Provision of Real-time Lawful Interception Assistance
Disclosure of Communications Data
National Security and Emergency Powers
Oversight of the Use of Powers
Censorship-related Powers
Oversight of the Use of Powers (Censorship-related)

UPDATED: April 2026 | SOURCE: Chilombo Mukena, Fellow, Global Network Initiative (GNI)

Provision of Real-time Lawful Interception Assistance

Constitution of Zambia

Part III of Zambia’s Constitution guarantees several civil and political rights including the right to privacy. Article 17 of Zambia’s Constitution guarantees the right of all persons to not be subjected to the search of their person or property or entry by others on their premises without their consent. The provision permits derogation of the right in the interest of, among other things, public order, morality and for purposes of protecting the rights and freedoms of others. However, such derogation must be reasonably justifiable in a democratic society.

The Cyber Security Act No. 3 of 2025

Lawful interceptions of communications in Zambia are carried out pursuant to the Cyber Security Act. The Act establishes the Cyber Security Agency which is responsible for administration of the Act and a Central Monitoring and Coordination Centre (established under the repealed Cyber Security and Cyber Crimes Act of 2021) which is the sole facility through which lawful interceptions are effected and to which intercepted communication and call related information are to be forwarded. The Cyber Security Agency is established under the general direction of the President of Zambia while the Centre is managed and operated by the division responsible for Government communications.

Section 29 of the Cyber Security Act provides as follows:

(1) Subject to subsection (2), a law enforcement officer shall, where the law enforcement officer has reasonable grounds to believe that an offence has been committed, is likely to be committed, or is being committed, apply ex-parte to a judge for an interception of communication order.

(2) A judge to whom an application is made under subsection (1) may issue an interception of communication order—
(a) requiring an electronic communications service provider to intercept and retain specified communication or communications of a specified description received or transmitted, or about to be received or transmitted by that electronic communications service provider;
(b) authorising the law enforcement officer, through the Centre, to enter specified premises and to install on such premises any device for the interception and retention of communication or communications of a specified description and to remove and retain such device;
(c) requiring any person to furnish the law enforcement officer with information, facilities and assistance as the judge considers necessary for the purpose of the installation of the interception device; or
(d) imposing terms and conditions for the protection of interests of persons specified in the interception of communication order or any third parties or to facilitate investigations.

For purposes of the Act, a ‘law enforcement officer’ includes a police officer, an officer of the Anti Corruption Commission, the Drug Enforcement Commission, the Zambia Security Intelligence Service, the National Anti-terrorism Centre or any other person the President of the Republic may designate for purposes of the Act. Section 29 further provides with regard to interception orders:

(5) A law enforcement officer shall on receipt of an order under subsection (2), serve the order on an electronic communications service provider.

(6) An electronic communications service provider shall, within twenty four hours of receipt of an order issued under subsection (2), route duplicate signals of an indirect communication to the Centre.

(7) The Centre shall make available to a law enforcement officer the duplicate signals of an indirect communication routed to the Centre under subsection (6).

The Act does not address the examination, storage and/or erasure of data obtained through such interceptions.

In addition to interceptions pursuant to a court order, section 30 of the Cyber Security Act provides that law enforcement officers may, without a warrant, orally request an electronic communications service provider to intercept any communication and route duplicate signals to the Central Monitoring and Coordination Centre where the law enforcement officer has reasonable grounds to believe that:

(a) a person who is party to any communication —
(i) has caused, or may cause, the infliction of bodily harm to another person;
(ii) threatens, or has threatened, to cause the infliction of bodily harm to another person;
(iii) threatens, or has threatened, to kill oneself or another person, or to perform an act which may endanger that person’s own life or that of another person;
(iv) has caused or may cause damage to property; or
(v) has caused or may cause financial loss to banks, financial institutions, account holders or beneficiaries of funds being remitted or received by such account holders or beneficiaries;

(b) it is not reasonably practical to make an application under section 29 for an interception of communication order as the delay to intercept a specified communication would result in the infliction of bodily harm, the death of another person or damage to property; or

(c) the sole purpose of the interception is to prevent bodily harm to, or loss of life of, any person or damage to property.
An electronic communications service provider which receives such an oral request from a law enforcement officer is mandated to route duplicate signals of the indirect communication to the Centre.

While the Act prohibits random monitoring of communications, Sections 37 and 40(2) require that electronic communications service providers offer services which are capable of being intercepted and storing call related information and internet connection records. Section 39 further requires that electronic communications service providers offer the following assistance:

(b) install hardware and software facilities and devices to enable interception of communications when required by a law enforcement officer or under a court order;

(c) provide services that are capable of rendering real time and full time monitoring facilities for interception of communications;

(d) provide all call-related information in real time or as soon as possible on call termination;

(e) provide one or more interfaces from which an intercepted communication shall be transmitted to the Centre;

An electronic communications service provider that contravenes this provision commits an offence and is liable to a fine. Per Section 40(4), the President may, by statutory instrument, make Regulations to provide for the manner in which electronic communications service providers are to provide interception capabilities. Electronic communications service providers must acquire the necessary facilities to conduct interceptions at their own expense.

Disclosure of Communications Data

The Cyber Crimes Act No 4 of 2025

Section 32 of the Cyber Crimes Act provides for the collection of traffic data by law enforcement officers. It provides that a law enforcement officer may, where they have reason to believe that traffic data is reasonably required for the purposes of a criminal investigation, make an ex-parte application to a judge for an order directed at a person in control of such data to:

(a) collect or record traffic data associated with a specified communication during a specified period; or

(b) permit and assist a specified law enforcement officer to
collect or record that data.

A judge may grant an order for the collection or recording of traffic data for a specified period of time. Judges have discretion to determine the validity of this order with no minimum or maximum period prescribed.

National Security and Emergency Powers

The Cyber Security Act No. 3 of 2025

Section 32 of the Cyber Security Act empowers a law enforcement officer to, where they have reasonable grounds to believe that the determination of the location of a party to a communication is necessary for purposes of an emergency, request an electronic communications service provider to intercept a communication for purposes of geolocation. An ‘emergency’ for purposes of this provision is broadly defined to include where:

(a) there is potential or actual threat to national security;

(b) there is potential or actual threat to public safety;

(d) property is likely to be damaged, is being damaged or has been damaged.

Interception of communications for purposes of determining location under section 32 is subject to the provisions of section 29 ‘with necessary modifications’. The Act does not clarify whether these modifications relate to the requirement to obtain an ex-parte communications order from a judge or the duration prescriptions of section 29 given that the interception under section 32 is carried out on the basis of an emergency.

Oversight of the Use of Powers

The Cyber Security Act No 3 of 2025

The Cyber Security Act provides for judicial oversight over interception orders. Section 29 of the Cyber Security Act requires that the interception of communications be carried out pursuant to an interception order granted by a Judge of the High Court. A judge may grant an interception order only where they are satisfied that there are reasonable grounds to believe that the communication relates to the commission of an offence under the Cyber Security Act or any other written law or that the whereabouts of a person suspected to have committed an offence is contained in that communication.

Additionally, section 30 (4) provides that a law enforcement officer who makes an oral request for interception of data without a warrant must, within 2 days after the interception, submit to a judge, among other things, an affidavit setting out the results and information obtained from the interception, a recording of the communication obtained and a full or partial transcript of the intercepted communication. An electronic communications service provider which routes duplicate signals under section 30 must similarly submit an affidavit to a judge setting out the steps taken to give effect to the request and the results obtained, as soon as practicable.

Section 30 (6) of the Cyber Security Act provides that a judge may make an order as they consider appropriate in relation to the electronic communications service provider, the user whose communications are intercepted or the law enforcement officer where they find that the interception was carried out for purposes contrary to purposes of the Act or in contravention of any other law.

The Cyber Crimes Act No. 4 of 2025

Section 10 of the Cyber Crimes Act prohibits the recording of private conversations without notice to the parties to the conversation, whether one is a party to the conversation or not. A person found guilty of violating this provision is liable to a fine or may be imprisoned for up to 2 years. The only exceptions to the provision are where the conversation is recorded unintentionally, where a law enforcement officer reasonably suspects that there is a threat to life, property or an offence and where it is reasonably necessary for the protection of the lawful interests of a party to the conversation.

The Data Protection Act No 3 of 2021

Zambia’s Data Protection Act regulates the collection, use, transmission and storage of personal data. ‘Personal data’ for purposes of the Act is data which relates to an individual who can directly or indirectly be identified from that data such as their name, location data, online identifier or any other factors specific to the identity of that natural person. The Act establishes the office of the Data Protection Commissioner which is responsible for the regulation of data protection in Zambia.
Section 12 of the Data Protection Act sets out the principles relating to the processing of personal data. It expressly sets out principles of data minimization, lawful processing, fairness, transparency, purpose specification and proportionality. However, sections 39 and 40 of the Data Protection Act exempt the processing of personal data in the interest of national security, public order, prevention, detection, and investigation of crimes from the provisions relating to the principles of processing personal data set out in section 12 except sub-section (1) (c) (d), (e) and (g). Those provisions require that personal data is:

(d) accurate and where necessary, kept up to date, with every reasonable step taken to ensure that any inaccurate personal data is erased or rectified without delay;

(e) stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;

(g) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against any loss, destruction or damage, using appropriate technical or organisational measures.

Any processing of personal data in the interest of national security or investigation of crime must therefore be legitimate and proportionate to the interests sought to be protected and the aims to be achieved. A person who violates the provisions of section 12 is liable, on conviction, to imprisonment for a term not exceeding 5 years.

Additionally, section 40 of the Data Protection Act prohibits the retention of personal data which is processed for the purposes of prevention, investigation or prosecution of offences beyond its lawful purpose. Any retention of such personal data must be a proportionate measure to prevent, detect, investigate or prosecute future offences.

Further, section 53 of the Data Protection Act provides that personal data may only be disclosed without the consent of a data subject where its purpose is to prevent a threat to national security or public order, or in the investigation or prosecution of a cognisable offence. The offences set out in the Cyber Security Act are not cognisable offences (per Chapter 88 of Zambia’s Criminal Procedure Code) and therefore do not fall under this exception.

Censorship/Freedom of Expression

Constitution of Zambia

Article 20 of Zambia’s Constitution provides that no person shall be hindered in their freedom to hold opinions, receive ideas and information, or impart and communicate ideas and information, whether the communication be to the public generally or to any class of persons. Article 20(2) further provides that no laws shall be made which derogate from the freedom of the press.
Article 20(3) permits limitations to freedom of expression and freedom of the press that are legal and that are reasonably required in the interests of defence, public safety, public order, public morality, or public health, or are reasonably required for the purpose of protecting the reputations, rights and freedoms of other persons. Any such limitations must be reasonably justifiable in a democratic society.

Censorship-related Powers

The Cyber Crimes Act No. 4 of 2025

Section 21 of the Cyber Crimes Act prohibits a person who receives an order relating to a criminal investigation under the Act from disclosing that an order has been made, that anything has been done under such an order or any data collected or recorded under the order. A person who contravenes this provision is liable on conviction to a fine or imprisonment for up to 5 years. The provision is drafted in broad terms and can apply to any person who is affected by an order or whose communications are the subject of such an order.

Section 22 of the Act provides that a person shall not use a computer or computer system to publish or transmit electronic data that is obscene, vulgar, lewd, lascivious or indecent with intent to humiliate, harass or cause substantial emotional distress to another person. It further criminalizes the use of a computer or computer system to disseminate information which is known to be false and causes damage to the reputation of another person or subjects them to ridicule, contempt, hatred or embarrassment. These broad provisions are open to interpretation by law enforcement. A person who is found guilty of contravening the provisions of section 22 may be imprisoned for a term not exceeding 2 years.

Oversight of the Use of Powers (Censorship-related)

Constitution of Zambia

Zambia’s Constitution offers safeguards for the protection of the rights contained in Part III articles 11 to 26 which is referred to collectively as the Bill of Rights. A person charged under any statute may challenge the constitutionality of their charge pursuant to Article 28 (2) of the Constitution, which provides the High Court with exclusive jurisdiction in such instances, provides as follows:

(2) (a) If in any proceedings in any subordinate court any question arises as to the contravention of any of the provisions of Articles 11 to 26 inclusive, the person presiding in that court may, and shall if any party to the proceedings so requests, refer the question to the High Court unless, in his opinion the raising of the question is merely frivolous or vexatious.

As highlighted above, Zambia’s Bill of Rights expressly includes the right to privacy, freedom of expression, freedom of the press, and the right to information.

The Public Interest Disclosure (Protection of Whistleblowers) Act No. 4 of 2010

The Protection of Whistleblowers Act was enacted to protect private and public actors who make disclosures in the public interest. Disclosable conduct under the Act includes dishonesty, impartiality, misuse of information acquired in the course of public functions, breach of public trust and maladministration. According to Sections 11 and 12, in order to be protected under the Act, a whistleblower must make their disclosure to an “investigating authority” as defined under the Act, which includes the Anti-Corruption Commission, Drug Enforcement Commission and any other body so prescribed.