A New Degree of Data Privacy for Zambian Citizens

Zambia’s Data Protection Act No. 3 of 2021 or Data Protection Act for short is a data protection law that was recently passed in Zambia. In addition to the Electronic Communications and Transactions Act No. 4 of 2021 or ECT Act and the Cyber Security and Cyber Crimes Act No. 2 of 2021 (‘the CSCC Act’), the Data Protection Act for the purposes of creating a secure and effective environment for the use and protection of electronic data communications within Zambia. To this end, the Data Protection Act establishes the legal framework for which personal data may be collected, processed, and disseminated within Zambia, as well the punishments that can result from failing to comply with the law.

What is the scope and application of the Data Protection Act?

In terms of the scope and applicability of Zambia’s Data Protection Act No. 3 of 2021, the personal scope of the law applies to the collection and processing of personal data by natural persons. Under the law, personal data is defined as “Data which relates to an individual who can be directly or indirectly identified from that data which includes a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person”. Alternatively, the Data Protection Act does not provide any clarification as it relates to the territorial scope of the law, while the material scope of the law “applies to the processing of personal data performed wholly or partly by automated means and to any processing otherwise than by electronic means”.

What are the requirements of data controllers and processors under the law?

Under Zambia’s Data Protection Act No. 3 of 2021, data controllers and processors within the country are tasked with upholding the following principles when collecting, processing, and disseminating personal data:

• Personal data must be collected and processed in accordance with the principles of fairness, lawfulness, and transparency.
• Personal data may only be collected for legitimate, specific, and explicit purposes and personal data cannot be processed further for any reason that is not consistent with these purposes.
• Personal data that has been collected or processed must be relevant, adequate, and limited to what is necessary with regard to the purposes for which it was collected or processed, otherwise known as data minimization.
• Personal data that has been collected or processed must be kept accurate and up to date at all times, and data controllers and processors are responsible for ensuring that personal data in their possession that has been found to be inaccurate is rectified or erased, without delay.
• Personal data must be stored in a format that allows for the identification of applicable data subjects, for a period of time no longer than is necessary in relation to the purposes for which said personal data was collected or processed.
• Personal data must be collected and processed in a manner that ensures that said personal data is secure, including protecting personal data from damage, unauthorized access, loss, or destruction. Data controllers and processors are responsible for implementing organizational and technical measures to ensure the security of personal data in their possession.

What are the rights of data subjects under Data Protection Act No. 3 of 2021?

Under Data Protection Act No. 3 of 2021, Zambian citizens are entitled to the following rights in terms of the protection of their personal data:

• The right to be informed– Data subjects have the right to be informed of the collection and processing of their personal data, as well as any third parties who may also have access to, said personal data.
• The right to access– Data subjects have the right to request and obtain access to their personal data.
• The right to rectification– Data subjects have the right to have their personal data corrected or completed if it has been found to be inaccurate or incomplete.
• The right to erasure– Data subjects have the right to request that a data controller or processor erase their personal data, subject to certain conditions and exceptions.
• The right to object or opt-out– Data subjects have the right to object to or opt-out of the processing of their personal data.
• The right to data portability– Data subjects have the right to request a copy of their personal data in “a structured, commonly used, machine-readable, or otherwise legible format and may transmit that data to another data controller”.
• The right not to be subject to automated decision making– Data subjects have the right not to be “subjected to automated decision-making including profiling which produces legal effects concerning the data subject or similarly affects the data subject”.

What are the penalties for violating Data Protection Act No. 3 of 2021?

In addition to mandating that data controllers and processors within Zambia fulfill various obligations as it pertains to the data processing activities, Data Protection Act No. 3 of 2021 also establishes “the Office, which is responsible for the regulation of data protection and privacy in the Republic”. To this point, the Office has the authority to impose a variety of sanctions in relation to non-compliance with the law, including a monetary fine of up to MW 30,000 ($1,259), as well as a term of imprisonment of up to three years. Moreover, data controllers and processors who violate the law are also subject to “forfeiture where there has been a conviction for any of the offenses under the Data Protection Act, and the power is given to the court to pronounce the forfeiture of the medium containing the personal data to which the offense relates”.

2021 has very much been a bust year in Zambia as it relates to data protection and personal privacy, as the country has passed various laws and policies that govern the collection, processing, and dissemination of personal data, with the foremost being the Data Protection Act No. 3 of 2021. As such, Zambia has become the latest of a number of countries in Africa that have sought to guarantee the data privacy rights of their respective citizens through legislative means, such as Ghana’s Data Protection Act, 2012 and Kenya’s Data Protection Act 2019. As such, Zambian citizens can have peace of mind in knowing that their personal data is being protected at all times by the law.