Milestone cybercrime and cybersecurity law on the cards for South Africa
The enactment of the Electronic Communications and Transactions Act 25 of 2002 ("ECTA") was South Africa's first real attempt at codifying a comprehensive description of what constitutes cybercrime and imposing penalties on prohibited practices such as hacking, identity theft and fraud.
While this has offered guidance when it comes to criminalising such activities, the development of effective cybersecurity practices is necessary to prevent and enable the investigation of cybercrimes. Accordingly, the Draft Cybercrimes and Cybersecurity Bill of 2015 ("the Bill") seeks to not only criminalise an array of prohibited activities, but also to establish and task various public and private bodies with the effective policing and reporting of cybercrimes.
The Bill regulates the investigation, search, access and seizure of items that are the fruits of cybercrimes, and has implications for the law of evidence. The Bill imposes various obligations on key players in the ICT sector and, most notably, establishes a 24/7 point of contact that is available to the public to enable the reporting of cybercrime. The Bill makes provision for the identification, declaration and protection of National Critical Information Infrastructure (such as the information housed by financial institutions and the Department of Home Affairs). The Bill furthermore seeks to centralise the coordination of cybersecurity activities both nationally and internationally.
In terms of the Bill, more than 20 activities will be considered as offences (for example, unlawful access and interference with personal and financial information, data, computer devices, computer networks, databases, critical databases, or electronic communications networks). The Bill contains a wide definition of what constitutes the commissioning of a cybercrime, and goes as far as stating what aggravating circumstances a court should consider prior to imposing a sentence. The Bill contains provisions that also make it an offence to harbour and conceal cybercrime offences, as well as facilitating one of these offences in one way or another.
The Discussion Document on the Bill, published by the Department of Justice and Constitutional Development, makes it clear, however, that the codification of these crimes does not preclude criminal liability in terms of the common law or other applicable legislation. The Bill does, however, propose repealing chapter XIII of the ECTA, which deals with cybercrimes.
The Bill employs mechanisms for the effective policing and reporting of cybercrimes, which are similar to the model deployed by the European Union. The Bill, in turn, recognises the need to establish international principles for dealing with cybercrime and cybersecurity, and introduces procedures for cooperation between South Africa and foreign states (for example, the preservation of an article or where interception is required to obtain data in cybercrime proceedings). The Bill empowers the President of the Republic to, among other things, enter into agreements with foreign states to promote cybersecurity.
The Bill caters for the establishment of numerous bodies to deal with, among other things, the coordination of cybersecurity activities and incident response management (for example, by the Minister of State Security, the Minister of Police, and the Minister of Telecommunications and Postal Services). These bodies will also be responsible for the operational coordination of cybersecurity incident response activities in order to maintain public order, securing the inhabitants of the Republic, facilitating information and technology sharing within the private sector, and establishing minimum security standards and best practices for the prevention, combating and investigation of cybercrime.
The Bill details specific obligations that Electronic Communication Service Providers ("ECPSs") must fulfil. ECPSs are required to take reasonable steps to inform their clients of cybercrime trends that affect or may affect them, and also of measures to protect themselves against cybercrime. ECPSs are also required to establish procedures for their clients to report cybercrimes to them. They are required to immediately report to the National Cybercrime Centre (one of the bodies to be established in terms of the Bill) upon becoming aware that their computer networks or electronic communications networks are being used to commit a cybercrime. The ECPSs will have to preserve any information that may assist law enforcement agencies in investigating offences, including information that shows the communication's origin, destination, route, time, date, etc.
A failure by ECPSs to observe these obligations may result in conviction with a fine of R10 000 for each day the failure to comply continues. ECPSs will therefore have to be prudent and alert when it comes to the management of their organisations' cybersecurity systems and policies, and are advised to start putting measures in place to ensure compliance.
Financial service providers are also affected by the Bill. The Discussion Document points out that financial information is a popular target in cyberspace and the Bill accordingly creates offences aimed at addressing this. For instance, the possession of another's financial information, where there is a reasonable suspicion that such information was or may be used, acquired, possessed, or provided to commit a cybercrime, may, in the absence of a satisfactory exculpatory explanation, constitute an offence in terms of the Bill. The processing or facilitation of a financial transaction that will, in turn, facilitate unlawful activity, such as child pornography or money laundering, is also prohibited.
The wide description of "financial information" (as "any information or data which can be used to facilitate a financial transaction") will require financial service providers, in particular, to be alert when handling financial information that may have been used to commit a cybercrime. The test here is merely whether there is reasonable suspicion. The penalty for non-compliance is either a fine not exceeding R5 million, or imprisonment for a period not exceeding five years.
The Bill also has implications for operators of National Critical Information Infrastructures, which are described in the Bill as information infrastructures that are of such a strategic nature, that any interference with them or their loss, damage, disruption or immobilisation; may prejudice the security, defence, law enforcement or international relations of the Republic, or the health or safety of the public; cause interference with or disruption of, an essential service; cause any major economic loss; cause destabilisation of the economy of the Republic; or create a public emergency situation. These infrastructures comprise organisations in both the private and public sector, and include those focused on communications, energy (such as electricity and fuel), commerce, transportation, water, food supplies, emergency services, law enforcement and so forth.
The Discussion Document highlights National Critical Information Infrastructures as being vulnerable to cyber-attacks and calls for such information structures to be identified and protected in accordance with the criteria detailed in the Bill. To give effect to this, the Bill establishes a National Critical Information Infrastructure Fund to, inter alia, implement disaster recovery measures in disaster situations.
The Bill set outs a balanced approach towards dealing with cybercrime and is generally in line with international trends. Constitutional issues may however arise. For instance, there is no mention at all in the proposed Bill of the right to freedom of expression. This is concerning given that a wider definition is given in the Bill to data messages that advocate, promote or incite hate, discrimination or violence than that found in the Constitution. Data messages of this nature are criminalised under the Bill, with the implication that speech that could be permissible under the Constitution may amount to an offence under the Bill. The Bill in its current form could thus be criticised for overreaching.
Please contact either of the writers if you are interested in commenting on the Bill before 30 November 2015, which is the closing date for submissions.
 The original version of this article was published in CRi 2015, 156 - 158.
 Cybercrimes and Cybersecurity Bill Draft for Public Comment 2015.