President Cyril Ramaphosa has recently signed into effect the new Cybercrimes Act 19 of 2020 (“The Cybercrimes Act”) . This development in South African law is a welcomed move towards the fight against the increasing rise in online and internet-based crimes, as it has been reported that South Africa has the third-highest number of cybercrime victims worldwide, losing approximately R2.2 billion a year to cyber-attacks. Although this Act is a step in the right direction, it has been met with hesitation.
The Cybercrimes Act is the product of an interesting legislative process whereas the previous Cybercrimes and Cybersecurity Bill (“The Old Bill”) was subjected to a great deal of scrutiny. The Old Bill was essentially divided into two parts, namely a “cybercrimes” section and a “cybersecurity” section. The criticism that the Old Bill faced was mainly aimed at its cybersecurity section, which raised concerns regarding the government’s extensive powers, including the fear that it violated the right to freedom of expression which is found in Section 16 of the Constitution . Due to these concerns, the clauses dealing with cybersecurity in the Old Bill were completely removed and its name was changed to the ‘Cybercrimes Bill’ which only deals with cybercrimes. South Africa’s first attempt at legislating for the codification of cybercrimes and related penalties was chapter 13 of the Electronic Communications and Transactions Act of 2002 (“ECTA”). However, the new Cybercrimes Act contains a wider range of cyber offenses than what was contained in ECTA.
The main objectives of the Cybercrimes Act are to deal with offenses relating to cybercrimes, powers of investigation, criminalization of the distribution of data messages which are harmful, to provide for interim protection orders, evidence gathering, regulating the jurisdiction of courts, the establishment of a specified point of contact and the reporting of obligations and penalties.
The Cybercrimes Act criminalizes various types of cybercrimes, including illegally accessing a computer system or intercepting data, cyber extortion, unlawfully acquiring a password, cyber fraud, and theft of incorporeal property. Any person who violates this Act could face a fine, imprisonment of up to 15 years, or both. The wide scope of jurisdiction created by this Act essentially means that the South African courts will have the power to try persons that aren’t South African citizens, as well as persons that commit crimes in other countries, where this affects a person or business in South Africa. The South African Police Services (“SAPS”) have been given extensive search and seizure powers under the Cybercrimes Act, including the power to search and seize information held within a private database or network without a search warrant, this could potentially give rise to many Constitutional rights being infringed such as the right to privacy and freedom of expression.
This Act is particularly important for electronic communication service providers and financial institutions as it places an obligation on them to familiarize themselves with the reporting and other obligations imposed on them by the Act. Such obligations include the reporting of cybercrime to the SAPS within 72 hours of becoming aware of it; and providing technical and other assistance to a police official or investigator carrying out a search and seizure. Moreover, electronic communications services and financial institutions will need to put in place various processes and policies to ensure compliance with the Cybercrimes Act, including the preservation of data and evidence if there has been a cybercrime committed. Institutions who fail to comply with the reporting and preservation of evidence requirements set out in the Act could render such institutions liable for an offense and/or fine of up to R50 000. The Cybercrimes Act and the global trend of increased cyber regulations may be motivation for companies and institutions to consider cyber risk insurance cover to preserve their economic welfare. It is therefore important for businesses to start prioritizing information security and assessing their levels of risk and exposure.
The introduction of this Act couldn’t have come at a better time now that most businesses have transitioned to working from home during the Covid-19 pandemic. This new Cybercrimes Act will ultimately change the way we interact with data and electronic devices during this time when working from home has become the new norm.
Although the introduction of this Act has addressed South Africa’s lack of legislation in this area, many have criticized it as being rushed without giving full consideration to practical implications. The language used in the Act has been criticized as being broad and vague which could lead to a significant amount of interpretation. The Act could potentially have far-reaching powers.
Even though South Africa lags behind in certain aspects of cybersecurity, the steps that the government is taking to solve these issues should not be ignored, it should be noted that South Africa is one of only 28 countries globally to have a cybersecurity policy in place. The new Cybercrimes Act has imposed new responsibilities on institutions and businesses to comply with far more stringent security requirements in managing the data of citizens and employees which will play a key role in protecting South Africa against cybercrimes.
Written by Jess Koster
This article is for general information purposes and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact us At DKVG Attorneys for specific and detailed advice.