On July 10, 2023, Carnegie’s Technology and International Affairs Program and the Technology, Finance and Commerce Research Cluster of the University of Bradford’s School of Law hosted a virtual roundtable to discuss Continental Cyber Security Policymaking and the relevance of the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) to Africa’s Digital Financial Ecosystems.

Carnegie convened this session to explore the significance of the entry into force of the Malabo Convention—the only cybersecurity convention in the world that combines cybersecurity, cyber crime, electronic transactions, and data protection in one legal instrument—with input from African cybersecurity and financial sector experts.

The African Union (AU) adopted the convention in June 2014. Nine years on, the convention finally received the minimum number of ratifications (fifteen) required for it to enter into force per Article 36 of the convention. For Africa, it marks the first legal instrument pertaining to digitalization to be enacted at the continental level. Once operational, the domestic laws of states that are party to the convention are required to conform to the standards and principles outlined in the convention, and to address each policy area therein.

Three key issues guided the discussion:

  1. The convention was initially drafted in 2011 and adopted in 2014, and emerging digital technologies and the digital financial services landscape in Africa have diffused significantly since then. In this context, is the convention still fit for purpose to address these and other developments?
  2. Considering it took almost a decade to reach the minimum number of signatures for the convention to enter into force, what will be the convention’s implementation value?
  3. Given that several member states already have laws addressing cybersecurity and data protection (often separately), will the instrument conform to the cybersecurity and data protection realities of national jurisdictions?

Key highlights from our expert panelists included:

  • An oral history of how the Malabo Convention came about. Moctar Yedaly, who was previously the head of information society for the African Union Commission and a key coordinator of the process, walked us through the journey since the early 2000s to the adoption of the Convention in Malabo in 2014. Coincidentally, he—having since then become the minister for digital transformation and innovation in Mauritania—steered the process of the convention entering into force, by advocating for the fourteenth signature from The Gambia (in 2022) and the fifteenth from Mauritania (in 2023).
  • An appreciation of ‘why it took so long’ for the convention to enter into force. As Yedaly and Abdul-Hakeem Ajijola, chair of the African Union Cybersecurity Experts Group (AUCSEG), both pointed out, it was an uphill task from adoption to ratification by member states. Through AUCSEG’s informal engagements with member states and other stakeholders, they discovered significant challenges such as a lack of awareness of the convention’s significance and misunderstandings about its implications for local decisionmaking (for instance, many government representatives were unaware of the opt-out clauses available where local sovereignty concerns arose). As the text of the convention aged, calls to abandon it altogether and draft a new one also emerged. In sum, bureaucracies at both the AU and country levels prolonged this journey.
  • However, it was noted that this is not unique to the African context. Ajijola pointed out that the Budapest Convention (The Convention on Cybercrime) was initially conceived in the 1990s, adopted in 2001, and only went into effect in 2004.
  • It was also pointed out that the Malabo Convention did receive input from the United States, European Commission, and other global actors, who registered appreciation for its conception. Furthermore, the Malabo Convention also aligns with the Budapest Convention (rather than competing with it).
  • How the convention will impact or be impacted by other continental-level digital developments, such as the Digital Transformation Strategy for Africa (2020-2030), Agenda 2063, and African Continental Free Trade Area (AfCFTA), where the latter two identify cybersecurity as a priority and flagship project, respectively:
  • As David Satola from the World Bank pointed out, the convention’s entry into force could have significant bearing on combatting cyber crime and bolstering cybersecurity, particularly in establishing dual criminality and streamlined enumeration of cyber crimes across jurisdictions to facilitate evidence generation.
  • He also noted a prospective value addition of the convention in enabling African Union member states to align “Africa positions” in ongoing global deliberations, such as the ongoing negotiations on a UN cyber crime treaty.
  • African countries, in his view, can leverage the Malabo Convention to facilitate the establishment of mutual legal assistance treaties (MLATs) to exchange information on cyber incidents, and constant information exchange mechanisms/networks among member states, to enable traction from incident reporting to prosecution in the event of cyber crimes.
  • He added, however, that in all this, balancing cybersecurity and human rights remains an important consideration, as does the importance of multistakeholder engagements, such as the roundtable, toward the successful implementation and enforcement of the convention.
  • Given the discussion’s focus on the convention’s implications for digital financial services (DFS), important context was given to the e-commerce segment having been framed with e-government services in mind, rather than fintechs and mobile money, which have since grown to dominate the African digital finance ecosystem. In this regard, the perspectives from representatives of banks and fintechs offer important insights for what the convention will mean for the DFS landscape.
  • Laura Temesi of Standard Chartered Bank emphasized the potential of MLATs relating to cyber incidents and of improved information sharing and knowledge exchange, including public-private partnerships (PPPs) that would also bolster protection of personal information and mitigate identity theft, toward turbocharging e-commerce, notably through AfCFTA.
  • She also emphasized the need for whole-of-government approaches to tackling cybersecurity, a borderless, cross-sectoral issue, making it at once a concern for information and communications technology (ICT), finance, trade, and other line ministries in respective countries. She rightfully observed that an immediate challenge for the convention will be the different paces of adoption, compounded by individual countries’ laws on cybersecurity and data protection—including jurisdictions with data localization preferences, as well as other competing ICT concerns such as affordable internet access.
  • Professor Olayinka David-West of Lagos Business School observed that for fintechs, this convention could present yet another hurdle to understanding and complying with local and regional laws and regulations governing their sector. Fintechs, as she put it, tend to be “compliance-lite,” with a propensity to focus on fundraising and market growth, rather than regulatory compliance. Yet, given fintechs’ instrumental role in the continent’s DFS space, it is important to keep in mind the risk vectors they potentially can introduce, and how any compliance burdens can further increase such a risk. (Compliance concerns have been raised in several country perspectives featured in the CyberFI project so far.)
    • The question then becomes how to level the operational field for fintechs to minimize the burden of compliance at intra- and cross-jurisdictional levels. In comparison, banks tend to have the upper hand on compliance, including dedicated departments.
  • Rosemary Koech-Kimwatu of the Association of Fintechs in Kenya offered that the convention presents some predictability on legal requirements for fintechs, which typically operate in unpredictable legislative and regulatory environments. The convention, in this regard, serves as a prospective north star for what fintechs’ operational environment across the continent could look like, which is a significant milestone.
  • With regards to next steps for the convention, all panelists agreed that there is work ahead to update the instrument.
    • This could be through guidance notes and additional protocols for each of the areas it covers, as a way of adapting to the operational environments across the continent that have evolved significantly since the convention was first adopted. It was observed as well that getting more specific in the convention is unlikely to generate consensus across member states, a political reality that shouldn’t be overlooked. However, the spirit of the convention is widely appreciated across the AU member states, with a number of countries having developed their cybersecurity and data protection laws in line with the Malabo Convention.
      • Ghana—as Professor Nnenna Ifeanyi-Ajufo pointed out and has written about—presents a unique case study in this regard, having also ratified the Budapest Convention. The West African nation has made impressive steps in operationalizing this suite of laws, including toward its Digital Financial Services policy, a one-of-a-kind focus on the continent.
      • Mauritania is also streamlining relevant cyber crime laws and policies with the Malabo and Budapest Conventions.
    • Making the instrument fit for purpose will require tailoring it to the reality that micro, small and medium-sized enterprises form the bulk of the continent’s businesses. There will likely be tensions between ensuring the convention caters to this reality and its alignment with the global focus on cybersecurity, data protection, and e-commerce, where multinationals and larger institutions like banks may have more primacy.
    • Additionally, the convention still needs to be ratified by all African Union member states. Its entry into force means that all African Union member states must take the convention into consideration in drafting, revising, and even implementing their jurisdictional laws on cybersecurity and data protection.
    • Capacity and skills were mentioned often, with a particular emphasis on the capacity of political leaders to engage on cybersecurity matters. Yedaly pointed out that cybersecurity has barely featured in many African leaders’ speeches, including on digital transformation. Cybersecurity concerns, especially in Africa’s DFS ecosystems, straddle both the financial and telecommunication sectors, given the prevalence of mobile telephony to power mobile money and fintech innovations. The cyber vulnerabilities that then extend even to the infrastructure delivering digital financial services are an urgent and rather unique concern for the continent.

The roundtable recording can be accessed here.

(Special thanks to Professor Ifeanyi-Ajufo for co-convening this session.)