[kictanet] Online debate on African Union Convention on Cyber Security (AUCC)
Grace Githaiga
ggithaiga at hotmail.com
Sun Nov 24 13:23:50 EAT 2013
Thanks Alice, Poncelet and Kivuva.
Looking forward to your active contribution to the debate starting tomorrow.
Warmly
GG
Date: Sat, 23 Nov 2013 22:26:57 +0000
From: pileleji at ymca.gm
Subject: Re: [kictanet] Online debate on African Union Convention on Cyber Security (AUCC)
CC: kictanet at lists.kictanet.or.ke
To: ggithaiga at hotmail.com
Great move indeed
Regards
Poncelet
On 23 November 2013 16:18, Alice Munyua <alice at apc.org> wrote:
Great going GG
Appreciate it.
Best
Alice
On 22/11/2013 08:42, Grace Githaiga wrote:
Good morning Listers
We would like to propose an online discussion on the African Union Convention on Cyber Security (AUCC) http://pages.au.int/sites/default/files/AU%20Cybersecurity%20Convention%20ENGLISH_0.pdf on multiple lists of KICTANet and ISOC-KE, in Kenya and on I-Network list moderated by the Collaboration on International ICT Policy in East and Southern Africa (CIPESA) and ISOC-Uganda, starting from Monday 25th to Friday 29th November 2013. We will also share the concerns with the best bits list http://bestbits.net/, the Internet Governance Caucus list http://igcaucus.org/ and Access Now https://www.accessnow.org/ since we would like to give as much input as possible.

We have been in discussion with AUC and the drafters have accepted to receive our input despite having gone through this process two years ago with African governments. In light of this window of opportunity, we suggest we engage. AUC will discuss the convention during the AU ICT week scheduled for December 1-6, 2013 http://www.africanictweek.org/

For Kenya, it is important that we engage, the reason being that if Kenya signs into this convention in January 2014, it will become binding as stipulated in Kenya’s 2010 Constitution Article 2 (6) which states: Any treaty or convention ratified by Kenya shall form part of the law of Kenya under this Constitution. The Convention is therefore more like a Bill of Parliament.
1. Background to the African Union Convention on Cyber Security (AUCC)

African Union (AU) convention (52 page document) seeks to intensify the fight against cybercrime across Africa in light of increase in cybercrime, and a lack of mastery of security risks by African countries. Further, that one challenge for African countries is lack of technological security adequate enough to prevent and effectively control technological and informational risks. As such “African States are in dire need of innovative criminal policy strategies that embody States, societal and technical responses to create a credible legal climate for cyber security”.

The Convention establishes a framework for cybersecurity in Africa “through organisation of electronic transactions, protection of personal data, promotion of cyber security, e-governance and combating cybercrime” (Conceptual framework).
2. Division of the Convention

Part 1 Electronic transactions
Section I: Definition of terms
Section II: Electronic Commerce (Fields of application of electronic commerce, Contractual responsibility of the electronic provider of goods and services).
Section III: Publicity by electronic means.
Section IV: Obligations in electronic form (Electronic contracts, Written matter in electronic form, Ensuring the security of electronic transactions).

Part II PERSONAL DATA PROTECTION
Section I: Definition
Section II: Legal framework for personal data protection (Objectives of this Convention with respect to personal data, Scope of application of the Convention, Preliminary formalities for personal data processing).
Section III: Institutional framework for protection of personal data (Status, composition or organization, Functions of the protection authority).
Section IV: Obligations relating to the conditions governing the processing of personal data (basic principles governing the processing of personal data, Specific principles governing the processing of sensitive data, Interconnection of personal data files).
Section V: The rights of the person whose personal data are to be processed (Right to information, Right of access, Right of opposition, Right of correction or suppression).
Section VI: Obligations of the personal data processing official (Confidentiality obligations, Security obligations, Conservation obligations, Sustainability obligations).

PART III – PROMOTING CYBERSECURITY AND COMBATING CYBERCRIME
Section 1: Terminology, National cyber security framework, Legislative measures, National cyber security system, National cyber security monitoring structures).
Section II: Material penal law (Offenses specific to Information and Communication Technologies [Attack on, computerized data, Content related offenses], Adapting certain information and communication technologies offenses).
Section II: Criminal liability for corporate persons (Adapting certain sanctions to the Information and Communication Technologies, Other penal sanctions, Procedural law, Offenses specific to Information and Communication Technologies).

PART IV: COMMON AND FINAL PROVISIONS
Section I: Monitoring mechanism
Section II: Final responses
The Proposed Discussion

We have picked on articles that need clarity, and would request listers to kindly discuss them and provide recommendations where necessary. Also, where necessary, listers are encouraged to identify and share other articles that need clarifications that we may have left out.
Day 1 Monday 25/11/2013

We begin with Part 1 on Electronic transactions and pick on four articles which we will discuss on Monday (25/11) and Tuesday (26/11).

Section III: Publicity by electronic means

Article I – 7:
Without prejudice to Article I-4 any advertising action, irrespective of its form, accessible through online communication service, shall be clearly identified as such. It shall clearly identify the individual or corporate body on behalf of whom it is undertaken.

Question: Should net anonymity be legislated? If so, what measures need to be or not be considered?

Question: Should individuals or companies be obliged to reveal their identities and what are the implications?

Article I – 8:
The conditions governing the possibility of promotional offers as well as the conditions for participating in promotional competitions or games where such offers, competitions or games are electronically disseminated, shall be clearly spelt out and easily accessible.

Question: Should an international (or should we call it regional) law legislate on promotional offers and competitions offered locally?
Day 2 Tuesday 26/11/13

Article I – 9:
Direct marketing through any form of indirect communication including messages forwarded with automatic message sender, facsimile or electronic mails in whatsoever form, using the particulars of an individual who has not given prior consent to receiving the said direct marketing through the means indicated, shall be prohibited by the member states of the African Union.

Article I – 10:
The provisions of Article I – 9 above notwithstanding, direct marketing prospection by electronic mails shall be permissible where:
1) The particulars of the addressee have been obtained directly from him/her,
2) The recipient has given consent to be contacted by the prospector partners
3) The direct prospection concerns similar products or services provided by the same individual or corporate body.

Question: Is this a realistic way of dealing with spam?

Article I – 27
Where the legislative provisions of Member States have not laid down other provisions, and where there is no valid agreement between the parties, the judge shall resolve proof related conflicts by determining by all possible means the most plausible claim regardless of the message base employed.

Question: What is the meaning of this article and is it necessary? Some clarity needed!
Day 3 Wednesday 27/11/13

Today, we move onto PART II: PERSONAL DATA PROTECTION and will deal with three questions.

Objectives of this Convention with respect to personal data

Article II – 2:
Each Member State of the African Union shall put in place a legal framework with a view to establishing a mechanism to combat breaches of private life likely to arise from the gathering, processing, transmission, storage and use of personal data.
The mechanism so established shall ensure that any data processing, in whatsoever form, respects the freedoms and fundamental rights of physical persons while recognizing the prerogatives of the State, the rights of local communities and the target for which the businesses were established.

Question: What is the relevance of this article? What are these state prerogatives? And given the increased interest of state surveillance, how can states balance respect of FOE while recognising state prerogatives?

Article II-6, II-7, 11-8, II-11, II-12, II-13 refer to a Protection Authority which is meant to establish standards for data protection. Article II – 14 provides for each Member State of the African Union to establish an authority with responsibility to protect personal data. It shall be an independent administrative authority with the task of ensuring that the processing of personal data is conducted in accordance with domestic legislations.

Article II-17 states that ‘Sworn agents may be invited to participate in audit missions in accordance with extant provisions in Member States of the African Union’.

Question: Considering that this article seems to be tied to the Protection Authority, what is its relevance? And who is a ‘sworn agent?’ What should this authority look like in terms of its composition?

Article II – 20:
…Members of the protection authority shall not receive instructions from any authority in the exercise of their functions.

Article II – 21:
Member States are engaged to provide the national protection authority human, technical and financial resources necessary to accomplish their mission.

Question: It appears that this Data Protection Authority is envisaged to be fully government supported. Therefore, should we be talking of its independence? In what way should this article be framed so that it ensures independence of the Authority?

Article II – 28 to II-34 outlines six principles governing the processing of personal data namely:
Consent and of legitimacy,
Honesty,
Objective, relevance and conservation of processed personal data,
Accuracy,
Transparency and
Confidentiality and security of personal data.

Under each of the specific principles, detailed explanation of how each should be undertaken is offered.

Question: Is this explanation and detailing of how to undertake each in an international (regional) law necessary or needed? Is this legislation overkill?
Day 4 Thursday 28/11/2013

Part III
Day 4 will focus on PROMOTING CYBERSECURITY AND COMBATING CYBERCRIME

Article III – 14: Harmonization
1) Member States have to undertake necessary measures to ensure that the legislative measures and / or regulations adopted to fight against cybercrime enhance the possibility of regional harmonization of these measures and respect the principle of double criminality.

Question: What is the principle of double criminality here?

Section II: Other penal sanctions

Article III – 48
Each Member State of the African Union have to take necessary legislative measures to ensure that, in the case of conviction for an offense committed by means of digital communication facility, the competent jurisdiction or the judge handling the case gives a ruling imposing additional punishment.

Question: What is the interpretation of additional punishment? Is this not granting of absolute powers to judges?

Day Five 29/11/2013

This will be dedicated to any other issue(s) that listers may want to raise in regard to the Convention. Further, listers can go back to issues of any other day and discuss them here.

What other issue(s) would you like to raise?
References

DRAFT AFRICAN UNION CONVENTION ON THE CONFIDENCE AND SECURITY IN CYBERSPACE http://pages.au.int/sites/default/files/AU%20Cybersecurity%20Convention%20ENGLISH_0.pdf
http://daucc.wordpress.com/
http://www.thepetitionsite.com/takeaction/262/148/817/
http://daucc.wordpress.com/2013/10/29/paper-review-basic-drawbacks-of-the-draft-african-union-convention-on-the-confidence-and-security-in-cyberspace/
http://michaelmurungi.blogspot.com/2012/08/comments-on-draft-african-union.html

Have a great weekend and see you on Monday.

Rgds
Grace
_______________________________________________
kictanet mailing list
kictanet at lists.kictanet.or.ke
https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/alice%40apc.org
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
--
Poncelet O. Ileleji MBCS
Coordinator
The Gambia YMCAs Computer Training Centre & Digital Studio
MDI Road Kanifing South
P. O. Box 421 Banjul
The Gambia, West Africa
Tel: (220) 4370240
Fax:(220) 4390793
Cell:(220) 9912508
Skype: pons_utd
www.ymca.gm
www.waigf.org
www.aficta.org
www.itag.gm
www.npoc.org
http://www.wsa-mobile.org/node/753
www.diplointernetgovernance.org