Photo by Nasa on Unsplash.

Alle Artikel anzeigen

Divergent Digital Futures

A Comparative Analysis of the AU and EU Approaches to International Law in Cyberspace

17.01.2025

In the last decade, countries have made efforts at both regional and international levels to clarify their positions regarding the application of international law to information and communication technology in cyberspace. These initiatives are vital for addressing fundamental questions: are all international norms applicable in cyberspace, how should they be implemented, whether adaptations are necessary, and if new norms are needed to tackle the challenges posed by international law in this area? In November, 2024 , the European Union (“EU”) issued its statement on the application of international law to cyberspace, following a similar statement from the African Union (“AU”) earlier that year. Both statements contribute to the ongoing effort to elucidate how international law governs information communication technologies (“ICT”).

In particular, the AU’s statement is crucial, as the positions of African states have been less represented in international mechanisms, such as the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (“ GGE on Responsible State Behaviour in Cyberspace”) and the Open-ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security. This blog seeks to analyse the AU and EU positions, with particular attention to their perspectives on due diligence and human rights. It demonstrate how the AU statement is shaped by developmental challenges, socio-economic considerations, capacity-building imperatives, and the specific needs and obstacles faced by the region.

Human Rights in Cyberspace: A Comparative Analysis of EU and AU Approaches 

Dror-Shpoliansky and Shany have categorised digital human rights into three “generations”:

  • The application of existing norms of international law to the digital sphere;
  • The development of new norms specific to the cyberspace context, such as the right to access the Internet, the right to be forgotten, and the right not to be subjected to automated decisions; and
  • The introduction of new rights-and-duty-bearers, such as digital platforms.

Regarding the first generation, both the EU and AU endorse the principle that the same rights people have offline must also apply online. This aligns with the approach outlined in the Global Digital Compact 2024 and the Report of the GGE on Responsible State Behaviour in Cyberspace, 2021.

However, in contrast to the EU, the AU goes beyond merely declaring that human rights apply online. The AU statement highlights key concerns specific to cyberspace, particularly those faced by African states and, to an extent, the broader Global South. It draws attention to issues such as: “certain activities undertaken by States, such as the transnational interception of communications, indiscriminate surveillance, and data misuse;” and “[t]he misuse of private data by malicious or criminal actors, as well as its misappropriation and commodification by private actors.”

One reason why the AU highlights these issues may be that states in the Global South disproportionately bear the impact of such practices. For example, following the Snowden revelations, it was uncovered that the Five Eyes Alliance, comprising developed nations, collaborated  with or pressured  their companies to provide access to their vast repository of subscriber data. Elebi and Scasserra, based on their analysis of 13 different EU free trade agreements, demonstrate how their approach to digital trade—particularly over the last decade—has enabled its companies to operate freely and maximize their profits in the digital economy. While, at the same time limiting the ability of host states to regulate the sector, redistribute profits, or pursue local technological development strategies to ensure domestic competitiveness. Similarly, Brännström explains how the EU’s position in trade agreements since 2015 has supported unimpeded cross-border data flows while simultaneously allowing the EU to place restrictions on data flows from the EU in line with its personal data protection framework.

Moreover, in the AU statement there is a specific focus on vulnerable groups, like women, children, older adults, and people with disabilities who face challenges that impair their ability to access the online environment. The AU statement also reiterates the right to development and how digital divides limit “the full enjoyment of human rights.” This framing permeates almost the entire length of the statement, which is notable since most states in their declaration provide little, if any, attention to socio-economic rights.

The AU statement fails to outline specific second-generation rights, while the EU declaration does not offer any insights into such rights at all. Shany and Ayalew have criticised this gap in the AU statement. They noted that the AU missed an opportunity to become a trailblazer in developing international human rights law in cyberspace, grounded in Africa’s unique values and experiences. The AU statement adopts a tone of progressive realisation rather than firmly advocating for the establishment of second-generation rights, such as the right to Internet access. Nonetheless, it makes a noteworthy contribution by emphasising how the digital divide hampers the exercise of human rights and underscoring the importance of promoting Internet access, especially for marginalised groups. While there is room to build upon and concretize this declaration, it represents a meaningful step forward.

Regarding third-generation rights, the AU statement emphasises both the responsibility of states to ensure that third parties under their jurisdiction do not commit human rights violations and the accountability of “business enterprises that operate in the ICT sector.” Thus, the AU statement reiterates states’ duty to protect human rights and digital businesses’ responsibility to respect them. In contrast, the EU declaration is silent on this issue. The EU has introduced several laws with a rights-centric framework for the governance of digital privacy, including the GDPR, DMA, DSA, and the AI Act. However, the EU has simultaneously advanced its strategic objectives and the interests of domestic companies through its foreign policy, coupled with the unequal application of its domestic regulations. As noted above, the EU’s digital trade policy promotes an unbalanced approach to cross-border data flows by leveraging the GDPR. Similarly, the recently released Draghi Report on the future of EU competitiveness advocates for the selective application of legal regulations, such as competition law, to foster the growth of domestic big tech companies.

Overall, both the EU and AU acknowledge the importance of applying existing human rights norms to the digital realm, yet the AU uniquely emphasises the specific challenges faced by African states and vulnerable populations in cyberspace. This distinction highlights the need for a more nuanced approach that considers regional contexts and the socio-economic factors influencing access and equity in the online environment as barriers to exercising human rights.

Emerging Developmentalist Approach to Due Diligence

Both the EU and AU statements reaffirm the established position that due diligence applies under international law and reiterate its basic elements:

  • Ensuring that third parties do not use their territory to commit internationally wrongful acts;
  • due diligence as an obligation of conduct, not result;
  • The knowledge element: actual or presumed based on the state’s capacity and circumstances (objective test); and
  • Undertaking “all appropriate and reasonably available and feasible measures, in the given context.”

The AU statement, in particular, focuses on the fourth element. It emphasises that the “due diligence obligation to take necessary measures” should be proportionate to “the extent of the capacity available to the State.” Furthermore, the statement acknowledges the “unique challenges faced by developing countries in implementing due diligence measures due to resource constraints and challenges related to technical expertise.”

These observations are critical and, while inherent to the concept of due diligence, are often overlooked in literature and countries’ statements. The differential capacities of states mean that what is expected of them should be proportionate to their technical, legal, and institutional capabilities. For instance, Lemnitzer outlines basic baseline requirements for states in cyberspace, which include developing cybercrime legislation and establishing a Cyber Incident Response Team (“CIRT”). In contrast, Lakra and Shrivastava provide evidence that establishing and maintaining a functional National or Sectoral CIRT can be particularly challenging for many developing and less developed countries.

Similarly, scholars have argued that due diligence includes an obligation for capacity building. This ensures that states cannot consistently rely on the defence of insufficient capacity to justify their failure to meet due diligence obligations. Capacity building serves another critical purpose: to establish the ‘minimum’ institutional capacity required for states to effectively fulfil their due diligence responsibilities.

The AU statement acknowledges the challenges that developing and least-developed countries face in achieving this ‘minimum’ institutional capacity. Consequently, it places significant emphasis on the importance of international cooperation for capacity building. The statement advocates for multi-stakeholder cooperation involving governments, international bodies, and private sector entities to strengthen regional and national cyber capabilities, reduce digital divides and inequalities, and improve coordination across technical and regulatory domains.

In conclusion, the AU’s position on due diligence emphasises a developmental lens, acknowledging the differing capacities of states and the challenges faced by developing and least-developed nations. Its focus on international partnerships aims to address these issues. In contrast to the EU, the AU’s approach reflects an awareness of the institutional and technical capacity deficits of its member states.

Conclusion

The AU and EU positions reveal different approaches to digital governance, shaped by their distinct regional contexts and priorities. Both organisations affirm the fundamental principles of human rights and due diligence in cyberspace. However, the AU’s position, with its material caveats, is distinguished by its emphasis on developmental challenges. It incorporates socio-economic considerations, capacity building, and the specific needs of the Global South. Notably, the AU’s statement in the conclusion calls for “clarifying and developing the rules of international law that apply to cyberspace, in a manner that fully integrates the development dimension in the future elaboration of these rules.” This highlights a crucial perspective often overlooked in global digital governance discussions. This developmental approach, combined with its focus on vulnerable groups and capacity constraints, presents an inclusive and equitable vision for the application of international law to cyberspace.

Autor/in
Rudraksh Lakra

Rudraksh Lakra is an advocate based in Delhi and a B.A., LL.B. (Hons.) graduate from Jindal Global Law School.

Profil anzeigen
Artikel drucken

Schreibe einen Kommentar

Wir freuen uns, wenn Du mit den Beiträgen auf dem Völkerrechtsblog über die Kommentarfunktion interagierst. Dies tust Du jedoch als Gast auf unserer Plattform. Bitte habe Verständnis dafür, dass Kommentare nicht sofort veröffentlicht werden, sondern von unserem Redaktionsteam überprüft werden. Dies dient dazu, dass der Völkerrechtsblog ein sicherer Ort der konstruktiven Diskussion für alle bleibt. Wir erwarten, dass Kommentare sich sachlich mit dem entsprechenden Post auseinandersetzen. Wir behalten uns jederzeit vor, hetzerische, diskriminierende oder diffamierende Kommentare sowie Spam und Kommentare ohne Bezug zu dem konkreten Artikel nicht zu veröffentlichen.

Deinen Beitrag einreichen
Wir begrüßen Beiträge zu allen Themen des Völkerrechts und des Völkerrechtsdenkens. Bitte beachte unsere Hinweise für Autor*innen und/oder Leitlinien für Rezensionen. Du kannst uns Deinen Text zusenden oder Dich mit einer Voranfrage an uns wenden:
Abonniere den Blog
Abonniere den Blog um regelmäßig über neue Beiträge informiert zu werden, indem Du Deine E-Mail-Adresse in das unten stehende Feld einträgst.
[newsletter]