African Union adopts framework on cyber security and data protection

Without much media attention, the heads of state of the African Union (AU) agreed to a landmark convention this summer affecting many aspects of digital life.

In June, leaders in the AU, a group of 54 African governments launched in 2002, met at the 23rd African Union Summit and approved the African Union Convention on Cyber Security and Personal Data Protection.

The Convention covers a very wide range of online activities, including electronic commerce, data protection, and cybercrime, with a special focus on racism, xenophobia, child pornography, and national cybersecurity. If and when it is implemented, many African nations will enact personal data protection laws for the first time, upheld by new, independent public authorities. These moves would represent a huge boon to user control over private information. In addition, each state would be required to develop a national cybersecurity strategy, pass cybercrime laws, and ensure that e-commerce is “exercised freely.”

On a continent known for leap-frogging wired technology in the march toward mobile connectivity, this Convention marks a leap forward in internet regulation. Change won’t happen overnight, though, because the Convention must be ratified by 15 countries to enter into force. And even then it will likely be a few years before the 54 African governments each pass laws implementing the Convention.

The remarkable breadth of the treaty resists overarching analysis, but Access has picked out the potentially good, bad, and ugly clauses in the document. Access encourages AU member states to attach reservations to their ratification documents, noting concerns about the specific provisions we outline below.

The potentially good

Data Protection

A large part of the Convention mirrors the data protection framework and language developed by the European Union. As the E.U. considers an overhaul via the Data Protection Regulation, lawmakers there should consider this Convention as one example of the “standard setting” their work often embodies.

Per the Convention, each member state of the African Union is required to have a national data protection authority (DPA) — an independent administrator to ensure the processing of personal data is conducted in accordance with the Convention. Data can only be processed for a specific legitimate purpose, however, no definition of legitimate purpose is given. Processing and storage are limited to the time necessary for the purpose for which the data were collected or processed, with exceptions for “the public interest, especially for historical, statistical or scientific purposes.”

A specific, individual right to object to processing was added, potentially empowering users, but it’s not clear on what “legitimate grounds” objections can be raised (Art. 18). Data subjects have the right to be notified before their data are shared with a third party for the first time (Art. 18).

Each member state is required by the Convention to establish a legal framework for the protection of “physical data.” Yet “physical data” has not been defined anywhere in the convention, leaving uncertainty regarding the scope and substance of the legal standards States will have to put forward. Likewise, the Convention authorises data controllers to transfer personal data to third countries so long as those nations provide an “adequate level of protection,” a vague standard as the Convention does not provide guidelines for establishing a safeguard mechanism, or even criteria to determine adequacy.

AU member countries have been instructed to institute Data Protection Authorities (DPAs). While the Convention bars members of government, business executives, and even shareholders of information and communication technologies (ICT) companies from participating in the DPA in order to promote independence of this body, further guidelines on members selection process should be articulated to fully ensure both transparency and independence.

While we don’t have space here to do a deep analysis, a number of other concepts in the data protection section — “consent”, “data controller”, “data subject”, “personal data”, “sensitive data” — need further attention. For instance, the definition of sensitive data includes “legal proceedings,” which are a matter of public interest and shouldn’t be sealed by default; and “health data” is too broad and could even be interpreted to extend to Facebook status updates about having a cold! Overall, most of the AU’s definitions are far less comprehensive than those found in the EU. To adequately enforce these standards, DPAs will need much more refined definitions and clearer mandates.

Cybersecurity and human rights

The cybersecurity sections of the Convention specifically protect human rights. Governments “shall” ensure their new laws uphold the “African Charter on Human and Peoples Rights, and other basic rights such as freedom of expression, the right to privacy and the right to a fair hearing, among others” (Art. 25 ¶3). The inclusion of privacy is most welcome, considering it is not explicitly found in the African Charter.

Furthermore, civil society is expressly included as part of multistakeholder and public-private partnerships (Art. 26 ¶3) and the cybersecurity “culture” (Art. 26 ¶ 1b).

The cybersecurity rules also support the rule of law: The Convention insists that governments sign mutual legal assistance agreements (MLATs) to establish standards for international data sharing in an efficient way (Art 28 ¶ 2).

Importantly, member states must pass laws protecting data security and notifying users of risks to their data (Art. 29), and of data transfers to third parties (Art. 18), a provision which should apply to data breach and unlawful transfers.

The possibly bad

Content restrictions

The definition of child pornography seems to include any depiction whether or not real children were used, and the ban is a potentially broad provision that could be enforced in very ugly ways if internet intermediaries are held liable for the behavior of users (Art. 29 ¶3).

The explanation of incitement under “racism/xenophobia” does not include sexual orientation or gender, though it does cover race, color, ancestry, national/ethnic origin, and religion. Given the serious threats to the safety of LGBT human rights defenders in many African countries, any protections should account for incitement to violence based on sexual orientation and gender.

More on cybersecurity

While encouraging public/private partnerships on cybersecurity, the Convention fails to put safeguards into the sharing of information between companies and governments (Arts 24-27). Moreover, the Convention requests broad cybersecurity authority for regulators without clarifying limits to the regulator’s power (Art. 25 ¶2). To protect user data, data protection standards should have a place even in cyber security contexts.

In fact, the framing of the basic mandate on governments to develop “a national cyber security policy which recognizes the importance of Critical Information Infrastructure (CII)” takes the wrong approach to cybersecurity. Member states should note their reservations about this flawed, top-down paradigm, and signal their intention to put individual users at the center of data security efforts, rather than ill-defined CII.

Strangely, the Convention defines “secret conventions” as having to do with encryption keys, but never mentions “secret conventions” or cryptography elsewhere in the document — a rather cryptic decision.

The just plain ugly

User Consent

Personal data should only be processed where the data subjects give express, unequivocal, free, specific, and informed consent. However, the Convention adds exceptions, including for “Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed” (Art. 14.2.i). A loophole of this size is ripe for abuse by governments eager and willing to define the “public interest” as their own interest.

More content restrictions

The Convention bans use of a computer to “insult” someone for reasons of race, color, national/ethnic origin, religion, or political opinion. It never defines “insult,” leaving this subjective provision to criminalize speech instead of a criminal act. In conjunction with the following provision, which disallows intentionally approving, denying, or justifying “acts constituting genocide or crimes against humanity,” these ill-conceived and harmful provisions will only serve to limit free expression and chill expression online.

Finally, the Convention confers broad authority to Courts to access databases and conduct surveillance of networks if it is “useful in establishing the truth” (Art. 31.3), a vague, if well-intentioned clause that is open to abuse.

Computer fraud and journalism

Vague, broad provisions defining computer fraud hinge on “unauthorized access,” an undefined term. The provision criminalizes attempts to “enter data fraudulently in a computer system” or “remain fraudulently in a computer system” which could apply, among other things, to violations of social media platform’s Terms of Service (Art. 29 ¶ 1).

One clause increases penalties for existing crimes if they have a computer component, an unnecessary and disproportionate tactic (Article 31.2.a). Simply using a computer does not justify higher penalties.

Whistleblowers and journalists could suffer under a restriction on the use of “data that was fraudulently obtained” (Art. 29.2). This criminalizes journalism based on leaked documents or disclosures, a necessary activity for journalists in many African countries, which often lack freedom of information and similar information access laws, leaving large swaths of public information off-limits. An exception on data processing only applies to licensed journalists (Art. 14.3), discriminating against many bloggers and independent voices.


The African Union has conducted a thorough survey of provisions related to modern communications law, and taken on an ambitious reform project in this Convention. But the treaty has a long walk toward implementation. First, parliaments in 15 of the 54 member states must indicate agreement with its terms. Then, laws executing the treaty in each member state must pass and come online.

Access congratulates the African Union on completing the first stage of the effort, despite our criticism of certain provisions. The following steps are crucial: when ratifying the convention, member countries should take the opportunity to note these concerns in their reservations. While legislating bills to enforce the Convention, Parliaments should proceed in an open, consultative, and multistakeholder way, including inputs from civil society groups. Access will keep close watch over this exciting process, with its many potential pitfalls, to ensure protection for African users over the years to come.