The Department of Justice and Constitutional Development (DOJCD) responded to the submissions on the Cybercrimes and Cybersecurity Bill dealing with general comments and Chapters 1 and 2 of the Bill.
Questions of clarity arising from the submissions and responses covered the current capacity for the 24/7 point of contact; the capacity within the South African Police Service (SAPS) to investigate cybercrime; the involvement of the South African National Defence Force (SANDF) intelligence in ensuring the protection of national security; requirements for appointing private persons to assist with the investigation of cybercrimes and whether security checks were carried out on them; general concerns around the appointment of private persons to assist SAPS in investigating cybercrime and the rationale behind the inclusion of such a provision in the Bill; the link between the provision for private persons to assist in cybercrime investigation and the continued incapacitation of SAPS in investigating this crime; who would be responsible for monitoring cyber activities for private entities, since it was submitted that the Bill did not provide the state with powers to carry out such monitoring; clarity on the existence of constitutional infringements in cybercrime investigation; an explanation for the limited cost implications of the Bill; the need for cybercrime and cybersecurity to be properly defined; whether the Bill provided for the interception of communications and how this should be dealt with; and whether the Critical Infrastructure Bill had been considered in drafting the Bill and how it impacted on the Cybercrimes and Cybersecurity Bill.
Cybercrimes and Cybersecurity Bill: Department responses to submissions
Ms Kalay Pillay, DOJCD Deputy Director General: Legislative Development, said DOJCD thought it necessary to respond to every comment made on the Bill, hence the bulky document. The Bill contained five major sections, focusing on: cybercrimes; malicious communications; processes (focusing on search and seizure, and international cooperation); structures (focusing on the cyber response committee); and the schedule (containing amendments to other legislation such as the Sexual Offences Act, particularly the provision on pornography).
One of the key points emanating from the comments was the Bill encroaching on the right to privacy. The Department dealt extensively with this. It referred to case law and international case law. Other points raised were the constitutionality of the search and seizure provisions; the cost of implementing the Bill; as well as the interaction of the Bill with other legislation such as the Critical Infrastructure Draft Bill, Hate Crimes Draft Bill, Protection from Harassment Act, Sexual Offences Act, and Film and Publication Act where it dealt with child pornography.
Mr Sarel Robbertse, DOJCD State Law Advisor, noted 40 submissions were received. Responses would be given on both oral and written submissions.
• On the capacity of forensic investigators, as well as capacity shortcomings foreseen by some people, the DOJCD response was that the National Cybersecurity Policy Framework (NCPF) and the Bill have made provision for the necessary development of capacity. Paragraph 12 of the NCPF specifically states that South Africa must develop the necessary capacity. Clause 54 of the Bill imposed obligations on various departments to acquire the necessary capacity and give effect to the mandate of such capacities. It imposed obligations on departments to develop specific training courses in cooperation with higher education institutions to train their members.
It should be noted that highly developed countries in the world suffer from capacity challenges for dealing with cybercrime and cybersecurity. Both America and the United Kingdom only recently came to terms with the capacity shortage. Chapter 5 of the Bill that dealt with these investigations provides that the police may make use of investigators (different from police officials) to assist with the investigation of cybercrimes. Reference was made to clauses 27(3), 30(3) and 31(4) of the Bill.
• The Open Democracy Advice Centre (ODAC) expressed a concern that the Bill gives significant powers to the Minister of State Security. DOJCD responded that no powers have been handed over to the Minister of State Security to infringe on privacy or communications per se. In terms of the National Strategic Intelligence Act, the State Security Agency (SSA) has a mandate to deal with critical infrastructure protection in South Africa. Although this empowerment was vague in that Act, Chapter 11 of the Bill dealt with critical information infrastructure and sets out the powers of the SSA in securing critical information infrastructure in South Africa. Clause 5 of the Bill established a Cyber Response Committee (CRC) that was given the task to implement the National Cybersecurity Policy Framework (NCPF). The CRC was chaired by the Director General of State Security and was made up of various departments with different constitutional mandates. Decisions are taken in the CRC on a consensus basis, due to departments having to protect their different constitutional mandates, which would in effect balance the operations of the CRC.
DOJCD therefore submitted that the Bill did not hand any powers to the Minister of State Security to interfere with communications, provide backdoors into systems or to intercept communications. Where any of these was done, it would amount to an offence by the SSA. However, the Regulation of Interception of Communications Act (RICA) existed to ensure that interception of communications only took place in terms of judicial authorisation.
• Media Monitoring Africa (MMA) raised concern about the lack of an overarching internet governance policy in South Africa to deal with how information rights could be infringed upon by other legislation. DOJCD replied that the Department of Telecommunications and Postal Services (DTPS) has enacted a comprehensive policy on this, known as the National Integrated ICT Policy. The policy dealt with the protection of information rights. The policy recognised the need to address cybercrime and to protect certain essential critical information infrastructure.
• Comments were received about the need for the Bill to deal with copyright infringement. DOJCD replied that the Bill was not aimed at dealing with copyright infringement at all. South Africa had a Copyright Act that dealt with copyright infringement. DOJCD submitted that the current Copyright Amendment Bill before Parliament should cater for copyright infringement, and not this Bill. This was because it was impossible to criminalise copyright infringement alone, as there were various policy issues that should be taken into consideration before dealing with such infringements.
• One of the service providers raised a concern about the cost of compliance of the Bill, as well as the capacity of the state to deal with structures established in Chapter 10 of the Act. The service provider said the Bill infringed the Protection of Personal Information Act (POPIA). DOJCD replied that the Bill would have cost implications for government and the private sector. However, it was important to take into account the current cost of cybercrime in South Africa, the negative results of it and the losses that have been suffered. Although there might be some cost implications for implementing the Bill, such costs would be very limited.
• On the concerns raised about right to privacy, DOJCD noted that the right to privacy was protected by POPIA. Although privacy was a constitutional right, courts have ruled that this right was not absolute and it lapsed with the expectation of society to be protected against crime. DOJCD therefore submitted that although POPIA provided for the right to privacy, this cannot be interpreted to override a criminal investigation.
• Deloitte raised a concern on the significant increase in cybercrime. This has been noted by DOJCD.
• On the comment that the Bill was not subject to a Socio-Economic Impact Assessment System (SEIAS) process, a certificate was signed off by the Department of Planning, Monitoring and Evaluation (DPME) confirming that the SEIAS had been done, and this was considered.
Ms Pillay clarified that the Socio-Economic Impact Assessment System was approved by Cabinet for implementation in 2015. It required all legislation to be subject to a socio-economic impact assessment, which meant that a Bill should be tested against its socio-economic impact. It required that the cost of compliance should be considered and a cost benefit analysis carried out. It was a new system that has been implemented, with which DOJCD fully complied. This had replaced the regulatory impact assessment done through National Treasury. A lot of departments had not complied fully with the regulatory impact assessment and government wants to avoid a repeat of putting legislation in place that cannot be implemented as its socio-economic impact is not fully understood. The SEIAS considered alignment with the National Development Plan (NDP), strategic goals and policy. The assessment was carried out based on a template already prepared by DPME that considered: cost benefit analysis; whether consultations have been done; and whether concerns raised during the consultation phase have been addressed. A document would be prepared with answers to those issues and a signed off certificate would be received from DPME. The process was two-fold: a preliminary SEIAS and a final SEIAS after the consultation phase. A sign off certificate would be received for each of those phases. The sign off certificate was similar to the certification of a Bill given by a state law adviser. Stringent mechanisms have been put in place to ensure compliance by all departments, and no Bill can pass through Cabinet without the SEIAS.
Mr Robbertse noted that it was part of the SEIAS requirement that public consultation be carried out on the Bill. The Bill was extensively consulted upon over a period of more than a year. Concerns had been raised about onerous standards and the regulatory impact assessment. This has been addressed by Ms Pillay.
• All Rise welcomed the development on cyber harassment and recommended that public education should take place. DOJCD responded that the usual process after a Bill has been implemented was to embark on public awareness campaigns on the Bill as a whole, as well as on specific clauses in which the public has interest. Awareness campaigns were carried out on the Domestic Violence Act and the Protection from Harassment Act. DOJCD would engage in extensive awareness particularly on malicious communications.
• A concern was raised that the Bill had many dependencies as various departments were involved and this may affect the implementation of the Bill as it may be difficult for all departments to come to terms with their obligations in the Bill. DOJCD responded that the Bill had three focus areas. The first was cybercrime (Chapters 1 to 9). Subordinate legislation has to be made on these chapters. Some of the subordinate legislation has been drafted while some were in the process of being drafted pending the final adoption of the Bill, one of which was standard operating procedures and extensive regulations that need to be enacted on the malicious communications clauses of the Bill.
The second focus area was capacity building. DOJCD responded that there was current capacity to implement the Bill. This was the first time in South Africa that government would be dealing with cybercrime and cybersecurity comprehensively. The Bill has placed obligations on DOJCD to ensure that capacity was developed.
The third focus area dealt with critical information infrastructure protection and was dependent on identification of critical information infrastructure, as well as issuing directives which would prescribe the means by which critical information infrastructures should implement measures to protect themselves. Some steps have been taken on this pending the finalisation of the Bill. The Bill makes provision for an incremental implementation in the case where it becomes necessary. DOJCD can, in terms of the Bill, put other sections of the Bill into operation if it becomes necessary.
• On the concern about cost implications for electronic communication service providers, DOJCD noted that there would be some cost implications but they would not be significant.
• A comment was made that the Bill threatens digital rights in significant ways. DOJCD responded that although freedom of expression and confidentiality of communications were the primary considerations and users of telecommunications must have a guarantee that their privacy and freedom of expression would be respected, such guarantee cannot be absolute and must yield on occasion to other legitimate imperatives, such as the protection of the rights and freedom of others. The Bill had necessary checks and balances in place to ensure that rights are not infringed upon in an unconstitutional manner.
• A concern was raised that the Bill provided powers to the state to monitor business and private cyber activities. DOJCD responded that the Bill does not in any way authorise the monitoring of any communications. It should be remembered that the RICA legislation was in place to deal strictly with monitoring and interception of communications. Any person or entity that intercepts or monitors communications outside the ambit of RICA would be committing a serious offence.
• The concern that the Bill would impact on other legislation has been dealt with. Other legislation would only relate to the Bill to the extent that such legislation focused on putting in place other measures aimed at protecting persons against cybercrime. DOJCD emphasised that the Bill would not impact on POPIA.
• A concern was raised that the Bill gave the South African Police greater powers to arrest persons. Investigation and arrests were regulated by the Criminal Procedure Act (CPA). In essence, measures have already been put in place to arrest persons that commit cybercrimes. The CPA however has various shortcomings in the investigation of cybercrime. The CPA did not have the necessary safeguards in place to deal with the invasion of privacy during investigations. Although the Bill vetoes this position, it does not give the police additional extraordinary powers of arrest.
• A concern was raised that the Bill should have taken into account new developments on electronic evidence. A report from the South African Law Reform Commission (SALRC) made certain recommendations regarding the reform of digital evidence. The Bill was introduced in Parliament before that report was finalised, and so the proposed recommendations were not taken into account. Currently, the Electronic Communications and Transactions Act (ECTA) deals with electronic evidence. The SALRC report would be taking into account a revision of the ECTA and possibly, the enactment of a comprehensive Bill to deal with digital evidence. This would be considered at a later stage.
• There was a concern that the Bill provided a framework that undermined internet freedom overall and enabled the state to interfere with devices, data and networks. DOJCD’s response was that the main aim of the Bill was to rationalise all current fragmentary cyber offences already on the statute book in a single coherent chapter that would deal with all cybercrimes. Since cybercrimes were already on the statute book, it cannot be regarded as interference as the Bill mainly aims to rationalise existing law.
• On concerns about malicious communications, DOJCD responded that malicious communications has been criminalised on the statute book. To include it in a Bill that specifically deals with cyber offences cannot be seen as an additional interference. Page 16 of the document was referred to listing countries that have put in place specific legislation to deal with malicious communications. All offences in Chapter 2 of the Bill are recognised by most constitutional democracies in the world, as well as various countries in Africa. It was part of the SADC model law. The AU Convention on Cybercrime and Protection of Personal Information proposed that the conduct contained in Chapter 2 of the Bill should be criminalised. DOJCD said that from the perspective of criminalisation and investigation, there was no real infringement of any rights.
• Right2Know (R2K) remarked that the wrong approach has been taken on cybersecurity in South Africa as it was a top-down and state-centric approach. It said that this made cyberspace less secure to ordinary users. DOJCD replied that various states all over the world were prime role players in ensuring that cyberspace was secure. States had the obligation to protect their citizens and sovereignty. Government usually has the necessary resources to call together role players that would deal with aspects of cybersecurity. DOJCD therefore held the view that the approach adopted was not wrong or incorrect.
• Reference was made to three levels of protection against which the Bill has been evaluated. The first category of protection is the protection of information. Commentators held the view that clause 2 of the Bill (that dealt with unlawful access) undermined and overlapped with POPIA. Persons who act contrary to the provisions of POPIA in accessing data would be regarded as criminals by the Bill. Reference was made to the fact that the POPIA already contained measures to deal with the infringement of POPIA.
DOJCD responded that unlawful access or any other cyber offence in Chapter 2 of the Bill should not be equated with non-compliance with the provisions of POPIA. POPIA aimed to protect personal information processed by public and private bodies, such as by introducing certain conditions for the lawful processing of personal information (see pages 17 to 19 of document for further responses). DOJCD's general response on this matter was that POPIA cannot deal with unlawful access of computer systems.
• The second level of protection referred to was the securing of networks. A concern was raised that government may, through the Bill, ensure backdoors into networks to get access to information. DOJCD responded that the Bill cannot in any way authorise the state to resort to such measures. It seemed this concern was made about Chapter 11 of the Bill that deals with the protection of critical information infrastructure. An evaluation of this chapter, along with other provisions of the Bill, would show that no authority or empowerment has been given to the SSA or the state in general to access any information.
• The Information Regulator indicated that the Bill was drafted before the Office of the Information Regulator was established. It said it would like to meet with relevant departments to discuss aspects that may impact on its powers. The discussion would deal with any concerns raised by the Information Regulator.
• R2K submitted that the cybercrime provisions of the Bill should be redrafted to prevent any possible misuse that would enable online censorship or stifle online public participation or infringe on legitimate online activities. This concern has been previously addressed by DOJCD. It reiterated that the aim of the Bill was not to infringe on information and communication rights of citizens.
• The concern raised on the implementation of the NCPF and the powers of the SSA to implement the cybersecurity initiative was addressed (see page 22 of document).
• The Centre for Constitutional Rights (CCR) indicated that the Bill adversely affects certain constitutional rights. To this DOJCD replied that the Bill was in line with international norms and principles, and the perceived infringements were wrong.
• A suggestion was given by Mr Mark Heyink from Information Governance Consultancy, that the Committee should consider whether the state had the necessary skills to mandate the proposed structures in the Bill, as well as general skills available to the state.
DOJCD noted that the general capacity requirement has been addressed. However, one of the structures that should be established by the Bill was the 24/7 point of contact established by the South African Police Service (SAPS). The 24/7 point of contact was aimed at providing international cooperation, as well as to ensure the creation of a central point for the investigation of cybercrime. DOJCD said that SAPS currently made use of the Interpol link to facilitate international cooperation. To an extent, the 24/7 point of contact would help SAPS to develop specific capacity on cyber offences. Current capacity existed to man the 24/7 point of contact. Other structures to be established included the Cyber Response Committee (established in section 53 of the Bill and already functioning); and the cyber hub (established in Chapter 10 of the Bill and already functioning). Currently, there was a government set that dealt with cybersecurity in South Africa, situated in the SSA. DOJCD noted that the current capacity can be used to expand on the current set in state security. There was current capacity to investigate cybercrime.
• Mr Heyink suggested that the Bill should be split into two to deal with cybercrime and cybersecurity separately. In response, DOJCD outlined the necessary building blocks of cybersecurity, and noted that the Bill complied with those building blocks. Splitting the Bill in two would not address all the building blocks of cybersecurity simultaneously, as a part of the Bill can be delayed. Therefore DOJCD said that the Bill should not be split into two.
• Mr Heyink raised a concern that the normal research and consultative process was not followed on the Bill. This was contrary to the view of other commentators on the extensive consultation process that took place.
• Mr Heyink was concerned about the broad wording used in the Bill. DOJCD noted that the Bill was a technical one that cannot be drafted in non-technical terms. A consideration of legislation of other countries shows the use of technical terms. There were specific concepts that must be used in the Bill. DOJCD therefore responded that it was impossible to tone down on the technicality of the wording in the Bill.
• On the concern that the Bill amends various other laws and that unintended consequences may result from such amendment, the schedule of the Bill contains amendments to other Bills, and certain other legislation is repealed. As mentioned earlier, the aim of the Bill was to rationalise all offences and procedures in other Bills into a single Bill. This had been thoroughly done and for this reason, DOJCD responded that no unintended consequences can arise from those amendments.
Ms G Breytenbach (DA) asked for details on the current capacity that existed for the 24/7 point of contact services.
Mr Robbertse replied that the 24/7 point of contact depended on the extent to which it would be implemented. Currently in the Bill, the 24/7 point of contact was a structure that would mainly help to facilitate international cooperation on an extrajudicial basis. Other chapters of the Bill would discuss the importance of affording such powers to the structure. The current capacity was firstly the use of Interpol to deal with international cooperation in cybercrimes. Secondly, there was current capacity in the South African Police that specifically dealt with cybercrime.
Ms Breytenbach sought further clarity on the capacity that existed within SAPS.
Mr Robbertse replied that some investigations were currently carried out by SAPS as there was forensic capacity in the Police to an extent. As previously indicated, this capacity had to be improved upon. Nonetheless, there was some capacity currently in SAPS to deal with cybercrime investigations. Further information can be obtained from SAPS on this.
Ms Breytenbach asked if the SEIAS can be provided to the Committee.
Mr Robbertse said the certificate signed off by DPME was attached to the document but the SEIAS can be made available to MPs.
Mr S Mncwabe (NFP) asked about the involvement and submissions of the SANDF intelligence on the Bill, as cybercrime occurred between states. He therefore wanted to know if national security in relation to international relations has been addressed in the Bill. He asked if the reference to the capacity within SAPS was the Crime Intelligence Unit (CIU) of SAPS, especially because this unit seemed to be more relevant in dealing with cybercrime.
On SANDF involvement in the cyber initiative of South Africa, Mr Robbertse replied that clause 53 of the Bill referred to the fact that SANDF must get the necessary capacity to fulfil the constitutional mandate to defend the Republic of South Africa. The NCPF was a policy document that prescribed what various departments had to do. Specific obligations have been placed on the SANDF to come to terms with cyberwarfare, as well as to obtain and develop the necessary capacity to defend South Africa in cyberspace. This was in line with what obtained currently in other countries throughout the world. Other countries had cyberwarfare and cyber defence policies. All these have been catered for in South Africa’s cybersecurity initiative.
On the investigation of criminal offences and the reference to SAPS Crime Intelligence division to investigate cybercrime, Mr Robbertse replied that it was left to SAPS to decide on the approach for the investigation of cybercrime. SAPS could appoint members at will, as long as cybercrime is investigated regardless of what unit carries out the investigation. However, to address current capacity issues in the investigation of cybercrime, the Bill provides that private persons can be appointed as investigators to assist SAPS. This clause was present in most cyber laws of other countries. It is acknowledged worldwide that one department cannot fully come to terms with the knowledge needed to investigate all kinds of cybercrime, and there would always be a need to involve private persons.
Mr Mncwabe raised a concern on whether the Bill provided requirements to be followed in appointing private persons as cybercrime investigators, particularly the requirement for security checks on such persons.
Mr Robbertse noted that what happens in other countries was that a suitably qualified person would be appointed and certain restrictions were usually placed on what such person can do, access and the information that such person can divulge. Similarly, the police would use the same modus operandi if it appoints persons. It was inherent in cyber forensics for confidentiality to be attached to an investigation. It should be noted that in clause 24 of the Bill, standard operating procedures may be issued to further regulate the investigation of crime. International standard operating procedures address confidentiality. This would be catered for in the standard operating procedure or by means of internal policies.
Mr L Mpumlwana (ANC) was concerned about the appointment of private persons as provided for by the Bill. He asked why such provision existed in the first place, noting that if the police were incapacitated to carry out investigations on cybercrime, training could be conducted to capacitate the police rather than appoint private persons. He asked for details of the countries with which international cooperation has been entered into regarding the Bill.
Mr T Mulaudzi (EFF) referred to the MTN comments on constitutional rights and POPIA. He asked what tests were carried out to ensure that the Bill could not be challenged in terms of the Constitution and POPIA.
He asked who would be responsible for monitoring cyber activities for business and private entities since DOJCD has responded that the Bill did not afford any powers to the state to monitor business activities.
On private persons appointed to assist the police with cybercrime investigation, Mr Robbertse emphasised that such private persons did not have the primary obligation to investigate. The Bill mainly provides that the police must investigate cybercrime but that it may be assisted by persons with the necessary expertise. The problem with cybercrime was that it was impossible for a single person without added expertise to keep abreast of it. The techniques used presently become outdated fast. It was therefore impossible for government to train persons on all aspects of cybercrime and cyber forensics. The police were the responsible party that investigates cybercrime, while the Bill provided that it could be assisted by other persons.
On the rationale for the appointment of private persons in the Bill, Mr Robbertse pointed out that recent Supreme Court of Appeal (SCA) judgments gave effect to the fact that if a warrant was to be issued, such warrant must specifically stipulate that only specific persons mentioned in it must participate in the search and seizure. The Bill gives effect to this by stating that necessary powers are given to the police to appoint investigators. However, such powers were subject to the control of the police, and the use of such investigators must be authorised by the search warrant. It could therefore be seen that the inclusion of this provision and recognition of the use of such investigators in the Bill was necessary.
Mr Mpumlwana asked if it was not generally accepted that the police could request persons to assist with investigations at any given time, and why such request was specifically stated in the Bill.
Mr Robbertse restated that a recent SCA judgment outlined the persons that can assist with investigations and that such persons must be specifically mentioned. Although the CPA contains a provision to the effect that SAPS may request persons to assist with investigations, it was still necessary to indicate who an investigator was in terms of the Bill, and to explain that such person must have the necessary expertise to assist SAPS with investigations. Such investigator must be a qualified person.
Mr Mncwabe raised a concern about the appointment of private persons to assist SAPS with investigations. His concern was that this may lead to SAPS not attaining the level of training or special skills needed for investigations, as this kind of investigation may end up being outsourced to independent experts. The provision for the appointment of persons may therefore have an adverse effect in enhancing the incapacitation of the police to investigate cybercrime.
Mr Mncwabe was concerned about qualified private investigators operating in the country but who were foreign-owned. In such cases, the agreement regarding confidentiality has to be done away with, especially since no control can be exerted on such person once he returns to his country. This was a critical type of investigation that could only be submitted to SAPS. It would be better to train the police on the investigation of cybercrime, rather than outsourcing such services and including this provision in the Bill. He cited the example of a certain private investigator that destabilises SAPS sometimes, by investigating every SAPS commander and he had more than five passports. This on its own was a threat to the country as the person could not be controlled.
Ms Breytenbach said the Committee should be careful in saying that the use of outside assistance for the police in investigating cybercrime should be done away with. This was because there could be many matters requiring investigation at the same time, and it took a lot of human resources to investigate. The police cyber unit was historically not very large, and a need could arise for more than six people to carry out investigation per site. The inability to investigate sites simultaneously had its own negative effect. It would be better to set out requirements for who the private investigators should be rather than exclude the use of private persons totally as this would damage the ability of the police to effectively investigate cybercrime.
Mr Mpumlwana said the issue was not that the police should not be assisted by other persons. The issue was the rationale for the inclusion of such a provision in the Bill.
Ms Pillay proposed that this be flagged as there were some very critical policy issues for private persons getting involved in investigations, security of information, capacity building within the police and so on. Further proposals may come from the Committee on this. These proposals would be dealt with after the DOJCD engagement with SAPS and further research has been carried out.
On the proposal to split the Bill in two, Ms M Mothapo (ANC) asked that cybercrime and cybersecurity be clearly defined in the Bill to address the confusion that existed. On benchmarking, she asked what countries regionally or continentally could assist in shedding light on the matter.
Mr M Maila (ANC) referred to the DOJCD response to the Legal Aid SA comment about the Bill threatening digital rights and lacking important checks and balances. He noted that DOJCD did not deny that the Bill threatened digital rights; instead it alluded to the rights not being infringed in an unconstitutional manner, which meant that an element of infringement existed. DOJCD had replied that the necessary checks and balances were in place. He asked if there were indeed the necessary checks and balances.
Ms C Pilane-Majeke (ANC) was interested in DOJCD’s response to the South African Communications Forum (SACF) on the Bill having a limited cost. She asked what the limited cost implication of the Bill was.
Mr Robbertse replied that the cybercrime part of the Bill did not require any real costs for businesses. The only real cost implications resulting from investigating cybercrime were certain orders for the preservation of data. Other than this, there were no real cost implications for carrying out such investigations. Most electronic communication service providers were currently RICA compliant and they had extensive obligations to deal with the storing of data and other obligations. The provisions of the Bill do not impose additional costs in a case where service providers are involved.
However, the cybersecurity part of the Bill which dealt with critical information infrastructure required certain measures to be put in place to protect data and networks against infringements. This may result in cost implications for that infrastructure. This has been addressed comprehensively in Chapter 11 of the Bill. Most of the big service providers have already implemented the necessary measures to ensure that their systems and data are secured. Imposing additional measures on these service providers would require that such measures were in line with international standards. It was high time South Africa came to terms with cybersecurity, especially as the citizenry suffer from under-protected systems. Nonetheless, cost implications that may result from this would be authorised in the interest of the public.
On the Bill affecting digital rights adversely and lacking necessary checks and balances, Mr Robbertse replied that there was a five-page discussion that dealt with the extent to which infringements were authorised under a constitutional dispensation. The cybercrimes in Chapter 2 infringed on privacy or digital rights to an extent, but it was necessary to criminalise that type of conduct. The same argument can be made for malicious communications but it was necessary to address digital communications or criminalise certain reprehensible conduct in cyberspace. Although this was infringement, it was a lawful one under the Constitution.
This is further discussed under search and seizure. In terms of the constitutional issues that relate to search and seizure and how the Bill addresses those in Chapter 5, Mr Robbertse pointed out that judicial authorisation was usually a requirement before a search and seizure can take place. Also, judicial authorisation was required before any data or information could be accessed. Although Chapter 5 followed the same trend of lawful infringements necessary for the investigation of crimes, it required that judicial authorisations be obtained. The necessary checks and balances would be discussed further in greater detail.
On constitutional rights and POPIA, Mr Robbertse pointed out that the intention was to have a POPIA aimed at protecting the privacy of personal information on the one hand, and on the other hand, to get criminal assistance to authorise that certain personal information must be made available to the state to investigate crimes. Public interest overrides POPIA on this. The right to privacy was not one that could not be limited by other rights.
The Chairperson said that the Committee should accept the complexity of the Bill, which may require inputs by other departments. Hence, answers to all the issues should not be expected now. The important thing was for all critical questions to be raised and be followed up until the Committee is satisfied.
On benchmarking, Ms Pillay replied that South Africa has signed the AU Convention but was yet to ratify it. Plans were ongoing to have a global convention and the Department of International Relations and Cooperation (DIRCO) was engaged in that process. However, no other regional convention existed at this time.
On having two separate Bills, and to properly define cybercrime and cybersecurity, Ms Pillay replied that DOJCD was of the view that cybercrime and cybersecurity were closely linked to each other and should be in one single Bill. It did not see any conflict arising from placing both in one Bill. International precedent existed for the two to be dealt with in the fashion that DOJCD had adopted.
Ms Mothapo clarified that her request was for the two terms, cybercrime and cybersecurity, to be clearly defined in the definition section of the Bill for a better understanding by the public.
Mr Robbertse replied that considering cybersecurity from an academic point of view showed that it encompasses all necessary things to ensure that systems and users of communication systems were secured against unauthorised interference. Cybercrime was part of cybersecurity. In other words, cybercrime was a subpart of cybersecurity. It was difficult to get a comprehensive definition that clearly differentiates between cybercrime and cybersecurity.
Ms Pilane-Majeke asked if the Bill provided for the interception of communications or information and how this would be dealt with.
Mr Robbertse replied that clause 38 of the Bill provided for the interception of communications, stating that the interception of communications can only take place in terms of RICA. Procedures stipulated in Chapter 5 cannot be used to obtain indirect communications or communication related information on an ongoing basis. Doing this would contravene RICA. Hence the provision of clause 38 uses RICA to intercept communications. The criminalising provision of RICA was in section 45 while penalties were prescribed in section 55 of RICA. Receiving information without proper authorisation was an offence punishable by RICA. Penalties began from ten-year sentences upward and fines were in the millions. Therefore, interception of communications was criminalised not in the Bill but outside the Bill through RICA.
Ms Pillay added that the interception of communications was dealt with extensively in the rest of the document because of the interplay that existed between this issue and the Bill.
Ms Pilane-Majeke asked how interception of communications was dealt with in the Bill.
Ms Pillay replied that the purpose of the Bill was not to deal with interception of communications as this was primarily dealt with in RICA.
Ms Christine Silkstone, Committee Content Advisor, asked the extent to which the Critical Infrastructure Bill had been considered and how it impacts on the Cybercrimes and Cybersecurity Bill.
Mr Robbertse replied that the Critical Infrastructure Bill (CIB) drafted by SAPS has been introduced in Parliament. The Bill dealt with the protection of information infrastructure. DOJCD looked into the Bill, consulted with the drafters of the Bill and was involved in the drafting of the Bill to an extent. There was, however, a clear difference between the Bill and the Cybercrimes and Cybersecurity Bill (CCB). The CCB was aimed at securing mainly communication systems and data, while the CIB dealt with physical infrastructure such as buildings, places and installations. However, the CIB contained a clause that stipulates requirements for the South African Police to declare a critical infrastructure which should be dealt with in terms of the CIB or the CCB, and that the relevant ministers should be consulted to decide under what Bill the matter would be addressed.
Chapter 1 Definitions
• ‘access’ – a concern was raised about the broad wording of ‘without limitation’ in the definition. Mr Robbertse clarified that the definition of ‘access’ related to Chapter 5 that prescribed one of the powers of the police to access articles that need to be investigated. DOJCD’s response was that it was necessary to set out wide powers in legislation that empower the investigation of cybercrime. The use of the phrase cannot be changed. There is however a proposed amendment to the section which would be discussed when the Bill is revised.
• ‘article’ – a concern was raised about the use of the word ‘article’. Although this was usually not an acceptable drafting style, it has been done in the past. DOJCD acknowledged this and proposed linguistic corrections (see page 34 of document).
Legal Aid SA had a concern about the definition as well (see page 35). To this DOJCD responded that the Bill tried to stay as close as possible to the CPA in the investigation of cybercrime. The same wording contained in section 20(b) of the CPA was used.
MTN said that the definition of ‘article’ that refers to data, computer, program, computer data storage medium or computer system was not in line with international best practice. DOJCD replied that the definition was in line with international benchmarks. The five categories of objects stipulated in the definition constituted the essentials against which cybercrime was committed or which were used in committing cybercrime.
South African Human Rights Commission (SAHRC) raised a concern on the definition in relation to how privacy could be infringed on. Mr Robbertse pointed out that judicial authority was usually necessary before privacy can be infringed or any other right in terms of the Bill. He referred to recent judgments by the courts on such procedures. It indicated that search and seizure were aligned with the provisions of the CPA and additional safeguards existed to deal with possible infringement of privacy.
• ‘computer’ – service providers raised a concern that computers were no longer the usual computers. The service providers asked if the definition of ‘computer’ was wide enough to cater for other devices or programs that simulate the functions of a computer. They raised a concern that the definition should be wide enough to cater for smart phones and tablets that function as computers.
A similar concern was raised by Deloitte on the possible exclusion of new inventions or technologies in the definition of computer.
DOJCD responded that the definition was wide enough and caters for new technologies, as well as virtualisation of computer functions. The definition captured all programmable devices used and considered to be computers. However, it proposed an amendment to the definition (see page 40).
MTN raised a concern that the definition of computer to include devices that are related to, connected or used with a computer, was not in line with international best practice. DOJCD replied that in some instances, computer devices comprised of peripherals that were extremely closely associated. During the consultation process on the Bill, DOJCD received many requests for the expansion of the definition. It believed that the proposed amendment would cater for all devices.
• ‘computer storage device’ – There was a concern that computer storage device location should be included. DOJCD pointed out that the international benchmark for this definition varied from country to country but it was generally recognised that it must be a medium on which data is stored. Cloud computing influences the definition of a computer system where various servers were available to distribute information and a cloud of information would be made available to persons that can access it. DOJCD agreed that it was necessary to include location in the definition.
• ‘electronic communications identity number’ – A new definition was proposed by Banking Association of South Africa (BASA). DOJCD agreed and admitted that the exclusion of the definition was an oversight. A definition was therefore proposed (see page 43).
• ‘electronic communications service provider’ – All Rise gave extensive comments on malicious communications and requested that persons that render social media services should be included in this definition and that the current definition restricted this to only electronic communication service providers to which a licence has been issued. DOJCD responded that it was not necessary to expand on the definition since the clauses that deal with malicious communications in Chapter 3 of the Bill do expand further to include persons that render blogging services, etc.
• ‘financial institution’ – The Minister of Finance requested that the definition should be amended as a result of the Financial Sector Regulation Act (FSRA) that was recently enacted. DOJCD agreed with the comment and proposed an amendment to the definition (see page 44).
• ‘National Strategic Intelligence Act’ – A proposal was received for a definition of that Act as references were made to the Act in the Bill. DOJCD agreed with the proposal and proposed the insertion of a definition for the Act in the Bill (see page 45).
• ‘output of data’ – This definition related to the offence in clause 2 of the Bill that dealt with unlawful access. MTN said that the definition was not comprehensive enough and that the definition was based on foreign legislation. The concern was raised that ‘output of data’ in this context did not need any further definition since it relates to the manner in which data can be displayed or obtained. DOJCD was of the opinion that the definition did not need an amendment.
• ‘person’ – BASA suggested that the definition should be expanded to include the state. DOJCD responded that this was not necessary.
• ‘public available data’ – DOJCD agreed with the correction and has effected an amendment on this.
• ‘seize’ – A similar contextual proposed amendment was made (see page 46).
• ‘traffic data’ – A concern was that this was being broadly defined and not in line with international best practice. DOJCD responded that the definition was in line with international best practice (see page 46).
• There was a general concern around the absence of a definition for ‘cybercrimes’ in the Bill. DOJCD responded that no general accepted definition existed for cybercrimes. Setting a definition for cybercrimes might lead to interpretational problems.
Chapter 2 Cybercrimes
• The first concern was that the Bill did not recognise the use of digital tracking and analytical software used for commercial purposes, and that this may be criminalised by the Bill. DOJCD responded that the Bill does not criminalise the use of analytical software. However, analytical software can be used outside the aims and purposes for which they are used and in the event that the use of such software contravenes the provisions of the Act, it would amount to cybercrime.
• SACF noted that the Bill failed to deal with identity theft and phishing offences. DOJCD was of the view that it was unnecessary to criminalise phishing in the Bill, as there were other offences criminalised in the Bill such as forgery, uttering and computer related fraud that adequately deal with phishing. Identity theft had been included in the Bill that was originally developed. Service providers have raised this concern as there was a recent scare when personal information of between 33 and 66 million South Africans was made publicly available. Identity theft was therefore a possible issue that could be included in the Bill.
• Another concern was raised about POPIA and DOJCD reiterated that POPIA was not relevant in criminal investigations. It cannot adequately address the crimes contained in Chapter 2 of the Bill.
• There was a suggestion that the Bill needed to deal with offences relating to personal and financial information. Currently, in terms of POPIA, the mere enquiry of personal information may be classified as an administrative offence if a person was under obligation to deal with personal information. However, hackers were not subject to POPIA and there was nothing that criminalised conduct in cyberspace except section 105 or 106 which deals with account number and not other personal information that may be involved.
• Service providers have proposed that a clause be inserted in the Bill to state that they would not be criminally liable for offences committed on the system. DOJCD responded that it was unnecessary to include such clause in the Bill.
• Michalsons Attorneys referred to the wrong use of ‘unlawfulness’ and that it was tautology to refer to unlawfulness in a proscription that made it seem unlawful in itself. DOJCD explained that excluding the term ‘unlawfulness’ from the Bill would lead to the court reading the requirements of unlawfulness (reference was made to the State v Selebi – see page 52). Unlawfulness did not translate to criminalisation or proscription in the act. Instead, it meant the absence of any possible ground of justification for the act. Unlawfulness played an important role with regard to intention. When offences are committed, it was necessary to appreciate the wrongfulness or unlawfulness of the offence committed, hence the need for the requirement of unlawfulness.
• A concern was raised around the broadness of offences, particularly in clauses 2, 3, 5 and 7 of the Bill. It was pointed out that certain elements of the offences were similar. DOJCD responded that the offences were clearly defined and were substantially in line with legislation of other countries and the offences were not vague or overly broad. It was important for cyber legislation to be in line with international benchmarks as this would facilitate the interpretation of the Bill in South Africa, as well as facilitate international cooperation.
• Ms Zoelpha Carr raised the use of biometric images as a security tool, and asked if this was criminalised. DOJCD responded that it was criminalised in clause 7(1) and (2) of the Bill that dealt with password related matters and offences.
• A concern was raised on how the intention element was dealt with in the Bill, with reference to clauses 2 to 7 and clauses 8 to 10 of the Bill that deal with cyber fraud, forgery and uttering (see page 55), with the latter approach being the preferred one. DOJCD responded that this was unnecessary. Even while dealing with fraud, there was always a kind of double intention to the effect that persons must have the intention to commit an offence and the other intention would be the subjective/objective one to defraud another person. DOJCD therefore said that it was unnecessary to include such a double intention element in those clauses.
• On the comment that the Bill dealt with other cyber related criminal activities in the statute book, DOJCD explained that all other related laws have been repealed.
• The absence of the public interest defence in the Bill was commented on. This was specifically in clauses 2 and 3 that dealt with unlawful access and overcoming security measures to obtain data unlawfully. Reference was made to the fact that journalists may be held accountable for obtaining information illegally. DOJCD referred to various cases in South Africa that deal with journalists and the extent of entitlement to information (see page 56). The crux of the judgments was to the effect that journalists were not entitled to special protection. The Bill could, therefore, not provide for special protection of journalists. The public interest defence cannot be dealt with in the Bill. It can probably be dealt with outside the Bill but DOJCD was of the view that this was unlikely to happen since various circumstances need to be taken into account.
• Telkom, Vodacom and Cell C recognised that the offence of unlawful access was in line with the international position, but they suggested that the offence should be amended to align with the Budapest Convention. DOJCD drafted an amendment to give effect to this (see page 58).
• Deloitte noted that the element of negligence was not addressed in the Bill and said that negligent access should be criminalised. DOJCD responded that the Bill aimed only to criminalise intentional conduct. Negligence as an appropriate form of intent was rarely criminalised in criminal law in South Africa. Direct intent should be applicable for general purposes.
• A concern was raised by SAHRC on the use of ‘intentionally’ in clause 2(1) having adverse consequences on whistle blowers and journalists. DOJCD’s response was that journalists were generally not entitled to protection and whistleblowers were protected to the extent provided for in the Protected Disclosures Act.
• Internet Solutions (IS) referred to the broadness of the offence of unlawful access and remarked that the use of the word ‘securing’ in clause 2 may be interpreted to mean ‘to safeguard or to protect’. According to IS, the clause was drafted too broadly or incoherently. DOJCD replied that the word ‘securing’ cannot be interpreted to mean the act of making safe or protecting a computer system. The word is used here to mean a time when a person has control or access or can do something relating to data, computer or computer systems. The offence in that clause was based on the UK Computer Misuse Act.
• It was remarked that clause 2 lacked the essential criminal elements to make it an offence. DOJCD disagreed and suggested that the commentator overlooked one of the essential ingredients of unauthorised access.
• A comment was made that the clause should ensure that harm or damage is committed. DOJCD replied that the harm that the offence intends to address was the mere accessing of a computer system without authorisation, which was similar to house breaking.
• It was remarked that other legislation required that access should be temporary or permanent. DOJCD replied that it was unnecessary to specify this in the Bill, as the mere access was the offence.
• It was recommended that the clause be deleted since unauthorised access has been criminalised elsewhere. DOJCD disagreed with this and stated that the offences in clauses 3, 4, 5 and 6 dealt with other aspects of cybercrime while clause 2 contained the first essential offence that was criminalised.
• MNet said that the Bill did not define what constitutes unlawfulness. DOJCD noted that various submissions have been made on this. It reiterated that unlawfulness cannot be defined for the purposes of the Bill as there were no limited number of offences that may exclude unlawfulness under South African law.
• MNet referred to software for market purposes, as well as other software that may be used to investigate cybercrime. It said there was the need to link unlawful access of data and other offences to a specific intention to commit a serious offence. DOJCD responded that creating this link was unnecessary. MNet referred to the Australian Cybercrime Act. DOJCD clarified that the Australian legislation made provision for the serious offence of access.
• Freedom of Religion remarked that clause 2 may have unintended consequences for ordinary internet users who through ignorance mishandle other people’s data. DOJCD’s response was that ordinary internet users have access to publicly available data and access was only prohibited in clause 2 to non-publicly available data. In any case, the offence of access was usually committed by technical means which meant that certain software or hardware would be used to overcome restriction measures. On the concern of ignorance, DOJCD noted that the intent requirement in the Bill was direct intention and negligence was not criminalised.
• A comment was made that the offence in clause 3(1) should be brought in line with the international position that criminalises the interception of communications from or within a computer system. DOJCD agreed with this and proposed an amendment (see page 64).
• A concern was raised on the Bill’s failure to define ‘satisfactory exculpatory account of possession’, which may lead to undue arrests until the courts interpret the expression. DOJCD’s response was that the offence of possession of data would be interpreted in accordance with legal precedents developed on the interpretation of section 36 of the General Law Amendment Act that creates a similar offence (see page 65).
• Michalsons Attorneys was concerned about the reverse onuses creating a situation where the accused could be convicted in situations where reasonable doubt existed and that where probability existed, a breach of presumption of innocence would take place. DOJCD referred to clause 3(3) as a response to this concern. It noted that during the extensive consultation process on the Bill, the team of experts dealt with the reverse onuses and DOJCD held the view that this has been sufficiently dealt with.
• SAHRC commented on the requirement of inability to give satisfactory exculpatory account. It raised a concern that the offence may involve an element of subjectivity in evaluating whether the account was satisfactory. DOJCD replied that it has already explained the rationale for the lack of definition of the expression and reference was made to case law that existed on this (see page 67).
• On the criminalisation of anyone that knowingly, unlawfully and intentionally possesses data which was acquired unlawfully, Internet Solutions remarked that it was imperative for government to take necessary measures to protect sensitive information stored in computer systems, considering the value of sensitive information. It said that the clause was drafted in a manner that failed to provide for a public interest defence. Further submissions made on this were highlighted (see page 68).
In response, DOJCD noted that the issue of journalists has been dealt with around public interest defence.
• Service providers noted that the offence in this clause criminalised the tools used in committing cybercrimes. It was recommended that training should be given to law enforcement to ensure that they are cognisant of the fact that the clause can only be contravened when specific intent was present such as use of tools with intention to commit an offence. DOJCD took note of this submission.
• Mr Eatwell said the state must prove that the tools were used for unlawful purposes. DOJCD responded that the clause specifically ensures that tools are criminalised if used to commit a cyber offence.
• Internet Solutions expressed its disagreement with the criminalisation of the tools and recommended that the tools be criminalised only during the commission of an offence. DOJCD already discussed this and suggestions have been made to give effect to this recommendation.
• Open Democracy Advice Centre (ODAC) noted that these tools were needed by IT specialists to ensure that networks were protected against vulnerabilities. It was noted that the clause criminalises various conduct using such tools if used to commit an offence. A concern was raised that the clause may criminalise the conduct of cyber experts. DOJCD has addressed this concern (see page 69).
• MNet raised a concern that the tools used for marketing purposes may be criminalised. DOJCD replied that the tools would not be criminalised if they are not used to commit an offence.
• MNet raised a concern that the current focus of the Bill only related to computer networks. The ECTA legislation contained a provision that may have aided copyright infringement but this clause has been repealed by the Bill and has been substituted with the clause on the use of tools to commit an offence. The concern raised was that the Bill should undo the measure that was previously used to successfully prosecute persons that overcame security measures in respect of copyright measures. DOJCD responded that it should be dealt with in the Copyright legislation and not this Bill.
DOJCD proposed an amendment to clause 4 (see page 72) where the use or possession of tools to commit any offence was criminalised.
• Internet Solutions proposed that the clause should include intention to cause harm. DOJCD responded that this would not be necessary due to the fact that reference to harm in this clause referred to interference with data or a computer system, and no additional harm was required.
• Generally, this clause was supported by service providers but MTN was concerned that this offence may criminalise interference in the ordinary course of system maintenance, upgrades and testing. DOJCD disagreed with this concern.
• Internet Solutions proposed that conduct should only be criminalised if it causes serious impairment. DOJCD responded that this was unnecessary as the principle of de minimis non curat lex already applied in South African law. The principle ensured that certain insignificant contraventions were not criminalised.
• A concern was raised about the lack of clarity on what constitutes unlawful interference in respect of system upgrades. DOJCD responded accordingly (see page 74).
• Western Cape raised a technical concern about what constituted passwords or access codes. DOJCD explained that it was not necessary to amend the clause to accommodate the concern since it was merely a prescription of the various types of conduct that can take place in respect of passwords or access codes.
• A concern was raised by service providers on the use of ‘satisfactory exculpatory account of possession’. This had been previously addressed by DOJCD.
• Western Cape commented on the phrase ‘passes off’. DOJCD responded that it was in line with the current definition of forgery and uttering in South African law (see page 76).
• On the concern about the definition of cyber extortion, DOJCD clarified that cyber extortion currently differed from the elements of extortion in South African law and it mainly relates to the requirement of common law that was dealt with in a different manner in its criminalisation (see page 77).
• Service providers indicated a need for the criminalisation of aggravated offences. DOJCD proposed certain amendments to the clause (see page 78).
• Western Cape made a remark on the use of ‘incorporeal’. DOJCD agreed with the comment and proposed an amendment (see page 79).
• A concern was raised that the penalties might be too lenient but DOJCD replied that the penalties were adequate.
• Telkom expected the Bill to specify maximum penalties in order to act as a deterrent. DOJCD responded that the clause prescribed maximum penalties but no monetary fines were provided due to the incorporation of the Adjustment of Fines Act that provided that courts could impose a fine as long as years of imprisonment could be imposed by the courts.
• Service providers referred to the offence in clause 18 of the Bill and remarked that it should attract equal punishment to other offences in relation to which such participation was committed. DOJCD responded that clause 12 already provided for this and it was not necessary to insert it in clause 14.
• Mr Jamie Band raised a concern about the harshness of the sentences prescribed for teenage hackers. DOJCD noted that this had been taken into account. In the schedule to the Bill, an amendment was made to the Child Justice Act to the effect that other sentencing options were available for cases where persons under the age of 18 were involved in the commission of an offence.
Mr Band remarked that hacking had been dealt with in clause 2(1) and there was no need for a separate offence as in clause 11 of the Bill that dealt with aggravated offences. DOJCD responded that the offence in clause 11 was a specific offence that affected certain critical objectives that needed enhanced protection.
• A concern was raised about attorney and litigation fees incurred by a business if certain information was unlawfully obtained from the business. The commentator referred to the various adverse effects. DOJCD replied that the resultant damage caused by any crime was taken into account during the imposition of a sentence.
• SAHRC proposed that mitigating factors should specifically be included in clause 14. DOJCD did not deem this necessary, as sentencing guidelines were extensively being developed by South African courts, and extenuating circumstances and mitigating factors were part of the process.
The Chairperson said that DOJCD would continue with its responses to comments at the next meeting.
He went on to inform Members of an invitation to attend a symposium on land, heritage and human rights at the University of Johannesburg on 15 November 2017. The invitation was from Prof Quinton Johnson, the campus principal of Nelson Mandela University and the symposium would address the critical question of land claims and the attendant delays and problems.
Members consented to honouring the invitation.
The meeting was adjourned.