Electronic Communications and Transactions Act, 2021
Act 4 of 2021
- Published in Government Gazette on 24 March 2021
- Commenced on 1 April 2021 by Electronic Communications and Transactions Act, 2009
- [This is the version of this document from 24 March 2021.]
Part I – Preliminary
1. Short title and commencement
This Act may be cited as the Electronic Communications and Transactions Act, 2021, and shall come into operation on the date appointed by the Minister by statutory instrument.
2. Interpretation
In this Act, unless the context otherwise requires—
"access" in relation to a computer system or electronic communication system, means the right to use or open the whole or any part of the computer system or electronic communication system, or to see, open, use, get or enter information in a computer system;
"advanced electronic signature" means a digital signature that is based on a certificate, that is unique to the user, capable of verification, under the sole control of the person using it and linked to the data in a manner that if the data is changed, the signature is invalidated;
"addressee" means a person who is intended by the originator to receive the electronic communication, but excludes a person acting as an intermediary in respect of that electronic communication;
"authenticity" means the assurance that a message, transaction or other exchange of information is from the author or service it purports to be from;
"Authority" has the meaning assigned to the word in the Information and Communications Technology Act, 2009; [Act No. 15 of 2009]
"automated transaction" means an electronic transaction conducted or performed, in whole or in part, by means of electronic communications in which the conduct or electronic communication of one or both parties are not reviewed by a natural person in the ordinary course of that natural person’s business or employment;
"automated message system" means a preprogrammed system, or other automated system, used to initiate an action, respond to electronic communications or generate other performances in whole or in part without review or intervention by a party each time an action is initiated or a response is generated by the system;
"asymmetric crypto system" means a system capable of generating a secure key pair, consisting of a private key for creating a digital signature, and a public key to verify the digital signature;
"caching" means the storage of data in an information system in order to speed up data transmission or processing;
"ccTLD" means a country code domain at the top level of the internet’s main system signed according to the two letter codes in the International Standard ISO 3166 or any other standards as may be prescribed by the Minister;
"certificate" means a digital record issued by a certification authority for the purpose of supporting digital signatures which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair;
"certificate holder" means a natural person in the case of a digital signature, and either a natural or a legal person in the case of a digital seal, to whose data the public key contained in the certificate is linked in the same certificate to whom a certificate is issued under this Act;
"certification authority" means an entity licensed under section 28 to manage and issue certificates and public keys;
"certification practice statement" means a statement issued by a certification authority specifying the practices that the certification authority employs in issuing a certificate;
"certificate revocation list" means a list of certificates that have been revoked by the issuing certification authority before their scheduled expiration date and are no longer trusted certificates;
"certification service" means a service of—
(a) issuing certificates necessary for giving digital signatures or digital seals to users;
(b) enabling the verification of digital signatures or digital seals given on the basis of certificates;
(c) implementing procedures for suspension, termination of suspension and revocation of certificates;
(d) checking the revocation status of the certificate and advising the relying party; or
(e) issuing cross-pair certificates;
"commerce business entity" means an entity that provides ecommerce services;
"communication" means oral, written, wire or electronic communication;
"Competition and Consumer Protection Commission" means the Competition and Consumer Protection Commission established by the Competition and Consumer Protection Act, 2010; [Act No. 24 of 2010]
"computer" means equipment or any part thereof, that perform predetermined arithmetic, logical, routing, processing or storage operations in accordance with set instructions and includes input devices, output devices, processing devices, computer data storage mediums and other equipment and devices related to, or connected with the computer system;
"computer network" means the interconnection of one or more computers or an information system through—
(a) the use of satellite, microwave, terrestrial line or other communication media; or
(b) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained;
"consumer" means a person who enters or intends to enter into an electronic transaction with a supplier as the end user of goods or services offered by the supplier;
"correspond" in relation to public key infrastructure or encryption keys, means to belong to the same key pair;
"cryptography" means the method of protecting information by transforming the information into unreadable format;
"cryptography product" means a product that makes use of cryptographic techniques in respect of data for the purpose of ensuring—
(a) that the data can be accessed only by a relevant person;
(b) the authenticity of the data;
(c) the integrity of the data; and
(d) that the source of the data can be correctly ascertained;
"cryptography provider" means any person who provides a cryptography service or product in the Republic;
"cryptography service" means a service which is provided to a seller or a recipient of a data message, or anyone storing a data message, and which is designed to facilitate the use of cryptographic techniques for the purpose of ensuring—
(a) that the data or data message can be accessed, or can be put into an intelligible form only by a certain person;
(b) that the authenticity and integrity of that data or data message is capable of being ascertained; and
(c) the integrity of the data or data message or that the source of the data or data message can be correctly ascertained.
"data" means an electronic representation of information in any form;
"data message" means data generated, sent, received or stored by electronic, optical or similar means and includes, but is not limited to electronic data interchange (EDI), voice, stored record, electronic mail, mobile communications audio and video recordings;
"digital seal" means a digital signature for use by a person authorised to use a seal under any law and may be used by more than one person or system under that person’s authorisation;
"digital signature" means an electronic signature consisting of a transformation of an electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer’s public key can accurately determine whether the—
(a) transformation was created using the private key that corresponds to the signer’s public key; and
(b) initial electronic record has been altered since the transformation was made;
"domain name" means the alphanumeric designation that is registered or assigned in respect of an electronic address or other resource on the internet;
"domain name system" means a system to translate domain names into IP addresses or other resources;
"ecommerce" means a system which allows a commercial transaction to be conducted electronically on the internet or any other network using electronic, optical or similar media for information exchange;
"electronic" in relation to technology, means having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities;
"electronic agent" means a computer program or an electronic or other automated means used independently to initiate an action or respond to electronic records or performances in whole or in part without review or action by an individual at the time of the action or response;
"electronic communication" means a transfer of signs, signals, writings, images, sounds, data or intelligence of any nature transmitted in whole or in part by radio, electromagnetic, photo-electronic or photo-optic system, but does not include—
(a) direct oral communication; or
(b) any communication made through a tone only paging device;
"electronic communications system" means a radio, electromagnetic, photooptical or photoelectronic facility for the transmission of electronic communications, and any computer facility or related electronic equipment, for electronic storage of those communications;
"electronic signature" means—
(a) sound;
(b) symbol;
(c) process; or
(d) other data created or adopted by a person with the intent to sign a data message;
"electronic transaction" means a transaction, action or set of transactions of a commercial or non-commercial nature, that takes place electronically;
"hash function" means an algorithm mapping data of arbitrary size to fixed size values such that—
(a) a record yields the same hash result every time the algorithm is executed using the same record as input;
(b) it is computationally infeasible that a record can be derived or reconstituted from the hash result produced by the algorithm; and
(c) it is computationally infeasible that two or more records can be found that produce the same hash result using the algorithm;
"hosting" means the service of storage of data or providing storage of computing resources for one self or others;
"information system" means a system for generating, sending, receiving, storing, displaying or otherwise processing a data message;
"information system service" includes providing a connection, operating facilities for information systems, providing access to information systems, transmitting or routing of data messages between or among points specified by a user and the processing and storage of data, at the request of the recipient of the service;
"key pair" in an asymmetric cryptosystem, means a private key and its mathematically related public key, having a property that allows the public key to verify a digital signature that the private key creates;
"National Public Key Infrastructure" means a Government deployed public key infrastructure whose root certification authority is established as the highest level certification authority of Zambia and is managed by the National Root Certification Authority as a regulatory function;
"National Root Certification Authority" means the National Root Certification Authority referred to under section 25;
"operational period" in relation to a certificate, means a period beginning on the date and time the certificate is issued by a certification authority, or a later date and time specified in the certificate and ending on the date and time the certificate expires or as stated in the certificate, unless earlier revoked or suspended;
"private certification authority" means a certification authority registered by the National Root Certification Authority to provide certification services to institutions whose information infrastructure is not critical;
"private key" means the key of a key pair used to create a digital signature;
"public key" means the key of a key pair used to verify a digital signature;
"public key infrastructure" means a system comprising hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and public keys;
"recovery agent" means a person or entity who provides recovery information for storage services;
"recovery information" means a parameter that may be used with an algorithm, other data or hardware, to decrypt data or communications;
"registrar" means a person who is given authority to populate a .zm domain registry;
"Registry" means a database of domain names registered under .zm;
"registrant" means the person or organisation whose application of a domain name is successful;
"registration authority" means a person or entity that is entrusted by the certification authority to register or vouch for the identity of users of a certification authority, but does not sign certificates;
"repository" means a system for storing and retrieving certificates or other information relevant to a certificate;
"secure signature creation device" means an adapted piece of software or hardware, and includes a microchip card equipped with a security chip, which is used for the storage and application of a private key;
"subscriber" means a person who is the subject named or identified in a certificate issued to that person and who holds a private key that corresponds to a public key listed in that certificate;
"timestamp" means a data unit created using a system of technical and organisational means which certifies the existence of electronic data at a given time;
"time stamping service" is the issue of a time stamp necessary to prove the official time and temporary order of a digital signature and digital seal and the creation of conditions for verification of the issued time stamp; and
"trustworthy system" means computer hardware, software and procedures that—
(a) are reasonably secure from intrusion and misuse;
(b) provide a reasonable level of availability, reliability and correct operation;
(c) are reasonably suited to perform their intended function; and
(d) adhere to generally accepted security procedures.
Part II – Legal requirements for data messages
4. Legal requirements for data message
5. Writing
A requirement in law that a document or information shall be in writing is met if the document or information is—
6. Use of advanced electronic signature
7. Use of electronic signature
8. Determination of originality of data message
9. Admissibility and evidential weight of data message
10. Retention of information in data message
11. Production of document or information
12. Notarisation, acknowledgment and certification
13. Other legal requirement
14. Automated transaction
In an automated transaction—
15. Dispatch of electronic record
Unless otherwise agreed between the originator and the addressee, the dispatch of an electronic record occurs when it enters an information system outside the control of the originator or the agent of the originator.
16. Receipt of electronic record
The time of receipt of an electronic record shall be determined as follows:
17. Expression of intent or other statement
An expression of intent or other electronic representation of an electronic record between the originator and the addressee of an electronic record is admissible in circumstances where the intent or other electronic representation is relevant at law.
18. Attribution of electronic records to originator
19. Acknowledgment of receipt of electronic record
Part III – Communication of data messages
20. Application of Part
This Part applies if the parties involved in the generation, sending, receipt, storage or other processing of data message have not reached an agreement on the issues provided for in the data message.
21. Formation and validity of agreement
22. Expression of intent or other statement
An expression of intent or other statement as between the originator and the addressee of a data message shall not be without legal effect merely on the grounds that it is—
23. Acceptance of electronic filing and issuing of document
A public body that, subject to any written law, accepts the filing of documents, or requires that a document be created or retained, issues any permit, licence or approval or provides for a manner of payment, may, despite anything to the contrary in that law—
24. Requirements for electronic filing and issuing of document
A public body may, where that public body performs any of the functions under section 23, specify, in the Gazette, a daily newspaper of general circulation in the Republic or any other form of the public body’s electronic platform—
Part IV – National public key infrastructure
25. National Root Certification Authority
For the purposes of this Part, the Authority shall perform the functions of the National Root Certification Authority.
26. Functions of National Root Certification Authority
27. Prohibition of providing certification service or time-stamping service without licence
29. Certification authority
30. Variation of licence
31. Surrender of licence
32. Transfer, cede or assignment of licence
33. Suspension or cancellation of licence
34. Registration of cryptography service provider
35. Recognition of foreign certification authority
36. Issue of certificate to subscriber
A certification authority may issue a certificate to a subscriber where—
37. Details of certificate
A certificate shall set out—
Part V – Certification authority
38. Trustworthy system
A certification authority shall utilise a trustworthy system in performing its services.
39. Disclosure and compliance with certification practice statement
40. Audit services
41. Publication of certificate revocation list
42. Prohibition of publication of certificate
A person shall not publish a certificate or otherwise make it available to another person if—
43. Representations on issuance of certificate
A certification authority by issuing a certificate, represents to any person who reasonably relies on the certificate, that—
44. Recommended reliance limits
45. Liability limits for certification authority
Subject to an agreement between a certification authority and a subscriber, a certification authority is not liable—
46. Suspension of certification authority certificate
A certification authority may suspend a certificate—
47. Notice of suspension
A certification authority shall, after the suspension of a certificate under section 46 publish a signed notice of the suspension in the repository.
48. Revocation of certificate
A certification authority shall revoke a certificate—
49. Revocation without subscriber's consent
50. Notice of revocation
51. Appointment of registration authority
The certification authority may appoint any person as a registration authority as prescribed.
52. Appeals under this Part
A person aggrieved with the decision of a certification authority may appeal to the Authority within fourteen days of receiving the move of suspension or revocation.
Part VI – Duties of subscribers
53. Generating key pair
54. Obtaining certificate
A subscriber shall ensure that all material representation to a certification authority for purposes of obtaining a certificate, including all information known to the subscriber and represented in the certificate, shall be accurate and complete to the best of the subscriber’s knowledge and belief, regardless of whether such representations are confirmed by the certification authority.
55. Acceptance of certificate
56. Control of private key
57. Suspension or revocation of compromised certificate
A subscriber who has accepted a certificate from a certification authority shall, where the private key corresponding to the public key listed in the certificate has been compromised, request the issuing certification authority as soon as possible to suspend or revoke the certificate.
Part VII – Time-stamping service providers
58. Time-stamping service
59. Time-stamping service provider
The following entities may provide a time stamping service:
60. Requirements for time-stamping service provider
61. Duties of time stamping service provider
A timestamping service provider shall—
Part VIII – Consumer protection
62. Scope of application
This Part is without prejudice to any other written law in force on consumer protection in relation to electronic transactions.
63. Information to be provided by supplier
64. Online market
65. Unsolicited goods, services or communications
66. Cooling-off period
68. Application of foreign law
The protection provided to consumers in this Part applies irrespective of the legal system applicable to the agreement in question.
69. Non-exclusion
A provision in an agreement which excludes a right provided for in this Part is void to the extent of the exclusion.
70. Complaints to Authority
71. Directives, code of conduct and guidelines
Part IX – Domain name regulation
72. Regulation of domain name
73. Licensing of registers and registries
74. Regulations regarding registrars, etc.
The Minister may, in consultation with the Authority, by statutory instrument, make regulations to provide for—
Part X – Limitation of liability of service provider
75. Definition
In this Part, "service provider" means a person providing an information system service.
76. No liability for mere conduit
78. Hyperlink provider
An internet service provider who enables the access to information provided by a third person by providing an electronic hyperlink shall not be liable for the information where—
80. Order by court to terminate illegal activity
Despite other provisions of this Act, a court may order a service provider to terminate or prevent any unlawful activities under this Act or any other written law.
81. Use of information location tools by service provider
82. Take-down notification
83. No general obligation on service provider to monitor unlawful activities
84. Savings
This Part does not affect—
Part XI – Encrypting communication
85. Use of encrypted communication
A person providing an encryption service shall use an encryption, regardless of encryption algorithm selected, encryption key length chosen, or implementation technique or medium used, in the manner provided for under this Act.
86. No limitation on encryption function
Nothing in this Act shall be construed as requiring the use by a person of any form of encryption that—
87. Prohibition of unauthorised decryption or release of decryption key
88. Prohibition of disclosure of record or other information by key holder
89. Obstruction of law enforcement officer
A person who uses an encryption to obstruct or impede a law enforcement officer or in any manner interferes with the performance by the law enforcement officer of any functions under this Act commits an offence and is liable, on conviction, to a fine not exceeding two hundred thousand penalty units or to imprisonment for a term not exceeding two years, or to both.
90. Prohibition of disclosure or use of stored recovery information
91. Immunity of recovery agents
A cause of action shall not lie in any court against a recovery agent for providing information, facilities or assistance to a law enforcement officer in accordance with the terms of a court order.
Part XII – General provisions
94. Offence by body corporate or unincorporate body
Where an offence under this Act is committed by a body corporate or unincorporated body, with the knowledge, consent or connivance of the director, manager, shareholder or partner, that director, manager, shareholder or partner of the body corporate or unincorporated body commits an offence and is liable, on conviction, to the penalty specified for that offence.
95. General penalty
A person who commits an offence under this Act for which no penalty is provided is liable, on conviction—
96. Evidence obtained by unlawful interception not admissible in criminal proceedings
Despite any other written law, evidence which is obtained by means of an interception effected in contravention of this Act, is not admissible in any criminal proceedings except with the leave of the court, and in granting or refusing such leave, the court shall have regard, among other things, to the circumstances in which it was obtained, the potential effect of its admission or exclusion on issues of national security and the unfairness to the accused person that may be occasioned by its admission or exclusion.
98. Supervision of compliance with Act
The Authority shall supervise the compliance with the provisions of this Act.
99. Regulations
The Minister may, on the recommendation of the Authority, by statutory instrument, make regulations prescribing matters which by this Act are required or permitted to be prescribed.
100. Extraterritorial application of offences
101. Act to bind Republic
This Act binds the Republic.
102. Repeal of Act No. 21 of 2009
History of this document
01 April 2021
Commenced by Electronic Communications and Transactions Act, 2009