Information telecommunications technologies (IT) have emerged as an everyday human tool in the modern world. They are also an important means to develop the state and society. In other words, whoever has a grip on advanced IT has a grip on the world. There is no doubt that the advancement of IT is accompanied by the fast growth of artificial intelligence (AI), which has also become part of our everyday life. The African countries are not staying on the sidelines in this regard and are rapidly adapting their economies to new realities, including IT and AI.
Nevertheless, the development of IT and AI, while making people’s lives easier, generates moral, ethical, and security problems. This brings about the need for legal regulation of the IT and AI sphere.
Doctrinal approaches to IT and AI regulation
The need for legal regulation of IT and AI has generated heated debates in both scientific and political circles. This is not only a moral, legal and ethical problem; it has much to do with personal data protection, state security, and therefore state sovereignty. So, it is logical that an article by Prof. Anatoly Kapustin, dedicated to the international legal dimension of state sovereignty in cyberspace (published in the Zhurnal Zarubezhnogo Zakonodatelstva I Sravnitelnogo Pravovedeniya in 2022), singles out three main doctrinal approaches to its regulation. The first approach to regulating cyberspace is nihilistic and implies that states are totally against any legal regulation in cyberspace. The second approach aligns with the idea that state sovereignty, though it exists, is not reason enough for an international legal regulation of cyberspace. The third approach recognizes state sovereignty as essential for achieving a satisfactory international legal regulation of relations between states in cyberspace.
Judging by international trends, the doctrinal approach to state sovereignty prevails over other approaches, because states seek to regulate IT and AI development both at the national level and in interstate relations.
A start in international legal regulation of the IT sphere
The Council of Europe was the first international organization to start regulating the IT area. In 1981, it passed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. This was a logical and predictable step because Europe and North America were where IT began developing in the said period. This ushered in legal regulation of IT in the member-states of the Council of Europe. For example, the Russian Federation adopted, in 2006, the Federal Law On Personal Data. This trend also spread to other regional organizations, such as the African Union (AU), and to African states.
Legal regulation of IT by the AU
In 2014, the AU approved its own Convention on Cyber Security and Personal Data Protection, similar to the CE document. The AU certainly drew on the European experience, but it also took into consideration its own record and African realities. This explains why the African Convention includes 38 articles grouped into four large chapters, whereas the European Convention has only 27 articles and seven smaller chapters.
Unlike the European Convention, the African Convention focuses on cyber security and data protection terminology. While the European Convention defines only such notions as “personal data,” “automated data base,” “automated processing,” and “database controller,” the African Convention expands the list of terms by including additional notions, such as “critical cyber infrastructure,” “cryptology,” “e-commerce,” “electronic signature,” and others.
An important distinction of the African Convention is that it attempts to regulate e-commerce. There is an entire chapter dedicated to this subject (Chapter I. Electronic Transactions), which regulates electronic commerce (Section I), contractual obligations in electronic form (Section II), and security of electronic transactions (Section III).
Moreover, while the European Convention authorizes national legislators to devise personal data protection principles (Chapter 2), the African Convention establishes generally recognized principles (articles 13 and 14) as applied to all Parties on the continent (six basic principles and specific principles):
1) the principle of consent and legitimacy;
2) the principle of lawfulness and fairness;
3) the principle of purpose, relevance and storage;
4) the principle of accuracy;
5) the principle of transparency;
6) the principle of confidentiality and security.
The specific principles (specific principles for the processing of sensitive data) prohibit any data collection and processing revealing racial, ethnic and regional origin, parental filiation, political opinions, religious or philosophical beliefs, trade union membership, sex life and genetic information or, more generally, data on the state of health of the data subject. This convention-driven revolution in Africa can be explained by the fact that a long time has passed since the approval of the European Convention and the world has seen many drastic changes in the realm of IT. For example, the UN estimates that global e-commerce is worth over $26.7 trillion and its value will only grow, given the rapid advances in IT. Therefore, we think that the African Convention is right to focus on regulating e-commerce.
Thus, the African Convention boasts many achievements with regard to IT regulation in Africa as a whole.
The evolution of national IT laws in Africa
The African Convention was a factor in African countries’ effort to devise domestic IT laws. Morocco, for one, adopted a national law relative to the protection of physical persons with regard to personal data treatment as early as 2009. South Africa also passed the Protection of Personal Information Act (POPI Act) in 2013. With time, it was modified and amended. Today, the POPI Act also takes into account a number of recommendations arising from the African Convention. As of now, many African countries have their national IT regulation acts and national surveillance commissions in this area.
So, despite their lagging behind Europe in terms of technology, African countries are undertaking efforts to minimize the negative consequences of IT development and to consolidate their achievements in the area of legislative regulation mechanisms.
AI development and the need to regulate it in Africa
The rapid progress in information technologies facilitates advances in AI. The latter is certainly a follow-up on IT development and is determined by it. This course of events makes African countries adjust to the new realities, and it is therefore no accident that some countries are already calling for AI to be regulated by legislative means across the continent.
In Morocco, for example, the Justice Ministry’s Department is drafting laws to regulate AI. Moroccan Minister of Justice Abdellatif Ouahbi believes that AI, in spite of its advantages, may become a threat to man and society as a whole.
In 2023, the South African Department of Communications and Digital Technologies issued a roadmap to regulate AI. The document consists of three parts. Part One is dedicated to the general international discourse and advances in AI regulation. Part Two considers AI’s impact on South African society. Part Three analyzes the priorities and actors in the AI area in South Africa.
Therefore, African countries are also trying to minimize the impacts of AI as far as possible and consolidate conditions with a potential for benefit. Nevertheless, both the international community and individual countries are just beginning to focus on the AI regulation issue. The current international leaders in this regard are again the European countries and the European Union, which adopted, on March 15, 2024, the Convention on Artificial Intelligence, Human Rights, Democracy, and the Rule of Law. This Convention, like the 1981 Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, can also become a model for African countries with regard to AI regulation, albeit with account taken of their own interests and realities.
Conclusion
In conclusion, we can say that IT and AI development requires that governments display a responsible attitude by adopting laws to regulate these areas. The purpose is not only to protect national interests and derive benefits but also to safeguard national morality and ethics and guarantee individual, state, and societal security.
There is no doubt that African countries remain vulnerable and inferior to other participants in the race for higher legal protection in the IT and AI areas. They lack the technological wherewithal for reaching their objectives. Besides, the majority of companies operating in this domain are Western or Asian conglomerates, for which reason African countries are just consumers of their IT and AI services. They are highly unlikely to have political and technological leverage to make them comply with local laws or withdraw their license. Unlike them, the European Commission fined a number of US companies (Google, Amazon, Apple, and others) in recent years for their activities in EU countries. Neither are the Africans able to influence the companies in other ways, including by controlling data in their cloud storages, etc.