Cybercrimes Act

| 2021 | 2020 | 2019 | 2018 | 2017 | 2016 | 2015 |

[6 October 2023] The Minister of Police has published final Standard Operating Procedures under the Cybercrimes Act.

Cybercrimes Act Standard Operating Procedures 6 October 2023

___

[25 July 2022] The Draft SAPS Standard Operating Procedures under section 26 of the Cybercrimes Act have been published for public comment. Submissions are due on 15 August 2022 and can be emailed to Captain Marlize Jooste / joosteme@saps.gov.za.

Draft SAPS Standard Operating Procedures under section 26 of the Cybercrimes Act

Invitation to comment

___

[30 November 2021] Cybercrimes Act Commencement of certain sections 19 November 2021

___

[9 June 2021] The Cybercrimes Act 19 of 2020 has been signed by the President and will come into force on a date to be proclaimed in the Government Gazette. The period between assent and commencement will be spent develop standing operating procedures and other documented processes for the implementation of provisions of the Act.

Cybercrimes Act, 19 of 2020

The Act creates cybercrimes as new criminal offences under South African law. These relate to:

• Unlawful access to a computer system or computer data storage medium
• Unlawful interception of data and/or processing of unlawfully intercepted data
• Unlawful use or possession of a software or hardware tool
• Unlawful interference with data or computer program
• Unlawful interference with a computer data storage medium or computer system
• Unlawful acquisition, possession, provision, receipt or use of password, access code or similar data or device
• Cyber fraud: where a person – unlawfully and with the intention to defraud – makes a misrepresentation by means of a data or computer program or through any interference with data, computer program, computer data storage medium, or computer system which causes actual or potential prejudice to another person
• Cyber forgery and uttering: where a person defrauds by making false data or a false computer program to the actual or potential prejudice of another person or passes off false data or a false computer program to the actual or potential prejudice of another person.
• Cyber extortion
• Theft of incorporeal property
• Malicious communications: data messages which incite damage to property or violence or which threaten persons with damage to property or violence and including unlawful distribution of intimate images.

The Act overhauls the interaction between law enforcement authorities and electronic communications service providers (ECSPs), introducing a variety of new mechanisms for SAPS to obtain or ensure the preservation of evidence held by ECSPs.

Section 54 sets out the reporting obligations to be imposed on ECSPs once the Act is in force and the necessary formalities have been completed:

Obligations of electronic communications service providers and financial institutions

54(1) An electronic communications service provider or financial institution that is aware or becomes aware that its electronic communications service or electronic communications network is involved in the commission of any category or class of offences provided for in Part I of Chapter 2 and which is determined in terms of subsection (2), must—

(a) without undue delay and, where feasible, not later than 72 hours after having become aware of the offence, report the offence in the prescribed form and manner to the South African Police Service; and

(b) reserve any information which may be of assistance to the South African Police Service in investigating the offence.

(2) The Cabinet member responsible for policing, in consultation with the Cabinet member responsible for the administration of justice, must by notice in the Gazette, prescribe—

(a) the category or class of offences which must be reported to the South African Police Service in terms of subsection (1); and

(b) the form and manner in which an electronic communications service provider or financial institution must report offences to the South African Police Service

(3) An electronic communications service provider or financial institution that fails to comply with subsection (1), is guilty of an offence and is liable on conviction to a fine not exceeding R50 000.

(4) Subject to any other law or obligation, the provisions of subsection (1) must not be interpreted as to impose obligations on an electronic service provider or financial institution to—

(a) monitor the data which the electronic communications service provider or financial institution transmits or stores; or

(b) actively seek facts or circumstances indicating any unlawful activity.

___

[23 June 2020] The finalisation of the Cybercrimes Bill is significantly closer after the Select Committee approved its amendments and report on 11 June 2020.

Committee statement on adoption of Cybercrimes Bill 11 June 2020

Cybercrimes Bill Committee Report 11 June 2020

NCOP proposed amendments to Cybercrimes Bill

The next step is a vote in a plenary schedule of the National Council of Provinces, scheduled for 24 June 2020.

___

[19 February 2020] The Cybercrimes Bill remains with the Select Committee on Security and Justice in the National Council of Provinces (NCOP) which is processing responses to public submissions made. Outstanding issues relate to the powers of law enforcement agencies to conduct warrantless searches of computers and the capacity of the South African Police Service to implement a finalised Cybercrimes Act.

Presentation by the Directorate for Priority Crime Investigation

___

[6 February 2019] The Select Committee on Security and Justice in the National Council of Provinces (NCOP) has invited the public to submit written comments on the Cybercrimes Bill as part of the NCOP’s consideration of the Bill.

Comments can be emailed to Mr G Dixon (gdixon@parliament.gov.za) by no later than 8 March 2019.

__

[24 November 2018] The Cybercrimes Bill was adopted by the Portfolio Committee for Justice and Correctional Services on 7 November 2018 and will now go to the National Assembly for debate on 27 November 2018.

___

[30 October 2018] The Department of Justice and Constitutional Development presented a radically amended version of the Bill to the Portfolio Committee for Justice and Correctional Services on 23 October 2018. The biggest shift is the removal of provisions relating to cybersecurity, necessitating the renaming of the Bill from the “Cybercrimes and Cybersecurity Bill” to the “Cybercrimes Bill”.

Cybercrimes Bill 23 October 2018 (clean version)

Cybercrimes Bill 23 October 2018 (showing changes from previous draft)

The major changes are as follows:

• Removing Cybersecurity part of the Bill: provisions relating to Cybersecurity have been removed (another Bill would address cybersecurity).
• Definition of Unlawful: this has been more tightly defined and aligned with the Protection of Personal Information Act
• Malicious communications: the scope of this provision is now limited to data messages of an intimate image without consent that threaten people to violence and bodily harm.
• Removal of crimes relating to critical infrastructure

___

[24 March 2018] The Bill is still under consideration by the Portfolio Committee….

Cybercrimes and Cybersecurity Bill [28 Feb 2018] showing proposed amendments

___

[18 November 2017] The Department of Justice and Constitutional Development has been presenting its responses to submissions received on the Cybercrimes and Cybersecurity Bill to the Portfolio Committee. This includes a set of consolidated written responses.

Responses to submissions: Chapters 1-9

Responses to submissions: Chapters 10-13

___

[11 September 2017] Submissions we have found:

• South African Human Rights Commission
• Centre for Constitutional Rights
• Right 2 Know

___

[9 September 2017] Public hearings on the Bill have been scheduled for 13 and 14 September 2017.

Programme for Hearings 13 14 September

The venue for the hearings is room M514, Marks Building, and proceedings will commence at 09h30 on each day.

___

[26 July 2017] The deadline for submissions in the Bill has been extended to 10 August 2017.

___

[4 July 2017] The Portfolio Committee on Justice and Correctional Services has issued an invitation to stakeholders and interested persons to submit written submissions on the Cybercrimes and Cybersecurity Bill 2017 [B6 – 2017].

The deadline for written submissions is 28 July 2017. Those submitting should indicate their interest in making a verbal presentation at subsequent public hearings to be held in Parliament.

Submissions and enquiries must be directed to Mr V Ramaano, Portfolio Committee on Justice and Correctional Services, 3rd Floor, 90 Plein Street, Cape Town, 8000 or emailed to vramaano@parliament.gov.za.

___

[30 May 2017] The Department of Justice and Constitutional Development today briefed the Parliamentary Portfolio Committee on Justice and Correctional Services on the Cybersecurity and Cybercrime Bill 2016. This should mark the commencement of the formal review of the Bill by the Portfolio Committee and we anticipate that the Bill will shortly be released for public comment following which public hearings will be held.

Cyber Bill Parliament Presentation – May 30 2017

___

[22 February 2017] Below are links to a copy of the Cybercrimes and Cybersecurity Bill as introduced into Parliament, as well as the Parliamentary notice accompanying the introduction.

Cybercrimes and Cybersecurity Bill [B6-2017]

Parliamentary notice

___

[19 January 2017] Below are links to the Bill and summary as they are to be introduced into Parliament later this month.

Cybercrimes and Cybersecurity Bill 2017

Summary of Cybercrimes and Cybersecurity Bill 2017

Statement by Deputy Minister Jeffery on the new proposed Cybercrimes and Cybersecurity Bill

___

[9 December 2016] A notice has been published in the Government Gazette setting out the intention of the Minister of Justice and Correctional Services to introduce the Cybercrimes and Cybersecurity Bill, 2017 (the Bill), in the National Assembly shortly.

Publication of the Explanatory Summary of the Cybercrimes and Cybersecurity Bill 2017

The explanatory summary of the Bill published in the Notice reads as follows:

The Bill intends to –

(a) create offences which has a bearing on cybercrime and to prescribe penalties;

(b) criminalise the distribution of data messages which is harmful and to provide for interim protection orders;

(c) further regulate jurisdiction in respect of cybercrimes;

(d) further regulate the powers to investigate cybercrimes;

(e) further regulate aspects relating to mutual assistance in respect of the investigation of cybercrime;

(f) provide for the establishment of a 24/7 Point of Contact;

(g) further provide for the proof of certain facts by affidavit;

(h) impose obligations on electronic communications service providers and financial institutions to assist in the investigation of cybercrimes and to report cybercrimes;

(i) provide for the establishment of structures to promote cybersecurity and capacity building;

(j) regulate the identification and declaration of critical information infrastructures and measures to protect critical information infrastructures;

(k) provide that the Executive may enter into agreements with foreign States to promote cybersecurity;

(l) delete and amend provisions of certain laws; and (m) provide for matters connected therewith.

___

[7 September 2016] This Bill is expected to be presented to Cabinet this September and then introduced into Parliament early in 2017.

While we wait, the Department of Telecommunications and Postal Services has launched their new virtual cybersecurity hub website: https://www.cybersecurityhub.gov.za.

___

[9 March 2016] The Department of Justice has formed an expert panel to review a further version of the Bill which has been substantially amended following public submissions received. This review process is expected to conclude in the middle of 2016 and a new version of the Bill will thereafter be published.

___

[5 December 2015] An edited version of the National Cybersecurity Framework Policy (NCPF) was gazetted on 4 December 2015.

National Cybersecurity Policy Framework 2012 (Public Edit)

It is unfortunate that this was only made public after the period for submissions on the Draft Cybercrimes and Cybersecurity Bill 2015 had closed….

___

[4 December 2015] Submissions we have found:

• Centre for Constitutional Rights
• Electronic Frontier Foundation
• Internet Service Providers’ Association
• Right2Know-Preliminary Position

___

[21 November 2015] Reminder that submissions on the Cybercrimes and Cybersecurity Bill 2015 are due on Monday 30 November 2015.

___

[5 November 2015] The Minister of Telecommunications and Postal Services launched the Cybersecurity Hub on 30 October 2015. The Hub is situated at www.cybersecurityhub.gov.za.

In short the functions of the hub will be among others to:

• Receiving incident reports from stakeholders and establishing clear incident management processes.
• Disseminating information to stakeholders about threats and attacks as a pre-emptive measure as well as mitigating procedures against emerging attacks
• Creating an archive of lessons learnt to ensure ease of access in dealing with future threats and vulnerabilities
• In the case of cyberbullying involving Cybersecurity Hub legal entities and assisting with escalating attacks to the relevant authorities
• And chairing of scheduled meetings with reporting and trending attacks and incidents for the specific period.

The hub will become a point of reference for citizens in as far as cybersecurity issues are concerned providing a repository of information regarding the do’s and don’t s of Internet for children, best practice guide for parenting on the Internet and how the average South African can protect against malicious attacks, identity theft and online financial security. The hub will create platforms to allow parents to share information on how to manage their children online and also provide links to Internet resources to assist both children and parents.

For the very first time in South Africa, the hub will ensure collaboration between businesses and create a platform for partnership between government and the private sector on cybersecurity. It will also facilitate the leveraging of high end cybersecurity capacity which is scarce as we build confidence and trust among stakeholders and place our nation in a better position to respond to cybersecurity in a much more coordinated matter. The shared information also provides an opportunity for cost savings as the hub’s expertise will allow for quicker incident recovery, which can translate to less money spent on incident response.

Cybersecurity incidents are to be reported to incident@cybersecurityhub.co.za.

___

[11 September 2015] The link below is to a 45 minute presentation on cybercrime and the law in South Africa which was delivered during the Internet Service Providers’ Association iWeek Conference (so the focus is on how it impacts on ISPs).

iWeek 2015 – Cybercrime and the Law

___

[28 August 2015] The Department of Justice & Constitutional Development has published The Cybercrimes and Cybersecurity Bill and an accompanying Discussion Document for public comment.

Cybercrimes and Cybersecurity Bill 2015

Discussion Document 2015

Invitation to comment

The deadline for submissions is 30 November 2015. Comments can be sent by fax 012 406 4632 or email cybercrimesbill@justice.gov.za marked for the atttention of Mr S J Robbertse.

The Bill aims to deal with various aspects relating to cybercrime and cybersecurity and to that extent the Bill –

• creates offences and prescribes penalties;
• further regulates jurisdiction;
• further regulates the powers to investigate, search and gain access to or seize items;
• further regulates aspects of international cooperation in respect of the investigation of cybercrime;
• provides for the establishment of a 24/7 point of contact;
• provides for the establishment of various structures to deal with cyber security;
• regulates the identification and declaration of National Critical Information Infrastructures and provides for measures to protect National Critical Information Infrastructures;
• further regulates aspects relating to evidence;
• imposes obligations on electronic communications service providers regarding aspects which may impact on cybersecurity;
• provides that the President may enter into agreements with foreign States to promote cybersecurity;
• repeals and amends certain laws; and
• provides for matters connected therewith.

Any person or entity, who wants to meet with the Department to discuss any aspect of the Bill must make the necessary arrangements with the Department. Any meeting with regard to the Bill will take place at the Department of Justice and Constitutional Development, unless expressly agreed to otherwise by the Department.

___

[22 May 2015] The Deputy Minister of Justice and Correctional Services indicated in his Budget Speech for the 2015/2016 financial year that the Cybercrimes and Related Matters Bill will be released for general comment in the near future. This confirms that there will be an opportunity for the public to comment prior to the Bill being introduced into Parliament.

The Cybercrimes and Related Matters Bill is aimed at strengthening the criminal justice system as envisaged in the National Development Plan, by introducing measures which are aimed at combatting cybercrime. It will be released for public comment by the Department in the near future before being introduced into Parliament.

Interestingly, in his Budget Speech, the Minister noted that a “conviction rate of 95% was achieved in respect of cybercrime”.

___

[6 May 2015] The Minister of State Security, Mr David Mahlobo, gave his Budget Vote Speech for the 2015/2016 financial year on the 05 May 2015. This included a section dedicated to cybersecurity and cybercrime. While for speech for the most part is taken from an earlier speech (see previous post below), the following is noteworthy:

Working with universities and other research institutes like the CSIR to build the cybersecurity pipeline through competitive scholarship, fellowship, and internship programs must be our preoccupation to attract top talent and develop systems that have command and control in our hands, national sovereignty.
This financial year, 2015/16 we plan to move with speed to:
a) Enhance the institutional cybersecurity capacity
b) Finalize the national cybersecurity policy and legislation
c) Working with the security cluster to present the Cyber Security Bill before Cabinet this year
d) Build on our first symposium work held this year to promote partnership and public cybersecurity awareness campaign designed to increase public understanding of cyber threats and promote simple steps the public can take to increase their safety and security online.
e) Strengthen our cooperation in this space with our SADC, AU and BRICS partners through existing mechanism.
f) Prioritize the establishment of the Cybersecurity Centre and the repositioning of the current Electronic Communications Security Computer Security Incident Response Team (ECS-CSIRT) to become a Government CSIRT

___

[12 March 2015] The Minister of State Security provided some insights into what is happening in South Africa regarding Cybersecurity in the course of a speech made at a Cybersecurity Symposium held in Johannesburg on 1 March 2015.

Remarks by Minister of State Security on Cybersecurity Symposium 1 March 2015

The express purpose of the speech was to lay the ground for the upcoming public consultation on the Cybercrimes and Related Matters Bill, currently the subject of a closed consultation but expected to be published in the Government Gazette in the next month.

There is a clear statement that cybersecurity is the domain of the security cluster.

“The Government’s approach in dealing with this matter is premised on the policy principle that National security, which includes the security of the Information and Communications Technologies in the country, is a responsibility of the structures responsible for security in the Republic.”).

This is in the context of statements from Department of Telecommunications and Postal Services and the Department of Communications that they also wish to play a role in these matters.

Information regarding the National Cybersecurity Policy Framework 2012 (NCPF) is hard to come by, so the following is of interest:

In March 2012, Cabinet approved a National Cybersecurity Policy Framework (NCPF) which seeks to, amongst others, deal with the following:
a. Centralize coordination of Cybersecurity activities within SA so as to have a coordinated approach to cybercrime, national security imperatives and enhance the information society and knowledge based economy;
b. Strengthen intelligence collection, investigation, prosecution and judicial processes, in respect of preventing and addressing cybercrime, cyber terrorism and cyber warfare;
c. Anticipate and confront emerging cyber threats, in particular threats to National Critical Information Infrastructure and coordinate responses thereto;
d. Foster cooperation and coordination between Government, the private sector and civil society including ensuring that South Africa becomes a critical contributor to international cooperation on Cybersecurity matters.
e. Develop skills, Research and Development capacity, promote Cybersecurity culture and promote compliance with appropriate technical and operational Cybersecurity standards.

The Cybersecurity Response Committee (CRC) – a strategic body chaired by the SSA – is responsible for priority setting and overseeing the implementation of the NCPF.