In 2014, the African Union (AU) adopted the Convention on Cyber Security and Personal Data Protection, a legal framework for addressing cybercrime and data protection in Africa. The Convention is also known as the Malabo Convention, and several African countries have already signed up to it. The Convention is a critical tool for protecting personal data and preventing cybercrime on the continent.

The Malabo Convention is in effect!

Article 36 of the Malabo Convention says that the treaty will come into effect when there are 15 ratifications. Mauritania ratified the Convention on 9 May 2023. This means that the Convention came into effect 30 days later, which is 8 June 2023.

Fast facts about the Convention

Fifteen African Union member states have adopted the Malabo Convention, including Angola, Benin, Chad, Congo, Egypt, Gabon, Gambia, Guinea-Bissau, Lesotho, Mauritania, Namibia, Niger, Sao Tome and Principe, Senegal, and Zambia. South Africa has not yet adopted the Convention, although it is a member of the African Union. You can read the Malabo Convention on the AU website.

The South African government has not yet adopted the Convention because of concerns about its compatibility with existing South African laws and regulations, like the Protection of Personal Information Act (POPIA). However, South Africa has implemented many of the principles of the Malabo Convention through other laws and regulations. For example, the Electronic Communications and Transactions Act (ECTA) criminalises certain types of cybercrime. Another example is the Cybercrimes Act, which aims to reduce and prevent cybercrime in South Africa.

Important takeaways

The Malabo Convention covers a broad range of issues related to cyber security and personal data protection. Here are the key takeaways:

Cybercrime

The Convention criminalises a broad range of cyber activities, including hacking, cyber fraud, and identity theft. It also establishes procedures for investigating and prosecuting cybercrime, including international cooperation between African countries.

Personal data protection

The Convention recognises the right to privacy and provides a framework for protecting personal data. Countries that have adopted the Convention must establish data protection authorities and ensure that personal data is collected, processed, and stored securely.

Cooperation

The Convention emphasises the importance of international cooperation in combating cybercrime and protecting personal data. For example, African countries must cooperate with each other and other countries in areas like information sharing, mutual legal assistance, and extradition.

Offences

The Malabo Convention has criminal provisions relating to attacks on computer systems, computerised data breaches, content-related offences, and offences relating to electronic message security measures. For example, ICTs can face criminal sanctions and fines for non-compliance with the Convention.

Actions you can take

If your business operates in Africa, you must comply with the Malabo Convention’s provisions. Here are some practical tips to help you comply:

  • Implement data protection measures: Ensure your data protection policies and procedures comply with the Malabo Convention’s requirements. This may include implementing encryption, access controls, and other technical measures to protect personal data.
  • Train your employees: Educate your employees on the risks of cybercrime and the importance of protecting personal data. Ensure they’re aware of the relevant laws and regulations and can identify and report suspicious activity.
  • Monitor your systems: Regularly monitor your systems for cybercrime and data breaches. This may include implementing intrusion detection and prevention systems and conducting regular vulnerability assessments and penetration testing.
  • Develop an incident response plan: Have a plan in place to respond to cyber incidents and data breaches. It should include procedures for reporting incidents, containing the damage, and notifying affected individuals or authorities as required by law.
  • Transfer data lawfully: Controllers may not transfer personal data to a non-member state of the AU unless that country has an adequate level of protection.
  • Get updated practical tips to comply with the Malabo Convention and other instruments by joining the Michalsons Data Protection and Cybercrimes Programmes.

The Malabo Convention is a critical tool for protecting personal data and preventing cybercrime in Africa. By understanding its provisions and complying with its requirements, businesses and individuals can ensure their data is secure and their systems are protected against cyber threats.