The Malabo Convention on Cybersecurity and Data Protection (hereinafter “the Convention”) entered into force in June 2023, nine years after its adoption by the African Union in 2014. Although this enormous delay in the Convention’s entry into force would merit particular questioning, the purpose of our discussion is limited to the relevance of such an instrument in the current African landscape of personal data protection.
A simple declaration of principles
Article 8 of the Convention, which is devoted to its purpose, clearly states that the States that have ratified the Convention – currently some fifteen out of fifty-four – are committed to introducing a specific national legal framework for the protection of personal data, aimed at protecting certain fundamental rights such as freedom of expression and the right to privacy. However, the Convention does not provide tangible guarantees against the violation of these rights, and leaves it up to the Member States to set up a legal framework and entrust its control to a national authority.
Thus, the aim of the Convention is not to confer a direct right on EU citizens. As a reminder, unless otherwise stated, the content of international conventions and treaties must be incorporated into the national legislation of the Member States, in order to become directly applicable to citizens and thus enable them to rely on them before the courts or competent authorities.
An outdated general framework
The Convention brings together data protection, cybercrime, cybersecurity and e-commerce under a single legal framework. In fact, only 12 pages are devoted to such an important subject, omitting essential definitions and processes. This generality can no doubt be explained by the fact that nine years ago the Convention was an urgent call to Member States to take up the issue of personal data protection.
Today, African states have to deal with the development and democratisation of information and communication technologies, which were not taken into account when the convention was drawn up. These include artificial intelligence, connected objects and, above all, the disappearance of physical borders, which means that the transfer of personal data to powerful companies based abroad needs to be better regulated.
The need for an update
The emphasis must be placed on updating the Malabo Convention, setting up a “Malabo +” or “Malabo 2.0”, like the Council of Europe’s Convention 108+, a modernised version of Convention 108 that proclaims the importance of human rights in the face of technological developments. Efforts to increase the number of ratifications of an outdated text should be directed towards more fundamental work to rectify the Convention’s shortcomings and anachronisms. A specific protocol on the protection of personal data, incorporating the issue of cross-border data flows, the protection of human rights in relation to artificial intelligence and surveillance, or the establishment of a central supervisory authority, would be useful.
To achieve this, African legislators would do well to draw on the experience of certain national data protection authorities. The positive momentum created by the recent entry into force of the Convention provides an unmissable opportunity to raise awareness of personal data protection among African states, organisations and citizens, thanks to the expertise of certain not-for-profit associations such as Africa Data Protection.
By Winnie Franck DONGBOU, Data Protection Lawyer
and Wissem SEMMAR-BELGHAZI, Compliance Executive.