14 Jun How Zambia’s New Cyber Security Law is Putting Telecoms Companies Under Pressure
Zambians woke up on April 1, 2021 to the reality that one of the country’s most controversial pieces of legislation in recent times had come into force.
In the space of only two months, the fiercely debated Cyber Security and Cyber Crimes Bill was approved by the Cabinet of Zambia, passed by Parliament and assented to by the President, resulting in the Bill becoming an enforceable Act from the beginning of April this year.
Many citizens and businesses alike may have been caught off guard by the swift passage of the Cyber Security and Cyber Crimes Act 2021 – not least because it had been shelved in 2018 after a fierce public outcry.
The gist of the fears expressed then and now is that the Act could be used to muzzle freedom of expression, freedom of the press and the right to privacy, especially as the nation heads for the polls in August 2021.
Government, on the other hand, maintains that the Act will help combat cyber-crime, coordinate cyber security matters, develop relevant skills, help promote the responsible use of social media platforms and protect critical national infrastructure.
Significant implications for telecommunications businesses
Zambians woke up on April 1, 2021 to the reality that one of the country’s most controversial pieces of legislation in recent times had come into force.
In the space of only two months, the fiercely debated Cyber Security and Cyber Crimes Bill was approved by the Cabinet of Zambia, passed by Parliament and assented to by the President, resulting in the Bill becoming an enforceable Act from the beginning of April this year.
Many citizens and businesses alike may have been caught off guard by the swift passage of the Cyber Security and Cyber Crimes Act 2021 – not least because it had been shelved in 2018 after a fierce public outcry.
The gist of the fears expressed then and now is that the Act could be used to muzzle freedom of expression, freedom of the press and the right to privacy, especially as the nation heads for the polls in August 2021.
Government, on the other hand, maintains that the Act will help combat cyber-crime, coordinate cyber security matters, develop relevant skills, help promote the responsible use of social media platforms and protect critical national infrastructure.
Service providers to foot the bill
The parties that will be required to actually carry out the requests are public or private service providers authorised to provide or offer an electronic communication system, process or store computer data on behalf of a communication service or user, or own an electronic communication system to provide or offer an electronic communication service.
In complying with interception requests, these service providers are expected to use electronic communication systems with the capability to conduct lawful interception and to store call-related information.
If they do not have this capacity, service providers will have to provide the necessary equipment or upgrade their existing systems to allow for the lawful interception of communication – at their own cost.
It is unlikely that service providers will be allowed to pass on the cost of acquiring compliant infrastructure by adjusting their prices, although it will be interesting to see how this will be monitored.
Spotlight on critical information and infrastructure
The interception provisions of the Act are not the only requirements that will significantly affect companies in the telecommunications sector. Also pertinent are the provisions dealing with information and infrastructure considered to be critical to the national security or economic and social wellbeing of Zambia.
Should the Minister responsible for communication issue a declaration on critical information or critical information infrastructure, those in control of that information would be subject to additional compliance obligations.
These would include restrictions on the location of the entity’s server or data centre, as well as on any change of ownership of the infrastructure, which would also have to be registered with the Information Communications and Technology Authority.
Furthermore, entities storing critical information or operating critical information infrastructure will need to have it audited by an information technology auditor, and will be required to submit reports to the regulator.
Over and above all this, telecommunications companies need to be conversant with various other provisions of the Act, including those dealing with the investigation of cyber security incidents, the licensing of cyber security service providers, the gathering of electronic evidence and the Act’s extra-territorial reach where digital crimes or security incidents have an effect in Zambia.
Given the urgency with which the new Act has been ushered in, and the absence of timelines other than the April 1, 2021 commencement date, telecommunications companies have little time to waste in familiarising themselves with the new cyber security compliance obligations.
No Comments