A New Degree of Data Privacy for Zambian Citizens

Zambia’s Data Protection Act No. 3 of 2021, or the Data Protection Act for short, is a data protection law that was recently passed in Zambia. Together with the Electronic Communications and Transactions Act No. 4 of 2021 (‘the ECT Act’) and the Cyber Security and Cyber Crimes Act No. 2 of 2021 (‘the CSCC Act’), the Data Protection Act was passed for the purposes of creating a secure and effective environment for the use and protection of electronic data communications within Zambia. To this end, the Data Protection Act establishes the legal framework under which personal data may be collected, processed, and disseminated within Zambia, as well as the punishments that can result from failing to comply with the law.

What is the scope and application of the Data Protection Act?

The personal scope of Zambia’s Data Protection Act No. 3 of 2021 applies to the collection and processing of personal data by natural persons. Under the law, personal data is defined as “Data which relates to an individual who can be directly or indirectly identified from that data which includes a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person”. The Data Protection Act does not provide any clarification as to the territorial scope of the law, while the material scope of the law “applies to the processing of personal data performed wholly or partly by automated means and to any processing otherwise than by electronic means”.

What are the requirements of data controllers and processors under the law?

Under Zambia’s Data Protection Act No. 3 of 2021, data controllers and processors within the country are tasked with upholding the following principles when collecting, processing, and disseminating personal data:

What are the rights of data subjects under Data Protection Act No. 3 of 2021?

Under Data Protection Act No. 3 of 2021, Zambian citizens are entitled to the following rights in terms of the protection of their personal data:

What are the penalties for violating Data Protection Act No. 3 of 2021?

In addition to mandating that data controllers and processors within Zambia fulfill various obligations pertaining to their data processing activities, Data Protection Act No. 3 of 2021 also establishes “the Office, which is responsible for the regulation of data protection and privacy in the Republic”. The Office has the authority to impose a variety of sanctions for non-compliance with the law, including a monetary fine of up to MW 30,000 ($1,259), as well as a term of imprisonment of up to three years. Moreover, data controllers and processors who violate the law are also subject to “forfeiture where there has been a conviction for any of the offenses under the Data Protection Act, and the power is given to the court to pronounce the forfeiture of the medium containing the personal data to which the offense relates”.

2021 has very much been a busy year in Zambia as it relates to data protection and personal privacy, as the country has passed various laws and policies that govern the collection, processing, and dissemination of personal data, with the foremost being the Data Protection Act No. 3 of 2021. Zambia has thereby become the latest of a number of countries in Africa that have sought to guarantee the data privacy rights of their respective citizens through legislative means, such as Ghana’s Data Protection Act, 2012 and Kenya’s Data Protection Act 2019. As such, Zambian citizens can have peace of mind in knowing that their personal data is being protected at all times by the law.
