The 8th of June marks the entry into force of the African Union’s Convention on Cyber Security and Personal Data Protection, also known as the Malabo Convention. This means the Convention came into force nine years after its adoption on June 27, 2014 and became the only binding regional treaty on data protection outside Europe.
Following Mauritania’s ratification on May 9, 2023, the Convention entered into force officially thirty days after the date of receipt by the Chairperson of the Commission of the African Union of the fifteenth (15th) instrument of ratification as provided under article 36.
The Malabo Convention is a framework convention which is meant to provide general rules and principles on three broad themes: personal data protection; electronic commerce; and cybersecurity and cybercrimes in the continent. Put simply, it offers a holistic continent-wide framework to harmonize data protection policies in Africa by catalyzing digital rights, mainly data protection, privacy and internet freedom. This post seeks to explore the section on personal data protection and aims to shed some light for further discussion.
(Extra)territorial application?
Unlike the European Union’s General Data Protection Regulation (GDPR), the scope of application of the Malabo Convention is territorial. This means the Convention applies when any data processing (be it automated or non-automated) is undertaken in the territory of State parties by individuals, the State, local communities, or private actors as per article 9.
By contrast, the GDPR applies (extra)territorially in that it applies to ‘[t]he processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the Union or not.’
While the Malabo Convention lacks clarity as to its applicability to data processors or controllers established outside the continent, such situations are the subject of GDPR where the processing activities are related to: (a) the offering of goods or services to such data subjects in the European Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union. (See here, here and here)
Heralding data subjects’ rights and digital human rights
The Malabo Convention has robust provisions on personal data protection and privacy. According to the preamble of the Convention, the basis for the African Union to consider African states to be bound by a right to privacy stems from international human rights law, particularly the African Charter on Human and Peoples’ Rights.
Elsewhere I argued that the Malabo Convention provides a potential bulwark for the right to data privacy in the digital age in Africa (see here and here). Thus, the coming into force of the Convention has heralded a number of rights for data subjects, including the right to information, right of access, the right to object, and the right to be forgotten (erasure). These rights are set out in articles 9-23 of the Convention.
Accordingly, the Malabo Convention, inter alia, seeks to achieve two major objectives. First, it requires Member States to establish an adequate legal framework that protects fundamental rights and personal data. Second, it seeks to balance the fundamental rights of data subjects with the prerogatives of the State and the rights of local communities. But it is less clear what amounts to the rights of local communities.
However, a juxtaposed reading of the preamble of the Convention in tandem with article 8(2) may give us some guidance. This suggests that the rights of local communities mean the various rights mentioned under the African Charter on Human and Peoples’ Rights, including freedom of expression and access to information.
Brussels Effect
The Malabo Convention significantly mirrors the various standards from Europe both from the Council of Europe Convention for the protection of individuals with regard to the processing of personal data (Convention 108+) and EC Directive 46/95 (now EU GDPR). The Malabo Convention encapsulates six basic principles governing the processing of personal data as provided under article 13.
The first principle is consent—which requires that the consent of the data subject (right holders) must be sought before any processing of data. Second, the processing must be lawful and fair. Simply put, any processing, collection, recording, storage and transmission of personal data must be undertaken fairly, and lawfully.
The third principle relates to purpose or relevance which dictates that data must be collected for specific purposes or uses only. Accuracy of data is another principle, which requires data controllers to take reasonable steps to make sure the collected data is up-to-date, and also to erase or amend it whenever it appears to be inaccurate or incomplete. In addition, the Malabo Convention requires that data must be processed in a transparent manner.
This means that data controllers or the States must disclose information concerning processing of personal data. The last principle is confidentiality which, inter alia, mandates controllers to process personal data in secure and confidential ways. Additionally, the Malabo Convention lays down specific principles for processing sensitive data (article 14) and the interconnection of personal data files (article 15).
A number of African countries have ratified Convention 108+, which is also open for signature and ratification by non-members of the Council of Europe, including African countries. Cape Verde, Mauritius, Morocco, Senegal, and Tunisia have so far ratified the Convention. For example, the Mauritius government aligned its data protection laws with European data protection regulations to attract investment. This is what Anu Bradford has described as ‘Brussels effect.’ As a result, the ‘Brussels effect’ through Convention 108 and GDPR has not only influenced the Malabo Convention but also continues to influence African countries in digital policy making. (See here and here)
Opportunities and challenges
The Malabo Convention presents new opportunities for the development of digital rights in the continent. First, it comes into force at a time when the African Continental Free Trade Area (AfCFTA) Agreement is already operational, which, in turn, would accelerate the AU’s vision of a single market in Africa.
Given that trade and data protection are interlinked, the Malabo Convention helps realize the goals of AfCFTA, i.e., by enabling the free flow of people, goods, and capital throughout Africa, thereby requiring extensive processing of personal data across borders. Conversely, an absence of a continent-wide data protection framework was a stumbling block to the full implementation of the AfCFTA.
Second, although the digital divide in Africa remains wide, there has been exponential growth of internet connectivity and digitalization plans in the continent in the past few years. In this regard, the African Union, for example, adopted policy documents that could foster data privacy, including Agenda 2063; Digital Transformation Strategy for Africa (2020-2030) and AU Data Policy Framework 2022.
These plans, in turn, could pave the way for the Malabo Convention to be effective. Of course, the Malabo Convention is further complemented by national data protection laws. Currently, 33 African countries have adopted data protection laws at national level. According to the United Nations Conference on Trade and Development (UNCTAD) data published in 2022, 33 African countries (61%) have data protection legislation and 6 countries (11%) have draft bills on data protection, while 10 African countries have no legislation on data protection.
Additionally, the active role of sub-regional courts in Africa would be another opportunity for the Malabo Convention to be implemented in the continent (see here, here and here). In Incorporated Trustees of Digital Rights Lawyers Initiative v. Nigeria, decided in 2023, the ECOWAS Court of Justice was asked whether Nigeria is under an obligation to enact a comprehensive data protection law. It found that the respondent State didn’t breach its obligation to establish a legislative framework on data privacy, as Nigeria has already put in place several laws meant to protect data privacy (paras 37-58).
However, one could reasonably expect that the Malabo Convention will face some challenges. As repeatedly mentioned by academic literature and civil societies (see here and here), the Malabo Convention appears to be overbroad in its scope as it embraces multiple issues in one basket: data protection, e-commerce, cybercrime, and cybersecurity. This would give rise to the criticism that the Convention simply aggregates human rights, criminal law, trade and commercial law issues in a single instrument.
Second, while the Convention requires AU member states to establish an independent authority in charge of protecting personal data, known as National Data Protection Authorities (NDPAs), as outlined in article 11, it doesn’t indicate whether NDPAs are required to cooperate among themselves to enforce the Convention. The other criticism is that the Malabo Convention emulated European data protection regimes (see here, here and here). As pointed out earlier, the Brussels effect is a real phenomenon in Africa. This suggests that the Malabo Convention is too western in its orientation, which in turn arguably jettisoned the communal and social conception of (data) privacy in Africa.
Conclusion
In sum, the coming into force of the Convention is a huge milestone to realize data privacy in the digital age in Africa. The Convention will have a far-reaching effect when African countries commence digital trade within and beyond Africa. However, as a framework treaty, it lacks detailed rules and procedures on data processing and protection, which in turn makes it a lackluster regional treaty.
As such, the African Union should enact enabling legislation that clarifies general statutory provisions. Given Africa’s diverse socio-cultural contexts, it should be appropriate and timely to reflect on the conception of data privacy. In doing so, African Union member States should consider an African approach to (data) privacy seriously.
Culled from the Blog of the European Journal of International Law
By Yohannes Eneyew Ayalew