The African Union Convention on Cybersecurity and Personal Data Protection (the “Convention”), 21 July 2014
The Convention was adopted during the 23rd Ordinary Session of the Summit of the African Union which concluded in Malabo, Equatorial Guinea on 27 June 2014. The Convention, which for the first time substantively brings the language of ‘protection of personal privacy’ to this level, seeks to establish a legal framework for Cyber-security and Personal Data Protection especially in the context of e-commerce. It builds on the existing commitments of African Union Member States at sub-regional, regional and international levels to build the Information Society. The adopted version is an improvement on the earlier version, which was widely criticised by several stakeholders, including by civil society groups, particularly for its failure to adequately protect the right to privacy.
Strengths at a glance
The Convention acknowledges the importance of adherence to national constitutions and international law, for instance in its preamble the Convention states that the establishment of a regulatory framework on cyber-security and personal data protection should take into account the requirements of respect for the rights of citizens, guaranteed under the fundamental texts of domestic law and protected by international human rights Conventions and Treaties, particularly the African Charter on Human and Peoples’ Rights. This requirement is emphasised more than once in the text
Importantly, the Convention enjoins states parties to establish legal and institutional frameworks for data protection and cybsecurity. However in the case of cybersecurity, states could either establish new institutions or use pre-existing ones. This requirement, if properly applied, might help bring an element of accountability in the manner in which the police and security services work and are governed on the continent.
The Convention also outlines the principles that ought to be adhered to in processing personal data, such as consent and legitimacy; lawfulness and fairness; purpose, relevance and storage of processed personal data; accuracy; transparency as well as confidentiality and security of personal data. It further enjoins state parties to prohibit any data collection and processing, without consent, that reveals racial, ethnic and regional origin, parental affiliation, political opinions, religious or philosophical beliefs, trade union membership, sex life and genetic information or, more generally, data on the state of health of the data subject, except under certain exceptional circumstances.
Weaknesses at a glance
Firstly, given the inherent weaknesses of most African security sector mechanisms, in particular, the partisan and compromised nature of the state security and population data registration sectors, the Convention could have included a requirement for strong of judicial oversight in order to strengthen the protection of the right to privacy and restrain political influence on data management, specifically data in transit, storage, cloud or at rest.
Secondly, although the Convention enjoins state parties to enact laws that take into account their constitutions and international conventions, it only overemphasizes the African Charter. Given that the African Charter does not have an explicit right to privacy in relation to access to information and processing of personal data, this creates a gap that needs to be filled.
There are also many instances where the Convention appears to put national sovereignity and discretion over international law, for example, under Chapter 3 on Promoting cybsecurity and fighting cybercrime, it uses the phrases as, ‘as it deems necessary, as it deems appropriate and as it deems effective’. Such wide discretion, gives states, especially undemocratic ones, room to abuse these powers. This is especially the case since the Convention does not explicitly outline the minimum threshold that national constitutions, legal frameworks and laws should meet and comply with. In this regard, an explicit reference to international law would have been helpful.
Giving states parties’ wide discretion on the content of the laws and their constitutions is not in line with the current international best practice and recommendations on the issue. Of relevance in this instance, the Human Rights Committee provided important guidance in its General Comment 16 on the interpretation of article 17 of the International Covenant on Civil and Political Rights. According to the Committee, the term “unlawful” means that no interference can take place “except in cases envisaged by the law. Interference authorized by States can only take place on the basis of law, which itself must comply with the provisions, aims and objectives of the Covenant” [emphasis added].
Also of concern, while Article 15 relating to interconnection of personal data files is a positive development from both commercial and social protection schemes points of view, given that the Convention does not specify the minimum thresholds to be met by the proposed legal frameworks, the instances of creation of big data and data sharing without strict conditions and basic judicial supervision would certainly lead to increased state surveillance and monitoring thus leading to erosion of privacy and other civil liberties.
Such practice has been widely criticised in countries such as Zimbabwe where parliament recently passed an adverse report on the SIM card registration scheme. The scheme involved, inter alia, the creation of a shared database as envisaged under the Convention. In addition, press reports have recently reported on how Zimbabwe is allegedly setting up High Level Computer (HCL) project which entails the establishment of a super-information laboratory that would aggregate information from virtually all government departments and the private sector for planning, research and development purposes. Thought to be the first of its kind in Africa, it is also being reported how state authorities had infiltrated the facility.
The above weaknesses, are by no means a lack of acknowledgement that the African Union Convention lays a progressive foundation, that might for the first time, encourage states to shed light on the vital area of security service which most people perceive as dark and in need of transparency. However, on the continental level, in addition to the Convention, the African Union should take one more step by introducing the right to privacy in the African Charter. They could, for example, introduce an Optional Protocol in line with recommendations we make in our paper presented at the NGO Forum of the African Commission 55th Session.
Secondly, while most African states have taken commendable steps to include the right to privacy in their national constitutions, according to articles ‘Internet Governance: Why Africa should take the lead and ‘Global Data Privacy Laws: 89 Countries, and Accelerating; in Africa only 11 countries have enacted national freedom of information/ expression laws and eight African Countries on the right to privacy/ data protection. African states should therefore take immediate steps to adopt data protection laws and fortify constitutional provisions in line with the Convention, despite its weaknesses pointed out above. For more information and analysis on this subject on why Africa should take measures to protect the right to privacy in the digital age, please read our Briefing paper here.