The Cybercrimes Bill was signed by President Cyril Ramaphosa on 26 May 2021. The Bill is now an act of Parliament, being the Cybercrimes Act No 19 of 2020 (“Cybercrimes Act”), and will come into effect on a date to be proclaimed in the Government Gazette. The Cybercrimes Act aims to align South Africa’s cybersecurity laws with the rest of the world and the objectives thereof include, inter alia, to criminalise the unlawful access, use and disclosure of data which may potentially be harmful by creating various new criminal offences, each with different penalties depending on the severity of the offence (“Offence”). In this article we will consider the various Offences, the penalties associated with each Offence and whether or not there are reporting responsibilities associated with such Offences.
What are the “Cybercrimes”?
Chapter two of the Cybercrimes Act stipulates that it is an Offence for any person, whether it be a juristic or natural person, to unlawfully and intentionally –
- access a computer system (“Computer”) or computer data storage medium (“Storage Device”);
- intercept data and/or be in possession of unlawfully and intentionally intercepted data;
- use or be in possession of a software or hardware tool for the purpose of committing an Offence;
- interfere with data or a computer program;
- interfere with a Storage Device or Computer;
- acquire, possess, provide to another person or use a password, access code or similar data or device for the purpose of committing an Offence;
- with the intention to defraud, make a misrepresentation by means of data or computer program or through any interference with data, a computer program, a Storage Device or a Computer cause actual or potential prejudice to another person;
- with the intention to defraud, make or passes off false data or a false computer program to the actual or potential prejudice of another person;
- commit or threaten to commit any Offence for the purpose of obtaining any advantage from another person or compelling another person to perform or abstain from performing any act;
- distribute a data message or intimate image of another person without consent; or
- disclose a data message which incites:
- the causing of damage to property belonging to; or
- violence against,
another person or which threatens a person with:
- damage to property; or
Offenders should be aware that along with the various new Offences that are created by the Cybercrimes Act there are also new penalties which are imposed upon conviction of one of these Offences. These penalties can range between 5 years for the unlawful access of a Computer or Storage Device to 15 years for the most severe of the offences listed in section 11(1) of the Cybercrimes Act. In addition, it should be noted that the Cybercrimes Act also makes provision for competent verdicts which mean that where evidence fails to prove the crime that was specified, and instead proves beyond reasonable doubt an alternative crime, the offender may be found guilty of such alternative crime.
Section 54 of the Cybercrimes Act sets out the reporting obligations of electronic communications service providers (“ECSP”) and financial institutions. This section provides that ECSPs and financial institutions must, within 72 hours after becoming aware of an Offence, report such Offence to the South African Police Service in the prescribed manner and form. Any ECSPs or financial institutions that fail to comply with such reporting obligations will be guilty of an offence and on conviction a fine not exceeding R50 000.
The impact which the Cybercrimes Act will have on businesses is still unknown, and to a large degree concerning, if one takes into account the considerable overlap which it has with legislation such as the Protection of Personal Information Act No 4 of 2013. It is therefore imperative that businesses and individuals educate themselves on the Cybercrimes Act and ensure that their adequate policies and procedures are in place to prevent businesses from falling foul of the provisions of the Cybercrimes Act.
VDMA’s team of experts are available to assist you and your business with conducting training on the Cybercrimes Act and/or any other Cybercrimes Act compliance needs you may have.
Published 22 June 2021