SA’s Cyber Crimes Bill edges forward amid increased attacks


With more South Africans now working from home, it has amplified the need for the country’s Cyber Crimes Bill, which has been years in the making, to become law.

This is the sentiment shared by legal experts commenting on the latest developments concerning SA’s legislation that deals with cyber crimes.

During a virtual meeting recently, the Select Committee on Security and Justice in the National Council of Provinces (NCOP) adopted the Cyber Crimes Bill with the proposed amendments.

The decision comes as the world, including SA, witnesses revved up cyber attacks in the wake of the disruption caused by the COVID-19 pandemic. Mimecast’s 100 Days of Coronavirus threat intelligence report shows the volume of cyber crime attacks increased by 33% from January to March.

Lisa Emma-Iwuoha, ICT attorney at law firm Michalsons, describes the development in the Cyber Crimes Bill process as an important step forward in making it law.

“What we have been saying from the moment the Cyber Crimes Bill was announced was that we need this law. We need a law that properly deals with cyber crime but that law needs to be effective and not have unintended consequences, which has been the main issue with this Bill since it was first introduced.

“The need for this law has increased with more people working remotely and the likelihood that criminals will take advantage of this to create more victims of cyber crimes. It is important that we have a law in place that can assist people should this happen.”

Amanda Manyame, tech law advisor at Endcode, points out that the increased number of people working from home means there is reduced security, as not every organisation is making use of virtual private networks, firewalls or other security measures that are used to ensure security when working online.

This, according to Manyame, adds to the already high levels of cyber attacks and cyber crimes in SA. “The Bill, when it becomes an Act, will hopefully deter cyber criminals and cyber crimes, as well as prompt organisations to reasonably provide for security measures for employees working remotely.”

Changing along the way

In 2015, the Department of Justice and Constitutional Development (DOJ) initiated the process to establish decisive policy in the form of the Cyber Crimes Bill, responding to the country’s lack of legislation in this area.

The initial draft Bill was not well received, with critics saying it was too broad and open to abuse, and a threat to the fundamental spirit of the Internet, which is open and democratic.

Subsequent changes to the Bill, including the removal of some of the security obligations, saw it drop the ‘security’ part of the originally named Cyber Crimes and Cyber Security Bill.

In November 2018, it was adopted by the National Assembly, and transferred to the NCOP for agreement, to eventually reach the president to be signed into law. However, last year’s general elections and newly proposed amendments to the Bill put the brakes on the finalisation of the process.

The NCOP committee has now agreed on the proposed amendments, which include altering the tone of the Bill to reflect non-binary language as required by considerations of gender-neutrality, equality, dignity and identity, and the restructuring of clause 16 to specifically reflect the impact of the considerations in criminalising the disclosure of data messages of intimate images.

Committee chairperson Shahidabibi Shaikh said all the concerns raised by the committee were addressed by the DOJ and the Parliamentary legal advisor in the Bill. “This Bill, once enacted, will be the first non-binary legislation to be passed in South Africa,” highlights the chairperson.

About the Bill, the committee explains: “The Bill aims to create offences that have a bearing on cyber crime, criminalise the distribution of harmful data messages and to provide for interim protection orders, further regulate jurisdiction in respect of cyber crimes, further regulate the powers to investigate cyber crimes, and also further regulate aspects relating to mutual assistance in respect of the investigation of cyber crime.

“It provides for the establishment of a designated point of contact, further provides for the proof of certain facts by affidavit, imposes obligations to report cyber crimes, provides for capacity-building, and provides that the executive may enter into agreements with foreign states to promote measures aimed at the detection, prevention, mitigation and investigation of cyber crimes.”

Moves in the right direction

Manyame welcomes the adoption of the Bill by the NCOP, saying it will provide much-needed legal clarity with regard to cyber crimes in the country.

Additionally, with the ongoing development of technology, it is crucial to provide descriptions of actions or inactions that are prohibited by law, as well as clear recourse for victims of cyber crimes, she says.

“The Bill provides for the powers to report cyber crimes, investigate cyber crimes, penalties and legal recourse, which is currently not adequately provided for, or difficult to prosecute.

“Also, the penalty clauses provide for up to 15 years imprisonment or a fine or both, depending on the offence. Furthermore, obligations are placed on electronic communications service providers and financial institutions to report offences within 72 hours of them becoming aware of the offence being committed on its computer system.

“The Bill also aligns cyber crimes with the Protection of Personal Information Act, 2013, which is ideal because of the amount of personal data that is being collected, processed and stored during the national lockdown period.”

In regards to the next step towards the Bill becoming a law of the land, it will have to go back to the National Assembly, according to Emma-Iwuoha.

The National Assembly will either accept or reject the Bill with the proposed amendments before it can go to the president to be signed into law, she concludes.