What does the new Cybercrimes Act 2020 cover?
We wrote recently about the Protection of Personal Information Act (POPIA). The need for such privacy legislation came about because of the explosion in electronic storage of personal information over the past two decades. Historically, personal information was held mostly by financial services companies, in paper records. These companies didn’t do much with your data except send you your monthly or annual statements. Now everything is electronic and online, including crime. In spite of POPIA, your data is not safe. Cybercrime is on the increase, and cybercriminals are becoming bolder. Ransomware attacks demand larger and larger amounts, and South Africa is not immune. We have the third highest number of cybercrime victims in the world, costing our economy R2.2 billion a year, according to business analysts Accenture. Not all cybercrime perpetrated in South Africa originates in South Africa, but the Cybercrimes Act 2020 is an attempt to crack down on online fraud and crime within our borders.
Cybercrimes Act 2020
President Ramaphosa signed the Cybercrimes Act 2020 into law in June last year. Certain sections came into effect on 1 December 2021, while other sections have yet to be made operational, because they require regulations that are not yet finalised. We look at what the new laws mean.
Purpose of cybersecurity law
Cybersecurity law exists to protect us on three physical levels:
- Personal data
- Devices
- Networks
From a rights perspective, it protects:
- The right to privacy
- The right to freedom of expression
- The right to access information
Specifically, the Cybercrimes Act aims to:
- Create offences which have a bearing on cybercrime
- Criminalise the disclosure of data messages that are harmful and provide for interim protection orders
- Further regulate jurisdiction in respect of cybercrimes
- Further regulate the powers to investigate cybercrimes
- Further regulate aspects relating to mutual assistance in respect of the investigation of cybercrimes
- Provide for the establishment of a designated point of contact
- Further provide for the proof of certain facts by affidavit
- Impose obligations to report cybercrimes
- Provide for capacity building
- Provide that the Executive may enter into agreements with foreign states to promote measures aimed at the detection, prevention, mitigation and investigation of cybercrimes
- Delete and amend provisions of certain laws
- Provide for matters connected therewith
The sections that have been prioritised for promulgation aim to ensure:
- SAPS is adequately capacitated and trained to deal with cybercrimes
- Verifiable statistics of the extent of cybercrime in South Africa are available
- The effectiveness and capacity of SAPS to investigate cybercrimes can be evaluated
- The capacity of the National Prosecuting Authority to prosecute cybercrimes can be evaluated
What does the Cybercrimes Act criminalise?
The Cybercrimes Act applies to both natural and juristic persons, and Part I of Chapter 2 makes the following offences punishable on conviction by fine or imprisonment:
- Unlawfully and intentionally performing an act in respect of a computer system or computer data storage medium which puts any person in a position to access, use, intercept data or interfere with data or a computer program, or computer system or computer data storage system
- Unlawful interception of data such as the acquisition, viewing, capturing or copying of data, including the possession of data or the output of data with knowledge that it was intercepted
- Unlawful acts in respect of a software or hardware tool, including the use and possession of these in order to access, intercept, or interfere with data or a computer program, or computer data storage medium or computer system, and the unlawful acquisition, possession, provision, receipt or use of a password, access code or similar data or device
- Cyber fraud, cyber forgery and uttering and cyber extortion
A step in the right direction
Of course, the challenge with much cybercrime is that the perpetrators can hide their identity. They are hard to find, and they could be anywhere. Many are in Russia or North Korea, well beyond the reach of our law enforcement officers. Ransomware attacks demand payment in cryptocurrency, because it is untraceable. But South Africa is also home to a significant number of cybercriminals. Trend Micro, an IT security company, identified IP addresses in Africa used to transmit digital extortion spam messages from January to May 2021. The top sender countries include South Africa, Morocco, Kenya and Tunisia. The Cybercrimes Act will not resolve South Africa’s cyberthreat problem, but it is a step in the right direction. Unfortunately, it does not mean your data, device, or network is now safe.
You should still follow the guidance from the cybersecurity industry, which includes not re-using passwords, using two-factor authentication whenever possible, not opening links in emails if you don’t know the sender, ensuring you have up-to-date anti-virus software, etc., etc. We are not cybersecurity experts; if you are concerned about the security of your home or business network, we suggest you contact one of the many excellent cybersecurity firms in South Africa for advice.
We welcome the Cybercrimes Act, but cybercrime is a menace that is only likely to get worse. Keep your data and your devices safe!
Let SD Law help
If you have questions about the Cybercrimes Act or POPIA, or any other legal matter, give Cape Town attorney Simon Dippenaar a call on 076 116 0623.