Cybersecurity and Cybercrime Laws in the SADC Region https://zimbabwe.misa.org CONCLUSION This report has looked at enacted and proposed cybersecurity and cybercrime laws in the SADC region and how they have impacted the exercise of rights more specifically, the right to privacy, freedom of expression and media freedom. It has critically examined how these laws contravene provisions of the European Union, African Union, and SADC Model Laws. It has provided an overview of how the internet space has impacted the exercise of rights; highlight regional and international legal frameworks on cybercrimes and cybersecurity and the key principles highlighted therein for the protection and promotion of rights. It analysed cybersecurity laws in the Southern African region and how they impact the exercise of rights in countries such as Botswana, Lesotho, South Africa, Namibia, Zimbabwe and Zambia. Some SADC countries have already used the Budapest Convention as a model for developing their domestic legislations on cybercrime. The legislations of Mauritius, Botswana and Tanzania, and the draft legislations of Lesotho and South Africa are clearly premised on the Convention. This study which relied heavily on desktop review and key informants has demonstrated that although some countries in the SADC region have enacted cybersecurity and cybercrime laws, others are still in the process of drafting similar laws. On the one hand, countries like Botswana, eSwatini, Tanzania, Malawi and Zambia have already passed cybersecurity and cybercrime laws. On the other hand, countries such as Namibia, South Africa, Lesotho and Zimbabwe have gazetted draft legislation on cybersecurity and cybercrime. It has argued that although some of the enacted and proposed cybersecurity and cybercrime laws are modeled along international, regional and sub-regional model laws and other human rights instruments, 40 there are a number of problematic provisions, which infringes on the right to privacy and freedom of expression. Second, while most of the enacted and proposed laws in the SADC region attempt to balance cybersecurity issues with human rights frameworks as espoused in national constitutions, there are still restrictive laws dealing with interception of communication, data protection and electronic transactions. Third, in countries such as Zambia, Zimbabwe, Namibia and Malawi, there is deep-seated fear that existing and new legislation are already being used for surveillance purposes. For instance, South Africa uses the RICA Act to regulate the interception of communication. Zimbabwe has the Interception of Communications Act. Zambia deploys the Electronic Communications and Transactions Act of 2009. Fourth, there are concerns around broad and vague definitions of criminalised offences and key terms such keystroke, false news, race and xenophobicrelated offences, modification, unauthorised access, or asymmetric cryptosystem, cyber terrorism, child pornography and cyber extortion and so forth. Fifth, inadequate oversight or accountability mechanisms over the functions of cyber inspectors, data controllers, internet service providers and ministers pose serious threats to the integrity and effectiveness of the legislation. Finally, the study has demonstrated that while some countries have made significant inroads in terms of criminalising cyber-related conduct, providing adequate procedural tools and mapping out international cooperation arrangements, others are still stuck at the ‘crossroads’ of indecision, procrastination and slow policy making.