Data protection in Africa: The prospects of the Malabo Convention in the digital age
Introduction
In 2020, the Experian data breach in South Africa became what is often described as one of the largest data breaches on the African continent.
It was reported that about 24 million South Africans and 793,749 business entities were affected by this breach (South African Banking Risk Centre, n.d.). How did this happen? The data was handed over to a cybercriminal who pretended to be representing one of Experian’s clients.
This was discovered on the popular data transfer website “WeSendIt” (Jamgotchian, 2021). Experian is a multinational data analytics and consumer credit reporting company, so it can be assumed that banking details, credit card details, phone numbers, and residential addresses, among other sensitive data, were exposed.
This is a typical incident of social engineering. For the uninitiated, social engineering in cybersecurity refers to the practice of using social tactics to gain information. It is often low-tech and encourages individuals to do something they would not normally do, or causes them to reveal some piece of information, such as user credentials (Gibson, 2021).
One modus operandi of social engineers is impersonating someone in order to gain access to sensitive information, which is what is reported to have happened in the Experian data breach. The Experian breach is just one of the many data breaches on the African continent in recent years.
Some of the most recent breaches include the SilentCards breach in Kenya in 2019; the Shadow Kill hack in Johannesburg in 2019; and the Jumia Nigeria data breach in 2021.
For many individuals, discussions about data breaches sound esoteric, as they believe the likelihood of such an incident happening to them is wildly improbable. This, perhaps, is the reason it is not considered a serious topic in many African countries.
So, let’s make this more practical and relatable. Let’s assume that there is a supermarket in your neighbourhood where you buy all your groceries and other basic necessities. Every time you visit the shop, you pay with either your credit card or debit card.
The supermarket keeps your information in its system for ease of transacting business every time you go there. One day, the supermarket experiences a data breach, probably orchestrated by one of its customers. The attacker gets access to all your credit card details, phone numbers, and email addresses, among other information.
A few weeks later, you notice transactions on your bank account that you did not authorize. The attacker is using your credit card details to make purchases in your name.
He may even send phishing emails to your email address, which can give him access to other information on your personal computer, and by extension, your company’s servers if your company does not have robust security protocols in place.
And the escalation continues. The attacker may even steal your identity. Your only mistake was shopping for groceries at your favourite neighborhood supermarket. I believe you catch my drift now.
If you are a fan of movies like myself, you’ve probably seen depictions of social engineering and data theft in movies such as Mission Impossible, Catch Me if You Can, or the White Collar TV series.
Technology is evolving at a blistering speed, and data processing is at the heart of this evolution. There is an urgent need to protect personal data from cybercriminals and unauthorized persons who may want to access it for criminal or other purposes.
According to the African Private Capital Activity Report, private capital fundraising surpassed the $2.7 billion yearly fundraising average from 2016 to 2020 by 63% to reach record levels of US$4.4 billion in 2021 (Eisen, 2022). This demonstrates how rapidly technology is growing in Africa.
The African Union has taken a bold step by adopting, through its Assembly, the African Union Convention on Cyber Security and Personal Data Protection, also known as the Malabo Convention.
Overview of the Malabo Convention
The Malabo Convention was drafted sometime in 2011 and was adopted by the African Union (AU) on June 17, 2014 in Malabo, Equatorial Guinea.
However, it did not come into force until 8th June 2023. You might be wondering why it took almost a decade to enter into force. The simple reason is this: Article 36. Article 36 of the Convention provides as follows:
This Convention shall enter into force thirty (30) days after the date of receipt by the Chairperson of the Commission of the African Union of the fifteenth (15th) instrument of ratification.
This meant that the Convention would have no effect unless 15 member states had ratified and returned the ratification instrument to the Chairperson of the AU Commission. Thankfully, on the 9th of May, 2023, Mauritania became the 15th member state to ratify and return the instrument to the Chairperson.
As is clearly stated in Article 36, the Convention shall enter into force 30 days after the Chairperson has received the 15th ratification instrument. Effectively, the Convention entered into force on 8th June, 2023, 30 days after 9th May, 2023.
The 15 member countries that have ratified the Convention are Angola, Cape Verde, Côte d’Ivoire, Congo, Ghana, Guinea, Mozambique, Mauritania, Mauritius, Namibia, Niger, Rwanda, Senegal, Togo, and Zambia. This leaves forty (40) countries within the AU that have still not ratified the Convention.
The Convention contains 38 Articles, and a preamble that encapsulates the essence of the convention. Part of the preamble reads:
the goal of this Convention is to address the need for harmonized legislation in the area of cyber security in Member States of the African Union, and to establish in each State party a mechanism capable of combating violations of privacy that may be generated by personal data collection, processing, transmission, storage and use; that by proposing a type of institutional basis, the Convention guarantees that whatever form of processing is used shall respect the basic freedoms and rights of individuals while also taking into account the prerogatives of States, the rights of local communities and the interests of businesses; and take on board internationally recognized best practices;
Article 13 enumerates six (6) basic principles governing the processing of personal data. These principles are:
- Principle of consent and legitimacy of personal data processing.
- Principle of lawfulness and fairness of personal data processing.
- Principle of purpose, relevance and storage of processed personal data.
- Principle of accuracy of personal data.
- Principle of transparency of personal data processing.
- Principle of confidentiality and security of personal data processing.
Articles 29 to 31 contain criminal provisions. The Convention imposes a duty on state parties to criminalize certain conduct in their national legislation and to impose criminal sanctions on perpetrators who breach those provisions. The offences relate to attacks on computer systems, computer data breaches, and electronic messages, among others.
It also requires state parties to take the necessary legislative measures to ensure that the offences provided for under the Convention are punishable by effective, proportionate and dissuasive criminal penalties. State parties are further required to take the necessary legislative measures to ensure that the offences provided for in the Convention are punishable by appropriate penalties under their national legislation. The Convention also imposes a duty on state parties to make it a criminal offence to gain, or attempt to gain, unauthorized access to part or all of a computer system, or to exceed authorized access.
The Convention does a great job of providing guidance to state parties as to what should be done at the national level to protect personal data. It enjoins each state party to establish a national cybersecurity framework; establish an authority in charge of protecting personal data; enact laws to combat cybercrime; adopt laws that will not infringe on the citizens’ human rights contained in the national constitution; develop public-private partnerships as a model to engage industry; and adopt frameworks that strengthen regional harmonization of the measures contained in the Convention, among others.
The GDPR: How does it compare with the Malabo Convention?
The General Data Protection Regulation (GDPR) is a data protection framework that governs how the personal data of individuals in the European Union (EU) may be processed and transferred. It has been described as the world’s strongest set of data protection rules (Burgess, 2020). It was adopted by the EU in 2016 and came into force on May 25, 2018. It replaced Directive 95/46/EC of the European Parliament and of the Council, which was the primary data protection framework in the EU. By the coming into force of the GDPR on May 25, 2018, Directive 95/46/EC was effectively repealed, as is expressly stated in Article 94 of the GDPR. The purpose of this article is not to discuss the GDPR in detail and therefore discussions on the GDPR will be kept succinct.
The Regulation contains 99 overarching articles that provide for almost every aspect of personal data protection within the EU, including enforcement and penalties for breach of certain provisions. The GDPR prioritizes accountability and mandates that where there is a serious breach by an organization, supervisory authorities should impose administrative fines of Twenty Million Euros (€20,000,000) or 4% of the organization’s global turnover, whichever is greater. Since the coming into force of the GDPR, several hefty fines have been imposed by state parties on multinational data processors. Notable among them are the €1.2 billion fine imposed on Meta by the Irish Data Protection Commission, the €746 million fine imposed on Amazon by the Luxembourg National Commission for Data Protection, the €345 million fine imposed by the Irish Data Protection Commission on TikTok, the €50 million fine imposed on Google France by the National Commission on Informatics and Liberty (CNIL), among others (Data Privacy Manager, 2023).
Article 68(1) of the GDPR establishes the European Data Protection Board (“Board”) as a body that shall have legal personality, and Articles 68(2) and 68(3) provide for the composition of the Board. The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives. The Board shall also act independently when performing its tasks or exercising its powers. These tasks and powers are listed extensively under Articles 70 and 71 of the Regulation. The Board has the task of ensuring compliance with and enforcement of the Regulation within member states.
A very important aspect of the GDPR that is conspicuously missing in the Malabo Convention is its extraterritorial application. Despite being passed by the EU, the GDPR’s application and obligations extend to any organization that collects and processes data of persons within the EU. The Malabo Convention, on the other hand, does not have this extraterritorial scope. For foreign companies that are doing business or planning to do business in Africa, their compliance with data protection principles will depend on the countries within which such foreign companies operate.
To explain the point in the preceding paragraph, it is necessary to juxtapose Article 9 of the Malabo Convention and Article 3 of the GDPR. They provide for the territorial application of the respective frameworks. The Malabo Convention’s territorial scope is limited to data processing done within state parties. This means that where the data subject is not within a state party, or the data processor is not within a state party, notwithstanding that the data subject is from a state party, the Convention will not apply. This is not the case with the GDPR. The GDPR is applicable to all data processors and controllers established within the European Union, whether the data is processed within the Union or not.
Also, in some instances, the GDPR applies to data processors who are not established within the European Union but process data of persons within the Union. However, in this instance, the processing must necessarily fall under either of these two categories:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
To illustrate this point, if a company is established in, say, Ghana but processes personal data of individuals in the EU through the offering of goods and services to them, this Ghanaian company is expected to comply with the GDPR although it is not established within the EU.
Another important point worth mentioning is the issue of compliance. The Malabo Convention does not adequately provide for mechanisms to ensure compliance with and enforcement of its provisions. It makes no provision for any central authority that guarantees compliance with the Convention by state parties and data processors. Essentially, it neither assigns enforcement duties nor imposes penalties for non-compliance, leaving such determinations entirely to the state parties. There is no central body that enforces it, unlike the GDPR, which has the European Data Protection Board.
Again, the GDPR was drafted purposely for the protection of the personal data of EU data subjects, and its provisions were crafted carefully, providing minute details to achieve this purpose. The Malabo Convention, however, combines many aspects of data protection, making the document too broad and dense. The Malabo Convention is the only cybersecurity convention in the world that combines cybersecurity, cybercrime, electronic transactions, and data protection in one legal instrument (Koech-Kimwatu, 2023). In my opinion, the fact that it fuses these various aspects into one document made it difficult, or nearly impossible, for the drafters to break the provisions down to their minutest forms.
Recommendations
- The AU should intensify its efforts at getting every African country to ratify the Convention, and also get them to enact domestic laws that align with the Convention for easy implementation and enforcement. It is interesting to note that quite a number of African countries still do not have data protection laws. How are these countries expected to lend support to the enforcement of the Convention? It is reported that as of July 2022, 22 African countries still did not have data protection laws in place (ALT Advisory, 2022). Between that time and now, Nigeria has passed a Data Protection Act, which came into force on 14th June, 2023. It replaced the Nigeria Data Protection Regulation, which was the primary data protection law before the Act. This is commendable, especially as Nigeria has the largest economy on the continent and most likely processes more personal data than any other African country.
As a Ghanaian, I am proud to say that Ghana passed its Data Protection Act in 2012 and is making strides in its implementation and enforcement. Getting data processors and controllers to register with the Data Protection Commission has, however, not been easy. Calls are constantly being made by the Commission to get all data processors and controllers to register with it, failing which they shall be prosecuted as mandated by the Act. The Commission also has a dedicated prosecutor who will prosecute persons who breach the Act. A step in the right direction.
- It is my considered view that the Convention is too broad, causing it to miss vital details. The amalgamation of cybersecurity, cybercrime, electronic transactions, and data protection into one legal instrument may not have been the best decision, and the consequence of that decision is the Convention’s apparent lack of granular detail. Each of these domains has its own complexities that require special approaches. I recommend two possible solutions. First, copious guidelines or directives should be issued by the Union to aid in the implementation of the Convention. There should be separate guidelines covering cybersecurity, data protection, cybercrime, and electronic transactions. These guidelines or directives would essentially expand on what is contained in the Convention. Article 37 allows the Commission to amend the Convention and provides the procedure for doing so. If this first solution is adopted, the Convention must first be amended to accommodate these guidelines or directives.
The second solution is for the Union to break the various domains into separate conventions and provide more detail in each of them. Data protection should have its own convention. So too should cybersecurity, cybercrime, and electronic transactions. This strategic division will afford the Union the avenue to provide enough detail in the respective conventions for easier monitoring and implementation. Cross-border e-commerce on the continent is picking up pace by the day, and with this rise come security and privacy issues that need to be addressed urgently. The Convention in its current state is not enough to combat the attendant security and data privacy issues.
- As noted above, the Malabo Convention does not have extraterritorial application. Its territorial scope is limited to data processed within member states, and even in those cases, there is a heavy reliance on domestic legislation. Where a domestic law does not align with the Convention, its application becomes a problem. Also, data subjects from member states whose personal data are being processed by organizations outside the continent are not protected. The following countries are in Europe but have not implemented the GDPR: Albania, Belarus, Bosnia and Herzegovina, Kosovo, Moldova, Montenegro, North Macedonia, Russia, Serbia, Turkey, and Ukraine. Despite not implementing the Regulation, any organization in these countries that collects data in EU/UK member states is subject to the GDPR (GDPR Advisor, 2023).
It is recommended that the Convention be amended to expand its territorial scope to protect African data subjects irrespective of where their personal data are processed, just as the GDPR does.
- Another recommendation is in respect of enforcement and monitoring. The Convention should be amended to provide for a central body that will ensure enforcement, monitoring, and implementation, as the GDPR has. The European Data Protection Board established by the GDPR is composed of representatives from the member states whose duty it is to ensure compliance. It is recommended that the AU take a page out of the EU’s book and provide for effective monitoring and implementation by establishing a Board that will oversee the activities of member states in this regard. The Convention places a lot of responsibility on state parties to implement certain measures to guarantee compliance but does not establish a body to oversee these state institutions. Article 32 of the Convention states that the Chairperson of the Commission shall report to the Assembly on the establishment and monitoring of the operational mechanisms of the Convention, but it does not say who shall do the monitoring or how that team shall be put together. This is a necessary detail that is missing from the Convention and needs to be rectified.
Conclusion
The Malabo Convention represents a political pledge made by AU member states to take all the necessary steps to ensure data protection is given the needed attention and protection.
The comparison of the Convention with the GDPR has revealed possible areas that require reform and harmonization to ensure that it aligns with global best practices. This comparison highlights the global relevance of safeguarding personal data in our increasingly interconnected society. As data becomes the core of technological progress, the need for strong rules to protect individual privacy becomes more essential than ever. It is therefore not only a legal requirement but also a moral one to protect personal data. The Malabo Convention’s guiding principles provide the groundwork for an internet future in Africa that is safe and respects privacy. African countries can strengthen their data protection policies by paying attention to the lessons that established frameworks like the GDPR have to teach them and tailoring those lessons to local variations. The Malabo Convention also represents a great point of reference for countries in the AU that have not yet enacted data privacy legislation. The point is clear: data is the new oil in this ever-evolving digital economy, and robust steps must be taken to protect it against cybercriminals.
References
South African Banking Risk Centre. (n.d.). Experian Data Breach. sabric.co.za. Retrieved November 15, 2023, from https://www.sabric.co.za/media-and-news/press-releases/experian-data-breach/
Jamgotchian, R. (2021, January 25). Everything You Need to Know About Experian’s Data Breach. Triada Networks. https://triadanet.com/experian-data-breach/#:~:text=The%20Experian%20data%20breach%20was,representing%20one%20of%20Experian’s%20clients.
Gibson, D. (2021, June 30). CompTIA Security+ Get Certified Get Ahead.
Eisen, L. (2022, November 10). Africa Is A Tech Hub On The Rise. Forbes. https://www.forbes.com/sites/forbesbusinesscouncil/2022/11/10/africa-is-a-tech-hub-on-the-rise/?sh=679ee3672736
Burgess, M. (2020, March 24). What is GDPR? The summary guide to GDPR compliance in the UK. WIRED UK. https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018
Data Privacy Manager. (2023, October 30). 20 biggest GDPR fines so far [2023]. https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/
Koech-Kimwatu, N. (2023, July 10). Continental Cyber Security Policymaking: Implications of the Entry Into Force of the Malabo Convention for Digital Financial Systems in Africa. Carnegie Endowment for International Peace. https://carnegieendowment.org/2023/07/10/continental-cyber-security-policymaking-implications-of-entry-into-force-of-malabo-convention-for-digital-financial-systems-in-africa-event-8146
ALT Advisory. (2022, September). The Malabo Roadmap: Approaches to promote data protection and data governance in Africa. Retrieved November 12, 2023, from https://dataprotection.africa/wp-content/uploads/malabo_roadmap_Sept_2022.pdf
GDPR Advisor. (2023, September 14). GDPR Countries in 2023. https://www.gdpradvisor.co.uk/gdpr-countries
About the author: Harrison Kpotor, Esq. is an Associate at Nana Obiri Boahen & Associates and has a special practice interest in cybersecurity and data protection. He welcomes views on this article via harry.kpotor@gmail.com or +233 208435606.