The Cybercrime Bill is now Law

Technological advances have led the path for new digital markets, but it also accounts for a new realm of criminality. South Africa has seen a boom in international cybercrime trends in recent years. Thus, the need to be informed and aware of what is considered criminal and what can be done legally to remedy the harm caused by such criminal activity, has become a pressing topic for parliament. In light of the aforementioned, the new Cybercrime Bill has been passed to aid those who are victims to cybercrime daily.  

When will the new Bill be law?

The Cyber Bill has been undergone significant exploration however, the Bill has no effective date in place. The National Council of Provinces passed the Cybercrime Bill on 1 July 2020 however the President has assented to the Bill and it is now an Act. The Bill was subjected to a great deal of public participation and parliament has added several amendments to the Bill. The Bill has received presidential assent and thus far not constitutional inconsistencies have been found. Initially, Bill was divided into two parts, “Cybersecurity” and “Cybercrimes”. Cybersecurity was particularly problematic as it seemed to exacerbate the scope of governmental powers and limited the constitutional right to privacy as outlined by section 16 of the Constitution. Interestingly, the whole section of the original Bill on Cybersecurity has now been removed and the new Act has been renamed to the “Cybercrime Act” which now only refers to cybercrimes.

What is considered criminal under the new Act?

The new Act has some overlap with the already existent Electronic Communications and Transactions Act of 2002 however modern-day cybercrimes have demanded a new approach and scope in the law. The Act criminalises the following;

  • Unlawful Access: the unlawful and international access to data, including a computer program, a computer data storage medium or a computer system. This is more commonly known as “hacking.”
  • Unlawful interception: the acquisition, viewing, capturing or copying of data of a non-public nature through the use of the hardware or software tools used in the commission of cybercrime. 
  • Unlawful acts the software and hardware tools: Being the unlawful and intentional use or possession of the software and the hardware tools that are used in the commission of the cybercrimes (such as hacking and an unlawful interception)
  • Unlawful interference: with data, computer programs, storage mediums and computer systems – this would be considered unlawful and intentional interference with data or device containing personal information.
  • Cyber Fraud: this is a fraud that is committed using data, a computer program, data storage device or a computer storage medium that is used to intercept data.
  • Cyber Forgery: designing fraudulent computer programs or false data with the intent to defrauding others.
  • Cyber Uttering:  refers to the presentation of fictitious data or computer programs to defraud.
  • Malicious communications: which refers to the distribution of data messages with the intent to encourage the causing of damage to any property belonging to, or to encourage violence against, or to threaten a person or persons, including the distribution of “revenge porn.”

What are the Penalties for contravening the Cybercrimes Act?

The Act is clear on the seriousness of cybercrimes and therefore punishment is prescribed upon conviction. Offenders risk fines and imprisonment that could range from five to 10 years and aggravated offences could lead to imprisonment of up to 15 years. In the case of the offences of Cyber fraud, Cyber forgery and Uttering, the new Act provides for a broad scope of penalties. These penalties could be imposed on anyone convicted of these cybercrimes. The courts have the discretion to impose a penalty that it deems fit under section 276 of the Criminal Procedure Act 51 of 1977. These penalties could then vary from an unspecified fine, a term of imprisonment, correctional supervision and even the declaration of the offender as a habitual criminal.

How will the Bill affect your Organisations?

Organisations have been some of the most affected by cybercrime. Although organisations have been the victims of cybercrime it has become clear how important their participation in cybercrime prevention is. The Cybercrime Act, therefore, places an onus on businesses, Electronic Communication Service Providers (ECPS) and financial institutions such as banks, in curtailing the commission of cybercrimes. ECPS’s and financial institutions will have an obligation to report cybercrimes and persevere evidence relating to the commission of cybercrimes. If financial institutions and ECPS’S fail to comply with this obligation they would risk conviction and a fine of up to R50 000. Additionally, organisations who fall victim to cybercrimes must be cooperative and transparent about the commission of the crime and the information they are privy to surrounding the crime. There are instances in which the offenders of cybercrime are employees of organisations. There then exists an onus on such organisations to cooperate with lawful investigations, as necessary. This includes compliance with search warrants and court orders as directed by law enforcement.

The Act allows a morden-day approach to modern day crimes. The Cybercrimes Act cannot be seen in isolation to other pieces of legislation such as POPI and regulatory codes also deal with the subject. Questions arise as to how effectively the state will be able to respond to crimes reported, especially if local SAPS is tasked with policing the Act. Nevertheless, the Cybercrime Act is a necessary step in cybercrime prevention and is greatly welcomed.

This article was written by Candice Belang. Candice is a candidate attorney at Mayet & Associates