Contributions by DotConnectAfrica 2013 Africa Union Framework for Cyber security in Africa Comments to the DRAFT AFRICAN UNION CONVENTION ON THE ESTABLISHMENT OF A CREDIBLE LEGAL FRAMEWORK FOR CYBER SECURITY IN AFRICA
Executive Summary
The rapid development of ICT and its penetration into all sectors of economies, especially in Africa, is progress that must be appreciated, catalyzed and encouraged. With the increase in online dependence on ICT comes the proliferation of cyber crime, which necessitates the strengthening of cyber security measures as well as the establishment of cyber legislation. It is our hope that the proposed Convention on Cyber Security will be prepared in a multistakeholder model that includes all voices, in order to develop a proper mechanism that contributes to the preservation of the institutional, human, financial, technological and informational assets and resources put in place by institutions to achieve their objectives, and that embraces important elements of electronic commerce and the protection of personal data.
Introduction of DotConnectAfrica
DotConnectAfrica (DCA) is a not-for-profit, non-partisan organization that has its base of operation in Nairobi, Kenya and is headquartered at I/F River Court 6th Denis Street Port Louis, Mauritius, Africa (Reg.ID CT8710DCA90). Its main charitable objects are: (a) the advancement of education in information technology for the African society; and (b) in connection with (a), to provide the African society with a continental Internet domain name to have access to Internet services for the people of Africa as a purpose beneficial to the public in general. DCA is well represented in Addis Ababa, Ethiopia; Nigeria; South Africa; London, United Kingdom; and California, USA.
DotConnectAfrica (DCA) has been spearheading the proposed new Top Level Domain (TLD) .africa (DotAfrica) Initiative since 2006. DotAfrica is one of the new generic Top Level Domains (gTLDs) that will be delegated into the root zone of the Internet Domain Name Structure (DNS) by the Internet Corporation of Assigned Names and Numbers (ICANN), a US-based institution that is at the apex of Global Internet Governance.
As an independent non-profit, non-partisan entity, DCA Trust intends to utilize surplus proceeds from the registry operation accruing to the Trust Fund for charitable projects. Funds will be regularly allocated to different corporate social responsibility programs. Specific projects will be identified and supported. As the first gTLD for Africa, it will aim at bridging the digital divide that exists between other regions of the Internet community and Africa by promoting the use of ICT for development.
Preamble:
The Draft Convention should lay a background for the African states to review their legislation on cyber security. ICT is becoming a key element and player in the development of a nation and, more importantly, in the day-to-day running of institutional mandates. Businesses play a key role in deriving and generating revenue that is used to run governmental affairs; this affects how tax regimes and systems must be instituted to match the changing commercial sector, which is increasingly dependent on ICT and, most importantly, mobile online transactions. Africa is growing into this important technology, and ICT comes with several critical issues that must be addressed for proper operations that can curb issues such as cyber crime, which includes fraud, impersonation and spam, among many others. Interventions at a continental or global level that require the signing of such conventions must be properly drafted and understood by all the stakeholders, including governments, businesses, academia and citizens. This will provide a harmonized treaty that will at least neither overlook critical existing individual government legislation nor contradict it. Electronic commerce organization, personal data protection, cyber security promotion and cyber crime control are the most important factors of the online economy, and while it is critical to create harmonized continental legislation, it is important that personal data and privacy are protected as the bottom line.
Recommendations on select sections of the draft legislation.
3) Objective and goal
The objective of the Convention on Cyber Security is to contribute to the preservation of the institutional, human, financial, technological and informational assets and resources put in place by institutions to achieve their objectives. The Convention embodies the treatment of cyber crime and cyber security in its strict sense, but is not confined solely to these elements. It also embraces important elements of electronic commerce and the protection of personal data. Its ultimate goal is eminently protective given that it is geared to protecting:
- Institutions against the threats and attacks capable of endangering their survival and efficacy;
- The rights of persons during data gathering and processing against the threats and attacks capable of compromising such rights.
Similarly, the Convention seeks to:
- Reduce related institutional (and personal) intrusions or gaps in the event of disaster;
- Facilitate the return to normal functioning at reasonable cost and within a reasonable timeframe;
- Establish the legal and institutional mechanisms likely to guarantee normal exercise of human rights in cyber space.
Comment 1: The bullet point needs to add the wording "and personal" in the verbatim for completeness.
Section II: Electronic Commerce
Chapter 1: Field of application of electronic commerce
Article I 2: Electronic commerce is an economic activity by which a person offers or provides goods and services by electronic means.
Comment 2: Structure the statement so as to complete the entire transaction, i.e. "Electronic commerce is an economic activity by which a person offers/provides or receives/solicits goods and services by electronic means."
Article I 4: Without prejudice to other information obligations defined by extant legislative and regulatory texts in African Union Member States, any person/ (Add: persons) exercising the activities set forth in Article I 2 of this Convention shall provide to those for whom the goods and services are meant, easy, direct and uninterrupted access using an open standard in regard to the following information:
Comment 3: Define the term "open standard". Is there a known universal meaning of the term "open standard", and what are its implications and/or institutionalism?
Article I 8:
Also the addition of the word "Persons" for completeness.
Any publicity action, irrespective of its form, accessible through on-line communication service, shall be clearly identified as such. It shall clearly identify the individual or corporate body on behalf of whom it is undertaken.
Comment 4: Clearly outline the word "identify" in this case so as not to go against online anonymity as a defined right of a user. Online anonymity is not built into the structures of cyberspace and is also an avenue for the individual right to self-determination and privacy; this may therefore be a breach of the declaration of people's unanimous freedom of cyberspace.
Article I 9: Publicity actions, especially promotional offers such as price discounts, bonuses or free gift, as well as promotional competitions or games disseminated by electronic mail, shall upon receipt be clearly and unequivocally identified in the title of the message by their addressees or, where this is technically impossible, on the body of the message.
Comment 5: This section, though defined, will not be very helpful because of the generality of the statement. Further, it is perhaps unhelpful to users and unnecessary for an international treaty; perhaps this could be covered in country legislation, if at all necessary. This portion overemphasizes unnecessary rationale.
Article I 14: Concealing the identity of the person on behalf of whom the communication is issued or mentioning a subject unrelated to the transaction or service offered, shall equally be prohibited in the African Union.
Comment 6: There is need for more clarification here on identity concealing and third parties.
Section IV: Treaty obligations in electronic form
Chapter 1: Contracts in electronic form
Article I 16: Electronic means may be used to disseminate contractual conditions or information on goods or services.
Comment 7: Define the role of the notary in this state for the purposes of contractual conditions.
Article 1 18: Information meant for a professional may be addressed to him/her by electronic mail provided he/she has communicated his/her electronic professional address.
Comment 8: The article may have the following phrase as an addition: "and given consent as to the use of the said address as proof of communication".
Article 1 18: Information meant for a professional may be addressed to him/her by electronic mail provided he/she has communicated his/her electronic professional address.
Article I 19: 5) The means of electronic consultation of the professional and commercial rules by which the author of the offer intends to be guided, if need be.
Article I 22: Agreements concluded between professionals may be exempted from the provisions of Articles I 20 and 21 of this Convention.
Comment 9: There is need for a definition of the broad scope of the word "professional" as implied in the draft, in order to avoid ambiguity in the law.
Article I 23: In the absence of legal provisions to the contrary, no person shall be compelled to take a legal action by electronic means.
Article I 39: Subject to legal provisions to the contrary, no one shall be compelled to undertake a legal act by electronic means.
Comment 10: There is repetition in this law; please consolidate these points.
Article I 35: Where the legal provisions of Member States have not laid down other provisions, and where there is no valid agreement between the parties, the judge shall resolve proof related conflicts by determining by all means possible the most plausible claim regardless of the message base employed
The respective countries have to build their legislation to mitigate cross-border/international conflicts concerning cyber law. In this case, the notaries and all related parties have to be given their definitive mandate; however, Article 1-35 does not define its scope.
****************
Article III 1 7: International cooperation
Each Member State shall adopt such measures as it deems necessary to foster exchange of information and the sharing of quick, expeditious and reciprocal data by Member States organizations and similar organizations of other Member States with responsibility to cause the law to be applied in the territory on bilateral or multilateral basis.
Comment 11: At this juncture it will be necessary to ensure the proper understanding of the legislation, its harmonization, and the upgrading of existing individual governmental laws, to prevent a case of contradicting legislation that can break the existing laws. Before a continental ratification, individual government legislation must be used as the default; harmonization of such is therefore encouraged.
Section II: Legal framework for personal data protection
Chapter 1: Objectives of this Convention with respect to personal data
Article II 14: Each Member State of the African Union shall establish an authority with responsibility to protect personal data. The body so established shall be an independent administrative authority with the task of ensuring that the processing of personal data is conducted in accordance with the provisions of this Convention.
Article II 16: The protection authority shall comprise parliamentarians, deputies, senators, senior judges of the Tribunal of Accounts, Council of State, Civil and Criminal Appeal Court, personalities qualified as a result of their knowledge of computer science, as well as professional networks or sectors.
Article II 18: Members of the protection authority shall be subject to professional secrecy in accordance with the extant texts of each Member State. Each protection authority shall formulate rules of procedure containing, inter alia, rules governing deliberations, processing and presentation of cases.
Comment 12: These articles define the membership and the constituting mandates of the said protection authority; however, it should be left to the countries to define the authorities under inbuilt country contributions/laws or bylaws, so as not to create a different center of power or parallel agency.
Article II 2: Page 21
Each Member State of the African Union shall put in place a legal framework with a view to establishing a mechanism to combat breaches of private life likely to arise from the gathering, processing, transmission, storage and use of personal data. The mechanism so established shall ensure that any data processing, in whatsoever form, respects the freedoms and fundamental rights of physical persons while recognizing the prerogatives of the State, the rights of local communities and the interest of enterprises.
Comment 13: Should add an addendum, if possible, that the said individual states shall enact their legislation before the ratification of the aforementioned convention.