Malabo Convention: African Data Regulators call for Action

By UW Team

At the 3rd Data Privacy Symposium Africa 2021, held in Kampala, one of the key takeaways from a bevy of presentations by expert panelists from across the continent and the world was that the Covid-19 pandemic has exposed glaring gaps in how governments and private actors collect and manage personal data. The outcome reinforces the persistent call from Civil Society Organizations (CSOs) on the “urgent” need to prioritize data security and privacy.

Data privacy is a human right, which connotes the freedom of an individual to determine at their own discretion how, and to what extent, their personal information is collected, managed, or shared. The lifeline of this right is to give people the power to directly engage in determining who accesses their information and for what purpose. This personal data can include names, location, contact information, or online or real-world behavior.

The pandemic has further cleared the path for the growth and development of Africa’s cyber sector, as the “new normal” has compelled both public and private entities to digitize services. Over the past year, the use of technology has increased significantly, and so has the associated threat, which is unfolding into a genuine crisis; yet authorities have been too slow to act.

According to experts at this year’s symposium, there has never been a better time to prioritize the operationalization of privacy laws and frameworks to guarantee the protection of personal data than now.

“Dawn is breaking, but we are yet to be in full daylight,” Tunde Fafunwa, the Lead Advisor to the Economic Commission for Africa (ECA) Digital Center, told participants, adding that although some African countries are enacting some form of safeguards, the continent is still far from guaranteeing these rights.

An ignored tool for collective good

In 2014, fifty-five (55) African heads of state adopted the Convention on Cyber Security and Personal Data Protection, also known as the Malabo Convention. Almost seven years down the road, only fourteen (14) states have signed and eight (8) have ratified the Convention.

Speaking at the 3rd Privacy Symposium Africa, the National Director of the Personal Data Protection Office Uganda, Stella Alibateese, described the increased endorsement of data protection legislation across the continent, and the formation of data protection authorities, as steps toward ratifying the convention.

“African states have indeed performed poorly in regards to the ratification of this convention … whereas they may not have ratified the convention, they have still taken measures to ensure that they pass legislation that ensures the protection of personal data,” said Alibateese.

She says the African Union has set key indicators to monitor the harmonization of the regulatory framework. The monitoring assesses states on the existence of personal data protection laws, whether that legislation contains the minimum requirements provided for in the convention, and the presence of a national authority for personal data protection.

For her part, the President of the Commission for Data Protection (CDP), Senegal, Awa Ndiaye, thinks that it’s time for the African Union to support member states towards ratification of the Malabo Convention.

The Malabo Convention envisions Africa as a single entity in terms of data and privacy protection and calls for a harmonized, independent, and robust legal framework which protects all people from processors and data controllers. It therefore covers three main areas of public interest: electronic commerce (e-transactions), personal data protection, and cyber security.

The unified legal framework, therefore, aims at strengthening accountability from data controllers by defining the roles and responsibilities of state parties in precise terms as liable entities. This is rooted in its call for the establishment of a National Data Protection Authority (DPA) with an independent administrative role with the task of ensuring that the processing of personal data is duly regulated.

It charges the Authority with the power to set procedures to be followed in the collection and processing of personal data, both general and sensitive, and gives it the mandate to permit or deny authorities the same. It dictates further that government and private actors in the business of the information and communication technology sector cannot be members of the national protection authority.

It also provides for collaboration between public and private actors, civil society, and academia and encourages international partnerships in the promotion and enhancement of a culture of cybersecurity.

The Convention thus is a tool of collective good because it is motivated by an analysis of the dangers associated with unmitigated access to personal data by both state and private actors and the need to spur information and communication technology development that respects individual rights and freedoms.

Much as the African Union has issued this call-to-order to all partner states, only 50% have passed data protection and privacy laws. Analysts have argued that most data protection laws in Africa are primarily focused on giving governments powers to comfortably define data privacy rather than protecting data subjects. It has also been observed that Data Protection offices across the continent are struggling to work as fully constituted independent entities, with the human and resource capital to operate.

In Uganda, the Personal Data Protection Office is an entity under the National Information Technology Authority-Uganda (NITA-U), struggling to mobilize its own resources to operationalize the Data Protection and Privacy Act 2019; the government appointed Stella Alibateese as its Director in July 2021.

A threat to all

The common denominator on this subject at the Symposium was that the unpredictable data safety environment threatens not only Africa’s nascent e-commerce industry but also other sectors, such as civil society and academia, among others, which are crucial for socio-economic growth and development in Africa. For civil society, it poses a significant risk to local organizations working with marginalized communities or around sensitive subjects, leaving both themselves and the people they are protecting vulnerable. It also creates problems for international groups looking to partner with local agencies, raising questions about what information can safely be gathered and shared.

The lack of interest in the convention has made states negligent in setting up institutional and human capital investment in this area. At the Symposium, panelists said that the reasons African states do not have laws and regulations in this very important part of our lives include, amongst other things, a lack of skills and capacity to appreciate the importance of such conventions, the absence of skill and will to evaluate the cost of cybercrime to national economies, delays by African governments in prioritizing ICT, and the fear among repressive governments of being held accountable once committed by ratifying such conventions.

“Unfortunately, one of the things that we know about this area is that technology and data is moving very quickly and as a general challenge globally, regulations typically lack the technical advances … Even in cases where Data Protection Authorities have been established, there is going to be a need to expand and deepen that function … because the issue of privacy is becoming more complicated,” concluded Tunde Fafunwa.

For Awa Ndiaye, African states need to prioritize the ratification of this convention as a document of relevance to the lives of their people.