Legal Challenges of Harmonizing Cyber Laws in East African Community

In 2006 East Africa Community Council of Ministers met to discuss the need for regional integration with regard to e-Government and e-Commerce. As a result of this meeting, EAC Task Force on Cyberlaws in close collaboration with the EAC secretariat with support from UNCTAD recommended a modern and effective regional harmonized framework for cyberlaw. The first phase of the framework covered electronic transactions, electronic signatures and authentication, cybercrime, data protection and privacy. The second phase of the framework covered intellectual property, e-taxation, and information security.

The East African Community is a regional economic block comprising of five Partner States including the Republic of Kenya, the Republic of Rwanda, the Republic of Uganda, the Republic of Burundi and the United Republic of Tanzania with its headquarters in Arusha Tanzania. The principal source of EAC law is the EAC treaty which obliges the Partner States through their appropriate national institutions to take all the necessary steps to harmonize their national laws that relate to the Community. Partner States are expected to plan and direct their policies and resources with a view to creating favorable conditions for regional development.

In 2006 EAC Council of Ministers adopted e-Government program with the view of deepening East African regional integration through the provision of government information and services. This strategy was aimed at improving and enhancing delivery of public services through the use of Information and Communication Technologies (ICT). To successfully achieve operational efficiency of this strategy, there was a need for strong backup support in legislation related to data and network security, cybercrimes and information security as well as electronic transactions. In this regard, cyber laws were identified as a strong pillar that needs to be in place for the successful implementation of e-Government.

Adoption of e-commerce initiative by EAC is seen as having the potential to generate significant economic uplift for Partner States by promoting investor confidence and tapping into myriad business opportunities in almost all sectors. This calls for a modern framework of cyberlaw that will interface between the physical and electronic space.

Cyberlaw Reform in the EAC

The improved fiber-optic link connecting the Partner States to the rest of the world and the rapid expansion of mobile telephony and related services, particularly mobile money are some of the ICT developments that have sparked rapid economic growth in the EAC region. The laying of the first undersea fiber-optic cable in 2009 marked the beginning of an era of faster and cheaper Internet and increased mobile penetration. The increased online activities by the private sector as well as public administration precipitated the need to develop modern and harmonized cyber laws that could be benchmarked against international standards and best practices.

Legal Challenges of Harmonization

Different Legal Systems

Partner States in the EAC economic bloc use two different legal systems. While Kenya, Uganda, and Tanzania follow a common law system, Burundi and Rwanda both subscribe predominantly to civil law systems. This has led to contrasting legislation practices and procedures between the groups of EAC countries and has significantly contributed to slowing down the harmonization efforts in the region. When it comes to cybercrime, these historical legal differences for example in the context of criminal law often depend on the particular ‘legal family’ – be it civil or common law as well as prevailing socio-cultural and constitutional orders.

National laws are also written in different languages further complicating the harmonization process as it requires comprehensive research and review and huge financial resources to support the activities of the task force. Rwanda, after admission into the EAC economic bloc, has begun to move from their historical civil legal system towards a common law system in line with harmonization requirements.

 Legislative and Political Commitment

The most important factor in any reform project like cyber laws reform agenda is the recognition that there is an issue to be addressed by the process. There is a need for adoption of the draft measures by the Partner States’ national political institutions as well as implementation efforts that are geared towards the achievement of real business impact and administrative attitudes and practices. Therefore explicit political commitment is required at the highest level of the executive as well as the legislature.

The common problem among the Partner States is the ownership of reform projects by relevant ministries thereby devoting sufficient internal resources to liaise and coordinate activities with all stakeholders. This is compounded further by the lack of experienced policymakers with legal expertise related to cyber laws. Capacity building is therefore required to adopt and manage the reformed environment. The regulatory authority, law enforcement, and judiciary staff need to be trained to ensure that the reforms are effective.

Data Protection and Privacy

Personal data is sometimes said to be the fuel of the Internet economy. Companies use this data to strategize and for marketing purposes so that they know the viability of their different business products. However, within the EAC Partner States, the use of this data is not governed by any written law. Many service providers claim to have rights over the data they collect and can use this data according to their own policies.

In EAC, no Partner States have put in place any proper data protection and privacy laws. Kenya borrowed verbatim from the UK Data Protection Act 1998 but the process to enact that into law seems to have been halted. In Rwanda, data protection and privacy provisions are only present in Telecommunications Law but are concerned mainly with voice and data confidentiality. In the United Republic of Tanzania, there is still no legal framework for data protection and regulation. In Uganda, this provision is entrenched in the Data Protection Bill 2015 which still falls short of comprehensively protecting data and privacy as it lacks succinct clauses on Key areas such as notification of breach and data portability.

With the expansion of the information economy in the region data protection and privacy is becoming increasingly important as more business models and practices move onto the digital platform and sharing and exchanging regional data. It follows then that in the absence of proper data protection and privacy legislation, the harmonization process is difficult and there is strong need to strengthen the control over collection and use of personal data including the imposition of obligations on those processing such data. It is evident that this is still an area of vulnerability in EAC for which regulations need to be established since data protection has a direct effect on global as well as regional trade.

Cybercrime

With the implementation of phase 1 of the law reform framework by Partner, it expected that e-commerce will expand with more businesses moving their activities online. This also means criminal activities will as well be rampant in the region. The existing criminal laws in various Partner States may not be adequate in effectively addressing the new online criminal conducts such crimes perpetrated through the use of ICT. This calls for reforms in both substantive as well as procedural laws by the Partner States to provide adequate powers to law enforcement and the judiciary to investigate and adjudicate these new types of criminal activities.

Kenya has published the Computer and Cybercrimes Bill which seeks to provide for offenses relating to computer systems; to enable timely and effective collection of forensic material for use as evidence, and facilitate international co-operation in dealing with cybercrime matters, and for connected purposes. The Tanzania Cybercrimes Act of 2015 was enacted and signed into law 2015. The law makes provisions for criminalizing offenses related to computer systems and Information Communication Technologies, provides for investigation, collection, and use of electronic evidence in Tanzania Mainland and Zanzibar. Uganda passed the Computer Misuse Act 2011 that makes provision for the safety and security of electronic transactions and information systems, abuse or misuse of information systems including computers and to make provision for securing the conduct of electronic transactions.

The main challenge in relation to cybercrime legislation in EAC region springs from the fact they are not harmonized in terms of cybercrime offense penalties. They provide divergences in national approaches to cybercrime acts. For example, examination of just one crime, illegal access, shows a considerable difference in its perceived degree of seriousness amongst the Partner States. Also given that cybercrime has no boundary and it is a kind of crime that does not need the offender to travel across country borders to commit a crime, there are no well spelled jurisdictional authorities to punish cybercriminals for example where cybercrime is committed across the borders within the EAC Partner States. The other challenge is that cyber attacks are increasingly global in nature and as such, it is not always feasible to simply handle them at a national level.

“Cyber attacks have the potential to destabilize on a global scale. Cybersecurity must, therefore, be a matter of global concern. We need to work together to bolster confidence in our networks, which are central to international commerce and governance.

We need to strengthen national legislation … push for international frameworks for collaboration … and adopt the necessary measures to detect and defuse cyber threats”.

Mr. Ban Ki-moon, UN Secretary-General, Seoul Conference on Cyberspace, Seoul, Republic of Korea, October 2013

The EAC Partner States should ratify multilateral instruments like the Budapest Convention which provides a legal framework for international cooperation on cybercrime and electronic evidence. These instruments are designed to play a major role in the harmonization of cyber laws.

E-Taxation

With the advancement of e-commerce especially with respect to the consumption of online products and services, traditional taxation rules have been greatly challenged. In Burundi, tax reforms have provided conditions for establishing VAT and customs for electronic contracts and services provided electronically via the Internet. Kenya embarked on an exercise to uphold the integrity of the e-taxation platform by introducing the law that makes it an offense for a person to gain unauthorized access or improper use of a computerized tax system and outlaws interference with a computerized tax system. Reforms in e-taxation laws in the context of the EAC regional integration has still many challenges and slow as governments are careful to take risks with policies that might change their political, economic or social positions. There are however on-going discussions on how to formalize e-taxation within the regulatory framework.

In the wake of e-commerce, it is important that the Partner States review existing and related laws to ensure that they are harmonized and are consistent with the applicable tax regime. Regulations governing tax administration should be re-evaluated to ensure that online businesses are brought within the tax bracket and relevant tax authorities have the technical and secure means to collect taxes in an online environment.