Cybersecurity and Cybercrime Laws in the SADC Region https://zimbabwe.misa.org

and cybercrime laws strike a balance between the protection of national security and exercise of the rights of ordinary citizens.

There is need to adhere to the Necessary and Proportionate Principles when coming up with cybersecurity and cybercrime, data protection and electronic transaction laws in the SADC region.

Public consultation processes in coming up with cybersecurity and cybercrime legislation must follow clearly laid out procedures. Input from marginalised and vulnerable constituencies must be taken on board.

Any cybersecurity law and institutional framework must be the product of an extensive and meaningful cooperative multistakeholder consultative process, and the eventual frameworks must make provision for some level of multi-stakeholder oversight involvement.

There is need to desist from coming up with an omnibus type of legislation as evidenced in Malawi, Zimbabwe and Namibia. Instead of lumping cybersecurity and data protection issues together, it is recommended that the proposed Bills be separated into two Bills that deal with cybersecurity and data protection separately, in line with international best practice and instruments such as the SADC Model Law on Data Protection, African Convention on Cybersecurity and Data Protection.

Enacted and proposed legislation must ensure that there is a clause that guarantees the protection of whistleblowers in terms of handling investigations. In order to strengthen the protection framework, all protection arrangements should include a legal obligation for public officials to report misconduct and/or procedures for protecting whistleblowers and enforcing fair treatment after a disclosure has been made.

There is need to come up with independent national regulatory authorities rather than using existing bodies as would limit the effectiveness, efficiency and independence of the Board since it is appointed by and reports to the Executive. A case in point is the Zambian scenario where a separate entity (Cyber Security Centre) was created.

Cybersecurity and cybercrime laws must not be used as a smokescreen to normalise arbitrary, disproportionate and unnecessary surveillance of citizens without regard to citizens’ right to privacy.

These laws must clearly define the term data subject. The rights of the data subject must be derived from the Bill of Rights in the Constitution. He/she must also be afforded the right to request a record or description of the personal information about the data subject being held by a data processor, as well as information concerning the identity of all third parties who have had access to the data subject’s personal information.

The obligation of the data controller in terms of safeguarding the security, integrity and confidentiality of the data must be clearly spelt out in any proposed legislation. The clause on data controllers must ensure that they collect only the data absolutely necessary for their purposes, and access to personal data should be limited to only those necessary for processing.

Legislation on cybersecurity and cybercrime must ensure that there are adequate accountability or oversight mechanisms on data breaches. Rather than placing the duty to report on the national Cybersecurity Centre, the law must ensure that the data subject is also given the duty to report in cases of data breaches. This clause will offer adequate protection or recourse for potential victims of breaches emanating from the Data Controller’s negligence or incompetence. The law must spell out consequences for avoidable breaches e.g. by providing compensation to a data subject whose information was not adequately