A TrendMicro report positioned Africa as a “safe harbor for cybercriminals” in 2013. Today, much of the continent is living up to this label.
The African Union Convention on Cyber Security and Personal Data Protection was adopted by the AU in June 2014. To date not a single African nation has ratified the Convention. Regardless, African nations have begun to adhere to the principles of the Convention, an agreement that is incapable of providing the privacy protection that Africa needs.
The preamble of the Convention makes clear the AU’s understanding of Africa’s precarious position: "Bearing in mind that the major obstacles to the development of electronic commerce in Africa are linked to security issues, particularly…The absence of specific legal rules that protect consumers, intellectual property rights, personal data and information systems...”
Despite these promising opening lines, the ensuing document is a lengthy list of vague suggestions and exceptions to rules that leave African states with the power to abuse freedom of expression and privacy rights.
In addressing Personal Data Protection, Article 13 of the Convention states that an individual’s personal data can be processed without consent if it is required in “compliance with a legal obligation” or if doing so is “in the public interest." Furthermore, “the collection, recording, processing, storage and transmission of personal data shall be undertaken lawfully, fairly and non-fraudulently."
Article 14 prohibits states from collecting “sensitive data”—that which reveals information such as race, ethnicity, trade union membership, and political and religious beliefs—but also offers ten examples of how this protection can be removed, including when “a judicial procedure or criminal investigation has been instituted,” “processing is necessary in the public interest,” and “processing is necessary for compliance with a legal or regulatory obligation.”
The Convention repeatedly protects individuals only so far as is convenient to government, and leaves governments to define what is and is not legal; in effect, the individual’s rights are nonexistent. Worse, the Convention's emphasis on human rights has been interpreted by many countries as an invitation to combine greater censorship with increased surveillance, a stifling pairing.
International human rights organization Access recently compiled a list of a few of the many African nations that are doing just what the Convention allows them to do: initiating and passing legislation that simultaneously compromises individuals’ freedom of expression and their right to privacy. For example, Tunisia’s proposed cybercrime law would create penalties for “content showing obscene acts and assaulting good morals” and also allow the government access to user IDs and traffic data. Ratified or not, the Convention has already set the tone for cybersecurity across the continent.
Rather than ratify the Convention as is, the countries of the African Union should look to Mauritius, an island nation east of Madagascar, for cybersecurity guidance. Mauritius is one of 44 nations worldwide to ratify the Council of Europe’s 2001 Convention on Cybercrime (the “Budapest Convention”). As Eric Tamarkin, Institute for Security Studies consultant, pointed out in a recent interview, the elements of the Budapest Convention that could infringe upon free speech exist as an addendum, thus allowing states to support a collaborative international effort to combat cybercrime without requiring them to compromise rights to freedom of expression and privacy.
The African Union knows internet security is necessary for economic advancement. However, if it proceeds with the current iteration of the Convention on Cyber Security and Personal Data Protection, it will provide the safe harbor government cybercriminals need to flourish across the continent.
|Port Louis, Mauritius|