Laws Regulating Cloud Computing in Cameroon
Information and communication technology is a point of focus in the development of Cameroon. This sector has attracted a great deal of foreign investment in the country. Given the improving levels of technological advancement in Cameroon, businesses tend to move towards the use of information and communication technology systems for sustainability, development and growth.
Telecommunications is administered by the Ministry of Post and Telecommunications. There also exist regulatory bodies such as ANTIC (Agence Nationale des Technologies de l’Information et de la Communication) as well as ART (Agence de Regulation des Telecommunications au Cameroun). These regulatory bodies see to it that service providers meet the standards set by the Ministry of Post and Telecommunications.
Although there is no specific law geared wholly towards the regulation of cloud computing, aspects of cloud computing are encapsulated in some laws and regulations regarding information and communication technology. There follows a list of legal instruments for a better appraisal of cloud computing in this jurisdiction:
There also exists legislation issued by the Central African Economic and Monetary Community (CEMAC), of which Cameroon is a member, which is equally applicable in the country:
Although not specifically covered in a particular law, certain sectors of the economy require that cloud computing systems be resident in Cameroon (that is, the hosting of the cloud computing system must be in Cameroon). This is to ensure that the data in the system are easily supervised for security reasons and compliance. This is put in place due to the sensitivity of the banking sector since it deals with finance. For instance, Article 63(3) of COBAC Regulation R/2016/04, Relating to the Internal Control of Credit Establishments and Financial Holdings, requires credit establishments and banking institutions to make available all data in the territory of their head office. COBAC has supervisory competence over credit and financial institutions.
Specific Issues Regarding the Processing of Personal Data
There is currently no legislation as to blockchain in Cameroon. Software meant for the codification, safeguarding and transmission of personal data must be secured and always available. According to Section 26(1) of Law No 2010/012 of 21 December 2010, Relating to Cybersecurity and Cybercriminality, operators of information systems have to take strict administrative and technical measures in the processing of data in order to ensure the security of services offered. Their systems are to be standardised so that associated risks can be identified, processed or managed at all times.
With regard to the banking sector and on the storage of personal data, Article 10 of the CEMAC Payment Systems Regulation provides that, in opening a bank account, the customer must provide their personal data. Article 218 of the same regulation provides that the Bank of Central African States (Central Bank) shall take necessary precautions to prevent personal data that has been recorded from being distorted, damaged or accessed by unauthorised parties.
In order to avoid privacy and data breaches, the CEMAC Payment Systems Regulation has laid down the following provisions:
Risk and Liability
In considering the potential benefits of blockchain, service providers are to consider the associated risks and how they can be contained. Some of these risks include jurisdictional challenges, crypto-assets, privacy and data protection as well as "double spending" (ie, where a digital currency can be spent twice). Service providers have legal obligations in relation to privacy and electronic transactions. Information technology risks range from hardware and software failure to human error, viruses, as well as natural disasters. Some of these risks have been identified and contained, such as the commercialisation of the internet and cloud computing.
Blockchain is greatly valued and, as such, ownership of intellectual property in it will be of great concern since it involves a great deal of investment. Blockchain, as software, will generally be protected by copyright. The owner/service provider will have to register such technology at the Ministry of Arts and Culture.
Privacy and blockchain technology is a much-discussed issue. It is even said that blockchain technology is incompatible with most regional laws. The purpose of blockchain is to facilitate peer-to-peer transactions without the interference of any third party. Many blockchain systems are operated by users in a peer-to-peer network environment, which makes it difficult to define whether users are controllers or processors. It is of the utmost importance to define each person’s responsibilities and sphere of influence in a blockchain system.
In a blockchain system whereby there is no restriction, there is no single party that takes responsibility for the availability or security of a particular blockchain network. As such, all users of the system may have access to the information on the network. This is in violation of the privacy provision, which requires the service provider to ensure the safety and confidentiality of information in its network.
It is paramount that the information of service users be kept out of the reach of third parties. Content providers are to be responsible for the data transmitted through their information systems. The non-respect of the user's privacy of information amounts to a breach of that user’s fundamental right.
Given that there is no law directly regulating blockchain in Cameroon, it is worth mentioning that all other activities carried out with blockchain technology are subject to regulations specific to that particular sector.
The zeal of providers of telecommunication services to respect performance assurances is based on a number of considerations, including their risk/reward profile, the service delivery model, and the multiplication factor of accepting significant liability for multiple customers at the same time on a one-to-many approach. As a result, service providers prefer to offer their services on an "as is" basis, with a limited availability service level, while excluding warranties regarding the performance of the services, thereby leaving service users without any assurance or guarantee that the services/technology will function as described or be reliable and available. The balance of performance therefore becomes a key issue, especially when it comes to clients using the technology for business purposes.
The operators of information systems are required to take strict administrative measures to ensure the steady availability of the service. Operators of information systems are to set up technical mechanisms to avoid hitches that may be prejudicial to the steady functioning of their systems. Information system platforms shall be protected against any intrusion that may impair the integrity of data transmitted and against any other external attack, notably through intrusion detection systems, as stipulated in Section 26(4) of Law No 2010/012 of 21 December 2010, Relating to Cybersecurity and Cybercriminality.
Cameroonian law does not specifically regulate blockchain. As a result, there are no courts or specific bodies put in place to handle any blockchain issues.
With regard to jurisdictional problems or risks, it is often very difficult to know which jurisdiction’s laws apply to a given blockchain application. There is a possible risk that transactions carried out by an organisation could fall under multiple jurisdictions across which some elements of the blockchain cut.
The principles of contract and title differ across jurisdictions, therefore identifying the appropriate jurisdiction is important.
If transactions go through multiple jurisdictions, an overwhelming number of laws and regulations might apply to transactions in a blockchain-based system. This situation is even worse when it comes to a public blockchain system, as compared to a permissioned or private system, which is much easier to contain.
It is of utmost importance that organisations and service providers understand the risks associated with blockchain systems and their legal implications. In the event of a breach of contract that involves blockchain, both criminal and civil liabilities can result.
When dealing with big data projects, the providers of the information systems have an obligation to preserve the information within their system and keep it out of the reach of third parties. Law No 96/06 of 18 January 1996 guarantees the privacy of communication in its preamble. Therefore, a breach of the privacy of data amounts to a breach of the fundamental right of the user.
In dealing with big data projects, consent is a fundamental principle which must be adhered to at all times. Before a user’s information is shared with a third party, the service providers must seek the consent of the user.
Although machine learning is used to boost the functionality of the system, the principle of consent must still be respected. The consent of the user must be obtained before it is used. Failure to obtain consent results in a breach of the user's fundamental right as per the constitution of Cameroon.
Artificial Intelligence (AI)
The issue of consent is a fundamental principle in the use of artificial intelligence. As above, where the consent of the user is not sought, it amounts to a breach of the user's fundamental right.
The security and privacy of information is paramount in projects with connected devices. According to Law No 2010/012 of 21 December 2010, Relating to Cybersecurity and Cybercriminality, the providers of information systems are to have standardised systems enabling them to identify, assess, process or manage any risk relating to the information systems of the services provided directly or indirectly.
A major concern about machine-to-machine communications is related to security. The machines are expected to operate independently without human direction, which increases the potential of security threats and makes the safety of information paramount. These threats could range from data-hacking to unauthorised monitoring.
Any information shared during the project must be used for its intended purpose and only within the system of operation.
IT Service Agreements
The greatest challenge encountered by organisations entering into an IT service agreement in Cameroon is the fact that there is no clear legal framework to enforce such agreements.
Although there is no specific law governing IT service agreements, Decree No 2019/150 of 22 March 2019, on the Organisation and Functioning of the National Information and Communication Technology Agency (ANTIC), gives ANTIC the powers to oversee the regulation of IT-related transactions. ANTIC has as its mission the following:
Law No 98/014 of 14 July 1998, Regulating Telecommunications in Cameroon, Section 5(1), prohibits actions and practices which may prevent, restrict or compromise competition in the telecommunications market, especially when they limit access to the market or free competition from other service providers.
There are no outright restrictions in drafting IT service agreements under Cameroonian law. Parties are free to determine the terms of agreement from location to privacy to data storage and duration. The only exceptions to the rule are banks: the CEMAC regulations on banks require that they have their data storage location in the headquarters of the host country (ie, within the CEMAC region).
Restriction on Data Storage
Although there are no restrictions in drafting IT service agreements under Cameroonian law, when it comes to data storage, there are some industry-specific restrictions. The location of data storage will depend on how sensitive the data is or on the industry in question. For example, the COBAC Regulations require banking institutions and financial establishments to make available all data in the territory of their head office.
Core Rules Regarding Data Protection
The increase in the use of digital platforms requires the collection and storage of data. Most organisations and individuals nowadays hold valuable data in digital forms. The sensitivity of certain data makes it more problematic in terms of where and how it is to be stored and protected. The storing of such data has become an issue of legislative concern in Cameroon.
As mentioned earlier, this jurisdiction does not have a specific law on data privacy as yet. With the increased demand for data privacy, the government is working on proposals by actors within the technology and media sector to have a comprehensive data privacy law. As things stand, there are only laws generated from the constitution to protect the fundamental right of privacy. That said, individuals or companies handling data are expected to process or manage third-party data with a duty of care, mindful not to breach fundamental rights of privacy.
An in-depth analysis will lead us to Article 41 of Law No 2010/012 of 21 December 2010, Relating to Cybersecurity and Cybercriminality, which guarantees every individual the right to the protection of their privacy. The courts will take any protective measures – notably sequestration or seizure – to prevent the invasion of privacy.
Article 42 of the same law requires that content providers be responsible for information transmitted through their systems, especially if such content may entail infringement of human dignity, injury to character and invasion of privacy.
Article 46(1) of the above law requires service providers of information systems to safeguard any data in their system for a period of ten years. If any information is lost before the end of this ten-year period, the service providers may be held liable.
The Constitution provides for freedom of expression, freedom of the press and of communication. Issues of data protection are represented in Law No 96/06 of the Constitution, which guarantees the privacy of communication in its preamble.
The core principles involving data protection in Cameroon are privacy, confidentiality, non-interference and preservation of data via information systems.
Distinction between Company/Individual Data
There is no distinction between a company's and an individual's data when it comes to data protection. Physical and moral persons both have a right to the protection of their data. The law frowns on anyone that intercepts the traffic of data, be it companies or individuals, without obtaining the consent of the user.
General Processing of Data
The technical storage of data before transmission of any communication is authorised for electronic communications networks and information system operators without prejudice to the principle of confidentiality.
Processing of Personal Data
The processing of personal data is governed by the principle of confidentiality. Personal data is not to be transmitted to third parties without the consent of the user.
According to Article 49 of Law No 2010/012 of 21 December 2010, Relating to Cybersecurity and Cybercriminality – notwithstanding the dispositions of the Penal Code which punishes the interception or transfer of electronic communication without prior consent of the user – in case of an investigation, a judicial police officer can intercept, transfer or record all electronic communication with respect to the particular case in hand.
Generally, the law forbids the interception of data without the consent of the user, except where such is legally authorised (Article 49 of Law No 2010/012 of 21 December 2010, Relating to Cybersecurity and Cybercriminality).
The monitoring and limitation of employee usage of company computer resources is not specifically outlined under Cameroonian law. However, the company can monitor and limit the employee's use of company computer resources when it has to do with their working relationship. This may occur in situations whereby the company tries to minimise and avoid data loss and web trafficking. In such situations, the employee must be aware of such monitoring and limitation. Consent is key in this case.
With regard to the employee's private data, the employer is not allowed to monitor it, as this will be against the right to privacy of information (Article 42 of Law No 2010/012 of 21 December 2010, Relating to Cybersecurity and Cybercriminality).
The provision of technology involving electronic communication falls under the scope of Law No 2010/013 of 21 December 2010, Relating to Electronic Communications. Telecommunication is strictly managed by the state in terms of legislation and regulations, as per Article 6 of the law on telecommunications. The state, however, authorises the involvement of the private sector in telecommunication activities by issuing either a concession or a licence to the person or persons who so demand, as per Article 8 of the law on electronic communications.
In order to offer RFID tags, the technology provider will have to obtain a licence, as per Article 10 of Law No 2010/013 of 21 December 2010, Relating to Electronic Communications; this licence can be granted within 90 days.
The provision of voice-over IP (VoIP) and instant messaging are subject to a declaration at the Telecommunication Regulatory Board; this can be granted within a period of 30 days.
VoIP, instant messaging and social media content-hosting service providers are all regulated by the law on cybersecurity and cybercriminality.
Law No 2015/007 of 20 April 2015 regulates the provision of audio-visual services in Cameroon. The law aims to define the legal regimes applicable to audio-visual activities, determine the rights and obligations of operators of audio-visual activities, and to fix the requirement for the provision of audio-visual services.
Generally, audio-visual communication is without charge but subject to fundamental principles such as national defence, territorial integrity, the dignity of the human person, bilingualism, equality of citizens and non-discrimination.
In order to provide audio-visual services, the service provider has to obtain a licence from the Ministry of Post and Telecommunications, as specified in Article 24 of the audio-visual law (Law No 2015/007 of 20 April 2015).
Foreigners seeking to provide audio-visual services in Cameroon must register a company in Cameroon, as per Article 26 of the above-cited law. There is also the requirement for local content, wherein the shareholding should be at least 50% held by Cameroon nationals.
The cost is variable and is established based upon the category of licence applied for. The ministry determines the cost after deliberation by the Audio-visual Committee.
Procedure for the Provision of Audio-Visual Services
The procedure for providing audio-visual services is regulated by Law No 2000/158 of 3 April 2000, fixing the conditions and modalities for the creation and exploitation by private companies for audio-visual communication. This law requires that a file be constituted and deposited at the ministry in charge of communication, comprising the following:
The fees charged differ from producers to transporters and to transmitters.
It is also worth noting that these requirements do not specifically apply to companies with online video channels.
Legal Requirements Governing the Use of Encryption
The use of encryption is regulated by Decree No 2013/0400 PM of 27 February 2013, Relating to the Modalities of Declarations and Authorisation and the conditions for obtaining a certificate of approval for the exportation, importation and use of encryption tools.
Under the law, encryption as a method of securing electronic communication is without charge but for the fact that a declaration of such must be made at the National Agency for Technology, Information and Communication.
Encryption in Cameroon is not inviolable as there are circumstances that may warrant it to be broken. This is very common with judicial proceedings or investigations – in such a situation, the providers of the encryption services may be requested to provide backdoors or to unlock software to access data relevant to the proceedings.
There is currently no legislation in Cameroon with regard to technology, media and telecommunication in view of COVID-19. The government does not see the telecommunications and media technology as a risky sector wherein the pandemic might greatly affect activities within the sector. Other than the regular reduction in manpower, we have not witnessed major changes in the sector except for the drop in the quality of service.
With regard to working remotely, the government lifted the lockdown in Cameroon while recommending that its citizens respect the barrier measures put in place. Government offices have remained open and operating at full capacity. The private sector, with a few exceptions, has continued to implement and encourage working remotely. A good number of multinationals operating in Cameroon have maintained remote working practices.
Most companies have provided adequate support to their employees working remotely, with guidelines for the use of company data as required by internal policies. The majority of companies have now introduced internal policies and set up appropriate infrastructures to facilitate working remotely, such as providing a secured VPN whereby every action carried out by an employee can be traced, so that, should there be a breach of data protection, the source of such a breach can be easily identified. As a general rule, most employees are subject to their company's respective internal policy on handling and managing data.