Electronic Transactions and Cyber Security Act
- Published in Malawi Gazette Supplement 6C on 4 November 2016
- Commenced on 1 June 2017 by Electronic Transactions and Cyber Security Act, 2016: Commencement
- [This is the version of this document at 31 December 2017 and includes any amendments published up to 31 October 2021.]
- [Note: This version of the Act was revised and consolidated in the Fifth Revised Edition of the Laws of Malawi (L.R.O. 1/2018), by the Solicitor General and Secretary for Justice under the authority of the Revision of the Laws Act.]
Part I – Preliminary provisions
1. Short title
This Act may be cited as the Electronic Transactions and Cyber Security Act.
2. Interpretation
In this Act, unless the context otherwise requires—
"Authority" means the Malawi Communications Regulatory Authority established under section 3 of the Communications Act; [Cap. 68:01]
"CCTLD" means the Country Code Top Level Domain which is at the top level of the internet domain name system, assigned according to the two letter codes in the international standard ISO 3166-1 by ICANN;
"certification authority" means a trusted third party organization or company licensed or authorized by the Authority to issue digital certificates used to create digital signatures and public-private key pairs;
"child pornography" means visual and pornographic material that depicts, presents or represents a person under the age of eighteen engaged in sexually explicit conduct or an image representing a person under the age of eighteen engaged in sexually explicit conduct;
"comparative advertising" means any advertising which explicitly or impliedly identifies a competitor, or goods or services offered by a competitor;
"computer system" means a device or a group of interconnected or related devices, one or more of which performs automatic processing of data pursuant to a program;
"consumer" means any person who enters or intends to enter into a contract by electronic means with a supplier as the end-user of the goods or services offered by the supplier and acts, for that purpose, outside his trade, business or profession;
"content provider" means a person or organization who supplies information for use on a website or an electronic media platform;
"critical data" means data which is declared by the Minister in accordance with this Act, to be of importance to the protection of national security of the Republic or the economic and social well-being of its citizens;
"cryptography" means the method of storing and transmitting data by transferring it into unreadable format so that only those for whom it is intended can process and read it;
"cyber inspector" means a person appointed as such under section 69;
"data" means electronic presentation of information in any form;
"data controller" means a person who, acting either alone or in common with other persons, determines the purpose for which, and the manner in which, any personal data is processed, or is to be processed and thus, controls and is responsible for the keeping and using of personal data, and the term includes a person who collects, processes or stores personal data;
"data subject" means a person from whom data relating to that person is collected, processed or stored by a data controller;
"digital certificate" means an electronic document to prove ownership of a public key, and the certificate includes information about the key owner’s identity and the digital signature of an entity that has verified that the certificate’s contents are correct;
"digital signature" means an electronic signature consisting of a transformation of an electronic message using an asymmetric crypto system and a hash function such that a person having the initial and transformed electronic message and the signatory’s public key can accurately determine—
    (a) whether the transformation was created using the private key that corresponds with the signatory’s public key; and
    (b) whether the initial electronic message is as it was after the transformation was made;
"digital signature certificate" means a record which is issued by the Authority for the purpose of supporting a digital signature;
"distance contract" means any contract concluded between a supplier and a consumer under an organized remote sales or service-provision scheme run by the supplier, who, for the purpose of that contract, makes exclusive use of one or more electronic means up to and including the time at which the contract is concluded;
"domain name" means an alphanumeric designation that is registered or assigned in respect of an electronic address or other resources on the internet;
"e-government service" means a public service provided by electronic means;
"electronic commerce" means any economic activity provided by electronic means, including remote services and products, particularly services that consist of providing online information, commercial communications, research tools, or access to, or downloading of, online data, access to a communication network or the hosting of information;
"electronic message" means any communication created, sent, received or stored by electronic communication means, such as a computerized data exchange system, electronic mail system and instant messaging;
"electronic record" means a record created, generated, sent, communicated, received and maintained by electronic means;
"electronic signature" means data attached to, incorporated in, or logically associated with, other data and which is intended by the user to serve as a signature;
"encryption" means a method of transforming signals or messages in a systematic way so that the signal would be unintelligible without a suitable receiving apparatus;
"financial services" has the meaning ascribed to the term under section 2 of the Financial Services Act; [Cap. 44:05]
"financial services law" has the meaning ascribed to the term under section 2 of the Financial Services Act; [Cap. 44:05]
"ICANN" means the Internet Corporation for Assigned Names and Numbers;
"information system" means a system for generating, sending, receiving, storing, displaying or otherwise processing electronic messages, including the internet;
"intermediary service provider" means any person or entity that provides electronic communications services consisting of the provision of access to communications networks, storage, hosting or transmission of information through communication networks;
"internet" means the interconnected system of networks that connects computers around the world using Transmission Control Protocol/Internet Protocol (TCP/IP) or other protocols, and includes future versions thereof;
"Internet Service Provider (ISP)" means a company that provides access to the internet and other related services such as website building and virtual hosting to individuals or other companies;
"key" means a piece of information that determines the functional output of a cryptographic algorithm;
"key pair" means a pair of keys used for cryptography;
"Malawi CERT" means the Malawi Computer Emergency Response Team established under section 6;
"misleading advertising" means any advertising which in any way, including its presentation, deceives or is likely to deceive a person to whom it is addressed or whom it reaches and which, by reason of its deceptive nature, is likely to affect his economic behaviour or which, for those reasons, injures or is likely to injure a competitor’s economic or business interests;
"online public communication" means any transmission of digital data, signs, signals, texts, images, sounds or messages, of whatever nature, that are not private correspondence, by electronic communication means that enable a reciprocal exchange of information between an issuer and a receiver;
"opt-in" means a system where a consumer gives consent to an electronic communication service provider to receive any other communication;
"open standard" means any protocol for communication, interconnexion or exchange and any format of interoperable data whose technical specifications are public and the access or use thereto is not restricted;
"personal data" means any information relating to an individual who—
    (a) may be directly identified; or
    (b) if not directly identified, may be identifiable by reference to an identification number or one or several elements related to his physical, physiological, genetic, psychological, cultural, social, or economic identity;
"place of business" means a place where a person has established, in a stable and lasting way, his activity whatever it is, and as regards a legal person, the place where its registered office is located or where it has its principal activity;
"pornography" means visual material that depicts images of a person engaged in sexually suggestive or explicit conduct;
"private key" means the key of a pair of an isometric crystal system used to create a digital signature by a holder of the digital signature which is exclusively known by the holder and is not made available to anyone;
"processing of data" means any operation or set of operations which is performed upon data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
"public key" means a key of a pair of an isometric crystal system used to verify a digital signature that the holder of a digital signature makes available to the public or intended recipients;
"recipient" means a person to whom a sender intends to send an electronic communication, but does not include an intermediary for that communication;
"record" means recorded information, in any form, including data in computer systems, created or received and maintained by a public body in the course of official duties and kept as evidence of such activity;
"record keeping" means making and maintaining complete, accurate and reliable evidence of official formalities in the form of recorded information;
"Registrar" means an entity designated by the Authority to manage and maintain the reservation of domain names and the domain name registry;
"registry" means a central place where domain names are kept and maintained in an organized way;
"sender" means a person by whom, in whose name, or on whose behalf an electronic communication is sent or created before being stored, where necessary, but does not include an intermediary for that communication;
"signatory" means a person who holds a digital signature creation device and acts either on his own behalf or on behalf of a person he represents;
"subscriber" means a person who agrees to receive or be allowed to access electronic texts or services by subscription;
"supplier" means a person or entity that is the source for goods or services;
"Transmission Control Protocol/Internet Protocol (TCP/IP)" means a system of digital rules for data exchange within or between computers; and
"virus" means a malicious program or script that negatively affects the functioning of a computer by creating files, moving files, erasing files or consuming computer memory, causing the computer not to function properly.
3. Objectives
The objectives of this Act are—
4. Principles
The following principles shall, at all times, be adhered to in the implementation and application of this Act—
5. Implementation of this Act
Unless otherwise provided in this Act, the Authority shall be responsible for the implementation of this Act.
Part II – Administration
6. Establishment of the Malawi CERT
Part III – Formation and validity of electronic transactions
7. Recognition of electronic writing
Notwithstanding the contrary intention of any written law, where a law requires that certain information or any other matter be in writing, typewritten or printed form, the requirement shall be satisfied if the information or the matter is—
8. Electronic signature
9. Equal treatment of electronic signature
Except as otherwise provided for in this Act, the provisions of this Act shall not exclude, restrict or affect the legality of any method of creating an electronic signature which—
10. Conduct of a person relying on a digital signature
A person may sign an electronic record by affixing a personal digital signature or using any other recognized, secure and verifiable mode of signing agreed by parties or recognized by a particular industry to be safe, reliable and acceptable.
11. Bearing legal consequences of relying on electronic signature
A person who relies on a digital signature shall bear the legal consequences of failure to—
12. Recognition of digital signature certificates and digital signatures
13. Notarization, acknowledgement and certification
14. Other requirements
15. Determination of originality of an electronic message
16. Admissibility and evidential weight of electronic messages
17. Storage of electronic messages
18. Secure electronic record
19. Validity of a contract executed in electronic form
Validity of a contract shall not be affected by the sole reason that it is executed in electronic form, if the contract has fulfilled all other requirements for formation of such type of contract.
20. Time and place of dispatch and receipt of an electronic message
21. Offer and acceptance
22. Attribution of electronic messages to sender
23. Acknowledgement of receipt of an electronic message
Part IV – Liability of online intermediaries and content editors and protection of online users
24. Freedom of communication and its limitations
25. Liability of an intermediary service provider
26. Liability for being a conduit
27. Liability for caching services
An intermediary service provider shall not be liable for the automatic intermediate and temporary storage of the electronic message, where the intention of such storage is for its onward transmission to other recipients who requested it, if the intermediary service provider—
28. Liability for the supply of hosting services
An intermediary service provider who provides a service comprising storage of electronic messages shall not be liable for the information stored if—
29. Saving of data
30. Takedown notification
31. Online content providers
32. Right of reply
Part V – Electronic commerce
33. Information to be provided by a supplier
34. Formation of electronic contracts with consumers
35. Cooling-off period
36. Performance of an electronic transaction
37. Default in contract performance
38. Review and cancellation of contract by a consumer
39. Cancellation of payment
A consumer may require the cancellation of a payment in case of fraudulent use of his payment for the purposes of execution of a contract by electronic means, and in such a case the sums paid shall be reimbursed to the consumer.
40. Prohibition of misleading advertising
41. Identification of advertisement content
42. Unsolicited communications
43. Scope of application of financial provisions
44. Identity of a provider of financial or banking services
45. Right of withdrawal from a contract
Part VI – Security and digital economy
46. Use, supply, transfer, etc.
Where any portion of an electronic message is signed with a digital signature, the digital signature shall be treated as a secure electronic signature with respect to such portion of the message if—
47. Presumptions regarding digital signature certificates
Except for information identified as subscriber information which has not been verified, any other information included in a digital signature certificate issued by a licensed certification authority shall be deemed correct if the subscriber accepted the digital signature certificate, unless evidence to the contrary is adduced.
48. Unreliable digital signatures
Unless otherwise provided for by any written law or contract, a person relying on a digitally signed electronic message shall bear the risk that the digital signature is invalid as a signature or authentication of the signed electronic message, if reliance on the digital signature is not reasonable under the circumstances having regard to the following factors—
49. Reliance on digital signature and certificate
A person who relies on a digital signature shall be deemed to have relied on a valid certificate containing the public key by which the digital signature may be verified.
50. Requirements to publish digital signature certificate
A digital signature certificate may be published where—
51. Authority to appoint a certification authority
53. Trustworthy system
55. Issuance of a digital signature certificate
56. Representations upon issuance of a digital signature certificate
57. Suspension of a digital signature certificate
A certification authority that issued a digital signature certificate shall suspend the certificate after receiving a request by—
58. Revocation of a digital signature certificate
A certification authority shall revoke a digital signature certificate that it issued—
59. Revocation without a subscriber’s consent
A certification authority shall revoke a digital signature certificate, regardless of whether the subscriber listed in the certificate consents, if the certification authority confirms that—
60. Notice of suspension of a digital signature certificate
61. Notification of revocation of a digital signature certificate
62. Generating a key pair
63. Accurate and complete representations
A subscriber shall not make material representations to a certification authority for purposes of obtaining a digital signature certificate, including all information known to the subscriber and represented in the certificate, unless the representations are accurate and complete.
64. Acceptance of a digital signature certificate
65. Control of a private key
66. Requesting for suspension or revocation
A subscriber who has accepted a digital signature certificate shall, as soon as possible, request the issuing certification authority to suspend or revoke the certificate if the private key corresponding to the public key listed in the certificate has been compromised.
67. Provision of encryption services
68. Administrative sanctions
69. Appointment of cyber inspectors
70. Powers and functions of a cyber inspector
Part VII – Data protection and privacy
71. Processing of personal data
72. Rights of a data subject
73. Accuracy and completeness of information
A data controller shall provide a data subject from whom data relating to himself is collected with at least the following information—
74. Security obligations
Part VIII – Domain name and management
75. Appointment of the Registrar of domain names
76. Functions and powers of the Registrar
77. Recommendations relating to domain names
78. Offence of administering domain name without authority
A person who administers, manages or operates a second level domain name without authority commits an offence and shall, upon conviction, be liable to a fine of K5,000,000 and to imprisonment for seven years.
79. Dispute resolution concerning domain names
Any unresolved dispute under this Part shall be submitted to arbitration in accordance with the Arbitration Act. [Cap. 6:03]
Part IX – Electronic-government transactions
80. Requirement of electronic filing and issuing of documents
81. Specific guidelines to public bodies
The Department of E-government shall, for the purposes of section 80, from time to time, publish guidelines specifying—
82. Implementation of e-government
The application of the provisions of this Part shall be subject to the adoption of necessary regulations made by the Minister, which shall establish—
Part X – Offences
83. Search warrant
84. Unauthorized access, interception or interference with data
85. Child pornography
86. Prohibition of cyber harassment
Any person who uses any computer system and continues—
87. Prohibition of offensive communication
Any person who wilfully and repeatedly uses electronic communication to disturb or attempts to disturb the peace, quietness or right of privacy of any person with no purpose of legitimate communication whether or not a conversation ensues, commits a misdemeanour and shall, upon conviction, be liable to a fine of K1,000,000 and to imprisonment for twelve months.
88. Prohibition of cyber stalking
Any person who wilfully, maliciously, and repeatedly uses electronic communication to harass another person and makes a threat with the intent to instil reasonable fear in that person for his safety or to a member of that person’s immediate family, commits an offence known as cyber stalking and shall, upon conviction, be liable to a fine of K1,000,000 and to imprisonment for twelve months.
89. Prohibition of hacking, cracking and introduction of viruses
Any person who hacks into any computer system, or knowingly introduces or spreads a virus into a computer system or network, commits an offence and shall, upon conviction, be liable to a fine of K5,000,000 and to imprisonment for seven years.
90. Unlawfully disabling a computer system
Any person who wilfully or maliciously renders a computer system incapable of providing normal services to its legitimate users, commits an offence and shall, upon conviction, be liable to a fine of K5,000,000 and to imprisonment for seven years.
91. Prohibition of spamming
Any person who transmits any unsolicited electronic information to another person for the purposes of illegal trade or commerce, or other illegal activity, commits an offence and shall, upon conviction, be liable to a fine of K2,000,000 and to imprisonment for five years.
92. Prohibition of illegal trade and commerce
Any person who uses the internet as a medium for any illegal activity or trade, fraudulent transaction or as a means of procuring any internet related fraud, commits an offence and shall, upon conviction, be liable to imprisonment for ten years.
93. Attempting, aiding and abetting crime
94. Offences committed by legal persons
Where a legal person is convicted of an offence under this Act, every person who—
95. General offence and penalty
A person who violates any provision of this Act, whose penalty has not been provided, commits an offence and shall, upon conviction, be liable to a fine of K5,000,000 and to imprisonment for seven years.
Part XI – General provisions
96. Lodging of complaints to the Authority
97. Public education programmes
The Authority shall implement public educational programmes on the safe use of the internet focusing in particular on—
98. Intermediary service providers’ levy
For the purposes of implementing the public educational programmes referred to in section 97, the Authority may impose an intermediary service providers’ levy on intermediary service providers who offer access to communications networks.
99. Codes of conduct
100. Act to prevail in case of inconsistency
Where any inconsistency arises between a provision of this Act and a provision of any other written law relating to the regulation of electronic transactions, the provisions of this Act shall prevail to the extent of the inconsistency.
101. Administrative penalties
The Authority may in its discretion impose administrative penalties on persons who violate a provision of this Act or the regulations made under it by imposing a fine not exceeding K5,000,000.
103. Exemption orders
The Minister may, in consultation with the Authority, by notice published in the Gazette, make an order to exempt certain transactions from the application of the requirements of some provisions of this Act.
104. Transitional provision
The Minister shall, by order published in the Gazette, appoint a date or dates beyond which stakeholders affected by this Act shall be required to comply with this Act.
History of this document
- 31 December 2017: this version