ELECTRONIC COMMUNICATIONS AND TRANSACTIONS ACT
Arrangement of Sections
PART I
PRELIMINARY
PART II
LEGAL REQUIREMENTS FOR DATA MESSAGES
4. Legal requirements for data message
6. Use of advanced electronic signature
7. Use of electronic signature
8. Determination of originality of data message
9. Admissibility and evidential weight of data message
10. Retention of information in data message
11. Production of document or information
12. Notarisation, acknowledgment and certification
15. Dispatch of electronic record
16. Receipt of electronic record
17. Expression of intent or other statement
18. Attribution of electronic records to originator
19. Acknowledgment of receipt of electronic record
PART III
COMMUNICATION OF DATA MESSAGES
21. Formation and validity of agreement
22. Expression of intent or other statement
23. Acceptance of electronic filing and issuing of document
24. Requirements for electronic filing and issuing of document
PART IV
NATIONAL PUBLIC KEY INFRASTRUCTURE
25. National Root Certification Authority
26. Functions of National Root Certification Authority
27. Prohibition of providing certification service or time stamping service without licence
32. Transfer, cession or assignment of licence
33. Suspension or cancellation of licence
34. Registration of cryptography service provider
35. Recognition of foreign certification authority
36. Issue of certificate to subscriber
PART V
CERTIFICATION AUTHORITY
39. Disclosure and compliance with certification practice statement
41. Publication of certificate revocation list
42. Prohibition of publication of certificate
43. Representations on issuance of certificate
44. Recommended reliance limits
45. Liability limits for certification authority
46. Suspension of certification authority certificate
49. Revocation without subscriber's consent
51. Appointment of registration authority
PART VI
DUTIES OF SUBSCRIBERS
57. Suspension or revocation of compromised certificate
PART VII
TIME STAMPING SERVICE PROVIDERS
59. Time stamping service provider
60. Requirements for time stamping service provider
61. Duties of time stamping service provider
PART VIII
CONSUMER PROTECTION
63. Information to be provided by supplier
65. Unsolicited goods, services or communications
68. Application of foreign law
71. Directives, code of conduct and guidelines
PART IX
DOMAIN NAME REGULATION
73. Licensing of registers and registries
74. Regulations regarding registrars, etc.
PART X
LIMITATION OF LIABILITY OF SERVICE PROVIDER
76. No liability for mere conduit
80. Order by court to terminate illegal activity
81. Use of information location tools by service provider
83. No general obligation on service provider to monitor unlawful activities
PART XI
ENCRYPTING COMMUNICATION
85. Use of encrypted communication
86. No limitation on encryption function
87. Prohibition of unauthorised decryption or release of decryption key
88. Prohibition of disclosure of record or other information by key holder
89. Obstruction of law enforcement officer
90. Prohibition of disclosure or use of stored recovery information
91. Immunity of recovery agents
PART XII
GENERAL PROVISIONS
94. Offence by body corporate or unincorporated body
96. Evidence obtained by unlawful interception not admissible in criminal proceedings
98. Supervision of compliance with Act
100. Extra-territorial application of offences
102. Repeal of Act No. 21 of 2009
AN ACT
to provide a safe and effective environment for electronic transactions; promote secure electronic signatures; facilitate electronic filing of documents by public authorities; provide for the use, security, facilitation and regulation of electronic communications and transactions; promote legal certainty and confidence, and encourage investment and innovation in relation to electronic transactions; regulate the National Public Key Infrastructure; repeal and replace the Electronic Communications and Transactions Act, 2009; and provide for matters connected with, or incidental to, the foregoing.
[1st April, 2021]
Act 4 of 2021,
SI 23 of 2021.
PART I
PRELIMINARY
This Act may be cited as the Electronic Communications and Transactions Act.
In this Act, unless the context otherwise requires-
"access" in relation to a computer system or electronic communication system, means the right to use or open the whole or any part of the computer system or electronic communication system, or to see, open, use, get or enter information in a computer system;
"advanced electronic signature" means a digital signature that is based on a certificate, that is unique to the user, capable of verification, under the sole control of the person using it and linked to the data in a manner that if the data is changed, the signature is invalidated;
"addressee" means a person who is intended by the originator to receive the electronic communication, but excludes a person acting as an intermediary in respect of that electronic communication;
"authenticity" means the assurance that a message, transaction or other exchange of information is from the author or service it purports to be from;
"Authority" has the meaning assigned to the word in the Information and Communications Technology Act, 2009;
"automated transaction" means an electronic transaction conducted or performed, in whole or in part, by means of electronic communications in which the conduct or electronic communication of one or both parties is not reviewed by a natural person in the ordinary course of that natural person's business or employment;
"automated message system" means a pre-programmed system, or other automated system, used to initiate an action, respond to electronic communications or generate other performances in whole or in part without review or intervention by a party each time an action is initiated or a response is generated by the system;
"asymmetric cryptosystem" means a system capable of generating a secure key pair, consisting of a private key for creating a digital signature, and a public key to verify the digital signature;
"caching" means the storage of data in an information system in order to speed up data transmission or processing;
"ccTLD" means a country code domain at the top level of the internet's main system assigned according to the two-letter codes in the International Standard ISO 3166 or any other standards as may be prescribed by the Minister;
"certificate" means a digital record issued by a certification authority for the purpose of supporting digital signatures which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair;
"certificate holder" means a natural person in the case of a digital signature, and either a natural or a legal person in the case of a digital seal, to whose data the public key contained in the certificate is linked, and to whom the certificate is issued under this Act;
"certification authority" means an entity licensed under section 28 to manage and issue certificates and public keys;
"certification practice statement" means a statement issued by a certification authority specifying the practices that the certification authority employs in issuing a certificate;
"certificate revocation list" means a list of certificates that have been revoked by the issuing certification authority before their scheduled expiration date and are no longer trusted certificates;
"certification service" means a service of-
(a) issuing certificates necessary for giving digital signatures or digital seals to users;
(b) enabling the verification of digital signatures or digital seals given on the basis of certificates;
(c) implementing procedures for suspension, termination of suspension and revocation of certificates;
(d) checking the revocation status of the certificate and advising the relying party; or
(e) issuing cross-pair certificates;
"commerce business entity" means an entity that provides ecommerce services;
"communication" means oral, written, wire or electronic communication;
"Competition and Consumer Protection Commission" means the Competition and Consumer Protection Commission established by the Competition and Consumer Protection Act, 2010;
"computer" means equipment or any part thereof, that performs pre-determined arithmetic, logical, routing, processing or storage operations in accordance with set instructions and includes input devices, output devices, processing devices, computer data storage mediums and other equipment and devices related to, or connected with, the computer system;
"computer network" means the interconnection of one or more computers or an information system through-
(a) the use of satellite, microwave, terrestrial line or other communication media; or
(b) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained;
"consumer" means a person who enters or intends to enter into an electronic transaction with a supplier as the end user of goods or services offered by the supplier;
"correspond" in relation to public key infrastructure or encryption keys, means to belong to the same key pair;
"cryptography" means the method of protecting information by transforming the information into unreadable format;
"cryptography product" means a product that makes use of cryptographic techniques in respect of data for the purpose of ensuring-
(a) that the data can be accessed only by a relevant person;
(b) the authenticity of the data;
(c) the integrity of the data; and
(d) that the source of the data can be correctly ascertained;
"cryptography provider" means any person who provides a cryptography service or product in the Republic;
"cryptography service" means a service which is provided to a sender or a recipient of a data message, or anyone storing a data message, and which is designed to facilitate the use of cryptographic techniques for the purpose of ensuring-
(a) that the data or data message can be accessed, or can be put into an intelligible form only by a certain person;
(b) that the authenticity and integrity of that data or data message is capable of being ascertained; and
(c) the integrity of the data or data message or that the source of the data or data message can be correctly ascertained;
"data" means an electronic representation of information in any form;
"data message" means data generated, sent, received or stored by electronic, optical or similar means and includes, but is not limited to electronic data interchange (EDI), voice, stored record, electronic mail, mobile communications, audio and video recordings;
"digital seal" means a digital signature for use by a person authorised to use a seal under any law and may be used by more than one person or system under that person's authorisation;
"digital signature" means an electronic signature consisting of a transformation of an electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can accurately determine whether the-
(a) transformation was created using the private key that corresponds to the signer's public key; and
(b) initial electronic record has been altered since the transformation was made;
"domain name" means the alphanumeric designation that is registered or assigned in respect of an electronic address or other resource on the internet;
"domain name system" means a system to translate domain names into IP addresses or other resources;
"ecommerce" means a system which allows a commercial transaction to be conducted electronically on the internet or any other network using electronic, optical or similar media for information exchange;
"electronic" in relation to technology, means having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities;
"electronic agent" means a computer program or an electronic or other automated means used independently to initiate an action or respond to electronic records or performances in whole or in part without review or action by an individual at the time of the action or response;
"electronic communication" means a transfer of signs, signals, writings, images, sounds, data or intelligence of any nature transmitted in whole or in part by radio, electromagnetic, photo-electronic or photo-optic system, but does not include-
(a) direct oral communication; or
(b) any communication made through a tone only paging device;
"electronic communications system" means a radio, electromagnetic, photo-optical or photo-electronic facility for the transmission of electronic communications, and any computer facility or related electronic equipment, for electronic storage of those communications;
"electronic signature" means-
(a) sound;
(b) symbol;
(c) process; or
(d) other data created or adopted by a person with the intent to sign a data message;
"electronic transaction" means a transaction, action or set of transactions of a commercial or non-commercial nature, that takes place electronically;
"hash function" means an algorithm mapping data of arbitrary size to fixed-size values such that-
(a) a record yields the same hash result every time the algorithm is executed using the same record as input;
(b) it is computationally infeasible that a record can be derived or reconstituted from the hash result produced by the algorithm; and
(c) it is computationally infeasible that two or more records can be found that produce the same hash result using the algorithm;
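The definitions of "digital signature" and "hash function" above together describe a verification procedure: hash the record, transform the hash with the private key, and let anyone holding the original record and the signer's public key check that the transformation matches. The following Python is an added illustration, not part of the Act; it models that procedure with textbook (unpadded) RSA over a SHA-256 digest, using constructed toy key pairs and a constructed sample data message that are insecure by design.

```python
# Added illustration, not part of the Act: a textbook RSA digital signature in
# pure Python, so the two checks in the Act's definition of "digital signature"
# (key correspondence and no alteration) can be run directly.
# Toy parameters: the key sizes and the unpadded scheme are insecure by design;
# a real deployment uses a vetted library, 2048-bit+ keys and signature padding.
import hashlib

def make_keypair(p: int, q: int, e: int = 65537):
    """Asymmetric cryptosystem step: derive (public, private) keys from two primes.
    Returns ((e, n), (d, n)); the private exponent d is the inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def hash_record(record: bytes, n: int) -> int:
    """Hash function step: SHA-256 of the untransformed record, reduced mod n so
    it fits the toy modulus (real schemes pad the digest instead of reducing it)."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % n

def sign(record: bytes, private_key) -> int:
    """The 'transformation' of the record: hash it, then apply the private key."""
    d, n = private_key
    return pow(hash_record(record, n), d, n)

def verify(record: bytes, signature: int, public_key) -> bool:
    """A party holding the original record and the signer's PUBLIC key undoes the
    transformation with the public key and compares it to a fresh hash of the record.
    True only if (a) the signature was made with the corresponding private key
    and (b) the record is unchanged; either failure shows up as a mismatch."""
    e, n = public_key
    return pow(signature, e, n) == hash_record(record, n)

# Constructed toy key pairs from Mersenne primes (no crypto library needed).
SIGNER_PUBLIC, SIGNER_PRIVATE = make_keypair(2**61 - 1, 2**31 - 1)
OTHER_PUBLIC, OTHER_PRIVATE = make_keypair(2**89 - 1, 2**127 - 1)

# Constructed sample data message.
RECORD = b"Invoice 0001: 250 units, payable within 30 days"

def demo() -> dict:
    """Exercise the definition: a genuine signature, an altered record, and a
    signature made with a private key that does not correspond to the public key."""
    sig = sign(RECORD, SIGNER_PRIVATE)
    return {
        "genuine": verify(RECORD, sig, SIGNER_PUBLIC),
        "altered_record": verify(RECORD.replace(b"250", b"950"), sig, SIGNER_PUBLIC),
        "wrong_private_key": verify(RECORD, sign(RECORD, OTHER_PRIVATE), SIGNER_PUBLIC),
    }

if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'altered_record': False, 'wrong_private_key': False}
```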
"hosting" means the service of storage of data or providing storage of computing resources for oneself or others;
"information system" means a system for generating, sending, receiving, storing, displaying or otherwise processing a data message;
"information system service" includes providing a connection, operating facilities for information systems, providing access to information systems, transmitting or routing of data messages between or among points specified by a user and the processing and storage of data, at the request of the recipient of the service;
"key pair" in an asymmetric cryptosystem, means a private key and its mathematically related public key, having a property that allows the public key to verify a digital signature that the private key creates;
"National Public Key Infrastructure" means a Government deployed public key infrastructure whose root certification authority is established as the highest level certification authority of Zambia and is managed by the National Root Certification Authority as a regulatory function;
"National Root Certification Authority" means the National Root Certification Authority referred to under section 25;
"operational period" in relation to a certificate, means a period beginning on the date and time the certificate is issued by a certification authority, or a later date and time specified in the certificate and ending on the date and time the certificate expires or as stated in the certificate, unless earlier revoked or suspended;
"private certification authority" means a certification authority registered by the National Root Certification Authority to provide certification services to institutions whose information infrastructure is not critical;
"private key" means the key of a key pair used to create a digital signature;
"public key" means the key of a key pair used to verify a digital signature;
"public key infrastructure" means a system comprising hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and public keys;
"recovery agent" means a person or entity who provides recovery information for storage services;
"recovery information" means a parameter that may be used with an algorithm, other data or hardware, to decrypt data or communications;
"registrar" means a person who is given authority to populate a .zm domain registry;
"Registry" means a database of domain names registered under .zm;
"registrant" means the person or organisation whose application for a domain name is successful;
"registration authority" means a person or entity that is entrusted by the certification authority to register or vouch for the identity of users of a certification authority, but does not sign certificates;
"repository" means a system for storing and retrieving certificates or other information relevant to a certificate;
"secure signature creation device" means an adapted piece of software or hardware, and includes a microchip card equipped with a security chip, which is used for the storage and application of a private key;
"subscriber" means a person who is the subject named or identified in a certificate issued to that person and who holds a private key that corresponds to a public key listed in that certificate;
"timestamp" means a data unit created using a system of technical and organisational means which certifies the existence of electronic data at a given time;
"time stamping service" means the issuing of a timestamp necessary to prove the official time and temporal order of a digital signature and digital seal, and the creation of conditions for verification of the issued timestamp; and
"trustworthy system" means computer hardware, software and procedures that-
(a) are reasonably secure from intrusion and misuse;
(b) provide a reasonable level of availability, reliability and correct operation;
(c) are reasonably suited to perform their intended function; and
(d) adhere to generally accepted security procedures.
(1) This Act applies to electronic transactions, electronic communications and electronic records used in the context of commercial and non-commercial activities that include domestic and international transactions, arrangements, agreements and exchanges and storage of information and other related transactions.
(2) Except as otherwise specified, this Act shall not be construed as-
(a) requiring any person to generate, communicate, produce, process, send, receive, record, retain, store or display any information, document or signature by, or in electronic form; or
(b) prohibiting a person from establishing requirements in respect of the manner in which that person will accept data messages.
(3) Except as otherwise specified, this Act does not limit the operation of any written law that authorises electronic payments, electronic money and value transaction services, prohibits or regulates the use of data messages, including any requirement by, or under, any law for information to be posted or displayed in a specified manner, or for any information or document to be transmitted, stored or retained by a specified method.
PART II
LEGAL REQUIREMENTS FOR DATA MESSAGES
4. Legal requirements for data message
(1) Data has legal force and effect if that data-
(a) is wholly or partly in the form of a data message; and