A decisive step by Senegal towards accession to and ratification of the Budapest and Malabo Conventions [By Dr Papa Assange Touré, Legislative and Regulatory Affairs, Government of Senegal]

The information came as a bombshell: pursuant to legislative and regulatory texts, the council of 30 March 2016 adopted bills authorising the President of the Republic of Senegal to ratify the African Union Convention on Cyber Security and Protection of Personal Data of 27 June 2014, and the Budapest Convention on Cybercrime of 23 November 2001 and its additional protocol of 28 January 2013 concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems.

The Senegalese government’s adoption of regulatory bills authorising the ratification of these two tools for the fight against cybercrime in the course of a single meeting of the Senegalese Council of Ministers, beyond the political will it reflects, reveals a clear cooperative approach on the part of the public authorities in the field of cybersecurity and cybercrime.

Indeed, Senegal has been committed since 2008 to a major project to reform the legal framework for Information and Communication Technologies (ICTs), which was reflected by the adoption of Law No. 2008-11 of 25 January 2008 concerning cybercrime. Senegal has also established, within the Criminal Investigation Division of the Senegalese Ministry of the Interior and Public Security, a Special Brigade for the Fight Against Cybercrime (BSLC), which has nationwide jurisdiction.

However, in spite of this legislative and institutional framework, there remain obstacles to dealing effectively with cybercrime linked in particular to the global nature of the phenomenon, which ignores State borders. This is a source of legal difficulties in conducting investigations[1].

Given these strategic challenges, it has seemed necessary to better involve Senegal in the international fight against cybercrime.

Already, on the sub-regional level, Directive C/DIR/1/08/11 of 19 August 2011 on fighting cybercrime within the Economic Community of West African States (ECOWAS), adopted during the 66th session of the ECOWAS Council of Ministers held in Abuja (Nigeria) from 17 to 19 August 2011, charged Member States with the obligation to adopt the necessary legislative, regulatory and administrative measures to fight against cybercrime activities (Art. 35)[2]. Senegal will not need to transpose this Directive, as the legal measure that it provides for was in fact inspired by Senegal’s Law No. 2008-11 of 25 January 2008.

The Heads of States and Governments of the African Union, who met on 26 and 27 June 2014 in Malabo (Equatorial Guinea) during the 23rd Ordinary Session of the Summit of the AU, adopted the African Union Convention on Cyber Security and Protection of Personal Data[3]. The Malabo Convention of 27 June 2014 represents a major innovation in the strategy for the fight against cybercrime in Africa. It takes a very broad approach to cybersecurity[4], involving the fight against cybercrime, protection of personal data and framework for electronic transactions[5].

The AU convention has the distinctive feature of integrating the approach to cybersecurity into the fighting strategy, involving in particular the promotion of a cybersecurity culture, development of a nationwide security policy, raising of populations’ awareness, training of players and establishment of cybersecurity organisations (computer emergency response teams, or CERTs; investigative organisations; etc.)[6].

The ratification of the African Union convention will promote a consolidation of the cooperation relations between Senegal and the Member States of the AU.

Despite the virtues with which this convention is adorned, Africans should, at the risk of committing sacrilege, resist the temptation of forming a “pan-African cult” of worship of this treaty to the point of assimilating it as the only tool for cooperation against cybercrime. In reality, the Malabo Convention represents a continental tool for cooperation, which only the Member States of the African Union may ratify.  It is a “closed convention.” Yet, cybercrime is not an African or European crime phenomenon, but a global scourge.

Thus, despite the innovation that this treaty represents, the States of the African Union still face the challenge of identifying an international legal tool for the fight against cybercrime.

However, it should be noted that there is not yet any legal tool specific to cybercrime on the level of the United Nations.

The only international tool for the fight against crime in cyberspace is the Budapest Convention of 23 November 2001, which entered into force on 1 July 2004[7]. This legal tool, while it was issued within the framework of the Council of Europe, no less represents the first international treaty to provide criminal-justice solutions to the problems raised by cybercrime. Indeed, the Budapest Convention, which is open to signing by non-Member States of the Council of Europe having participated in its development, is also open to other non-Member States, by accession (Art. 37).

In this regard, the Committee of Ministers of the Council of Europe, during its meeting held on 16 November 2011, taking into account Senegal’s leadership in Africa, decided to invite it to accede to the Budapest Convention[8]. Senegal responded favourably to this request, and the accession procedure has just led to the adoption of a draft text authorising the President of the Republic of Senegal to ratify (accede to) this convention.

The completion of the accession procedure has the merit of aligning Senegal with the international fight against the cybercrime that is defying State borders. Thanks to it, the legal and law-enforcement authorities will be able to obtain the assistance of the Member States of the Budapest Convention (the United States, France, South Africa, Japan, etc.), and of global Internet players (Facebook, YouTube, Google, Gmail, etc.), in their investigations, in addition to the technical and operational assistance of the Council of Europe[9]: securing the removal of a compromising video on YouTube; sending a requisition for identification of the holder of a Yahoo account involved in the commission of an offence; blocking a Facebook account disseminating fraudulent content; etc.

The choice to ratify the African Malabo Convention and accede to the European Budapest Convention brings to light the fact that the authorities have become aware of the strategic challenges tied to the diversification of mechanisms for cooperation in the field of cybercrime and cybersecurity.

Ultimately, the complexity of the cybercrime phenomenon calls for channelling all levels of cooperation: the sub-regional level (Abuja Directive of 19 August 2011), continental level (Malabo Convention) and international level (Budapest Convention).

In reality, all roads in the fight against the impunity that runs rampant in cyberspace lead to Budapest — with stopovers in Abuja and Malabo.

                     Dr Papa Assane Touré                             

Magistrate

Deputy Secretary-General in charge of Legislative and

Regulatory Affairs of the Government of Senegal

[1]H. GAUDEMET-TALLON, “L’internationalité, bilan et perspectives” (Internationality: Review and Outlook), Rev. dr. aff., February 2002, no. 46, p. 76; also, P. TRUDEL, “L’influence d’Internet sur la production du droit” (The Influence of the Internet on the Production of Law), in G. CHATILLON (ed.), Le droit International de l’Internet (International Law and the Internet), Bruylant, Brussels 2002, p. 91.

[2] On this subject, “Les pays de la CEDEAO s’engagent à lutter contre la cybercriminalité” (The ECOWAS Countries Commit to Fighting Against Cybercrime): http://www.ouestaf.com/Afrique-de-l-Ouest-les-pays-de-la-CEDEAO-s-engagent-a-lutter-contre-la-cybercriminalite_a2099.html

[3] Available at the following address: http://pages.au.int/sites/default/files/en_AU%20Convention%20on%20CyberSecurity%20Pers%20Data%20Protec%20AUCyC%20adopted%20Malabo.pdf

[4]N. ARPAGIAN, La cybersécurité (Cybersecurity), Que sais-je ?, PUF, Paris, 2010, p. 9-10.

[5] The Malabo Convention comprises four chapters: Chapter I, regarding electronic transactions (Arts. 2-7); Chapter II, on personal data protection (Arts. 8-23); Chapter III, on promoting cybersecurity and combatting cybercrime (Arts. 24-31); and Chapter IV, entitled “Final Provisions” (Arts. 32-38).

[6]“INTERNET : Adoption de la Convention de l’Union Africaine sur la Cybersécurité et la protection des données à caractère personnel” (INTERNET: Adoption of the African Union Convention on Cyber Security and Protection of Personal Data):http://www.cdp.sn/actu/202-convention-de-l-union-africaine-sur-la-cyber-securite-et-la-protection-des-donnees-a-caractere-personnel; D. BATTU, “La cybersécurité en Afrique” (Cybersecurity in Africa): http://www.smart-webzine.com/la-cybersecurite-en-afrique-4234

[7]S. LE GUILLAS, “Convention du conseil de l’Europe sur la cybercriminalité” (The Council of Europe’s Convention on Cybercrime), Gaz. Pal., 8 May 2002, p. 24; G. DE VEL, “La convention sur la cybercriminalité” (The Convention on Cybercrime), in G. CHATILLON (ed.), Le droit International de l’Internet (International Internet Law), Brussels, Bruyant, 2002, p. 237; by the same author, “Un instrument juridique pionnier : la convention sur la cybercriminalité du Conseil de l’Europe” (A Pioneering Legal Tool: The Council of Europe’s Convention on Cybercrime), in La délinquance électronique: Problèmes politiques et sociaux (Electronic Crime: Political and Social Problems), no. 953, October 2008, p. 707.

[8]VPA TOURÉ, Le traitement de la cybercriminalité devant le juge : l’exemple du Sénégal (The Treatment of Cyber Crime Before the Judge: The Example of Senegal), L’Harmattan, 2014, p. 478, no. 556.

[9]PA TOURÉ, Op. cit, p. 453.