E-Commerce, Cyber Security and Governance in Africa
by Alice Namuli Blazevic
Technology is at the forefront of our growth as a continent. Africa has witnessed phenomenal growth in the ICT sector in the past decades; internet use statistics indicate that Africa’s population of Internet users grew from about four and a half million people in 2000 to about 400 million people in December 2017.
We are experiencing exponential growth in e commerce driven by the high tech start-up scene on the continent, changing the way we live and do business. In spite of debates about its ‘Africanness’, the listing of the e-commerce start-up Jumia on the New York Stock Exchange proves that African markets aggregated by technology is as an attractive target for capital investment as any around the world. The e-commerce industry in Africa is also expected to expand to USD75bn by 2025. Meanwhile, fintech pioneers like M-Pesa (mobile money) and Bitpesa (blockchain-backed transfers) are moving enormous sums of money across the continent at very low costs.
However, the growth of e-commerce and the more people access data or the internet in Africa, the more concerns arise over misuse of the internet and the need to promote cybersecurity governance on the continent.
On an annual basis, we experience hundreds of millions of sophisticated cyber attacks on the continent. The market is saturated with cyber-hackers, who are adept at deploying the latest weaponised vulnerabilities in order to access valuable data for ransom, fraud, theft from financial institutions, governments to private companies. Many cyber security practitioners have warned that if the current statistics continue to grow, combined with the absence of a collaborative and strong defensive cyber mechanisms in place, cyber attacks have a high potential to cripple African economies.
The most recent cyber-attack on the continent took place on 3rd June 2019, when 18 Kenyan government websites were hacked. Luckily, according to the Kenyan authorities there was no critical data compromised. But it is worth noting that the number of cyber threats identified by Kenya’s government in the first quarter of 2019 almost tripled to 10.2m from the previous year. It is fortunate that the 18 hacked sites did not compromise citizen or national security data, but it is easy to imagine that new attacks will succeed to do so.
Such incidents can’t be ignored and they raise obvious questions. How prepared are African governments for cyber attacks?
According to the Global Cyber Security Index of the International Telecommunications Union, the African continent is performing poorly with the lowest level of commitment to cyber security found in its ranking.
Below is a breakdown of key statistics for most affected African countries:
Many African countries have no specific cyber legislation, for the few countries where cyber laws exist there is no strict adherence and there is a general lack of awareness of cyber security measures resulting in a conducive environment for cybercrime in Africa.
So far, 21 African countries including, Angola, Benin, Burkina Faso, Chad, Equatorial Guinea, Mali, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Malawi, Morocco, Niger, Senegal, South Africa, Tunisia, Zambia, and Uganda have enacted data protection and privacy laws. And 5 countries have laws in draft stages (including Kenya, Nigeria, Togo, Tanzania and Zimbabwe).
Uganda, for example, has a number of legislations in place which address internet misuse and these include: The Data Protection and Privacy Act 2019, The Computer Misuse Act, The Electronic Signatures Act, The Electronic Transactions Act, The Access to Information Act and The Regulation of interception of communications Act.
Uganda’s 2019 Data Protection and Privacy Act was benchmarked on the EU data protection regulations and has similar clauses to GDPR which require strict compliance. All data collectors are required to obtain consent from data subjects, and notify the regulator in case of any breach. For failure to comply or if found in breach of the law, the maximum penalty for companies is 2% of their annual gross earnings. For individuals, the fine is about USD 1280 and/or 10 years’ term of imprisonment.
Regionally, there are efforts to ensure data protection within regional blocs. For example, the Southern African Development Community (SADC) has developed a model law harmonising policies for the ICT Market in Sub Saharan Africa, which includes components on data protection. The Economic Community of West African States (ECOWAS) has created the Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS. And several Francophone countries (Benin, Burkina Faso, Ivory Coast, Gabon, Mali, Morocco, Senegal and Tunisia) are part of the French-Speaking Association of Personal Data Protection Authorities (AFAPDP) which promotes personal data protection principles and rules in French-speaking countries.
The African Union imposes obligations on member states to establish legal, policy and regulatory measures to promote cybersecurity governance and cybercrime through its regional cybersecurity treaty, known as the Convention of the African Union on Cybersecurity and Personal Data, passed in June 2014.
It covers a broad range of issues, including but not limited to e- commerce, data protection, cybercrime and national cybersecurity.
However, so far, only ten African countries (Benin, Chad, Comoros, Congo, Ghana, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome & Principe and Zambia) have signed the convention and only two (Mauritius and Senegal) have ratified the convention.
Once a member states ratifies the convention, it is required to enact personal data protection laws as well as develop a national cybersecurity strategy, pass cybercrime laws, and ensure that e-commerce is exercised freely.
The adoption of the AU Cyber Security Convention underscores Africa’s efforts to promote cybersecurity and governance on the continent.
In spite of this progress, it is clear that additional investment in ICT and cybersecurity literacy, infrastructure development in both the public and the private sector, collaboration of African governments, enforcement and strict compliance of existing laws, as well as a shift towards a cybersecurity mind-set is needed to give force to the incipient legal framework on the continent.
Alice Namuli Blazevic is a Partner with Katende, Ssempebwa & Co based in Uganda. She specialises in Technology Law with a keen interest in Blockchain, Crypto currencies, Fintech and Artificial Intelligence.