Our Ref:
Your ref: MOTS/101/19/1
September 28, 2022
The Ministry of Technology and Science
Maxwell House
Los Angeles Boulevard
PO Box 50464
Lusaka
Attn: The Permanent Secretary – Dr. Brilliant Habeenzu
Dear Sir,
Comments on the Cyber Security and Cyber Crimes Act No. 2 of 2022
Your letter on the captioned subject matter refers.
Thank you sincerely for consulting us on this important Act and for granting us some time to consult our members. Please find enclosed herewith our comments on the Act. Our comments are principally on checks and balances within the Act on the extensive powers provided. Cyber security is important in this digital age. However, the power to regulate security in the digital space must be as controlled as it is in the physical space. This Act must be reviewed in the same way as other laws that affect Constitutional rights and freedoms.
In formulating our comments, we researched the various other critiques of the Act available online. We found particularly useful the analysis by the Collaboration on International ICT Policy for East and Southern Africa, in relation to the protection of fundamental rights of citizens and avenues of political abuse under the Act. The analysis is available here: https://cipesa.org/?wpfb_dl=447
We trust our comments will be of some use in the Ministry’s review of the Act. Please let us know if any clarification is required.
Kindly acknowledge safe receipt of this letter and its enclosure.
Yours faithfully,
ZAMBIA FEDERATION OF EMPLOYERS
Harrington Chibanda
EXECUTIVE DIRECTOR
Encl.
REVIEW OF THE CYBER SECURITY AND CYBER CRIMES ACT No. 2 OF 2021:
STAKEHOLDER CONSULTATIONS DATA CAPTURE TOOL

Columns of the data capture tool: S/N; Arrangement of Sections / Institution Commenting; Specific Comments on the Provisions in the Act; General Comments.

1. INSTITUTION: THE ZAMBIA FEDERATION OF EMPLOYERS (ZFE)
2. PART I

SECTION 2: Interpretation
· Kindly note the definition of “harassment” under the AGBV Act No. 1 of 2011 and its potential connection with “hate speech or conduct”, and section 69 on “harassment” (which is actually not defined under this Act). The AGBV Act definition feeds into the Employment Code Act No. 3 of 2019 requirement for an anti-harassment policy in workplaces (section 95). It can be improved using the definition under ILO Convention 190 of 2019. Cyber harassment can equally happen in workplaces, and closer connection among relevant statutory provisions might increase compliance through greater visibility.
· The definition of “critical information” must be expressly cross-referenced with section 17. As it now reads, it does not give sufficient information on precisely what criteria make information “critical”.
· The definition of “critical information infrastructure” adds to the inconsistency on “critical information” by having its own criteria and also not cross-referencing section 17.
· We recommend that the definitions of “explicit sexual conduct” and “pornography” be merged.
· The definition of “racist and xenophobic material” appears to be a subset of “hate speech and conduct”. This is in fact the only place in the Act where xenophobia is mentioned, raising a question about the purpose of the definition.
· The term “data” is used in the Act (e.g. under section 10(2)), and yet is only defined in the context of “computer data” under this section. Consider cross-referencing the definition of “data” under the Electronic Communications and Transactions Act No. 4 of 2021.
· There is no definition of “wire communication”, despite its use in, e.g., section 35.
General comment:
· On the general subject of harmonization of laws, this Act directly and indirectly refers to access to information that may be protected by the Data Protection Act No. 3 of 2021. Yet there is no apparent cross-referencing with that Act. Consider a closer examination of whether that Act has an impact on the enforcement of this one.

SECTION 3: Supremacy of Act
· Reconsider the supremacy provision in section 3, and the Act as a whole, in the context of the soon-to-be-published Penal Code Bill. The Penal Code is meant to harmonize the currently fragmented criminal laws.
3. PART II

SECTION 6: Zambia Computer Incidence Response Team
· The significant functions of the Zambia-CIRT mandate that its composition and tenure should not be solely determined by ZICTA. That is a potential window for patronage and personalization.
· There should be some basic guidelines in the Act, with details in a statutory order from the Minister. The Order should be promulgated after consultation with principal stakeholders in electronic communications and cyber security.

SECTION 7: National Cyber Security Advisory and Coordinating Council
· This provision is also too open and must have some basic guidelines on the composition and tenure of the Council. These fundamental issues should not be left to the Minister in an SI. They must be in the Act. Ideally, the experts in cyber security and cyber crime should be appropriately skilled senior officers of the relevant security wings.
4. PART III

SECTION 8: Cyber Inspector
· The production of the certificate of appointment under paragraph (b) of subsection (4) should be automatic whenever acting in official capacity. The Inspector should not wait to be asked. This should be phrased in similar terms to section 13(2).

SECTION 10: Data retention notice
· Some punctuation is necessary to break up the run-on sentence under subsection (1) and make the meaning clearer.

SECTION 11: Power to access, search and seize
· Section 8(1) expressly provides that a cyber inspector’s role is solely to ensure compliance with the Act. However, paragraph (f) of subsection (1) of section 11 contains a very open-ended provision by allowing the inspector to access and inspect any computer, equipment or associated apparatus the inspector has “reasonable cause to believe is, or has been used in, connection with any offense”. For the avoidance of doubt, this should be clarified to “any offense under this Act”.
· This restriction should also be considered for paragraph (i), in relation to inquiries “on any other law on which an investigation is based”. Cyber inspectors do not have the general powers of Police Officers.

SECTION 13: Cyber security technical expert
· The punctuation in subsection (1) needs to be corrected. The comma between “may” and “appoint” in the first line should be moved to after “appoint”.

SECTION 14: Emergency cyber security measures and requirements
· This provision can easily be abused. Its intent must be better reflected as justifiable in a democratic society, in order to support the offense created under subsection (2).
5. PART IV

SECTION 15: Power to investigate
· The protection of all good faith disclosures under subsection (3) is dangerous. It undermines legal professional privilege and other forms of privileged information, and does not have sufficient protection for the discloser. Individual statutes should not create sector exceptions to what is principally a rule of evidence better understood by the Ministry of Justice and Attorney General’s Chambers. We strongly recommend that the subject of disclosure is left to the Public Interest Disclosure (Protection of Whistleblowers) Act No. 4 of 2010 through cross-referencing.
General comment:
· This provision may need to be reexamined when read with section 33.
6. PART V

SECTION 17: Declaration of critical information
· Please see our comments above on the respective definitions of “critical information” and “critical information infrastructure”. There are some inconsistencies between those and the provisions of this section.
· “Critical information” and “critical information infrastructure” are such significant parts of the Act and the wide-ranging powers and obligations thereunder, that they should not be determined by the Minister alone.
· Some information, such as that covered by the State Security Act, Cap 111, should be automatically (and expressly) included. Other types of information to be declared by the Minister must only be so declared after consultations. For instance, the “social wellbeing of the Republic” is extremely subjective and open to political manipulation.
· The ultimate definition of “critical information” must necessarily lead to consideration of whether ZICTA is the most appropriate repository of all the various types under section 18(3).

SECTION 20: Change in ownership of critical information infrastructure
· A “change in ownership” under the law is a very nuanced concept, especially under the Companies Act No. 10 of 2017. We recommend that this section is examined carefully in that context, especially since it is coupled with penal sanctions under subsection (2).

7. SECTION 24: National cyber security exercises
· The “further fine” under paragraph (b) of subsection (3) of one hundred thousand penalty units “for every day and part thereof during which the offense continues” is excessive. Daily penalties:
  o are generally smaller because they accumulate. It is peculiar to have the same daily penalty as the total fine for the offense under paragraph (a);
  o are generally definitive. The fact that the 100,000 penalty units is a ceiling means a Judge is at liberty to set any penalty up to and including that. Daily penalties are known in advance; and
  o must be realistic. They continue to accrue during weekends and public holidays. The defaulter may pay by, e.g., bank transfer during such days, but would only be receipted on a working day, or may face other challenges that can only be resolved on a working day.
8. PART VI

SECTION 27: Central Monitoring and Coordination Center
SECTION 28: Lawful interception
· The CMMC is the “sole facility through which authorized interceptions in terms of this Act” shall be effected and forwarded. The CMMC is under the “department for Government communications” and is not under ZICTA. It works only in liaison with it. Its exact composition is not defined, creating some opacity for such a significant entity in cyber security. We recommend more details on its composition.
· Lawful interception under the Act is only done by Court warrant, the application for which must be approved by the Attorney General. However, there is no further role for the Attorney General between approving the ex parte application for the warrant and the collection of information through the interception. In other words, there appears to be no involvement of the Government’s legal advisor in the way the warrant is effected.
· While we acknowledge that investigation is the mandate of the law enforcement agencies and the interception order is supposed to “specify” its parameters, we are of the view that it is important for there to be continuous legal advice on a warrant issued by a Court as it is being effected. That is to ensure that the investigators do not exceed what was authorized by the warrant, leading to information being inappropriately stored by the CMMC. For instance, the interception order may relate to Mr. X and his involvement in Y. Intercepted communications however contain information on Z. Government officials with access to the CMMC may find information on Z to be useful for their own purposes, and yet it was effectively illegally intercepted in terms of sections 26 and 28.
· Subsection (3) of section 27 should therefore also provide for “liaison” with the Attorney General.
General comment:
· There should be no “shadow” institutions in modern-day Government, or other ways in which transparency and the rule of law are deliberately diminished.

SECTION 28: Lawful interception
· It appears that subsection (5) may not have been properly formatted to reflect the intention that all lawfully intercepted communications are considered an exception to the evidentiary rules against hearsay, not only those intercepted by a foreign state.
· The validity periods under subsection (6) are insufficient. The three months of initial validity is clear and accepted. The open-ended validity for renewal is not. There must be an express limitation on how long each renewal can last before a new one should be sought on justifiable reasons. People should not be permanently under surveillance.

SECTION 29: Interception of communication to prevent bodily harm, loss of life or damage to property
· The inclusion of “damage to property” in a provision conferring such a potentially dangerous power is itself dangerous. “Damage to property” could be small and insignificant, or effectively sabotage of vital infrastructure. Equally, “bodily harm” has degrees. This is recognized by both civil law and criminal law. It can range from a slap that causes minor and brief discomfort, to life-threatening injuries.
· Realistically speaking, if a law enforcement officer could intercept communications without warrant every time they heard a threat to damage property or cause “bodily injury”, communications would be perpetually intercepted. The extreme risk of abuse created by this section needs to be better controlled by setting parameters for how significant the property damage or bodily injury should be before interception without warrant can be permitted. It should not be left to the Judge after the communication has been intercepted to take action under subsection (7), or to criminal proceedings under section 49.
· Additionally, the action a Judge can order under subsection (7) must expressly include the complete destruction of improperly intercepted communications. Otherwise, there is a risk that information would continue to be stored by the CMMC and eventually used improperly. Non-disclosure / prohibition of improper use under section 31 is insufficient because the information will still be in existence.
General comment:
· It is peculiar that section 29 does not appear to contain provisions on legitimating the interception of the necessary information. It only provides for a Judge keeping a record (subsection (6)). There does not appear to be any clarification on whether such information can be used as evidence in prosecution, and what weight it would have if considered hearsay. Section 85 refers to information obtained through unlawful interception.

SECTION 30: Interception of communication for the purposes of determining location
· We reiterate our concerns about permitting interceptions in relation to “injury” or “property damage” without better parameters.
· We also reiterate our submission on the action a Judge can order in relation to an improper interception under subsection (9).

SECTION 35: Protection of user from fraudulent or other unlawful use of service
· It may be more appropriate for service providers to report potential fraud, unlawful use or abuse of their services directly to ZICTA, rather than to “any” law enforcement officer. ZICTA can then coordinate with the relevant agencies.

SECTIONS 38 and 40: Assistance by service provider
· These provisions effectively place the cost of cyber security on the electronic communication service providers for the “convenience” of the Government.
· They are very onerous obligations for service providers that should be made gradually implementable for existing licensed service providers, and included as part of the technological specifications for service licenses for prospective new service providers. Even in so doing, there must be consideration of whether such specifications act as barriers to the provision of electronic communication services in the country. Prospective new entrants to the market may be discouraged, and current service providers may see these as unsustainable costs.
General comment:
· Section 89 should be reconsidered in this context.
9. PART VII

SECTION 42: Application for license
· The timelines under this section need to be revised. It is good that ZICTA must make a decision either way within a specified timeframe (subsection (3)), but ZICTA should not be allowed to indefinitely delay the process by asking for “further particulars” (subsection (6)).
· If the thirty days under subsection (2) have proved to be too short, increase them to, e.g., sixty days. Otherwise, ZICTA will deliberately ask for additional information to take advantage of the indefinite extension under subsection (6).
· Subsection (6) must have parameters, rather than simply stopping the clock. E.g., the applicant should have up to fourteen days to provide the requested information, failing which the application will be rejected. ZICTA should have thirty days to decide on the application once the additional information has been given, failing which subsection (3) will apply and it will be deemed granted.
General comment:
· Application timeframes in statutes should never be open-ended. That encourages bureaucratic inertia, has a negative impact on the ease and cost of doing business, and facilitates corruption.

SECTION 44: Refusal to grant or renew license
· The penalty ceilings of 100,000 penalty units and/or one year imprisonment for knowingly providing incorrect information in an application to be licensed as a cyber security provider are too low (subsection (3)). The person may have thereby fraudulently obtained a license, and put their clients to considerable risk before the fraud was discovered for purposes of revoking the license under section 46. We recommend the doubling of the penalty ceilings.

SECTION 46: Revocation or suspension of license
· It is not enough for ZICTA to serve the licensee alone a copy of the suspension or revocation order under subsection (8). It must be published in a newspaper of general circulation once it takes effect in accordance with subsection (9).
10. PART VIII

SECTION 47: Identifying areas of cooperation
· We recommend that ZICTA does not engage with “private, international organizations and other government entities” without the approval of the Minister granted in consultation with the Attorney General. That will create a vetting process to ensure that those third parties are reputable and aligned with Government policy.
11. PART IX

SECTION 50: Illegal devices and software
· There appears to be need for grammatical correction of paragraph (a) of subsection (1) when read with items (iii) and (iv).

SECTION 53: Identity-related crimes
· “A means of identification” needs to be expressly connected to official identity documentation and the use of such for criminal purposes, especially with such a steep penalty attached. Otherwise, it can be used for something as simple as using “John” or “Jane” on an innocuous online forum to maintain anonymity. The openness of this section is alarming when compared to section 54, which has expressly incorporated criminal intent and yet has a lower penalty ceiling.
General comment:
· There is nothing overtly criminal about anonymity; and it is possible to find someone, somewhere, with the official name a person unwittingly uses to maintain their anonymity. Sometimes anonymity is the only way people can seek help.

SECTION 56: Prohibition of pornography
· We submit that there must be a higher penalty for “revenge porn” than the five years and/or the fine. Imprisonment should be mandatory for a minimum of five years, without the option of a fine. It is a growing problem globally and is an example of GBV.

SECTION 58: Child solicitation
· There should be a minimum period of imprisonment. Merely setting the ceiling at 15 years is not enough.

SECTION 59: Obscene matters or things
· Subsection (1) cannot refer to subsection (1) of the very same section.

SECTION 67: Unlawful disclosure of details of investigation
· We believe that seeking professional legal advice is an implied “lawful excuse” for disclosure of an order related to a criminal investigation. We nonetheless recommend that it is expressly included, for the avoidance of doubt and as part of incorporating fundamental rights into the Act.

SECTION 69: Harassment utilizing means of electronic communication
· We reiterate our comment in relation to the definition of “harassment” under section 2 and the apparent fragmentation of the laws on this subject.

SECTION 71: Cyber attack
· It is advisable to have a clear definition of “cyber attack”.
General comment:
· Criminal offenses must always have clear criteria in order for prosecution to be valid under Article 18 of the Republican Constitution.
12. PART X

SECTION 73: Admissibility of electronic evidence
· This provision seems to be out of place. The Electronic Communications and Transactions Act No. 4 of 2021 provides for the “legal requirements for data messages”. It seems logical that this provision should be there, because that Act is of more general application than this one. The use of electronic evidence is not limited to cyber crimes. It is a regular occurrence in regular civil suits as well, in all Courts.
13. PART XI

SECTION 74: Appeals
· There should always be timeframes for appeals procedures. There should be limitation periods for when appeals can be made. There should also be timeframes for how long administrative decisions should take.

SECTION 75: Search and seizure
· The reference to “its territory” under subsection (3) is unclear.

SECTION 78: Production Order
· We are concerned that this section does not make allowance for privileged information. The fact that an application can be made ex parte adds to the danger that the Judge may not be made aware that the information is protected by legal professional privilege or other forms of privilege recognized by law.

SECTION 79: Expedited preservation
· It does not appear clear what purpose the preservation order would serve in the absence of a production order under section 78.

SECTIONS 80 and 81: Traffic data
· We recommend a clearer connection between these two sections.

SECTION 82: No monitoring obligation
· We are concerned about paragraph (b) of subsection (2). There should be grounds under the Act itself regarding the circumstances under which the “competent authorities” can request “information enabling the identification of recipients of their service.” This should not be left to an SI.

SECTION 85: Evidence obtained by unlawful interception
· Further to our comments on sections 29 and 30, improperly intercepted information should be destroyed immediately and not kept until it can be used through section 85.

General comment:
· The Act does not contain the usual provision on circumstances under which the corporate veil can be lifted and senior personnel held liable for offenses.