Emerging threats in cybersecurity and data protection legislation in African Union countries

In January 2015, heads of state met at the 24th African Union Summit to discuss the “African Union Agenda 2063” with the goal of enabling “a continent on equal footing with the rest of the world as an information society.” The summit, which is attended by 54 African governments, occurred at a critical time for cyber security after the AU approved the African Union Convention on Cyber Security and Personal Data Protection in June. While Access applauds the human rights protections enshrined in the convention, we are deeply troubled by draft legislation that has emerged across the continent that tramples rights in the name of implementing the convention.

The Convention was originally scheduled to pass in January 2014, but was delayed for modifications after protests by the private sector, civil society organizations, and privacy experts—all of whom had very little involvement in the drafting process. But a number of countries promulgated harmful new cybersecurity legislation after it was improved in June.

As Access noted in analyzing both versions of the Convention, the Convention has some positive provisions but still needs strengthening. It requires states to consider human rights in implementing cyber security legislation, but it also supports greater government control of private user data. For example, the Convention permits governments to process private data when “in the  public interest,” a confusingly vague standard.

The Convention has not yet been ratified by any AU countries, a process which requires the executive or the legislature to deposit instruments of ratification with the AU secretariat in Addis Ababa, Ethiopia. However, that hasn’t stopped several countries from racing ahead with rushed, and potentially harmful, legislation. We have tracked proposed cyber and data protection laws in Kenya, Madagascar, Mauritania, Morocco, Tanzania, Tunisia, and Uganda. Several of the domestic reform bills fail to provide basic protections for user data. Worse yet, other bills enable the government to violate the rights of privacy, expression, and assembly.

Before countries further codify harmful laws, Access urges them to first ratify the Convention. Once they have done so, they should carefully implement the Convention’s framework with legislation that respects human rights. These domestic reform efforts should be carried out in open, consultative, multi-stakeholder processes with input from civil society organizations and subject-matter experts.

access_africa_au_cyberlaw

Much of Africa is currently considering similar bills as they look to fulfill the aims of the AU Convention. The featured countries are in fact just a small sample of the bills being considered—from Mauritania, to Botswana, to Uganda, 2015 will bring many exciting challenges and opportunities for digital rights on the Continent. But lawmakers should not put the cart before the horse, and ratify the African Convention before moving ahead too rashly.

This article was originally published on Ephraim’s professional page on Access Now.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s