Cybersecurity and Cybercrime Laws in the SADC Region https://zimbabwe.misa.org Convention sets a normative standard within the international legal framework, acknowledging the need to pursue a common criminal policy and procedural law in relation to cybercrimes. It promotes cooperation between State parties and the private sector. against cybercrime in the digital age. The Convention categorises cybercrimes into four broad types: the first involves “offences against the confidentiality, integrity and availability of computer data and systems”; the second are “computer-related offences”; the third are “content-related offences”; and the fourth are “offences related to infringements of copyright and related rights.” The first type of cybercrimes penalises activities that target and compromise the confidentiality, integrity and availability of computer data and systems. It clearly spells out five offenses: illegal access to computer systems (article 2); illegal interception of data (article 3); data interference (article 4); system interference (article 5); and misuse of devices (article 6). In spite of some of the progressive provisions, the Convention has received a fair share of criticism. For instance, some countries have raised sovereignty concerns over the Convention’s article 32 that raises the possibility for transborder access to data without the authorization of public authorities in the country where the data is being stored. The Convention has been criticized for being outdated, having been overtaken by technological and cybercrime developments that have occurred since its adoption in 2001. It does not cover a wide range of cybercrimes including identity theft, sexual grooming of children, and unsolicited emails and spam. It has limited enforcement because over two-thirds of States have not ratified the treaty. Overall, it is important to note that despite the aforementioned criticisms, the Convention remains the only i nternat ional ag reement t hat addresses cybercrime and is aimed at harmonising national laws and establishing international cooperation 16 The AU Convention on Cyber Security and Personal Data Protection In July 2014, the African Union adopted the Convention on Cyber Security and Personal Data Protection. The Convention aims to harmonise the laws of African States on electronic commerce, data protection, cyber security promotion and cybercrime control. The objective of this Convention was to propose the adoption at the level of the African Union, a Convention establishing a credible framework for cybersecurity in Africa through organisation of electronic transactions, protection of personal data, promotion of cyber security, e-governance and combating cybercrime. The AU Convention is broader than the Budapest Convention in that it covers: Chapter I – Electronic transactions Chapter II – Personal data protection Chapter III – Cyber security and cybercrime. The AU Convention unites different aspects related to information technology law, also including certain non-digital and non-criminal justice issues. It recognises that cybercrime “constitutes a real threat to the security of computer networks and the development of the Information Society in Africa”. In this regard, it imposes obligations on Member States to establish national legal, policy and institutional governance mechanisms on cyber security. According to Article 28 of the Convention, there is need for member states to facilitate international cooperation on cyber security. It also requires AU Member States to make use of existing channels of international cooperation (including intergovernmental or regional, or private and public partnerships arrangements) for the purpose of promoting cyber security and tackling cyber threats.