Africa moves towards a common cyber security legal framework

For several years, African states have been working towards common cyber security norms and regulations through the African Union (AU). Over June 20-27, the AU Heads of State will be meeting where they’re expected to adopt a new Convention on Cyber Security and Personal Data Protection. While Access and other partners criticized an earlier draft of the Convention, the rewritten draft has yet to be released to the public, even as it races closer to adoption.

Background

Since 2009, the African Union (AU), has engaged in efforts to harmonize various information and communications technology (ICT) regimes particularly around cyber security laws. Discussions about establishment of a common framework have been ongoing since a 2009 directive, the Oliver Tambo Declaration. In 2013, a draft African Union Convention on the Confidence and Security in Cyberspace (AUCC) was made pursuant to the resolution of the Assembly of Heads of State and Government of the African Union and was published on the African Union website for discussion from the African internet community. Major concerns were then voiced around this draft, and in May 2014 it was revised to a final version of the Convention, which is now set to be approved by African Heads of State at the end of June.

Delay in Passage

The AUCC was scheduled to pass during an AU meeting in January 2014, but was delayed as a result of protests from the private sector, civil society organizations, and privacy advocates, who had very little involvement in the process. Several leading voices in African internet policy spoke out against the draft Convention, including: KICTANet and ISOC-KE in Kenya, and on the I-Network list moderated by the Collaboration on International ICT Policy in East and Southern Africa (CIPESA) as well as by ISOC -Uganda. Access also raised concerns and transmitted comments about the previous draft.

According to a presentation from the African Union, telecom/ICT experts were involved in the drafting process and discussions. However, it is unclear who these experts were, what sectors they came from, or how they were chosen.

The AUCC was supported by some government stakeholders and regional multilateral entities, but many in the internet community opposed it, as the treaty contained a number of provisions that could violate user privacy, chill online expression, and endanger other rights.

On May 12 and 13, 2014, a meeting of experts from the AU members’ justice ministries undertook a thorough review of the AUCC; on May 15th, it was adopted and scheduled for presentation at the 23rd African Union Summit, 20 – 27 June 2014 to be held in Malabo, Equatorial Guinea. The AUCC was adopted as the “African Union Convention on Cyber Security and Personal Data Protection.”

The final outcome of the AUCC has not yet been released and Access cannot confirm whether the concerns raised with the previous draft were addressed. Without transparency, it is very difficult for civil society and other stakeholders to play a meaningful role in the drafting and political process around this potentially far-reaching convention. Given that the previous draft raised a number of concerns from civil society, negotiating this kind of convention in the dark, raises a number of human rights and legitimacy concerns. In the absence of having the final text, we thought it might be helpful here to highlight the concerns that were raised with the previous version, the AUCC.

Contentious Provisions that caused delay of transmission to heads of State and Government

In short, the draft convention includes provisions on electronic commerce, personal data protection, cybercrime — with a special focus on racism, xenophobia, and child pornography — and national cybersecurity. It also encourages member states to promote cybersecurity education for information technology professionals and to add to their legal codes criminal offences for hacking computer systems. Below, we will expand on the problematic issues we identified in the draft text.

Infringing on the right to privacy

Articles II (8); II (9); II 28(2); and II 36(9) of the draft AUCC, allow African states to process personal and sensitive data without the owner’s consent for the purpose of state security and the public interest. Furthermore, the government doesn’t have to go before a judge to get approval to violate user privacy in this way, leaving the door open for abuse.

Article I (4) of the convention compels a person or corporation engaging in electronic financial transactions (e.g M-PESA) to provide full identity information as prescribed in the clause such as his/her name, identification number, and contact information among other information. This provision puts personal information at risk, given the fact that very few African countries have comprehensive data protection laws. One does not need to look far to see the kind of abuse that can occur in this environment. Recently, a number of Kenyans were unknowingly registered with various Kenyan political parties without their consent; Safaricom, a major African telecom suggested that M-PESA agents might have sold M-PESA registration and transaction records to the political parties.

Lack of limitations on judicial power

Article III (55) provides for , “…the investigating judge [to] use appropriate technical means to gather or register in real time the data in respect of the content of specific communications in its territory, transmitted by means of a computer system…” The provision empowers judges to assume the role of the prosecutor in both common law and civil law African countries and does not provide checks and balances to ensure a separate investigation and adjudication process.

Looking forward

Already, we can see that advocacy initiatives by individuals, civil society, and academia representatives have had an impact on this process. During Africa ICT Week in December 2013, officials from the African Union Commission met with individuals, civil society, and academia representatives who were opposed to the initial draft. At the meeting, the AU Commission agreed to examine input received by concerned stakeholders and provide explanation and justification regarding areas of disagreement.

We note that this new document is named, the “African Union Convention on Cyber Security and Personal Data Protection” as opposed to the previous draft, the “African Union Convention on the Establishment of a Credible Legal Framework for Cyber Security in Africa. Though the final outcome of the convention has yet to be released, we can only hope that the change of name is an indication of a shift in focus to Personal Data Protection and that the human rights concerns highlighted above are addressed. However, given the opacity of the process, it’s hard to know.

Stay tuned! We’ll have more analysis once the final text is published.

For additional analysis of the  draft African Union Convention on the Confidence and Security in Cyberspace please see: