President Ramaphosa signs Cyber Crimes Bill into law

Read time 4min 30sec
President Cyril Ramaphosa.
President Cyril Ramaphosa.

The Cyber Crimes Bill, which seeks to bring SA’s cyber security laws in line with the rest of the world, has just been signed into law by president Cyril Ramaphosa.

According to law firm Werksmans Attorneys, this Bill, which is now an Act of Parliament, creates offences for and criminalises, among others, the disclosure of data messages which are harmful.

In 2015, the Department of Justice and Constitutional Development initiated the process to establish decisive policy in the form of the Cyber Crimes Bill, responding to the country’s lack of legislation in this area.

The initial draft Bill was not well received, with critics saying it was too broad and open to abuse, and a threat to the fundamental spirit of the Internet, which is open and democratic.

Subsequent changes to the Bill, including the removal of some of the security obligations, saw it drop the “security” part of the originally named Cyber Crimes and Cyber Security Bill.

In November 2018, it was adopted by the National Assembly, and transferred to the National Council of Provinces for agreement, to eventually reach the president to be signed into law.

Harmful data messages

Werksmans Attorneys explains that examples of data messages deemed harmful by the new law include those which incite violence or damage to property; threaten persons with violence or damage to property; and those which contain an intimate image.

Ahmore Burger-Smidt, director and head of data privacy practice at Werksmans Attorneys, explains that other offences include cyber fraud, forgery, extortion and theft of incorporeal property.

She notes the unlawful and intentional access of a computer system or computer data storage medium is also considered an offence, along with the unlawful interception of, or interference with data.

“This creates a broad ambit for the application of the Cyber Crimes Act, which defines ‘data’ as electronic representations of information in any form. It is interesting to note the Act does not define ‘cyber crime’ but rather creates a number of offences such as those canvassed above,” says Burger-Smidt.

“There is no doubt that the Cyber Crimes Act will be of particular importance to electronic communications service providers and financial institutes, as it imposes obligations upon them to assist in the investigation of cyber crimes; for example, by furnishing a court with certain particulars, which may involve the handing over of data or even hardware on application.”

She points out there is also a reporting duty on electronic communications service providers and financial institutions to report, without undue delay and where feasible, cyber offences within 72 hours of becoming aware of them.

A failure to do so may lead to the imposition of a fine not exceeding R50 000, says Burger-Smidt.

“A person who is convicted of an offence under the Cyber Crimes Act is liable to a fine or to imprisonment for a period of up to 15 years, or to both a fine and such imprisonment, as may be ordered in terms of the offence.

“It is further interesting to note the impact this Act will have on businesses, especially considering its overlap with the Protection of Personal Information Act 4 of 2013 (POPIA), among other regulatory codes and pieces of legislation.”

She notes POPIA, which deals with personal information, aims to give effect to the right to privacy by protecting persons against the unlawful processing of personal information.

One of the conditions for lawful processing in terms of POPIA is security safeguards which prescribes that the integrity and confidentiality of personal information must be secured by a person in control of that information.

“This is prescribed by POPIA in order to prevent loss, damage or unauthorised access to or destruction of personal information. POPIA also creates a reporting duty on persons responsible for processing personal information, whereby they must report any unlawful access to personal information (data breach) to the Information Regulator within a reasonable period of time.”

Remote working implications

Law firm Michalsons says the Cyber Crimes Act comes at a crucial time, with many people working remotely.

“This brings additional security concerns. And we’re seeing an increase in the number of high-profile cyber attacks in the public and private sectors. These numbers have increased at an alarming rate during the COVID-19 pandemic. This law is needed to protect South Africans and their organisations from harm.”

Michalsons stresses the law impacts everyone in South Africa. “Depending on your roles (whether you are an electronic communications service provider or a financial institution) the Cyber Crimes Act might place some obligations on you and your organisation.

“The Cyber Crimes Act will affect the way we interact with data or use our electronic devices like a computer. The Cyber Crimes Act has a far-reaching impact and it is important you understand how to deal with this impact.”

See also