On 2 September 2015, government published a 128-page draft Cybercrimes and Cybersecurity Bill for public comment. The bill is part of a set of laws and policy initiatives in South Africa that aim to regulate the ever-expanding online economy, and the surge in cyber-related crimes from a South African (and global) perspective.
The current legal framework to combat cybercrime is a hybrid of legislation and the common law. However, the common law, which develops on a case-by-case basis, has not kept pace with the dynamic nature of cybercrime.
The bill is a product of calls by various stakeholders for government to enact specialised legislation and to align South Africa with international practice. If passed, it will codify numerous offences or “cybercrimes” and related penalties. In essence, the bill:
- Criminalises unlawful access to, and interception of, data, broadly defined in this context to include personal and financial information.
- Provides authorities with extensive powers of investigation, search, access and/or seizure.
- Imposes various obligations on electronic communications service providers regarding aspects which may impact on cybersecurity (discussed below).
- Regulates jurisdiction of the courts, specifically in relation to cross-border offences.
The bill will likely be the subject of intense scrutiny in the coming months. Some of the more notable aspects of the bill are assessed below.
First, the bill defines an electronic communications service provider (ECSP) as (a) a licensee or deemed licensee in terms of the Electronic Communications and Transactions Act; (b) a “financial institution” in terms of the Financial Service Board Act; or (c) “any person or entity who or which transmits, receives, processes or stores data […] of any other person”.
This definition is broad and will regulate a wide range of activities in the IT and communications, retail, banking and financial sectors, to name a few. Such a broad definition may have unintended consequences and, if passed without carve-outs or safe harbours, will cover, for example, employers that process or store employee data, any retailer (both virtual and physical) that processes a purchaser’s credit card information or any website that stores its visitors’ cookie data, even if temporarily.
The unintended consequences of such a wide definition are particularly problematic considering the extensive obligations imposed on ECSPs.
Clause 64 of the bill provides that an ECSP must:
- Take reasonable steps to inform its clients of cybercrime trends which affect or may affect them.
- Establish procedures for its clients to report cybercrimes and inform its clients of measures which can be taken in order to safeguard themselves against cybercrimes.
- Immediately report to the National Cybercrime Centre if it becomes aware that its computer network or electronic communications network is being used to commit a cybercrime.
- Preserve any information which may be of assistance to the law enforcement agencies in investigating the offence.
An ECSP's failure to comply constitutes an offence, which is punishable with a fine of R10 000 for each day of non-compliance.
Second, the bill includes controversial provisions concerning computer-related espionage and unlawful access to restricted data. Clause 16(5)(b) of the bill provides that “any person who unlawfully and intentionally — (i) possesses; (ii) communicates, delivers or makes available; or (iii) receives, data which is in the possession of the state and which is classified as confidential [by the state], is guilty of an offence”.
Clause 16(5)(b) is strikingly similar to the contentious Protection of State Information Bill, dubbed the “secrecy bill” by local commentators, which the president refused to sign into law because of concerns that it would not pass constitutional muster, as it restricts the constitutional rights to access to information and freedom of speech.
Third, clause 17 of the bill, which criminalises the “dissemination of [a] data message which advocates, promotes or incites hate, discrimination or violence”, while seemingly innocuous, even laudable, should be received with caution and scrutinised for further unintended consequences. At first glance, clause 17 emulates section 16(2) of the constitution. Clause 17 provides that “any person who unlawfully and intentionally — (a) makes available, broadcasts or distributes; (b) causes to be made available, broadcast or distributed; or (c) assists in making available, broadcasts or distributes […] to a specific person or the general public, a data message which advocates, promotes or incites hate, discrimination or violence against a person or a group of persons, is guilty of an offence”.
On its face, this section would make it unlawful to distribute, share or broadcast prohibited speech, even for the purposes of analysis, comment or public discourse. Moreover, it would constitute a criminal offence to share a link to an article or video which constitutes prohibited speech. Such an arrangement, while not patently unconstitutional, may constitute an unreasonable restriction on freedom of information.
Finally, clause 25(3), if passed, would effectively extend the powers of South African courts to “any act or omission” alleged to constitute an offence under the bill, even if committed outside South Africa. In short, South African courts would have jurisdiction over defined cybercrimes committed outside of South Africa, provided that the crime affects any person in South Africa. The meaning of “affects” in this context is unclear.
There are a number of other provisions which are bound to be the subject of further debate (notably, the interplay between existing legislation and the bill, the number of prosecuting authorities, jurisdiction and territoriality, and the proper delineation of powers and responsibilities vested in authorities).
Comments on the draft bill will close on 30 November 2015.
- Darryl Bernstein, Widaad Ebrahim and Sbo Cibane work for law firm Baker & McKenzie South Africa