Cross-Border Data Forum Bannner

How African Countries Can Benefit from the Emerging Reform Initiatives of Cross-Border Access to Electronic Evidence


How do African law enforcement authorities access African data held by US companies for the purpose of legitimate criminal investigations? How―and to what extent― can African countries benefit from the cross-border data access reform initiatives emerging in Europe and the US? How should African stakeholders approach the internet’s increasing cross-border legal challenges? These are some of the questions raised at one of the sessions of the recent virtual conference hosted by the Internet & Jurisdiction Policy Network (I&J) in partnership with the African Union Commission (AUC).[1] The conference brought more than 130 participants of key regional stakeholders together to discuss a range of transnational and regional challenges in cyberspace, including cross-border access to electronic evidence.

This short article tries to answer these questions in four parts. Part I presents a brief overview of the increasing challenges in cross-border access to electronic evidence. In part II, the article considers emerging global initiatives and policy responses to these challenges. Part III examines the cross-border data access problem from the African context. It argues that African interests and concerns are not addressed by either the existing approaches or the emerging initiatives towards the modernisation of the international system of access to electronic evidence by law enforcement. This part makes four simple claims: that the mutual legal assistance system is not relevant for African countries to obtain data held by US service providers; that African countries do not make use of voluntary direct cooperation with US service providers; that African countries have neither the jurisdictional leverage to compel US providers nor the means to enforce their laws in an extraterritorial manner; and that the new framework introduced by the CLOUD Act is not scalable to include African countries. Part IV concludes and offers some possible ways forward.

I. Background: the cross-border data access problem

As most of the world’s information is now stored digitally, it is hard to imagine a criminal investigation that does not involve digital evidence. Criminal evidence today is not only digital but also defies traditional notions of geography and territorial jurisdiction.[2] Due to the ubiquity of cloud computing, where local storage in end-user equipment has given way to remote storage, data that was once stored locally and accessible under domestic procedures is now often in the hands of private companies in jurisdictions outside the investigating country.

When cross-border access to electronic evidence becomes the norm, it gives rise to what Andrew K. Woods calls an ‘odd jurisdictional conflict’[3]—a situation where an otherwise exclusively domestic criminal investigation necessitates international cooperation. Even where the criminal investigation concerns a local crime with local suspects and local victims, and the sought-after data belongs to one of the citizens of the investigating country, authorities may be required to follow a diplomatic channel of cross-border legal cooperation, mainly the Mutual Legal Assistance Treaty (MLAT) system. The MLAT system is ill-suited to the increasing demand for law enforcement access to data across borders, however. Designed for the pre-internet era, for a different set of social and technological reality, the MLAT system has become slow, cumbersome, bureaucratic, ineffective, and at times practically irrelevant.[4]

Compounding the MLAT problem is the proliferation of domestic and regional laws that prohibit service providers from directly disclosing data to foreign governments. Prominent among these laws is the US Electronic Communications Privacy Act (ECPA) of 1986, which is often regarded as the main source of frustration for foreign governments and US service providers alike.[5] Even though it allows US service providers to voluntarily comply with lawful foreign law enforcement requests regarding non-content data (such as subscriber information), the statute prohibits the disclosure of content data (such as email content and text messages) to foreign governments outside the MLAT structure.

The inability to access data stored outside their territorial jurisdiction in a timely and effective manner has frustrated a growing number of governments, and prompted them to pursue unilateral measures based on their respective local sensibilities and leverages. These measures range from compelling companies to provide technical means of access in cases of encryption, to arresting employees of the service provider; from imposing hefty fines and seizing provider’s assets, to blocking of services altogether.

Two intuitively appealing legal trends have become particularly troubling. At one extreme is an unrestrained extraterritorial assertion of jurisdiction without, or even against, existing international legal frameworks. The most common form of this approach is to compel the disclosure of user data stored overseas or held by service providers established in foreign jurisdictions. It is now a global reality that more and more governments have already adopted, or are considering unilateral laws that empower their respective judicial authorities to order service providers to handover data located extraterritorially.[6]

At the other extreme is the global trend to reassert territorial control by erecting borders for data, commonly known as ‘data localisation’. Data localisation measures may take different forms with a wide range of policy objectives, both declared and undeclared. From the perspective of law enforcement access to user data, data localisation policies are perceived to play both facilitative and preventive roles— they enable the government to access data within the imposing country using domestic procedures, and at the same time, prevent foreign governments from having such straightforward access.

The result is the proliferation of disjointed and conflicting policy responses that would serve no one’s interest.[7] The I&J has aptly described such unilateralist trends as a ‘dangerous path’ that could ‘lead to a legal arms race and additional conflicts.’[8]

This concern has sparked a global debate, both at the academic and the policy level, on how to improve cross-border access to electronic evidence in criminal matters, while at the same time upholding fundamental rights protections and respecting the territorial sovereignty of other countries. Most importantly, a growing consensus has emerged that the existing legal and institutional frameworks for international cooperation are unsustainable and need to be reformed or replaced with new instruments and processes that fit the current technological reality.[9]

II. An international moment for cross-border data access reform

The past few years have seen several initiatives seeking to reform the international system that governs law enforcement access to electronic evidence across borders. Even though most of the reform efforts focus on short-term fixes such as streamlining and digitalising the MLAT procedures, a few promising new alternatives have also started to emerge slowly.

Recent initiatives, one each by the United States, European Union, and the Council of Europe are notable, with significant global implications. The United States has pioneered the cross-border data access reform agenda by introducing the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) in 2018. The European Union and the Council of Europe are also negotiating the e-Evidence Regulation and the Second Additional Protocol to the Convention on Cybercrime, respectively.[10]

The CLOUD Act is particularly relevant for this article as it seeks to address the challenges that law enforcement authorities around the world are facing when investigating criminal activities involving data held by US providers. Portrayed by the US government as a ‘model for international cooperation’[11], Part II of the CLOUD Act introduces a new framework to address the tension between US law and foreign law. It does so by lifting the blocking provisions of the ECPA to a foreign government that enters into a bilateral agreement with the US government and is ‘qualified’ as having, among other requirements, ‘robust substantive and procedural protections for privacy and civil liberties.’[12] Once an executive agreement is in place, US providers would be able to directly disclose content data in response to a lawful order issued by the qualified foreign government under its domestic law.

After more than two years of negotiation, the United States and the United Kingdom entered into the world’s first data sharing agreement envisioned by CLOUD Act.[13] The EU and Australia are expected to be the next to get the status of ‘qualifying foreign government’ under the CLOUD Act as formal negotiations are underway.[14] Should the new framework introduced by the CLOUD Act prove to be successful and scalable, a series of similar bilateral agreements are expected to emerge.

III. Where does Africa fit?

Africa is among the fastest growing regions both in terms of internet penetration and cybercrime activities.[15] As the continent is primarily on the receiver side of internet services, much of its data is stored in foreign jurisdictions, predominantly in the US and Europe. This would likely make the issue of cross-border data access more challenging for African governments than any other region. This challenge is best described by the I&J Global Status Report 2019, which is perhaps the most comprehensive study that maps internet jurisdiction related policy trends, actors, and initiatives around the world. The report analogised the cross-border legal challenge of the internet, including cross-border data access, to the challenge of climate change ‘that affects developing countries most acutely’.[16]

Unfortunately, the issue is yet to draw the attention of African policymakers, academia, and other stakeholders. Despite intense debates and proliferation of initiatives elsewhere, there is hardly any academic or policy discourse addressing the issue in the African context – even though cross-border data access is important for Africa for all sorts of crimes (whether cybercrimes or traditional crimes). Tellingly, no Africa-specific initiative exists on this matter, save brief discussions in some internet-related conferences.[17]

This inattention makes it hard to understand the specific legal and practical challenges that African governments face in their effort to obtain electronic evidence across borders. Two things are clear, however. First, sooner or later, cross-border data access will become a pressing public policy issue for Africans, as law enforcement authorities will increasingly find themselves in a difficult situation. Second, neither the existing approaches used for cross-border data access nor the emerging initiatives will address African interests and concerns. The latter assertion holds for the following reasons:

1. The MLAT system—slow, cumbersome, bureaucratic, and ineffective as it is— remains the dominant channel of cross-border legal cooperation in criminal matters. For this reason, one hardly finds a debate regarding cross-border data access that does not emphasise the importance of fixing the MLAT problem. Several practical and operational measures have been undertaken to that end. However, even if the MLAT system were to be perfect, it would be irrelevant for African countries since most electronic evidence relevant to African law enforcement is held by US providers. African countries, with the exception of South Africa, Egypt, and Nigeria, do not have MLATs with the US.[18]

2. As highlighted above, US law allows service providers to disclose non-content data in response to legitimate foreign law enforcement requests on a voluntary basis. For this reason, the informal model of direct cooperation between law enforcement authorities around the world and US service providers has de facto become the main channel for obtaining non-content data, and this matters because non-content data has become the most often sought-after type of data.[19] This does not explain the African reality, however. It is evident from the transparency reports of major service providers that African governments hardly employ the voluntary mechanisms for cross-border data access. In 2019, for instance, African governments made only 63 requests (including emergency cases) for user data from the major US service providers (Microsoft, Facebook, Google, Twitter), and even then, most of the requests were rejected.[20] Compared to the dramatic increase in the number of requests for data around the world, this is rare to non-existent. For instance, in the same time period, Facebook, Microsoft, Google and Twitter respectively received 128,617, 45,956, 75,650, and 7,300 user data requests from law enforcement authorities around the world.[21]

Why do African governments not make use of the existing tools of cross-border data access, such as voluntary cooperation with foreign service providers? This is an empirical question that exceeds the scope of this article. Nonetheless, one can think of at least three possible explanations. First is the lack of awareness of African law enforcement authorities about the existence of the alternative channels, or despite the awareness, the lack of knowledge regarding who and how to contact a foreign service provider. The second possible explanation is that even those who are aware of the alternative channels may think that their request will be either ignored (as attested by most requests reported in 2019 being rejected) or take too long to get a response.[22] Finally, it may also have to do with the lack of suitable national substantive and procedural laws that govern cross-border data access. In some instances, national laws may prohibit informal cooperation with foreign service providers or put restrictions on the admissibility of evidence obtained from foreign jurisdictions.

3. Mandatory production orders are also less viable options for most African governments. Basically, extraterritorial production orders are only feasible for countries or regions that enjoy personal jurisdiction over major service providers based on different connecting factors. However, most African governments enjoy neither the jurisdictional leverage to compel US providers nor the means to enforce their laws in an extraterritorial manner.

4. It is unlikely for African countries to participate in the new generation of bilateral agreements envisioned by the CLOUD Act. The CLOUD Act is designed for high priority countries and countries that most closely share American values, and is thus unlikely to be scalable to all the 193 countries in the world today. Therefore, most African countries will be left out of the emerging system of law enforcement access to electronic evidence across borders.[23] It is also less likely that African countries satisfy the stringent requirements of the CLOUD Act, at least in the eyes of the US Attorney General and the Secretary of State which are tasked with determining and certifying the eligibility of foreign governments for bilateral data-sharing agreements.

In the final analysis, it seems that African governments are left without viable options. This is what Mailyn Fidler described as ‘double marginalisation’[24]—African governments neither have MLATs with the US nor the ability to participate in emerging frameworks.

A hypothetical case, typical in cross-border data access discussions, may help illustrate. Imagine that Ethiopian authorities are investigating a homicide crime committed by an Ethiopian suspect against another Ethiopian citizen. Further, the authorities have found reasonable suspicion that the crime was planned through email exchanges between the suspect and a co-conspirator. Obtaining that email exchange would be essential for the investigation and prosecution of the crime. However, the contents of the emails happen to be stored with a US cloud service provider, on US soil. This is where the problem of cross-border data access arises. As discussed above, there is hardly any way for the Ethiopian authorities to get access to the content of the emails stored with the US provider. Even though the crime has taken place in Ethiopia, in violation of Ethiopian law, and only involves Ethiopian citizens, the investigating authorities will not get access to the evidence only due to the suspect having incidentally chosen to use a cloud service based in the US.

IV. Concluding remarks and some possible ways Forward

As internet use and digitalisation continue to grow in Africa, cross-border data access plays an indispensable role in ensuring public safety, security, and the rule of law. The inability to get timely access to electronic evidence held by foreign service providers for a legitimate law enforcement purpose means that perpetrators of serious crimes may go free. This would generate further frustration and reinforce the desire of governments to have control over data through troubling measures such as data localisation and internet shutdowns. In fact, in its recently released Digital Transformation Strategy for Africa (2020-2030), the AU envisions ‘data sovereignty’ as one of its policy priorities. ‘Even though Africa is at the moment less restrictive, soon it will be necessary to ensure localization of all personal data of Africa’s citizens.’[25]

Addressing this problem requires regional coordination and international cooperation. The African Union (AU) should take the lead in helping its Member States act en bloc in international cooperation and negotiations. To this end, the AU could expand the mandate of the recently established African Union Cybersecurity Expert Group (AUCSEG)[26] or establish a dedicated expert group to explore an African approach that ought to govern or guide law enforcement access to electronic evidence across borders.

Such an African approach should combine legislative, institutional, diplomatic, and capacity building components.

At the legislative front, the starting point should be for the AU, in collaboration with regional and international key stakeholders, to review and identify national frameworks and practices related to cross-border data access. This would help map best practices, articulate legal and practical challenges, and further the exploration of alternative avenues for reform informed by the concerns and reflective of African interests and priorities.

The AU should also encourage its Member States to ratify the African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), which is yet to enter into force.[27] Despite the promises to harmonise cyber legislation in Africa and facilitate regional and international cooperation, it is regrettable that most African governments are unable to demonstrate the political will and commitment to ratify and implement the  Convention. Due to this lack of political commitment, the AU’s vision to see the entry into force of the Malabo Convention by 2020 remains highly unlikely.[28]

Considering this lack of regional cooperation framework, and given that most African data is stored outside the continent, African countries should prioritise participating in the Council of Europe’s Convention on cybercrime (Budapest Convention) and its impending Second Additional Protocol.[29] The Budapest Convention remains the only comprehensive and binding international treaty on cybercrime, which is open for accession by any country. The draft Second Additional Protocol (if adopted in its current format) will also align this Convention with the rise of cloud computing and address the resulting jurisdictional and territorial sovereignty challenges. As of the writing of this article, 76 countries (39% of UN Member States) are either Parties or Signatories to the Budapest Convention or are invited to accede.[30] Four African countries (Ghana, Mauritius, Morocco, and Senegal) have acceded to, and six (Benin, Burkina Faso, Nigeria, South Africa, Tunisia, and Niger) are in the process of joining the Budapest Convention.[31] If more African countries follow suit, the Budapest Convention will help address, at least partially, the African problems identified above in a number of ways. For instance:

    • The Budapest Convention sets up mutual assistance procedures applicable even in the absence of mutual legal assistance treaties. This means that, upon accession, African countries can make mutual assistance requests to the 64 (and increasing) Parties to the Convention, including the US. African countries could greatly benefit from the streamlined mutual assistance procedures envisaged under the draft Second Additional Protocol such as ‘Emergency Mutual Assistance’ (Art.3) for all categories of data, and ‘Giving Effect to Orders From Another Party for Expedited Production of Data’ (Art.5) for subscriber and traffic data.[32]
    • Most importantly, acceding African countries could request the production of subscriber information (such as the subscriber’s identity and physical address) held by service providers in another participating country, without going through the mutual legal assistance process and regardless of where the sought-after data is located.[33] This would address, at least partially, the legal uncertainties that African governments are now facing in their efforts to obtain data from US-based service providers.
    • Acceding African countries would also benefit from the extensive capacity-building programmes of the Council of Europe and its partners. For instance, the Global Action on Cybercrime (GLACY+) aims at strengthening the capacities of States worldwide to apply legislation on cybercrime and electronic evidence and enhance their abilities for effective international cooperation in this area.[34]
    • Furthermore, participating in the Budapest Convention would place African countries in a better position to negotiate future international agreements on cross-border data access. In fact, the adequacy of substantive and procedural laws on cybercrime and electronic evidence required under the CLOUD Act can be demonstrated by being a party to the Budapest Convention. [35]

One of the reasons that US service providers reject law enforcement requests from African countries is that the service providers may not have a mechanism to determine whether a request is legitimate and satisfies privacy protections and due process standards. To address this problem, the AU should explore an institutional framework that could be vested with the authority to receive, review, and authenticate cross-border data requests from Member States. This would help build trust and facilitate voluntary cooperation between African authorities and foreign service providers. In this regard, the two possible institutional designs— the INTERPOL Model and the Correspondent Banking Model— proposed by Peter Swire and Debrae Kennedy-Mayo are worth pursuing.[36]

The AU should also strengthen its engagement and cooperation with international institutions and other stakeholders. In this regard, the AU’s partnership with the Council of Europe and the Internet & Jurisdiction Policy Network is a commendable step forward.[37]

As discussed above, African countries do not often make requests to US service providers partly because they are not aware of the existence of such channels. Better training for law enforcement officials could reduce this problem. The AU, through the AUCSEG and in partnership with other stakeholders, should coordinate and provide continuous training to relevant authorities of Member States.

Finally, it should be noted that the inability of African governments in investigating and prosecuting serious crimes because of challenges in cross-border access to electronic evidence affects US interest directly or indirectly. For instance, short of other options, African governments may introduce mandatory data localisation measures that would impact the global competitiveness of US companies. The US should, therefore, consider the legitimate interests of African countries in its effort to modernise the international system of law enforcement access to electronic evidence across borders. One possible option could be for the US to allow specific African governments to obtain electronic content data directly from US providers, when such governments honour baseline privacy protections and due process standards, and when the request pertains to an exclusively domestic matter of the requesting country.


[1] African Union Commission and Internet & Jurisdiction Policy Network Regional Conference, May 27, 2020. Available at <>.

[2] Jennifer Daskal, Peter Swire and Théodore Christakis, ‘The Globalization of Criminal Evidence’ (International Association of Privacy Professionals, 16 Oct 2018), available at <>.

[3] Andrew K. Woods, ‘Against Data Exceptionalism: Jurisdictions in the Cloud’ (2016)68 Sandford LR 746.

[4] See for instance, Cybercrime Convention Committee (T-CY), Assessment report on Mutual Legal Assistance: Follow up given by Parties and Observers Draft prepared by the T-CY Bureau for consideration by T-CY 17 (June 2017). The MLAT system is designed based on the categorical presumption that the investigating authorities always know where the required evidence is located and hence to which foreign authorities the MLA request is to be made. However, because of the way some cloud services work, the investigating authorities may not be able to determine the exact location of the targeted data at a given moment, which makes MLAT practically irrelevant.

[5] Andrew Keane Woods and Peter Swire, ‘The CLOUD Act: A Welcome Legislative Fix for Cross-Border Data Problems’ (LAWFARE, Feb 6, 2018), available at <>.

[6] Winston Maxwell and Christopher Wolf, ‘A Global Reality : Governmental Access to Data in the Cloud’ (2012) A Hogan Lovells White Paper [The ten countries covered in the study are Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, the United Kingdom, and the United States].

[7] Bertrand de La Chapelle and Paul Fehlinger, ‘Jurisdiction on the Internet: From Legal Arms Race to Transnational Cooperation’ (2016) Global Commission on Internet Governance Paper Series 1.

[8] Ibid. see also Internet & Jurisdiction Global Status Report 2019, available at <>.

[9] For instance, of the 150 respondents participated in the Global Status Report 2019,  no less than 79% agreed that there is insufficient international coordination and coherence to address cross-border legal challenges on the internet and 95% warned that the cross-border legal challenges on the internet will become increasingly acute in the next three years.

[10] See Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on European Production and Preservation Orders for electronic evidence in criminal matters COM/2018/225 final – 2018/0108 (COD), available at <>; Council of Europe Protocol negotiations, available at <>.

[11]Deputy Assistant Attorney General Richard W. Downing Delivers Remarks at the Academy of European Law Conference on ‘Prospects for Transatlantic Cooperation on the Transfer of Electronic Evidence to Promote Public Safety’, April 5, 2019, available at <>.

[12]  CLOUD Act s 105(a) (codified at 18 USC. s 2523(b)(1)).

[13] Agreement between the Government of the United States of America and the Government of the United Kingdom of Great Britain and Northern Ireland on Access to Electronic Data for the Purpose of Countering serious Crime (Oct 3, 2019), available <>.

[14] Joint US-EU Statement on Electronic Evidence Sharing Negotiations (Sep 26, 2019); Joint Statement Announcing United States and Australian Negotiation of a CLOUD Act Agreement by U.S. Attorney General William Barr and Minister for Home Affairs Peter Dutton (Oct 7, 2019), available <>.

[15] ITU releases 2018 global and regional ICT estimates ( 07 December 2018) Available at <>; Nir Kshetri , ‘Cybercrime and Cybersecurity in Africa’(2019) 22 Journal of Global Information Technology Management 77-81. Available at <>; According to Africa Cybersecurity Report 2018, cybercrimes cost African economies $3.5 billion in 2017. Available at<>.

[16] Internet & Jurisdiction Global Status Report 2019, supra (8) (emphasis added).

[17] See for instance, Forum on Internet Freedom in Africa 2016, available at <>; Cyber Security and Cybercrime Policies for African Diplomats, Available at <>

[18] List of United States Mutual Legal Assistance Treaties, available at <>.

[19] IMPACT ASSESSMENT: Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters and Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings (17 April 2018) SWD (2018) 118 final.

[20] See Transparency Reports of Facebook, Microsoft, Google and Twitter.

[21] Ibid.

[22] In the Forum on Internet Freedom in Africa 2016, for instance, some participants criticized US service providers about the fairness of limited African access to data.

[23] Mailyn Fidler, ‘Africans Want Cross-Border Data Access Reform, But They Might Get Left Out’ (Council on Foreign Relations, Oct 26, 2016), available at <>.

[24] Ibid.

[25] The Digital Transformation Strategy For Africa (2020-2030) Available at <>.

[26] See <>.

[27] As of the writing of this article, only 5 of the 55 AU Member States have ratified and 14 signed the African Union Convention on Cybersecurity and Personal Data Protection. 15 AU Member States must ratify the Convention to enter into force. See List of countries which have signed, ratified/acceded to the African Union Convention on Cyber Security and Personal Data Protection, Available at <>.

[28] Digital Transformation Strategy For Africa (n 25).

[29] For a discussion of the Second Additional Protocol, see Jennifer Daskal & DeBrae Kennedy-Mayo, ‘Budapest Convention: What Is It and How Is It Being Updated?’ Cross-Border Data Forum (July 2, 2020), available at

[30]Acceding to the Budapest Convention on Cybercrime: Benefits, Version 18 June 2020, Available at <>; see also Chart of signatures and ratifications of Treaty 185, Available at <>.

[31] Ibid.

[32] See Provisional text of provisions, Preparation of a 2nd Additional Protocol to the Budapest Convention on Cybercrime, Council of Europe’s Cybercrime Convention Committee (T-CY), November 8, 2019, Available at <>.

[33] Ibid, Art.4.

[34] See for instance, Global Action on Cybercrime , Form GLACY to GLACY+, Available at <>.

[35] See CLOUD Act s 105(a) (codified at 18 USC. s 2523(b)(1)(B)(i)).

[36] Peter Swire And Debrae Kennedy-Mayo, ‘Two Ways That Smaller Countries Could Participate In Emerging Global Systems For Transfer Of Electronic Evidence’ May 30, 2019, available at <>.

[37] Cyber Security and Cybercrime Policies for African Diplomats, Available at

Funding information
This work is financed by the ESSENTIAL project (Evolving Security SciencE through Networked Technologies, Information policy And Law), which is funded by the European Union as part of the Marie Sklodowska-Curie Innovative Training Networks Programme, grant No 722482.

Halefom H. Abraha is a PhD candidate and Marie Curie Research Fellow at the Department of Information Policy and Governance, University of Malta. His research focuses on how to reconcile the practical needs of law enforcement agencies for cross-border access to data and the corresponding threats to the right to privacy and territorial sovereignty.

These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.