Cybercrime policies / strategies
The National Cybersecurity Policy Framework (NCPF) for South Africa was developed by the Justice, Crime Prevention and Security Cluster in South Africa in an effort to create a framework to investigate and combat cybercrime. It was approved by Parliament in 2012 but only published in the government gazette in December 2015. The key objectives of the NCPF are to:
- Centralise coordination of cybersecurity activities by facilitating the establishment of relevant structures, policy frameworks and strategies in support of cybersecurity in order to combat cybercrime, address national security imperatives and to enhance the information society and knowledge-based economy;
- Foster cooperation and coordination between government, the private sector, and civil society by stimulating and supporting a strong interplay between policy, legislation, societal acceptance, and technology;
- Promote international cooperation;
- Develop requisite skills, research and development capacity;
- Promote a culture of cybersecurity;
- Promote compliance with appropriate technical and operational cybersecurity standards.
Cybercrime legislation
State of cybercrime legislation
Since 2015, the South African government has been working on cybercrime legislation, with the stated aim of bringing South African law in line with international standards and creating specific offences for cyber-related crime such as online fraud, forgery, extortion and terrorism. Chapter XIII of the Electronic Communications and Transactions Act, 2002 was South Africa’s first attempt at defining cybercrimes and the related penalties.
In 2015, a draft Cybercrimes and Cybersecurity Bill drew significant opposition from civic groups, the public, and many parts of industry, on the basis that the draft Bill would infringe on internet freedom and expand the state’s surveillance powers.
In October 2018, Parliament began deliberations on a significantly revised version of the Bill, now called the Cybercrimes Bill, which the justice department tabled. All provisions relating to cybersecurity have been removed from the Bill, and the provisions around ‘malicious communications’ narrowed.
The Bill was adopted on June 1 2021 as The Cybercrimes Act Nr. 19 of 2020.
Substantive law
The Government of South Africa has implemented various pieces of legislation that touch on cybercrime and the substantive law provisions of the Budapest Convention. Most notable in this regard are the Electronic Communications and Transactions Act 25 of 2002 (ECT Act) and The Cybercrimes Act Nr. 19 of 2020. South Africa has also drafted and partially implemented the Protection of Personal Information Act 4 of 2013. Other South African legislation with cybersecurity aspects is mentioned below.
Cybercrimes Act Nr. 19 of 2020
In terms of substantive criminal law provisions, Chapter II, p. I of the Cybercrimes Act (“Act”) not only creates offences but also codifies and imposes penalties on cybercrimes and defines cybercrime as including, but not limited to, acts such as:
- the unlawful access to a computer or device such as a USB drive or an external hard drive;
- the illegal interception of data;
- the unlawful interference with data or a computer program;
- the unlawful acquisition, possession, receipt or use of a password;
- forgery, fraud, theft, and extortion online.
The Act criminalizes the disclosure of data messages which are harmful and the disclosure of data messages that contain intimate images and seeks to implement an integrated cybersecurity legislative framework to effectively deal with cybercrimes and address aspects pertaining to cybersecurity.
The Act creates 20 new cybercrime offences and prescribes penalties related to cybercrime. It provides overarching legal authority on how to deal with cybercrimes by regulating how these offences must be investigated, which includes searching and gaining access to or seizing items in relation to cybercrimes.
Section 3 of the Act makes provision for offences relating to personal information (as defined in the POPI Act) including the abuse, misuse and the possession of personal information of another person or entity where there is reasonable suspicion that it was used, or may be used, to commit a cybercrime.
It provides for the establishment of a 24/7 point of contact for all cybercrime reporting, the establishment of various structures to deal with cybersecurity (which includes a cyber response committee, a cyber security centre and a national cybercrime centre).
Electronic Communications and Transactions Act 25 of 2002 (ECT Act)
South Africa has adopted specific cybercrime legislation through the Electronic Communications and Transactions Act. Chapter 13 of this Act criminalizes certain conduct such as:
- Unauthorized access to information or interception of information (section 86(1));
- Unauthorized intentional interference resulting in modification, rendering ineffective or destruction of information (section 86(2));
- Overcoming security measures which protect data, including the sale, distribution or possession of a device that is meant to be used to overcome security measures (sections 86(3) and 86(4));
- A complete or partial denial of service attack (section 86(5));
- Computer-related extortion, fraud and forgery (section 87); and
- Attempt, and aiding and abetting in any of the abovementioned acts (section 88).
Chapter XI of the ECT Act limits the liability of Internet Service Providers (ISPs) for illegal content on condition that the Service Provider is a member of an industry representative body and has adopted and implemented the code of conduct of that representative body; one example of such a body is the Internet Service Providers’ Association (ISPA). ISPs that are mere conduits, or that provide caching or hosting services, are not liable for illegal content under certain conditions, as set out below:
A mere conduit will not be liable if it does not initiate the transmission, does not select the addressee, performs the functions in an automatic, technical manner without selection of the data and does not modify the data contained in the transmission.
A service provider that provides caching services is not liable if it does not modify the data, complies with conditions on access to the data, complies with rules regarding the updating of the data (specified in a manner widely recognised and used by industry), does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain information on the use of the data and removes or disables access to the data it has stored upon receiving a take-down notice. Take Down Notifications of unlawful activity are addressed to service providers upon finding illegal content.
A service provider that provides a hosting service is not liable if it does not have actual knowledge that the data message or an activity relating to the data message is infringing the rights of a third party; or is not aware of facts or circumstances from which the infringing activity or the infringing nature of the data message is apparent and upon receipt of a take-down notification, acts quickly to remove or to disable access to the data.
Critical Databases, declared important for the protection of national security of the Republic or the economic and social well-being of citizens, are regulated in Chapter IX of the ECT Act and are to be registered and administered in light of the security of the databases and the physical safety of persons in control of them, according to Ministerial provisions. Such critical database management is audited by the Director-General, and if non-compliance is found the critical database administrator is notified of remedial action. If he or she fails to incorporate the remedial action, he or she is guilty of an offence.
Cryptography providers are regulated in Chapter V of the ECT Act and must be registered with the Director-General in order to provide cryptography services and/or products in South Africa. Application for registration must be in the prescribed manner. Cryptography providers are obligated to keep confidential trade secrets and confidential information. Information concerning cryptography providers that is contained in the register is confidential to Department employees.
Together with the Consumer Protection Act 68 of 2008, the ECT Act regulates unsolicited communications (SPAM). These provisions will, however, be overturned with the implementation of newer SPAM provisions as per the Protection of Personal Information Act 4 of 2013, which has not yet fully come into effect.
Films and Publications Act 65 of 1996
The Films and Publications Act imposes a statutory responsibility on Internet Service Providers to prevent the distribution of child pornography in South Africa.
Procedural law
The main legislative acts of South Africa that touch upon the procedural law provisions of the Budapest Convention are listed below.
Cybercrimes Act Nr. 19 of 2020
In terms of procedural law provisions, Chapter IV of the Cybercrimes Act (“Act”) refers to powers to investigate, search, access or seize, such as:
- Search for, access to, or seizure of certain articles
- Article to be searched for, accessed or seized under or without search warrant
- Search for, access to, or seizure of article on arrest of person
- Assisting, obstructing or powers conferred to police official or investigator
- Interception of indirect communication and obtaining of real-time communication-related information
- Expedited preservation of data direction
- Preservation of evidence direction
- Disclosure of data direction and search for, access to, and seizure of articles subject to preservation
- Obtaining and using publicly available data or receiving data from person who is in possession of data.
The Act imposes an obligation on electronic communications service providers (“ECSPs”) and financial institutions, such as banks, to report cyber offences without undue delay and within 72 hours of becoming aware of them, failing which they may be liable to a fine. They must preserve any information which may be of assistance in the investigation, and they are required to work with law enforcement, where applicable, in the investigation of cybercrimes. In certain instances, this may involve the handing over of data and hardware.
The Act provides the South African Police Service with the authority not only to investigate, search, access and seize but also to co-operate with foreign states to investigate cybercrimes.
RICA (the Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002) implements state surveillance (data collection) as an investigatory method for serious crime committed on the Internet. Both direct and indirect communications are included. Interception, data retention, decryption and monitoring are included as methods of surveillance.
Electronic Communications and Transactions Act 25 of 2002 (ECT Act)
The ECT Act makes provision for the appointment of cyber inspectors to monitor and inspect, and to search and seize upon warrant, any premises or information system with regard to cybercrime investigation (section 82). However, no such inspectors have been assigned.
The ECT Act also gives evidential weight to data messages that reach certain criteria (section 15).
Financial Intelligence Centre Act 38 of 2001 (FIC Act)
This Act is aimed at financial fraud and money laundering prevention. An obligation is placed upon companies to keep certain records (records may be in electronic form) in order to prevent criminal fraudulent activity. The Act prohibits the failure to keep certain records as well as the destruction of or tampering with such records. Movement of cash to and from the Republic is also regulated, particularly the electronic transfer of money to and from the Republic, also for the purpose of preventing fraud.
Prevention of Organised Crime Act 121 of 1998
Section 71, on access to information, states that the National Director may require any person employed in or associated with a Government Department or statutory body to produce all information reasonably required for any investigation of organised crime, including electronically stored information.
Electronic Communications Security (Pty) Ltd Act 68 of 2002
The main purpose of this Act is to provide for the establishment of a company that will create electronic communications security products and services for organs of state.
The functions of the company (Comsec) are as follows:
- Protect and secure critical electronic communications against unauthorized access or technical, electronic or other related threats;
- Provide verification services for electronic communications security systems, products and services used by organs of state with the concurrence of the National Intelligence Agency (of the Intelligence Services Act 38 of 1994);
- Coordinate research and development with regard to electronic communications security systems, products, services and other related services;
- Perform any other function not inconsistent with this Act necessary for the effective functioning of Comsec.
State Information Technology Agency Act 88 of 1998 Including Amendments of 2002
This Act establishes a company that is responsible for information technology services to the public administration. Objects of the Agency (SITA) are to improve service delivery to the public through information technology, information systems and related services in a secure environment to departments and public bodies, and to enable the efficiency of departments and public bodies through the use of information technology.
To reach its objectives, SITA must provide or maintain a private telecommunication network or a value-added network service in accordance with the Telecommunications Act of 1996, transversal information systems and data-processing or associated services for transversal information systems on behalf of a department and (possibly) public bodies.
Other functions may include:
- specialised training in information technology or information systems;
- application software development;
- maintenance services for information technology software or infrastructure;
- data-processing for department-specific information technology applications or systems;
- technical, functional or business support or research relating to information technology.
Cryptography Regulations (GN R216 in GG 28594 of 10 March 2006)
In accordance with section 94 of the ECT Act, these regulations describe the prescribed format that an application for registration as a cryptography provider must follow, in order to identify and locate the cryptography provider and his or her products or services. An application for registration in terms of the Act must be made to the Director-General by completing and submitting the relevant form.
Electronic Communications and Transactions Amendment Bill 2012
The amendment bill seeks to rewrite parts of the Electronic Communications and Transactions Act 25 of 2002. Once effective, this amendment will provide a right to remedy upon receipt of a take-down notice by ISPs and will also provide for the creation and aims of a Cyber Security Hub.
Safeguards
South Africa’s Bill of Rights, which is part of the Constitution of the Republic, protects the fundamental rights of its citizens. All cases, and thus all cyber security cases, are to be viewed in light of the Bill of Rights.
Protection of Personal Information Act 4 of 2013 (POPI Act)
This Act places obligations on any organisation or person (‘Responsible Party’), which collects personal information from what the Act terms ‘Data Subjects’.
Eight conditions for the collection and processing of personal information are described:
- Accountability of the Responsible Party;
- Processing Limitation (which limits the amount and type of information collected to the purpose of collection);
- Purpose Specification (which requires the Data Subject to consent to the specific purpose for which his or her information will be used);
- Further Processing Limitation (which limits secondary processing of personal information which is inconsistent with the original purpose of collection);
- Information Quality (which places the onus on the Responsible Party to ensure accuracy of the information);
- Openness (which requires the Responsible Party to be transparent with regard to the personal information that it collects);
- Security Safeguards (which imposes obligations on the Responsible Party to maintain the personal information in a reasonably secure manner);
- Data Subject Participation (which allows the Data Subject to request from the Responsible Party the particulars of the personal information that it has in its possession belonging to the Data Subject and correct it if necessary).
The Act contains provisions for the safety and integrity of personal information if it is moved across the border of the Republic and includes rules regarding direct marketing and unsolicited communications.
Related laws and regulations
- Cybercrimes Act Nr. 19 of 2020
- Criminal Procedure Act 1977 with 2008 Amendments
- Cryptography Regulations
- State Information Technology Agency Act 88 of 1998 Including Amendments of 2002
- Telecommunications Act of 1996
- Consumer Protection Act 68 of 2008
- Electronic Communications Act 36 of 2005
- Electronic Communications and Transactions Act 25 of 2002
- Electronic Communications and Transactions Amendment Bill 2012
- Films and Publications Act 65 of 1996
- Financial Intelligence Centre Act 38 of 2001
- National Gambling Amendment Act 10 of 2008
- Prevention of Organised Crime Act 121 of 1998
- Promotion of Access to Information Act 2 of 2002 (PAIA)
- Protection of Personal Information Act 4 of 2013 (POPI)
- Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002
- Copyright Act, 1978 (Act No. 98 of 1978, as amended up to Copyright Amendment Act 2002)
Specialised institutions
International cooperation
Competent authorities and channels
Section 39(1) of the Constitution of South Africa states that when interpreting the Bill of Rights, a court, tribunal or forum must take note of international law and may consider foreign law.
The Southern African Development Community (SADC) Model Law on Computer Crime and Cybercrime provides for the harmonisation of SADC region country policies towards cybercrime by primarily identifying cybercrime offences.
The Department of Justice and Constitutional Development is the primary institution involved in Mutual Legal Assistance and Extradition issues, receiving the extradition request from a foreign state via diplomatic channels.
Practical guides, templates and best practices
Jurisprudence / case law
- Casino Enterprise (Pty) Limited (Swaziland) v Gauteng Gambling Board and Others – online gambling offered to South African residents is illegal
- Narlis v South African Bank of Athens 1976 (2) SA 573 (A) - computer printout inadmissible evidence in terms of the Civil Procedure and Evidence Act 25 of 1965
- R v Douvenga (District Court of the Northern Transvaal, Pretoria, case no 111/150/2003, 19 August 2003, unreported) - Hacking
- S v Howard Case No. 41/258/02 – whether common law could be adapted to ‘internet crimes’
- S v Ndiki [2007] 2 All SA 185 (Ck)
- S v Van den Berg 1991 (1) SACR 104 (T) – fraudulent misrepresentation occurred electronically, prosecuted as fraud
Sources and links
News:
- Ransomware: SA among the world's biggest targets - and crooks are getting craftier (9 Dec. 2021), Carin Smith, News24
- 'Take the hit': As ransomware attacks increase, cybersecurity experts say don't pay (25 Aug. 2021), Jan Cronje, News24
- Bitcoin's use in crime a bizarre regulatory fixation because any monetary system can be used unlawfully (28 May 2021), Shalini Nagarajan, Business Insider South Africa
- Tech News: Cybercrime incidents on the rise during the pandemic (14 Dec. 2021), Louis Fourie, Independent Online
- Cyberattacks: South Africa, you’ve been hacked (6 Nov. 2021), Caryn Dolley, Daily Maverick
- INTERPOL report identifies top cyberthreats in Africa (21 Oct. 2021), INTERPOL
Reports and research
- South Africa, Freedom in the World Report 2021
- The African Cyberthreat Assessment Report 2021, INTERPOL
- State of Privacy South Africa (26 Jan. 2019)
Databases and institutions
- South African Government
- Parliament of South Africa
- Department of Justice and Constitutional Development
- Department of Communications & Digital Technologies
- Constitutional Court of South Africa
- Constitutional Court Repository
- Independent Communications Authority of South Africa (ICASA)
- Internet Service Providers’ Association
- AFJOC - African Joint Operation against Cybercrime
- South Africa, UNIDIR Cyber Policy Portal
- South Africa National Cyber Security Index
- https://privacyinternational.org/state-privacy/1010/state-privacy-south-africa