Concerns raised over SA cybersecurity law


ON 2 September 2015, local authorities published a 128-page draft Cybercrimes and Cybersecurity Bill ("Bill") for public comment.

The Bill is part of a set of laws and policy initiatives in South Africa that aim to regulate the ever-expanding online economy, and the surge in cyber-related crimes from a South African (and global perspective).

The current legal framework to combat cybercrime is a hybrid of legislation and the common law. However, the common law, which develops on a case-by-case basis, has not kept pace with the dynamic nature of cybercrime.

READ: Cybercrime costs SA firms billions

The Bill is a product of calls by various stakeholders for government to enact specialised legislation and to align South Africa with international practice. If passed, it will codify numerous offences or "cybercrimes" and its related penalties. In essence, the Bill:

-  criminalises unlawful access to, and interception of, data, broadly defined in this context to include personal and financial information;

- provides (local authorities) extensive powers of investigation, search, access and/or seizure;

- imposes various obligations on electronic communications service providers  regarding aspects which may impact on cyber security (discussed below);

- regulates jurisdiction of the courts, specifically in relation to cross-border offences.

The Bill will likely be the subject of immense scrutiny in the coming months. We assess some of the more notable aspects of the Bill below.

First, the Bill defines an "electronic communications service provider" (ESCP) as (a) a licensee or deemed licensee in terms of Electronic Communications and Transactions Act, (b) a "financial institution" in terms of the Financial Service Board Act or (c) "any person or entity who or which transmits, receives, processes or stores data […] of any other person". This definition is broad and will regulate a wide range of activities in the IT and communications, retail, banking and financial sectors, to name a few. Such a broad definition may have unintended consequences and, if passed without carve outs or safe harbours,  will cover, for example, employers that process or store employee data, any retailer (both virtual and physical) that processes a purchaser's credit card information or any website that stores its visitors' cookie data, even if temporarily.

The unintended consequences of such a wide definition are particularly problematic considering the extensive obligations imposed on ECSPs. Clause 64 of the Bill provides that an ECSP must:

- take reasonable steps to inform its clients of cybercrime trends which affect or may affect them;

- establish procedures for its clients to report cybercrimes; inform its clients of measures which can be taken in order to safeguard itself against cybercrimes;

- immediately report to the National Cybercrime Centre if it becomes aware that its computer network or electronic communications network is being used to commit a cybercrime; and

- preserve any information which may be of assistance to the law enforcement agencies in investigating the offence.

An ECSP's failure to comply constitutes an offence, which is punishable with a fine of R10 000 for each day of non-compliance.

What are your views on this? Click here to let us know and you could get published.

Second, the Bill includes controversial provisions concerning computer-related espionage and unlawful access to restricted data. Clause 16(5)(b) of the Bill provides that, "Any person who unlawfully and intentionally—(i) possesses; (ii) communicates, delivers or makes available; or (iii) receives, data which is in the possession of the State and which is classified as confidential {by the State}, is guilty of an offence." From a South African perspective, Clause 16(5)(b) is strikingly similar to the contentious Protection of State Information Bill, dubbed the "Secrecy Bill" by local commentators, which the President refused to sign into law because of concerns that it would not pass constitutional muster, as it restricts the constitutional rights to access to information and freedom of speech.

Third, Clause 17 of the Bill, which criminalises the "dissemination of [a] data message which advocates, promotes or incites hate, discrimination or violence," while seemingly innocuous, even laudable, should be received with caution and scrutinised for further unintended consequences. At first glance, Clause 17 emulates Section 16(2) of the Constitution. Clause 17 provides that, "Any person who unlawfully and intentionally—(a) makes available, broadcasts or distributes; (b) causes to be made available, broadcast or distributed; or (c) assists in making available, broadcasts or distributes […] to a specific person or the general public, a data message which advocates, promotes or incites hate, discrimination or violence against a person or a group of persons, is guilty of an offence."

SA's cybercrime bill could impact free speech, say experts.

On its face, this section would make it unlawful to distribute, share or broadcast prohibited speech, even for the purposes of analysis, comment or public discourse. Moreover, it would constitute a criminal offense to share a link to an article or video which constitutes prohibited speech. Such an arrangement, while not patently unconstitutional, may constitute an unreasonable restriction on freedom of information.

Finally, Clause 25(3), if passed, would effectively extend the powers of South African courts to "any act or omission" alleged to constitute an offence under the Bill, even if committed outside South Africa. In short, South African courts would have jurisdiction over defined cybercrimes committed outside of South Africa, provided that the crime affects any person in South Africa. The meaning of "affects" in this context is unclear.

There are a number of other provisions which are bound to be the subject of further debate (notably, the interplay between existing legislation and the Bill, the number of prosecuting authorities, jurisdiction and territoriality, and the proper delineation of powers and responsibilities vested in authorities).

Stakeholders will have the opportunity to influence the final text of the Bill as comments will close on 30 November 2015.

*Darryl Bernstein, Widaad Ebrahim and Sbo Cibane represent law firm Baker & McKenzie South Africa.

We live in a world where facts and fiction get blurred
In times of uncertainty you need journalism you can trust. For only R75 per month, you have access to a world of in-depth analyses, investigative journalism, top opinions and a range of features. Journalism strengthens democracy. Invest in the future today.
Subscribe to News24
Rand - Dollar
Rand - Pound
Rand - Euro
Rand - Aus dollar
Rand - Yen
Brent Crude
Top 40
All Share
Resource 10
Industrial 25
Financial 15
All JSE data delayed by at least 15 minutes Iress logo
Company Snapshot
Voting Booth
Should government have assigned a majority shareholding in SAA to the private sector?
Please select an option Oops! Something went wrong, please try again later.
Yes, It's a good decision
70% - 594 votes
Not a good move
9% - 74 votes
Too early to tell
22% - 185 votes