Back to main site

    Trends in Africa

    Module 7: Cybercrimes

    Malabo Convention comes into force

    Adopted by the African Union in 2014, the AU Convention on Cybersecurity and Personal Data Protection, known as the Malabo Convention, finally took effect in June 2023 following Mauritania’s ratification, becoming a vital regional treaty for safeguarding personal data in Africa. Despite its significance, the Convention’s lengthy nine-year journey to ratification highlights the need for updates to address evolving digital technologies’ impact on personal information usage.(1)

    The Convention’s implementation marks a crucial stride in Africa’s cybersecurity and data protection efforts. Envisioned to establish a comprehensive legal framework for electronic commerce, data protection, and cybercrime and cybersecurity, the Convention necessitates all 55 AU member states to align their domestic laws with its standards and principles once operational. However, concerns over the Convention’s lack of detail and enforcement mechanisms have been raised alongside its positive reception.

    Moving forward, effective implementation and gap addressing become paramount. The AU Commission can spearhead this by formulating implementation guidelines and action plans, enhancing human rights protection in artificial intelligence use, ensuring adequate resourcing for domestic data protection frameworks, and instituting regional oversight bodies. Supporting data protection authorities and fostering alignment across the continent will be crucial in actualizing the Convention’s objectives.

    The AU has previously noted that:

    “[T]he rapid pace of innovation in the ICT sector can result in gaps in the legislative and regulatory cybersecurity framework since the challenge for the legislator is the delay in the recognition of the new types of offences and the adoption of amendments to the applicable legislation.”(2)

    As a result, many African governments have been keenly adopting new cybercrime legislation in an attempt to keep pace and to continue to protect against crimes committed online. Currently, at least 39 African states have basic cybercrime legislation either fully or partially in place, though many are missing implementing regulations.(3)

    However, cybercrimes legislation is increasingly being used to unjustly regulate internet content as well, including undesirable criticism or dissent. Access Now notes that one of the main concerns about the plethora of laws that are currently being enacted to regulate cybercrimes — whilst there may be a legitimate aim in doing so — is that many of them lack clear definitions and are susceptible to being used to regulate online content and restrict freedom of expression.(4)

    This is a growing concern among human rights defenders as many have been subjected to a wave of arrests and convictions in what is an escalating assault on freedom of expression by cybercrime laws. Many of the laws are vague and overbroad, lacking clear definitions, leaving them open to arbitrary and subjective interpretation.

    For example, Nigeria’s Cybercrime Act of 2015 has been widely criticised for being used to suppress dissent and silence the media.(5) The Committee to Protect Journalists states that in just the first year of the law being in force, five bloggers who criticised politicians and businesspeople online and through social media were accused of the crime of cyberstalking under the new law, which carries a fine of up to 7 million naira (USD$22 000) and a maximum jail term of three years. According to Paradigm Initiative Nigeria, it gives law enforcement “extensive powers to hold personal data without corresponding liability” and has “no provision… to seek redress.”(6) It also makes the all-too-common error of using vaguely defined “national security” as a justification for outlawing a wide range of online activities.(7) In 2020, the ECOWAS Community Court of Justice (ECOWAS Court) ruled that section 24 of the Act — which criminalises the sending of grossly offensive, indecent, or false messages — did not align with Nigeria’s obligations under the African Charter and the ICCPR, and ordered Nigeria to repeal or amend the law.(8)

    Other common problematic clauses in cybercrimes legislation include those that criminalise the “creation of sites with a view to disseminating ideas and programmes contrary to public order or morality”, “broadcasting information to mislead security forces”, “publication of false information,” and more.(9) Recently, Zimbabwe, Eswatini, Tanzania, Zambia, Uganda, Rwanda, and Malawi have recently passed cybercrimes legislation.(10) Zambia’s Cyber Security and Cyber Crimes Act is currently being challenged at the Constitutional Court by a group of civil society organisations alleging that it contains provisions that threaten the right to protection of the law and the right to freedom of expression.(11)

    In the case of Andare v Attorney General of Kenya,(12) the High Court of Kenya emphasised that the state has a duty to demonstrate that cybercrimes laws are permissible in a free and democratic society, to establish the relationship between the limitation and its purpose, and to show that there were no less restrictive means to achieve the purpose intended.(13)

    Footnotes

    1. ALT Advisory, ‘AU’s Malabo Convention set to enter force after nine years’ (2023) (accessible at https://dataprotection.africa/malabo-convention-set-to-enter-force/). Back
    2. African Union, ‘A global approach on Cybersecurity and Cybercrime in Africa’ at p 9 (accessible at: https://au.int/sites/default/files/newsevents/workingdocuments/31357-wd-a_common_african_approach_on_cybersecurity_and_cybercrime_en_final_web_site_.pdf) at p.3. Back
    3. UNCTAD above n 17. Back
    4. Access Now, ‘When “cybercrime” laws gag free expression: stopping the dangerous trend across MENA’ (2018) (accessible at: https://www.accessnow.org/when-cybercrime-laws-gag-free-expression-stopping-the-dangerous-trend-across-mena/). Back
    5. Committee to Protect Journalists, Peter Nkanga ‘How Nigeria’s cybercrime law is being used to try to muzzle the press’ (2016) (accessible at: https://cpj.org/2016/09/how-nigerias-cybercrime-law-is-being-used-to-try-t/). Back
    6. Id. Back
    7. OrderPaper, ‘Tomiwa Ilori, The Nigerian Cybercrimes Act 2015: Is It Uhuru Yet?’ (accessible at: http://www.orderpaper.ng/nigerian-cybercrimes-act-2015-uhuru-yet/). Back
    8. The Incorporated Trustees of Laws and Rights Awareness Initiatives v Nigeria, ECOWAS Court Suit No. ECW/CCJ/APP/53/2018 (2020) (accessible at: http://www.courtecowas.org/wp-content/uploads/2020/09/JUD_ECW_CCJ_JUD_16_20.pdf). Back
    9. Id at p 8. Back
    10. Media Defence, ‘Mapping Digital Rights and Online Freedom of Expression Litigation in East, West and Southern Africa,’ (2020) (accessible at: https://www.mediadefence.org/resource-hub/resources/mapping-digital-rights-and-online-freedom-of-expression-litigation-in-east-west-and-southern-africa/). Back
    11. MISA-Zimbabwe, ‘Zambia’s newly enacted cybercrime law challenged in court,’ (2021) (accessible at: https://zimbabwe.misa.org/2021/04/06/zambias-newly-enacted-cybercrime-law-challenged-in-court/). Back
    12. High Court of Kenya at Nairobi, Petition No. 149 of 2015 (2015) (accessible at: http://kenyalaw.org/caselaw/cases/view/121033/). Back