The Africa Data Protection Conclave (“The Conference”) is themed Personal Data Protection and Cybersecurity: Action Points for the Rise of the Africa Knowledge Economy.
The Conference is structured along 4 distinct lines of intervention which include:
- The AU Convention on Cyber Security and Personal Data Protection: Understanding the Convention, its Challenges and Prospects.
- Comparative Review of the Regulation/Administration of Personal Data Protection and Cybersecurity Laws in Jurisdictions in Africa: Learning from the Best and Encouraging the Upcoming.
- Data Sovereignty, Intellectual Property Protection and the Africa Knowledge Economy: Debating the Myths, Realities, Possibilities and Solutions.
- Personal Data Protection and Cybersecurity Justice Administration in Africa: Practical Steps to getting Judicial Systems in Africa to Advance the Africa Knowledge Economy.
Over the next few weeks building up to the event, we will be taking a cursory look at each one of these lines of intervention. In this piece, we take a look at the AU Convention on Cybersecurity and Personal Data Protection.
A PRÉCIS OF THE AFRICAN UNION CONVENTION ON CYBERSECURITY AND PERSONAL DATA PROTECTION
The African Union Convention on Cybersecurity and Personal Data Protection (the “Malabo Convention”) was adopted at the Twenty-Third Ordinary Session of the Assembly of Heads of States and Governments, held in Malabo, Equatorial Guinea on 27th June 2014. So far, of a total of 55 countries that adopted the Malabo Convention, 14 have signed, 8 have ratified and 8 have deposited an instrument of accession with the African Union. The Malabo Convention aims to deal with various aspects of Information Technology such as Electronic Transactions, Personal Data Protection, Cybersecurity and Cybercrimes. The objective of the Malabo Convention is to set out the essential rules for establishing a credible digital environment and address the gaps affecting the regulation and legal recognition of electronic communications and electronic signature. It is also concerned with the absence of specific legal rules that protect consumers, intellectual property rights, personal data and information systems and privacy online.
2. How does the Malabo Convention aim at ensuring cybersecurity and personal data protection?
Relevant key provisions of the Malabo Convention are:
- It sets forth security rules essential for establishing a credible digital space for electronic transactions, personal data protection and combating cybercrime.
- Each State is expected to commit to establishing a legal framework aimed at strengthening fundamental rights and public freedoms, protection of physical data, and punishing any violation of privacy without prejudice to the free flow of personal data.
- State parties are also expected to adopt legislative and/or regulatory measures as they deem necessary to confer specific responsibility on institutions and their officials in relation to their responses to cybersecurity incidents, coordination and cooperation in the field of restorative justice, forensic investigations, prosecutions, etc.
- State parties are charged with the responsibility for clear accountability in matters of cybersecurity at all levels of Government, by defining their roles and responsibilities in precise terms.
- It requires a national protection authority to be established as an independent administrative authority with the task of ensuring that processing of personal data is duly regulated. Relatedly, members of Government, persons carrying out the functions of business executives and persons with shares in businesses in the information and communication technologies sector cannot be members of the national protection authority.
- Processing of certain kinds of personal data, both general and sensitive, may only be undertaken upon an authorization principle from the national protection authority.
- The processing of personal data by a public institution or for public reasons must comply with the legal requirements set out under a regulatory act, after an informed advice of the protection authority.
- Each State is also expected to develop public-private partnerships as a model to engage industry, the civil society, and academia in the promotion and enhancement of a culture of cybersecurity.
- Seeing as the issues of cybersecurity and personal data protection transcend borders, the Malabo Convention encourages international partnerships which aim to regulate issues of double criminal liability, exchange of information between State Parties, and response to cyber threats.
Overall, the Malabo Convention is a worthy piece of international legislation. It attempts to eliminate conflict of interest in State Parties’ policy management, by excluding leadership of industry parties in the administration of cybersecurity and personal data laws. It creates a string of checks and balances in the processing of personal data, through a procedure that requires pre-approval of any form of processing likely to gravely affect the personal rights of citizens. It is further inclusive of the private sector in creating a culture of cybersecurity.
While the Malabo Convention appears to have a good grip on the essentials for the promotion of cybersecurity and protection of personal data, its greatest challenge may well be its state of dormancy until it goes through a State Party’s rigorous legislative process.
The adoption by all countries of appropriate legislation against the misuse of information and communication technology, for criminal or other purposes, and for the protection of personal data, remains both critical and central to achieving global information management. The Malabo Convention offers just that, as an essential piece of legislation which may well bridge the gap that transcends international borders on this delicate international issue.
This conversation will be further explored during a Panel Session at the Conference on Thursday, 15th October 2020.