The newly enacted cybercrimes act and what it means for South Africans

• Africa

• Media - e-briefings
• Technology - Articles
• Telecoms - ebriefings

15-06-2021

The newly enacted Cybercrimes Act (“Act”) not only creates offences but also codifies and imposes penalties on cybercrimes and defines cybercrime as including, but not limited to, acts such as: the unlawful access to a computer or device such as a USB drive or an external hard drive; the illegal interception of data; the unlawful acquisition, possession, receipt or use of a password; and forgery, fraud, and extortion online.

The Act criminalises the disclosure of data messages which are harmful and the disclosure of data messages that contain intimate images and seeks to implement an integrated cybersecurity legislative framework to effectively deal with cybercrimes and address aspects pertaining to cybersecurity.

The Act creates 20 new cybercrime offences and prescribes penalties related to cybercrime. It provides overarching legal authority on how to deal with cybercrimes, by regulating how these offences must be investigated which includes searching, and gaining access to, or seizing items in relation to cybercrimes.

Section 3 of the Act makes provision for offences relating to personal information (as defined in the POPI Act) including the abuse, misuse, and the possession of personal information of another person or entity where there is reasonable suspicion that it was used, or may be used, to commit a cybercrime.

It provides for the establishment of a 24/7 point of contact for all cybercrime reporting, the establishment of various structures to deal with cybersecurity (which includes a cyber response committee, a cyber security centre, and a national cybercrime centre).

The Act imposes an obligation on electronic communications service providers (“ECSPs”) and financial institutions, such as banks, to report cyber offences within 72 hours of becoming aware of them. They must preserve any information which may be of assistance in the investigation, and they are required to work with law enforcement, where applicable, in the investigation of cybercrimes. In certain instances, this may involve the handing over of data and hardware. ECSPs and financial institutions must report cyber offences without undue delay and within 72 hours of becoming aware of them, failing which, they may be liable to a fine of up to R50,000.

The Act provides the South Africa Police Services with the authority to not only investigate, search, access and seize but to also co-operate with foreign states to investigate cybercrimes. Further, the National Director of Public Prosecutions is obligated, in terms of the Act, to compile a report on the number, and results of prosecutions for cybercrimes for the National Prosecuting Authority.

The Act further affords South African courts with jurisdiction to adjudicate over any act or omission alleged to constitute an offence under the Act and affecting a person in South Africa, even in instances where such a defined cybercrime is committed outside of South Africa.

More importantly, the Act prescribes certain sentences for offenders, which entail fines ranging from R5 million to R10 million and/or imprisonment ranging from 5 to 10 years, with other more serious offences attracting imprisonment of up to 15 years and an imprisonment period not exceeding 25 years for computer related terrorist activity and related offences. The Act imposes lesser sentences for the dissemination of data messages which advocates, promotes, or incites hate, discrimination, or violence to imprisonment not exceeding 2 years, or a fine.

The courts have also been afforded with a discretion to impose any sentence that it deems appropriate under section 276 of the Criminal Procedure Act 51 of 1977 to anyone that is found guilty of cyber fraud, cyber forgery, and uttering.

Individuals will need to educate themselves and be very careful when corresponding, especially over social media. Companies, especially ECSPs and financial institutions, will need to initiate training and programmes to ensure compliance with the Act.