Malabo Convention

African Union Convention on Cyber Security and Personal Data Protection

Key Facts

Effective Date: June 8, 2023
Enacted: June 27, 2014
Enforcing Authority: None at continental level; requires member states to establish independent national data protection authorities (DPAs)
Consent Model: Opt-in
Applies To: AU member state governments (obligation to legislate); indirectly affects organizations in ratifying states

Overview

The Malabo Convention is the African Union's continental framework treaty bundling data protection, cybercrime, cybersecurity, and e-commerce into one instrument. It entered into force on June 8, 2023, after taking 9 years to reach the required 15 ratifications. It sets minimum standards for national data protection laws but does not directly regulate websites.

What This Means for Your Website

  • The Convention requires member states to enact national data protection laws
  • Member states must establish independent DPAs
  • The Convention itself does not directly regulate websites — national laws do
  • 15 African countries have ratified; more national laws are expected as implementation progresses
  • South Africa notably has NOT ratified

Key Requirements

No continental-level enforcement exists — enforcement is deferred to national implementing legislation. Each member state must establish an independent DPA. Criminal sanctions are required for cyber-related offences. Cross-border transfers are restricted to countries with adequate protection.

How ConsentStack Handles This

ConsentStack applies the consent requirements of national implementing legislation in each ratifying member state rather than the Convention directly.

Penalties

Deferred to national implementing legislation; the Convention requires criminal sanctions for cyber offences.

Key Requirements

  • Member states must enact comprehensive data protection legislation
  • Each state must establish an independent national DPA
  • Personal data processing requires consent or lawful basis
  • Cross-border transfers restricted to adequate-protection countries
  • Criminal sanctions required for cyber offences

Notable Provisions

  • Took 9 years to reach 15-ratification threshold
  • Lacks enforcement mechanisms at continental level
  • South Africa notably has NOT ratified
  • Bundles four domains: data protection, cybercrime, cybersecurity, e-commerce

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.

Frequently Asked Questions

What is the Malabo Convention?

It is the AU's continental framework treaty on cybersecurity and data protection. It entered into force in June 2023 after 15 countries ratified it.

Does the Malabo Convention directly regulate websites?

No. It sets minimum standards that member states must implement through national legislation. National laws directly regulate websites.

Has South Africa ratified the Malabo Convention?

No. South Africa is a notable non-ratifier, relying instead on its own POPIA for data protection.

Stay compliant with the Malabo Convention

ConsentStack helps you implement opt-in consent for African Union member states automatically.