[kictanet] Online debate on African Union Convention on Cyber Security (AUCC)
Kivuva
Kivuva at transworldafrica.com
Sun Nov 24 09:54:35 EAT 2013
This is a good and timely discussion GG, and the analysis is thorough.
I would wish to see
1. how cross-border crimes are prosecuted,
2. where this draft is in contradiction to local laws, which one will
take precedence?
Regards
On 23/11/2013, Poncelet Ileleji <pileleji at ymca.gm> wrote:
> Great move indeed
>
> Regards
>
> Poncelet
>
>
> On 23 November 2013 16:18, Alice Munyua <alice at apc.org> wrote:
>
>> Great going GG
>>
>> Appreciate it.
>>
>> Best
>> Alice
>>
>>
>>
>> On 22/11/2013 08:42, Grace Githaiga wrote:
>>
>> Good morning Listers
>>
>> We would like to propose an online discussion on the African Union
>> Convention on Cyber Security (AUCC)
>> http://pages.au.int/sites/default/files/AU%20Cybersecurity%20Convention%20ENGLISH_0.pdf
>> on multiple lists of KICTANet and ISOC-KE, in Kenya and on I-Network
>> list moderated by the Collaboration on International ICT Policy in East
>> and Southern Africa (CIPESA) and ISOC-Uganda, starting from Monday 25th
>> to Friday 29th November 2013. We will also share the concerns with the
>> best bits list http://bestbits.net/, the Internet Governance Caucus list
>> http://igcaucus.org/ and Access Now https://www.accessnow.org/ since we
>> would like to give as much input as possible.
>>
>>
>> We have been in discussion with AUC and the drafters have accepted to
>> receive our input despite having gone through this process two years ago
>> with African governments. In light of this window of opportunity, we
>> suggest we engage. AUC will discuss the convention during the AU ICT week
>> scheduled for December 1-6, 2013 http://www.africanictweek.org/
>>
>>
>> For Kenya, it is important that we engage, the reason being that if
>> Kenya signs into this convention in January 2014, it will become binding
>> as stipulated in Kenya’s 2010 Constitution Article 2 (6) which states: *Any
>> treaty or convention ratified by Kenya shall form part of the law of Kenya
>> under this Constitution.* The Convention is therefore more like a Bill of
>> Parliament.
>>
>>
>>
>> *1.* *Background to the African Union Convention on Cyber Security
>> (AUCC)*
>>
>> African Union (AU) convention (52 page document) seeks to intensify the
>> fight against cybercrime across Africa in light of increase in cybercrime,
>> and a lack of mastery of security risks by African countries. Further, that
>> one challenge for African countries is lack of technological security
>> adequate enough to prevent and effectively control technological and
>> informational risks. As such “African States are in dire need of innovative
>> criminal policy strategies that embody States, societal and technical
>> responses to create a credible legal climate for cyber security”.
>>
>> The Convention establishes a framework for cybersecurity in Africa
>> “through organisation of electronic transactions, protection of personal
>> data, promotion of cyber security, e-governance and combating cybercrime”
>> (Conceptual framework).
>>
>>
>>
>> *2.* *Division of the Convention*
>>
>> *Part 1 Electronic transactions*
>>
>> Section I: Definition of terms
>>
>> Section II: Electronic Commerce (Fields of application of
>> electronic commerce, Contractual responsibility of the electronic provider
>> of goods and services).
>>
>> Section III: Publicity by electronic means.
>>
>> Section IV: Obligations in electronic form (Electronic contracts,
>> Written matter in electronic form, Ensuring the security of electronic
>> transactions).
>>
>>
>>
>> *Part II PERSONAL DATA PROTECTION*
>>
>> Section I: Definition
>>
>> Section II: Legal framework for personal data protection
>> (Objectives of this Convention with respect to personal data, Scope of
>> application of the Convention, Preliminary formalities for personal data
>> processing).
>>
>> Section III: Institutional framework for protection of personal
>> data (Status, composition or organization, Functions of the protection
>> authority).
>>
>> Section IV: Obligations relating to the conditions governing the
>> processing of personal data (basic principles governing the processing of
>> personal data, Specific principles governing the processing of sensitive
>> data, Interconnection of personal data files).
>>
>> Section V: The rights of the person whose personal data are to
>> be processed (Right to information, Right of access, Right of opposition,
>> Right of correction or suppression).
>>
>> Section VI: Obligations of the personal data processing official
>> (Confidentiality obligations, Security obligations, Conservation
>> obligations, Sustainability obligations).
>>
>>
>>
>> *PART III – PROMOTING CYBERSECURITY AND COMBATING CYBERCRIME*
>>
>> Section 1: Terminology, National cyber security framework,
>> Legislative measures, National cyber security system, National cyber
>> security monitoring structures).
>>
>> Section II: Material penal law (Offenses specific to
>> Information and Communication Technologies [Attack on, computerized data,
>> Content related offenses], Adapting certain information and communication
>> technologies offenses).
>>
>> Section II: Criminal liability for corporate persons (Adapting
>> certain sanctions to the Information and Communication Technologies, Other
>> penal sanctions, Procedural law, Offenses specific to Information and
>> Communication Technologies).
>>
>>
>>
>> *PART IV: COMMON AND FINAL PROVISIONS*
>>
>> Section I: Monitoring mechanism
>>
>> Section II: Final responses
>>
>>
>>
>> *The Proposed Discussion*
>>
>> We have picked on articles that need clarity, and would request listers to
>> kindly discuss them and provide recommendations where necessary. Also,
>> where necessary, listers are encouraged to identify and share other
>> articles that need clarifications that we may have left out.
>>
>>
>>
>> *Day 1 Monday 25/11/2013*
>>
>> *We begin with Part 1 on Electronic transactions and pick on four articles
>> which we will discuss on Monday (25/11) and Tuesday (26/11).*
>>
>> *Section III: Publicity by electronic means*
>>
>> *Article I – 7:*
>>
>> *Without prejudice to Article I-4 any advertising action, irrespective of
>> its form, accessible through online communication service, shall be clearly
>> identified as such. It shall clearly identify the individual or corporate
>> body on behalf of whom it is undertaken.*
>>
>> *Question:* Should net anonymity be legislated? If so, what measures need
>> to be or not be considered?
>>
>> *Question:* Should individuals or companies be obliged to reveal their
>> identities and what are the implications?
>>
>>
>> *Article I – 8:*
>>
>> *The conditions governing the possibility of promotional offers as well as
>> the conditions for participating in promotional competitions or games
>> where such offers, competitions or games are electronically disseminated,
>> shall be clearly spelt out and easily accessible.*
>>
>> *Question:* Should an international (or should we call it regional) law
>> legislate on promotional offers and competitions offered locally?
>>
>> *Day 2 Tuesday 26/11/13*
>>
>>
>> *Article I – 9:* *Direct marketing through any form of indirect
>> communication including messages forwarded with automatic message sender,
>> facsimile or electronic mails in whatsoever form, using the particulars of
>> an individual who has not given prior consent to receiving the said direct
>> marketing through the means indicated, shall be prohibited by the member
>> states of the African Union.*
>>
>>
>> *Article I – 10:*
>>
>> *The provisions of Article I – 9 above notwithstanding, direct marketing
>> prospection by electronic mails shall be permissible where:*
>>
>> *1) The particulars of the addressee have been obtained directly from
>> him/her,*
>>
>> *2) The recipient has given consent to be contacted by the prospector
>> partners*
>>
>> *3) The direct prospection concerns similar products or services provided
>> by the same individual or corporate body.*
>>
>> *Question:* Is this a realistic way of dealing with spam?
>>
>>
>> *Article I – 27*
>>
>> *Where the legislative provisions of Member States have not laid down
>> other provisions, and where there is no valid agreement between the
>> parties, the judge shall resolve proof related conflicts by determining by
>> all possible means the most plausible claim regardless of the message base
>> employed.*
>>
>> *Question:* What is the meaning of this article and is it necessary? Some
>> clarity needed!
>>
>>
>>
>> *Day 3 Wednesday 27/11/13*
>>
>> *Today, we move onto PART II: PERSONAL DATA PROTECTION and will deal with
>> three questions.*
>>
>> *Objectives of this Convention with respect to personal data*
>>
>> *Article II – 2:*
>>
>> *Each Member State of the African Union shall put in place a legal
>> framework with a view to establishing a mechanism to combat breaches of
>> private life likely to arise from the gathering, processing, transmission,
>> storage and use of personal data.*
>>
>> *The mechanism so established shall ensure that any data processing, in
>> whatsoever form, respects the freedoms and fundamental rights of physical
>> persons while recognizing the prerogatives of the State, the rights of
>> local communities and the target for which the businesses were
>> established.*
>>
>> *Question:* What is the relevance of this article? What are these state
>> prerogatives? And given the increased interest of state surveillance, how
>> can states balance respect of FOE while recognising state prerogatives?
>>
>> *Article II-6, II-7, II-8, II-11, II-12, II-13 refer to a Protection
>> Authority* which is meant to establish standards for data protection.
>> Article II – 14 *provides for each Member State of the African Union to
>> establish an authority with responsibility to protect personal data. It
>> shall be an independent administrative authority with the task of ensuring
>> that the processing of personal data is conducted in accordance with
>> domestic legislations.*
>>
>> Article II-17 states that ‘*Sworn agents may be invited to participate
>> in audit missions in accordance with extant provisions in Member States of
>> the African Union*’.
>>
>> *Question:* Considering that this article seems to be tied to the
>> Protection Authority, what is its relevance? And who is a ‘sworn agent?’
>> What should this authority look like in terms of its composition?
>>
>>
>> *Article II – 20:*
>>
>> *…Members of the protection authority shall not receive instructions from
>> any authority in the exercise of their functions.*
>>
>>
>> *Article II – 21:*
>>
>> *Member States are engaged to provide the national protection authority
>> human, technical and financial resources necessary to accomplish their
>> mission.*
>>
>> *Question:* It appears that this Data Protection Authority is envisaged
>> to be fully government supported. Therefore, should we be talking of its
>> independence? In what way should this article be framed so that it ensures
>> independence of the Authority?
>>
>>
>> *Article II – 28 to II-34* outlines six principles governing the
>> processing of personal data namely:
>>
>> Consent and of legitimacy,
>>
>> Honesty,
>>
>> Objective, relevance and conservation of processed personal data,
>>
>> Accuracy,
>>
>> Transparency and
>>
>> Confidentiality and security of personal data.
>>
>> Under each of the specific principles, detailed explanation of how each
>> should be undertaken is offered.
>>
>> *Question:* Is this explanation and detailing of how to undertake each
>> necessary or needed in an international (regional) law? Is this
>> legislation overkill?
>>
>>
>> *Day 4 Thursday 28/11/2013 Part III*
>>
>> *Day 4 will focus on PROMOTING CYBERSECURITY AND COMBATING CYBERCRIME*
>>
>>
>> *Article III – 14: Harmonization*
>>
>> *1) Member States have to undertake necessary measures to ensure that the
>> legislative measures and / or regulations adopted to fight against
>> cybercrime enhance the possibility of regional harmonization of these
>> measures and respect the principle of double criminality.*
>>
>> *Question*: What is the principle of double criminality here?
>>
>>
>>
>> *Section II: Other penal sanctions*
>>
>> *Article III – 48*
>>
>> *Each Member State of the African Union have to take necessary legislative
>> measures to ensure that, in the case of conviction for an offense committed
>> by means of digital communication facility, the competent jurisdiction or
>> the judge handling the case gives a ruling imposing additional punishment.*
>>
>> *Question:* What is the interpretation of additional punishment? Is this
>> not granting of absolute powers to judges?
>>
>>
>>
>> *Day Five 29/11/2013*
>>
>> This will be dedicated to any other issue(s) that listers may want to raise
>> in regard to the Convention. Further, listers can go back to issues of any
>> other day and discuss them here.
>>
>> What other issue(s) would you like to raise?
>>
>>
>>
>> *References*
>>
>> DRAFT AFRICAN UNION CONVENTION ON THE CONFIDENCE AND SECURITY IN
>> CYBERSPACE
>> http://pages.au.int/sites/default/files/AU%20Cybersecurity%20Convention%20ENGLISH_0.pdf
>>
>> http://daucc.wordpress.com/
>>
>> http://www.thepetitionsite.com/takeaction/262/148/817/
>>
>>
>> http://daucc.wordpress.com/2013/10/29/paper-review-basic-drawbacks-of-the-draft-african-union-convention-on-the-confidence-and-security-in-cyberspace/
>>
>>
>> http://michaelmurungi.blogspot.com/2012/08/comments-on-draft-african-union.html
>>
>>
>>
>> Have a great weekend and see you on Monday.
>>
>>
>> Rgds
>>
>> Grace
>>
>>
>> _______________________________________________
>> kictanet mailing list
>> kictanet at lists.kictanet.or.ke
>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>
>> Unsubscribe or change your options at
>> https://lists.kictanet.or.ke/mailman/options/kictanet/alice%40apc.org
>>
>> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
>> for people and institutions interested and involved in ICT policy and
>> regulation. The network aims to act as a catalyst for reform in the ICT
>> sector in support of the national aim of ICT enabled growth and
>> development.
>>
>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>> online that you follow in real life: respect people's times and bandwidth,
>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>> not spam, do not market your wares or qualifications.
>>
>>
>>
>>
>
>
>
> --
> Poncelet O. Ileleji MBCS
> Coordinator
> The Gambia YMCAs Computer Training Centre & Digital Studio
> MDI Road Kanifing South
> P. O. Box 421 Banjul
> The Gambia, West Africa
> Tel: (220) 4370240
> Fax:(220) 4390793
> Cell:(220) 9912508
> Skype: pons_utd
>
>
>
>
>
>
> www.ymca.gm <http://www.ymca.gm>
> www.waigf.org <http://www.waigf.org>
> www.aficta.org <http://www.aficta.org>
> www.itag.gm <http://www.itag.gm>
> www.npoc.org <http://www.npoc.org>
> http://www.wsa-mobile.org/node/753
> www.diplointernetgovernance.org
>
--
______________________
Mwendwa Kivuva, Nairobi, Kenya
twitter.com/lordmwesh
kenya.or.ke | The Kenya we know