Emerging threats in cybersecurity and data protection legislation in African Union countries

In January 2015, heads of state met at the 24th African Union Summit to discuss the “African Union Agenda 2063” with the goal of enabling “a continent on equal footing with the rest of the world as an information society.” The summit, which is attended by 54 African governments, occurred at a critical time for cyber security after the AU approved the African Union Convention on Cyber Security and Personal Data Protection in June. While Access applauds the human rights protections enshrined in the convention, we are deeply troubled by draft legislation that has emerged across the continent that tramples rights in the name of implementing the convention.

The Convention was originally scheduled to pass in January 2014, but was delayed for modifications after protests by the private sector, civil society organizations, and privacy experts—all of whom had very little involvement in the drafting process. But a number of countries promulgated harmful new cybersecurity legislation after it was improved in June.

As Access noted in analyzing both versions of the Convention, the Convention has some positive provisions but still needs strengthening. It requires states to consider human rights in implementing cyber security legislation, but it also supports greater government control of private user data. For example, the Convention permits governments to process private data when “in the  public interest,” a confusingly vague standard.

The Convention has not yet been ratified by any AU countries, a process which requires the executive or the legislature to deposit instruments of ratification with the AU secretariat in Addis Ababa, Ethiopia. However, that hasn’t stopped several countries from racing ahead with rushed, and potentially harmful, legislation. We have tracked proposed cyber and data protection laws in Kenya, Madagascar, Mauritania, Morocco, Tanzania, Tunisia, and Uganda. Several of the domestic reform bills fail to provide basic protections for user data. Worse yet, other bills enable the government to violate the rights of privacy, expression, and assembly.

Before countries further codify harmful laws, Access urges them to first ratify the Convention. Once they have done so, they should carefully implement the Convention’s framework with legislation that respects human rights. These domestic reform efforts should be carried out in open, consultative, multi-stakeholder processes with input from civil society organizations and subject-matter experts.


(Click the image to see the larger verions)

Much of Africa is currently considering similar bills as they look to fulfill the aims of the AU Convention. The featured countries are in fact just a small sample of the bills being considered—from Mauritania, to Botswana, to Uganda, 2015 will bring many exciting challenges and opportunities for digital rights on the Continent. But lawmakers should not put the cart before the horse, and ratify the African Convention before moving ahead too rashly.