The African Union Cybersecurity Convention: A Missed Human Rights Opportunity
Mailyn Fidler is a Marshall Scholar studying international relations at the University of Oxford. You can follow her on Twitter @mailynfidler. Fadzai Madzingira is a Rhodes Scholar from Zimbabwe studying law at the University of Oxford.
A year ago this month, the African Union (AU) adopted its Convention on Cybersecurity and Personal Data Protection. This convention simultaneously addresses many issues associated with the increased use of information and communication technologies in Africa. It establishes a standard legal framework for conducting electronic commerce, protecting personal data, promoting cybersecurity, and addressing cybercrime.
One year later, no AU member state has ratified the convention, and serious concerns remain about its human rights implications, particularly about provisions that might support discrimination and expand government power. Although human rights issues were debated before the convention’s adoption, there has unfortunately been little continued discussion.
The convention offers protection from online threats made against a person on the basis of race, color, descent, national or ethnic origin, or religion. The convention claims consistency with the African Charter on Human and Peoples’ Rights, but the charter includes sex in its list of protected classes, and the convention does not, a notable and concerning omission.
African governments can take advantage of broad exceptions in the convention to restrictions on personal data processing in the name of “public interest” or “exercise of official authority.” These terms are not defined in the convention and, as such, could be used to justify abuse of personal data by government entities. For instance, the definition of public interest can vary between countries. In one country, targeting individuals on the basis of sexual orientation could be construed as in the “public interest” and thus legitimized by this exception. The Ugandan government’s continued efforts to pass anti-gay laws demonstrate the reality of such concerns.
The convention requires the prohibition of making, disseminating, or downloading content containing threats or insults on the basis of race, color, descent, national or ethnic origin, or religion. This language echoes the protocol on xenophobia and racism added to the Council of Europe Convention on Cybercrime and likely reflects recent African conflicts. However, prohibiting insults, the dissemination of insults, and the downloading of threats or insults of this nature places concerning restrictions on free speech.
The convention also permits limits on freedom of association. It requires that countries criminalize participation in online or physical groups “established with a view to preparing or committing” a criminal offense as defined in the convention. This language would make it possible to punish an individual member of a group, even if the individual did not personally demonstrate intent to commit a crime. The convention does not define what “a view to preparing or committing” means, which may result in a lower threshold than conspiracy to commit. As a result, governments may label opposition groups as criminal and use this provision to go after membership rosters, deterring free association.
The convention broadens the powers of judicial actors. When data is deemed “useful in establishing the truth,” a judge may authorize search and seizure of data. This broad authority raises the potential for governmental overreach, especially in contexts where the judiciary is not independent from the political branches of government. The convention also empowers judges to impose additional penalties for crimes committed through digital mediums and to mandate dissemination of verdicts through the same medium that was used to commit the crime. This clause means if a person was convicted of hate speech on Twitter, the person’s verdict should be broadcast via Twitter, heightening the public availability of criminal records. Taken together, the additional penalties and broadcast requirement establish further barriers to free expression.
African civil society has split opinions on the convention in its current form. A digital rights organization, Access, admits the convention has problems but supports ratification. The Centre for Intellectual Property and Information Technology Law at Strathmore University in Kenya, which led resistance to the convention during its negotiation, does not support implementing the treaty in its current form. The African Cyber Risk Institute supports African states adopting good cybersecurity laws but recognizes potential problems with the convention.
Although no AU member states have ratified the convention, several have enacted or proposed domestic cybersecurity legislation. Sections of South Africa’s Protection of Personal Information Act went into effect shortly before the AU adopted its convention. Kenya, Madagascar, Mauritania, Morocco, Tanzania, Tunisia, and Uganda are in the process of adopting national cybersecurity legislation. On the whole, these laws are more punitive in nature and contain more potential to violate human rights than the convention. For instance, Tanzania’s proposed legislation seems to place extreme restrictions on freedom of expression. The text of these laws is not easily available to citizens, worsening the situation.
Moving forward, heightened human rights scrutiny is needed as African states adopt the convention or develop independent domestic cyber legislation. Although the AU convention has worrisome human rights aspects, it may be spurring domestic laws that are even worse.