CyberBRICS pp 227–270

Cybersecurity in South Africa: Towards Best Practices

Abstract

Cybersecurity has been on the South African agenda for a number of years now. Great concern has been expressed over the proliferation of cybercrime, the lack of protection of personal information and the challenges that come with regulating cybersecurity as a whole. To this end, the Government, working hand-in-hand with the private sector, has been proactively drafting policies and legislation which attempt to address these concerns. This Chapter provides a brief overview of the South African cybersecurity landscape through short discussions of the core topics of data protection, consumer protection, cybercrime, interception of communication and cyberdefence. This provides the foundation upon which the best practices in the South African context are discussed. It is clear that South Africa still has a long way to go, but the progress that has been made is encouraging, as most of it is on par with international standards.


Notes

1. See NCPF (2012) at 75.

2. See DTPS (2017) at 3.

3. See SABRIC (2018) at 1; Hubbard (2019) at 1.

4. See Baseline Cybersecurity readiness report (2017) at 3.

5. See Sutherland (2017) at 84.

6. See ITU (2018) at 1.

7. See ITU (2019) at 55.

8. See South Africa Government (2010) at 1.

9. See National Cybersecurity Policy Framework (2012) at 76.

10. See National Cybersecurity Policy Framework (2012) at 73.

11. See National Cybersecurity Policy Framework (2012) at 76.

12. See National Cybersecurity Policy Framework (2012) at 76.

13. The 10th BRICS Summit: Johannesburg declaration was dedicated to inclusivity and mutual prosperity in the context of technological developments and advancements. See The Presidency (2018) at 1. The President appointed a commission on the Fourth Industrial Revolution in April 2019. The commission is chaired by the President and will be responsible for identifying relevant policies, strategies and action plans to position South Africa as a competitive global player. See The Presidency (2018) at 1; Government Gazette General Notices (December 2018) at 18; DTPS (2019). Critics argue that South Africa is caught up in the hype of 4IR without giving due caution to the unfinished business of inequality and the preconditions that need to be created in order to have an inclusive digital economy and society. See Gillwald (2019) at 1.

14. See O’Keefe v Argus Printing and Publishing (Pty) Ltd. 1954 3 SA 247 (C). Second Line of Defence (2018) “SANDF Way Ahead: Priorities and Challenges” <https://sldinfo.com/2018/06/sandf-way-ahead-priorities-and-challenges/>. Accessed 13 June 2019.

15. Section 14 of the Constitution of the Republic of South Africa, 1996. Everyone has the right to privacy, which includes the right not to have
    (a) their person or home searched;
    (b) their property searched;
    (c) their possessions seized; or
    (d) the privacy of their communications infringed.

16. See Sutherland (2017) at 95.

17. Heyink (2011) at 2.

18. De Stadler (2013) & Tubbs (2014).

19. BusinessTech (June 2020) “This is when South Africa’s new personal information laws will come into effect – what you need to know” available at https://businesstech.co.za/news/technology/409567/this-is-when-south-africas-new-personalinformation-laws-will-come-into-effect-what-you-need-to-know/ (accessed 10 October 2020).

20. De Bruyn (2014) 1318.

21. IQ Business (2014) 37.

22. Greenleaf (2013) 224–5.

23. Greenleaf (2013) 225.

24. De Bruyn (2014) 1319. See Greenleaf (2013) 237.

25. De Bruyn (2014) 1319.

26. See Consumer Protection Act No 68 of 2008.

27. See Preamble of the CPA (2011). <https://www.gov.za/sites/default/files/gcis_document/201409/321864670.pdf>. Accessed 30 October 2019.

28. Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, ECLI:EU:C:2014:317.

29. See Basson (2015).

30. See Section 11 of CPA.

31. These obligations may include, for example, being required to retain information for a prescribed time frame during an investigation.

32. See Section 68(1) of CPA. It is worth noting, however, that this right too is limited, as it applies only to the rights that are provided for in the Act. Should one wish to rely on this provision to claim a right to be forgotten, one would need to engage in a section 39(2) interpretation exercise.

33. See Longe (2009) at 155.

34. See Longe (2009) at 156.

35. See Stander (2009) at 217.

36. See Grobler (2012) at 1.

37. See National Cybersecurity Policy Framework (2012) at 81.

38. See Section 40(1)–(2) of RICA (2002).

39. See Amabhungane Centre for Investigative Journalism NPC v Minister of Justice and Correctional Services (25,978/2017) [2019] ZAGPPHC 384 (Amabhungane).

40. See Amabhungane paras 18–9.

41. The Constitutional provisions are:

    Section 14. Privacy

    Everyone has the right to privacy, which includes the right not to have
    (a) their person or home searched;
    (b) their property searched;
    (c) their possessions seized; or
    (d) the privacy of their communications infringed.

    Section 16(1) Freedom of expression

    Everyone has the right to freedom of expression, which includes
    (a) freedom of the press and other media;
    (b) freedom to receive or impart information or ideas;
    (c) freedom of artistic creativity; and
    (d) academic freedom and freedom of scientific research.

    Section 34 Access to courts

    Everyone has the right to have any dispute that can be resolved by the application of law decided in a fair public hearing before a court or, where appropriate, another independent and impartial tribunal or forum.

    Section 35(5) Right to a fair trial

    Evidence obtained in a manner that violates any right in the Bill of Rights must be excluded if the admission of that evidence would render the trial unfair or otherwise be detrimental to the administration of justice.

42. The Constitutional provisions are:

    Section 36. Limitation of rights

    (1) The rights in the Bill of Rights may be limited only in terms of law of general application to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom, taking into account all relevant factors, including
        (a) the nature of the right;
        (b) the importance of the purpose of the limitation;
        (c) the nature and extent of the limitation;
        (d) the relation between the limitation and its purpose; and
        (e) less restrictive means to achieve the purpose.

    (2) Except as provided in subsection (1) or in any other provision of the Constitution, no law may limit any right entrenched in the Bill of Rights.

    Section 39 Interpretation of Bill of Rights

    (1) When interpreting the Bill of Rights, a court, tribunal or forum
        (a) must promote the values that underlie an open and democratic society based on human dignity, equality and freedom;
        (b) must consider international law; and
        (c) may consider foreign law.

    (2) When interpreting any legislation, and when developing the common law or customary law, every court, tribunal or forum must promote the spirit, purport and objects of the Bill of Rights.

    (3) The Bill of Rights does not deny the existence of any other rights or freedoms that are recognised or conferred by common law, customary law or legislation, to the extent that they are consistent with the Bill.

43. See Amabhungane at paras 2–3.

44. See Amabhungane at para 43.

45. The Court considered the jurisprudence of the European Court of Human Rights, which recognises a post-surveillance model that complies with article 8 of the European Convention on Human Rights. It also found that in Germany, as in the USA and Japan, a right to notification is mandatory when it is safe to do so. See Klass v Germany ECHR [1978] 5029/71 and Weber & Saravia v Germany [2008] 46 EHRR SES; [2006] ECHR 1173 at [51] and at [133–135]. In Russia, however, there is no such right, and so in the case of Zakharov it was held to be in violation of Article 8. See Zakharov v Russia [2016] 63 EHRR 17 at [289]–[291] and [298]–[302].

46. See Amabhungane at para 51.

47. See Amabhungane at para 51.

48. See Amabhungane at para 53.

49. Section 1 of RICA defines a designated judge as “any judge of a High Court discharged from active service… or any retired judge, who is designated by the Minister [of the administration of justice or state security] to perform the functions of a designated judge for purposes of this Act.”

50. See Amabhungane at para 61.

51. See Amabhungane at paras 70–1.

52. See Amabhungane at para 72.

53. See Amabhungane at para 82.

54. See Amabhungane at para 89.

55. See Amabhungane at paras 94–5.

56. See Amabhungane at para 26.

57. See Amabhungane at paras 110–2.

58. See Amabhungane at paras 114–128.

59. See Amabhungane at para 140.

60. See Department of Defence (2015a, b) <http://www.dod.mil.za/documents/annualreports/DoD%20Annual%20Performance%20Strat%20Plan%202403.pdf>. Accessed 30 September 2019.

61. See Second Line of Defence (2018) at 1.

62. See National Cybersecurity Policy Framework (2012) at 94.

63. See National Cybersecurity Policy Framework (2012) at 76.

64. See Sutherland (2017) at 93.

65. See National Cybersecurity Policy Framework (2012) at 25.

66. See Cybersecurity Hub at <https://www.cybersecurityhub.gov.za/>. Accessed 30 October 2019.

67. See National Cybersecurity Policy Framework (2012) at 18.

68. See National Cybersecurity Policy Framework (2012) at 19.

69. See Baseline Cybersecurity readiness report (2012) at 5.

70. See Baseline Cybersecurity readiness report (2012) at 10.

71. See Baseline Cybersecurity readiness report (2017) at 13.

72. See Baseline Cybersecurity readiness report (2017) at 5.

73. See Baseline Cybersecurity readiness report (2017) at 27.

74. The ISO 27001 family of standards sets out best practices and recommendations for information security management and risk management through security controls. These standards have a wide scope which covers confidentiality, privacy and the technical aspects of cybersecurity. They can also be applied to organisations of different sizes and industries. See <https://www.iso.org/isoiec-27001-information-security.html>. Accessed 30 October 2019.

75. The NIST standards are also popular amongst international organisations. They were created in a collaborative effort between industry and governments. They entail guidelines, standards and practices which are aimed at protecting critical information infrastructure. See <https://www.nist.gov/cyberframework>. Accessed 30 October 2019.

76. The SANS Institute serves as a resource for the security community. It seeks to aid in the development and implementation of security policies and guidelines for cybersecurity. It has a number of training programmes. See for example <https://cyber-defence.sans.org/>. Accessed 30 October 2019.

77. The South African Banking Risk Information Centre (SABRIC) is an example of an organisation that seeks to collect information and educate the financial services industry about the latest scams and fraudulent activities that affect them. See <https://www.sabric.co.za/>. Accessed 30 October 2019.

78. Cloud computing is defined as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage facilities, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Offshoring refers to “the storage and/or processing of data outside the borders of South Africa”.

79. No 94 of 1990.

80. See South African Reserve Bank Prudential Authority (2018a) at 1.

81. See Baseline Cybersecurity readiness report (2017) at 29.

82. See Baseline Cybersecurity readiness report (2017) at 31.

83. See Baseline Cybersecurity readiness report (2017) at 33.

84. See Baseline Cybersecurity readiness report (2017) at 32.

85. Employees can be threat actors either through a lack of skills and knowledge about cybersecurity or through active perpetration, such as fraud, leaking or theft of data.

86. See Baseline Cybersecurity readiness report (2017) at 41.

87. See Baseline Cybersecurity readiness report (2017) at 42.

88. See Baseline Cybersecurity readiness report (2017) at 42.

89. See Baseline Cybersecurity readiness report (2017) at 37.

90. See Baseline Cybersecurity readiness report (2017) at 37.


Annex

6.1.1 Country Report: South Africa

  1. Data Protection

  • Scope

  • 1. What national laws (or other type of normative acts) regulate the collection and use of personal data?

The Electronic Communications and Transactions Act, 25 of 2002 (ECTA). The Protection of Personal Information Act 4 of 2013 (POPIA).

  • 2. Is the country a part of any international data protection agreement?

No.

  • 3. What data is regulated?

Section 4 of ECTA provides that it applies in respect of data relating to economic transactions which are defined as transactions of either a commercial or non-commercial nature, and includes the provision of information and e-government services. It also applies to data messages which are defined as data generated, sent, received or stored by electronic means.

POPI Act

Chapter 2, Section 3 “Application and interpretation of Act” explains that the POPI Act applies to the processing of personal information.

  • 4. Are there any exemptions?

ECTA does not apply to any data which falls outside the definition of electronic transactions and data messages.

Chapter VIII of the Act provides for the protection of personal information which is limited to personal information which has been obtained through electronic transactions. Section 51(2) provides that a data controller may not electronically request, collect, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.

  • 5. To whom do the laws apply?

This law was created for the public interest. The Act seeks to regulate electronic transactions between consumers, private and public bodies, institutions and citizens (Section 2(1)(g) of ECTA).

It also seeks to promote SMMEs (Small, medium and Micro-sized Enterprises) within the electronic transactions environment. (Section 2(1)(p) of ECTA).

Chapter 2 section 3 of POPIA

Applies to responsible party domiciled in South Africa and if not domiciled in South Africa, which makes use of automated or non-automated means in South Africa.

  • 6. Do the laws apply to foreign entities that do not have physical presence in the country?

Not directly. According to the rules of jurisdiction of the courts, a foreign entity would be held liable only in so far as the effects of its conduct are felt in the Republic.

However, any service provider offering products or services in a foreign jurisdiction must be accredited and authenticated by the Minister.

  • Definitions

  • 7. How are personal data defined?

ECTA Definitions

“personal information” means information about an identifiable individual, including, but not limited to:

  (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the individual;

  (b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;

  (c) any identifying number, symbol, or other particular assigned to the individual;

  (d) the address, fingerprints or blood type of the individual;

  (e) the personal opinions, views or preferences of the individual, except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual;

  (f) correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

  (g) the views or opinions of another individual about the individual;

  (h) the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual, but excluding the name of the other individual where it appears with the views or opinions of the other individual; and

  (i) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual, but excludes information about an individual who has been dead for more than 20 years;

POPIA

Personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person including, but not limited to:

  (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

  (b) information relating to the education or the medical, financial, criminal or employment history of the person;

  (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

  (d) the biometric information of the person;

  (e) the personal opinions, views or preferences of the person;

  (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

  (g) the views or opinions of another individual about the person; and

  (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

  • 8. Are there special categories of personal data (e.g. sensitive data)?

POPIA Part B: Processing of special personal information

Section 26 of POPIA provides:

A responsible party may, subject to section 27, not process personal information concerning:

  (a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or

  (b) the criminal behaviour of a data subject to the extent that such information relates to:

    (i) the alleged commission by a data subject of any offence; or

    (ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

  • Section 28: Authorisation concerning data subject’s religious or philosophical beliefs

  • Section 29: Authorisation concerning data subject’s race or ethnic origin

  • Section 30: Authorisation concerning data subject’s trade union membership

  • Section 31: Authorisation concerning data subject’s political persuasion

  • Section 32: Authorisation concerning data subject’s health and sex life.

  • Section 33: Authorisation concerning data subject’s criminal behaviour or biometric information.

  • 9. How is the data controller and the data processor/operator defined?

ECTA Definition

  • “data controller” means any person who electronically requests, collects, collates, processes or stores personal information from or in respect of a data subject;

  • “data subject” means any natural person from or in respect of whom personal information has been requested, collected, collated, processed or stored, after the commencement of this Act;

POPIA Definitions

Information officer of, or in relation to, a:

  (a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or

  (b) private body means the head of a private body as contemplated in section 1

of the Promotion of Access to Information Act.

Operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

  • 10. What are the data protection principles and how are they defined?

POPIA provides for eight conditions for lawful processing of personal information.

Condition 1: Accountability

  • Section 8: Responsible party to ensure conditions for lawful processing.

The responsible party must ensure that the conditions set out in this chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.

Condition 2: Processing limitation

  • Section 9: Lawfulness of processing.

Personal information must be processed (a) lawfully and (b) in a reasonable manner that does not infringe the privacy of the data subject

  • Section 10: Minimality

Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

  • Section 11: Consent, justification and objection

  • Section 12: Collection directly from data subject

Condition 3: Processing limitation

  • Section 13: Collection for specific purpose

  • Section 14: Retention and restriction of records

Condition 4: Purpose specification

  • Section 15: Further processing to be compatible with purpose of collection

Condition 5: Information quality

  • Section 16: Quality of information

Condition 6: Openness

  • Section 17: Documentation

  • Section 18: Notification to data subject when collecting personal information

Condition 7: Security safeguards

  • Section 19: Security measures on integrity and confidentiality of personal information

  • Section 20: Information processed by operator or person acting under authority

  • Section 21: Security measures regarding information processed by operator

  • Section 22: Notification of security compromises

Condition 8: Data subject participation

  • Section 23: Access to personal information

  • Section 24: Correction of personal information

  • Section 25: Manner of Access

  • 11. Does the law provide any specific definitions with regards to data protection in the digital sphere?

Chapter VIII of ECTA

Section 50(1) provides that these provisions only apply to personal information that has been obtained through electronic transactions.

  • Rights

  • 12. Is the data protection law based on fundamental rights (defined in Constitutional law or International binding documents)?

The ECTA does not specify any fundamental rights as a legal basis.

POPIA is based on the right to privacy enshrined in Section 14 of the Constitution of the Republic of South Africa, 1996.

  • 13. What are the rights of the data subjects according to the law?

The rights of the data subject in POPIA are described in terms of the obligations of the data controller, therefore see below.

  • Section 5: Rights of the data subject

Chapter 8: Rights of Data subjects regarding Direct marketing by means of unsolicited electronic communications, directories and automated decision making

  • Section 69 Direct Marketing by means of unsolicited electronic communication

  • Section 70 Directories

  • Section 71 Automated Decision making

  • 14. What are the obligations of the controllers and processors/operators?

Principles for electronically collecting personal information

Section 51 of ECTA

  (1) A data controller must have the express written permission of the data subject for the collection, collation, processing or disclosure of any personal information on that data subject unless he or she is permitted or required to do so by law.

  (2) A data controller may not electronically request, collect, collate, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.

  (3) The data controller must disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored.

  (4) The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject, unless he or she is permitted or required to do so by law.

  (5) The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of the personal information and the specific purpose for which the personal information was collected.

  (6) A data controller may not disclose any of the personal information held by it to a third party, unless required or permitted by law or specifically authorised to do so in writing by the data subject.

  (7) The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of any third party to whom the personal information was disclosed and of the date on which and the purpose for which it was disclosed.

  (8) The data controller must delete or destroy all personal information which has become obsolete.

  (9) A party controlling personal information may use that personal information to compile profiles for statistical purposes and may freely trade with such profiles and statistical data, as long as the profiles or statistical data cannot be linked to any specific data subject by a third party.

Chapter 3

(see above)

  • 15. Is notification to a national regulator or registration required before processing data?

ECTA does not require prior notification or registration. According to Chapter 6, section 57 of POPI Act one must obtain prior authorisation. Section 55(1) of POPI Act also establishes duties and responsibilities for the Information Regulator.

  • 16. Does the law require privacy impact assessment to process any category of personal data?

Not directly; however, section 40(1)(b)(vi) of POPIA provides that the duties, powers and functions of the Regulator include monitoring and enforcing compliance by conducting an assessment in respect of the processing of personal information by a private or public body for the purpose of ascertaining whether or not the information is processed according to the conditions for the lawful processing of personal information.

  • 17. What conditions must be met to ensure that personal data are processed lawfully?

See answer for question 10 above.

  • 18. What are the conditions for the expression of consent?

    • Section 11 of POPI Act provides for the measures to be taken regarding consent, justification and objection to collection of personal data.

    • Section 51(4) of ECTA: The express written permission of the data subject is required unless the data controller is required or permitted to handle the data subject’s data by law.

(4) The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject, unless he or she is permitted or required to do so by law.

  • 19. If the law foresees special categories of data, what are the conditions to ensure the lawfulness of processing of such data?

Sections 26–33 (Chapter 3, Part B) of POPI Act provide for the measures to be taken when processing special personal information.

  • 20. What are the security requirements for collecting and processing personal data?

Condition 7 in sections 19–22 (Chapter 3) of POPI Act provides for the security safeguards for processing personal information which includes protecting the confidentiality and integrity of personal information.

ECTA Definitions

(Chapter VIII) Section 51(5) The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of the personal information and the specific purpose for which the personal information was collected.

(Chapter VIII) Section 51(8) The data controller must delete or destroy all personal information which has become obsolete.

  • 21. Is there a requirement to store certain types of personal data inside the jurisdiction?

Chapter 9 of POPI provides for transfers of personal information outside of the Republic. It provides in section 72 that a responsible party may not transfer personal information about a data subject to a third party who is in a foreign country unless it meets certain requirements set out in the section.

A responsible party may not transfer personal information outside South Africa to a foreign third party unless the third party is subject to law, corporate rules or binding agreements which afford the data subject protection, or:

  • Data subject consents;

  • Transfer is necessary for performance of a contract etc;

  • Transfer is for the benefit of the data subject.

  • 22. What are the requirements for transferring data outside the national jurisdiction?

See answer to question 21.

  • 23. Are data transfer agreements foreseen by the law?

Yes, Section 72: Binding corporate rules/binding agreements with an adequate level of protection.

  • 24. Does the relevant national regulator need to approve the data transfer agreements?

Yes, section 57 of POPIA provides for circumstances where a responsible party would be required to obtain prior authorisation from the Regulator in terms of section 58.

  • 25. What are the sanctions and remedies foreseen by the law for not complying with the obligations?

Chapter 11 of POPIA provides for offences, penalties and administrative fines as contained in sections 100-109.

  • Actors

  • 26. What actors are responsible for the implementation of the data protection law?

The ECTA envisions cyber inspectors; however, they are not created specifically for matters relating to data protection.

Section 39 of POPIA provides for the establishment of the Information Regulator.

  • 27. What is the administrative structure of actors responsible for the implementation of the data protection law (e.g. independent authority, executive agency, judiciary)?

The Minister of the Department of Telecommunications and Postal Services.

Section 39 of POPIA

The Information Regulator is an independent juristic person subject only to the Constitution and to the law. The Information Regulator must be impartial and perform its functions and exercise its powers without fear, favour or prejudice.

It must exercise and perform its functions in accordance with POPIA and the Promotion of Access to Information Act.

It is accountable to the National Assembly.

  • 28. What are the powers of the actors responsible for the implementation of the data protection law?

The Minister is responsible for overseeing all aspects of the ECT Act. His or her powers and duties are provided for in chapter II of ECTA.

Sections 5–9: The Minister must develop and implement a national e-strategy.

Section 40 of POPIA

Section 40 provides that the powers, duties and functions of the Regulator in terms of the Act are:

  (a) to provide education...

  (b) to monitor and enforce compliance...

  (c) to consult with interested parties…

  (d) to handle complaints…

  (e) to conduct research and to report to Parliament…

  (f) to administrate codes of conduct;

  (g) to facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation;

  (h) to perform any general functions incidental or conducive to the preceding functions.

2. Consumer Protection

  • Scope

  • 29. What national laws (or other type of normative acts) regulate consumer protection?

Electronic Communications and Transactions Act, 2002.

National Consumer Protection Act, 68 of 2008.

  • 30. Is the country a party of any international consumer protection agreement?

No.

  • 31. To whom do consumer protection laws apply?

Chapter VII of the ECTA makes provision for consumer protection. Section 42 sets out the scope of application. It applies mostly to suppliers of consumer goods and services as well as to the consumers.

  • 32. Do the laws apply to foreign entities that do not have physical presence in the country?

Section 47 of the ECTA provides that “the protection provided to consumers in this Chapter, applies irrespective of the legal system applicable to the agreement in question.”

Section 5(8) provides that the provisions in the CPA apply to a matter irrespective of whether the supplier resides or has principal office within or outside the Republic.

  • Definitions

  • 33. How is consumer protection defined?

It is not defined in the ECTA.

The term consumer protection is not defined.

  • 34. How are consumers defined?

    • “consumer” means any natural person who enters or intends entering into an electronic transaction with a supplier as the end user of the goods or services offered by that supplier;

    • “consumer”, in respect of any particular goods or services, means:

      (a) a person to whom those particular goods or services are marketed in the ordinary course of the supplier’s business;

      (b) a person who has entered into a transaction with a supplier in the ordinary course of the supplier’s business, unless the transaction is exempt from the application of this Act by section 5(2) or in terms of section 5(3);

      (c) if the context so requires or permits, a user of those particular goods or a recipient or beneficiary of those particular services, irrespective of whether that user, recipient or beneficiary was a party to a transaction concerning the supply of those particular goods or services; and

      (d) a franchisee in terms of a franchise agreement, to the extent applicable in terms of section 5(6)(b) to (e);

  • 35. How are providers and producers defined?

    • “certification service provider” means a person providing an authentication product or service in the form of a digital certificate attached to, incorporated in or logically associated with a data message;

    • “producer”, with respect to any particular goods, means a person who:

      (a) grows, nurtures, harvests, mines, generates, refines, creates, manufactures or otherwise produces the goods within the Republic, or causes any of those things to be done, with the intention of making them available for supply in the ordinary course of business; or

      (b) by applying a personal or business name, trademark, trade description or other visual representation on or in relation to the goods, has created or established a reasonable expectation that the person is a person contemplated in paragraph (a);

    • “importer”, with respect to any particular goods, means a person who brings those goods, or causes them to be brought, from outside the Republic into the Republic, with the intention of making them available for supply in the ordinary course of business;

    • “distributor”, in relation to any particular goods, means a person who, in the ordinary course of business: (a) is supplied with those goods by a producer, importer or other distributor; and (b) in turn, supplies those goods to either another distributor or to a retailer.

  • 36. Does the law provide any specific definitions with regards to consumer protection in the digital sphere?

The focus of the provision is to protect consumers in electronic transactions, regardless of which goods or services are sold or bought online.

There are no provisions specific to consumer protection in the definition. The CPA applies to all transactions therefore it would be understood that the rights enjoyed in the ‘terrestrial’ sphere would be enjoyed in the digital sphere.

  • Rights

  • 37. Is the consumer protection law based on fundamental rights (defined in Constitutional law or International binding documents)?

The ECTA has not specified any fundamental rights.

The preamble of the CPA provides that it seeks to redress the injustices of Apartheid by developing and employing innovative means to:

  (a) fulfil the rights of historically disadvantaged people and to promote their full participation as consumers;

  (b) protect the interests of all consumers, ensure accessible, transparent and efficient redress for consumers who are subjected to abuse or exploitation in the marketplace; and

  (c) to give effect to internationally recognised customer rights;

  • 38. What are the rights of the consumer defined by the law with reference to digital good and services?

The ECTA makes provisions for goods and services purchased through electronic transactions.

Section 43(2)

The consumer has the right to review the entire electronic transaction; to correct any mistakes; to withdraw from the transaction, before finally placing any order.

Section 43(3)

If the supplier does not provide the consumer with the information provided for in section 43(1) and the opportunity provided for in section 43(2), the consumer has the right to cancel the transaction within 14 days of receiving the goods or services under the transaction.

Section 44(1)

It provides that a consumer is entitled to a cooling off period which means that he or she has the right to cancel without reason and without penalty any transaction and any related credit agreement for the supply of goods or services within seven days of conclusion of the agreement.

The consumer is also entitled to a full refund within 30 days of cancellation if the consumer made the payment before he or she could exercise the right of a cooling off period.

However, these rights do not apply to electronic transactions specified in section 42.

The CPA does not have specific provisions for digital goods and services therefore it is understood that all the rights that are afforded in the terrestrial sphere will be afforded to digital services.

Chapter 2: Fundamental Consumer Rights

  • Part A: Right of equality in consumer market

  • Part B: Consumer’s right to privacy

  • Part C: Consumer’s right to choose

  • Part D: Right to disclosure and information

  • Part E: Right to fair and responsible marketing

  • Part F: Right to fair and honest dealing

  • Part G: Right to fair, just and reasonable terms and conditions

  • Part H: Right to fair value, good quality and safety

  • Part I: Supplier’s accountability to consumers

  • 39. Is consumer protection law applicable to users of zero price service i.e. free of charges?

ECTA does not provide for this.

The CPA speaks of free goods and services only within the context of “promotional offers”.

“promotional offer” means an offer or promise, expressed in any manner, of any prize, reward, gift, free good or service, price reduction or concession, enhancement of quantity or quality of goods or services, irrespective of whether or not acceptance of the offer is conditional on the offeree entering into any other transaction.

  • Obligations and Sanctions

  • 40. Does the law establish specific security requirements to provide digital services or goods?

ECTA does not have specific security requirements but it does oblige the supplier to provide certain information provided for in section 43.

The CPA does not have specific provisions for digital goods and services therefore it is understood that all the rights that are afforded in the terrestrial sphere will be afforded to digital services.

  • 41. What are the sanctions and remedies foreseen by the law for not complying with the obligations?

Penalties

Section 111 of the CPA provides:

  (1) Any person convicted of an offence in terms of this Act is liable:

(a) in the case of a contravention of section 107 (1), to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and imprisonment; or

(b) in any other case, to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and imprisonment.

  (2) Despite anything to the contrary contained in any other law, a Magistrate’s Court has jurisdiction to impose any penalty provided for in subsection (1).

Administrative fines

Section 112

  (1) The Tribunal may impose an administrative fine in respect of prohibited or required conduct.

  (2) An administrative fine imposed in terms of this Act may not exceed the greater of:

    (a) 10% of the respondent’s annual turnover during the preceding financial year; or

    (b) R1 000 000.

  (3) When determining an appropriate administrative fine, the Tribunal must consider the following factors:

    (a) the nature, duration, gravity and extent of the contravention;

    (b) any loss or damage suffered as a result of the contravention;

    (c) the behaviour of the respondent;

    (d) the market circumstances in which the contravention took place;

    (e) the level of profit derived from the contravention;

    (f) the degree to which the respondent has co-operated with the Commission and the Tribunal; and

    (g) whether the respondent has previously been found in contravention of this Act.

  (4) For the purpose of this section, the annual turnover of a supplier at the time when an administrative fine is assessed, is the total income of that supplier during the immediately preceding year, as determined in the prescribed manner.

  (5) A fine payable in terms of this section must be paid into the National Revenue Fund referred to in section 213 of the Constitution.

  • Actors

  • 42. What bodies are responsible for the implementation of the consumer protection law?

ECTA does not provide for specific bodies but the CPA does.

Chapter 5: National Consumer Protection Institutions

  • Part B: Establishment of National Consumer Commission

  • Part C: Functions of Commission

  • 43. Is there a specific consumer protection body? If so, what is its administrative structure?

There is none under ECTA.

  • Section 85: (1) The National Consumer Commission is hereby established as an organ of state within the public administration, but as an institution outside the public service.

  • 44. What are the powers of the bodies responsible for the implementation of the consumer protection law?

None are specified.

Chapter 5

Part C: Functions of Commission

  • Section 92: General provisions concerning Commission functions;

  • Section 93: Development of codes of practice relating to Act;

  • Section 94: Promotion of legislative reform;

  • Section 95: Promotion of consumer protection within organs of state;

  • Section 96: Research and public information;

  • Section 97: Relations with other regulatory authorities;

  • Section 98: Advice and recommendations to Minister.

3. Cybercrime

  • Scope

  • 45. What national laws (or other type of normative acts) regulate cybercrime?

The Electronic Communications and Transactions Act, 25 of 2002 regulates a handful of cybercrimes.

Cybercrimes Bill B6B-2017

  • 46. Is the country a part of any international cybercrime agreement?

Signatory/observer to the Budapest Convention.

  • 47. What cybercrimes are regulated?

ECTA provides for cybercrimes in sections 86, 87 and 88.

  • Section 86: Unauthorised access to, interception of or interference with data

  • Section 87: Computer-related extortion, fraud and forgery

  • Section 88: Attempt, and aiding and abetting

The Cybercrimes Bill provides for cybercrime in sections 2 to 16.

  • Section 2: Unlawful access

  • Section 3: Unlawful interception of data

  • Section 4: Unlawful acts in respect of software or hardware tool

  • Section 5: Unlawful interference with data or computer program

  • Section 6: Unlawful interference with a computer data storage medium or computer system

  • Section 7: Unlawful acquisition, possession, provision, receipt or use of password, access code or similar data or device

  • Section 8: Cyber fraud

  • Section 9: Cyber forgery and uttering

  • Section 10: Cyber extortion

  • Section 11: Aggravated offences

  • Section 12: Theft of incorporeal property

  • Section 13: Definitions

  • Section 14: Data message which incites damage to property or violence

  • Section 15: Data message which threatens persons with damage to property or violence

  • Section 16: Distribution of data message of intimate image

  • 48. To whom do the laws apply?

The provision refers to a person which is defined as including a public body.

Any person who commits offences in chapter 2.

  • 49. Do the laws apply to foreign entities that do not have physical presence in the country?

Yes, in accordance with ordinary criminal law and the principles of jurisdiction.

  • Definitions

  • 50. How is cybercrime generally defined by the national law?

A single definition of cybercrime is not provided in either the Cybercrimes Bill or the ECTA.

  • 51. What are the cybercrimes provided for by the law and how are they defined?

ECTA defines:

  • Section 85: “access” includes the actions of a person who, after taking note of any data, becomes aware of the fact that he or she is not authorised to access that data and still continues to access that data.

  • Section 86: Unauthorised access to, interception of or interference with data.

    (1) Subject to the Interception and Monitoring Prohibition Act, 1992 (Act No. 127 of 1992), a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence.

    (2) A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence.

    (3) A person who unlawfully produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item to contravene this section, is guilty of an offence.

    (4) A person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence.

    (5) A person who commits any act described in this section with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial, of service to legitimate users is guilty of an offence.

  • Section 87: Computer-related extortion, fraud and forgery

    (1) A person who performs or threatens to perform any of the acts described in section 86, for the purpose of obtaining any unlawful proprietary advantage by undertaking to cease or desist from such action, or by undertaking to restore any damage caused as a result of those actions, is guilty of an offence.

    (2) A person who performs any of the acts described in section 86 for the purpose of obtaining any unlawful advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were authentic, is guilty of an offence.

  • Section 88: Attempt, and aiding and abetting

    (1) A person who attempts to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89 (1) or (2), as the case may be.

    (2) Any person who aids and abets someone to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89 (1) or (2), as the case may be.

NB These provisions will be repealed by the Cybercrimes Bill if/when it comes into force.

The Cybercrimes Bill provides for the cybercrimes in Chapter 2.

  • 52. How is a computer system defined?

ECTA does not define it. The Cybercrimes Bill defines it in:

Chapter 1, Section 1:

“computer system” means:

  (a) one computer; or

  (b) two or more inter-connected or related computers, which allow these inter-connected or related computers to:

    (i) exchange data or any other function with each other; or

    (ii) exchange data or any other function with another computer or a computer system;

  • 53. How are computer data defined?

The definitions in the Cybercrimes Bill are:

  • “data” means electronic representations of information in any form;

  • “data message” means data generated, sent, received or stored by electronic means and includes: (a) voice, where the voice is used in an automated transaction; and (b) a stored record;

There is a definition of “computer data storage medium”

Chapter 1, Section 1:

“computer data storage medium” means any device or location from which data or a computer program is capable of being reproduced or on which data or a computer program is capable of being stored by a computer system, irrespective of whether the device is physically attached to or connected with the computer system;

  • 54. How are forensic data defined?

ECTA does not define Forensic Data.

It is not defined in the Cybercrimes Bill.

  • 55. How are service providers defined?

ECTA does not define service provider.

The Cybercrimes Bill only defines an electronic communication service provider.

Electronic communications service provider means any person who provides an electronic communications service under and in accordance with an electronic communications service licence issued to such person under Chapter 3 of the Electronic Communications Act, 2005 (Act No. 36 of 2005), or who is deemed to be licensed or exempted from being licensed as such in terms of the Electronic Communications Act, 2005;

  • 56. Does the national law provide any other definitions instrumental to the application of cybercrime legislation?

    • “information system” means a system for generating, sending, receiving, storing, displaying or otherwise processing data messages and includes the Internet;

    • “Internet” means the interconnected system of networks that connects computers around the world using the TCP/IP and includes future versions thereof.

    • “computer” means any electronic programmable device used, whether by itself or as part of a computer system or any other device or equipment, or any part thereof, to perform predetermined arithmetic, logical, routing, processing or storage operations in accordance with set instructions and includes any data, computer program or computer data storage medium that are related to, connected with or used with such a device;

    • “computer data storage medium” means any device from which data or a computer program is capable of being reproduced or on which data or a computer program is capable of being stored, by a computer system, irrespective of whether the device is physically attached to or connected with a computer system;

    • “computer program” means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function;

    • “computer system” means:

      (a) one computer; or

      (b) two or more inter-connected or related computers, which allow these inter-connected or related computers to:

        (i) exchange data or any other function with each other; or

        (ii) exchange data or any other function with another computer or a computer system.

  • 57. Is there a way that cybercrimes can jeopardize the national security of a country?

An early version of the Cybercrimes Bill (the Cybercrimes and Cybersecurity Bill) had provisions dedicated to addressing the national cybersecurity risks of cybercrime. See the section on cyberdefence below.

  • Rights

  • 58. Is the cybercrime law based on fundamental rights (defined in Constitutional law or International binding documents)?

ECTA does not specify one.

The Cybercrimes Bill has not specified one nor is one immediately clear from the Constitution of the Republic of South Africa, 1996.

  • 59. What are the rights of the victim and the accused?

ECTA Act does not specify them.

The Cybercrime Bill provides for rights and protections as consistent with the criminal law of South Africa.

  • Procedures

  • 60. Is there a specific procedure to identify, analyse, relate, categorize, assess and establish causes associated with forensic data regarding cybercrimes?

The Cybercrimes Bill does not provide specific procedures for this however, it provides in section 55 that the cabinet minister responsible for policing must (a) establish and maintain sufficient human and operational capacity to detect, prevent and investigate cybercrimes; (b) ensure that members of the South African Police Service receive basic training in aspects relating to the detection, prevention and investigation of Cybercrimes.

  • 61. In case of transnational crimes, how is cooperation between the national law enforcement agency and the foreign agents regulated?

ECTA does not provide for that but it refers to the general provisions for jurisdiction of the courts (Section 90).

Chapter 6 of the Cybercrimes Bill provides for Mutual assistance.

  • 62. Are there any exceptions to the use of mutual legal assistance procedure to investigate the crime?

ECTA does not provide for Mutual Legal Assistance.

Chapter 5 of the Cybercrimes Bill provides for mutual assistance.

National Executive may enter into agreements

57. (1) The National Executive may enter into any agreement with any foreign State regarding:

(a) the provision of mutual assistance and cooperation relating to the investigation and prosecution of… [the offences provided for in the Cybercrimes Bill]

This includes exceptions in accordance with the ordinary principles of mutual assistance.

  • 63. Does the national law require the use of measures to prevent cybercrimes? If so, what are they?

Neither legislation provides for specific preventative measures that should be taken regarding cybercrime.

  • Obligations and Sanctions

  • 64. What obligations do law enforcement agencies have to protect the data of the suspect, the accused and the victim?

Chapter 5 of the Cybercrimes Bill provides for the powers to investigate, search and access or seize. The duties and responsibilities of law enforcement are outlined in this chapter.

  • 65. What are the duties and obligations of the National Prosecuting Authorities in cases of cybercrime?

The general rules pertaining to the National Prosecution Authority would apply. The prosecutor must carefully check the legality of the initiation of criminal cases and evaluate the submitted materials.

Section 52(5) The National Director of Public Prosecutions must make available members of the National Prosecuting Authority:

  (a) who have particular knowledge and skills in respect of any aspect dealt with in this Act; and

  (b) to whom a security clearance has been issued by the State Security Agency in terms of section 2A of the National Strategic Intelligence Act, 1994, to the satisfaction of the National Director of Public Prosecutions, to provide legal assistance to the designated Point of Contact as may be

National Director of Public Prosecutions must keep statistics of prosecutions

56. (1) The National Director of Public Prosecutions must keep statistics of the number of prosecutions instituted in terms of Part I or Part II of Chapter 2, the outcome of such prosecution and any other information relating to such prosecutions, which is determined by the Cabinet member responsible for the administration of justice. (2) The statistics or information contemplated in subsection (1) must be included in the report of the National Director of Public Prosecutions referred to in section 22(4)(g) of the National Prosecuting Authority Act, 1998.

  • 66. Does the law impose any obligations on service providers in connection with cybercrime?

Chapter 9

S54 Electronic communication service providers or financial institutions that become aware that their systems are involved in the commission of any offences in the Cybercrimes Bill are obligated to report offences no later than within 72 hours. They must also preserve evidence as far as possible.

  • 67. To which extent can a legal person be held liable for actions in connection with cybercrimes?

ECTA applies to “a person” which is defined to include a public body. Presumably, the ordinary meaning of a person is understood to apply, which is both a natural and a juristic person.

In the Cybercrimes Bill, “person” means a natural or juristic person (section 1). Penalties (sections 14 and 22) apply to persons.

  • Actors

  • 68. What bodies implement the cybercrime legislation?

Sections 80–84: the Cyber Inspector, provided for in Chapter XII of ECTA.

s26 (1) The Cabinet member responsible for policing, in consultation with the National Commissioner, the National Head of the Directorate, the National Director of Public Prosecutions and the Cabinet member responsible for the administration of Justice.

  • 69. Is there a special public prosecutor office for cybercrime? If so, how is it organised?

There is no special public prosecutor office. The Cabinet member responsible for policing is required to work closely with the National Director of Public Prosecutions for all matters relating to public prosecutions of cybercrime. For example, see –

  • 70. Does the cybercrime legislation create any specific body?

Chapter 10, Section 53

Cyber response committee

Chapter _ Section _ Designated Point of Contact

4. Public Order

  • Definitions

  • 71. How are public order, threats to public order and the protection of public order defined?

RICA concerns electronic communications surveillance. It does not refer to anything related to public order.

  • 72. Is the protection of public order grounded in constitutional norms?

------

  • 73. What kind of measures are foreseen to limit constitutional and legal rights?

Cybersecurity incident management system…social management systems [e.g. social unrest management/monitoring or surveillance]

  • 74. What measures are taken by the government to control mass gatherings of people?

Regulation of Gatherings Act (note Section 12(1)(a) is declared unconstitutional/invalid)

Proposed: Regulation of Gatherings Act Amendment Bill (not related to cybersecurity)

  • 75. What public authorities are responsible for implementation of the surveillance techniques?

------

  • 76. What are the right and obligations of these public authorities?

------

  • 77. On what legal grounds non-governmental actors could perform mass surveillance?

A telecommunication service provider must store communication-related information (30(1) RICA).

  • 78. Is the execution of the measures adopted in such cases delegated to private intermediaries or implemented by public bodies, and what are the responsibilities of those private bodies?

------

5. Cyberdefence

  • Scope

  • 79. Is there a national cyberdefence strategy or is cyberdefence mentioned in the national defence strategy?

The Cyberwarfare Strategy is still being developed. Once developed, it will be presented to the Justice, Crime Prevention and Security (JCPS) Cluster Ministers for approval. It is earmarked for approval and partial implementation in the 2018/2019 fiscal year.

  • 80. What is the legal status of the national defence or cyberdefence strategy?

It is still being developed.

  • 81. What national laws or other normative acts regulate cyberdefence in the country?

None.

  • 82. Is the country party of any international cooperation agreement in the sphere of cyberdefence?

No.

  • 83. Does the national cyberdefence strategy provide for retaliation?

The Department of Defence Annual Performance Plan (2017) states that it is aligned with the national policy regarding South Africa’s posture and capabilities related to offensive information warfare actions.

  • 84. Is there any specific framework regulating critical infrastructure?

The National Critical Infrastructure Bill.

  • Definitions

  • 85. How are national security and national defence defined?

Not defined in the NCPF.

  • 86. How are cybersecurity and cyberdefence defined?

    • “Cybersecurity” is the practice of making the networks that constitute cyberspace secure against intrusions, maintaining confidentiality, availability and integrity of information, detecting intrusions and incidents that do occur, and responding to and recovering from them.

    • “Cyberdefence” is not defined.

  • 87. How are threats to national security and cyberthreats defined?

There is no single definition.

  • 88. How is a cyberattack defined?

NCPF does not include a definition of cyberattack.

  • 89. Does the national law provide any other definitions instrumental to the application of cyberdefence legislation?

NCPF Definitions

  • “Cyber warfare” means actions by a nation/state to penetrate another nation’s computers and networks for purposes of causing damage or disruption.

  • “Cyber espionage” means the act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary or of classified nature), from individuals, competitors, rivals, groups, Governments and enemies for personal, economic, political or military advantage.

  • “Cyber terrorism” means use of Internet-based attacks in terrorist activities by individuals and groups, including acts of deliberate large-scale disruptions of computer networks, especially computers attached to the Internet, by means of tools such as computer viruses.

  • “Cyberspace” means a physical and non-physical terrain created by and/or composed of some or all of the following

  • National Framework

  • 90. Is cyberdefence grounded on the constitutional provisions and/or international law?

It is not stated.

  • 91. Which specific national defence measures are related to cybersecurity?

The Cybersecurity strategy is still being developed.

  • 92. Is there a national defence doctrine and does the law or strategy refer to it?

National cyber security framework, introduction 1.1.

  • 93. What measures are mentioned in the national law and strategy in order to implement cyberdefence?

Cyber-warfare

“In order to protect its interests in the event of a cyber-war, a cyber defence capacity has to be built. The NCPF thus promotes that a Cyber Defence Strategy, that is informed by the National Security Strategy of South Africa, be developed, guided by the JCPS Cybersecurity Response Committee.”

It says nothing more on the issue of cyberdefence.

  • 94. How can Internet users’ online activities be limited for the reasons of protection of national security and cyberdefence?

The NCPF does not specify this.

  • 95. Does the national law or strategy foresee any special regime to be implemented in case of emergency in the context of cyberdefence?

The NCPF does not.

  • Actors

  • 96. What actors are explicitly mentioned as playing a role regarding cyberdefence in the law or national cyber defence strategy or defence strategy?

The Department of Defence and Military Veterans (DOD&MV) has overall responsibility for coordination, accountability and implementation of cyber defence measures in the Republic as an integral part of its National defence mandate. To this end, the Department will develop policies and strategies pursuant to its core mandate.

  • 97. Is there a specific cyber defence body?

The NCPF envisions the implementation of the JCPS Cybersecurity Response Committee.

  • 98. What are the tasks of aforementioned actors?

They will presumably be specified in the National Cybersecurity Strategy.

Copyright information

© 2021 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Cite this chapter

Mabunda, S. (2021). Cybersecurity in South Africa: Towards Best Practices. In: Belli, L. (eds) CyberBRICS. Springer, Cham. https://doi.org/10.1007/978-3-030-56405-6_6

  • DOI: https://doi.org/10.1007/978-3-030-56405-6_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-56404-9

  • Online ISBN: 978-3-030-56405-6

  • eBook Packages: Law and Criminology, Law and Criminology (R0)