The African Union Convention on Cybersecurity: A Regional Response Towards Cyber Stability?
Vol.12,No.2(2018)
Following the liberalization of telecommunication markets in African States, and the increasing availability of wireless technologies and broadband capacity, the levels of Internet penetration and ICT access in Africa has continued to grow in a phenomenal manner since the beginning of the new millennium. Internet use statistics indicate that Africa’s Internet user population grew from about four and a half million people in 2000 to about 400 million people in December, 2017. However, widespread ICT access and Internet penetration in Africa has also raised concerns over the need to promote cybersecurity governance and cyber stability across the continent. This prompted the African Union to establish a regional cybersecurity treaty, known as the African Union Convention on Cyber Security and Personal Data Protection, in June, 2014. The Convention imposes obligations on Member States to establish legal, policy and regulatory measures to promote cybersecurity governance and control cybercrime. This article analyzes the nature and scope of the cybersecurity governance obligations under the Convention and examines how the adoption of the Convention can promote cyber stability in the African region. In so doing, the paper also examines the challenges impeding the application of the Convention as a framework for promoting regional cyber stability in Africa. The paper identifies the slow pace of Member State ratification and the absence of effective regional coordination as some of the major reasons why the Convention has not been effectively applied as a framework for promoting regional cyber stability. Therefore, the paper makes a case for the establishment of a regional monitoring mechanism within the AU framework to improve the regional harmonization of cybersecurity governance frameworks, and harness the application of the Convention as a framework for promoting regional cyber stability.
African Union; Cyber Stability; Regional Cybersecurity Obligations
p. 91–130
Uchenna Jerome Orji
Nnamdi Azikiwe University, Awka, Nigeria.
Dr Uchenna Jerome Orji is an attorney admitted to the Nigerian Bar. He holds an LL.B from the University of Nigeria, an LLM from the University of Ibadan, and a PhD from Nnamdi Azikiwe University, Nigeria. He is the author of Cybersecurity Law and Regulation (2012), International Telecommunications Law and Policy (2018), and Telecommunications Law and Regulation in Nigeria (2018), in addition to over 70 peer-reviewed papers on cybersecurity, data protection, telecommunications and other aspects of law. His articles have appeared in: Journal of African Law; Commonwealth Law Bulletin; Computer and Telecommunications Law Review; International Data Privacy Law; Computer Law Review International; Defence Against Terrorism Review, and OPEC Energy Review, among others. He is a Fellow of the African Center for Cyber Law and Cybercrime Prevention (ACCP) at the UN African Institute for the Prevention of Crime, Kampala, Uganda. He has also worked as an expert for the Council of Europe, the Commonwealth Rule of Law Division, and the Dutch Government.
[1] African (Banjul) Charter on Human and Peoples’ Rights, 27 June 1981 (OAU Doc. CAB/LEG/67/3 rev. 5, 21 I.L.M. 58).
[2] African Charter on the Rights and Welfare of the Child, 29 November 1999 (OAU Doc. CAB/LEG/24.9/49)(1990).
[3] African Union (2008) Study on the Harmonization of Telecommunication and Information and Communication Technologies Policies and Regulation in Africa: Draft Report. Addis Ababa: African Union.
[4] African Union. (2017) African Union in a Nutshell. [online] Available from: http://www.au.int/en/abut/nutshell [Accessed 6 June 2018].
[5] African Union. (2017) Member States. [online] Available from: http://www.au.onlinet/en/member_states/country profiles [Accessed 6 June 2018].
[6] African Union. (2018) List of Countries Which Have Signed, Ratified/Acceded to the African Union Convention on Cyber Security and Personal Data Protection. [online] Available from: https//au.int/sites/default/files/treaties/29560slafrican_union_convention_on_cybe_ security_and_personal_data_protection.pdf [Accessed 6 June 2018].
[7] African Union (AU). Available from: http://www.au.int/en/ [Accessed 6 June 2018].
[8] African Union and Symantec Corporation (2016) Cyber Crime & Cyber Security Trends in Africa. United States: Symantec Corporation.
[9] African Union Convention on Cyber Security and Personal Data Protection, 27 June 2014 (EX.CL/846 (XXV).
[10] Bertelsmann-Scott, T. (2013) Regional Cooperation in the Telecommunications Sector via CRASA. PERISA Series.
[11] Brommelhorster, J. et al. (2004) Critical Infrastructure Protection: Survey of World-wide Activities. BSI KRITIS, (4).
[12] Calandro, E.S. Regionalism and the Development of the Information Society: Policy Considerations from SADC. [online] Available from http://www.cprsouth.org/wp- content/uploads/2015/08/CPRsouth2015_PP11FINAL_vReviewed.pdf [Accessed 6 June 2018].
[13] Constitution of Cape Verde (1992).
[14] Constitution of Ghana (1992).
[15] Constitution of Liberia (1986).
[16] Constitution of Senegal (2001).
[17] Constitution of Sierra Leone (1991).
[18] Constitution of the Federal Republic of Nigeria (1999).
[19] Constitution of the Gambia (1997).
[20] Constitution of the Republic of Benin (1990).
[21] Constitutive Act of the African Union, 11 July 2000.
[22] Coomans, F. (2003) The Ogoni Case before the African Commission on Human and Peoples’ Rights, International and Comparative Law Quarterly, vol. 52. https://doi.org/10.1093/iclq/52.3.749
[23] Council of Europe (1976) Twentieth Conference of Directors of Criminological Research Institutes: Criminological Aspects of Economic Crime. Strasbourg.
[24] Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on Attacks against Information Systems and replacing Council Framework Decision
2005/222/JHA, Official Journal of the European Union.
[25] Directive 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning Measures for a High Common Level of Security of Network and Information Systems across the Union, Official Journal of the European Union.
[26] Dunn, M. (2005) A Comparative Analysis of Cybersecurity Initiatives Worldwide. World Summit on Information Society (WSIS) Thematic Meeting on Cybersecurity. Geneva: ITU.
[27] Economic Commission for Africa (2012) Declaration of Addis Ababa on the Harmonization of Cyber Legislation in Africa. Addis Ababa: Economic Commission for Africa.
[28] Editorial (1941) The Trail Smelter Arbitral Decision. American Journal of International Law.
[29] European Commission (1999) Towards a New Framework for Electronic Communications Infrastructure and Associated Services. Brussels: European Commission.
[30] Flores, R. et al. (2017) Cybercrime in West Africa: Poised for an Underground Market. United States: Trend Micro and INTERPOL.
[31] Free Legal Assistances Group and Others v. Zaire, ACHPR/COMM, No. 25/89, 47/90, 56/91, 100/93 (1995).
[32] Garner, B. A. (ed.) (2004). The Black’s Law Dictionary. 8th ed., St Paul MN, United States: West Publishing Co.
[33] Gordon, K. and Dion, M. (2008) Protection of ‘Critical Infrastructure’ and the Role of Investment Policies Relating to National Security. Paris: OECD.
[34] Gordon, K. and Dion, M. (2008) Protection of ‘Critical Infrastructure’ and the Role of Investment Policies Relating to National Security. Paris: OECD.
[35] GSMA (2013) Sub-Saharan Africa Mobile Economy Report 2013. London: A.T. Kearney.
[36] GSMA (2013) The Mobile Economy Report 2013. London: A.T. Kearney.
[37] GSMA (2016) The Mobile Economy Africa 2016. London: GSMA.
[38] Hansungule, M. African Courts and the African Commission on Human and Peoples’ Rights. In: Bosi, A. and Diescho, J. (2009) Human Rights in Africa: Legal Perspective on their Protection and Promotion. Namibia: Macmillan Education.
[39] I. v. Finland (2008), Judgment of 17 July 2008 (No. 20511/03, ECHR).
[40] International Penn & Others (on behalf of Saro-Wiwa) v. Nigeria (1998), ACHPR/COMM, 137/94, 139/94, 154/96, 161/97 .
[41] ITU (2009) National Cybersecurity/CIIP Self-Assessment Tool. Geneva: ITU.
[42] ITU (2018) Cybersecurity Country Profiles [online] Available from: https//www.itu/en/ITU-D/Cybersecurity/Documents/Country_Profiles/ [Accessed 6 June 2018].
[43] ITU High Level Experts Group (2008) ITU Global Cyber-Security Agenda (GCA) High Level Experts Group [HLEG] Global Strategic Report. Geneva: ITU.
[44] ITU High Level Experts Group [HLEG] (2008) ITU Global Cyber-Security Agenda (GCA) High Level Experts Group [HLEG] Global Strategic Report. Geneva: ITU.
[45] ITU Toolkit for Cybercrime Legislation. Geneva: ITU.
[46] K.U. v. Finland (2008), Judgment of 2 December 2008 (No. 2872/02ECHR).
[47] Kharouni. L. (2013) Africa: A New Safe Harbour for Cyber Criminals? Trend Micro Research Paper. United States: Trend Micro Inc.
[48] Links F, (2018) Tackling Cyber Security/Crime in Namibia – Calling for a Human Rights Respecting Framework. Democracy Report – Special Briefing Report.
[49] Magliveras, K. D. (2011) The Sanctioning System of the African Union: Part Success, Part Failure?, The African Union: The First Ten Years. Addis Ababa: Institute of Security
Studies, 11–13 October 2011.
[50] Marco, G. (2009) Understanding Cybercrime: A Guide for Developing Countries. Geneva: ITU.
[51] Miniwatts Marketing Group (2017), Internet Usage Statistics for Africa. [online] Miniwatts Marketing Group. Available from: http://www.internetworldstats.com/stats1.htm
[Accessed 6 June 2018].
[52] Mkhize, S. (2014) Assessing the Efficacy of the AU Sanctions Policies with Regard to Unconstitutional Changes in Government: The Examples of Guinea and Madagascar. M.A.
University of South Africa.
[53] Oji, E. A. (2011) Application of Customary International Law in Nigerian Courts. Nigeria Institute of Advanced Legal Studies Law and Development Journal, vol. 1, no. 1.
[54] Oliver Tambo Declaration (2009).
[55] Open Forum to discuss the proposed legal framework for cybersecurity in Africa, (26 July 2013) [online] Available from: http://daucc.wordpress.com/2013/07/26/event-panel-discussion- on-the-draft-african-union-cyber-security-convention/#comment-4 [Accessed 6 June 2018].
[56] Oppong, R. F. (2008) Making Regional Economic Laws Enforceable in National Legal Systems: Constitutional and Judicial Challenges. In: Bosi, A. and Breytenbech, W. et al.
(eds.) Monitoring Regional Integration in Southern Africa Year Book. Stellenbosch, South Africa: Trade Law Center for Southern Africa.
[57] Orji, U. J. (2012) A Discourse on the Perceived Defects of the Draft African Union Convention on the Establishment of a Credible Legal Framework for Cybersecurity. Communications Law: The Journal of Computer, Media and Telecommunications Law, vol. 17, no. 4.
[58] Orji, U. J. (2012) Cybersecurity Law and Regulation. Nijmegen, Nijmegen: Wolf Legal Publishers.
[59] Orji, U. J. (2014) Examining Missing Governance Mechanisms in the African Union Convention on Cybersecurity and Personal Data Protection. Computer Law Review International, vol. 5.
[60] Orji, U. J. (2015) Multilateral Legal Responses to Cybersecurity in Africa: Any Hope for Effective International Cooperation? In: Maybaum, M. et al. (eds.) Architectures
in Cyberspace – 7th International Conference on Cyber Conflict. Tallinn: NATO CCD COE.
[61] Orji, U. J. (2016) Regionalizing Cybersecurity Governance in Africa: An Assessment of Responses. In: Samuel, C. and Sharma, M. (eds.) Securing Cyberspace: International and Asian Perspectives. New Delhi, India: Institute for Defence Studies and Analyses & Pentagon Press.
[62] Orji, U. J. (2018) International Telecommunications Law and Policy. United Kingdom: Cambridge Scholars Publishing.
[63] Ploch, L. (2010) Countering Terrorism in East Africa: The U.S. Response. Congressional Research Service, R41473.
[64] Protocol to the African Charter on Human and Peoples’ Rights on the Rights of Women in Africa, 11 July 2003.
[65] Protocol to the African Charter on Human and Peoples’ Rights on the Establishment of an African Court on Human and Peoples’ Rights, 10 June 1998.
[66] Regulation (EC) establishing the European Network and Information Security Agency (No 460/2004).
[67] Rosewarne, C. and Odunfa, A., (2014) The 2014 Nigerian Cyber Threat Barometer Report. South Africa and Nigeria: Wolfpack Information Risk and Digital Jewels.
[68] Rudnick, L. et al. (2015) Towards Cyber Stability: A User-Centered Tool for Policy Makers. Geneva: United Nations Institute for Disarmament Research.
[69] Schjolberg, S. (2008) The History of Global Harmonization on Cybercrime Legislation – The Road to Geneva (2008). [online] Available from: http://www.cybercrimelaw.net/
documents/cybercrime_history.pdf [Accessed 6 June 2018].
[70] Seck, M. (2014) Tackling the Challenges of Cybersecurity in Africa. United Nations Economic Commission for Africa Policy Brief, NTIS/002/2014.
[71] Sharpe A. (2009) Communications Technologies, Services and Markets. In: Ian Walden (ed.) Telecommunications Law and Regulation. 3rd ed. New York: Oxford University Press.
[72] Shuaibu, M. and Bernsah, L.D. (2016) An Analysis of the Macroeconomic Impact of Insecurity on Nigeria: A Dynamic Modeling Approach. Journal of Social and Management Sciences, vol. 2, no. 1.
[73] Shuma, T. (2015) Revisiting Legal Harmonization under the Southern African Development Community Treaty: The Need to Amend the Treaty. Law, Democracy and Development, vol. 19.
[74] Social and Economic Rights Action Center (SERAC) and the Center for Social and Economic Rights (CESR) v. Nigeria (2002), Communication No. 155/96, ACHPR/COMM/A044/1.
[75] Solutions Consulting (2018) West Africa Cybersecurity Indexing and Readiness Assessment. Florida, United States: Solutions Consulting.
[76] The Corfu Channel Case (United Kingdom v. Albania), (1949), Merits, ICJ Reports.
[77] The Council of Europe Convention on Cybercrime (2001), 41 I.L.M. 282.
[78] The Trail Smelter Arbitration Case (United States of America v. Canada), (1938) 3 R.I.A.A.
[79] UNCTAD 2018) Cybercrime Laws. [online] Available from: http://www.unctad.org/en/Docs/Cyberlaw/CC.xlsx [Accessed 6 June 2018].
[80] UNECA Press Release, ICT Ministers call for harmonized policies and cyber legislations on Cybersecurity. [online] Available from: http://www1.uneca.org/ArticleDetail/tabid/3018/ArticleId/1934/ICT-Ministers-call-for-harmonized-policies-and-cyberlegislationson Cybersecurity.aspx [Accessed 6 June 2018].
[81] United Nations Economic Commission for Africa (UNECA) Press Release, Draft African Union Convention on Cybersecurity Comes to its Final Stage. [online] Available from:
http://www1.uneca.org/TabId/3018/Default.aspx?ArticleId=1931 [Accessed 6 June 2018].
[82] United Nations Resolution on the Creation of a Global Culture of Cybersecurity, 20 December 2003, (A/RES/57/239).
[83] United Nations Resolution on the Creation of a Global Culture of Cybersecurity, 21 December 2009 (A/RES/64/211).
[84] United Nations Resolution on the Creation of a Global Culture of Cybersecurity, 23 December 2003 (A/RES/58/199).
[85] United States President’s Commission on Critical Infrastructure Protection (PCCIP). (1997) Critical Foundations: Protecting America’s Infrastructure. Washington DC: PCCIP,
Appendix B, Glossary B-2.
[86] UNODC (2013) Comprehensive Study on Cybercrime. New York: United Nations.
[87] UNTCAD (2012) Harmonizing Cyberlaw and Regulations: The Experience of the East African Community. New York/Geneva: UNCTAD.
[88] Van Zyl, G. (2014) Adoption of ‘flawed’ AU Cybersecurity Convention Postponed. IT Web Africa, 21 January. [online] Available from: http://www.itwebafrica.com/ict-and- governance/523-africa/232273-adoption-of-flawed-au-cybersecurity-convention- postponed [Accessed 6 June 2018].
[89] Vanguard (25 February 2017) Federal Government Committing Significant Share of 2017 Budget to North-East – Onyeama. [online] Vanguard. Available from: https://www.
vanguardngr.com/2017/02/fg-committing-significant-share-2017-budget-northeast- onyeama/ [Accessed 6 June 2018].
[90] Vienna Convention on the Law of Treaties, 23 May 1969.
[91] Walter, J. K. (1974) Comparative Law: A Theoretical Framework. International and Comparative Law Quarterly, vol. 23, no. 3.
Copyright © 2018 Masaryk University Journal of Law and Technology