Population: 18,383,956

Capital: Lusaka

President: Hakainde Hichilema

2021 Freedom House Score: 52/100

Data protection law? Yes, with data protection authority appointed

Privacy enshrined in Constitution: Yes, the right to privacy is protected in Article 17 of the Constitution.

DPA legislation: In 2021, Zambia passed the Data Protection Act No. 3 of 2021 (‘the Act’), which entered into effect on 1 April 2021 when the Commencement Orders were published in the Government Gazette.  The Act is now the primary legislation regulating data protection and privacy matters in Zambia, although a number of other pieces of legislation cover relevant topics, such as the Electronic Communications and Transactions Act No. 4 of 2021 (‘ECTA’), the Cyber Security and Cyber Crimes Act No. 2 of 2021 (‘the CSCC Act’), and the Information and Communications Technologies Act No. 15 of 2009 (‘the ICT Act’), which, together, provide a comprehensive regulatory environment in Zambia. The Act establishes the office of the Data Protection Commissioner within the Ministry of Communications, although the office has not been become operational.

The Act gives data subjects the right to confirm whether their data is being processed, to access information about the processing of their data, such as the purpose, the envisaged period, and the source of the data, to obtain a copy of the data, to receive information about the logic involved in any automatic processing of their data, and to be notified if their data is disclosed to third parties.  The data subject also has the right to rectification of inaccurate data, to complete data that is incomplete, and to the erasure of data where it is no longer necessary for the purpose for which it was collected, or the data subject withdraws consent or objects to the processing on legitimate grounds.

ICCPR: Acceded

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: Signed

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: Partial

Law enforcement exclusion: Partial

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: Partial

Journalistic, literary or artistic purposes exclusion: Partial

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: No

Excludes foreign entities that only transit personal data through the country: No

Under the Act, personal data is defined as information relating to an individual who can be directly linked or indirectly identified from that data:

• A name;
• An identification number;
• Location data;
• An online identifier; or
• One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The Act requires that all data controllers and processors register as such with the Data Protection Commissioner.

It also requires that when collecting and processing personal information, data controllers must:

• Process data lawfully, fairly, and transparently;
• Collect data only for specific purposes and ensure the data is relevant and limited to what is necessary for that purpose;
• Ensure the data is accurate and kept up to date;
• Keep personal information only as long as it is used for the specific purpose for which it was collected and is relevant for that purpose and for one year after that period;
• Ensure appropriate security of the personal data;
• Keep a record of the purpose and processing for which personal data was collected and any third parties to which it was disclosed; and
• Not disclose personal data they have collected without the consent and notification of the data subject, or in other narrow circumstances.

The Act places additional restrictions on the processing of sensitive personal data, defined as personal data which by its nature may be used to suppress the data subject’s fundamental rights and freedoms, including but not limited to:

• The race, marital status, ethnic origin or sex of a data subject;
• Genetic data and biometric data;
• Child abuse data;
• A data subject’s political opinions;
• A data subject’s religious beliefs or other beliefs of a similar nature;
• Whether a data subject is a member of a trade union; or
• A data subject’s physical or mental health, or physical or mental condition.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: Yes

Timeframe for notification is specified: Partial

Exceptions exist to breach notifications: No

Requires a data processing register: Yes

Register is publicly available: Yes

Provides for terms of service icons: No

DPA must submit at least annual report: No

DPA report is made public: NA

Explicit provision for civil liability: Yes

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: No

DPA is empowered to subpoena or request evidence: No

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): No

DPA receives funding directly from the state budget/legislative body: Unclear

DPA may receive some forms of external funding/own revenue: Unclear

Adequate protections against undue removal: Unclear

Number of members in DPA: Unclear

Maximum term length for members of the DPA (years): Unclear

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: Yes

Defines the requirements for consent: Yes

DPA is mandated to participate in policy formulation: Yes

Personal data may be transferred to another country if the data subject has consented and the transfer is made subject to standard contracts or intragroup schemes that have been approved by the Data Protection Commissioner, if the Minister has prescribed that transfer is permissible, or if the particular transfer has been authorised by the Data Protection Commissioner.  Where the Minister determines that the personal data is subject to an adequate and effective level of protection, criteria for transfers may be prescribed.  The Act provides other specific circumstances in which cross-border transfers may be allowed as well.  Sensitive personal data may not be transferred outside Zambia without the consent of the data subject.

Provides a right not to be subject to automated decision-making: Yes