African Union Convention on Cyber Security and Personal Data Protection

In response to the growing cyber threats and the need for data protection, the African Union (AU) introduced the African Union Convention on Cyber Security and Personal Data Protection. This landmark document, also known as the Malabo Convention, represents a significant step towards creating a robust cybersecurity framework across Africa. It aims to enhance the security of cyberspace and ensure the protection of personal data for individuals within the member states of the AU.

The convention was driven by the rapid digital transformation across the continent and the accompanying rise in cyber threats. Recognizing the importance of a coordinated approach, the AU developed this convention to harmonize cybersecurity laws and data protection measures across its member states.

Objectives of the Convention

The Malabo Convention has several key objectives:

  1. Enhance Cybersecurity: Establish comprehensive cybersecurity measures to protect information systems and critical infrastructure.
  2. Protect Personal Data: Safeguard personal data of individuals, ensuring privacy and data integrity.
  3. Promote Cybercrime Prevention: Establish legal frameworks to prevent and combat cybercrime effectively.
  4. Foster Cooperation: Encourage collaboration between AU member states in cybersecurity and data protection.

Summary of the Report

This Group studied the threats posed by the misuse of information and communications technologies (ICTs) and proposed measures to enhance international security.

  1. Enhance Agency Cooperation: Strengthen cooperation among relevant agencies to address ICT security incidents. Develop technical, legal, and diplomatic mechanisms for ICT infrastructure-related requests. Consider exchanges of personnel in areas such as incident response and law enforcement. Encourage exchanges between research and academic institutions.
  2. Information Exchange: Enhance cooperation by developing focal points for exchanging information on malicious ICT use and providing assistance in investigations.
  3. Establish National Response Teams: Establish a national computer emergency response team (CERT) or cybersecurity incident response team (CIRT), or designate an organization to fulfill this role. Consider these bodies within the definition of critical infrastructure. Support and facilitate cooperation among national response teams and other authorized bodies.
  4. Promote CERT/CIRT Practices: Expand and support cooperation among CERTs and CIRTs. This includes information exchange about vulnerabilities, attack patterns, and best practices for mitigating attacks. Coordinate responses, organize exercises, support handling of ICT-related incidents, and enhance regional and sector-based cooperation.
  5. International Cooperation in ICT-related Investigations: Cooperate with requests from other states in investigating ICT-related crimes, terrorist use of ICTs, or mitigating malicious ICT activity emanating from their territory, in a manner consistent with national and international law.

Institutional Dialogue and Cooperation

  1. Regular Dialogue: Recommend regular institutional dialogue with broad participation under the United Nations and through bilateral, regional, and multilateral forums. Enhance common understandings and cooperation in response to the rapid development of ICT and associated threats.

Capacity-Building in ICT Security

  1. Primary Responsibility and International Assistance: States bear primary responsibility for national security, including in the ICT environment. Lack of capacity can make states vulnerable to malicious actors. International cooperation and assistance are crucial for enabling states to secure ICTs and ensure their peaceful use. Capacity-building is essential for improving states’ abilities to cooperate and take collective action.
  2. Capacity-Building Recommendations: Endorse recommendations from 2010 and 2013 reports on capacity-building. These include identifying measures to support less developed countries, improving security of critical ICT infrastructure, developing technical skills, appropriate legislation, strategies, and regulatory frameworks. Capacity-building should promote the use of ICTs for peaceful purposes and involve knowledge exchange among all states.
  3. Voluntary Measures for Capacity-Building: Consider voluntary measures to provide technical and other assistance to build ICT security capacity:
    • Strengthen cooperative mechanisms with national CERTs and other bodies.
    • Provide assistance and training to improve security in ICT use, including critical infrastructure.
    • Facilitate access to essential ICT security technologies.
    • Create procedures for mutual assistance in responding to incidents and securing networks.
    • Facilitate cross-border cooperation to address critical infrastructure vulnerabilities.
    • Develop strategies for sustainable ICT security capacity-building.
    • Prioritize ICT security awareness and capacity-building in national plans and budgets.
    • Encourage further capacity-building efforts, including forensics and cooperative measures against criminal or terrorist use of ICTs.
  4. Regional Approaches: Develop regional approaches to capacity-building, considering specific cultural, geographic, political, economic, or social aspects for tailored solutions.
  5. Bilateral and Multilateral Initiatives: Form bilateral and multilateral cooperation initiatives to improve mutual assistance in ICT incidents, building on established partnerships.

International Law and ICT Use

  1. Application of International Law: Reaffirm that international law, especially the UN Charter, applies to the use of ICTs by states.
  2. Charter Obligations: States must adhere to their Charter obligations when using ICTs, including principles of sovereign equality, peaceful settlement of disputes, non-use of force, respect for human rights, and non-intervention in the internal affairs of other states.
  3. State Sovereignty: States have jurisdiction over ICT infrastructure within their territory.
  4. Peaceful Use and Legal Principles: States should use ICTs peacefully and in accordance with established international legal principles such as humanity, necessity, proportionality, and distinction.
  5. Proxies and Accountability: States must not use proxies to commit internationally wrongful acts using ICTs and should ensure their territory is not used by non-state actors for such acts.

Conclusions and Recommendations for Future Work

  1. Progress and Recognition: Significant progress has been made in recognizing the risks to international peace and security from malicious ICT use. ICTs can drive development, but their security must be preserved.
  2. Future Measures: Possible future measures include:
    • Developing concepts for international peace and security in ICT use at legal, technical, and policy levels.
    • Increasing cooperation at regional and multilateral levels to foster common understandings of ICT-related risks and critical infrastructure security.
  3. Private Sector and Civil Society Involvement: Effective international cooperation should involve the private sector, academia, and civil society organizations.
  4. Further Research: Areas for further research include concepts relevant to state use of ICTs. The United Nations Institute for Disarmament Research and other think tanks could undertake relevant studies.
  5. United Nations Role: The United Nations should lead dialogue on ICT security and the application of international law and norms for responsible state behavior. These efforts should complement, not duplicate, other international work on criminal and terrorist ICT use, human rights, and internet governance.
  6. New Group of Governmental Experts: Consider convening a new Group of Governmental Experts in 2016 to study and promote common understandings of ICT-related threats, cooperative measures, and the application of international law.
  7. Existing Efforts: Recognize valuable efforts by international organizations and regional groups. Encourage new bilateral, regional, and multilateral platforms for dialogue, consultation, and capacity-building.
  8. Active Consideration: Member States should actively consider the report’s recommendations to build an open, secure, stable, accessible, and peaceful ICT environment and assess how to further develop and implement them.

By addressing these points, the Group aims to enhance global ICT security, promote peaceful use of ICTs, and foster international cooperation and capacity-building efforts.

More information:

African Union Convention on Cyber Security and Personal Data Protection Report