The Malabo Convention has now entered into force. But with ratifications from only 15 of 55 AU member states – and none yet from any of Africa’s power countries, such as Egypt, Algeria, Nigeria, South Africa, Kenya, Morocco or Ethiopia – will the Convention be accorded the regional and international validation needed to become a viable instrument for regulating cybersecurity in the entire African region?
The Malabo Convention
Africa’s cybersecurity governance landscape is at an important juncture. The African Union Convention on Cybersecurity and Personal Data Protection 2014, otherwise known as the Malabo Convention, was drafted in 2011 to establish a credible framework for cybersecurity in Africa. The African Union (AU) adopted the Convention in June 2014. Nine years later, the Convention has now, finally, received the 15 ratifications required to enter into force.
The Convention entered into force on 8 June 2023, 30 days after Mauritania deposited the 15th instrument of ratification on 9 May 2023. For Africa, this marks not only the first regional treaty on cybersecurity, but also the first instrument relating to any digital discourse to be enacted at the continental level. Notably, this development comes while the United Nations (UN) ad hoc committee is finalising negotiations on elaborating a global convention on cybercrime.
Questions surrounding the entry into force of the Malabo Convention
The treaty’s entry into force, with ratifications from only 15 of the AU’s 55 member states, has a variety of implications for the AU. While the Convention has now entered into force by the operation of law, with only 15 ratifications, it is another question entirely whether it will receive enough support to be acknowledged as a relevant continental treaty that mandates national implementation. Fifteen country ratifications won’t go far in getting the Convention the regional and international acknowledgment it needs to be recognised as a viable regional instrument with the force to regulate cybersecurity across Africa.
There are also concerns about the perceived lack of transparency in the drafting process of the Convention. After the Convention was drafted, for example, the AUC merely hosted three validation workshops with AU member states, inviting very little involvement from civil society organisations and the private sector. In addition, not all AU member states were involved in the drafting process, rather, they became involved in the later efforts to improve the draft and reach consensus.
So far, none of Africa’s noted power countries – such as Egypt, Algeria, Nigeria, South Africa, Kenya, Morocco or even Ethiopia, which is the seat of the African Union Commission – have yet to ratify the Convention.
In the intervening years between the Convention’s drafting in 2011 and its entry into force, there have been many developments in the digital realm, so it’s reasonable to question whether it’s still fit for purpose. There have been significant policy advances in Africa’s digital space, including the Africa Digital Transformation Strategy 2020-2023, the Lomé Declaration on Cybersecurity and Fight Against Cybercrime 2022 and other regional policy efforts. Many pieces of national cybersecurity legislation have also been drafted and enact cybersecurity and data protection laws separately – a departure from the Malabo Convention model, which incorporates cybersecurity and data protection in one instrument. It is therefore appropriate to ask whether the Malabo Convention will conform to the region’s cybersecurity and data protection realities or instead pose implementation challenges for states in the region. The AU introduced its Data Policy Framework in 2022, before the Malabo Convention entered into force, forcing further reconsideration of the value of the Malabo Convention.
While the Malabo Convention intends a unified continental approach, the idea of merging three interrelated but separate topics – electronic transaction, personal data protection and cybersecurity – into one legal instrument has been called a challenge to the Convention’s success. This broader scope raises the possibility of overlap with existing national laws and may affect implementation alongside laws that aren’t compatible with the Convention’s provisions. An example is Article 2(1)(a) of the Convention, which seeks to abolish gambling, including betting and lotteries, in African countries as a cybersecurity measure.
Enhancing the significance of the Malabo Convention
With the ongoing negotiations for a global cybercrime convention, the adoption of the Malabo Convention by all African states could represent the panacea of a united continent with shared standards and principles, and provide a common language for cybersecurity governance in the continent. It is important for the African Union Commission (AUC) to allocate resources to encourage increased ratification of the Convention and urge African states to adopt the Convention in their national contexts. The AUC also needs to prioritise capacity building for the implementation of the Convention.
In the absence of effective regional/continental legal frameworks for cybersecurity, Africa’s burgeoning digital landscape will face constraints. Cybersecurity is one of the cross-cutting themes of the Digital Transformation Strategy for Africa. Africa’s digital transformation is intertwined with diverse discourses such as the digital economy and infrastructure, meaning that its digital transformation agenda cannot be accomplished without prioritising cybersecurity. This is even more important with the introduction of regional initiatives such as the African Continental Free Trade Area (AfCFTA), the Digital Single Market and the AU Agenda 2063.
The 15 countries which have ratified the Malabo Convention are now faced with a colossal task. First, the Malabo Convention was drafted in 2011, and emergent digital advancements mean that provisions in the Convention may require revision and updating. If the Convention is deemed outmoded, it may lead countries to implement inadequate cybersecurity legislation. Therefore, now that the Convention has entered into force, state parties to the Convention must review it in light of technological and legal developments since 2011. This will need to include debate over which emergent activities, such as the use of ransomware, should be criminalised by contemporary cybersecurity legislation.
The state parties must also debate the possibility of adding protocols to or amending the Malabo Convention. This review should include consideration of emergent international standards for cybersecurity. African countries have shown obvious interest in the ongoing UN negotiations to elaborate a global cybercrime convention. As a starting point, the state parties may draw lessons from the process and consider best practices in light of other international frameworks.
With increasing cyber uncertainties in the region, the ratification of the Malabo Convention is a major step towards African regional consistency on cybersecurity. The Convention will further provide a platform for cooperation aimed at harmonising cybersecurity policy approaches in the region. The Malabo convention is also embedded with diverse cybersecurity values for the Continent: it underscores, for example, the importance of multi-stakeholder engagement for promoting regional cybersecurity. The Convention also enjoins African states to uphold the African Charter on Human and Peoples’ Rights and enact cybersecurity laws that take into account their constitutional and international obligations to human rights.
The need for Africa-Europe cybersecurity cooperation
Multilateralism is valuable for cyber governance and state parties to the Malabo Convention must also debate which international cooperation approaches are best suited to promoting cybersecurity in the region. The European Union (EU) has highlighted digital transformation as one of its pillars of cooperation with Africa and, together with the Council of Europe, has continued to promote efforts to enhance cybersecurity through regional cooperation with the African region. The sixth European Union – African Union summit set a Joint Vision for 2030, which identifies strengthening cooperation on cybersecurity as a crucial area of focus. Through the Africa-EU Partnership on the Policy and Regulation Initiative for Digital Africa (PRIDA), the GLACY (Global Action on Cybercrime) and the GLACY+ projects, the EU and the Council of Europe have partnered with the AUC to ensure that African countries build policy capacity necessary to enhance cybersecurity.
The Budapest Convention, which opened for signature over 20 years ago, is one of the most important international instruments on cybercrime, however, only six African countries have ratified the Convention. Some African states tend to view the Budapest Convention as a ‘competitor’ treaty to the Malabo Convention, because other regions were not involved in the enactment process of the Budapest Convention. The Budapest and Malabo Conventions are not in competition, but complementary to each other, and the Budapest Convention provides a platform to enhance international cybersecurity cooperation.
Since 2018, the AUC has been partnering with the European Union and the Council of Europe (GLACY+ and Octopus Project) to deliver the African Forum on Cybercrime, at which stakeholders discuss the benefits of both Malabo and Budapest conventions for African states and commit to work together towards strengthening international cooperation against cybercrime. Improving such policy exchange approaches and sharing best practices – especially lessons from the implementation of the Budapest Convention, which has been in force for 22 years – as a capacity building strategy will help strengthen the implementation of the Malabo Convention.
A comprehensive cooperation strategy for policy improvement which would support the African region in designing and implementing cybersecurity policy solutions adapted to local challenges will strategically build capacity for the effective transposition of the Malabo Convention into national laws, and enhance the development of national cybersecurity legislation which is compatible with functional international standards. African countries would benefit from ratifying the Budapest Convention as well, to take advantage of the cybersecurity cooperation platform it affords state parties. Some African policymakers have already benefitted from capacity building efforts provided through the framework of the Budapest Convention.
While the core reason to enact cybersecurity treaties is to create legal instruments regulating cybercrime, they also provide a framework for states to build relationships for international cooperation, capacity building and exchange of best practices. They are also needed to enhance dual criminality and mutual legal assistance. The Malabo Convention is not without challenges, however, regional cybersecurity legislation is indispensable for Africa, and the significance of the Malabo Convention will depend on its adoption by African states. It will also further opportunities for continental support in promoting a cybersecurity agenda for Africa.
About the Author
Dr. Nnenna Ifeanyi-Ajufo is a lawyer and a Senior Lecturer of Law and Technology at the School of Law, Swansea University. She is also the Vice-Chairperson of the African Union Cyber Security Experts Group (AUSCEG), a Senior Research Fellow at the African Centre for International Criminal Justice and a member of the Cyber Threats Research Centre (CYTREC) Team at Swansea University. Nnenna holds an LLM in International Information Technology Law, MA in African Studies and LLD in International Law.