 |
| Pix credit here |
In late January the African Union (AU) Peace and Security Council adopted the ‘Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace’ the Communique of which I discussed here (Communiqué: African Union Peace & Security Council adopting the Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace), and which was marvelously analyzed by Mohamed Helal, who served as the Special Rapporteur of the African Union on the Application of International Law in Cyberspace, in an article posted to SSRN in early February 2024 (HERE). The Common African Position was endorsed by the African Union on 18 February. Some of its text follows below with great thanks to International cyber law: interactive toolkit contributors who posted it originally HERE.
One small observation: Some quite important analysis focused on the issue of sovereignty and sovereign authority embedded in the Common African Position (see, e.g., here, here, and here). While important, it is to some extent an exercise in accounting for animals that now wander outside the barn in an enclosure the fences of which have gaps which few are interested in repairing (other than academic commentators and some members of the global techno-bureaucratic collectives. I do not mean to suggest that the concept remains critically important as a core foundational principle the tentacles of which inseminate themselves into the operations of the state system and its collective expression in the current state of international institutions and its law/norm projects. Quite the contrary. Nonetheless the discourse of sovereignty has at once become more primitive and more sophisticated. One might more usefully invoke it for its semiotics significance: the object and meaning of barriers. While the idea of sovereign cages has taken a particular direction among OECD states (for example) in ways that drive much international thinking, others have started considering the nature and utility of cages in quite contextually distinct ways (for one example here).
Cages, though, comes in many configurations; and that is the great ambiguity. TheIt is this cavea that the Common African Position seeks to build. It is a space where one can feed and be feed from and through the pathways of cyber or virtual spaces. Yet it is one in which before either consuming or producing in cyber-spaces, it is necessary to develop and protect the collective consciousness and autonomy of the producer/consumer collective. That is a requisite and fundamental nature of platforms; and it is especially important where one engages with and in virtual realities.
etymology of the word in Indo-European languages is revealing, and its subtext still powerful. At its base a cage is a hollow space. That is the word focuses on the interior of the space rather than its borders. But it focused not just on the space but the objects it was intended to contain. Thus the Latin cavea was understood as indicating hollow place, as well as an enclosure for animals, coop, hive, stall, and dungeon. But it could also reference the space within which populations were contained for the transmission of specific activity, for example of spectators’ seats in the theater. By the 12th century in its French form the cage described a broad range of enclosure—prisons, retreats, hideouts—spaces of confinement that was not normatively neutral. Modernity has reduced the core of the signification of the term to include a small subset of the objects within the spectrum of its description: to a focus on the borders rather than the space, and to focus on the objects contained within it. That concentration necessarily is meant to assign or signify meaning to objects and actions inside and outside the cage. That signification, importantly, is made by reference to the judgment inherent in the form of the cage and in the structures (normative and physical) of its judgments about what lies inside and outside its barriers.
And yet, post-modernity has seen a return to an older, broader, and more abstract signification of the term. Cages can be small and contain a small part of a larger space that is also caged; or they can extend to the entirely of the space itself—like the rationalizing concept of rule of
law itself. Cages can be constructed to separate—but separation may keep things out as well as confine what is within. Or they may be built to segregate spaces that have to be managed according to different regimes. Cages can be open—constraining with a set of bars inviting constant views of what lies outside-- or they can be closed, with no view of what lies outside. They may not even have bars—an abstract panopticon. The ‘bars’ of the cage of regulation may be constructed from out of traditional law/regulation. It need not be; the cage can be constructed out of a set of judgments and expectations activated through measurable action or inaction. That action or inaction defines both the means of constraint and the objects that constraint is meant to manage toward from set of macro-normative objectives. —or its confining structures may be a function of a construction of measures with consequences. Here, at last one returns to the hollow spaces of cavea. (The Imaginaries of Regulatory Spaces in an Age of Administrative Discretion: Social Credit ‘in’ or ‘as’ the Cage of Regulation of Socialist Legality; submission draft here).
Common position of the African Union (2024)
Introduction
This is the Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace, issued on 29 January 2024 by the African Union Peace and Security Council.[1]
The position paper includes the following preamble:
"1. Recalling the Constitutive Act of the African Union adopted in 2002, in particular Articles 3 and 4 of the Act and, the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) adopted in 2014.
2. Noting that information and communication technologies (ICTs) in cyberspace are an indispensable part of the lives of human beings throughout the world. ICTs are an instrument of human interaction, a vehicle for social development, and an engine of economic growth, poverty eradication, and sustainable development.
3. Further noting that it is in the interest of all States, societies, and present and future generations to develop a global legal architecture that ensures that ICTs are used for peaceful purposes, and that prevents the malicious and criminal use of these technologies, promotes greater cooperation between States, guarantees that cyberspace remains open, secure, stable, accessible, and peaceful, protects basic human rights and fundamental freedoms of individuals and peoples, and advances the common interests of humankind.
4. Reaffirming that international law applies in cyberspace and governs the use of ICTs in cyberspace, and underscoring that States are under an obligation not to engage in internationally wrongful acts such as those outlined in this Common Position and to combat malicious and criminal cyber operations by non-State actors. In this regard, it is necessary, in light of the unique technical characteristics of cyberspace and the distinctive nature of the threats posed by unlawful behavior in this domain, by both States and non-State actors, to further expand dialogue between States, regional organizations, and other relevant stakeholders as appropriate and within their respective roles and responsibilities through transparent, inclusive, and multilateral processes on how international law should further apply in this area.
5. Reiterating their commitment, consistent with their obligations under international law and in accordance with due diligence, to combat malicious and criminal cyber operations by non-State actors and emphasized that non-State actors, particularly those whose conduct is attributable to States, should refrain from engaging in malicious or criminal use of ICTs in the Cyberspace.
6. Emphasizing that the process of further clarifying how international law applies to the use of ICTs in cyberspace and, where necessary, further developing the rules of international law that are applicable in this area is a matter of common interest to all States. All States have an equal right to participate in the articulation of rules of international law that apply in cyberspace and the views of all States have equal weight and value in this process.
7. Noting that the process of articulating rules of international law that apply to the use of ICTs in cyberspace would benefit from the adoption of a United Nations declaration on this subject that would be negotiated with the participation of relevant stakeholders, as appropriate and within their respective roles and responsibilities, including other international and regional organizations.
8. Taking note of the ongoing meetings of the UN Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes. The African Union encourages its Member States which have not yet done so, to consider signing and ratifying the AU Convention on Cyber Security and Personal Data Protection (Malabo Convention).
9. Commending the efforts undertaken by the United Nations to address issues relating to cybersecurity, especially the World Summit on Information Society hosted in Africa by a Member State of the African Union, Tunisia, and recalling, in this regard, the Tunis Commitment and the Tunis Plan of Action contained in U.N. Document A/60/687.
10. Highlighting that this Common African Position was adopted in the spirit of seeking to contribute to global debates on the application of international law to cyberspace. In this regard, given the continuous and rapid development of technology in this area, this Common African Position should be viewed as a non-exhaustive contribution to ongoing discussions in this field. The positions expressed herein may further evolve in light of technological developments and continuing engagement in discussions with the international community. The Member States of the African Union are also encouraged to issue national statements on the application of international law to the use of information and communication technologies in cyberspace. Moreover, there are aspects of the rules of international law as they apply in cyberspace that are not addressed in this statement, such as the immunities of diplomatic missions and international organizations, the inviolability of official State communications and diplomatic correspondences, the legality of countermeasures, and the restrictions on invoking necessity as a circumstance precluding wrongfulness, on which the African Union reserves its position[.]
11. Reaffirming that the adoption of this Common African Position confirms the commitment expressed by the African Union in the Digital Transformation Strategy for Africa to harness digital technologies and innovation to transform African societies and economies to promote Africa’s integration, generate inclusive economic growth, stimulate job creation, bridge the digital divide, and eradicate poverty for the continent’s socio-economic development and ensure Africa’s ownership of the modern tools of digital management."[2]
Applicability of international law
"4. Reaffirming that international law applies in cyberspace and governs the use of ICTs in cyberspace, and underscoring that States are under an obligation not to engage in internationally wrongful acts such as those outlined in this Common Position and to combat malicious and criminal cyber operations by non-State actors. [...]"[3]
Sovereignty
"12. Sovereignty is an attribute of States. By virtue of sovereignty, States enjoy, under international law, territorial sovereignty, and supremacy in their internal and external affairs. States are also under an obligation to uphold principles of international law including the duty not to infringe on the independence of other States or to violate their territorial sovereignty.
13. Territorial sovereignty is a corollary of State sovereignty. By virtue of territorial sovereignty, States are entitled, within the limits established by the applicable rules of international law, to exercise exclusive control over their land territory and its appurtenances, including the airspace and maritime zones that are subject to the sovereignty of the State. The obligation to respect the territorial sovereignty of States is a primary rule that is firmly established in international law, which applies to State conduct in cyberspace. This rule is reflected in several judicial decisions, including the judgment of the International Court of Justice in the Corfu Channel Case, which affirmed that “[b]etween independent States, respect for territorial sovereignty is an essential foundation of international relations,” and the judgment of the International Court of Justice in the Case Concerning Military and Paramilitary Activities in and against Nicaragua, which affirmed that “[t]he basic legal concept of State sovereignty in customary international law, expressed in, inter alia, Article 2 paragraph 1, of the United Nations Charter, extends to the internal waters and territorial sea of every State and to the air space above its territory.”
14. By virtue of territorial sovereignty, States are entitled to exercise jurisdiction, including legislative, adjudicative, and enforcement authority, over the components of cyberspace that are located on their territory. The jurisdiction of States also applies extraterritorially to ICTs located on aircraft and ships flying the State’s flag and satellites and other spacecraft in outer space registered by the State.
15. The African Union affirms that international law, as it applies to the use of ICTs in cyberspace, does not permit a State to exercise enforcement authority on the territory of a foreign State in response to unlawful cyber activities that emanate from the territory of that foreign State. This applies even if the exercise of such enforcement authority by a State does not have harmful effects, whether virtual or physical, on the territory of a foreign State.
16. The African Union affirms that by virtue of territorial sovereignty, any unauthorized access by a State into the ICT infrastructure located on the territory of a foreign State is unlawful. Therefore, the African Union emphasizes that the obligation to respect the territorial sovereignty of States, as it applies in cyberspace, does not include a de minimis threshold of harmful effects below which an unauthorized access by a State into the ICT infrastructure located on the territory of a foreign State would not be unlawful. The African Union further affirms that cyber operations that are attributable to a State against ICT infrastructure located on the territory of a foreign State that causes effects, such as loss or impairment of functionality, on the territory of a third State, may constitute a breach of the territorial sovereignty of that latter State.
17. The African Union underscores that seeking to codify rules of international law that apply in cyberspace that purport to permit States to exercise enforcement authority on the territory of a foreign State or that establish a threshold of harm that reduces the protective scope of the rule of the inviolability of the territorial sovereignty of States poses significant risks from a policy perspective. Given the vast disparities of technical capabilities between States, such rules would, as noted by the International Court of Justice in the Corfu Channel Case, “from the nature of things, be reserved for the most powerful States,” which could give rise to serious abuses that would undermine the principles of the independence and sovereign equality of States.
19. The obligation to respect the territorial sovereignty of States is a rule that applies in inter- State relations. Accordingly, only an internationally wrongful act that is attributable to a State in accordance with the applicable rules of international law, as outlined in Section 9 herein, could constitute a violation of the territorial sovereignty of a State. [...]
67. The African Union reiterates that capacity-building and technical assistance must respect State sovereignty, and should also be based on mutual trust and recognition of national ownership. The African Union emphasizes that capacity building and all cooperation in this area should respect the integrity and security of national ICT infrastructure, and correspond to nationally identified needs and priorities, and respect and protect the confidentiality of national policies and plans."[4]
Due diligence
"18. As a corollary of territorial sovereignty, States shall protect, in accordance with the applicable rules of international law, especially international human rights law and, when applicable, international humanitarian law, natural and legal persons located on their territory against unlawful uses of ICTs in cyberspace that are attributable to foreign States or non-State actors. [...]
20. Due diligence performs an important role in the area of cyberspace. Given the technical challenges relating to establishing attribution for internationally wrongful acts committed through ICTs in cyberspace and the fact that such acts are often committed by non-State actors, due diligence provides an important tool to promote the openness, accessibility, safety, and security of cyberspace.
21. The African Union recognizes that due diligence is an obligation that operates in the context of other primary rules of international law. In this regard, the African Union affirms that by virtue of territorial sovereignty, every State is under an obligation, as stated by the International Court of Justice in the Corfu Channel Case, “not to allow knowingly its territory to be used for acts contrary to the rights of other states.” This principle, which is a corollary of sovereignty is also confirmed by other judicial precedents, including the Pulp Mills Case and the Island of Palmas arbitral decision.
22. The African Union considers that due diligence, as it applies in cyberspace, establishes an obligation of conduct, not an obligation of result. Therefore, due diligence does not require a State to guarantee that its territory or territory under its control or jurisdiction is not used to commit an internationally wrongful act. Rather, due diligence establishes an obligation to take necessary measures that are feasible to the extent of a State’s capacity and the means available to it to prevent or halt an internationally wrongful act that a State knows or should have known is undertaken using ICTs in its territory or in territory under its control or jurisdiction.
23. The due diligence obligation to take necessary measures, to the extent of the capacity available to the State, to prevent or halt an internationally wrongful act is triggered only if a State has knowledge that such an act is originating from or transiting through ICTs located on its territory or in territory under its control or jurisdiction. Knowledge, however, is not to be presumed simply by virtue of the fact of territorial sovereignty or control. Indeed, in the Corfu Channel Case, the International Court of Justice stated that “it cannot be concluded from the mere fact of the control exercised by a State over its territory and waters that that State necessarily knew, or ought to have known, of any unlawful act perpetrated therein, nor yet that it necessarily knew, or should have known.” Therefore, whether a State knows or has reason to know that an internationally wrongful act is originating from or transiting through ICTs located on its territory or in territory under its control or jurisdiction is a matter that has to be determined on a case-by-case basis in light of the information available to a State, the technical and institutional capabilities, and financial resources available to that State.
24. Due diligence also reinforces the obligation of States not to permit another State to use ICTs located within its territory or under its jurisdiction or control to commit internationally wrongful acts against another State.
25. The African Union also recognizes the unique challenges faced by developing countries in implementing due diligence measures due to resource constraints, and challenges related to technical expertise. The African Union emphasizes the importance of international cooperation and information sharing, including through Computer Emergency Response Teams (CERTs)/Computer Security Incident Response Teams (CSIRTs), to further enable States to fully uphold the obligation of due diligence. In this regard, the African Union underscores the importance of expanding international cooperation and capacity building as outlined in Section X, and further empowering and enabling the full participation of developing countries in policy making forums related to the governance of cyberspace. [...]
45. [T]he African Union reiterates that, by virtue of their territorial sovereignty, all States are under an obligation to exercise due diligence as reflected in Section III above and to ensure that their territory is not knowingly used to violate the rights of other States through acts that constitute a threat or use of force, whether such acts are undertaken by organs of the State or non-State actors acting under the direction, control, or instruction of the State."[5]
Prohibition of intervention
"26. The prohibition on intervention in the internal and external affairs of States is a principle of general international law that is also reflected in several multilateral treaties, including the founding instruments of regional organizations, such as the Constitutive Act of the African Union, the Charter of the Organization of American States, the Charter of the Organization of Islamic Cooperation, and the Charter of the Association of Southeast Asian Nations, in addition to other instruments, such as the 1975 Helsinki Final Act, and UN General Assembly resolutions, such as the 1970 Declaration on Principles of International Law concerning Friendly Relations and Cooperation among States.
27. The prohibition on intervention is a rule that applies to inter-State relations. Accordingly, only acts that are attributable to a State in accordance with the applicable secondary rules of international law could constitute a violation of the prohibition on intervention.
28. The prohibition on intervention protects against acts that impinge on matters within the domestic jurisdiction of States in relation to which each State is permitted, by the principle of State sovereignty, to decide freely. It is also established that, by virtue of their sovereignty, States have an inalienable right to choose their political, economic, social, and cultural systems, without intervention from any other States.
29. The prohibition on intervention applies to the use of any instrument, including armed, political, economic, or any other means, and instruments of information, that may be used by a State for the purposes of intervening in the internal or external affairs of a foreign State. The prohibition on intervention is especially pertinent in the context of cyberspace given the increasing connectivity between States and societies which provides greater opportunities for malicious actors, including States and non-State actors the acts of which are attributable to States, to misuse ICTs for the purpose of intervening in the internal and external affairs of States. Various codifications of the prohibition on intervention have also affirmed that this rule proscribes both direct intervention by de jure and de facto organs of a State and indirect intervention by persons or groups acting under the direction, instruction, or control of a State. This rule also proscribes the organizing, funding, or the provision of any form assistance to non-State actors engaged in acts of intervention against another State.
30. To constitute a violation of the prohibition on intervention, ICTs in cyberspace must be employed in a manner that amounts to coercion, which the International Court of Justice described, in the Case Concerning Military and Paramilitary Activities in and against Nicaragua, as the element that “defines, and indeed forms the very essence of prohibited intervention.”
31. The African Union is of the view that coercion, in the context of the prohibition on intervention, should be defined as a policy that is designed to impose restraints on the will of a foreign State. Assessing whether the use by one or more States of ICTs in cyberspace to influence the conduct of a foreign State amounts to coercion is a determination that should be undertaken on a case-by-case basis.
32. While the definition of coercion in this context requires further study and deliberation between States, the African Union is of the view that it is not necessary, in order to constitute coercion, that the conduct of a State must rise to the level of completely depriving a foreign State of its freedom of choice or to compel that State to either act or refrain from acting involuntarily. Coercion may also occur through threats of intervention. Furthermore, there is no requirement that, in order to constitute a violation of the prohibition on intervention, an act of coercion must actually succeed in compelling the State subjected to such acts to change its conduct. An unsuccessful attempt of intervention is unlawful under international law. The African Union stresses that offers or calls to peacefully settle disputes through negotiation, enquiry, mediation, conciliation, good offices, arbitration, and judicial settlement, and diplomatic discussions and communications are presumed not to constitute acts of coercion.
33. The African Union recalls that, by virtue of their territorial sovereignty, all States are under an obligation to exercise due diligence to prevent the use of their territory by other States or by non- State actors to engage in acts that constitute a violation of the prohibition on intervention in the internal or external affairs of States."[6]
Peaceful settlement of disputes
"34. The obligation to settle international disputes by peaceful means is a rule of customary international law that is also codified in international and regional treaties, including the U.N. Charter and the founding instruments of regional organizations, such as the Constitutive Act of the African Union.
35. The African Union recalls Article 4(e) on the peaceful resolution of conflicts and Article 4(f) on the prohibition of the use of force or the threat to use force of the Constitutive Act of the African Union, and reaffirms that in accordance with Article 2(3) and Article 33 of the U.N. Charter the obligation to settle international disputes peacefully applies to any dispute that may arise between States relating to acts, omissions, or any disagreement on a point of law or fact, that relates to the use of ICTs in cyberspace, or that relates to the application or interpretation of international law in this field. This obligation is not limited to disputes the continuance of which is likely to endanger the maintenance of international peace and security.
36. In accordance with the U.N. Charter, States are obligated to settle international disputes through peaceful means such as negotiation, enquiry, mediation, conciliation, good offices, arbitration, judicial settlement, resort to regional agencies or arrangements, or any other peaceful means of their own choice.
37. The African Union recognizes the potential of information and communication technologies (ICTs) to enhance the peaceful settlement of disputes and encourages the use of ICTs in the context of dispute settlement. The African Union also supports the development of ICT-based tools and platforms for the peaceful settlement of disputes, such as online mediation platforms and dispute resolution software, and urges states to invest in research and development of ICTs for the peaceful settlement of disputes in cyberspace."[7]
Use of force
"38. The prohibition on the threat or use of force is a rule of jus cogens and a fundamental and cardinal rule of general international law that is also a cornerstone of the U.N. Charter. This rule is also enshrined in many treaties and founding instruments of regional organizations, such as the Constitutive act of the African Union, and in bilateral agreements. This rule of international law applies in cyberspace and governs the conduct of States in relation to ICTs in cyberspace.
39. The prohibition on the use of force admits only two exceptions: the use of force in self-defense if an armed attack occurs, and the use of force that is authorized by the UN Security Council acting under Chapter VII of the UN Charter. The African Union affirm that this rule applies to the use of armed force by States. The African Union is of the view that cyber operations would fall within the scope of the prohibition of the use of force when the scale and effects of the operation are comparable to those of a conventional act of violence covered by the prohibition. In particular, a cyber operation, depending on its scale and effect, would amount to use of force if it is expected to cause physical damage, injury, or death, that is comparable to the use of force by an act covered by the prohibition.
40. For example, a cyber operation that destroys, inflicts damage, or permanently disables critical infrastructure or civilian objects within a State, may be considered as amounting to a use of force under international law. Similarly, a cyber operation that targets a military asset by destroying, damaging, or deactivating a missile defense system, could constitute a violation of the prohibition on the use of force. The determination of whether a cyber-operation or a cyber-operation that is executed in combination with the use of non-cyber weapons constitutes a use of force should be undertaken on a case-by-case basis.
41. The African Union underscores that there is a distinction between the gravest forms of the use of force that constitute an armed attack, which entitle the injured State to invoke the right to individual or collective self-defense in accordance with Article 51 of the U.N. Charter, and less grave forms of the use of force. Whether a particular cyber operation constitutes a use of force or amounts to an armed attack should be determined on a case-by-case basis. That determination should be thoroughly substantiated on the basis of an assessment of the scale and effects of the particular cyber operation. Generally, the criterion of scale requires an examination of elements such as the duration of the attack, the nature of the targets attacked, the locations of the targets attacked, and the types of weapons used, while the criterion of effects measures the extent of the damage caused by the attack.
42. The African Union takes note of the views that assert that States have a right to exercise self- defense against imminent threats of the use of force. This is a controversial question on which there is a paucity of judicial precedent and a lack of unanimity among highly qualified publicists. The African Union is of the view that this matter requires further study and deliberation between States taking into consideration both the unique characteristics of cyberspace and cyber-operations and the implications that any rules that may emerge in relation to this question may have for the integrity of the prohibitions on the threat or use of force. In this regard, the Member States of the African Union emphasize that, from a legal perspective, the Article 51 of the U.N. Charter permits States to use force in individual or collective self-defense “if an armed attack occurs” against a U.N. Member State. Furthermore, the African Union underscores that, from a policy perspective, the maintenance of international peace and security favors the continued adoption of a restrictive interpretation of the exceptions to the prohibition on the use of force.
43. The prohibition on the threat or use of force addresses States in their international relations. Therefore, this rule and the exceptions thereto do not apply to the conduct of non-State actors that is not attributable to States. Accordingly, the African Union affirms that the right of self-defense is triggered solely if an armed attack is attributable to a State according to the applicable rules of customary international law of State responsibility.
44. The African Union notes that arming and training non-State actors could amount to a violation of the prohibition on the threat or use of force. This applies to the provision of technical assistance or training to non-State actors that engage in acts amounting to the threat or use of force through ICTs against another State.
45. In this context, the African Union reiterates that, by virtue of their territorial sovereignty, all States are under an obligation to exercise due diligence as reflected in Section III above and to ensure that their territory is not knowingly used to violate the rights of other States through acts that constitute a threat or use of force, whether such acts are undertaken by organs of the State or nonState actors acting under the direction, control, or instruction of the State.
46. Conduct that does not amount to a violation of the prohibition on the threat or use of force may, depending on the circumstances, constitute a breach of other rules of international law, especially the obligation to respect the territorial sovereignty of States and the prohibition on intervention in the internal or external affairs of States."[8]
Attribution
"61. Subject to the emergence of specific rules of attribution, the African Union affirms that the customary rules on State responsibility, as reflected in the ILC Draft Articles on the Responsibility of States for Internationally Wrongful Acts provide the applicable rules of the attribution to States of conduct undertaken through ICTs in cyberspace."[9]
International humanitarian law (jus in bello)
"47. The African Union affirms that International Humanitarian Law (IHL) applies in cyberspace. Despite the fact that most rules of IHL emerged before the appearance of cyberspace, IHL applies, concurrently with any other applicable rules of international law, to cyber-operations that may be undertaken in the context of an armed conflict. As noted by the International Court of Justice in its advisory opinion on the Legality of the Threat or Use of Nuclear Weapons, by virtue of its “intrinsically humanitarian character,” IHL applies to “all forms of warfare and to all kinds of weapons, those of the past, those of the present, and those of the future.”
48. In order to trigger the application of IHL, a situation must amount to an armed conflict. IHL recognizes two categories of armed conflict: international armed conflicts, in which the parties are States that are engaged in hostilities using armed force, and non-international armed conflicts, in which the parties are State armed forces engaged in hostilities against organized armed groups or a situation in which armed groups are engaged in hostilities amongst each other on the territory of a State."[10]
International armed conflict
"48. [...] IHL recognizes two categories of armed conflict: international armed conflicts, in which the parties are States that are engaged in hostilities using armed force, [...]
49. In an international armed conflict, the application of IHL commences whenever armed force is used between States regardless of the intensity of such activities. The application of IHL to an international armed conflict is unaffected by either the absence of a formal declaration of war or by the assessment of the legality, under the applicable rules of the U.N. Charter, of the use of force by the belligerent States. [...]"[11]
Non-international armed conflict
"48. [...] IHL recognizes two categories of armed conflict: [...] and non-international armed conflicts, in which the parties are State armed forces engaged in hostilities against organized armed groups or a situation in which armed groups are engaged in hostilities amongst each other on the territory of a State.
49. [...] The African Union is mindful of the possibility that cyberoperations as in itself may trigger a non-international armed conflict. The application of IHL commences in a non-international armed conflict when the intensity of the conflict amounts to protracted armed violence, which means that it is above the level of violence associated with internal disturbances, such as riots, isolated, and sporadic violence, and in situations where the armed groups engaged in hostilities reach a certain degree of organization."[12]
Conduct of hostilities
"50. The African Union reaffirms their commitment to the cardinal principles of IHL that govern all means and methods of warfare and reiterate that such principles apply to the use of ICTs in cyberspace as a means of warfare and afford protection to civilian ICTs during armed conflicts. In particular, the African Union recalls the principle that “the right of belligerents to adopt means of injuring the enemy is not unlimited” and the principle that belligerents are under an obligation to limit the suffering, injury, and destruction caused by an armed conflict."[13]
Attacks against persons
"51. On the basis of these general principles, the African Union underscores the importance of the principle of distinction, which prohibits attacks that are directed at civilians or civilian objects, including ICTs, whether such attacks are undertaken using kinetic or cyber means."[14]
Proportionality
"51. [...] The African Union also emphasizes the importance of the principle of proportionality, which prohibits attacks that are expected to cause incidental civilian harm that would be excessive to what is necessary to achieve a definite military advantage."[15]
Specially protected persons, objects and activities (international humanitarian law)
"52. The African Union emphasizes that certain civilians and civilian objects, including the related ICT infrastructure associated with them, enjoy additional specific protection under the relevant rules of IHL. These objects, which are indispensable to the survival of the civilian population, include hospitals, medical personnel, and facilities as well as humanitarian relief operations. Such objects must be respected and protected at all times and not be interfered with, attacked, destroyed, removed or rendered useless."[16]
International human rights law
"53. The African Union affirms that international human rights law (IHRL), whether codified in universal or regional conventions to which States are party or embodied in customary international law, applies in cyberspace, and also reaffirms the universality, indivisibility, interdependence, and interrelation of all human rights and fundamental freedoms, including the right to development. Accordingly, States shall respect, protect, and ensure the human rights of individuals and peoples on their territory or under their jurisdiction that relate to the peaceful use of ICTs in cyberspace, including by protecting such individual and collective rights against infringements by third parties and non-State actors.
54. The African Union further affirms that IHRL requires States to protect the freedom of expression online, including the right to seek, receive, and impart information and ideas and to disseminate opinions through ICTs. Any restrictions imposed by States on these rights must be provided by law and must be limited to what is strictly necessary in a democratic society to respect and protect the rights or reputations of others and to protect national security, public order, public health, or morals. The African Union also reaffirms that States shall ensure that ICTs are not misused for the purposes of inciting to violence, hate crimes, terrorism, violent extremism, organized crimes and trafficking in persons, or discrimination on any grounds, including race, ethnicity, color, sex, language, religion, political or any other opinion, national and social origin, fortune, birth or other status. In this regard, the African Union recalls that special regard should be to be paid to persons in vulnerable situations.
55. The African Union is of the view that responsible behavior in relation to the use of ICTs in cyberspace requires States to ensure that their conduct does not infringe on the human rights of individuals or peoples in other States. In particular, certain activities undertaken by States, such as the transnational interception of communications, indiscriminate surveillance and data misuse, may constitute a violation of the right to privacy of individuals who are subjected to such conduct, in addition to potentially violating the territorial sovereignty of States on the territory of which such interception occurs. Despite the existence of international and regional legal frameworks, the African Union expresses concern about the misuse of private data by malicious or criminal actors as well as its misappropriation and commodification by private actors.
56. The African Union affirms that States shall protect individuals and peoples within their territory or in areas under their jurisdiction against violations of human rights that are committed by third parties, especially business enterprises operating in the ICT sector. Moreover, business enterprises that operate in the ICT sector have a responsibility to respect and protect human rights, especially the right to privacy and the freedom of expression, including by exercising due diligence to identify, prevent, mitigate, and account for any adverse human rights impacts of their activities.
57. The African Union emphasizes the importance of keeping cyberspace open, secure, stable, accessible, and peaceful, which is an important element in promoting economic growth, attracting investment opportunities, and advancing sustainable development, especially in developing and least developing States. In this regard, The African Union underscores that, pursuant to the right to development under international law, States shall cooperate in good faith including as outlined in Section X on Capacity-Building and International Cooperation, to support developing countries in their efforts to expand their scientific and technological capacities, including in the area of ICTs, in order to accelerate the realization of the economic, social, and cultural rights of the peoples of those countries.
58. The African Union highlights the importance of bridging the digital divide to ensuring the full enjoyment of human rights. In this regard, States shall contribute to further empowering women and girls. States shall also further promote the full enjoyment of the benefits of ICTs by persons with disabilities by ensuring that the design, development, and production of ICTs incorporates assistive and adaptive technologies that are accessible to persons with disabilities.
59. The African Union calls for the responsible development and management of digital identity systems in a manner that will respect human rights of all individuals.
60. The African Union encourages States to consider the conclusion of agreements on mutual assistance in the area of combating all forms of cyber-crime, which would further contribute to the protection and full realization of individual human rights."[17]
State responsibility
"61. Subject to the emergence of specific rules of attribution, the African Union affirms that the customary rules on State responsibility, as reflected in the ILC Draft Articles on the Responsibility of States for Internationally Wrongful Acts provide the applicable rules of the attribution to States of conduct undertaken through ICTs in cyberspace.
62. The African Union is of the view that, in conformity with the relevant rules of international law, the burden to substantiate a claim that a State has committed an internationally wrongful act through ICTs in cyberspace is on the State making such a claim. The African Union also underscores the importance of cooperation, including between national authorities, such as Computer Emergency Response Teams (CERTs)/Computer Security Incident Response Teams (CSIRTs), to detect, investigate, prevent, and halt internationally wrongful acts undertaken through ICTs in cyberspace.
63. The African Union underscores that responses to internationally wrongful acts committed through ICTs in cyberspace should be in accordance with its obligations under the UN Charter, especially the obligations relating to the peaceful settlement of disputes, and the other applicable rules of international law, including the obligation to respect the territorial sovereignty of States."[18]
Appendixes
See also
Notes and references
- African Union Peace and Security Council, "Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace" (29 January 2024) 10.
Bibliography and further reading
- Mohamed Helal, ‘The Common African Position on the Application of International Law in Cyberspace: Reflections on a Collaborative Lawmaking Process’, EJIL:Talk! (5 February 2024)
- Russell Buchan and Nicholas Tsagourias, ‘The African Union’s Statement on the Application of International Law to Cyberspace: An Assessment of the Principles of Territorial Sovereignty, Non-Intervention, and Non-Use of Force’, EJIL:Talk! (20 February 2024)
No comments:
Post a Comment