ANALYSIS Nelson Otieno 23 April 2021
Every regional integration arrangement has its ups and downs. One example being the East African Community (EAC). Yet, the prospects and challenges of integration in the EAC are not static themselves but are rather influenced by the changing circumstances. The COVID-19 pandemic, for instance, has been both a redefining circumstance and an impulse for reflection of prospects of integration in EAC on many fronts. Notably, the pandemic has been associated with increase in internet uptake in most African states. The increased uptakes mean that most of the population is staring at multiplied cases of both actual and threatened cyber-attacks.
International and EAC Frameworks
Unfortunately, there is no specific one-stop instrument to provide assurances and safeguards against cybercrimes at the international scene. The prospects of such mud-needed reassurance are even dimmer since the African states have in one way of the other squandered chances of addressing the African-specific cybercrime challenges owing to the low ratification of the African Union Convention on Cyber Security and Personal Data Protection (2014). As such, the current arrangement is that African states rely on the fragmented state-specific domestic legislations to regulate cybercrimes.
At the EAC level, Article 124(5) of the Treaty for the Establishment of East African Community (EAC Treaty, 1999) provides for cybercrime regulation as an area of cooperation for the EAC member states. Pursuant to this provision, EAC has developed a robust framework including the EAC Development Strategy, EAC Framework for Cyberlaws (2008), EAC Model of ICT Framework (2015), Science Technology and Innovation Policy (2019), and EAC Vision 2050. Nevertheless, the impact of the legal framework can be described as an absolute minimum in cybercrime regulation and harnessing harmonization of control of cross-border cybercrime. Specifically, the existing EAC-wide framework stipulates various elements that must be covered by the state legislations. The framework does not, however, interfere with reliance on the domestic cybercrime legislations. This is to say, to the extent that EAC member states wish to address state-specific cybercrime concerns or other issues, they are free to legislate so long as they are within the bounds created under the EAC framework.
State Cybercrime Legislations
Uganda, United Republic of Tanzania, and Kenya are the fastest sprinters as far as concerned with the development of cybercrime legislations by EAC member states. Uganda’s Computer Misuse Act was developed in 2011, four years before Tanzania’s Cybercrimes Act was enacted in 2015. Three years later, Kenya has developed its Computer Misuse and Cybercrimes Act (2018). The respective laws adopt a structure that tends to address substantive cyber offences, and provide for due process on investigation procedures, international cooperation, and jurisdiction of courts. The recent steps by some EAC member states to develop legislations are obvious steps in the right direction. The Kenyan Act, for example, provides for robust mechanisms for international cooperation that were not provided for in the pre-2018 regime.Further, the Act’s provisions compliment the international cooperation mechanisms under the Ugandan and Tanzania’s cybercrime legislations. Comparatively, the commonality in the structure of the 2018 Act with the cybercrime laws in Uganda and Tanzania also undoubtedly point to a commendable path in ensuring that the laws are harmonized towards combating the cross-border cybercrimes.
Harmonizing Cybercrime Legislation
A more intense zooming at the specifics of the cybercrime legislations in the three EAC States beyond the structural commonalities is curious. The specific reveals that the cybercrime legislations do not inspire confidence in the prospects of convergence of the EAC cybercrime legislations. To begin with, Kenya’s list of cybercrimes states a total of 29 offences, a larger number compared to 10 and 13 in Uganda’s Computer Misuse Act (2011) and Tanzania’s Cybercrime Act (2015) respectively. The difference in number, typologies and the steepness of sanctions negatively impinge on the potential for harmonization of cybercrime legislation in EAC.
Further, glimpses on the extra-territorial jurisdiction shows that section 31 of Tanzania’s Cybercrime Act is more liberal and broader in nabbing cybercriminals outside Tanzania. Comparatively, the Kenyan and Ugandan legislations are more inward-looking and are very restrictive in the manner they donate extra-territorial jurisdiction to the relevant courts. Evidently, this phenomenon has a potential to sabotage achievement of the overall goal of prosecution of cross-border cybercrimes as contemplated under Article 124 of the EAC Treaty (1999).
Before 2018, Kenya had not implemented any cybercrime legislation despite its predisposition to cyber-attacks in various ways. The enactment of Kenya’s 2018 Act was thus a moment of reflection of the efforts made by the EAC in harmonizing cybercrime regulation approaches at state levels. From the analysis above, it has become evident that the cybercrime regulation harmonization journey is more intriguing than it appears on face value. All the EAC member state cybercrime legislations are embodiments of prospects and infirmities in various areas of cybercrime legislation. As such, no EAC member state can brag to be the role model on best practice of cybercrime regulation. This analysis urges a concerted effort of EAC member states that focuses on harmonizing the typologies of cybercrimes, expanding informal international cooperation, and ensuring similarity in the approach for extra-territorial jurisdiction. Should Somali and Democratic Republic of Congo be considered for membership in the EAC, EAC should consider rolling out a ‘No-State-is-left-Behind’ campaign akin to ILO’s to ensure all EAC states embrace modern cybercrime legislation.
Nelson Otieno is an Advocate of the High Court of Kenya and an Associate at MMK Advocates, Nairobi. His research interests are in cybersecurity and ICT law.