‘general direction of the
President.’ The President who already as overwhelming powers is granted direct
power to control the cyber space, the danger of placing the ZCSA under the
direct control of the President is that the President may, quite easily,
abusive his/her powers to gain political advantage over his/her rivals.
According to Valeria Palanza, limiting the powers of the President over State
bodies is one way of checking Executive powers.[8]
Section 3 (1) of the Act instead clothes the President with so much power over
a very critical sector.
Article 8 (d) of the
Constitution read together with Article 9 (1) (b) demands that democracy and
constitutionalism are among the national values and principles that must be
applied in the enactment of laws. It is thus difficult to entertain the idea
that Section 3 (1) is consistent with the spirit of democracy, as democracy advocates
for the independence of state bodies and organs from interference or control. This
risk is equally manifested in Section 5 of the Act.
2.
Section 5: As noted from Section 5, the ZCSA
is headed by the Director General who is appointed by the President, and the
President is given powers to appoint supporting staff. The very fact that the
ZCSA is constituted by the President and chaired by an appointee of the
President undermines its operations in respect of their independence and
credibility.
3.
Section 19: The Section provides for a Cyber
Security Exercise. Section 19(1) mandates the ZCSA to conduct an exercise at
least once a year whose purpose is to test the readiness of controllers to a
cyber-attack. Section 19(2) grants the ZCSA discretion to conduct this very
exercise at intervals they deem fit. The primary concern with these Sections is
that they do not delineate the scope or framework within which the exercise is
to be conducted. Without a clearly
established limit, or identifiable scope and description of such exercise, it
leaves us with little or no room to question the extent or depth of such
exercise when it is conducted. Consequently, these provisions have the
potential for judicial manipulation in a sense that, due to the lack of a clear
benchmark upon which to test the reasonableness or legality of a conducted
Cyber Security Exercise, the Courts may avoid intervening on account that the
ZCSA would be exercising discretionary powers in pursuance of their administrative
function.
Evidently, the ZCSA has
been granted extensively undefined powers to conduct a Cyber Security Exercise,
and in the absence of clear guidelines governing their actions, the
President-who oversees the ZCSA – could potentially exploit the exercise for
personal gain, using it to target political opponents and others for strategic
advantage. Furthermore, the absence of clear guidelines governing their actions
makes it difficult to use the Act as a reliable measure to determine the
legality of their conduct or particular exercise.
With regards to the
Constitutionality of the Section 19. Article 17 of the Constitution provides
for the Protection for Privacy of Home and Other Property. Essentially, every
person is protected against the invasion of their privacy whether through their
property, person or home. The Article provides for circumstances in which the
exercise of this right may be restricted, among which are for purposes of
safeguarding the public defence, public safety, health, morality inter alia.[9] And when it is reasonable
in order to protect another person’s rights.[10] However. Section 19 by
granting the ZCSA extensive powers to conduct a cyber exercise whenever it deems
fit while not providing clear guidelines on the manner and extent of such
exercise, risks the invasion of people’s privacy. People’s privacy may be
invaded even when the restrictions or limitation of the right to privacy as
provided under Article 17 of the Constitution have not been satisfied. On this
account, the broad manner in which Section 19 is couched does not respect the
letter and spirit of Article 17 of the Constitution.
CONCLUSION
It
must be mentioned that the general essence and objectives of the Cyber Laws are
well acknowledged. It is of good sense, as Kaaba states that threats and crimes
that would be committed physically are equally prohibited when done online.[11]
However, the provisions highlighted in this writing are just a few examples of
the many provisions that have been broadly drafted and as Kaaba observes,
poorly drafted.[12]
Hence, these provisions manifestly contravene provisions of the Constitution,
as those discussed in this writing, directly
or in effect potentially undermines the exercise of fundamental freedoms
guaranteed by our Constitution. The end
which the cyber laws seek to serve may be good intended; however, the language
of the laws must be significantly improved, ensuring that the align to
Constitutional provisions.
[1] No
3 of 2025
[2] No 4 of 2025
[3] [1996]
ZMSC 26
[4] Ibid
[5] Stanton-Ife,
J. What is the Harm Principle For?. Criminal Law, Philosophy 10,
329–353 (2016). https://doi.org/10.1007/s11572-014-9311-8
[6] (1994)
1 L.R.C. 282
[7] Memorandum
of the Act
[8]
Palanza, V. Checking Presidential Powers: Executive
Decrees and the Legislative Process in New Democracies (Cambridge,
Cambridge University Press, 2019)
[9] Article
17(2)(b)
[10] Article
17 (2)(c)
[11] Kaaba,
O. The Cyber Crimes and the Cyber Security Acts: The Good and the Bad. (2025)
The
Cyber Crimes and the Cyber Security Acts: The Good and the Bad - Amulufeblog
[12] ibid
About the Author:
