What is the Malabo convention?

Published on 29 January 2025

By Diplo alumni Andrew Gakiria and Tevin Mwenda Gitonga

The African Union (AU) Convention on Cyber Security and Personal Data Protection, commonly known as the Malabo Convention, was adopted on 27 June 2014, in Malabo, Equatorial Guinea. This landmark treaty aims to establish a comprehensive legal framework for cybersecurity, electronic transactions, and personal data protection across the African continent.

After ten years of its adoption, the Malabo Convention is now in effect. Article 36 of the Malabo Convention states that the treaty would come into effect once 15 ratifications were achieved. In May 2023, Mauritania ratified the convention, bringing it into effect 30 days later, on 8 June 2023.

The image shows the flag of the African Union — Flag of the African Union (Wikimedia).

Key provisions and benefits of the Malabo Convention

The Malabo Convention encompasses several critical areas:

Cybersecurity and cybercrime: The convention criminalises a wide range of cyber offences, including hacking, identity theft, and cyber fraud. It also outlines procedures for the investigation and prosecution of such crimes, promoting international cooperation among African nations.
Personal data protection: Recognising the right to privacy, the convention mandates that member states establish legal frameworks to ensure the secure collection, processing, and storage of personal data. It requires the creation of data protection authorities to oversee compliance.
Electronic transactions: The convention sets out guidelines to facilitate electronic commerce by providing legal recognition for electronic communications and signatures, thereby fostering a secure digital environment for economic activities.
International cooperation: The convention highlights the importance of international cooperation in combating cybercrime and protecting personal data.

Ratification status

As of 8 June 2023, the Malabo Convention officially entered into force following its ratification by 15 AU member states, including Angola, Benin, Chad, Congo, Egypt, Gabon, Gambia, Guinea-Bissau, Lesotho, Mauritania, Namibia, Niger, São Tomé and Príncipe, Senegal, and Zambia. Notably, some prominent countries, such as South Africa, have yet to ratify the convention, citing concerns about its compatibility with existing national laws and regulations.

The entry into force of the Malabo Convention marks a significant step towards harmonising cybersecurity and data protection laws across Africa. However, the varying pace of ratification underscores the need for continued efforts to align national legal frameworks with continental objectives, ensuring a cohesive and secure digital future for the region.

Why has it taken long to have the convention ratified?

The adoption of the Malabo Convention has been notably slow, with several factors contributing to this hesitancy:

Firstly, many African countries have already enacted national data protection laws that are more modern and robust than the Malabo Convention. These laws often align with global advancements in data governance, including international standards such as the European Union’s General Data Protection Regulation (GDPR). Additionally, regions like the East African Community (EAC) and the Economic Community of West African States (ECOWAS) have been developing or implementing region-specific data protection frameworks tailored to their unique needs and priorities.
Secondly, the African Continental Free Trade Agreement (AfCFTA) and its forthcoming Digital Protocol, which includes annexes on data flows and data protection, offer an attractive alternative. Countries may prioritise these newer, trade-oriented frameworks over the Malabo Convention, seeing them as more relevant to the continent’s economic integration goals.
Thirdly, political will to push for the convention’s adoption has been lacking. The dual focus of the Malabo Convention on cybersecurity and data protection has complicated its implementation, as African countries often approach these topics with differing regulatory strategies. Furthermore, the convention is criticised for being outdated, particularly for its lack of provisions on critical issues such as cross-border data flows, which are vital in today’s digital economy.
Finally, the AU has not established a robust mechanism to steer the implementation of the convention. Without a dedicated oversight body to facilitate ratification, guide national adoption, and promote convergence, the convention has struggled to gain traction.

In summary, the slow adoption of the Malabo Convention reflects a combination of outdated provisions, competing frameworks, and insufficient political and institutional support. As African nations navigate the evolving landscape of digital governance, the convention’s relevance will depend on significant updates and a stronger push for its implementation.

Browse through our alumni blog posts at Diplo Alumni Blog.

Geoeconomics Takes Center Stage at Davos: Five takeaways

Tech at Trump’s inauguration: Visible presence, loud absence

Is AI taking over communications roles?

Diplo Academy 2024: Innovation and milestones

Trump and tech: More of the same, but with a twist

The year of AI clarity: 10 AI Forecasts for 2025

From algorithms to Armageddon: The rise of AI in nuclear decision-making

AI Apprenticeship: 10 transformative lessons from learning AI by building it

How can you check if AI will endanger your job?

Part 8: ‘Maths doesn’t hallucinate: Harnessing AI for governance and diplomacy’

Early origins of AI in Islamic and Arab thinking traditions