Why it is important for African states to ratify the Malabo convention

What is the Malabo convention

The African Union member states in 2014 adopted the African Union Convention on Cyber Security and Personal Data Protection, also known as the Malabo convention. The convention encourages AU member states to recognise the need to protect critical cyber/ICT infrastructure, personal data and to encourage free flow of information with the aim of developing a credible digital space in Africa.

Despite all the great policies and regulations the Malabo Convention promises to deliver, the Convention still hasn’t taken effect, as only 2 states of the 55 member states have ratified the convention. The two countries are Mauritius and Senegal, even though 10 countries have signed it.

Current state of privacy, data security and cross-border data transfer

Most African states today have no data protection regulation. Where there exists some form of data protection regulation, implementation is disparate, with no unified approach.

According to a Deloitte 2017 report on the state of Personal Data Protection in Africa, of the 55 member states, only 17 countries currently have comprehensive data protection laws with 9 others in progress. It is believed some of the reasons African states do not have laws and regulation in this very important part of our lives in the 21st century is amongst other things, lack of skills and capacity to appreciate the importance of such conventions, the absence of skill and will to evaluate the cost of cyber crime to national economies, ICT not considered priority by most African governments and the fear by repressive governments, of being held accountable once committed by ratifying such conventions.

Why is data security and transfer important

In January 2012, African heads of states adopted a decision to establish a single continental market by 2017, which promises an economic revolution. In March this year, 44 out of 55 member states signed the proposed agreement. Some leaders like the Nigerian president have reasserted the resolve of the regional free trade area. The project called the Continental Free Trade Area (CFTA), is a project to bring together all African countries – comprising 1.2 billion people and a combined GDP of over $3.4 trillion – under a single continental market for goods and services, including free movement of businesspeople and investments, and expansion of intra-African trade, according to World Economic Forum (WEF).

In light of current technological trends and innovation, free intra-regional trade will not only be offline, but we are sure to see a significant amount of the intra-regional trade taking place on the Internet. Digital trade generally requires a great deal of free movement and flow of personal data, as data is the lifeblood of the digital economy. A continent-wide digital trade involving consumers cannot occur without the collection and movement of personal data like names, email addresses and billing information, across borders. In order for such a market to be efficiently regulated, the region will need to look into unifying implementations of cybersecurity and data protection regulations across the continent. The best way to do that would be to adopt the Malabo Convention.

Current disparate implementations of data protection regulation (where they exist) makes it a very tedious task for multinational businesses or any company carrying out business with partners in multiple countries in the region to lawfully transfer data across borders as part of their operations. Non-compliance to the different data protection regulations may preclude companies from potential business exploits in the region. To be compliant in the current state of things, organisations will need to adopt different data protection policies that take into consideration the legislative nuances in the region. This would create unnecessary barriers to trade in the region, would be expensive and time consuming. Thereby negating the benefits of the free trade area.

The AUC/ISOC Personal Data Protection Guidelines

It is not all bad news, as there seem to be some progress made by AU, in promoting a unified data protection regulation on the continent. In May 2018, the African Union Commission (AUC) jointly developed and launched the Privacy and Personal Data protection Guidelines with Internet Society (ISOC). The Guidelines emphasize the importance of ensuring trust in online services and also offer guidance on how to help individuals take a more active part in the protection of their personal data. In addition, the AUC is organising a workshop on Cybersecurity Strategies, Cybersecurity legislation and CIRT/CERT for AU member states with the aim at providing member states with the appropriate knowledge to prepare and adopt National Cybersecurity and National Cyber legislations as well as requirements for the setting of a Computer Emergency Incident/Response Team (CERT/CIRT). The workshop is against the backdrop of a 2015 survey the AU Commission carried out, and found that only 8 of the surveyed states had a national strategy on Cybersecurity, 11 had adopted Cybercrime laws and only 13 states had a National CERT.

Hopefully, these efforts will encourage more of the member states to sign and ratify the Malabo convention, and start transposing its framework to their national laws, hence creating a unified data protection regulation on the continent, ready for the Continental free Trade Area.