The Cybercrime Act that President Cyril Ramaphosa signed in May is impractical, over ambitious and can even make law-abiding citizens clash with the law, experts say.
The legislation is the first on South Africa’s law books that will explicitly combat online and internet crimes. Crimes such as the illegal use of a computer system, the interception of data, cyber-extortion and even the use of passwords or access codes without anyone’s knowledge will in future be liable to prosecution.
Those who are found guilty could be fined and/or imprisoned for up to 15 years.
The law firm Michalsons says it is concerned about the unintended consequences of the broad definitions in the legislation. An example is in section 3(3) of the law which deals with the possession of data.
“If you are in possession of data and is a ‘reasonable suspicion’ that such data was unlawfully intercepted, and you can’t give a good explanation why you possess such data, you are guilty of an offence.
“Because of the way it was drafted, an unintended consequence might be that an innocent person who didn’t know that the data was unlawfully intercepted might be guilty of a cyber crime.”
According to Michalsons, the man in the street risks prosecution for “ordinary things”. “It affects all of us who process data or use a computer – individuals, parents, journalists, banks and many others.”
Anna Collard, the managing director at KnowBe4 Africa, disagrees. “The legislation clearly states that the intention must be to harm someone. But there will have to be an awareness among South Africans of how the law can be violated. For example, what happens if someone shares an offensive joke on WhatsApp and you also forward and share it?
“Everyone who is part of such a group can get into trouble, because it’s on all our phones.”
In the same way, there are doubts about whether the South African Police Service has the staff and expertise to investigate and prosecute potential crimes properly.
Professor Bruce Watson, the head of information science at Stellenbosch University, says that although the legislation is a “brave and ambitious” attempt to catch up with the rest of the world, its workability is a problem because there is still no police capacity to deal with cybercrime specifically.
“Legislation must go hand in hand with capacity building. But some would say you first legislate and then worry about reality.”
In terms of the new legislation, the SAPS must establish a new department – the so-called “designated contact point” where cybercrimes must be reported and investigated.
The police will have extensive powers to investigate premises and seize equipment – in some cases even without a warrant.
The law firm Webber Wentzel warns in a note that electronic communications service providers and financial services companies will need to be well aware of the new legal obligations to report cybercrime. The legislation stipulates that this must happen within 72 hours of the company becoming aware of the crime.
Companies will also need to make sure they have processes and policies in place to meet the legal requirements for storing data and evidence of electronic communications.
Collard also doubts whether there are enough police officers to enforce the law. “South Africa has an existing cyber hub that must investigate cybercrime, but there are only three people!” She said these three people have to sift through streams of emails daily and decide what is a crime and what is not.
“We do not currently have a system, a budget or the workforce to prosecute people for cybercrime.”
Watson says it is unfortunate that snags in the legislation, such as vague terminology, were not ironed out when it was subjected to parliamentary processes.
“With software development, the technique is often to make the software available and then to fix program errors later – with ‘patches’. But tweaking a law is not a smart way of doing it.”
South African lawyers and the courts are also finding themselves in new territory because there is no existing legislation on cybercrime.
“It is difficult to know what kind of fines and imprisonment there would be for offenders. There will obviously be some test cases to decide on the severity of the crimes,” said Collard.
Watson says the “intangible” nature of cybercrime will further complicate criminal prosecution. “It is extremely difficult to record and trace activities in cyberspace. There are so many nooks and crannies where criminals can hide and cover their tracks.
“The police will therefore probably give priority to more serious crimes in cyberspace, such as the distribution of child pornography and other organised crime.”
Although Ramaphosa has signed the Cybercrime Act, it will only officially come into force when it is promulgated in the Government Gazette.
The legislation has come a long way since the Department of Justice and Constitutional Development introduced it in 2015. The national assembly and national council of provinces approved the bill in December last year.