https://zimbabwe.misa.org
Cybersecurity and Cybercrime Laws in the SADC Region
The Convention emphasises the need for States to adopt the principle of double criminality (dual criminality) when rendering cross-border assistance on cyber security issues. However, it does not create any mechanism for Member States to fulfil extradition and mutual assistance requests on the basis of dual criminality in the absence of an extradition treaty or mutual assistance arrangement. Article 28(1) of the Convention provides that: “State parties shall ensure that the legislative measures and/or regulations adopted to fight against cybercrime will strengthen the possibility of regional harmonisation of these measures and respect the principle of double criminal liability”.
Article 11 of the Convention calls upon Member States to establish independent National Protection Authorities and outlines the duties and powers of these authorities. Article 13 outlines the principles governing the processing of personal data. These include: consent and legitimacy of personal data processing; lawfulness and fairness in personal data processing; purpose, relevance and storage of processed personal data; accuracy of personal data; transparency of personal data processing; and confidentiality and security of personal data processing. The Convention also discusses the rights of the data subject, such as the right to information, the right to access, the right to object, and the right of rectification or erasure. It further provides that the personal data controller has obligations to ensure that processed data is confidential, secure and sustainable, and that it is not stored for too long.
Unlike the Budapest Convention, the Malabo Convention explicitly defines some key terms, such as child pornography, computer system, cryptology, cryptology tools, cryptology service provider, data controller, data subject, double criminality, electronic communication, electronic mail, electronic signature, encryption, personal data, racism and xenophobia in information and telecommunication, sensitive data, and third party.
For the purposes of this report, Article 8 of the Convention, which deals with personal data, explicitly points out that: “Each party shall commit itself to establishing a legal framework aimed at strengthening fundamental rights and public freedoms particularly the protection of physical data, and punish any violation of privacy without prejudice to the principle of free flow of personal data”. It adds that: “The mechanism so established shall ensure that any form of data processing respects the fundamental freedoms and rights of natural persons while recognizing the prerogatives of the State, the rights of local communities and the purposes for which the businesses were established.”
Article 25 of the Convention empowers member states “to adopt legislative and/or regulatory measures as it deems necessary to confer specific responsibilities on institutions, either newly established or pre-existing, as well as on the designated officials of the said institutions, with a view to conferring on them a statutory and legal capacity to act in all aspects of cyber security application”.
However, there is a caveat to this provision, as the Convention clearly explains that “each State Party shall ensure that measures so adopted will not infringe on the rights of citizens guaranteed under the national constitution and internal laws, and protected by international conventions, particularly the African Charter on Human and Peoples’ Rights, and other basic rights such as freedom of expression, the right to privacy and the right to a fair hearing, among others.”
The AU Convention provides for a sub-set of procedural powers that are also contained in the Budapest Convention and that are useful for investigating and prosecuting cybercrime