Accession to the Malabo Convention and the Future of Data Governance in Kenya
The Cabinet’s recent approval of accession to the African Union Convention on Cyber Security and Personal Data Protection, known as the Malabo Convention, marks a significant milestone. Furthermore, the Office of the Data Protection Commissioner (ODPC) called for stakeholder submissions, signalling a new phase in the country’s digital governance journey. This is not a symbolic gesture; it is a decisive move that will alter how data is managed, how cybercrime is prosecuted, and how digital trade takes place across borders.
What the Malabo Convention Aims to Accomplish
Adopted by the African Union in 2014, the Malabo Convention is the continent’s first comprehensive treaty on digital governance. It covers three critical pillars: electronic transactions, personal data protection, and cybersecurity.
The Convention officially came into force in 2023 after years of slow ratification. Unlike narrow privacy statutes, it lays down broad principles. It obligates Member States to establish independent data protection authorities, criminalise a wide range of cyber offences, and regulate electronic commerce to foster trust and security.
Domestic Foundations and the Road to Alignment
The country already has two key laws in place: the Data Protection Act of 2019 and the Computer Misuse and Cybercrimes Act of 2018. Both have substantial overlap with the treaty’s requirements. While accession does not mean starting from scratch, domestication is essential. The process will involve amending current laws where gaps exist, empowering bodies such as the ODPC and national cybersecurity response teams, and reinforcing the primacy of constitutional protections for privacy and free expression.

Lessons from Regional Peers
South Africa has yet to ratify the Convention, instead choosing to develop its domestic frameworks through the Protection of Personal Information Act (POPIA) and a comprehensive cybersecurity strategy.
Nigeria, on the other hand, has aligned many of its practices with the treaty even without full ratification, through the Nigeria Data Protection Regulation and the Cybercrimes Act. These two approaches demonstrate the range of options available: one driven by comprehensive domestic frameworks, the other by incremental alignment.
In formally acceding, Nairobi signals its intention to ground its governance in a continental framework, while still refining local institutions to make it effective.
Implications for the Private Sector
For corporates, two dimensions stand out:
- Personal data protection: The Convention mandates lawful processing, accountability, and regulatory approval for cross-border transfers. This will impact companies in the telecommunications, finance, and digital platform sectors that operate across multiple jurisdictions. While harmonisation offers efficiency, it also raises the stakes for compliance and predictability.
- Cybersecurity: The treaty requires states to criminalise offences including unauthorised access, system interference, cyber-enabled fraud, and misuse of personal data. It also foresees corporate criminal liability, meaning companies could face sanctions if their systems are exploited due to negligence. Businesses would therefore need to invest in stronger safeguards, conduct regular audits, and develop incident response strategies as part of a new standard of accountability.
The Risk of Overreach
The Convention has faced criticism for its broad provisions, particularly regarding cybercrime, which could be misused to restrict freedom of expression or increase surveillance. Without careful drafting during domestication, there is a risk of weakening constitutional rights. Stakeholders should utilise the ODPC consultation window to promote proportionality, judicial oversight, and precise definitions of offences to prevent ambiguity that could threaten digital freedoms.
Strategic Importance within the Continental Context
Beyond compliance, accession carries strategic weight. With the African Continental Free Trade Area (AfCFTA) gaining momentum, digital trade will be a pillar of integration. Harmonised rules on data and cybersecurity are essential for trust in cross-border commerce. By joining the Convention, the country will position itself as a thought leader in shaping continental norms, enhancing its standing as a hub for financial services, technology, and innovation.
For business leaders, this is the time to engage. Submissions to the ODPC should map overlaps between existing national laws and the Convention, highlight compliance challenges, and propose workable pathways for implementation. Internally, companies should review their cross-border data flows, update data-sharing agreements, and strengthen their cybersecurity systems.
Policymakers should prioritise embedding strong human rights protections, building institutional capacity, and establishing clear, phased guidance to prevent regulatory uncertainty. Implementation must promote trade and trust, rather than creating bottlenecks or expanding unchecked state discretion.
Conclusion
Accession to the Malabo Convention is more than a diplomatic move. It is a strategic moment that will shape how the state manages security, privacy, and innovation in the digital era. When domestication is based on evidence and inclusivity, the country can position itself as a leader in continental digital governance. Conversely, if rushed or politicised, there is a risk of overreach, regulatory fragmentation, and reduced competitiveness. The ODPC consultation is therefore a vital opportunity, providing a chance for businesses, civil society, and experts to influence the framework that will steer the nation’s digital future.
