Senate sitting

Computer Crime and Cyber Security Bill, 2022

THE PARLIAMENT OF LESOTHO

COMPUTER CRIME AND CYBERSECURITY BILL, 2022 STATEMENT OF OBJECTS AND REASONS

(Circulated by the authority of the Minister responsible for communications, science and technology, Honourable Tšoinyana Rapapa.)

Information Communications Technology infrastructures and Internet access have grown rapidly and individuals, businesses and governments use electronic devices to communicate and conduct business. However, with the use of technology come challenges, as criminals misuse technology to commit crime. Traditional or common law offences are committed using electronic devices and the internet. Government has a responsibility to ensure that its citizens are protected against cyber-attacks and the enactment of the Computer Crime and Cybersecurity Bill is an effort by Lesotho to combat computer crime, by putting in place the appropriate punishment for it and thereby ensuring cybersecurity.

The object of the Bill is to provide for the establishment of the National Cybersecurity Advisory Council and the National Cyber Security Incident Response Team responsible for the management of cybersecurity in Lesotho. The National Cybersecurity Advisory Council shall be responsible for advising the Government on cybersecurity policy development and national cyber security strategies. The National Cyber Security Incident Response Team shall be responsible for providing cybersecurity intelligence, alerts, warnings, technical assistance, eradication of threats and recovery from cyber-attacks. In this way, the Bill provides a live and functional body to protect its cyberspace.

The Bill complies with the Convention on Cybercrime (Budapest Convention) and the African Convention on Cyber Security and Personal Data Protection. The two Conventions require that member States enact cybercrime and cybersecurity legislation.

The Bill provides for the designation and protection of critical information infrastructure. The schedule of critical information infrastructure shall be published by the Minister in the Gazette. The Bill obliges owners of critical information infrastructure to manage access to and control of data in any critical infrastructure.


There are several legislations which provide for criminalisation of different offences such as fraud, extortion, forgery, bribery, genocide, crimes against humanity, war crimes, terrorism and other offences. However, there is no statute which provides for criminalisation of illegal activities committed through the use of electronic devices except for the Penal Code Act, 2012 and the Communications Act, 2012 which criminalise unlawful access to computer or electronic storage devices owned by another person, while the Communications Act criminalises intentional damage of communications facilities belonging to another. There is a need for a comprehensive legislation which adequately prevents computer and internet-related crimes. The Bill provides a list of offences committed through the misuse of electronic devices.

The Bill further has provisions on procedural law which prescribe procedural standards relating to search, seizure, obligations to assist the investigating officers, production of information, preservation of data, collection and disclosure of data and for interception and the use of forensic tools by law enforcement officers.

The Bill provides for limitation of criminal liability of service providers. Cybercrime has no borders and therefore there is a need for international cooperation between States in the fight against cybercrime. The Bill provides that Lesotho should cooperate with other States in the fight against cybercrime.


COMPUTER CRIME AND CYBERSECURITY BILL, 2022

ARRANGEMENT OF SECTIONS

Section

PART I: PRELIMINARY

  1. Short title and commencement
  2. Interpretation

PART II: CYBERSECURITY MANAGEMENT

  3. The Council
  4. Tenure of office
  5. Functions of the Council
  6. Meetings of the Council
  7. Sitting allowance
  8. Vacation of office
  9. Filling of vacancy
  10. Reports of the Council
  11. National Cyber Security Incident Response Team
  12. Functions of the Team
  13. Appointment of the Director of the Team
  14. Tenure of office of Director of the Team
  15. Functions of the Director of the Team
  16. Funding
  17. Sectoral cyber security incident response teams

PART III - CRITICAL INFORMATION INFRASTRUCTURE

  18. Designation of critical information infrastructure
  19. Protection of critical information infrastructure
  20. Obligations of the owner of critical information infrastructure

PART IV: OFFENCES

  21. Illegal access
  22. Illegal remaining
  23. Illegal interception
  24. Illegal data interference
  25. Illegal system interference
  26. Data espionage
  27. Cyber terrorism
  28. Cyber extortion
  29. Misuse of devices
  30. Computer-related forgery
  31. Computer-related fraud
  32. Child pornography
  33. Distribution of data message of intimate image without consent
  34. Identity-related crimes
  35. Racist and xenophobic material
  36. Racist and xenophobic motivated insult
  37. Genocide and crimes against humanity
  38. Unsolicited messages
  39. Disclosure of details of an investigation
  40. Cyber-bullying and harassment
  41. Violation of intellectual property rights
  42. Attempt, abetment and conspiracy
  43. Publication of false information
  44. Cyber squatting
  45. Social engineering attacks
  46. Interception of electronic messages or money transfers
  47. Willful misdirection of electronic messages
  48. Inducement to deliver electronic messages
  49. Intentionally withholding messages delivered erroneously
  50. Unlawful destruction of electronic message
  51. Issuance of false electronic instructions
  52. Modification and interference with contents of a message
  53. Obligation of institutions
  54. Offences against critical information infrastructure or protected computer systems
  55. Offence by body corporate or un-incorporate
  56. General provision on cybercrimes

PART V: JURISDICTION

  57. Jurisdiction
  58. Extradition

PART VI – PROCEDURAL LAW

  59. Search and seizure
  60. Assistance
  61. Production order
  62. Expedited preservation
  63. Confidentiality of data
  64. Partial disclosure of traffic data
  65. Collection of traffic data
  66. Forensic tool

PART VII – LIABILITY

  67. No monitoring obligation
  68. Access provider
  69. Hosting provider
  70. Caching provider
  71. Hyperlinks provider
  72. Search engine provider
  73. Other types of electronic service provider
  74. Offence and penalty

PART VIII: MUTUAL LEGAL ASSISTANCE

  75. Cooperation with other States

PART IX: GENERAL PROVISIONS

  76. Limitation of liability
  77. Forfeiture of assets
  78. Regulations

PART X: CONSEQUENTIAL AMENDMENTS

  79. Amendment of Communications Act No. 4 of 2012
  80. Amendment of Penal Code Act No. 6 of 2012


COMPUTER CRIME AND CYBER SECURITY BILL, 2022

A Bill for

An Act to make provision for offences relating to the misuse of electronic communication devices and electronic networks; the jurisdiction and powers of investigation, search, access and seizure and collection of evidence in respect of computer crime; international cooperation in dealing with computer and cyber crime matters; structures and institutional arrangements for the management of cyber security; the designation and protection of critical information infrastructure; the imposition of the obligations on electronic communications service providers and financial institutions to assist in the investigations of cyber crimes and report such crimes, and related matters.

Enacted by the Parliament of Lesotho

PART I: PRELIMINARY

Short title and commencement

1.      This Act may be cited as the Computer Crime and Cyber Security Act, 2022 and shall come into operation on the date of publication in the Gazette.

Interpretation        

2.      In this Act, unless the context otherwise requires —

“access” means gaining entry to use data, computer program, computer data storage medium, computer system, their accessories or components or any part of the accessories or components or any ancillary device;

“access provider” means any natural or legal person providing an electronic data transmission service by transmitting information provided by or to a user of the service in a communication network or providing access to a communication network;

“Authority” means the body established under section 3 of the Communications Act, 2012;

“caching provider” means any natural or legal person providing an electronic data transmission service by automatic, intermediate and temporary storing of information for the sole purpose of making the onward transmission of the information to other users of the service more efficient;

“child” means a person below eighteen years of age;

“child pornography” means any material that visually depicts a child engaged in real or simulated sexually explicit conduct, or any depiction of the sexual organs of a child, for primarily sexual purposes;

“communication service” means an operation or provision for transmission of voice, data, text, sound, video and images;

“computer” means an electronic device which stores data and processes information based upon instructions provided by a user;

“computer data” means any representation of facts, concepts, information, machine readable code or instructions stored in a format suitable for processing in a computer system, including a program suitable to cause a computer to perform a function;

“computer data storage medium” means any article or material from which information is capable of being reproduced with or without the aid of any other article or device, irrespective of whether it is permanently connected or detachable or remotely accessible;

“computer network” means a group of computer systems and other computing hardware devices that are linked together through communication channels to facilitate communication and resource-sharing among a wide range of users;

“computer system” means a device or a group of inter-connected or related devices, one or more of which, pursuant to a program, performs automatic processing of data or any other related function;

“Council” means the National Cyber Security Advisory Council established by section 3;

“critical information infrastructure” means computer systems, devices, electronic communication networks, electronic communication facilities, computer programs or computer data so vital to the country that the incapacity or destruction of, or interference with, such systems and assets would have a debilitating impact on national or economic security or public health and safety;

“cyber security” means the protection of information, equipment, device, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction;

“cybersquatting” means the acquisition of a domain name over the internet in bad faith with the intention to profit, mislead, destroy the reputation of or deprive another from registering the domain name if it is —

  (a) similar, identical or confusingly similar to an existing trademark registered with the appropriate government agency at the time of registration;
  (b) identical or in any way similar with the name of a person other than the registrant, in the case of a personal name; or
  (c) acquired without a right or an intellectual property interest in the domain name;

“device” includes—

  (a) components of a computer system such as graphic cards, memory, chips or processor;
  (b) storage components such as hard drives, memory cards, compact discs, tapes;
  (c) input devices such as keyboards, mouse, track pad, scanner and digital camera;
  (d) output devices such as printer, screens; and
  (e) any other device used to process digital information or for communication;

“electronic communication” means any transfer of signs, signals or computer data of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photo-optical system;

“electronic communication facility” includes, electrical supply system, pole, cable, antenna, mast, satellite transponder, earth station, radio apparatus, exchange buildings, data centres or any other thing that can be used for or in connection with, electronic communication;

“electronic communication network” means any system or electronic communications facility including —

  (a) satellite systems;
  (b) fixed systems including circuit and packet-switched;
  (c) mobile systems;
  (d) fiber optic cables;
  (e) electricity cable system, to the extent used for electronic communication services; and
  (f) other transmission systems used for conveyance of electronic communications;

“electronic message” means a communication from one device to another in a digital form and includes, but is not limited to, electronic mail, text message, instant message or a command or request to access the internet site;

“essential service” means a service the interruption of which endangers the life, personal safety or health of the whole or any part of the population;

“hindrance” in relation to a computer system, means any action that interferes with the proper functioning of a computer system and includes

  (a) cutting the electricity supply to a computer system;
  (b) causing electromagnetic interference to a computer system;
  (c) corrupting a computer system by any means;
  (d) inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data;

“hosting provider” means any natural or legal person providing an electronic data transmission service by storing information provided by a user of the service;

“hyperlink” means the characteristics or property of an element such as a symbol, word, phrase, sentence or image that contains information about another source and points to and causes to display another document when executed;

“hyperlink provider” means any natural or legal person providing one or more hyperlinks;

“information system” has the same meaning as “computer system”;

“institution” means the public or private sector;

“interception” includes, but is not limited to, the acquiring, viewing and capturing of any computer data communication whether by wire, wireless, electronic, optical, magnetic, oral or other means during transmission through the use of any technical device;

“intellectual property rights” means the rights accrued or related to copyright, patent, trade mark or any other related matter;

“law enforcement officer” means any officer of the Lesotho Mounted Police Service or the Directorate on Corruption and Economic Offences;

“Minister” means the Minister responsible for communications, science and technology;

“multiple electronic mail messages” means a mail message, including electronic mail, electronic text messages and instant messaging, sent to more than one thousand recipients;

“owner” means the head of an institution;

“payment card” has the same meaning as ascribed to it in the Payment Systems Act, 2014;

“publish” means distributing, transmitting, disseminating, circulating, delivering, exhibiting, exchanging, bartering, printing, copying, selling or offering for sale, offering or making available in any other way;

“racist and xenophobic material” means any material, including any image, video, audio, recording or any other representation of ideas or theories which advocates, promotes or incites hatred, discrimination or violence against any individuals based on race, colour, descent or national or ethnic origin as well as religion;

“remote forensic tool” means an investigative tool, including software or hardware installed on or in relation to a computer system or part of a computer system and used to perform tasks that include keystroke logging or transmission of an internet protocol address;

“seize” includes —

  (a) activating any onsite computer system and computer data storage media;
  (b) making and retaining a copy of computer data, including by using onsite equipment;
  (c) maintaining the integrity of the relevant computer data;
  (d) rendering inaccessible, or removing computer data in the accessed computer system;
  (e) taking a printout of output of computer data; or
  (f) securing a computer system or part of it or a computer data storage medium;

“service provider” means a natural or legal person that provides to users of its service the ability to communicate by means of computer data or that stores computer data on behalf of such communication service or users of such service;

“Team” means the National Cyber Security Incident Response Team established by section 11;

“traffic data” means computer data that —

  (a) relates to communication by means of a computer system;
  (b) is generated by a computer system that is part of the chain of communication; and
  (c) shows the communication origin, destination, route, time, date, size, duration or the type of underlying services; and

“utilize” includes the developing, purchasing and adopting of a remote forensic tool.

PART II: CYBER SECURITY MANAGEMENT

The Council

3. (1) There is established the National Cyber Security Advisory Council which shall be responsible for coordinating cyber security matters among relevant parties and to advise the Government on matters regarding cyber security.

(2) The Council shall report to Government, through the Minister, regarding cyber security incidents and management.

(3) Members of the Council shall hold any of the following qualifications obtained from a recognized academic institution, with the appropriate level of experience:

  (a) cyber security and information;
  (b) law;
  (c) policy; and
  (d) finance.

(4) The Council shall be constituted as follows-

  (a) the Director-General Information Communication Technology, who shall be the Chairperson;
  (b) the Director – National Cyber Security Incident Response Team, who shall be the Secretary;
  (c) a representative of the Lesotho Communications Authority;
  (d) a representative from institutions of higher learning conducting research and development in cyber security;
  (e) a representative from the Central Bank of Lesotho;
  (f) a representative from the National Security Service; and
  (g) a representative from the Lesotho Mounted Police Service;
  (h) a representative from the Lesotho Defence Force;
  (i) a representative from the Lesotho Correctional Services; and
  (j) a representative from the Private Sector, who shall be from a mobile network operator.

(5) The Chairperson may co-opt up to two cyber security experts per meeting in order to provide advice to the Council.

(6) Members of the Council shall be nominated by the head of the organization they are to represent and be appointed by the Minister.

Tenure of office

4. A member of the Council shall hold office for a period of 6 years.

Functions of the Council

5. The functions of the Council shall be to-

  (a) advise the Government of Lesotho, through the Minister, on matters relating to cyber security in Lesotho including policy development and national cyber security strategies;
  (b) oversee the operations of the National Cyber Security Incident Response Team;
  (c) identify, validate, promote and sustain the adoption of cyber security best practices;
  (d) accelerate availability and adoption of effective measures to sustain security in the cyber space; and
  (e) promote cyber security awareness and a culture for cyber security in Lesotho.

Meetings of the Council

6. (1) The Council shall meet quarterly, at such times and places as the Chairperson shall determine.

(2) The Chairperson may convene additional meetings as may be necessary for the discharge of the functions of the Council.

(3) At meetings of the Council, five members shall form a quorum.

(4) Where the Chairperson is absent, members shall elect a chairperson from among themselves.

(5) The Council shall regulate its own procedures at its meetings.

Sitting allowances

7. A member of the Council shall be paid a sitting allowance to be determined by the Minister in consultation with the Minister responsible for finance.

Vacation of office

8. A member of the Council shall cease to be a member if he—

  (a) resigns from office by giving notice of one month, in writing, to the Minister;
  (b) is declared incapable of performing the duties of a member of the Council;
  (c) ceases to hold the office in the organization of which he was a representative in the Council;
  (d) has been convicted of an offence without the option of a fine; or
  (e) fails to attend three consecutive meetings of the Council without providing a valid reason to the Chairperson.

Filling of vacancy

9. The filling of a vacancy in the Council shall be done in accordance with section 3(3).

Reports of the Council

10. The Minister shall submit annual reports of the Council to the Parliament.

National Cyber Security Incident Response Team

11. (1) There is established the National Cyber Security Incident Response Team, which shall report to the Council.

(2) Team shall be a body corporate, with a common seal and perpetual succession, and shall be capable of —

  (a) suing and being sued; and
  (b) performing such acts as bodies corporate may, by law, perform.

Functions of Team

12. (1) Team shall be the main focal point for various national entities, and shall provide administrative oversight for sectoral cyber security incident response team structures (hereinafter referred to as “sectoral CSIRTs”) as the Minister may prescribe.

(2) Team shall –

  (a) provide cyber security incident response capabilities to the country;
  • provide technical assistance to law enforcement agencies when so requested;
  • provide reactive and proactive measures in protecting Lesotho against known and future cyber security threats or attacks;
  • provide Lesotho with cyber security intelligence, alerts, warnings, technical assistance, eradication of threats and recovery from cyberattacks;
  (b) (i) build awareness among the general population on how to be safe on cyberspace;
  (ii) build capacity for the sustained ability of the country to manage cyber security risks;
  • measure the overall preparedness of each sector against damage or unauthorized access to critical infrastructure;
  • undertake research on matters relating to cyber security and foster working relations with local research institutions on cyber related matters, as technology changes frequently and new cyber threats emerge;
  • foster international cooperation on cyber security issues between Lesotho and its peers, due to the borderless nature of the cyberspace;
  • act as a coordinating body for cyber security incident response teams that may be formed in Lesotho;
  • focus on strengthening skills and performance of the cyber workforce within Lesotho;
  • promote cyber security research, development and innovation within Lesotho; and
  • any other function as may be identified by Team and approved by the Council.

Appointment of the Director of Team

13. (1) There shall be a Director of Team, who shall be appointed by the Council after a competitive process.

(2) The Council shall appoint a person who holds professional qualifications, training or skills to perform the functions of the Director of Team, as may be prescribed.

(3) The terms and conditions of employment of the Director of Team shall be specified in the contract of employment.

(4) The Council shall not appoint as Director of Team any person who has been —

  (i) adjudged or otherwise declared insolvent and has not been rehabilitated or discharged; or
  (ii) convicted of a criminal offence of which dishonesty is an element.

Tenure of office of Director of Team

14. (1) The Director of Team shall hold office for a period of six years.

(2) The Council may terminate the appointment of the Director of Team—

  (a) for misconduct or misbehavior in terms of the code of conduct;
  (b) for inability, incapacity or incompetence to perform the duties of his office; or
  (c) if he materially breaches his contract of employment.

Functions of the Director of Team

15. The Director of the Team shall-

  (a) be responsible for the execution of the decisions of the Council;
  (b) be the Secretary of the Council;
  (c) oversee and manage the administration of Team;
  (d) appoint, remove and discipline staff of Team; and
  (e) exercise such powers as may be delegated by the Council.

Funding

16. (1) The Council and the staff of Team shall be funded from-

  (a) appropriation made to it by Parliament;
  (b) contributions from the sectoral CSIR teams to be determined by the Minister; or
  (c) any other lawful source.

(2) The Director of Team shall submit to the Minister, through the Council, an approved annual budget estimate to support operations for the following financial year.

(3) The Director of Team shall —

  (a) ensure that the financial books of Team are audited annually by an auditor appointed by the Auditor General;
  (b) submit an audited annual report to the Council; and
  (c) submit the audited report to the Minister at the end of the financial year to be presented in Parliament within three months of the end of the financial year.

Sectoral cyber security incident response teams

17. (1) The Minister shall, by Notice published in the Gazette, designate sectors which shall establish sectoral CSIRTs.

(2) Each sector shall, at its own cost, establish a sectoral CSIRT within six months of publication of this Act in the Gazette.

(3) If a sector identified in terms of subsection (1) fails to establish a sectoral CSIRT, the Minister shall, after consultation with such sector and on such terms and conditions as shall be agreed in order to give effect to subsection (1), establish such a sectoral CSIRT.

PART III - CRITICAL INFORMATION INFRASTRUCTURE

Designation of critical information infrastructure

18. (1) The Minister shall designate critical information infrastructure.

(2) The Minister may designate computer systems or any other systems as critical information infrastructure if a disruption of the system would result in –

  (a) the interruption of a life sustaining service or essential service, including the supply of water, health services, energy and transport;
  (b) an adverse effect on the economy of Lesotho;
  (c) an event that would result in massive casualties or fatalities;
  (d) failure or substantial disruption of the money market of Lesotho; or
  (e) adverse and severe effect on the security of Lesotho, including intelligence and military services.

Protection of critical information infrastructure

19. (1) The Minister may, after consultation with the Council and the owners responsible for the critical information infrastructure, publish in the Gazette a schedule of critical information infrastructure.

(2) The Council may issue guidelines for the protection of the critical information infrastructure, which shall be approved by the Minister.

(3) The Minister may, in respect of critical information infrastructure, issue directives to regulate

  • the categories of classification;
  • the protection, storing and archiving of data;
  • cyber security incident management;
  • disaster contingency and recovery measures which must be put in place;
  • minimum physical and technical security measures that must be implemented in order to protect the infrastructure;
  • the period within which the owner or person in control of an infrastructure must comply with the directives; and
  (j) any other relevant matter which is necessary or expedient in order to promote security of the infrastructure.

Obligations of the owner of critical information infrastructure

20. (1) The owner shall-

  (a) provide general management and protection of critical information infrastructure;
  (b) manage access to, transfer and control of data in any critical information infrastructure;
  (c) maintain the integrity and authenticity of data or information contained in any critical information infrastructure;
  (d) prescribe methods to be used in the storage or archiving of data or information in critical information infrastructure;
  (e) put in place and regularly test disaster recovery plans in the event of loss of the critical information infrastructure or any part of the critical information infrastructure;
  (f) carry out an audit and inspection on any critical information infrastructure in line with acceptable practices;
  (g) report to Team any incident likely to constitute a threat in the nature of an attack that amounts to a computer crime or cyber crime, and an action the owner intends to take to prevent the threat; and
  (h) submit an annual compliance report on the critical information infrastructure to Team.

PART IV: OFFENCES

Illegal access

21. (1) A person who intentionally and without lawful excuse accesses the whole or any part of a computer system commits an offence and is liable, on conviction, to a fine not exceeding M5,000,000 or imprisonment for a term not exceeding ten years or both.

 unauthorized access under subsection (1) is gained by infringing security measures or with the intent of obtaining computer data, a person convicted of the offence under subsection (1) shall be liable to fine not exceeding or imprisonment for a term not exceeding twelve years or both.

Illegal remaining

  • A person who intentionally and without lawful excuse, by infringing security measures or with the intent of obtaining computer data or other dishonest intent, remains logged in a computer system or part of a computer system or continues to use a computer system after the expiration of the time which he was allowed to access the computer system or part of the computer system commits an offence and is liable, on conviction, to a fine not exceeding M5,000,000 or imprisonment for a term not exceeding ten years or both. Illegal interception
  • Any person who dishonestly and without lawful authority, by use oftechnical means, intercepts a private transmission of computer data from or within a computer system commits an offence and is liable, on conviction, to a fine not exceeding M 10,000,000 or imprisonment for a term not exceeding fifteen years or both. Illegal datu interference
  • (1) Subject to subsection (4), a person who intentionally, without lawful excuse —
    • alters or damages computer data so as to make it lose its integrity or render it ineffective; or
      • interferes with the lawful use of computer data,

commits an offence and is liable, on conviction, to a fine not exceeding or imprisonment for a term not exceeding ten years or both.

  • A person who intentionally and without lawful excuse —
    • communicates, discloses or transmits any computer data, program, access code or command to any person not authorized to access the computer data, program, code or
      • accesses or destroys any computer data for purposes of concealing infonnation necessary for an investigation into the commission or otherwise of an offence; or
      • accepts computer data when not authorized to receive that computer data,

commits an offence and is liable, on conviction, to a fine not exceeding M5,000,000 or imprisonment for a term not exceeding ten years or both.

  • A person who intentionally and without lawful excuse alters or destroys computer data where such data is required to be kept or maintained by any law for the time being in force, or any evidence in relation to any proceeding under this Act, by —  creating, destroying, mutilating, removing or modifying data or a program or any other form of information existing within or outside a computer or computer network;
    • activating, installing or downloading a program that is designed to create, destroy, mutilate, remove or modi$’ data, a program or any other form of information existing within or outside a computer or computer network; or
      • creating, altering or destroying a password, personal identification number, code or method used to access a computer or computer network,

commits an offence and is liable, on conviction, to a fine not exceeding M7,500,000 or imprisonment for a term not exceeding twelve years or both.

  • A person shall not be liable under this section where —
    • he is acting pursuant to measures that can be taken under Part
      • he is acting in reliance of any other statutory power.
    • Where an offence under this section is committed in relation to data that is in a critical database or that is concerned with national security or the provision of an essential service, the person shall, on conviction, be liable to a fine not exceeding Ml or imprisonment for a term not exceeding fifteen years or both.
    • For purposes of this section, it is immaterial whether an illegal interference or any intended effect of the interference is permanent, temporary or was an attempt.

Illegal system interference

25. (1) A person who, with intent to hinder the proper functioning of a computer system –

  • inputs, transmits, deletes, alters or suppresses computer data; or
    • disrupts the use of a computer by any person,

commits an offence and is liable, on conviction, to a fine not exceeding M5,000,000 or imprisonment for a term not exceeding ten years or both.

  • A person who, with the intent of preventing proper use of a computer system, seizes or destroys any computer medium, commits an offence and is liable, on conviction, to a fine not exceeding  or imprisonment for a term not exceeding ten years or both.
    • Any person who willfully hinders or interferes with a computer system used in critical infrastructure operations, whether exclusively or generally, with the intention of affecting or impacting its lawful use, commits an offence and is liable, on conviction, to a fine not exceeding  or imprisonment for a term not exceeding fifteen years or both.

Data espionage

  • A person who, intentionally without lawful excuse or justification or in excess of a lawful excuse or justification obtains, for himself or for another, computer data which are not meant for him and which are specially protected against unauthorized access, commits an offence and is liable, on conviction, to a fine not exceeding M12,000,000 or imprisonment for a term not exceeding seventeen years or both.

Cyber terrorism

  • Any person who willfully and without lawful excuse uses a computer and information system to communicate information intended to seriously intimidate a population, destabilise or destroy the fundamental political, constitutional, economic or social structures of a country or an international organization or cause attacks upon persons which may lead to death, intimidation or kidnapping commits an offence and is liable, on conviction, to imprisonment for a term not exceeding twenty years.

Cyber extortion

  • Any person who unlawfully and intentionally commits any offence related to illegal access as contemplated in this Act, interception of, and interference with data for purposes of
  • obtaining any advantage from another person; or
    • compelling another person to perform or to abstain from performing any act,

commits an offence and is liable, on conviction, to imprisonment for a term not exceeding fifteen years.

Misuse of devices and software

  • (1) A person who

(a) intentionally, without lawful excuse or justification or in excess of a lawful excuse or justification, produces, sells, procures for use, imports, exports, distributes or otherwise makes available –

  • a device, including a computer program, that is designed or adapted for the purpose of committing an offence under this part;
    • a computer password, access code or similar data by which the whole or any part of a computer system is capable of being accessed; or
      • introduces or spreads a software code that damages a computer or computer system

with the intent that it be used by any person for the purpose of committing an offence under this Part; or

(b) has an item mentioned in subparagraph (i) or (ii) in his possession with the intent that it be used by any person for the purpose of committing any offence under this Part,

commits an offence and is liable on conviction, to imprisonment for a term not exceeding fifteen years, or a fine not exceeding Ml or both.

  • This section shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in subsection (1) is not for the purpose of committing an offence under this part, such as for the authorized testing or protection of a computer system.

Computer-related forgery

  • (1) A person who inputs, alters, deletes, or suppresses computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether or not the data is directly readable or intelligible, commits an offence and is liable, on conviction, to imprisonment for a term not exceeding seven years, or a fine not exceeding
  • If the offence referred to in subsection (1) is committed by sending out multiple electronic mail messages from or through computer systems, the penalty shall be imprisonment for a term not exceeding eight years or a fine not exceeding or both.

Computer-related fraud

  • A person who causes a loss of property to another person by —
    • any input, alteration, deletion or suppression of computer data; or
    • any interference with the functioning of a computer system,

with the fraudulent or dishonest intent of procuring an economic benefit for oneself or for another person, commits an offence and is liable, on conviction, to imprisonment for a term not exceeding ten years or a fine not exceeding M5 or both.

Child pornography

  • (1) For the purposes of this section, “child pornography” means any material that visually depicts a child engaged in real or simulated sexually explicit conduct, or any depiction of the sexual organs of a child, for primarily sexual purposes.
    • A person who, with the intention that it be used and distributed in an electronic or computer system —
      • produces child pornography, offers or makes it available to any person;       
      • distributes or transmits it through a computer system;
      • procures or obtains child pornography through a computer system for himself or for another person;
    • knowingly possesses child pornography in a computer system or on a computer-data storage medium; or
    • knowingly obtains access to child pornography through information and communication technologies,

commits an offence and is liable, on conviction, to imprisonment for a term not exceeding twenty years.

  • It is a defense to a charge of an offence under subsection (1) if the person establishes that the child pornography was for a bona fide law enforcement purpose.
    • A person who knowingly makes pornography available to one or more children through a computer system or facilitates the access by children to pornography through a computer system commits an offence and is liable, on conviction, to imprisonment for a term not exceeding twenty years.

Distribution of data message of intimate image without consent

  • (1) A person who makes available, broadcasts or distributes, by means of a computer system, a data message of an intimate image of an identifiable person knowing that the person depicted in the image did not give his consent to the making available, broadcasting or distribution of the data message, commits an offence and is liable, on conviction, to a fine not exceeding Ml or imprisonment for a term not exceeding five years or both.
    • For purposes of subsection (1), “intimate image” means a visual depiction of a person made by any means-
      • under circumstances that give rise to a reasonable expectation of privacy; and
      • in which the person is nude, or exposing his genital organs or anal region or, in the case of a female, her breast.

Identity-related crimes

  • A person who by using a computer system, transfers, possesses, or uses a means of identification of another person with the intent to commit, or to aid or abet, or in connection with any unlawful activity that constitutes a crime, commits an offence and is liable, on conviction, to imprisonment for a term not exceeding ten years or a fine not exceeding M5,000,000 or both.

Racist and xenophobic material

  • A person who intentionally, without lawful excuse or justification or in excess of a lawful excuse or justification-
    • produces racist or xenophobic material for the purpose of its distribution through a computer system;
    • offers or makes available racist or xenophobic material through a computer system;
    • distributes or transmits racist or xenophobic material through a computer system;
    • distributes racist or xenophobic material that may constitute a threat through a computer system;

commits an offence and is liable, on conviction, to imprisonment for a term not exceeding ten years or a fine not exceeding MS or both.

Racist and xenophobic motivated insult

  • A person who intentionally and without lawful excuse publicly, through a computer system, uses language that incites attacks and insults to-
    • persons for the reason that they belong to a group distinguished by race, colour, descent, national or ethnic origin, as well as religion, if used as a pretext for any of these factors; or
    • a group of persons which is distinguished by any of these characteristics,

commits an offence and is liable, on conviction, to imprisonment for a term not exceeding ten years or a fine not exceeding M5 or both.

Genocide and crimes against humanity

  • Any person who intentionally and without lawful excuse distributes, through a computer system, information intended to aid, induce or incite others to commit genocide or crimes against humanity, commits an offence and is liable, on conviction, to imprisonment for a term not exceeding twenty years.

Unsolicited messages

  • (1) A person who, intentionally without lawful excuse or justification-
  • uses a computer system to relay or retransmit multiple electronic messages, with the intent to deceive or mislead, or uses any electronic device that does not reflect the origin of such messages; or
    • materially falsifies header information in multiple electronic messages and intentionally initiates the transmission of such messages,

commits an offence and is liable, on conviction, to imprisonment for a term not exceeding six years or a fine not exceeding Ml or both.

  • It shall not be an offence under this Act where the transmission of multiple electronic messages from or through a computer system referred to in subsection (1) is done within customer or business relationships.

Disclosure of details of an investigation

  • Any person who receives an order related to a cyber crime investigation that explicitly stipulates that confidentiality is to be maintained, or such obligation is stated by law, and intentionally without lawful excuse discloses-
    • (a) the fact that an order has been made;
    • anything done under the order; or
    • any data collected or recorded under the order,

commits an offence and is liable, on conviction, to imprisonment for a term not exceeding seven years or a fine not exceeding  or both.

Cyber-bullying and harassment

  • (1) A person who intentionally, without lawful excuse –
    • initiates any electronic communication, with the intent to coerce, intimidate, harass, abuse, or cause emotional distress to a person; or
    • initiates offensive and obscene communication with the intent to disturb the peace, quiet and privacy of another person, whether or not a conversation ensues,

commits an offence and is liable, on conviction, to imprisonment for a term not exceeding three years, or a fine not exceeding M500,000 or both.

  • A person who intentionally and without lawful excuse initiates any electronic communication or uses a computer system with the intent to support severe, repeated and hostile behaviour commits an offence and is liable, on conviction, to imprisonment for a term not exceeding three years, or a fine not exceeding M500,000 or both.

Violation of intellectual property rights

  • Any person who, for commercial purposes, willfully uses any computer or electronic device to violate any intellectual property rights protected under any law or treaty applicable to intellectual property rights in Lesotho, commits an offence and is liable, on conviction, to imprisonment for a term not exceeding six years or to a fine not exceeding Ml or both.

Attempt, abetment and conspiracy

  • (1) A person who-
    • attempts to commit;
    • aids, abets or does any act preparatory to or in furtherance of the commission of; or
    • conspires with another to commit,

an offence under this Act, commits an offence and is liable, on conviction, to the penalty provided for such an offence under this Act.

  • For the purpose of this section, “attempt” shall have the meaning ascribed to it under the Penal Code Act of 2012³.

Publication of false information

43. A person who publishes information or data presented in a picture, text, symbol or any other form in a computer system knowing that such information or data is false, deceptive, misleading or inaccurate, and with intent to threaten, abuse, insult, mislead or deceive the public, or conceals commission of such an offence, commits an offence and is liable, on conviction, to a fine not exceeding M500,000 or imprisonment for a term exceeding five years or both.

Cyber squatting

  • A person who intentionally takes or makes use of a name, business name, trademark, domain name or other word or phrase registered, owned or in use by another person on the internet or any other computer network, without authority or right, commits an offence and is liable, on conviction, to a fine not exceeding M500,000 or imprisonment for a term not exceeding five years or both.

Social engineering attacks

  • A person who creates or operates a website or sends a message through a computer system with the intention to induce the user of a website or the recipient of the message to disclose personal information for an unlawful purpose or to gain unauthorized access to a computer system, commits an offence and is liable, on conviction, to a fine not exceeding  or imprisonment for a term not exceeding seven years or both.

Interception of electronic messages or money transfers

  • A person who unlawfully or without authority intercepts an electronic message or processes through which money or information is being conveyed commits an offence and is liable, on conviction, to a fine not exceeding Ml or imprisonment for a term not exceeding six years or both.

Willful misdirection of electronic messages

  • A person who willfully and maliciously misdirects electronic messages commits an offence and is liable, on conviction, to a fine not exceeding M1,000,000 or imprisonment for a term not exceeding six years or both.

Inducement to deliver electronic messages

  • A person who induces any person in charge of electronic devices to deliver any electronic messages not specifically meant for him commits an offence and is liable, on conviction, to a fine not exceeding M1,000,000 or imprisonment for a term not exceeding six years, or both.

Intentionally withholding messages delivered erroneously

  • A person who intentionally hides or detains any electronic mail, message; or payment card which was found by the person or delivered to the person in error and which ought to be delivered to another person, commits an offence and is liable, on conviction, to a fine not exceeding or imprisonment for a term not exceeding six years or both.

Unlawful destruction of electronic message

  • A person who unlawfully destroys or aborts any electronic mail or process through which money or information is being conveyed commits an offence and is liable, on conviction, to a fine not exceeding Ml or imprisonment for a term not exceeding six years or both.

Issuance of false electronic instructions

  • A person authorized to use a computer or other electronic device who, with intent to deceive, issues false electronic instructions, commits an offence and is liable, on conviction, to a fine not exceeding M1,000,000 or imprisonment for a term not exceeding six years or both.

Modification and interference with contents of a message

  • A person who intentionally and without lawful excuse modifies or interferes with the contents of any message sent by means of a communication service commits an offence and is liable, on conviction, to a fine not exceeding  or imprisonment for a term not exceeding six years or both.

Obligation of institutions

  • (1) Any activity on third party applications or platforms shall not be the liability of mobile network providers.
    • An institution that becomes aware that its computer system is involved in the commission of an offence under this Act shall-
      • report the offence to the law enforcement authorities within a period of not later than 24 hours; and
      • preserve any information which the law enforcement authorities may require for the investigation of the offence.
    • An institution which fails to comply with this section commits an offence and is, on conviction, liable to a fine not exceeding

Offences against critical information infrastructure or protected computer systems

  • Where a person commits an offence under this Act in relation to critical information infrastructure, that person is liable, on conviction, to imprisonment for a term not exceeding twenty-five years or a fine not exceeding Ml 5 or both.

Offence by body corporate or un-incorporate

  • If a corporate body is convicted of an offence under this Act, every person who, at the time of commission of the offence-
    • was a director, officer, or otherwise concerned with the management of the corporate body; or
    • knowingly authorized or permitted the act or omission constituting the offence,

shall be deemed to have committed the same offence, unless every such person proves that the commission of the offence took place without his consent or that he exercised due diligence to prevent the commission of the offence.

General provision on cyber crimes

  • Except as provided for in this Act, any offence, under any Act which is committed in whole or in part by use of a computer, electronic device or in electronic form is deemed to have been committed under that Act and the provisions of that Act shall apply.

PART V: JURISDICTION

Jurisdiction

  • (1) A court in Lesotho shall have jurisdiction to try any offence under this Act where the offence has been committed wholly or in part-

(a) within the territory of the Kingdom of Lesotho;

  • on a ship or aircraft registered in the Kingdom of Lesotho;
    • by a national of the Kingdom of Lesotho within the jurisdiction of any country;
  • by a person, irrespective of the nationality or citizenship of the person-

(i) when the offence is committed within the territory of the Kingdom of Lesotho;

(ii) if the offence is committed by means of equipment, software, or data located within the Kingdom of Lesotho, regardless of the location of the person; or

(iii) if the offence is directed against equipment, software or data located within the Kingdom of Lesotho, regardless of the location of the person.

Extradition

  • Any offence under this Act shall be considered to be an extraditable crime for which extradition may be granted or obtained under any extradition laws.

PART VI: PROCEDURAL LAW

Search and seizure

If a Court is satisfied, on the basis of an application by a law enforcement officer supported by affidavit, that there are reasonable grounds to believe that there may be, in a place, a computer system, device or computer data-

(a) that may be material as evidence in proving an offence; or

(b) that has been acquired by a person as a result of committing an offence,

the Court may issue a warrant authorizing a law enforcement officer, with such assistance as may be necessary, to enter the place to search and, where necessary, seize the computer system, device or computer data, including to search or similarly access-

(i) a computer system or part of a computer system, and computer data stored on it; and

(ii) a computer-data storage medium in which computer data may be stored, in the Kingdom of Lesotho.

  • If a law enforcement officer that is undertaking a search under this section has grounds to believe that the data sought is stored in another computer system or part of it in the Kingdom of Lesotho and such data is lawfully accessible from, or available to, the initial system, he is empowered to expeditiously extend the search or similar accessing to the other system.
    • A law enforcement officer that is undertaking a search is empowered to-
      • seize or similarly secure computer data accessed according to sub-sections (1) or (2);
      • maintain the integrity of the preserved data;
      • render inaccessible or remove the stored data or information from the computer system or any computer storage medium; or
      • (d) retain a copy of such data or information.
    • The search referred to in this section shall be conducted in accordance with the relevant laws regulating the conduct of search and seizure and the limitation of rights as enshrined in the Constitution.

Assistance

  • Any person who is not a suspect of a crime or otherwise excluded from an obligation to follow such order, but who has knowledge about the functioning of a computer system or measures applied to protect the computer data in the computer system that is the subject of a search under section 59, shall grant access to the computer system and assist, if reasonably required and requested by the person authorized to make the search by-
    • providing information that enables the undertaking of measures referred to in section 59;
    • accessing and using a computer system or computer data storage medium to search any computer data available to or in the system;
    • obtaining and copying such computer data;
  • using equipment to make copies; and
    • obtaining an intelligible output from a computer system in a format that is admissible for the purpose of legal proceedings.

Production order

  • If the Court is satisfied on the basis of the application by a law enforcement officer that computer data, or a printout or other information, is reasonably required for the purpose of criminal investigations or criminal proceedings, it may order that-
    • a person in control of a computer system produces from the system specified computer data or a printout or other intelligible output of that data; or
    • a service provider produces information about persons who subscribe to or otherwise use the service.

Expedited preservation

If a law enforcement officer is satisfied that there are grounds to believe that computer data, irrespective of type, that is reasonably required for the purpose of criminal investigations is particularly vulnerable to loss or modification, he may, by order of court given to a person in control of the computer data, require the person to ensure that the data specified in the notice be preserved for a period of up to fourteen days as specified in the order.

(2) The period referred to in subsection (1) may be extended beyond fourteen days if, after considering an application for extension, a court authorizes an extension for a further specified period of time.

Confidentiality of data

  • (1) A law enforcement officer or a person who is in control of computer data or a computer system shall keep the request for preservation and seizure of data, collection of traffic data or any other applicable data request confidential.
    • A law enforcement officer or other person who fails to comply with subsection (1) commits an offence and is liable, on conviction, to imprisonment for a term not exceeding six years or a fine not exceeding Ml or both.

Partial disclosure of traffic data

  • If a law enforcement officer is satisfied that computer data is reasonably required for the purposes of a criminal investigation he may, by an order of court given to a person in control of the computer system, require the person to expeditiously disclose relevant traffic data about a specified communication to identify-

(a) the internet service provider; or

(b) the path through which a communication was transmitted.

Collection of traffic data

  • (1) If the court is satisfied, on the basis of an application by a law enforcement officer supported by affidavit, that the traffic data associated with a specified communication is reasonably required for the purpose of a criminal investigation, he may order a person in control of such data to-
    • collect or record traffic data associated with a specified communication during a specified period; or
    • permit and assist a specified law enforcement officer to collect or record that data.
    • If the court is satisfied, on the basis of an application by a law enforcement officer supported by affidavit, that there are reasonable grounds to suspect or believe that traffic data is reasonably required for the purposes of a criminal investigation he may authorize a law enforcement officer to collect or record traffic data associated with a specified communication during a specified period through application of technical means.

Forensic tool

  • (1) If a court is satisfied, on the basis of an application by a law enforcement officer supported by affidavit, that in an investigation concerning an offence under this Act there are reasonable grounds to believe that essential evidence cannot be collected by applying other instruments listed in this Part but is reasonably required for the purposes of a criminal investigation, the court may authorize a law enforcement officer to utilize a remote forensic tool and direct access forensic tool with the specific task required for the investigation and install it on the computer system belonging to the suspect in order to collect the relevant evidence.
    • The information obtained by the use of the tool referred to in subsection (1) shall be protected against any modification, unauthorized deletion and unauthorized access.
    • The application referred to in subsection (1) shall contain the following information-
      • the person suspected of the offence, if known, and their name and address if available;
      • a description of the targeted computer system;
      • a description of the intended measure, extent and duration of the utilization, and
      • reasons for the necessity of the utilization.
    • It shall be a condition of the authorization referred to in subsection (3) that such investigation shall ensure that modifications to the computer system of the suspect are limited to those modifications essential for the investigation and that, if possible, any changes can be undone after the end of the investigation.
    • During the investigation, it shall be necessary to log-
      • the technical means used and time and date of the application;
      • the identification of the computer system and details of the modifications undertaken within the investigation; and
      • any information obtained.
    • The duration of authorization referred to in subsection (1) shall be limited to three months.
    • Where the conditions of the authorization referred to in subsection (1) are no longer met, the action taken shall be stopped immediately.
    • The authorization to install the tool referred to in subsection (1) shall include Council to remotely access the suspect computer system.
    • Where the installation process required physical access to a place, the requirements of section 41 shall need to be fulfilled.
    • A law enforcement officer may, pursuant to the order of court granted under subsection (1), request that the court order an internet service provider to support the installation process.

PART VII: LIABILITY

No monitoring obligation

  • When providing the services under this Part an internet service provider shall have no general obligation to monitor the data which it transmits or stores, or actively seek facts or circumstances indicating an unlawful activity.

Access provider

  • (1) An access provider shall not be criminally liable for providing access and transmitting information on condition that the provider-
    • (a) does not initiate the transmission;
    • does not select the receiver of the transmission; or
    • does not select or modify the information contained in the transmission.
    • The acts of transmission and of provision of access referred to in subsection (1) include the automatic, intermediate and transient storage of the information transmitted in as far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.

Hosting provider

  • (1) A hosting provider shall not be criminally liable for the information stored at the request of a user of the service, on condition that-
    • the hosting provider expeditiously removes or disables access to the information after receiving an order from a court of law to remove specific illegal information stored; or
    • the hosting provider, upon obtaining knowledge or awareness about specific illegal information stored by means other than an order of court, expeditiously informs the authorities to enable them to evaluate the nature of the information and, if necessary, issue an order to remove the content.

  • Subsection (1) shall not apply when the user of the service is acting under the authority or control of the hosting provider.
    • Where the hosting provider removes the content after receiving an order pursuant to subsection (1), no liability shall arise from contractual obligations with its customer to ensure the availability of the service.

Caching provider

  • A caching provider shall not be criminally liable for the automatic, intermediate and temporary storage of information performed for the sole purpose of making more efficient the onward transmission of the information to other users of the service upon their request, on condition that the caching provider-

(a) does not modify the information;

(b) complies with conditions of access to the information;

(c) complies with rules regarding the updating of the information, specified in a manner widely recognized and used by the industry;

  • does not interfere with the lawful use of technology, widely recognized and used by the industry, to obtain data on the use of the information; and
    • acts expeditiously to remove or to disable access to the information it has stored upon obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a court or the relevant authority has ordered such removal or disablement.

Hyperlinks provider

  • An internet service provider who enables the access to information provided by a third person by providing an electronic hyperlink shall not be liable for the information where the internet service provider –

(a) expeditiously removes or disables access to the information after receiving an order from any court to remove the link; or

(b) upon obtaining knowledge or awareness about specific illegal information stored by other ways than an order of court, expeditiously informs the relevant authorities to enable them to evaluate the nature of the information and, if necessary, issue an order to remove the content.

Search engine provider

  • A service provider who makes or operates a search engine that either automatically, or based on entries by others, creates an index of internet-related content or makes available electronic tools to search for information provided by a third party is not liable for search results on condition that the provider –

(a) does not initiate the transmission;

(b) does not select the receiver of the transmission; or

(c) does not select or modify the information contained in the transmission.

Other types of electronic service provider

  • Where an electronic communications service provider-
    • has not given rise to the information that has been transmitted;
    • does not select the recipient of the service; or
    • does not select or modify the information that has been transmitted,

it shall not be liable for offenses committed by the users of its service.

Offence and penalty

  • A service provider who is found to have acted outside the scope of the limitations of criminal liability provided in this Part is, on conviction, liable to the penalty specified for the offence committed.

PART VIII: MUTUAL LEGAL ASSISTANCE

Cooperation with other States

  • (1) Lesotho shall, in making a request for mutual legal assistance in any criminal or other related matter under this Act, or responding to a request from another State, comply with the provisions of the Mutual Legal Assistance in Criminal Matters Act, 2018⁴.
    • A requesting State may request mutual legal assistance for purposes of-
      • undertaking investigations or proceedings concerning offences related to computer systems, electronic communications or data;
      • collecting evidence of an offence in electronic form; or
      • obtaining expeditious preservation and disclosure of traffic data, real-time collection of traffic data associated with specified communications; or
      • performing any other power or function under this Act.
    • A requesting State may request to search, access, seize or secure, and disclose data stored by means of a computer system located within the Kingdom of Lesotho.
    • A requesting State may, in urgent circumstances, make a request for mutual assistance or communications related to it by expedited means of communication, including fax or e-mail, to the extent that such means provide appropriate levels of security and authentication, including the use of encryption where necessary, provided that formal correspondence shall follow within fourteen days, and the Government of the Kingdom of Lesotho shall accept and respond to the request by any such expedited means of communication.

PART IX: GENERAL PROVISIONS

Limitation of liability

  • The Government, Minister, public authority or any public officer shall not be liable in respect of the performance of any act or any omission where such act or omission was done in good faith and without gross negligence in accordance with the provisions of this Act.

Forfeiture of assets

  • (1) The court, in imposing sentence on any person who is convicted of an offence under this Act, may also order that the convicted person forfeit —
      • an asset, money or property whether real or personal constituting or traceable to gross proceeds of such offence; and
      • a computer, equipment, software or other technology used or intended to be used to commit or to facilitate the commission of such offence.
    • A person convicted of an offence under this Act shall forfeit his passport or international travelling document to the Government of Lesotho until he has paid the fines or served the sentence imposed on him.
    • Notwithstanding subsection (2), the court may-
      • upon the grant of a pardon by the King to the convicted person;
      • for the purpose of allowing the convicted person to travel abroad for treatment; or
      • in the interest of the public,

upon application, grant an order that the passport or travelling document of the convicted person be released to that person.

Regulations

  • (1) The Minister may, in consultation with the Council, make regulations for giving effect to the provisions of this Act.
    • The Minister may make regulations for the –
      • declaration of critical information infrastructure including, but not limited to, the identification, securing the integrity and authenticity of, registration, and other procedures relating to critical information infrastructure; and
      • liability of access providers, which regulations may include the security, functional and technical requirements for the purposes of Part VII.
    • The Council may, with the approval of the Minister, issue such guidelines as may be required for the implementation of this Act.

PART X: CONSEQUENTIAL AMENDMENTS

Amendment of Communications Act of 2012

(1) The Communications Act, 2012 is amended in section 44 (1) by deleting paragraphs (a), (e), (f) and (g).

Amendment of Penal Code Act of 2012

80. (1) The Penal Code Act is amended in section 62 by deleting sub-section (2).

1. Act No. 4 of 2012

2. Act No. 11 of 2014

3. Act No. 6 of 2012

4. Act No. 14 of 2018