African Union Draft Convention on Cyberspace and Cybersecurity


Welcome to an open forum on the discussion of The Draft African Union Convention on the Confidence and Security in Cyberspace. The Draft Convention has been developed jointly by the African Union Commission (AUC) the United Nations Economic Commission for Africa (UNECA).

With little or no Consultation from stakeholders in African Union Member States, the Draft is now in its final stage of development. It has been approved by the 22nd Ordinary session of the AU Executive Council (January 2013). Legal validation by the AU Ministers of Justice Conference scheduled to take place in October 2013. Thereafter, it will be adopted during an AU Summit in January 2014. Afterwards, the ratification process will start.

Given that the Draft Convention is teeming with anomalies that have an adverse effect on business, individual rights and freedoms, the social and economic sphere, it is crucial to discourage the passage of this piece of legislation as it is here.

What is your take?



Filed under African Union

3 responses to “African Union Draft Convention on Cyberspace and Cybersecurity

  1. Ken

    Notes on AU Cybersecurity Convention:

    Article I is quite useful. I only see three problems with it that could be fixed.

    Article II and III, however, could have some disastrous effects if actually implemented as law. Signing the Budapest Convention would probably be a more effective and less dangerous way to achieve these goals.


    – Article I – 4 requires the retailer to give out too much info, particularly their Tax ID number, which can be used to commit various types of identity crime.

    – Article I – 12 must disclose identity for all electronic communications – can be applied to websites, political speech. This will criminalize whistleblower or otherwise anonymous speech for legitimate purposes.

    – Article I – 26
    Retailer must accept any/all state-approved electronic payment methods. Multiple problems with this. Cost, security, finality, etc. All payment systems are not created equal.

    This clause requires all retail businesses in every country of africa to accept every legal electronic payment method in their country, regardless of the costs of doing so. Many businesses selling high value goods such as electronics, jewelry or precious metals cannot accept reversible payments such as credit cards. Small kiosks cannot afford the high cost of accepting credit cards. There should be no mandate that businesses have to accept any government-approved electronic payment method.

    Businesses will accept the payment method that works best for their situation. They have a built-in incentive to accept payment systems used by their customers, so it does not make sense to get the government involved in forcing businesses to take certain payment methods.

    ARTICLE II – Privacy Protection

    Article II tries to standardize and regulate consumer data privacy. While this is a noble and needed effort, the convention establishes a government data privacy bureau in every country of Africa. I believe this will do the opposite of achieving data privacy, and the resulting regulations will effectively shut down the growth of the Internet in Africa. It would be better to achieve this by establishing principles of law that can be pursued as tort claims rather than creating a government bureaucracy to force privacy. Governments always want to know everything about their citizens. They will not and cannot protect anyone’s privacy. Why? Because the tax man has an interest in knowing everything in order to collect more money. Therefore government has a conflict of interest when it comes to protecting privacy. Instead give individuals the legal tools to protect their own privacy via lawsuits.

    – Article II – 10 seems to indicate any business such as a bank that processes personal data including national id number must be authorized in advance by a government department of privacy?

    This basically means that you will need a license from every country in Africa in order to create a website with username and password that collects email address, name and any other identifying info. This will either be laughed at and ignored, or it will ensure that no websites are ever hosted in Africa. This will simply create a law that cannot be enforced, but can be used as an excuse by corrupt officials to extort businesses for money.


    Article III tries to standardize crime relating to the internet, however it goes far beyond crime and intrudes into the area of freedom of speech, freedom of religion, and regulating permissable views and discussions about history. This article is very likely to be abused by countries with religious states such as any African country that follows Sharia Law.

    Article III also tries to force governments to use best security practices. Governments have their own incentives to do this and do not need AU dictating this to them.

    – Article III – 34 criminalizes ideas or theories of racist or xenophobic nature, represented electronically.
    This would include Holy Bible and Quran? Quran calls the Jews dogs. Bible records the history of genocide of Canaanites required by God. Is this email now illegal?

    All religions have exclusive truth claims. Ironically, in the name of protecting religion, this section effectively outlaws public discussion or promulgation of religion. Who gets to decide what is racist or xenophobic? If a Kenyan site discusses Somalians in a way that Somalians find offensive, who decides if that is racist – the Kenya government or the Somalia government?

    – Article III – 37 – Criminalize denial of genocide? Outlawing debate and discussion about history? Who gets to decide if a particular historical event or atrocity was genocide or not, if it cannot be discussed?

    See also the disupte between Turkey and Armenia over the 1915-1919 genocide of Armenians. Turkey officially tries to suppress the history of the genocide. So which government gets to decide what is the true story?

    One can easily see where in Rwanda the government has imposed one side of the Tutsi-Hutu conflict as official and unquestionable history. It is probably not entirely unbiased. It is important that discussion about such events be protected speech. Otherwise whichever group holds power at the moment gets to dictate history of their particular conflict to everyone else in Africa and use the AU convention to suppress dissent.

    – Article III – 55 Key escrow mandatory???

    If interpreted as requiring Key Escrow, this clause effectively destroys the the privacy protection provisions of the rest of this treaty.

    “Key Escrow” means the government requires all users or providers of encryption services to keep a copy of the master key for the government. This allows the government to read all encrypted communications. However, it also allows anyone else who can get a copy of the keys to do the same. Government employees seem to have a much higher likelihood of abusing such information for personal gain.

  2. muthoni

    Looking at the history of the DAUCC drafting process, there does not seem to have been any consultation with key industry players. can the convention be suitable as it is?

  3. KG

    As a Kenyan, I object to the AU Cybersecurity Draft Convention.

    Kenya is the only country in Africa that has achieved a really successful mobile payments system which has revolutionized the Kenyan economy. It does not make any sense at all for Kenya to let the African Union, who have zero experience in this area, regulate their digital payments systems, e-commerce and IT industry. If anything, the AU should be imitating Kenya, not trying to tell us how to do it.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s