Telecommunications companies under pressure to comply with Zambia’s new cyber security law
By Bwalya Chilufya-Musonda, partner, and Joshua Mwamulima, senior associate, Bowmans Zambia
Zambians woke up on 1 April 2021 to the reality that one of the country’s most controversial pieces of legislation in recent times had come into force.
In the space of only two months, the fiercely debated Cyber Security and Cyber Crimes Bill was approved by the Cabinet of Zambia, passed by Parliament and assented to by the President, resulting in the Bill becoming an enforceable Act from the beginning of April this year.
Many citizens and businesses alike may have been caught off guard by the swift passage of the Cyber Security and Cyber Crimes Act, 2021 – not least because it had been shelved in 2018 after a fierce public outcry.
The gist of the fears expressed then and now is that the Act could be used to muzzle freedom of expression, freedom of the press and the right to privacy, especially as the nation heads for the polls in August 2021.
Government, on the other hand, maintains that the Act will help combat cyber-crime, coordinate cyber security matters, develop relevant skills, help promote the responsible use of social media platforms and protect critical national infrastructure.
Significant implications for telecommunications businesses
Now that the Act is a fait accompli, the implications for businesses in the telecommunications sector are starting to sink in.
The Cyber Security and Cyber Crimes Act has a significant compliance and financial impact on telecommunications companies in Zambia. It is their networks and systems that will be used to carry out the interception requirements of the Act, among other things, and it is they who will carry the costs associated with this.
The Act has considerably broadened the scope of law enforcement authorities to intercept communications in Zambia.
While it broadly prohibits the interception of communication, the Act permits law enforcement and security officials to intercept communications in the execution of their duties, in accordance with an order from a designated judge of the High Court of Zambia. However, if the delay caused by obtaining a High Court order would result in harm to a person or property, the Act permits a law enforcement officer to intercept the communication without an order.
Facilitating such interception requests will be the task of a yet-to-be-established Central Monitoring and Co-ordination Centre, which will be managed, controlled and operated by the Government communications department in liaison with the Zambia Information Communications and Technology Authority. The Centre is the sole facility through which all interception of communication can be effected and through which call-related information may be forwarded.
Service providers to foot the bill
The parties that will be required to actually carry out the requests are public or private service providers authorised to provide or offer an electronic communication system, process or store computer data on behalf of a communication service or user, or own an electronic communication system to provide or offer an electronic communication service.
In complying with interception requests, these service providers are expected to use electronic communication systems with the capability to conduct lawful interception and to store call-related information.
If they do not have this capacity, service providers will have to provide the necessary equipment or upgrade their existing systems to allow for the lawful interception of communication – at their own cost.
It is unlikely that service providers will be allowed to pass on the cost of acquiring compliant infrastructure by adjusting their prices, although it will be interesting to see how this will be monitored.
Spotlight on critical information and infrastructure
The interception provisions of the Act are not the only requirements that will significantly affect companies in the telecommunications sector. Also pertinent are the provisions dealing with information and infrastructure considered to be critical to the national security or economic and social wellbeing of Zambia.
Should the Minister responsible for communication issue a declaration on critical information or critical information infrastructure, those in control of that information would be subject to additional compliance obligations.
These would include restrictions on the location of the entity’s server or data centre, as well as on any change of ownership of the infrastructure, which would also have to be registered with the Information Communications and Technology Authority.
Furthermore, entities storing critical information or operating critical information infrastructure will need to have it audited by an information technology auditor, and will be required to submit reports to the regulator.
Over and above all this, telecommunications companies need to be conversant with various other provisions of the Act, including those dealing with the investigation of cyber security incidents, the licensing of cyber security service providers, the gathering of electronic evidence and the Act’s extra-territorial reach where digital crimes or security incidents have an effect in Zambia.
Given the urgency with which the new Act has been ushered in, and the absence of timelines other than the 1 April 2021 commencement date, telecommunications companies have little time to waste in familiarising themselves with the new cyber security compliance obligations.