[kictanet] Online debate on African Union Convention on Cyber Security (AUCC)

Alice Munyua alice at apc.org
Sat Nov 23 19:18:55 EAT 2013


Great going GG

Appreciate it.

Best
Alice



On 22/11/2013 08:42, Grace Githaiga wrote:
>
> Good morning Listers
>
> We would like to propose an online discussion on the African Union
> Convention on Cyber Security (AUCC)
> http://pages.au.int/sites/default/files/AU%20Cybersecurity%20Convention%20ENGLISH_0.pdf on
> multiple lists of KICTANet and ISOC-KE, in Kenya and on I-Network list
> moderated by the Collaboration on International ICT Policy in East and
> Southern Africa (CIPESA) and ISOC-Uganda, starting from Monday 25th to
> Friday 29th November 2013. We will also share the concerns with the
> best bits list http://bestbits.net/, the Internet Governance Caucus
> list http://igcaucus.org/ and Access Now
> https://www.accessnow.org/ since we would like to give as much input
> as possible.
>
>
> We have been in discussion with AUC and the drafters have accepted to 
> receive our input despite having gone through this process two years 
> ago with African governments. In light of this window of opportunity, 
> we suggest we engage. AUC will discuss the convention during the AU 
> ICT week scheduled for December 1-6, 2013 http://www.africanictweek.org/
>
>
> For Kenya, it is important that we engage, the reason being that if 
> Kenya signs into this convention in January 2014, it will become 
> binding as stipulated in Kenya's 2010 Constitution Article 2 (6)
> which states: /Any treaty or convention ratified by Kenya shall form
> part of the law of Kenya under this Constitution./ The Convention is
> therefore more like a Bill of Parliament.
>
> *1.* *Background to the African Union Convention on Cyber Security (AUCC)*
>
> African Union (AU) convention (52 page document) seeks to intensify 
> the fight against cybercrime across Africa in light of increase in 
> cybercrime, and a lack of mastery of security risks by African 
> countries. Further, that one challenge for African countries is lack 
> of technological security adequate enough to prevent and effectively 
> control technological and informational risks. As such "African States 
> are in dire need of innovative criminal policy strategies that embody 
> States, societal and technical responses to create a credible legal 
> climate for cyber security".
>
> The Convention establishes a framework for cybersecurity in Africa 
> "through organisation of electronic transactions, protection of 
> personal data, promotion of cyber security, e-governance and combating 
> cybercrime" (Conceptual framework).
>
> *2.* *Division of the Convention*
>
> *Part 1 Electronic transactions*
>
> Section I:             Definition of terms
>
> Section II:            Electronic Commerce (Fields of application of 
> electronic commerce, Contractual responsibility of the electronic 
> provider of goods and services).
>
> Section III:           Publicity by electronic means.
>
> Section IV:          Obligations in electronic form (Electronic 
> contracts, Written matter in electronic form, Ensuring the security of 
> electronic transactions).
>
> *Part II    PERSONAL DATA PROTECTION*
>
> Section I:             Definition
>
> Section II:            Legal framework for personal data protection 
> (Objectives of this Convention with respect to personal data, Scope of 
> application of the Convention, Preliminary formalities for personal 
> data processing).
>
> Section III:           Institutional framework for protection of 
> personal data (Status, composition or organization, Functions of the 
> protection authority).
>
> Section IV:          Obligations relating to the conditions governing 
> the processing of personal data (basic principles governing the 
> processing of personal data, Specific principles governing the 
> processing of sensitive data, Interconnection of personal data files).
>
> Section V:            The rights of the person whose personal data are 
> to be processed (Right to information, Right of access, Right of 
> opposition, Right of correction or suppression).
>
> Section VI:          Obligations of the personal data processing 
> official (Confidentiality obligations, Security obligations, 
> Conservation obligations, Sustainability obligations).
>
> *PART III -- PROMOTING CYBERSECURITY AND COMBATING CYBERCRIME*
>
> Section 1:            Terminology, National cyber security framework, 
> Legislative measures, National cyber security system, National cyber 
> security monitoring structures).
>
> Section II:            Material penal law (Offenses specific to 
> Information and Communication Technologies [Attack on, computerized 
> data, Content related offenses], Adapting certain information and 
> communication technologies offenses).
>
> Section II:            Criminal liability for corporate persons 
> (Adapting certain sanctions to the Information and Communication 
> Technologies, Other penal sanctions, Procedural law, Offenses specific
> to Information and Communication Technologies).
>
> *PART IV: COMMON AND FINAL PROVISIONS*
>
>  Section I:            Monitoring mechanism
>
> Section II:            Final responses
>
> *The Proposed Discussion*
>
> We have picked on articles that need clarity, and would request 
> listers to kindly discuss them and provide recommendations where 
> necessary. Also, where necessary, listers are encouraged to identify
> and share other articles that need clarifications that we may have 
> left out.
>
> *Day 1 Monday 25/11/2013*
>
> *We begin with Part 1 on Electronic transactions and pick on four 
> articles which we will discuss on Monday (25/11) and Tuesday (26/11). *
>
> *Section III: Publicity by electronic means*
>
> *Article I -- 7:*
>
> /Without prejudice to Article I-4 any advertising action,
> irrespective of its form, accessible through online communication 
> service, shall be clearly identified as such. It shall clearly 
> identify the individual or corporate body on behalf of whom it is 
> undertaken./
>
> *Question:* Should net anonymity be legislated? If so, what measures
> need to be or not be considered?
>
> *Question:* Should individuals or companies be obliged to reveal their
> identities and what are the implications?
>
> *Article I -- 8:*
>
> /The conditions governing the possibility of promotional offers as 
> well as the conditions  for participating in promotional competitions 
> or games where such offers, competitions or games are electronically 
> disseminated, shall be clearly spelt out and easily accessible./
>
> *Question:* Should an international (or should we call it regional) law
> legislate on promotional offers and competitions offered locally?
>
> *_Day 2 Tuesday 26/11/13_*
>
> *Article I -- 9:*
>
> /Direct marketing through any form of indirect communication
> including messages forwarded with automatic message sender, facsimile 
> or electronic mails in whatsoever form, using the particulars of an 
> individual who has not given prior consent to receiving the said 
> direct marketing through the means indicated, shall be prohibited by 
> the member states of the African Union./
>
> *Article I -- 10:*
>
> /The provisions of Article I -- 9 above notwithstanding, direct
> marketing prospection by electronic mails shall be permissible where:/
>
> /1) The particulars of the addressee have been obtained directly from 
> him/her,/
>
> /2) The recipient has given consent to be contacted by the prospector 
> partners/
>
> /3) The direct prospection concerns similar products or services 
> provided by the same individual or corporate body./
>
> *Question:* Is this a realistic way of dealing with spam?
>
> *Article I -- 27*
>
> /Where the legislative provisions of Member States have not laid down 
> other provisions, and where there is no valid agreement between the 
> parties, the judge shall resolve proof related conflicts by 
> determining by all possible means the most plausible claim regardless 
> of the message base employed./
>
> *Question:* What is the meaning of this article and is it
> necessary? Some clarity needed!
>
> *_Day 3 Wednesday 27/11/13_*
>
> *_Today, we move onto PART II: PERSONAL DATA PROTECTION and will deal 
> with three questions._*
>
> *Objectives of this Convention with respect to personal data*
>
> *Article II -- 2:*
>
> /Each Member State of the African Union shall put in place a legal 
> framework with a view to establishing a mechanism to combat breaches 
> of private life likely to arise from the gathering, processing, 
> transmission, storage and use of personal data./
>
> /The mechanism so established shall ensure that any data processing, 
> in whatsoever form, respects the freedoms and fundamental rights of 
> physical persons while recognizing the prerogatives of the State, the 
> rights of local communities and the target for which the businesses 
> were established./
>
> *Question:* What is the relevance of this article? What are these state
> prerogatives? And given the increased interest of state surveillance, 
> how can states balance respect of FOE while recognising state 
> prerogatives?
>
> *Article II-6, II-7, 11-8, II-11, II-12, II-13 refer to a Protection
> Authority* which is meant to establish standards for data protection.
> Article II -- 14 /provides for each Member State of the African Union
> to establish an authority with responsibility to protect personal
> data. It shall be an independent administrative authority with the
> task of ensuring that the processing of personal data is conducted in 
> accordance with domestic legislations./
>
> Article II-17 states that '/Sworn agents may be invited to
> participate in audit missions in accordance with extant provisions in 
> Member States of the African Union'./
>
> *Question:* Considering that this article seems to be tied to the
> Protection Authority, what is its relevance? And who is a 'sworn
> agent?' What should this authority look like in terms of its composition?
>
> *Article II -- 20:*
>
> /...Members of the protection authority shall not receive instructions 
> from any authority in the exercise of their functions. /
>
> *Article II -- 21:*
>
> /Member States are engaged to provide the national protection 
> authority human, technical and financial resources necessary to 
> accomplish their mission./
>
> *Question:* It appears that this Data Protection Authority is envisaged
> to be fully government supported. Therefore, should we be talking of 
> its independence? In what way should this article be framed so that it 
> ensures independence of the Authority?
>
> *Article II -- 28 to II-34* outlines six principles governing the
> processing of personal data namely:
>
> Consent and of legitimacy,
>
> Honesty,
>
> Objective, relevance and conservation of processed personal data,
>
>  Accuracy,
>
> Transparency and
>
>  Confidentiality and security of personal data.
>
> Under each of the specific principles, detailed explanation of how 
> each should be undertaken is offered.
>
> *Question:* Is this explanation and detailing of how to undertake each
> necessary in an international (regional) law necessary or needed? Is
> this legislation overkill?
>
> *Day 4 Thursday 28/11/2013 Part III*
>
> *Day 4 will focus on PROMOTING CYBERSECURITY AND COMBATING CYBERCRIME*
>
>
> *Article III -- 14: Harmonization*
>
> /1) Member States have to undertake necessary measures to ensure that 
> the legislative measures and / or regulations adopted to fight against 
> cybercrime enhance the possibility of regional harmonization of these 
> measures and respect the principle of double criminality./
>
> *Question*: What is the principle of double criminality here?
>
> *Section II: Other penal sanctions*
>
> *Article III -- 48*
>
> /Each Member State of the African Union have to take necessary 
> legislative measures to ensure that, in the case of conviction for an 
> offense committed by means of digital communication facility, the 
> competent jurisdiction or the judge handling the case gives a ruling 
> imposing additional punishment./
>
> *Question:* What is the interpretation of additional punishment? Is 
> this not granting of absolute powers to judges?
>
> *Day Five 29/11/2013*
>
> This will be dedicated to any other issue(s) that listers may want to
> raise in regard to the Convention. Further, listers can go back to 
> issues of any other day and discuss them here.
>
> What other issue(s) would you like to raise?
>
> *References*
>
> DRAFT AFRICAN UNION CONVENTION ON THE CONFIDENCE AND SECURITY IN
> CYBERSPACE http://pages.au.int/sites/default/files/AU%20Cybersecurity%20Convention%20ENGLISH_0.pdf
>
> http://daucc.wordpress.com/
>
> http://www.thepetitionsite.com/takeaction/262/148/817/
>
> http://daucc.wordpress.com/2013/10/29/paper-review-basic-drawbacks-of-the-draft-african-union-convention-on-the-confidence-and-security-in-cyberspace/
>
> http://michaelmurungi.blogspot.com/2012/08/comments-on-draft-african-union.html
>
> Have a great weekend and see you on Monday.
>
>
> Rgds
>
> Grace
>
>
>