A TrendMicro report positioned Africa as a “safe harbor for cybercriminals” in
2013. Today, much of the continent is living up to this label.
The African Union Convention on Cyber Security and Personal Data Protection was adopted by the AU in June 2014. To date, not a single African nation has
ratified the Convention. Regardless, African nations have begun to adhere to the principles of the Convention, an agreement that is incapable of providing the privacy protection that Africa
needs.
The preamble of the Convention makes clear the AU’s understanding of Africa’s precarious position: “Bearing in mind that the major obstacles to the development
of electronic commerce in Africa are linked to security issues,
particularly…The absence of specific legal rules that protect consumers,
intellectual property rights, personal data and information systems...”
Despite these promising opening lines, the ensuing document
is a lengthy list of vague suggestions and exceptions to rules that leave
African states with the power to abuse freedom of expression and privacy rights.
In addressing Personal Data Protection, Article 13 of the Convention states that an individual’s personal data can be processed without
consent if it is required in “compliance with a legal obligation” or if doing
so is “in the public interest.” Furthermore, “the collection,
recording, processing, storage and transmission of personal data shall be
undertaken lawfully, fairly and non-fraudulently.”
Article 14 prohibits states from collecting “sensitive data”—that which reveals
information such as race, ethnicity, trade union membership, and political and
religious beliefs—but also offers ten examples of how this protection can be removed, including when “a judicial procedure or criminal investigation has been
instituted,” “processing is necessary in the public interest,” and “processing
is necessary for compliance with a legal or regulatory obligation.”
The Convention repeatedly protects individuals only so far
as is convenient to government, and leaves governments to define what is and is
not legal; in effect, the individual’s rights are nonexistent. Worse, the Convention's emphasis on human rights has been interpreted by many countries as an invitation to combine greater censorship with increased surveillance, a stifling pairing.
International human rights organization Access recently compiled a list
of a few of the many African nations that are doing just what the Convention
allows them to do: initiating and passing legislation that simultaneously
compromises individuals’ freedom of expression and their right to privacy. For
example, Tunisia’s proposed cybercrime law would create penalties for “content
showing obscene acts and assaulting good morals” and also allow the government
access to user IDs and traffic data. Ratified or not, the Convention has already set the tone for
cybersecurity across the continent.
Rather than ratify the Convention as is, the countries of
the African Union should look to Mauritius, an island nation east of
Madagascar, for cybersecurity guidance. Mauritius is one of 44 nations
worldwide to ratify the Council of Europe’s 2001 Convention on Cybercrime (the “Budapest
Convention”). As Eric Tamarkin, Institute for Security Studies consultant, pointed
out in a recent interview, the elements of the Budapest Convention that could infringe upon free speech exist as an addendum, thus allowing states
to support a collaborative international effort to combat cybercrime without
requiring them to compromise rights to freedom of expression and privacy.
The African Union knows internet security is necessary for economic
advancement. However, if it proceeds with the current iteration of the
Convention on Cyber Security and Personal Data Protection, it will provide the
safe harbor government cybercriminals need to flourish across the continent.