President Cyril Ramaphosa has signed the Cybercrimes Bill into law, bringing South Africa’s cybersecurity laws in line with the rest of the world.
The bill, which is now an act of parliament, creates offences for and criminalises, amongst others, the disclosure of data messages which are harmful, says Ahmore Burger-Smidt, director and head of Data Privacy Practice at Werksmans Attorneys.
Examples of such data messages include:
- Those which incite violence or damage to property;
- Those which threaten persons with violence or damage to property;
- Those which contain an intimate image sent without the subject’s consent.
Other offences include cyber fraud, forgery, extortion and theft of incorporeal property, said Burger-Smidt.
“The unlawful and intentional access of a computer system or computer data storage medium is also considered an offence along with the unlawful interception of, or interference with data.”
“This creates a broad ambit for the application of the Cybercrimes Act which defines ‘data’ as electronic representations of information in any form.”
A person who is convicted of an offence under the Cybercrimes Act is liable to a fine or to imprisonment for a period of up to fifteen years or to both a fine and such imprisonment as may be ordered in terms of the offence.
Impact on businesses
Burger-Smidt said that the Cybercrimes Act will be of particular importance to electronic communications service providers and financial institutes as it imposes obligations upon them to assist in the investigation of cybercrime.
This includes furnishing a court with certain particulars which may involve the handing over of data or even hardware on application.
“There is also a reporting duty on electronic communications service providers and financial institutions to report, without undue delay and where feasible, cyber offences within 72 hours of becoming aware of them.
“A failure to do so may lead to the imposition of a fine not exceeding R50,000,” she said.
Burger-Smidt said that the act will also have an impact on businesses, especially considering its overlap with the Protection of Personal Information Act (Popia), amongst other regulatory codes and pieces of legislation.
Popia, which deals with personal information, aims to give effect to the right to privacy by protecting persons against the unlawful processing of personal information.
“One of the conditions for lawful processing in terms of Popia is security safeguards which prescribes that the integrity and confidentiality of personal information must be secured by a person in control of that information,” she said.
“This is prescribed by Popia in order to prevent loss, damage or unauthorised access to or destruction of personal information.”
Burger-Smidt said that Popia also creates a reporting duty on persons responsible for processing personal information whereby they must report any data breach to the Information Regulator within a reasonable period of time.
“In light of the above, companies should be cognisant of their practices especially in dealing with data or information,” she said.