Cybersecurity and Cybercrime
Laws in the SADC Region

Executive summary
This report focuses on enacted and proposed
cybersecurity and cybercrime laws in the SADC region
and how they have impacted the exercise of rights, more
specifically, the right to privacy, freedom of expression
and media freedom. It also makes a comparative of these
laws with international conventions, standards and norms
for instance as found in the provisions of the European
Union, African Union, and SADC Model Laws.
This report focuses on countries such as Botswana,
Lesotho, South Africa, Namibia, Zimbabwe and Zambia.
This study which relies heavily on desktop review and key
informant interviews shows that although some countries
in the SADC region have enacted cybersecurity and
cybercrime laws, others are still in the process of drafting
similar laws. On the one hand, countries like Botswana,
eSwatini, Tanzania, Malawi and Zambia have already
passed cybersecurity and cybercrime laws while countries
such as Namibia, South Africa, Lesotho and Zimbabwe
have gazetted draft legislation on cybersecurity and
It is also shown in this report that although some of the
enacted and proposed cybersecurity and cybercrime
laws are modeled along international, regional and subregional model laws and other human rights instruments,
there are a number of problematic provisions, which
infringe on the right to privacy and freedom of expression.
Second, while most of the enacted and proposed laws in
the SADC region attempt to balance cybersecurity issues
with human rights frameworks as espoused in national

constitutions, there are still restrictive laws dealing with
interception of communication, data protection and
electronic transactions.
Third, in countries such as Zambia, Zimbabwe, Namibia
and Malawi, there is deep-seated fear that existing and
new legislation are already being used for surveillance
purposes. For instance, South Africa uses the RICA Act
to regulate the interception of communication and
Zimbabwe has the Interception of Communications Act
while Zambia deploys the Electronic Communications
and Transactions Act of 2009. Fourth, there are concerns
around broad and vague definitions of criminalised
offences and key terms such keystroke, false news,
race and xenophobic-related crime, modification,
unauthorised access, or asymmetric cryptosystem, cyber
terrorism, child pornography and cyber extortion and
so forth. Fifth, inadequate oversight or accountability
mechanisms over the functions of cyber inspectors, data
controllers, internet service providers and ministers pose
serious threats to the integrity and effectiveness of the
legislation. The minister must ideally report to parliament.
Finally, the study has demonstrated that while some
countries have made significant inroads in terms of
criminalising cyber-related conduct, providing adequate
procedural tools and mapping out international
cooperation arrangements, others are still stuck in the
‘foggy zone’ of procrastination, bickering and slow policy


Select target paragraph3