Cybersecurity in South Africa: Towards Best Practices

Mabunda, Sagwadi

doi:10.1007/978-3-030-56405-6_6

CyberBRICS pp 227-270 | Cite as

Cybersecurity in South Africa: Towards Best Practices

Authors
Authors and affiliations

Sagwadi Mabunda

Chapter

First Online: 05 January 2021

121 Downloads

Abstract

Cybersecurity has been on the South African agenda for a number of years now. Great concern has been expressed over the proliferation of cybercrime, the lack of protection of personal information and the challenges that come with regulating of cybersecurity as a whole. To this end, the Government, working hand-in-hand with the private sector has been proactively drafting policies and legislation which attempt to address these concerns. This Chapter provides a brief overview of the South African cybersecurity landscape through short discussions of the core topics of data protection, consumer protection, cybercrime, interception of communication and cyberdefence. This provides the foundation upon which the best practices in the South African context are discussed. It is clear that South Africa still has a long way to go but the progress that has been made is encouraging as most of it is on par with international standards.

This is a preview of subscription content, to check access.

Annex

Country Report: South Africa

1.

Data Protection

Scope

1. What national laws (or other type of normative acts) regulate the collection and use of personal data?

The Electronic Communications and Transactions Act, 25 of 2002 (ECTA). The Protection of Personal Information Act 4 of 2013 (POPIA).

2. Is the country a part of any international data protection agreement?

No.

3. What data is regulated?

Section 4 of ECTA provides that it applies in respect of data relating to economic transactions which are defined as transactions of either a commercial or non-commercial nature, and includes the provision of information and e-government services. It also applies to data messages which are defined as data generated, sent, received or stored by electronic means.

POPI Act

Chapter 2, Section 3 “Application and interpretation of Act” explains that the POPI Act applies to the processing of personal information.

4. Are there any exemptions?

ECTA does not apply to any data which falls outside the definition of electronic transactions and data messages.

Chapter VIII of the Act provides for the protection of personal information which is limited to personal information which has been obtained through electronic transactions. Section 51(2) provides that a data controller may not electronically request, collect, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.

5. To whom do the laws apply?

This law was created for the public interest. The Act seeks to regulate electronic transactions between consumers, private and public bodies, institutions and citizens (Section 2(1)(g) of ECTA).

It also seeks to promote SMMEs (Small, medium and Micro-sized Enterprises) within the electronic transactions environment. (Section 2(1)(p) of ECTA).

Chapter 2 section 3 of POPIA

Applies to responsible party domiciled in South Africa and if not domiciled in South Africa, which makes use of automated or non-automated means in South Africa.

6. Do the laws apply to foreign entities that do not have physical presence in the country?

Not directly. According to the rules of jurisdiction of the courts, a foreign entity would only be held liable only as far as the effects of the conduct is felt in the Republic.

However, any service provider must be accredited and authenticated if they offer products or services in a foreign jurisdiction by the Minister.

Definitions

7. How are personal data defined?

ECTA Definitions

“personal information” means information about an identifiable individual, including, but not limited to:

(a)

information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the individual;
(b)

information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
(c)

any identifying number, symbol, or other particular assigned to the individual;
(d)

the address, fingerprints or blood type of the individual;
(e)

the personal opinions, views or preferences of the individual, except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual;
(f)

correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g)

the views or opinions of another individual about the individual;
(h)

the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual, but excluding the name of the other individual where it appears with the views or opinions of the other individual; and
(i)

the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual, but excludes information about an individual who has been dead for more than 20 years;

POPIA

Personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person including, but not limited to:

(a)

information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b)

information relating to the education or the medical, financial, criminal or employment history of the person;
(c)

any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d)

the biometric information of the person;
(e)

the personal opinions, views or preferences of the person
(f)

correspondence sent by the person that is implicitly or explicitly of a private or confidential nature of further correspondence that would reveal the contents of the original correspondence;
(g)

the views or opinions of another individual about the person; and
(h)

the name of the person if it appears with other personal information relating to the person or if the disclosure if the name itself would reveal information about the person.

8. Are there special categories of personal data (e.g. sensitive data)?

POPIA Part B: Processing of special personal information

Section 26 of POPIA provides:

A responsible party may, subject to section 27, not process personal information concerning:

(a)

the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
(b)
the criminal behaviour of a data subject to the extent that such information relates to:
1. (i)
  
  the alleged commission by a data subject of any offence; or
2. (ii)
  
  any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

Section 28: Authorisation concerning data subject’s religious or philosophical beliefs
Section 29: Authorisation concerning data subject’s race or ethnic origin
Section 30: Authorisation concerning data subject’s trade union membership
Section 31: Authorisation concerning data subject’s political persuasion
Section 32: Authorisation concerning data subject’s health and sex life.
Section 33: Authorisation concerning data subject’s criminal behaviour or biometric information.

9. How is the data controller and the data processor/operator defined?

ECTA Definition

“data controller” means any person who electronically requests, collects, collates, processes or stores personal information from or in respect of a data subject;
“data subject” means any natural person from or in respect of whom personal information has been requested, collected, collated, processed or stored, after the commencement of this Act;

POPIA Definitions

Information officer of, or in relation to a:

(a)

public body means an information officer or deputy information as contemplated in terms of section 1 or 17; or
(b)

private body means the head of a private as contemplated in section 1

Of the Protection of Access to Information Act.

Operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

10. What are the data protection principles and how are they defined?

POPIA provides for eight conditions for lawful processing of personal information.

Condition 1: Accountability

Section 8: Responsible party to ensure conditions for lawful processing.

The responsible party must ensure that the conditions set out in this chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.

Condition 2: Processing limitation

Section 9: Lawfulness of processing.

Personal information must be processed (a) lawfully and (b) in a reasonable manner that does not infringe the privacy of the data subject

Section 10: Minimality

Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

Section 11: Consent, justification and objection
Section 12: Collection directly from data subject

Condition 3: Processing limitation

Section 13: Collection for specific purpose
Section 14: Retention and restriction of records

Condition 4: Purpose specification

Section 15: Further processing to be compatible with purpose of collection

Condition 5: Information quality

Section 16: Quality of information

Condition 6: Openness

Section 17: Documentation
Section 18: Notification to data subject when collecting personal information

Condition 7: Security safeguards

Section 19: Security measures on integrity and confidentiality of personal information
Section 20: Information processed by operator or person acting under authority
Section 21: Security measures regarding information processed by operator
Section 22: Notification of security compromises

Condition 8: Data subject participation

Section 23: Access to personal information
Section 24: Correction of personal information
Section 25: Manner of Access
11. Does the law provide any specific definitions with regards to data protection in the digital sphere?

Chapter VIII of ECTA

Section 50(1) provides that these provisions only apply to personal information that has been obtained through electronic transactions.

Rights

12. Is the data protection law based on fundamental rights (defined in Constitutional law or International binding documents)?

The ECTA does not specify any fundamental rights as a legal basis.

POPIA it is based on the right to privacy enshrined in Section 14 of the Constitution of the Republic of South Africa, 1996.

13. What are the rights of the data subjects according to the law?

The rights of the data subject in POPIA are described in terms of the obligations of the data controller, therefore see below.

Section 5: Rights of the data subject

Chapter 8: Rights of Data subjects regarding Direct marketing by means of unsolicited electronic communications, directories and automated decision making

Section 69 Direct Marketing by means of unsolicited electronic communication italicise this piece about chapter 8.
Section 70 Directories
Section 71 Automated Decision making

14. What are the obligations of the controllers and processors/operators?

Principles for electronically collecting personal information

Section 51 of ECTA

(1)

A data controller must have the express written permission of the data subject for the collection, collation, processing or disclosure of any personal information on that data subject unless he or she is permitted or required to do so by law.
(2)

A data controller may not electronically request, collect, collate, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.
(3)

The data controller must disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored.
(4)

The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject, unless he or she is permitted or required to do so by law.
(5)

The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of the personal information and the specific purpose for which the personal information was collected.
(6)

A data controller may not disclose any of the personal information held by it to a third party, unless required or permitted by law or specifically authorised to do so in writing by the data subject.
(7)

The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of any third party to whom the personal information was disclosed and of the date on which and the purpose for which it was disclosed.
(8)

The data controller must delete or destroy all personal information which has become obsolete.
(9)

A party controlling personal information may use that personal information to compile profiles for statistical purposes and may freely trade with such profiles and statistical data, as long as the profiles or statistical data cannot be linked to any specific data subject by a third party.

Chapter 3

(see above)

15. Is notification to a national regulator or registration required before processing data?

ECTA does not require prior notification or registration. According to Chapter 6, section 57 of POPI Act one must obtain prior authorisation. Section 55(1) of POPI Act also establishes duties and responsibilities for the Information Regulator.

16. Does the law require privacy impact assessment to process any category of personal data?

Not directly, however, section 40(1)(b)(vi) of POPIA provides that the duties, powers and functions of a Regulator include monitoring and enforcing compliance by conducting an assessment in respect of the the processing of personal information by that private or public body for the purpose of ascertaining whether or not the information is processed according to the conditions for the lawful processing of personal information.

17. What conditions must be met to ensure that personal data are processed lawfully?

See answer for question 10 above.

18. What are the conditions for the expression of consent?
- Section 11 of POPI Act provides for the measures to be taken regarding consent, justification and objection to collection of personal data.
- Section 51(4) of ECTA: The express written permission of the data subject is required unless the data controller is required or permitted to handle the data subject’s data by law.

(4) The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject, unless he or she is permitted or required to do so by law.

19. If the law foresees special categories of data, what are the conditions to ensure the lawfulness of processing of such data?

Sections 26–33 (Chapter 3, Part B) of POPI Act provide for the measures to be taken when processing special personal information.

20. What are the security requirements for collecting and processing personal data?

Condition 7 in sections 19–22 (Chapter 3) of POPI Act provides for the security safeguards for processing personal information which includes protecting the confidentiality and integrity of personal information.

ECTA Definitions

(Chapter VIII) Section 51(5) The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of the personal information and the specific purpose for which the personal information was collected.

(Chapter VIII) Section 51(8) The data controller must delete or destroy all personal information which has become obsolete.

21. Is there a requirement to store certain types of personal data inside the jurisdiction?

Chapter 9 of POPI provides for transfers of personal information outside of the Republic. It provides in section 72 that a responsible party may not transfer personal information about a data subject to a third party who is in a foreign country unless it meets certain requirements set out in the section.

A responsible party may not transfer personal info outside South Africa to a foreign third party unless the third party is subject to law, corporate rules or binding agreements which afford the data subject protection:

Data subject consents;
Transfer is necessary for performance of a contract etc;
Transfer is for the benefit of the data subject.

22. What are the requirements for transferring data outside the national jurisdiction?

See answer to question 21.

23. Are data transfer agreements foreseen by the law?

Yes, Section 72: Binding corporate rules/binding agreements with an adequate level of protection.

24. Does the relevant national regulator need to approve the data transfer agreements?

Yes, section 57 of POPIA provides for circumstances where a responsible party would be required to obtain prior authorisation from the Regulator in terms of section 58.

25. What are the sanctions and remedies foreseen by the law for not complying with the obligations?

Chapter 11 of POPIA provides for offences, penalties and administrative fines as contained in sections 100-109.

Actors

26. What actors are responsible for the implementation of the data protection law?

The ECTA envisions cyber inspectors however, they are not specifically created for issues relating to data protection.

Section 39 of POPIA provides for the establishment of the Information Regulator

27. What is the administrative structure of actors responsible for the implementation of the data protection law (e.g. independent authority, executive agency, judiciary)?

The Minister of the Department of Telecommunications and Postal Services.

Section 39 of POPIA

The Information Regulator is an in independent juristic person subject only to the Constitution and to the law. The Information Regulator must be impartial and perform its functions and exercise its powers without fear, favour or prejudice.

It must exercise and perform its functions in accordance with POPIA and the Promotion of Access to Information Act.

It is accountable to the National Assembly.

28. What are the powers of the actors responsible for the implementation of the data protection law?

The Minister is responsible for overseeing all aspects of the ECT Act. His or her powers and duties are provided for in chapter II of ECTA.

Section 5–9: The minister must develop and implement a national e-strategy.

Section 40 of POPIA

The powers, of POPIA provides for duties and functions of the Regulator in terms of this Act are:

(a)

To provide education...
(b)

to monitor and enforce compliance...
(c)

to consult with interested parties…
(d)

to handle complaints…
(e)

to conduct research and to report to Parliament…
(f)

to administrate codes of conduct
(g)

to facilitate cross-border cooperation in the enforcement of privacy laws by participate in any initiative that is aimed at such cooperation
(h)

to perform any general functions incidental or conducive to the preceding functions

2.

Consumer Protection

Scope

29. What national laws (or other type of normative acts) regulate consumer protection?

Electronic Communications and Transactions Act, 2002.

National Consumer Protection Act, 68 of 2008.

30. Is the country a party of any international consumer protection agreement?

No.

31. To whom do consumer protection laws apply?

Chapter VII of the ECTA makes provision for consumer protection. Section 42 sets out the scope of of application. It applies mostly to suppliers of consumer goods and services as well as to the consumers.

32. Do the laws apply to foreign entities that do not have physical presence in the country?

Section 47 of the ECTA provides that “the protection provided to consumers in this Chapter, applies irrespective of the legal system applicable to the agreement in question.”

Section 5(8) provides that the provisions in the CPA apply to a matter irrespective of whether the supplier resides or has principal office within or outside the Republic.

Definitions

33. How is consumer protection defined?

It is not defined in the ECTA.

The term consumer protection is not defined.

34. How are consumers defined?
- “consumer” means any natural person who enters or intends entering into an electronic transaction with a supplier as the end user of the goods or services offered by that supplier;
- “consumer”, in respect of any particular goods or services, means:
  (a)
  
  a person to whom those particular goods or services are marketed in the ordinary course of the supplier’s business;
  
  (b)
  
  a person who has entered into a transaction with a supplier in the ordinary course of the supplier’s business, unless the transaction is exempt from the application of this Act by section 5(2) or in terms of section 5(3);
  
  (c)
  
  if the context so requires or permits, a user of those particular goods or a recipient or beneficiary of those particular services, irrespective of whether that user, recipient or beneficiary was a party to a transaction concerning the supply of those particular goods or services; and
  
  (d)
  
  a franchisee in terms of a franchise agreement, to the extent applicable in terms of section 5(6)(b) to (e);
35. How are providers and producers defined?
- “certification service provider” means a person providing an authentication product or service in the form of a digital certificate attached to, incorporated in or logically associated with a data message;
- “producer”, with respect to any particular goods, means a person who:
  (a)
  
  grows, nurtures, harvests, mines, generates, refines, creates, manufactures or otherwise produces the goods within the Republic, or causes any of those things to be done, with the intention of making them available for supply in the ordinary course of business; or
  
  (b)
  
  by applying a personal or business name, trademark, trade description or other visual representation on or in relation to the goods, has created or established a reasonable expectation that the person is a person contemplated in paragraph (a); “importer”, with respect to any particular goods, means a person who brings those goods, or causes them to be brought, from outside the Republic into the Republic, with the intention of making them available for supply in the ordinary course of business; “distributor”, in relation to any particular goods, means a person who, in the ordinary course of business— (a) is supplied with those goods by a producer, importer or other distributor; and (b) in turn, supplies those goods to either another distributor or to a retailer; There are no provisions specific to consumer protection in the definition. The CPA applies to all transactions therefore it would be understood that the rights enjoyed in the ‘terrestrial’ sphere would be enjoyed in the digital sphere.
36. Does the law provide any specific definitions with regards to consumer protection in the digital sphere?

The focus of the provision is to protect consumers in the case of electronic transactions regardless of whether the goods or services sold or bought online.

There are no provisions specific to consumer protection in the definition. The CPA applies to all transactions therefore it would be understood that the rights enjoyed in the ‘terrestrial’ sphere would be enjoyed in the digital sphere.

Rights

37. Is the consumer protection law based on fundamental rights (defined in Constitutional law or International binding documents)?

The ECTA has not specified any fundamental rights.

The preamble of the CPA provides that it seeks to redress the injustices of Apartheid by developing and employing innovative means to:

(a)

fulfil the rights of historically disadvantaged people and to promote their full participation as consumers;
(b)

protect the interests of all consumers, ensure accessible, transparent and efficient redress for consumers who are subjected to abuse or exploitation in the marketplace; and
(c)

to give effect to internationally recognised customer rights;

38. What are the rights of the consumer defined by the law with reference to digital good and services?

The ECTA makes provisions for goods and services purchased through electronic transactions.

Section 43(2)

The consumer has the right to review the entire electronic transaction; to correct any mistakes; to withdraw from the transaction, before finally placing any order.

Section 43(3)

If the consumer does not provide the consumer with the information provided for in section 43(1) and the opportunity provided for in section 43(2), the consumer has the right to cancel the right to cancel the transaction within 14 days of receiving the good or services under the transaction.

Section 44(1)

It provides that a consumer is entitled to a cooling off period which means that he or she has the right to cancel without reason and without penalty any transaction and any related credit agreement for the supply of goods or services within seven days of conclusion of the agreement.

The consumer is also entitled to a full refund within 30 days of cancellation if the consumer made the payment before he or she could exercise the right of a cooling off period.

However, these rights do not apply to electronic transactions specified in section 42.

The CPA does not have specific provisions for digital goods and services therefore it is understood that all the rights that are afforded in the terrestrial sphere will be afforded to digital services.

Chapter 2: Fundamental Consumer Rights

Part A: Right of equality in consumer market
Part B: Consumer’s right to privacy
Part C: Consumer’s right to choose
Part D: Right to disclosure and information
Part E: Right to fair and responsible marketing
Part F: Right to fair and honest dealing
Part G: Right to fair, just and reasonable terms and conditions
Part H: Right to fair value, good quality and safety
Part I: Supplier’s accountability to consumers
39. Is consumer protection law applicable to users of zero price service i.e. free of charges?

ECTA does not provided for this.

The CPA speaks of free goods and services only within the context of “promotional offers”

“promotional offer” means an offer or promise, expressed in any manner, of any prize, reward, gift, free good or service, price reduction or concession, enhancement of quantity or quality of goods or services, irrespective of whether or not acceptance of the offer is conditional on the offeree entering into any other transaction.

Obligations and Sanctions

40. Does the law establish specific security requirements to provide digital services or goods?

ECTA does not have specific security requirements but it does oblige the supplier to provide certain information provided for in section 43.

The CPA does not have specific provisions for digital goods and services therefore it is understood that all the rights that are afforded in the terrestrial sphere will be afforded to digital services.

41. What are the sanctions and remedies foreseen by the law for complying with the obligations?

Penalties

Section 111 provided for in terms of the CPA.

(1)

Any person convicted of an offence in terms of this Act is liable:

(a) in the case of a contravention of section 107 (1), to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and imprisonment; or

(b) in any other case, to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and imprisonment.

(2)

Despite anything to the contrary contained in any other law, a Magistrate’s Court has jurisdiction to impose any penalty provided for in subsection (1).

Administrative fines

Section 112

(1)

The Tribunal may impose an administrative fine in respect of prohibited or required conduct.
(2)
An administrative fine imposed in terms of this Act may not exceed the greater of:
1. (a)
  
  10% of the respondent’s annual turnover during the preceding financial year; or
2. (b)
  
  R1 000 000.
(3)
When determining an appropriate administrative fine, the Tribunal must consider the following factors:
1. (a)
  
  The nature, duration, gravity and extent of the contravention;
2. (b)
  
  any loss or damage suffered as a result of the contravention;
3. (c)
  
  the behaviour of the respondent;
4. (d)
  
  the market circumstances in which the contravention took place;
5. (e)
  
  the level of profit derived from the contravention;
6. (f)
  
  the degree to which the respondent has co-operated with the Commission and the Tribunal; and
7. (g)
  
  whether the respondent has previously been found in contravention of this Act.
(4)

For the purpose of this section, the annual turnover of a supplier at the time when an administrative fine is assessed, is the total income of that supplier during the immediately preceding year, as determined in the prescribed manner.
(5)

A fine payable in terms of this section must be paid into the National Revenue Fund referred to in section 213 of the Constitution.

Actors

42. What bodies are responsible for the implementation of the consumer protection law?

ECTA does not provide for specific bodies but the CPA does.

Chapter 5: National Consumer Protection Institutions

Part B

Establishment of National Consumer Commission

Part C

Functions of Commission

43. Is there a specific consumer protection body? If so, what is its administrative structure?

There is none under ECTA.

Section 85: (1) The National Consumer Commission is hereby established as an organ of state within the public administration, but as an institution outside the public service.

44. What are the powers of the bodies responsible for the implementation of the consumer protection law?

None are specified.

Chapter 5

Part C: Functions of Commission

Section 92: General provisions concerning Commission functions;
Section 93: Development of codes of practice relating to Act;
Section 94: Promotion of legislative reform;
Section 95: Promotion of consumer protection within organs of state;
Section 96: Research and public information;
Section 97: Relations with other regulatory authorities;
Section 98: Advice and recommendations to Minister.

3.

Cybercrime

Scope

45. What national laws (or other type of normative acts) regulate cybercrime?

The Electronic Communication and Transaction Act, 25 of 2002 regulate a handful of cybercrimes.

Cybercrimes Bill B6B-2017

46. Is the country a part of any international cybercrime agreement?

Signatory/observer to the Budapest convention

47. What cybercrimes are regulated?

ECTA provides for cybercrimes in sections 86, 87 and 88.

Section 86: Unauthorised access to, interception of or interference with data
Section 87: Computer-related extortion, fraud and forgery
Section 88: Attempt, and aiding and abetting

The Cybercrimes Bill provides for cybercrime in sections 2 to 16

Section 2: Unlawful access
Section 3: Unlawful interception of data
Section 4: Unlawful acts in respect of software or hardware tool
Section 5: Unlawful interference with data or computer program
Section 6: Unlawful interference with a computer data storage medium or computer system
Section 7: Unlawful acquisition, possession, provision, receipt or use of password, access code or similar data or device
Section 8: Cyber fraud
Section 9: Cyber forgery and uttering
Section 10: Cyber extortion
Section 11: Aggravated offences
Section 12: Theft of incorporeal property
Section 13: Definitions
Section 14: Data message which incites damage to property or violence
Section 15: Data message which threatens persons with damage to property or violence
Section 16: Distribution of data message of intimate image

48. To whom do the laws apply?

The provision refers to a person which is defined as including a public body.

Any person who commits offences in chapter 2.

49. Do the laws apply to foreign entities that do not have physical presence in the country?

Yes, in accordance with ordinary criminal law and the principles of jurisdiction.

Definitions

50. How is cybercrime generally defined by the national law?

A single definition for cybercrime is not provided in either the Cybercrimes Bill nor the ECTA.

51. What are the cybercrimes provided for by the law and how are they defined?

ECTA defines

Section 85: “access” includes the actions of a person who, after taking note of any data, becomes aware of the fact that he or she is not authorised to access that data and still continues to access that data.
Section 86: Unauthorised access to, interception of or interference with data.
- 86.
  (1)
  
  Subject to the Interception and Monitoring Prohibition Act, 1992 (Act No. 127 of 1992), a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence.
  
  (2)
  
  A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence.
  
  (3)
  
  A person who unlawfully produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item to contravene this section, is guilty of an offence.
  
  (4)
  
  A person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence.
  
  (5)
  
  A person who commits any act described in this section with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial, of service to legitimate users is guilty of an offence.
Section 87: Computer-related extortion, fraud and forgery
- 87.
  (1)
  
  A person who performs or threatens to perform any of the acts described in section 86, for the purpose of obtaining any unlawful proprietary advantage by undertaking to cease or desist from such action, or by undertaking to restore any damage caused as a result of those actions, is guilty of an offence.
  
  (2)
  
  A person who performs any of the acts described in section 86 for the purpose of obtaining any unlawful advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were authentic, is guilty of an offence.
Section 88: Attempt, and aiding and abetting
1. (1)
  
  A person who attempts to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89 (1) or (2), as the case may be.
2. (2)
  
  Any person who aids and abets someone to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89 (1) or (2), as the case may be.

NB These provisions are will be repealed by the Cybercrimes Bill if/when it comes into force.

As provided for in chapter 2.

52. How is a computer system defined?

ECTA does not define it. The Cybercrimes Bill defines it in:

Chapter 1, Section 1:

“computer system” means:

(a)

one computer; or
(b)
two or more inter-connected or related computers, which allow these inter-connected or related computers to:
1. (i)
  
  exchange data or any other function with each other; or
2. (ii)
  
  exchange data or any other function with another computer or a computer system;

53. How are computer data defined?

The definitions in the cybercrimes bill are: “data” means electronic representations of information in any form; “data message” means data generated, sent, received or stored by electronic means and includes-:

(a) voice, where the voice is used in an automated transaction; and (b) a stored record;

There is a definition of “computer data storage medium”

Chapter 1, Section 1:

“computer data storage medium” means any device or location from which data or a computer program is capable of being reproduced or on which data or a computer program is capable of being stored by a computer system, irrespective of whether the device is physically attached to or connected with the computer system;

54. How are forensic data defined?

ECTA does not define Forensic Data.

It is not defined in the Cybercrimes Bill.

55. How are service providers defined?

ECTA does not define service provider.

The Cybercrimes Bill only defines an electronic communication service provider.

Electronic communications service provider means any person who provides an electronic communications service under and in accordance with an electronic communications service licence issued to such person under Chapter 3 of the Electronic Communications Act, 2005 (Act No. 36 of 2005), or who is deemed to be licensed or exempted from being licensed as such in terms of the Electronic

Communications Act, 2005;

56. Does the national law provide any other definitions instrumental to the application of cybercrime legislation?
- “information system” means a system for generating, sending, receiving, storing, displaying or otherwise processing data messages and includes the Internet;
- “Internet” means the interconnected system of networks that connects computers around the world using the TCP/IP and includes future versions thereof.
- “computer” means any electronic programmable device used, whether by itself or as part of a computer system or any other device or equipment, or any part thereof, to perform predetermined arithmetic, logical, routing, processing or storage operations in accordance with set instructions and includes any data, computer program or computer data storage medium that are related to, connected with or used with such a device;
- “computer data storage medium” means any device from which data or a computer program is capable of being reproduced or on which data or a computer program is capable of being stored, by a computer system, irrespective of whether the device is physically attached to or connected with a computer system;
- “computer program” means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function;
- “computer system” means:
  (a)
  
  one computer; or
  
  (b)
  
  two or more inter-connected or related computers, which allow these inter-connected or related computers to:
  (i)
  
  exchange data or any other function with each other; or
  
  (ii)
  
  exchange data or any other function with another computer or a computer system.
57. Is there a way that cybercrimes can jeopardize the national security of a country?

An early version of the Cybercrimes Bill (the cybercrimes and cybersecurity bill) had provisions dedicated to addressing the natioal cybersecurity risks of cybercrime. See section on cyberdefence below.

Rights

58. Is the cybercrime law based on fundamental rights (defined in Constitutional law or International binding documents)?

ECTA does not specify one.

The Cybercrimes Bill has not specified one nor is one immediately clear from the Constitution of the Republic of South Africa, 1996.

59. What are the rights of the victim and the accused?

ECTA Act does not specify them.

The Cybercrime Bill provides for rights and protections as consistent with the criminal law of South Africa.

Procedures

60. Is there a specific procedure to identify, analyse, relate, categorize, assess and establish causes associated with forensic data regarding cybercrimes?

The Cybercrimes Bill does not provide specific procedures for this however, it provides in section 55 that the cabinet minister responsible for policing must (a) establish and maintain sufficient human and operational capacity to detect, prevent and investigate cybercrimes; (b) ensure that members of the South African Police Service receive basic training in aspects relating to the detection, prevention and investigation of Cybercrimes.

61. In case of transnational crimes, how is cooperation between the national law enforcement agency and the foreign agents regulated?

ECTA does not provide for that but it refers to the general provisions for jurisdiction of the courts (Section 90).

Chapter 6 of the Cybercrimes Bill provides for Mutual assistance.

62. Are there any exceptions to the use of mutual legal assistance procedure to investigate the crime?

ECTA does not provide for Mutual Legal Assistance.

Chapter 5 of the Cybercrimes Bill provides for Mutual Assistance National Executive may enter into agreements

57. (1) The National Executive may enter into any agreement with any foreign State regarding:

(a) the provision of mutual assistance and cooperation relating to the investigation and prosecution of… [the offences provided for in the Cybercrimes Bill]

This includes exceptions in accordance with the ordinary principles of mutual assistance.

63. Does the national law require the use of measures to prevent cybercrimes? If so, what are they?

Neither legislation provides for specific preventative measures that should be taken regarding cybercrime.

Obligations and Sanctions

64. What obligations do law enforcement agencies have to protect the data of the suspect, the accused and the victim?

Chapter 5 of the Cybercrimes Bill provides for the powers to investigate, search an access or seize. The duties and responsibilities of law enforcement are outlined in this chapter.

65. What are the duties and obligations of the National Prosecuting Authorities in cases of cybercrime?

The general rules pertaining to the National Prosecution Authority would apply. The prosecutor must carefully check the legality of the initiation of criminal cases and evaluate the submitted materials.

Section 52 (5) The National Director of Public Prosecutions must make available members of the

National Prosecuting Authority:

(a)

who have particular knowledge and skills in respect of any aspect dealt with in this Act; and
(b)

to whom a security clearance has been issued by the State Security Agency in terms of section 2A of the National Strategic Intelligence Act, 1994, to the satisfaction of the National Director of Public Prosecutions, to provide legal assistance to the designated Point of Contact as may be

National Director of Public Prosecutions must keep statistics of prosecutions

56. (1) The National Director of Public Prosecutions must keep statistics of the number of prosecutions instituted in terms of Part I or Part II of Chapter 2, the outcome of such prosecution and any other information relating to such prosecutions, which is determined by the Cabinet member responsible for the administration of justice. (2) The statistics or information contemplated in subsection (1) must be included in the report of the National Director of Public Prosecutions referred to in section 22(4)(g) of the National Prosecuting Authority Act, 1998.

66. Does the law impose any obligations on service providers in connection with cybercrime?

Chapter 9

S54 Electronic communication service providers or financial institutions that become aware that their systems are involved in the commission of any offences in the Cybercrimes Bill are obligated to report offences no later than within 72 hours. They must also preserve evidence as far as possible.

67. To which extent can a legal person be held liable for actions in connection with cybercrimes?

ECTA applies to “a person” which is defined to include a public body. Presumably, the ordinary meaning of a person is understood to apply, which is both a natural and a juristic person.

Person means a natural or juristic person, section 1. Penalties (section 14, 22) apply to persons.

Actors

68. What bodies implement the cybercrime legislation?

Section 80–84 The Cyber Inspector provided for in chapter XII of ECTA.

s26 (1) The Cabinet member responsible for policing, in consultation with the National Commissioner, the National Head of the Directorate, the National Director of Public Prosecutions and the Cabinet member responsible for the administration of Justice.

69. Is there a special public prosecutor office for cybercrime? If so, how is it organised?

There is no special public prosecutor office. The Cabinet member responsible for policing is required to work closely the National Director of Public Prosecutions for all matters relating to public prosecutions of cybercrime. For example, see –

70. Does the cybercrime legislation create any specific body?

Chapter 10, Section 53

Cyber response committee

Chapter _ Section _ Designated Point of Contact

4.

Public Order

Definitions

71. How are public order, threats to public order and the protection of public order defined?

RICA concerns electronic communications surveillance. It does not refer to anything related to public order.

72. Is the protection of public order grounded in constitutional norms?

------

73. What kind of measures are foreseen limit constitutional and legal rights?

Cybersecurity incident management system…social management systems [e.g. social unrest management/monitoring or surveillance]

74. What measures are taken by the government to control mass gatherings of people?

Regulation of Gatherings Act (note Section 12(1)(a) is declared unconstitutional/invalid)

Proposed: Regulation of Gatherings Act Amendment Bill (not related to cybersecurity)

75. What public authorities are responsible for implementation of the surveillance techniques?

------

76. What are the right and obligations of these public authorities?

------

77. On what legal grounds non-governmental actors could perform mass surveillance?

A telecommunication service provider must store communication-related information (30(1) RICA).

78. Is the execution of the measures adopted in cases of instances delegated to private intermediaries or implemented by public bodies what are the responsibilities of those private bodies?

------

5.

Cyberdefence

Scope

79. Is there a national cyberdefence strategy or is cyberdefence mentioned in the national defence strategy?

The Cyberwarfare Strategy is still being developed. Once developed, it will be presented to the Justice, Crime Prevention and Security (JCPS) Cluster Ministers for approval. It is earmarked for approval and partial implementation in the 2018/2019 fiscal year.

80. What is the legal status of the national defence or cyberdefence strategy?

It is still being developed.

81. What national laws or other normative acts regulate cyberdefence in the country?

None.

82. Is the country party of any international cooperation agreement in the sphere of cyberdefence ?

No.

83. Does the national cyberdefence strategy provide for retaliation?

The Department of Defence Annual Performance Plan (2017) states that it is aligned with the national policy regarding South Africa’s posture and capabilities related to offensive information warfare actions.

84. Is there any specific framework regulating critical infrastructure?

The National Critical Infrastructure Bill.

Definitions

85. How are national security and national defence defined?

Not defined in the NCPF.

86. How are cybersecurity and cyberdefence defined?
- “Cybersecurity” is the practice of making the networks that constitute cyberspace secure against intrusions, maintaining confidentiality, availability and integrity of information, detecting intrusions and incidents that do occur, and responding to and recovering from them.
- “Cyberdefence” is not defined.
87. How are threats to national security and cyberthreats defined?

There is no single definition.

88. How is a cyberattack defined?

NCPF does not include a definition of cyberattack.

89. Does the national law provide any other definitions instrumental to the application of cyberdefence legislation?

NCPF Definitions

“Cyber warfare” means actions by a nation/state to penetrate another nation’s computers and networks for purposes of causing damage or disruption
“Cyber espionage” means the act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary or of classified nature), from individuals, competitors, rivals, groups, Governments and enemies for personal, economic, political or military advantage
“Cyber terrorism” means use of Internet based attacks in terrorist activities by individuals and groups, including acts of deliberate large-scale disruptions of computer networks, especially computers attached to the Internet, by the means of tools such as computer viruses
“Cyberspace” means a physical and non-physical terrain created by and/or composed of some or all of the following
National Framework

90. Is cyberdefence grounded on the constitutional provisions and/or international law?

It is not stated.

91. Which specific national defence measures are related to cybersecurity?

The Cybersecurity strategy is still being developed.

92. Is there a national defence doctrine and does the law or strategy refer to it?

National cyber security framework, introduction 1.1.

93. What measures are mentioned in the national law and strategy in order to implement cyberdefence ?

Cyber-warfare

“In order to protect its interests in the event of a cyber-war, a cyber defence capacity has to be built. The NCPF thus promotes that a Cyber Defence Strategy, that is informed by the National Security Strategy of South Africa, be developed, guided by the JCPS Cybersecurity Response Committee.”

It says nothing more on the issue of cyberdefence .

94. How can Internet users’ online activities be limited for the reasons of protection of national security and cyberdefence ?

The NCPF does not specify this.

95. Does the national law or strategy foresee any special regime to be implemented in case of emergency in the context of cyberdefence ?

The NCPF does not.

Actors

96. What actors are explicitly mentioned as playing a role regarding cyberdefence in the law or national cyber defence strategy or defence strategy?

The Department of Defence and Military Veterans (DOD&MV) has overall responsibility for coordination, accountability and implementation of cyber defence measures in the Republic as an integral part of its National defence mandate. To this end, the Department will develop policies and strategies pursuant to its core mandate.

97. Is there a specific cyber defence body?

The NCPF envisions the implementation of the JCPS Cybersecurity Response Committee.

98. What are the tasks of aforementioned actors?

They will presumably be specified in the National Cybersecurity Strategy.

References

Amabhungane Centre for Investigative Journalism NPC v Minister of Justice and Correctional Services (25978/2017) [2019] ZAGPPHC 384.Google Scholar
Basson A (2015) “The Right to be forgotten: a South African perspective” Masters Dissertation, University of Pretoria.Google Scholar
De Bruyn, M (2014) The Protection of Personal Information (POPI) Act - Impact on South Africa International Business & Economic Research Journal 13(6) 1315-1340.Google Scholar
De Stadler, E. (2013) Intro to POPI (part 5): Rethinking privacy policies Juta’s Consumer Law Review (May/June) available at http://www.esselaar.co.za/legalarticles/intro-popi-part-5-rethinking-privacy-policies (accessed 15 September 2020)
Department of Defence. (2015a). South African defence review. Pretoria. Available at <http://www.dod.mil.za/documents/defencereview/Defence%20Review%202015.pdf>. Accessed 30 September 2019.
Department of Defence. (2015b). Department of Defence strategic plan for 2015 to 2020. Pretoria. Available at <http://www.dod.mil.za/documents/annualreports/DoD%20Annual%20Performance%20Strat%20Plan%202403.pdf. Accessed 30 September 2019.
Department of Telecommunications and Postal services “A baseline study on Cybersecurity readiness” (2017). Available at <https://www.cybersecurityhub.gov.za/images/docs/Cyber-Readiness-Report.pdf>. Accessed 30 September 2019.
Department of Telecommunications and Postal Services “Annual Performance Plan” (2019–2020) available at <https://www.dtps.gov.za/index.php?option=com_phocadownload&view=category&download=694:annual-performance-plan-2019-020&id=111:annual_performance_plans&Itemid=453>. Accessed 30 September 2019.
Gillwald A (2019) “South Africa caught up in the global hype of the Fourth Industrial Revolution” Mail & Guardian available at <https://mg.co.za/article/2019-08-26-south-africa-is-caught-in-the-global-hype-of-the-fourth-industrial-revolution>. Accessed 15 October 2019.
Global Cybersecurity Index (2019) 55. Available at <https://www.itu.int/en/ITU-D/Cybersecurity/Documents/draft-18-00706_Global-Cybersecurity-Index-EV5_print_2.pdf>. Accessed 30 September 2019.
Government Gazette General Notices (December 2018) available at <http://www.gpwonline.co.za/Gazettes/Gazettes/MonthyIndexDecember2018.pdf>. Accessed 15 October 2019.
Greenleaf, G. (2013). Chapter 10: Data protection in a globalised network. In Brown, I. [ed]. Research handbook on governance of the Internet. Northampton, MA: Edward Elgar. p 221–259.Google Scholar
Grobler M., van Vuuren J.J., Leenen L. (2012) Implementation of a Cyber Security Policy in South Africa: Reflection on Progress and the Way Forward. In: Hercheui M.D., Whitehouse D., McIver W., Phahlamohlaka J. (eds) ICT Critical Infrastructures and Society. HCC 2012. IFIP Advances in Information and Communication Technology, vol 386. Springer, Berlin, HeidelbergGoogle Scholar
Hubbard J (2019) “SA business underplaying the danger of cybercrime?” Fin24 available at <https://www.fin24.com/Finweek/Business-and-economy/sa-business-underplaying-the-danger-of-cybercrime-20190313 [accessed 15 October 2019].
Heyink, M. (2011). Protection of Personal Information Guidelines for Law Firms. Law Society of South Africa LSSA Guidelines 1-55 available at https://www.golegal.co.za/wp-content/uploads/2018/01/Protection-of-Personal-Information-for-South-African-Law-Firms-LSSA-Guidelines-2018.pdf (accessed 15 September 2019)
International Telecommunication Union’s (ITU) Global Cybersecurity Index (2018) 1. Available at https://www.itu.int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx. Accessed 30 September 2019.
International Telecommunication Union’s (ITU) Global Cybersecurity Index (2019) 55. Available at https://www.itu.int/en/ITU-D/Cybersecurity/Documents/draft-18-00706_Global-Cybersecurity-Index-EV5_print_2.pdf accessed 30 September 2019.
IQ Business (2014) Are South African Companies Prepared for POPI? Accountancy SA available at https://www.accountancysa.org.za/influence-are-south-africancompanies-prepared-for-popi/ (accessed 15 September 2019).
Longe, O; Ngwa, O; Wada, F; Mbarika, V (2009). “Criminal Uses of Information & Communication Technologies in Sub-Saharan Africa: Trends, Concerns and Perspectives”. Journal of Information Technology Impact, vol. 9, n. 3, pp. 155–172. Available at <https://www.researchgate.net/profile/Lynette_Kvasny/publication/228876250_Criminal_Uses_of_Information_Communication_Technologies_in_Sub-Saharan_Africa_Trends_Concerns_and_Perspectives/links/00463524215d1ce6c7000000/Criminal-Uses-of-Information-Communication-Technologies-in-Sub-Saharan-Africa-Trends-Concerns-and-Perspectives.pdf>.
O’Keefe v Argus Printing and Publishing (Pty) Ltd 1954 3 SA 247 (C). Second Line of Defence (2018) SANDF Way Ahead: Priorities and Challenges” <https://sldinfo.com/2018/06/sandf-way-ahead-priorities-and-challenges/>. Accessed 13 June 2019.
South Africa Government (2010) Justice Crime Prevention and Security (JCPS) delivery agreement <https://www.gov.za/media-statement-justice-crime-prevention-and-security-jcps-delivery-agreement>. Accessed 14 June 2019.
South African Banking Risk Information Centre (SABRIC) “Annual Crime Stats” (2018) available at <https://www.sabric.co.za/media-and-news/press-releases/sabric-annual-crime-stats-2018/>. Accessed 15 October 2019.
South African Constitution Act 108 of 1996.Google Scholar
South African Cybercrimes Bill [B6B-2017] (2017).Google Scholar
South African Reserve Bank Prudential Authority (2018a) ‘Cloud computing and offshoring of data’ directive D3/2018.Google Scholar
South African Reserve Bank Prudential Authority (2018b) “Guidance Note on computing and offshoring of data.” (D3/2018) available at https://www.resbank.co.za/Publications/Detail-Item-View/Pages/Publications.aspx?sarbweb=3b6aa07d-92ab-441f-b7bfbb7dfb1bedb4&sarblist=21b5222e-7125-4e55-bb65-56fd3333371e&sarbitem=8749 accessed 15 October 2019
South African State Security Agency “National Cybersecurity Policy Framework” (2012) Government Gazette No. 39475. Available at <https://www.gov.za/sites/default/files/gcis_document/201512/39475gon609.pdf>. Accessed 30 September 2019.
Stander, A; Dunnet, A; Rizzo, J. “A Survey of Computer Crime in South Africa”, Proceedings of ISSA 2009 conference, pp. 217-226, (2009).Google Scholar
Sutherland E (2017) Governance of cybersecurity – the case of South Africa. The African Journal of Information and Communication (AJI) 20 at 93.Google Scholar
The Presidency (2018) “10th BRICS Summit: Johannesburg declaration” available at <http://www.thepresidency.gov.za/press-statements/10th-brics-summit%3A-johannesburg-declaration>. Accessed 15 October 2019.
The Presidency (2019) “President appoints commission on Fourth Industrial Revolution” available at http://www.thepresidency.gov.za/pressstatements/president-appoints-commission-fourth-industrial-revolution accessed 15 October 2019.
Tubbs, B. (2014) How companies can gear up for POPI IT Web Financial available at http://www.itweb.co.za/?id=71803:How-companies-can-gear-up-for-POPI (accessed 15 September 2019).Google Scholar

Copyright information

Authors and Affiliations

Sagwadi Mabunda
- 1
View author's OrcID profile

1.Pan African Bar Association of South Africa (PABASA)JohannesburgSouth Africa

Cybersecurity in South Africa: Towards Best Practices

Abstract

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite chapter