The South African Cybersecurity Act

We promised to let you have a summary of the new Act: much of which came into effect on 1 December 2021. We will be holding a “fireside chat” on the new law which will be on our website in the coming weeks. Here we explain the purpose and aim of the Act, the overall structure of the Act, and, finally, key sections that you need to know to meet your obligations under the Act and how it relates to the POPIA.

Purpose of the Act: The Act modernizes existing criminal offenses to cater to the nature with which many cyber-crimes are committed, while also creating new offenses to criminalize certain behaviour – such as theft and interference of data. Other objectives include:

• criminalise the dissemination of harmful data messages and provide interim protection
• further regulate law enforcement’s jurisdiction over cybercrime by granting extensive powers to investigate, search, access, and seize articles used in committing an offense, such as computers, databases, networks, etc.
• impose obligations to report cybercrimes.

Specific offenses created under the Cybercrimes Act include a person’s unlawful access – is the unlawful and intentional access to a computer system or a computer data storage medium (“hacking”) and the unlawful interception, interference, or acquisition of data, a computer program, a computer data storage medium or a computer system.

The criminal offenses include:

1.  cyber fraud – fraud committed by means of data or a computer program or through any interference with data or a computer program.
2. cyber forgery –the passing-off of false data or a false computer program with the intention to defraud.
3. cyber extortion – being, amongst other things, the unlawful and intentional interception of data for the purpose of obtaining any advantage from another person or compelling another person to perform or to abstain from performing any act (also known as ransomware).
4. the theft of incorporeal property.

The Act also criminalises malicious or harmful communications. This touches upon any form of digital communication as the Act uses the term “data messages” which could:

• incite or threaten damage to property or violence.
• threaten persons with damage to property or violence.
• and disclose an intimate image.

By defining ‘person’ as both a natural and a juristic person (like POPIA), the Act casts a very wide ambit as to who it applies to. Both individuals and companies may be subject to the protection as well as the offenses.

Structure of Act: The Act is divided into various chapters. You can read the Cybercrimes Act and the full text here. Not all the sections of the Act have commenced.  These sections have commenced:

• Chapter 1 – definitions to help us understand and apply the relevant sections.
• Chapter 2 – specifics regarding cybercrime have commenced – these are the modernised cybercrimes described above, malicious communications, assisting or instructing someone to commit a crime, competent verdicts, and sentencing.
• Chapter 3 – South African courts and their jurisdiction to try cybercrimes.
• Chapter 4 – The Act grants very wide powers to the Police Service to investigate, search, access or seize anything digital wherever they are located. The police MUST have a search warrant.

• 1. All sections of this Chapter commence except sections 38(1)(d) -(f), 40(3)-(4), and 41-44.
• Chapter 7: evidence – how people admit evidence in relation to cybercrime.
• Chapter 8: reporting obligations and capacity building – all sections commence except section 54 (which relates to the obligations, including reporting obligations, of electronic communications service providers and financial institutions) – this is an extremely critical aspect of the Act as it impacts the primary controllers of exceptionally substantial amounts of data that are prone to frequent cybercrimes; and
• Chapter 9: general provisions (including a schedule of laws that are repealed or amended). All sections commence except for certain amendments to the Criminal Law (Sexual Offences and Related Matters) Amendment Act 32 of 2007.

POPIA connection: The Cybercrimes Act has several provisions that interact with certain aspects of POPIA. POPIA specifically regulates the manner in which the lawful processing and protection of personal information of both natural and juristic persons should be carried out.  The definition of ‘processing’ in section 1 of POPIA includes a wide range of activities such as the collection, receipt, modification, retrieval, alteration, transmission, degradation, erasure, or destruction of personal information.

Where any personal information is subject to unauthorised access or possession, POPIA addresses the obligations of the lawful holder of such personal information (as defined under POPIA) to have taken reasonable and appropriate measures to secure and safeguard the personal information in the first place and, if such data breach occurs (or is suspected) to take reasonable steps to address it, including a report of the occurrence to the Information Regulator. Now, the perpetrators of such unauthorised access or possession of personal information would also be charged with an offense under the Cybercrimes Act.

Section 54 of the Cybercrimes Act imposes similar reporting obligations on electronic communications service providers and financial institutions (when it is proclaimed) who become aware that their electronic communications service or electronic communications network have been involved in the commission of any category or class of offence/s as outlined above.  Consequently, they will be obliged to report the unauthorised access of the data/personal information within their possession to both the Information Regulator and the South African Police Service (SAPS), respectively.

POPIA mandates that such a data breach must be reported ‘as soon as reasonably possible, while the Cybercrimes Act specifically mandates that such an offense must be reported to the SAPS ‘not later than 72 hours after having become aware of the offense.

If you want to know more about the Practical Impact of the Cybercrime Act, you can read more about it here https://www.michalsons.com/blog/the-practical-impact-of-the-cyber-bill-on-you/25300. And here: https://www.cliffedekkerhofmeyr.com/en/news/publications/2021/TMT/technology-media-and-telecommunications-sector-newsletter-9-june-regulating-the-fourth-industrial-revolution-south-africas-cybercrimes-bill-is-signed-into-law.html

Many thanks to our Legal Affairs Committee Chair, Rieka van Wyk for this article.