Questions are being raised over the feasibility of the Cyber Commissioner Bill, officially known as the Constitution Twentieth Amendment Bill, in South Africa.
The Bill was introduced to Parliament in 2023 by Glynnis Breytenbach, a former prosecutor for the National Prosecuting Authority and an MP for the Democratic Alliance.
It seeks to amend the Constitution of the Republic of South Africa to require national legislation to be enacted to establish a Cyber Commissioner as an independent Chapter 9 institution.
Furthermore, the Bill stipulates that the Cyber Commissioner would be key in safeguarding basic human rights as entrenched in the Constitution, and will possibly replace the role and responsibilities of the Information Regulator over time.
It states that South African government departments and critical infrastructure, at present, are not sufficiently protected against cyber threats, and state departments are also not properly equipped to protect sensitive public information against hacks.
According to the Bill, the current legislation dealing with cyber security is either insufficient, or only deals with the consequences.
Last week, the parliamentary portfolio committee on justice and constitutional development heard submissions from stakeholders on the proposed law.
Following the hearings, ITWeb asked some of the interested parties about their take on the Cyber Commissioner Bill.
Is it necessary?
Kgalalelo Masibi, spokesperson of the Department of Justice and Constitutional Development (DOJ&CD), says: “The question arises whether the fiscus will be able to fund the creation of an institution that will require vast financial and human resources, bearing in mind the very wide powers, functions and duties that the envisaged Cyber Commissioner will be exercising.”
She says SA already has laws that deal with cyber security, noting that the enactment of the Cyber Crimes Act, 2020 (Act No 19 of 2020) followed the approval of the National Cyber Security Policy Framework by Cabinet in 2012.
Masibi points out that a Cyber Security Hub has also been established under the mandate of the Department of Communications and Digital Technologies (DCDT).
She explains that the Cyber Security Hub is SA’s Security Incident Response Team, which is currently operational, and the State Security Agency has since undertaken work on the development of cyber security legislation.
“Part of this work includes an initiative to conduct an audit of all existing statutory structures and institutions exercising oversight over and performing powers, duties and functions in respect of cyber security.
“This work is being undertaken through the Cyber Response Committee, comprising several government departments, including the South African Police Service (SAPS), Department of International Relations and Co-operation and the DCDT. There are various structures exercising powers with regard to cyber crime and cyber security. The question may, therefore, be raised whether it is still necessary to amend the Constitution to establish a Cyber Commissioner as a Chapter 9 institution,” Masibi adds.
During the hearings, the DOJ&CD advised the portfolio committee to consider whether there is sufficient basis for creating a new constitutional entity, over and above existing efforts, especially where there is a lack of resources and expertise hampering current efforts. “It is unclear how the problem will be resolved with the creation of a new entity,” Masibi states.
The Information Regulator, an independent institution established in terms of section 39 of the Protection of Personal Information Act (POPIA), has also expressed some concerns over the Bill.
Headed by advocate Pansy Tlakula, the Information Regulator is empowered to monitor and enforce compliance by public and private bodies with the provisions of the Promotion of Access to Information Act (PAIA).
According to Nomzamo Zondi, spokesperson of the regulator, the Cyber Commission will not have positive value in regulating both POPIA and PAIA.
“The Cyber Commission does not fully encompass all aspects in the definition of processing of personal information, as it only confines itself to instances of cyber security and processing done through information technology infrastructure,” says Zondi.
“We propose that there be consideration to include the Information Regulator under Chapter 9 of the Constitution and expand its mandate to include cyber security. The regulator is already empowered by law to deal with some aspects of cyber security; its mandate should be expanded to include all aspects of cyber security.”
She notes that according to the Bill, the commission, among other powers and functions, is established to regulate cyber security incidents affecting public organisations by maintaining cyber security capabilities for all organs of state and entities dealing with public information.
“It is established to, over time, replace the role of the Information Regulator and there would be merging of entities dealing with matters related to cyber security and protection of personal information.
“We do foresee serious potential of overlapping in regulatory framework, which might obscure the regulatory objectives of the regulator and might hinder the development of both POPIA and PAIA,” Zondi adds.
Legal expert Lucien Pierce, partner at Phukubje Pierce Masithela Attorneys, also believes there will be a substantial overlap between the Information Regulator and Cyber Commissioner.
“In fact, the Bill is unequivocal in that it envisages the Cyber Commissioner eventually replacing the Information Regulator,” says Pierce.
He comments that the Cyber Commissioner Bill is different to the Cyber Crimes Act in that it creates an entity dedicated to addressing cyber crime proactively.
“Conversely, the Cyber Crimes Act defines what cyber crimes are and focuses more on the institutions that will investigate and prosecute cyber crime; eg, the SAPS and what is expected of them.”
Nonetheless, Pierce notes the concept of a Cyber Commissioner is a good one, saying at the moment, different pieces of legislation address different aspects of what the Cyber Commissioner Bill seeks to consolidate.
“For example, the State Security Agency is tasked with protecting and investigating cyber crime matters affecting the state.
“The Critical Infrastructure Act addresses protecting critical infrastructure and POPIA addresses privacy. At some point, even the Independent Communications Authority of South Africa conducted consultations on whether it should assume a ‘Cyber Commissioner’ type role.
“I also believe that consolidating responsibility for proactively protecting against cyber crime and empowering state entities to better protect citizens against, and fight, cyber crime, is a better use of state resources.
“The controversy though, is whether this means that if the Bill is ever passed into law, the Information Regulator’s days are numbered? Perhaps the solution is for the Information Regulator to be transformed into the Cyber Commissioner,” says Pierce.
Another legal expert, advocate Dirontsho Mohale of Baakedi Professional Practice, says the Information Regulator’s mandate extends to personal information, as defined in POPIA, and personal information of data subjects.
She explains that data subjects include private, public and other bodies that process personal information, and cyber security includes personal information and extends to the right to dignity, among other rights.
“When considering the cost of establishment and maintenance of a new institution and the overlapping mandates with the Information Regulator, it is not surprising that few members of the portfolio committee agree with the proposal of the Information Regulator.”
Mohale says that the commission’s powers allow for the amendment of existing legislation.
“If the Information Regulator’s mandate was extended to include that of the commission’s, the Regulator would be a Chapter 9 institution and could, therefore, amend POPIA, PAIA, the Cyber Crimes Act 19 of 2020 and other related Acts to align accordingly.
“The Bill, however, does not delve into the details of cyber crimes or related matters. It is already implied in the transitional arrangements, that the Commission for Cyber Crimes would be the same body that regulates the protection of personal information and cyber crimes.”