https://zimbabwe.misa.org Cybersecurity and Cybercrime Laws in the SADC Region Executive summary This report focuses on enacted and proposed cybersecurity and cybercrime laws in the SADC region and how they have impacted the exercise of rights, more specifically, the right to privacy, freedom of expression and media freedom. It also makes a comparative of these laws with international conventions, standards and norms for instance as found in the provisions of the European Union, African Union, and SADC Model Laws. This report focuses on countries such as Botswana, Lesotho, South Africa, Namibia, Zimbabwe and Zambia. This study which relies heavily on desktop review and key informant interviews shows that although some countries in the SADC region have enacted cybersecurity and cybercrime laws, others are still in the process of drafting similar laws. On the one hand, countries like Botswana, eSwatini, Tanzania, Malawi and Zambia have already passed cybersecurity and cybercrime laws while countries such as Namibia, South Africa, Lesotho and Zimbabwe have gazetted draft legislation on cybersecurity and cybercrime. It is also shown in this report that although some of the enacted and proposed cybersecurity and cybercrime laws are modeled along international, regional and subregional model laws and other human rights instruments, there are a number of problematic provisions, which infringe on the right to privacy and freedom of expression. Second, while most of the enacted and proposed laws in the SADC region attempt to balance cybersecurity issues with human rights frameworks as espoused in national constitutions, there are still restrictive laws dealing with interception of communication, data protection and electronic transactions. Third, in countries such as Zambia, Zimbabwe, Namibia and Malawi, there is deep-seated fear that existing and new legislation are already being used for surveillance purposes. For instance, South Africa uses the RICA Act to regulate the interception of communication and Zimbabwe has the Interception of Communications Act while Zambia deploys the Electronic Communications and Transactions Act of 2009. Fourth, there are concerns around broad and vague definitions of criminalised offences and key terms such keystroke, false news, race and xenophobic-related crime, modification, unauthorised access, or asymmetric cryptosystem, cyber terrorism, child pornography and cyber extortion and so forth. Fifth, inadequate oversight or accountability mechanisms over the functions of cyber inspectors, data controllers, internet service providers and ministers pose serious threats to the integrity and effectiveness of the legislation. The minister must ideally report to parliament. Finally, the study has demonstrated that while some countries have made significant inroads in terms of criminalising cyber-related conduct, providing adequate procedural tools and mapping out international cooperation arrangements, others are still stuck in the ‘foggy zone’ of procrastination, bickering and slow policy making. 1