On June 8, 2023, the Malabo Convention entered into force. As the pan-African instrument for data protection and cybersecurity, it has been a long time in the making. It was initially drafted in 2011 at the 17^th Ordinary African Union Summit in Malabo, Equatorial Guinea. Following several postponements, it was finally adopted by the African Union (AU) in June 2014.

Since then, member states have been slowly ratifying the Malabo Convention, with Mauritania becoming the 15^th ratifying member on May 9, 2023.

While also addressing e-commerce, the Malabo Convention primarily focuses on the commitments of AU Member-States to adopt legislation on data protection and cybersecurity. These commitments include, but are not limited to, the following:

• formal definitions of key concepts on data protection;
• formalities applicable to data processing;
• the status, composition, and organization of national data protection authorities;
• powers and responsibilities assigned to these authorities;
• principles governing data processing, such as legitimacy, lawfulness, transparency, fairness, purpose and relevance, accuracy, confidentiality, and security;
• specific principles on the processing of sensitive data;
• data subject rights, including information, access, objection, rectification, and erasure;
• data controller obligations; and
• adoption of national cybersecurity strategies, policies, legislation, and regulation, including the protection of critical infrastructures, the establishment of a legal framework for cybercrime and related offenses, the promotion of a cyber-secure culture, and the implementation of cybersecurity governance and dispute settlement mechanisms.

While the Malabo Convention draws inspiration from various sources for its cybersecurity stance, its data protection provisions are aligned with the principles set forth in the EU Data Protection Directive, which has been since replaced by General Data Protection Regulation (GDPR). These provisions aim to establish a legal framework applicable to countries within a specific community, promoting transparency, consistency, cooperation, and clarity in data protection matters.

Globally, the Malabo Convention aims to establish a harmonized and comprehensive legal framework for Africa by mandating members to develop laws aligned with the Convention, primarily focusing on data protection and cybersecurity, and e-commerce.

Indeed, the primary objective of the Malabo Convention is to establish a clear and uniform approach to fields as ever-evolving and dynamic as data protection and cybersecurity. This goal is driven by the recognition that legal voids or differing approaches can burden businesses, especially those involved in international activities, which must comply with varying frameworks. Furthermore, such discrepancies can impact the international movement of people and the interaction between legislative and judicial authorities and civil society. Moreover, they can lead to legal liability and substantial financial and reputational costs.

In this context, the Malabo Convention is bound to bring both opportunities and challenges. The fast and complex evolution of data protection and cybersecurity, as well as the status of implementation in AU member states, represent a significant challenge that the Malabo Convention must face.

On the first point, it is crucial to acknowledge that markets and technologies have undergone significant evolution since the inception of the Malabo Convention. Africa has been particularly targeted by cyber threats and the misuse of personal information, which the Internet Society and the African Union Commission jointly tried to address in 2018 with the Personal Data Protection Guidelines for Africa.

Furthermore, it is important to note that non-African legal frameworks have also experienced changes. One notable example is the replacement of the EU Data Protection Directive by the GDPR. Additionally, other jurisdictions have enacted data protection and cybersecurity legislation. This may result in an increased burden on stakeholders who are subject to both Malabo-inspired legal frameworks in Africa, and other legal frameworks. For example, entities involved in processing personal data within the EU will have to comply with criteria that may not entirely align with the Malabo Convention or its African counterparts.

On the second point, it is important to highlight that 18 countries in Africa do not yet have formal data protection and/or cybersecurity laws. Furthermore, the remaining 36 countries that have ratified the Malabo Convention still face challenges in implementing its provisions.

In this context, it is worth noting the situation in the Portuguese-speaking countries (PALOPs). Among these countries, the Convention was signed and ratified by Angola, Cape Verde, Mozambique, and Equatorial Guinea. Additionally, Sao Tomé and Principe and Guinea-Bissau have signed the Convention but have not yet ratified it.

Not all of these countries have legislation on data protection and cybersecurity, and even among those that do have existing legislation, it may not necessarily align with the provisions of the Malabo Convention:

Angola

Angola's Personal Data Protection Law (Law No. 22/11) was enacted around the same time as the Malabo Convention's pre-approved draft and is aligned with the then-applicable EU Data Protection Directive. Consequently, it aligns globally with the Malabo Convention.

This law establishes data subject rights, outlines formalities to be followed when dealing with the data protection authority, specifies requirements for international transfers, regulates direct marketing initiatives, and includes other relevant provisions. The law is complemented by data protection provisions in Law No. 23/11, which focuses on electronic communications and information society services, and Law No. 7/17, which addresses the protection of computer networks and systems.

Angola's National Data Protection Agency (APD) was created through Presidential Decree 214/16 and has been active since 2019. The APD has issued decisions and has approved data protection guidelines, templates, and notification forms. Additionally, it has entered joint assistance protocols with the data protection authority of Cape Verde.

In May 2023, the Angolan Government announced that it is developing a National Cybersecurity Strategy, including measures to safeguard critical systems and infrastructures against cyber-attacks. However, it is currently unclear to what extent this strategy will align with the provisions of the Malabo Convention.

Cape Verde

Cape Verde's data protection legal framework, currently governed by Law No. 121/IX/2021, is very similar to the GDPR. The law includes concepts such as pseudonymization, data protection officer, and the principles of Privacy by Design and by Default. Notably, none of these concepts are currently addressed in the Malabo Convention.

Cape Verde also has a data protection authority National Commission of Data Protection (CNPD). In early June 2023, the chairman of the CNPD publicly noted that the market should prioritize innovative technological solutions that do not compromise data protection.

In 2021, Cape Verde introduced a Cybersecurity regime aligned with the Malabo Convention through Law No. 9/2021. This law sets the foundation for the establishment of a National Cybersecurity Centre, which is expected to be created in 2023. Additionally, there has been an ongoing discussion in both the public and political spheres regarding the importance of digital literacy and cyber-maturity for public and private entities.

Mozambique

Mozambique currently does not have specific data protection or cybersecurity laws in place. However, there are constitutional provisions and sector-specific regulations that address certain aspects related to data protection.

In recent years, there has been an increase in public and political discussion surrounding data protection and cybersecurity in Mozambique. The entry into force of the Malabo Convention may further enhance these discussions and promote the development of legislation. Indeed, a public consultation has been launched by the National Institute of Information and Communication Technologies (INTIC), regarding the draft law aimed at establishing the legal framework for cybersecurity in the country.

While the draft law does not specifically reference the Malabo Convention, it appears to be in alignment with its principles. The draft covers additional fields that are not regulated by the Malabo Convention, such as intermediary network providers, cloud services, and digital platforms.

Equatorial Guinea

Equatorial Guinea's Personal Data Protection Law, Law No. 1/2016, is aligned with the Malabo Convention. The law encompasses equivalent concepts and data subject rights, and it establishes conditions for data processing and notification obligations, as well as obligations for controllers and processors. However, it is important to note that the data protection authority foreseen by law is not yet operational in Equatorial Guinea.

São Tomé and Príncipe

São Tomé and Príncipe's Data Protection Law (Law No. 03/2016) is indeed aligned with the Malabo Convention and establishes fundamental principles for data protection, including data subject rights and formalities for the processing, including data transfers.

The country's data protection authority National Data Protection Agency (ANPDP) has approved notification forms for monitoring telephone/email/internet use, CCTV, vehicle geolocation, and biometric data. Furthermore, the ANPDP has issued exemptions from certain notification obligations.

São Tomé and Príncipe's Law on Cybercrime (Law No. 15/2017) aligns with the general principles of the Malabo Convention. It aims to establish material and procedural provisions related to cybercrime and addresses international cooperation in combating cybercrime and collecting electronic evidence, particularly in the context of attacks against information systems.

Guinea-Bissau

Guinea-Bissau has no specific legislation on data protection or cybersecurity, and there is no available public information regarding any potential legislative, parliamentary, or regulatory initiatives in this respect.

Conclusion

It is important to note that, while the aforementioned countries provide a snapshot of the challenges faced in implementing the Malabo Convention, they represent only a fraction of the nations subject to the commitments of the Malabo Convention. Overall, the implementation of the Convention poses challenges, both in what concerns the varying status of legislative initiative and implementation. Furthermore, some recently approved laws seem to align more closely with concepts related to the GDPR rather than specifically with the Malabo Convention.

The approach that AU member states will adopt in addressing the principles outlined in the Malabo Convention, and the resulting impact on the market, is yet to be determined. The Convention being in full force signifies the need for additional clear guidelines on the interpretation and updating of the practicalities of the Convention and its integration into domestic legislative frameworks.

While only time will tell, one thing is certain: the entry into force of the Malabo Convention marks a significant milestone in Africa's data protection and cybersecurity journey.

Magda Cocco Partner
[email protected]
Inês Antas de Barros Partner
[email protected]
Isabel Ornelas Managing Associate
[email protected]
Maria de Lurdes Gonçalves Managing Associate
[email protected]
Vieira de Almeida & Associados, Lisbon