
Revised cyber crimes Bill irons out sticking points

By Admire Moyo, ITWeb news editor.
Johannesburg, 12 Dec 2017
The Bill proposes revisions to the offences of unlawful access to data, incitement of violence and cyber bullying.

The Department of Justice and Constitutional Development has moved to address some sticking points that had tarnished the Cybercrimes and Cybersecurity Bill.

The Bill aims to give SA a co-ordinated approach to cyber security, as the country currently has no legislation that addresses cyber crimes.

There was an outcry over the initial draft Bill, with several critics saying it was too broad and open to abuse, and it threatened the fundamental democratic spirit of the Internet.

However, the Department of Justice and Constitutional Development recently published responses to the public comments received on the Bill, which was tabled in Parliament in February 2017.

Offence revision

Several further amendments to the Bill are proposed, including revisions to the offences of unlawful access to data, incitement of violence and cyber bullying.

The Bill also proposes a revised definition of "computer", in response to a comment that the definition should include technology that performs physical actions, such as self-driving cars, Internet of things devices and medical devices.

"Computer" now includes devices which are related to, connected with or used with programmable electronic devices.

Also suggested is a new definition of "electronic communications identity number", which includes a telephone number, mobile number, e-mail address, IP address, URL or other subscriber number.

Under the law, an electronic communications service provider may be required to give this information to a court, together with the identity of the subscriber, to assist in protecting the victim of revenge porn, cyber bullying or incitement of violence.

It also proposes discretion in the amount of the fine imposed on an electronic communications service provider or financial institution for failing to report certain cyber crimes to the South African Police Service or to preserve information relating to these crimes. The fine may not exceed R50 000, as opposed to being an automatic fine of R50 000.

The department will also consult with the Film and Publication Board (FPB) to ensure a consistent definition of "child pornography" in the Bill, the Sexual Offences Act and the Films and Publications Act. The FPB is responsible for classifying films, games and publications and must refuse classification of any containing child pornography.

If these proposals are accepted by the Portfolio Committee on Justice and Constitutional Development, they will be included in the Bill.

Final version

Kerri Crawford, senior associate at Norton Rose Fulbright.

"It seems that we may be getting close to a final version," says Kerri Crawford, senior associate at law firm Norton Rose Fulbright.

She notes that many of the concerns that had been raised have been addressed in the revised draft of the Bill, citing as an example the obligations on electronic communications service providers and financial institutions.

Crawford says the initially broad obligations in Chapter 9 to inform organisations of cyber crime trends and measures to secure themselves, as well as the penalty for failing to do so, have been removed.

She explains that only those offences prescribed by the relevant ministers by notice in the Government Gazette must be reported to the South African Police Service within 72 hours where feasible.

Failure to report will attract a single penalty of R50 000 and no longer a penalty of R10 000 per day while the failure continues.

"The revised draft explicitly states that electronic communications service providers and financial institutions are not required to monitor the data which they transmit or store, or actively search for unlawful activities.

"Chapter 9 no longer applies to any person who transmits, receives, processes or stores data on behalf of another person."

Instead of the eight proposed new government structures in the first draft Bill, the revised Bill provides for only two - a 24/7 point of contact to facilitate and speed detection, investigation and prosecution of cyber crimes; and a cyber response committee responsible for implementing government policy relating to cyber security.

Crawford states the remaining proposed structures have been replaced with obligations on the ministers of security, police, defence and telecommunications to establish and implement measures relating to security, policing, defence and communications.

Pending issues

She points out the revised Bill is much better in many respects than the first draft. "There are still a few issues that need to be ironed out, which will hopefully be done in the amendments proposed by the department.

"However, no piece of legislation - particularly in a new area - is ever immune to challenges, particularly when taken out of the academic world and put into practice."

According to Crawford, the department has proposed several amendments to the Bill, so if these are accepted by the Portfolio Committee, the Bill will be revised to include these amendments.

"It is unclear whether there will be another round of public comments, although this seems unlikely given that there have already been two rounds. If not, the Bill will go straight to the National Assembly once revised," she notes.

Crawford points out this Bill has moved through the legislative process more quickly than some of the others, like the Protection of Personal Information Act, for example. However, she says, even if it were to be passed in the next couple of months, commencement may be delayed.
