[9 June 2021] The Cybercrimes Act 19 of 2020 has been signed by the President and will come into force on a date to be proclaimed in the Government Gazette. The period between assent and commencement will be spent developing standing operating procedures and other documented processes for the implementation of provisions of the Act.
The Act creates cybercrimes as new criminal offences under South African law. These relate to:
- Unlawful access to a computer system or computer data storage medium
- Unlawful interception of data and/or processing of unlawfully intercepted data
- Unlawful use or possession of a software or hardware tool
- Unlawful interference with data or computer program
- Unlawful interference with a computer data storage medium or computer system
- Unlawful acquisition, possession, provision, receipt or use of password, access code or similar data or device
- Cyber fraud: where a person – unlawfully and with the intention to defraud – makes a misrepresentation by means of a data or computer program or through any interference with data, computer program, computer data storage medium, or computer system which causes actual or potential prejudice to another person
- Cyber forgery and uttering: where a person defrauds by making false data or a false computer program to the actual or potential prejudice of another person or passes off false data or a false computer program to the actual or potential prejudice of another person.
- Cyber extortion
- Theft of incorporeal property
- Malicious communications: data messages which incite damage to property or violence or which threaten persons with damage to property or violence, including the unlawful distribution of intimate images.
The Act overhauls the interaction between law enforcement authorities and electronic communications service providers (ECSPs), introducing a variety of new mechanisms for SAPS to obtain or ensure the preservation of evidence held by ECSPs.
Section 54 sets out the reporting obligations to be imposed on ECSPs once the Act is in force and the necessary formalities have been completed:
Obligations of electronic communications service providers and financial institutions
54(1) An electronic communications service provider or financial institution that is aware or becomes aware that its electronic communications service or electronic communications network is involved in the commission of any category or class of offences provided for in Part I of Chapter 2 and which is determined in terms of subsection (2), must—
(a) without undue delay and, where feasible, not later than 72 hours after having become aware of the offence, report the offence in the prescribed form and manner to the South African Police Service; and
(b) preserve any information which may be of assistance to the South African Police Service in investigating the offence.
(2) The Cabinet member responsible for policing, in consultation with the Cabinet member responsible for the administration of justice, must by notice in the Gazette, prescribe—
(a) the category or class of offences which must be reported to the South African Police Service in terms of subsection (1); and
(b) the form and manner in which an electronic communications service provider or financial institution must report offences to the South African Police Service.
(3) An electronic communications service provider or financial institution that fails to comply with subsection (1), is guilty of an offence and is liable on conviction to a fine not exceeding R50 000.
(4) Subject to any other law or obligation, the provisions of subsection (1) must not be interpreted as to impose obligations on an electronic service provider or financial institution to—
(a) monitor the data which the electronic communications service provider or financial institution transmits or stores; or
(b) actively seek facts or circumstances indicating any unlawful activity.
[23 June 2020] The finalisation of the Cybercrimes Bill is significantly closer after the Select Committee approved its amendments and report on 11 June 2020.
The next step is a vote in a plenary sitting of the National Council of Provinces, scheduled for 24 June 2020.
[19 February 2020] The Cybercrimes Bill remains with the Select Committee on Security and Justice in the National Council of Provinces (NCOP) which is processing responses to public submissions made. Outstanding issues relate to the powers of law enforcement agencies to conduct warrantless searches of computers and the capacity of the South African Police Service to implement a finalised Cybercrimes Act.
[6 February 2019] The Select Committee on Security and Justice in the National Council of Provinces (NCOP) has invited the public to submit written comments on the Cybercrimes Bill as part of the NCOP’s consideration of the Bill.
Comments can be emailed to Mr G Dixon (firstname.lastname@example.org) by no later than 8 March 2019.
[24 November 2018] The Cybercrimes Bill was adopted by the Portfolio Committee for Justice and Correctional Services on 7 November 2018 and will now go to the National Assembly for debate on 27 November 2018.
[30 October 2018] The Department of Justice and Constitutional Development presented a radically amended version of the Bill to the Portfolio Committee for Justice and Correctional Services on 23 October 2018. The biggest shift is the removal of provisions relating to cybersecurity, necessitating the renaming of the Bill from the “Cybercrimes and Cybersecurity Bill” to the “Cybercrimes Bill”.
The major changes are as follows:
- Removing the cybersecurity part of the Bill: provisions relating to cybersecurity have been removed (another Bill would address cybersecurity).
- Definition of Unlawful: this has been more tightly defined and aligned with the Protection of Personal Information Act
- Malicious communications: the scope of this provision is now limited to data messages of an intimate image without consent that threaten people to violence and bodily harm.
- Removal of crimes relating to critical infrastructure
[24 March 2018] The Bill is still under consideration by the Portfolio Committee….
[18 November 2017] The Department of Justice and Constitutional Development has been presenting its responses to submissions received on the Cybercrimes and Cybersecurity Bill to the Portfolio Committee. This includes a set of consolidated written responses.
[11 September 2017] Submissions we have found:
[9 September 2017] Public hearings on the Bill have been scheduled for 13 and 14 September 2017.
The venue for the hearings is room M514, Marks Building, and proceedings will commence at 09h30 on each day.
[26 July 2017] The deadline for submissions on the Bill has been extended to 10 August 2017.
[4 July 2017] The Portfolio Committee on Justice and Correctional Services has issued an invitation to stakeholders and interested persons to submit written submissions on the Cybercrimes and Cybersecurity Bill 2017 [B6 – 2017].
The deadline for written submissions is 28 July 2017. Those submitting should indicate their interest in making a verbal presentation at subsequent public hearings to be held in Parliament.
Submissions and enquiries must be directed to Mr V Ramaano, Portfolio Committee on Justice and Correctional Services, 3rd Floor, 90 Plein Street, Cape Town, 8000 or emailed to email@example.com.
[30 May 2017] The Department of Justice and Constitutional Development today briefed the Parliamentary Portfolio Committee on Justice and Correctional Services on the Cybersecurity and Cybercrime Bill 2016. This should mark the commencement of the formal review of the Bill by the Portfolio Committee and we anticipate that the Bill will shortly be released for public comment following which public hearings will be held.
[22 February 2017] Below are links to a copy of the Cybercrimes and Cybersecurity Bill as introduced into Parliament, as well as the Parliamentary notice accompanying the introduction.
[19 January 2017] Below are links to the Bill and summary as they are to be introduced into Parliament later this month.
Statement by Deputy Minister Jeffery on the new proposed Cybercrimes and Cybersecurity Bill
[9 December 2016] A notice has been published in the Government Gazette setting out the intention of the Minister of Justice and Correctional Services to introduce the Cybercrimes and Cybersecurity Bill, 2017 (the Bill), in the National Assembly shortly.
The explanatory summary of the Bill published in the Notice reads as follows:
The Bill intends to –
(a) create offences which have a bearing on cybercrime and to prescribe penalties;
(b) criminalise the distribution of data messages which are harmful and to provide for interim protection orders;
(c) further regulate jurisdiction in respect of cybercrimes;
(d) further regulate the powers to investigate cybercrimes;
(e) further regulate aspects relating to mutual assistance in respect of the investigation of cybercrime;
(f) provide for the establishment of a 24/7 Point of Contact;
(g) further provide for the proof of certain facts by affidavit;
(h) impose obligations on electronic communications service providers and financial institutions to assist in the investigation of cybercrimes and to report cybercrimes;
(i) provide for the establishment of structures to promote cybersecurity and capacity building;
(j) regulate the identification and declaration of critical information infrastructures and measures to protect critical information infrastructures;
(k) provide that the Executive may enter into agreements with foreign States to promote cybersecurity;
(l) delete and amend provisions of certain laws; and
(m) provide for matters connected therewith.
[7 September 2016] This Bill is expected to be presented to Cabinet this September and then introduced into Parliament early in 2017.
While we wait, the Department of Telecommunications and Postal Services has launched their new virtual cybersecurity hub website: https://www.cybersecurityhub.gov.za.
[9 March 2016] The Department of Justice has formed an expert panel to review a further version of the Bill which has been substantially amended following public submissions received. This review process is expected to conclude in the middle of 2016 and a new version of the Bill will thereafter be published.
[5 December 2015] An edited version of the National Cybersecurity Framework Policy (NCPF) was gazetted on 4 December 2015.
It is unfortunate that this was only made public after the period for submissions on the Draft Cybercrimes and Cybersecurity Bill 2015 had closed….
[4 December 2015] Submissions we have found:
- Centre for Constitutional Rights
- Electronic Frontier Foundation
- Internet Service Providers’ Association
- Right2Know-Preliminary Position
[21 November 2015] Reminder that submissions on the Cybercrimes and Cybersecurity Bill 2015 are due on Monday 30 November 2015.
[5 November 2015] The Minister of Telecommunications and Postal Services launched the Cybersecurity Hub on 30 October 2015. The Hub is situated at www.cybersecurityhub.gov.za.
In short, the functions of the hub will be, among others, to:
- Receiving incident reports from stakeholders and establishing clear incident management processes.
- Disseminating information to stakeholders about threats and attacks as a pre-emptive measure as well as mitigating procedures against emerging attacks
- Creating an archive of lessons learnt to ensure ease of access in dealing with future threats and vulnerabilities
- In the case of cyberbullying involving Cybersecurity Hub legal entities and assisting with escalating attacks to the relevant authorities
- And chairing of scheduled meetings with reporting and trending attacks and incidents for the specific period.
The hub will become a point of reference for citizens in as far as cybersecurity issues are concerned providing a repository of information regarding the do’s and don’ts of Internet for children, best practice guide for parenting on the Internet and how the average South African can protect against malicious attacks, identity theft and online financial security. The hub will create platforms to allow parents to share information on how to manage their children online and also provide links to Internet resources to assist both children and parents.
For the very first time in South Africa, the hub will ensure collaboration between businesses and create a platform for partnership between government and the private sector on cybersecurity. It will also facilitate the leveraging of high end cybersecurity capacity which is scarce as we build confidence and trust among stakeholders and place our nation in a better position to respond to cybersecurity in a much more coordinated manner. The shared information also provides an opportunity for cost savings as the hub’s expertise will allow for quicker incident recovery, which can translate to less money spent on incident response.
Cybersecurity incidents are to be reported to firstname.lastname@example.org.
[11 September 2015] The link below is to a 45-minute presentation on cybercrime and the law in South Africa which was delivered during the Internet Service Providers’ Association iWeek Conference (so the focus is on how it impacts on ISPs).
[28 August 2015] The Department of Justice & Constitutional Development has published The Cybercrimes and Cybersecurity Bill and an accompanying Discussion Document for public comment.
The deadline for submissions is 30 November 2015. Comments can be sent by fax 012 406 4632 or email email@example.com marked for the attention of Mr S J Robbertse.
The Bill aims to deal with various aspects relating to cybercrime and cybersecurity and to that extent the Bill –
- creates offences and prescribes penalties;
- further regulates jurisdiction;
- further regulates the powers to investigate, search and gain access to or seize items;
- further regulates aspects of international cooperation in respect of the investigation of cybercrime;
- provides for the establishment of a 24/7 point of contact;
- provides for the establishment of various structures to deal with cyber security;
- regulates the identification and declaration of National Critical Information Infrastructures and provides for measures to protect National Critical Information Infrastructures;
- further regulates aspects relating to evidence;
- imposes obligations on electronic communications service providers regarding aspects which may impact on cybersecurity;
- provides that the President may enter into agreements with foreign States to promote cybersecurity;
- repeals and amends certain laws; and
- provides for matters connected therewith.
Any person or entity, who wants to meet with the Department to discuss any aspect of the Bill must make the necessary arrangements with the Department. Any meeting with regard to the Bill will take place at the Department of Justice and Constitutional Development, unless expressly agreed to otherwise by the Department.
[22 May 2015] The Deputy Minister of Justice and Correctional Services indicated in his Budget Speech for the 2015/2016 financial year that the Cybercrimes and Related Matters Bill will be released for general comment in the near future. This confirms that there will be an opportunity for the public to comment prior to the Bill being introduced into Parliament.
The Cybercrimes and Related Matters Bill is aimed at strengthening the criminal justice system as envisaged in the National Development Plan, by introducing measures which are aimed at combatting cybercrime. It will be released for public comment by the Department in the near future before being introduced into Parliament.
Interestingly, in his Budget Speech, the Minister noted that a “conviction rate of 95% was achieved in respect of cybercrime”.
[6 May 2015] The Minister of State Security, Mr David Mahlobo, gave his Budget Vote Speech for the 2015/2016 financial year on 05 May 2015. This included a section dedicated to cybersecurity and cybercrime. While the speech for the most part is taken from an earlier speech (see previous post below), the following is noteworthy:
Working with universities and other research institutes like the CSIR to build the cybersecurity pipeline through competitive scholarship, fellowship, and internship programs must be our preoccupation to attract top talent and develop systems that have command and control in our hands, national sovereignty.
This financial year, 2015/16 we plan to move with speed to:
a) Enhance the institutional cybersecurity capacity
b) Finalize the national cybersecurity policy and legislation
c) Working with the security cluster to present the Cyber Security Bill before Cabinet this year
d) Build on our first symposium work held this year to promote partnership and public cybersecurity awareness campaign designed to increase public understanding of cyber threats and promote simple steps the public can take to increase their safety and security online.
e) Strengthen our cooperation in this space with our SADC, AU and BRICS partners through existing mechanism.
f) Prioritize the establishment of the Cybersecurity Centre and the repositioning of the current Electronic Communications Security Computer Security Incident Response Team (ECS-CSIRT) to become a Government CSIRT
[12 March 2015] The Minister of State Security provided some insights into what is happening in South Africa regarding Cybersecurity in the course of a speech made at a Cybersecurity Symposium held in Johannesburg on 1 March 2015.
The express purpose of the speech was to lay the ground for the upcoming public consultation on the Cybercrimes and Related Matters Bill, currently the subject of a closed consultation but expected to be published in the Government Gazette in the next month.
There is a clear statement that cybersecurity is the domain of the security cluster.
“The Government’s approach in dealing with this matter is premised on the policy principle that National security, which includes the security of the Information and Communications Technologies in the country, is a responsibility of the structures responsible for security in the Republic.”
This is in the context of statements from the Department of Telecommunications and Postal Services and the Department of Communications that they also wish to play a role in these matters.
Information regarding the National Cybersecurity Policy Framework 2012 (NCPF) is hard to come by, so the following is of interest:
In March 2012, Cabinet approved a National Cybersecurity Policy Framework (NCPF) which seeks to, amongst others, deal with the following:
a. Centralize coordination of Cybersecurity activities within SA so as to have a coordinated approach to cybercrime, national security imperatives and enhance the information society and knowledge based economy;
b. Strengthen intelligence collection, investigation, prosecution and judicial processes, in respect of preventing and addressing cybercrime, cyber terrorism and cyber warfare;
c. Anticipate and confront emerging cyber threats, in particular threats to National Critical Information Infrastructure and coordinate responses thereto;
d. Foster cooperation and coordination between Government, the private sector and civil society including ensuring that South Africa becomes a critical contributor to international cooperation on Cybersecurity matters.
e. Develop skills, Research and Development capacity, promote Cybersecurity culture and promote compliance with appropriate technical and operational Cybersecurity standards.
The Cybersecurity Response Committee (CRC) – a strategic body chaired by the SSA – is responsible for priority setting and overseeing the implementation of the NCPF.