Cyber regulation: a better approach

By Rabelani Dagada, Professor, University of Johannesburg
Johannesburg, 09 Mar 2016

In his response to the debate on the 2016 State of the Nation Address, president Jacob Zuma reiterated Parliament will consider the promulgation of the Cyber Crimes and Related Matters Bill during the first half of this year. The South African Institute of Race Relations (IRR) has concerns with this Bill.

Several pieces of policy, legislation, and regulation in SA already address cyber crime and related e-transactions. These include, among others, the Constitution of the Republic of South Africa (specifically the right to privacy); the Electronic Communications and Transactions Act number 25 of 2005; the Promotion of Access to Information Act number two of 2000; the Regulation of Interception of Communications and Provision of Communication-related Act number 70 of 2002; the King Reports on corporate governance for SA; and the Protection of Personal Information Act number four of 2013.

Existing policy has often not been effectively or timeously implemented. For example, government has been slow in enforcing some of the prescriptions of the Electronic Communications and Transactions Act of 2002, including the appointment of the cyber inspectors. The registration of mobile phone SIM cards (a policy with which the IRR has concerns) was only done seven years after the promulgation of the Regulation of Interception of Communications and Provision of Communication-related Act of 2002.

Defence under construction

Provisions to fight IT-related crimes are contained in chapter 8 of the ECT Act (2002), but have yet to be properly implemented. Hacking, industrial espionage, viruses, spam e-mails and other cyber-related crimes characterised by unauthorised access to, interception of, or interference with data are supposed to be tackled by cyber inspectors.

Chapter 10 of the ECT Act, 2002 advocated for the establishment of cryptography providers and authentication service providers, and the use of reliable electronic signatures. Nearly 11 years after this law was enacted, the government eventually appointed a South African-based cryptographic security provider. While the government should be commended for this appointment, the delay in making it could have exposed individuals and companies to cyber crime.

Unsolicited e-mails are addressed in chapter 7 of the ECT Act, 2002 - the chapter that deals with consumer protection.

Spam alert

Clause 45 of that chapter prohibits unsolicited commercial communications to consumers. A study I have been undertaking found this prohibition is not effective, as sellers of goods, products and services use a loophole in the Act to send chains of unsolicited messages to consumers. The Act requires the sender give the recipient a choice to stop receiving such e-mails.

Many consumers remain uninformed about the Act and are swamped with spam e-mails. In reality, the first e-mail that is sent is unsolicited, but it is legal because it gives the recipient an option to opt out. Because few recipients opt out, subsequent e-mails cannot be defined as unsolicited, because the consumer is deemed to have opted to receive the adverts.

South African cyber-policymakers should avoid overregulation of cyberspace, while watchdogs and cyber analysts must ensure cyber regulation is not used to undermine civil liberties. Instead of introducing another law to address cyber crime, government would be well advised to ensure existing legislation is properly enforced.