The African Union Convention on Cyber Security and Personal Data Protection: Key Insights
Josephine Kaaniru | July 24, 2023 | Data Protection
Technological advancement often outpaces regulation, as has been the case in cyber-security matters on the African continent. This has resulted in gaps in cyber security regulation, as legislators clamour to effect amendments to reflect new crimes occurring on the internet. The cross-border nature of cybercrime has posed an enormous challenge for African legislation since isolated national guidelines and regulations do not adequately fight crime. In recognition of this enormous threat, the African Union (AU) acknowledged the need for regional and national cybercrime strategies to protect individuals, infrastructure and national security. It was also crucial for policymakers to consider the unique African experience of cybercrime by framing principles and guidelines that reflect African values.
The African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) was adopted in 2014 at the 23rd AU Assembly of Heads of State and Government to address the regulatory challenges posed by increasing cybercrime on the continent. It also aimed to provide a framework for compatible legislation by member states. The Malabo Convention entered into force on 8 June 2023 after receiving the required minimum of 15 ratifications from AU Member States, as per its provisions. So far, the countries that have ratified the Convention, and are therefore bound by it, are Benin, Cape Verde, Côte d’Ivoire, Congo, Ghana, Guinea, Mozambique, Mauritius, Namibia, Niger, Rwanda, Senegal, Togo, Zambia, and Mauritania. All of these signatories, other than Mozambique and Namibia, have enacted data protection or cybersecurity legislation.
Countries with data protection legislation have catered to the main provisions on the rights of data subjects, established mechanisms for transparency and accountability, and provided guidance on the rules governing cross-border data transfer. For instance, Benin’s data protection law No. 2009-09: Dealing with the Protection of Personally Identifiable Information (PII), has been complemented by the 2017 law, Book V of the 2017 Digital Code of the Republic of Benin: Protection of Personal Data. Although the two laws are similar and overlap on certain provisions, Book V extends the provisions on the collection, storage and processing of personal data, and adds provisions on automated decision-making. The Act also caters to the principles of transparency and accountability: the individual is entitled to notification of data processing and of data breaches. In addition, legal remedies for data breaches are provided for under civil liability provisions. The law prohibits cross-border data transfers unless the destination country has data protection measures in place, the data subject has consented, or the transfer is necessary for the performance of a contract or serves the public interest.
Additionally, the Malabo Convention signatories, including Benin, Cape Verde, Côte d’Ivoire, Congo, Ghana, Guinea, Mauritius, Niger, Rwanda, Senegal, Togo, Zambia, and Mauritania, with the exception of Mozambique and Namibia, have duly laid the groundwork for the establishment of data protection authorities as the main regulators of data protection activities, since these authorities are empowered to conduct investigations and issue administrative penalties and recommendations. For instance, the Niger Law No. 2019-71 of 2019 outlines the role of the Haute autorité de protection des données à caractère personnel (HAPDP), a data protection authority, in ensuring the protection of human rights in data processing by receiving complaints and issuing administrative penalties.
According to UNCTAD, Africa’s prevalence of dedicated cybercrime laws stands at 72%, with thirty-nine countries having enacted legislation, two with draft legislation and twelve with no legislation. Some of the Malabo Convention signatories have established legislation on cybercrimes after 2014, such as Benin with its Loi No.10/2011 loi portant contre la corruption et autres infractions connexes. Ghana has established the Cybersecurity Act to complement the existing Electronic Communication Act 2008, which calls for the establishment of the National Computer Emergency Response Team (CERT). The CERT must, together with the Sectoral Computer Emergency Response Teams, respond to and resolve cybersecurity incidents in the country.
Unfortunately, African governments are at different stages of establishing cyber security policies due to inadequate resources and know-how, which exposes various government institutions to cyber espionage and terrorism.
Salient Provisions and Concerns
The Malabo Convention provides guidelines for signatories, including definitions of salient cyber security and data protection concepts, guidelines on e-commerce contracts, the processing of sensitive personal information, data security procedures, and provisions on establishing national data protection bodies, which are to inform data subjects and controllers of their rights and duties, receive claims and complaints regarding data protection, and impose sanctions on data controllers in response to breaches. The definitions and provisions are crucial for establishing effective and harmonised national policies, especially considering the limited know-how in most African governments on cyber-security matters.
Data protection is a significant issue arising in cyber security conversations on the continent; hence the Convention reiterates the rights of data subjects, such as the rights to information and access, to object to data processing and disclosure to third parties, and to rectification and erasure of data. This provides an excellent framework for personal data protection in the African context, in recognition of the crucial role of big data in everyday cyber activity. The importance of privacy and data protection also arises in these provisions, where the Convention seeks to ensure that data processing in Africa adheres to principles of human rights and the fundamental freedoms of the people. To this end, the regulations governing personal data processing, such as consent and legitimate processing, adherence to the law and fairness, relevance and necessity of processing, accuracy, transparency, and confidentiality, are provided as best practices to guide member states.
The Convention extends the data protection mission to the regional level by creating a framework for harmonised data processing and cross-border transfer, considering the cross-border nature of cybercrime and the digital environment. To this end, it requires members to develop the legal and institutional frameworks for data protection, to ensure that data processing and transmission are lawful, fair and transparent. Member states must also develop national strategies in harmony with the Convention, create governing institutions for cyber security stakeholders, and create legislation with specific cyber security provisions.
Notably, international cooperation is a significant theme in the Convention, where member states are to promote cooperation and harmonisation by creating National Computer Emergency/Incident Response Teams (CERTs/CIRTs) to facilitate information exchange. It is also necessary to embrace multilateral information and evidence sharing and mutual legal assistance agreements to promote regional and international cooperation in cyber-security matters. Under the Convention, member states must also adopt efficient enforcement measures and monitor and evaluate their legislation to determine its effectiveness.
Key Impacts for Sub-Saharan Africa
Since its inception, the Convention has pushed many countries in Sub-Saharan Africa to enact their data protection regulatory frameworks, as per its ambition to mobilise public and private actors to promote cyber security. This has seen states like Kenya, Nigeria, Ghana, and South Africa establish comprehensive data protection provisions in compliance with the Convention, to provide for rights and principles of data protection similar to those reflected in the Convention and other related instruments. It has also expanded the cyber security conversation and capacity-building efforts among government bodies, civil society organisations and private players engaged in the diffusion and adoption of broadband in rural areas. Finally, there has been an increased effort to establish cyber-security standards, which have significantly increased cyber protections and decreased reported crimes. For instance, Rwanda established the Rwanda Information Society Authority (RISA) to oversee the cyber-security regulatory framework, which increased cyber-security capacity in the country.
The Convention has also promoted digital inclusion by outlining provisions protecting the rights of data subjects and the duties of data controllers and processors. The defined rules and standards for data protection empower data subjects by granting them the rights to have, rectify and delete their personal data as they wish. Clear data protection guidelines have also increased the number of data controllers and processors in Nigeria, which recorded a 600% growth in numbers in 2021 after the enactment of the Nigeria Data Protection Regulation (NDPR) in 2019, which spurred digital business growth. Beyond the NDPR of 2019, the Malabo Convention has also spurred the recent enactment of the Nigerian Data Protection Act, 2023, which continues this data protection mission by creating the Nigeria Data Protection Commission as the principal enforcer of the Act.
Considering the international nature of cyber security, the Malabo Convention has encouraged cross-border data flow among African states while protecting data subjects by ensuring that their data is well-protected across borders. E-commerce players like Jumia are likely to be governed under this cross-border framework, as the Convention provides that e-commerce activities are to occur freely in all State Parties to the Convention, except where e-commerce involves legal advice, the services of a notary or gambling.
Major Challenge & Insights
Notably, there are variances in the implementation of enacted laws on personal data protection among AU member states, which limits the ability of authorities to enforce cyber security measures. As such, data protection frameworks should be harmonised across the continent to spur more cross-border investigative information sharing, data transfers and e-commerce. This mission requires coordinated data protection frameworks to inspire consumer confidence and digital enterprise. It also raises the issue of jurisdiction in the cloud computing era, where geographically distributed data centres and servers support computer services. Other similar instruments, such as the Council of Europe Convention on Cybercrime (CoECC), address the issue of jurisdiction in recognition of the challenges of regulating cybercrime when a crime is committed by a national of one state on its territory, on board an aircraft or on a vessel flying the state’s flag.
Provisions on jurisdiction ensure that no cybercrime goes unpunished, especially in ambiguous situations regarding borders. They provide guidelines for international cooperation in the context of prosecuting cybercrimes. For instance, where a cybercrime is committed by a national of state X on an aircraft registered in state X while in the airspace of state Y, a lack of legal harmony among the involved states may leave the perpetrator unpunished if, for instance, states X and Y prosecute on different bases (e.g. X prosecutes based on the nationality principle, while Y prosecutes on the territoriality principle). Hence, jurisdictional guidelines at the regional level are necessary to provide an overarching framework. The Council of Europe Convention on Cybercrime is an example of best practices since it has jurisdictional provisions enabling extradition, proper evidence collection across borders and mutual assistance in cybercrime prosecutions. While it recognises the importance of international cooperation in preventing and prosecuting cybercrimes on the continent, the Malabo Convention lacks substantive provisions on jurisdiction and extradition of cyber criminals. It recommends mutual assistance among states, information sharing among Computer Security Response Teams and Computer Emergency Response Teams, and Public-Private Partnerships (PPPs) to improve cybercrime prevention and prosecution. As such, in addition to the harmonised implementation of cyber laws on the continent, it is notable that the Malabo Convention’s lack of jurisdiction and extradition provisions leaves room for improvements in the efforts to increase cooperation when prosecuting cybercrimes on the African continent.
The coming into force of the Malabo Convention marks a continued progression towards regional regulation of data protection, cyber security and emerging technologies on the African continent. Since its adoption, the Convention has spurred the domestication of data protection and cyber security legislation in African countries such as Benin, Cape Verde, Ghana and Niger, which have provisions for the rights of data subjects and have created data protection authorities as the independent bodies in charge of enforcing the data protection laws. The Convention provides for the cross-border transfer of data, in consideration of the international nature of cyber activities, in the form of e-commerce.
As discussed, the Convention’s call for international cooperation in maintaining cyber security is in recognition of the cross-border nature of data and cyber security, as it calls for cooperation and harmonisation of cyber security efforts among state parties. However, the lack of jurisdictional and extradition provisions in national cyber security laws leaves gaps in the enforcement of individual data rights. Hence, the continued domestication of the Malabo Convention is increasing the prevalence of cyber laws, even as there are calls for more harmonisation and cooperation among African policymakers.