Combating Computer Crime in Africa, Proposal for a Pan-African Cyber Crime Legal Framework
F. Franklin Akinsuyi (LL.B, BL, MSc, LLM) MBCS
African countries are at various stages in their implementation of e-government and
e-commerce environments. This is being undertaken with a view to utilise technology not only to reduce costs, but also to save time and energy on activities that can be done using reduced human interaction.
These initiatives while slightly behind in relation to time frames against the developments that have been implemented in other parts of the globe are a worthy step to bring Africans up to speed with the benefits of harnessing information technology.
The introduction of the Internet has seen a vast change in the way individuals lead their commercial and social lives. It has led to innovative ways of conducting business and new ways in which government services can be channelled. It has also been responsible for providing easier ways of interacting and keeping in contact with relatives and friends through social networking websites.
It is to be noted however that criminals have used these same technologies and have become more adept in their ways, taking advantage of the ease of use of technology to exploit vulnerabilities left behind by under pressure developers who forget to test and remove known vulnerabilities in their haste to roll out new systems.
We are constantly being reminded of the attempts criminals have made to hack or and gain access to systems and their ingenuity to keep one step ahead of the law.
We are familiar with the rise in Phishing, Identity theft and Virus attacks and are perplexed that new risks, threats and vulnerabilities are being conjured before we can get an effective handle on already existing ones.
We are also aware that certain countries have allegedly been proactive in spying on and attempting to hack into sensitive, confidential and critical systems of other countries.
E-commerce and e-government environments are constantly targeted, making it necessary for them to beef up information security to remove the possibility of their systems being compromised. They are obliged to perform regular penetration tests on their networks as well as indentifying and removing exploitable application vulnerabilities such as, cross-site scripting, buffer overflow, SQL injection before systems go live.
The information security landscape has changed significantly over the last 15 years. Indeed, we have seen the shift in regards to information security responsibility moving from a technical issue to one that now resides in the legal domain. We are seeing a new trend where astute organisations and government institutions are transferring information security responsibility from their technical departments and placing them under the wings of their legal teams. This is not surprising given that new security breach legislations and data protection laws have made the onus of ensuring data subjects information is secure is placed firmly at the feet of organisations that process such data.
This article is aimed at enlightening African Law makers and Legal drafters of the types of computer crime legislations that need to be enacted in Africa to provide recourse to governments, corporations and individuals in the event that they fall victim to computer crime. It highlights legislations that can be used to prosecute criminals who perpetrate computer related criminal activity. The article also recommends and also looks at the benefit of developing and implementing a computer crime legislative framework for African countries with a suggestion for a re-vamp of the law faculties and advanced legal institute’s syllabus to cater for new technology laws.
Status of African Cyber Crime Laws and the Call for an African Cybercrime Legislative Framework
There are a number of African Countries that are in the have developed or are in the development stages of implementing computer crime related legislations.
- East African Countries are in the process of formulating unified computer crime legislations
- Ghana has passed its Electronic Transactions Act and National Information Technology Agency Act and is in the process of developing its Data Protection Laws
- Nigeria is in the process of developing its Critical Infrastructure Laws
- Senegal has passed legislation to govern the development of ICT. The legislation includes law on cyber law, law on protection of private data and the law dealing with electronic transactions
- South Africa has implemented Electronic Transactions Act
- Tunisia has implemented the Electronic Exchanges and Electronic Commerce Act
- Zambia has drafted its Computer Misuse and Cyber Crime Bill
A common thread in relation to some of these laws is the proposal for a single law to deal with cybercrime. It is to be noted from a preview of these laws that these single legislations will not go far enough to deal with the width of computer crime in the 21st century.
There is a risk that if these laws are passed in their current state they may not cover relevant aspects of computer crime thereby leaving loopholes for the criminals to exploit. We also have a long winded process for passing laws in Africa, this could have the impact that by the time these laws are passed, technological developments may have moved on making them inadequate and redundant in their quest to deal with the issues they have been enacted for.
It is also noted that many of these legislations are tilted towards individuals committing criminal acts without addressing the fact that governments and corporations can be involved in computer related criminal activities. For example Data Protection is primarily geared towards providing organisations that collect our personal information with strict principles as to how that data is to be processed.
It is important to note that Data Protection affords redress against breaches to these principles and as such more organisations are taking heed that they could be liable to penalties in the event of such contraventions. In the UK, the limit of such fines has recently been raised from £5000 to £500,000.
Several banks in the UK were criticised for dumping customers’ personal information in bins outside their premises.
Also in the UK, Her Majesties Revenue and Customs (Tax Office) were pilloried for losing the details of over 2.4 million people.
African Cyber Crime Legislative Framework Proposal
While review and amendment of current African laws may be an option, I believe we will need to develop a common list of legislations that will form Africa’s Cybercrime Framework to replace the current proposed laws of individual countries.
This is necessary so that we generate similarly worded legislations. This will provide for generic and understandable laws across the board. It will in its inception allow for the anticipation of the effects of new technologies on the horizon so that the laws that constitute the framework are not obsolete and ineffective when passed.
I will now introduce and explain laws that must as a minimum be considered to constitute this framework, by explaining what they are, why they are necessary and giving examples of how they have been enacted in other countries.
Identity Theft Laws
Identity theft has taken up new grounds in the debate about the protection of personal information. High profile successful unauthorised and fraudulent access to databases where personal information is stored have more recently also called for speedy enactment of stringent legislation to assist in the curtailment of the phenomenon.
Identity theft was initially thought to only affect the individuals whose personal information has been hijacked. It can however be seen that organisations whose primary business involves obtaining and selling personal information are falling prey to sophisticated criminals. These criminals are willing to go the extra length to obtain as many instances of personal information at one fell swoop, rather than having to hunt for individual pieces of information risking being caught out at each attempt.
An example of an Identity theft law is the Identity Theft Act US 1998
Following testimony by the Federal Trade Commission in front of the US Senate, federal officials deemed it necessary to address growing concerns over identity theft scams.
The Identity Theft Act was passed in the United States to offer identity theft protection for individuals and businesses that can or have been victims to identity thieves. Fully entitled The Identity Theft and Assumption Deterrence Act, it was passed by the US Congress and signed into law by President Bill Clinton in 1998. An amendment to the law was enacted in 2003.
The law came into being due to the exponential rate in which consumer’s personal information was being exploited in the United States due to the advent of the Internet and the rise in large consumer databases. It was also fuelled by the increased access to computers which now housed detailed information about individuals and their financial records.
The Identity Theft Act identifies crimes involving loans, mortgages, credit cards and lines of credit that can be prosecuted. It also includes additional crimes to which people can be prosecuted should they be caught. US Code Title 18 was amended to include any fraud committed using identification documents or personal information. It also made it illegal to knowingly transfer this information to other people without authorisation, regardless of intent.
The identity thief needs to have the intention of defrauding a person, business or government agency within the country. Criminals can be charged if they commit identity theft either through the mail, across state lines or internationally.
The Identity Theft Act allows for punishments of 5, 15, 20 or 30 years depending on the crime. It also calls for fines determined by certain factors such as the extent of financial disparity caused.
In extreme cases, there is also a statute that defines certain incidents as “Aggravated Identity Theft” which allows for consecutive sentences to be enforced upon criminals.
Data Protection and Privacy Laws
Data Protection involves the protection of personal data, which covers both facts and opinions about an individual. It includes the implementation of administrative, technical and or physical measures to guard against unauthorised access to personally identifiable data.
In Europe, Data Protection stems from legislative requirements such as the European Convention of Human Rights, and has with the advancement in automated processing of data been influenced by new legislations such as the European Data Protection Directive and the Directive on Privacy and Electronic Communications.
It involves the protection of personal data, which covers both facts and opinions about an individual.
Anyone who processes personal information must comply with the following eight data protection principles:
Personal Information must be processed:
- Fairly and lawfully
- Processed for limited purposes
- Adequate, relevant and not excessive
- Not kept- longer than necessary
- Processed in accordance with the data subject’s rights
- Not transferred to countries without adequate protection.
Note on the last Principle
The last Principle should not be taken likely; this is due to the fact that many African countries want to partake in outsourcing. Now given the fact that a lot of outsourcing involves the processing of personal data, African countries who wish to be considered as outposts for outsourcing services should note that it is the development of sufficient laws and practices similar to those of the European Union that need to be put in place prior to trying to figure out what technologies are relevant for outsourcing.
US Privacy laws
In the US, the Personal Data Privacy and Security Act US (2005 updated 2009) was enacted after security breaches at ChoicePoint and LexisNexis.
The Act provides criminal penalties for identity theft involving electronic personal data by: increasing penalties for computer fraud when such fraud involves personal data. It also adds fraud involving unauthorised access to personal information as a predicate offence. The Act also makes it a crime to intentionally or wilfully conceal a security breach involving personal data.
It gives individuals access to, and the opportunity to correct, any personal information held by data brokers; and
- Requires entities that maintain personal data to establish internal policies that protect such data and vet third-parties they hire to process that data;
- Requires entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data;
- Limits the buying, selling or displaying of a social security number without consent from the individual whose number it is, prohibits companies from requiring individuals to use social security numbers as their account numbers and places limits on when companies can force individuals to turn over those numbers in order to obtain goods or services, and bars government agencies from posting public records that contain Social Security numbers on the Internet;
- Requires the government to establish rules protecting privacy and security when it uses data broker information, to conduct audits of government contracts with data brokers and imposes penalties on government contractors that fail to meet data privacy and security requirements.
Consumer data broker ChoicePoint, Inc., which in 2005 year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026
Related to the Data Protection Directive is the Privacy of Electronic Communications Directive (EU 2002) which lays certain obligations on telecommunications companies and service providers. A new development within this Directive is that it extends controls on unsolicited direct marketing to all forms of electronic communications including unsolicited commercial e-mail (UCE or Spam) and SMS to mobile telephones.
The Directive applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community.
A brief introduction of the salient points reveals the following in the Directives aims in ensuring fundamental human rights and freedoms particularly the right to privacy for subscribers of electronic communications:
· Security Measures
The Directive provides that communication service providers should adopt adequate security measures both from a technical and organisational point of view that are commensurate with the risks that can accrue. With the spate of recent high profile security breaches that have occurred it is paramount that telecommunications providers implement adequate logical and physical security measures to ensure data under their control is safe from unauthorised access, which may lead to loss of privacy. It goes further to provides that users should be made aware of risks that are beyond the control of the service provider.
· Confidentiality of Communications
In its attempt to maintain privacy of personal information, the directive requires service providers to ensure confidentiality of communications. This the directive states can be attained by making sure that communication over public telecommunications lines are free from interception and tapping save in the instance of lawful interception. The article also provides that where communication networks are used in the processing of data, the data subject shall be informed why this is being carried out. The data subject has a right to refuse such processing.
· Caller and Called Line Identification
It is to be noted that an individual’s telephone number is personal data going by the meaning given to data protection legislation. In order to protect this, the directive further provides privacy rules in relation to caller and connected line identification. Here the directive states that subscribers must be issued with the possibility of withholding the identification of their telephone numbers when making a call along with being able to reject incoming calls where the incoming caller has refused showing their number.
- Location Data Restrictions
Where the repealed telecommunications privacy directive only related to calls in circuit switched connections such as is found in traditional voice telephony, the new directive covers all kinds of traffic data as generated by users of mobile communication devices.
Location data is a valuable tool that can be used in the mobile phone sector to identify the location of an individual its use can be illustrated in the Danielle Jones case in the hunt for a missing child in the UK it was identified that calls purportedly from the girls phone to her uncle (later convicted for her murder) were in fact being made by her uncle from one location.
- Emergency and Nuisance Calls
An exception to the privacy of caller line and location data is provided for in article 10 where the elimination of calling line identification and location data is sanctioned to trace nuisance calls and in relation to location data for it to be revealed on a temporary basis only to emergency services.
Unsolicited mail (also known as Spam) has become a major problem it causes loss of work productivity and also is an invasion of privacy.
The directive in recognising the harmful effects of Spam provides that there shall be no automated communication using electronic mail or faxes for the purpose of direct marketing without the consent of the data owner. The purpose of the directive in relation to SPAM is to make sure that EU member states strengthen data protection measures in relation to SPAM. The EU legislation supports the opt-in rather than the opt-outapproach.
- National Security
There are certain situations that may lead to events that make safeguarding privacy of communications a secondary issue. Such situations are where national security is at risk and where criminal investigations are being carried out. Where these are determined to be taking place, law enforcement agencies may on having obtained permission by appropriate bodies breach the data subjects’ right to privacy of communications in their investigations of such events. It is to be noted that the legislation also allows for data to be retained for limited periods of time during the investigation of such situations.
Lawful Interception Laws
While the privacy laws above stipulate that privacy must be guaranteed during communications, there are certain instances where law enforcement agencies are allowed to gain access to communications data without the consent of the data subject.
These instances occur when law enforcement agencies are investigating serious criminal activities or activities that may constitute a risk to national security.
In the process of undertaking these investigations, communication service providers will invariably be asked to allow these law enforcement agencies to either intercept the data or gather information about the individual’s activity from data that has been retained by their systems in relation to the individual’s communication.
Lawful interception in the UK is primarily governed by the Regulation of
Investigatory Powers Act 2000 (RIPA) and the Telecommunications Lawful business
Practice Interception of Communications Regulations 2000.
In the United States interception of communications is illegal unless authorised by stringent rules that have been designed to protect privacy and allow the investigation of crime.
There are two basic pieces of Federal legislation: Electronic Communications Privacy
Act (ECPA), which concerns criminal investigations, and the Foreign Intelligence
Surveillance Act (FISA), which concerns intelligence and counter intelligence operations.
Data Retention Laws
Data retention laws are designed to ensure a uniform approach to keeping communications data across the telecommunications industry.
Data Retention laws are also implemented to ensure law enforcement agencies have a reliable log of mobile and fixed-line phone calls. This is done in order that data, which can identify the caller, the time and the type of communication made, is available for the purpose of the investigation, detection and prosecution of serious crime
It should be noted that the retention does not relate to the content of calls but only to records of their occurrence.
In Europe, the Data Retention Directive states that telecommunication companies must keep details necessary to identify the caller, sender or recipient of telephone calls and e-mails for between 6 to 24 months. The UK requires data to be kept for 12 months, this replaces the 6 months for email data in the current voluntary code of conduct. The data must also be stored in such a way that it can be accessed and transmitted without delay.
Under the Directive, all European countries are required to adopt measures that ensure the data can only be used by competent national authorities. Given the nature of this data, consumers and telecoms companies would expect safeguards so that it can only be obtained to fight crime or safeguard national security
Listed below are the headings of some of the salient articles within the Directive:
- Obligations to retain data
- Access to data
- Categories of data to be retained
- Periods of Retention
- Data Protection and Security
- Storage Requirements
- Supervisory Authority
Information Security Laws
Information security relates to the protection of data to ensure its confidentiality, integrity and availability.
Increasing attention is being bought to the adequacy of information security measures deployed by corporate organisations and government institutions. This is being driven by the increasing number of successful breaches to customer information in corporate customer databases.
These incidents have led to a flurry of legislations and regulations, which, mandate appropriate information security measures being adopted. The legislations tend to influence information security management practices within these environments.
A key feature of these legislations is that they have sections in them that require organisations to adopt measures that will make it difficult for criminals to be successful in their attempts at breaching their environments. The net effect of which is that organisations that have had their systems breached now come under scrutiny and have to prove that they were not partly responsible for the breach due to their lapse or ineffective controls.
An example of some information security legislations are outlined below.
Security Breach Legislation US (2002)
In the United States, security breach notification laws have been enacted in most states since 2002. These laws were enacted in response to the escalating number of breaches to personally identifiable information located in consumer databases.
The first of such laws, the California data security breach notification law, Cal. Civ. Code 1798.82 and 1798.29, was enacted in 2002 and became effective on July 1, 2003. This law requires state agencies, businesses or people who conduct business in California that own or license computerised data which includes personal information to disclose in specified ways, any breach of the security of such data, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorised person.
In general, most state laws follow the basic principles of California’s original law: Companies must immediately disclose a data breach to customers, usually in writing. California has since broadened its law to include compromised medical and health insurance information.
Federal Information Security Management Act US (2002)
FISMA requires federal agencies to develop, document, and implement agency wide programs to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by other agencies, contractors, and other third parties.
FISMA has been responsible for bringing attention within the federal government to computer security. It explicitly emphasises a risk-based policy for cost-effective security. FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency’s information security program and report the results to Office of Management and Budget (OMB).
The Gramm Leach Bliley Act 1999 (US) also makes requirements for appropriate security programs to be implemented by organisations.
To comply with the Gramm Leach Bliley Act, all financial institutions must develop a comprehensive written information security program that specifies exactly how their customer data is being protected. The information security program must include the following elements:
- Involve the Board of Directors: The board is responsible for approving and overseeing all aspects of the information security program.
- Identify & Assess Risks: Identify internal and external threats to customer data. Assess the probability that such threats could occur and the potential damage envisioned. Assess how well existing policies, systems and procedures address the identified risks.
- Manage & Control Risks: Develop appropriate security measures to control the identified risks. Examples of such measures include data encryption, employee background checks, intrusion detection, and intrusion response programs.
- Oversee Service Providers: Insure security measures are in place to reduce risks from outside vendors.
- Employee Training: Once an information security program has been designed all employees must receive appropriate training so that they are better able to recognize and respond to security threats.
- Test the Program: The information security program must be tested on a regular basis. Testing should be conducted by independent third parties or staff independent from those who develop and maintain the program.
- Adjust the Program: The program should be reviewed on a regular basis and adjusted as needed to meet the changing demands of the institutions business environment. Report to the Board: The board should be kept informed on a regular basis regarding all matters pertinent to the program.
Computer Misuse Laws
This law makes it illegal to gain unauthorised access to computers and computer material.
An example of such is the UK Computer Misuse of Act 1998.
The UK Computer Misuse Act of 1990 has been enacted to secure computer material against unauthorised access or modification: and for connection purposes. Prior to 1990, there were no laws in the UK relating to Computer Misuse. The Act identifies three main computer misuse offences:
· Unauthorised access to computer material.
- Unauthorised access with intent to commit or facilitate commission of further offences.
- Unauthorised modification of computer material.
Unauthorised access offences are typically punished upon conviction with up to 6 months imprisonment and or a maximum fine of £5000.
The other two offences are taken more seriously with jail terms of up to 5 years and unlimited fines.
Cybercrime Convention (EU 2004)
This is a Treaty entered into force on 1st July 2004 with an additional Protocol for the criminalisation of racist and xenophobic material through computer systems coming into force on 1st March 2006. It has been adopted by member states of the European Union along with the United States and South Africa, to address computer related crime by harmonising national laws.
The Computer Crime Convention defines a number of offences which members can include in their national laws. Examples of such computer related offences include but are not limited to the following:
- Offences against the confidentiality, integrity and availability of computer data and systems
- Illegal access
- Illegal interception
- Data interference
- System interference
- Misuse of devices
- Computer-related offences
- Computer-related forgery
- Computer-related fraud
- Content-related offences
- Offences related to child pornography
- Offences related to infringements of copyright and related rights
- Offences related to infringements of copyright and related rights
- Computer-related offences
- Attempt and aiding or abetting
- Corporate liability
- Expedited preservation of stored computer data
- Expedited preservation and partial disclosure of traffic data
A key feature of the Treaty is identifying that Legal persons can be held liable for a computer crime related criminal offence established in accordance with the convention. Such criminal activity may be committed for their benefit by any natural person, acting either individually or as part of an organ of the legal person. This takes into account industrial espionage and other corporate illegal activity.
It would be ideal if more African Countries sign up this Treaty, as at present only South Africa has done the honours.
Impact of the Framework on Judges, Lawyers and Law Schools
African lawyers are undoubtedly losing out on the opportunity to represent clients on lucrative cases due to the lack of legislation on cybercrime. For example, in Nigeria a number of opportunities to challenge financial institutions for negligence in the implementation of online banking and the roll out of ATM cards which has led to customers losing money have not been taken due to either a lack of understanding of the issues as well as lawyers and judges not being adequately trained in information technology related issues. The same may be said of other African nations.
With the advent of these legislations will come the need for universities, schools of higher learning and academic institutions to devise specific courses designed to allow the next generation of Judges and Lawyers become skilled in what is a challenging but lucrative area.
It is the authors’ opinion that technology law needs to be on the curriculum of all African law faculties, as a minimum the following modules need to be mandatory to enable law students grasp the basics of the issues when dealing with the laws relating to technology:
Technology Law Syllabus:
- Computer Misuse
- Data Protection
- Data Retention
- Electronic Commerce
- Information Security
- Information Technology
- IT Contract Negotiations
- Lawful Interception
Current Judges and Lawyers will also need to become familiar with these issues through cross training, in order to be able get up to speed with the intricacies of computer crime so that they can take on cases and pronounce effective judgements. This cross-training should ideally be spearheaded by the ministries of Justice.
Benefits of implementing this Framework:
The implementation of these laws will allow us to tackle computer related criminal activity in a more structured manner. The laws will allow defined guidelines as to what constitutes illegal activities while using computers.
From an economic perspective, a lot of discussion has been made on the impact technology will have in providing initiatives that can provide economic growth and stability. It must be mentioned however that current legal frameworks will need to be overhauled to meet the changes and challenges that technology will bring, and for that purpose the need for us to revamp our technology related laws for us to meet growth forecasts.
We have seen the impact of telecommunications and the interest it has received from foreign telecommunications companies and investors. The development and implementation of these laws can allow the same response from technology companies and investors. The offshoot of this is job opportunities for Africans and the development of new services and technology related products.
With the development of these laws, we will be seen as a continent that wants to embrace and diversify into the new areas of technology.
We are aware that IP addresses belonging to some African countries have been blocked by credit card companies. Putting these laws in place shows that we understand and are dealing with credit card fraudsters and other cyber criminals. The implementation of the framework can be used as a tool for negotiations to remove such IP blocks. This in turn will allow more Africans to partake both as suppliers and consumers in the billion dollar e-commerce trade.
Individuals and organisations tasked with combating computer crime in Africa must take this issue to the forefront of their initiatives with a view to enacting as soon as possible. This should be done ensuring that the best brains on the issue from a legal and technical point of view are involved in the process. This is necessary so that we generate appropriate sections and wordings as well as anticipate the effects of new technologies so that the laws that constitute the framework are not obsolete and ineffective when passed.
African governments will need to look at the content of these legislations as a guide when formulating their Framework, bearing in mind that they will be computerising their government systems and moving into the realms of e-government and e-commerce.
As mentioned in the section on Data Protection and Privacy laws, African countries are being eyed as potential outsourcing posts. It should be noted that it is the absence of appropriate computer crime and privacy legislation rather than the lack of technology that prevents us partaking in this area.
The implementation of these laws will allow us to be in line with countries around the globe and be viewed as proactive in tackling cybercrime. The development of these laws will also mean that cybercrime technologies and information security awareness initiatives will be adopted by governments and corporate institutions. This knowledge will trickle down to members of staff who will by osmosis assimilate the trends on their home pc’s thereby ultimately providing for a more aware society on the issues.
 F. Franklin Akinsuyi is Founder and Course Director at DataLaws a UK based Information Technology Law Consultancy. Franklin can be contacted by email at email@example.com visit www.datalaws.com
 See http://www.timesonline.co.uk/tol/news/world/europe/article2332130.ece
 See Combating Identity theft article by F. Franklin Akinsuyi http://www.datalaws.com/common/pdf/Combating%20Identity%20Theft.pdf
 According to European law, electronic communications service means a service normally provided for the remuneration which wholly or mainly in the conveyance of signals on electronic communications networks used for broadcasting, but exclude services providing, or exercising editorial control over content transmitted using electronic communications networks and services. Article 2 (c) Directive 2002/21/EC
 According to European law, public communications network means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services. Article 2 (d) Directive 2002/21/EC
 Article 4 (1&2) Directive on Privacy and Electronic Communications
 Article 5 (1)
 Article 5 (2)
 Article 8
 See Location Data is as sensitive as content data Alberto Escuardo Pascual Royal Insitute of Technology 22nd November 2001 available at www.it.kth.se/~aep/publications/EU-forum/20011127/EU-forum-locationdata.pdf
 See bbc.news.co.uk/2/low/technology/2593653.stm
 Article 13 Directive on Privacy and Electronic Communications
 In an opt-in regime, the consumer must affirmatively give permission to be sent information about new products or sales, or to share the consumer’s information with other companies in a business relationship with the company where that consumer has an opt-in agreement. Generally, a consumer must click on web site boxes or send an e- mail request to the company, or its affiliates in order to authorise consumer e-mail.
 Article 15 (2) Directive on Privacy and Electronic Communications
 SI 2000/2699
 Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (1986).
 Article 3
 Article 4
 Article 5
 Article 6
 Article 7
 Article 8
 Article 9
 For full List of signatories see www.coe.int
 Title One
 Article 2
 Article 3
 Article 4
 Article 5
 Article 6
 Title Two
 Article 8
 Title Three
 Article 9
 Title 4
 Article 10
 Title 5
 Article 11
 Article 12
 Article 16
 Article 17
Tags: African computer cime legislations, african cybercrime, african cyberlaws, african security laws, computer crime laws, cybercrime, cybercrime africa, cybercrime laws, Data Protection Africa, information security laws africa, security laws africa