Mixed Feedback on the ‘African Union Convention on Cyber Security and Personal Data Protection’

In its latest biannual summit in January 2015, the African Union (AU) adopted the Agenda 2063 framework which, among other areas, addressed the development of information and communications technologies. As a prominent recent example of AU’s work in the area, the Conventionon Cyber Security and Personal Data Protection was adopted in July 2014. The Convention is welcomed as an initial step to create a legislative framework for cyber security and data protection in the African region. However, many question the vague provisions that may cause misuse by governments.

Convention finally adopted

The Convention was first drafted in 2011 and previous versions of the document were criticised mainly by the private sector, civil society organisations, and advocates of privacy who reportedly had had limited influence on its development. (Gareth van Zyl, ‘Adoption of “flawed” AU cybersecurity convention postponed,’ ITWeb Africa, 21 January 2014.) The Convention was expected to be adopted in the 22nd AU summit in January 2014, but the process was postponed as many opposed the treaty claiming that it included provisions which would endanger privacy or limit the freedom of speech (see INCYDER news). To review the Convention in light of the criticism, the AU held a meeting of experts in May 2014. The final document adopted in July 2014 has received both positive and negative feedback as presented below.

Creating a necessary legislative framework

The mere fact that the AU has passed overarching legislation on matters of cyber security is already a significant development in a continent often viewed as a safe haven for cyber criminals. (Eric Tamarkin, ‘The AU’s Cybercrime Response. A Positive Start, but Substantial Challenges Ahead, Policy Brief 73 (Institute for Security Studies, January 20, 2015), The Convention addresses three main areas that are often seen (See, for example: United Nations Economic Commission for Africa, ‘Tackling the challenges of cybersecurity in Africa,’ Policy Brief, Issue number NTIS/002/2014.  Paul Tentena, ‘Cyber crime on the increase in Africa,’ East African Business Week, 31 March 2014,  and Richard Medugno, ‘Africa: A New Safe Harbor for Cybercriminals,’ Trend Micro Fearless Web, 15 April 2014.) as either not regulated or substantially dealt with by the governments in the region: (1) electronic transactions, (2) personal data protection, (3) cyber security and cybercrime. It has also been welcomed (The Zimbabwean, ‘The African Union Convention on Cybersecurity and Personal Data Protection’ 21 July 2014.) that the Convention highlights the importance of adhering to national constitutions and international human rights law, with a particular emphasis on the African Charter on Human and Peoples’ Rights.

In addition, for example, Article 24 of the Convention states that each state party should develop a national cyber security policy. Furthermore, Article 25 focuses on the legal measures to be developed to create legislation on cybercrime, to set responsibilities to national institutions, and to ensure the protection of critical information infrastructure. Together with other similar provisions, the treaty also outlines many safeguards for citizens with regard to processing personal data (e.g., see the principles set in Article 13).

Vague provisions may give room for misuse

On the other hand, many provisions contain unclear terms that could give too much room for interpretation. For example, critics1  for example, see usage of ‘insult’ in Article 29.3.1.g:

[State Parties shall take the necessary legislative and/or regulatory measures to make it a criminal offence to:]

g) Insult, through a computer system, persons for the reason that they belong to a group distinguished by race, colour, descent, national or ethnic origin, or religion or political opinion, if used as a pretext for any of these factors, or against a group of persons distinguished by any of these characteristics;

As a general comment regarding personal data protection and cyber security requirements, the Convention has been criticized for not specifying clear minimum thresholds, giving many governments the option to avoid implementing substantial regulation. ((The Zimbabwean, ‘The African Union Convention on Cybersecurity and Personal Data Protection’ 21 July 2014)

Effects yet to be seen

The Convention will enter into force 30 days after the 15th instrument of ratification or accession is deposited, meaning that it will take some time for the document to have an effect on the region. Implications of the document are also to be seen as State Parties can ratify the treaty with reservations. At the moment, no government has ratified the treaty. ((Daniel Finnan, “Africa: Lack of Laws Governing Cybercrime Making Africa a Safe Haven for Cybercriminals,” Radio France Internationale, 16 February 2015)

Henry Rõigas

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.

  1. Peter Ugwu, ‘Analyst Picks Holes in Proposed AU Cybersecurity Convention’ Nigeria Communications Week, January 8, 2014, Joel Macharia, ‘Africa Needs A Cybersecurity Law but AU’s Proposal is Flawed, Advocates Say,’ techPresident, 31 January 2014) have highlighted that the Convention could allow for many exceptions for processing personal data without the data subject giving consent. See Article 14.2.i explaining that an exception can be based, among other conditions, on a ‘public interest’:

    “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority or assigned by a public authority vested in the controller or in a third party to whom data are disclosed.”

    Some provisions are also seen ((Access Policy Team, ‘African Union adopts framework on cyber security and data protection’, Access blog, 22 August 2014) as possibly giving too much authority to ‘courts’ or ‘investigating judges’ to access personal data and conduct surveillance. For example, see Article 31.3a:

    “State Parties shall take the necessary legislative measures to ensure that where the data stored in a computer system or in medium where computerized data can be stored in the territory of a State Party, are useful in establishing the truth, the court applied to may carry out a search to access all or part of a computer system through another computer system, where the said data are accessible from or available to the initial system;”

    The usage of vague definitions that could be abused to limit the freedom of speech has also been highlighted; ((Ibid. []