African Union: Malabo Convention set to come into force
Nine years after its initial adoption, the African Union Convention on Cyber Security and Personal Data Protection (the “Malabo Convention”) is set to come into force after Mauritania became the 15th state to submit its ratification.
A recent AU status list on the Convention shows Mauritania submitted its instrument of ratification on 9 May 2023, meaning the Convention is likely to come into force by 8 June 2023, 30 days later.
Background to the Malabo Convention
This marks a significant milestone in the African continent’s efforts to address issues of cybersecurity and data protection. The Convention, which the AU Assembly adopted in 2014, aims to create a comprehensive legal framework for electronic commerce, data protection, and cybercrime and cybersecurity on the continent. Once the Malabo Convention is operational, all 55 AU member states are mandated to have domestic laws in each of these policy areas which conform to various standards and principles outlined in the Convention.
However, it has taken nine years for the Convention to attract the 15 domestic ratifications required to come into force, delaying its implementation. While the Convention has generally been regarded as an significant policy step for the African continent, it has also drawn criticism as a legal instrument. Points of concern include that the Convention lacks important detail, and does not provide for mechanisms to support its enforcement.
The way forward
With the Malabo Convention set to come into force, attention must shift to implementing it effectively and addressing its identified gaps. Recommendations include:
- The AU Commission should consider developing implementation guidelines for member states and a drafting a plan of action to address gaps in the Convention, including protections for human rights in the use of artificial intelligence, measures to ensure proper resourcing for domestic data protection frameworks, and the establishment of regional bodies to monitor implementation.
- The development of a model African data protection law could provide a roadmap for states to enact legislation in line with the Convention.
- Providing ongoing support for data protection authorities in Africa, including the Network of African Data Protection Authorities, is also essential to advance the implementation of the Convention and align efforts across the continent.
Countries that have ratified the Malabo Convention
The AU’s latest status list on the Malabo Convention, dated 12 May 2023, lists the following 15 states as having submitted ratification:
Angola (11 May 2020), Cape Verde (5 February 2022), Côte d’Ivoire (3 April 2023), Congo (23 October 2020), Ghana (3 June 2019), Guinea (16 October 2018), Mozambique (21 January 2020), Mauritania (9 May 2023), Mauritius (14 March 2018), Namibia (1 February 2019), Niger (16 March 2022), Rwanda (21 November 2019), Senegal (16 August 2016), Togo (19 October 2021), and Zambia (24 March 2021).
In addition, the following states are listed as having signed the Malabo Convention without yet ratifying it:
Benin, Cameroon, Chad, Comoros, Djibouti, Gambia, Guinea-Bissau, South Africa, Sierra Leone, Sao Tome and Principe, Sudan, and Tunisia.
- The AU Convention on Cyber Security and Personal Data Protection is available here.
- The Malabo Roadmap, a document exploring pathways to implementing the Malabo Convention, is available here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].