The Department of Justice and Constitutional Development (DJCD) continued with the comments received on the Cybercrimes and Cybersecurity Bill, and the responses by the Department to those comments. This section focused on chapters 6-9 to that dealt with mutual legal assistance establishment of 24/7 point of contact, evidence and obligations on electronic communications service providers and financial institutions.
Questions and issues raised by Members of the Committee centred on the issue of mutual legal assistance; the constitutional challenge around the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) as iit impacted the Bill , particularly in relation to clause 38 of the Bill.
Members also asked on the applicability of clause 39 of the Bill to internet cafés; how the Bill would impact the grassroots; reasons behind the conditionality of the application of clause 39 to internet cafés; whether or not the delivery of justice should be subjected to the question of cost; how the Bill would allay the fears raised by service providers on the preservation of data that may bring about additional cost implications.
The Committee asked the Department to provide clarity on the extension of powers of the police in clauses 40 and 41 to approach a magistrate; the possibility of police abusing the seizure of publicly available data; clarity on the internet service providers association (ISPA), and its member-components.
Members focused on whether or not access to information can be declined, the difference between internet service providers and electronic communication service providers; clarification on how the court would be able to determine the qualification of experts; and clarification on how the South African Police Service (SAPS) would determine offences to be reported to it in terms of clause 52 of the Bill.
In addition, some members wanted to know whether or not the fine imposed for reporting would apply for every instance of failure to report or only for a period of noncompliance to reporting obligations by service providers; and explanation on section 10 of the South African Reserve Bank (SARB) Act in relation to clause 51 of the Bill.
The Chairperson welcomed the team from the Department of Justice and Constitutional Development (DJCD) and Mr M Buthelezi IFP who was representing Prof C Msimang (IFP).
He went on to inform Members of a letter from the Open Democracy Advise Centre (ODAC) stating that the questions posted by the Centre had not been responded to. However, there was no indication of which questions ODAC was referring to. It was decided that the Committee would ask ODAC to specify the exact questions being referred to and that will be referred to the Department for further clarifications.
Ms C Pilane-Majeke (ANC) was concerned about the possibility of having to entertain other organisations who have issues with the way their submissions were addressed. It was not necessary for the Committee to revert back to the questions being referred to by ODAC.
The Chairperson said civil society had the right to be heard and the Committee had a duty to ensure this was done.
Ms G Breytenbach (DA) agreed with the Chairperson.
Responses by DJCD on the Cybercrime and Cybersecurity Bill
Kalayvani Pillay, Deputy-Director-general, DJCD, gave a recap of where the Department stopped with its responses to submissions on the Cybercrime and Cybersecurity Bill.
Mr Sarel Robbertse, State Law Adviser, DJCD, began with clause 38 of the Bill that focused on the demarcation of the RICA legislation that dealt with interception vis a vis the Cybercrime Bill.
Clause 38 (1) provided that indirect communications can only be intercepted in terms of the RICA legislation while sub-section (2) provided that call-related information on an ongoing basis must be intercepted in terms of the RICA. Subsection 3 contained a clause that provided that certain service providers should comply with certain orders that can be given by the designated judge, one of which was to retain call-related information in RICA terms. This would include archive communication related information. Based on the RICA directives that were issued in section 32 of RICA, obligations have already been placed on service providers to be fully interceptable and store communication related information. However, based on the RICA directives, internet service providers were only obliged to intercept communications and not store communication related information.
Clause 38 was primarily aimed at addressing the law that ensured that communication/information over the internet was recorded and stored if it did not amount to indirect communication and core-related information.
The concern raised by service providers was, that the clause was not necessary since information could be obtained in terms of RICA and placed at the disposal of law enforcement agencies
The Department responded that service providers must adhere to the RICA obligations. The Bill did not provide for additional interception capabilities. Clause 38 was specifically inserted to ensure that the Bill could not be used to obtain information recorded and stored by cellular operators through search and seizures.
Service providers also complained about a possible duplication of costs.
The Department replied that no duplicate costs would be incurred if a service provider was RICA compliant. Internet service providers on the other hand, can proceed to institute clause 38(3) of the Bill or enforce the obligations in terms of the RICA directives.
It had been previously discussed that in terms of clause 37 of the Bill prohibited the divulging of any information. However, there were exceptions where such information could be divulged, especially in instances where certain measures have to be implemented within an electronic communications service provider.
Service providers requested that certain prescripts currently enacted in line with the RICA directives to regulate the storing of information should be made applicable to the section. Reference was also made to clause 46 of the Bill. It was pointed out that the Bill placed obligations on financial institutions and persons to intercept information contrary to the RICA directives.
The Department’s response was that service providers that were RICA compliant should adhere to their obligations. On the reference to clause 46 (6) of the Bill which gave effect to the fact that the RICA judge can impose obligations on service providers to obtain the result of interception of indirect communications, the Department said obligations have been placed on service providers to intercept communications based on the RICA directives but they were not expected to retain the results of such interception. The RICA directives provided for instances where such results of interception of indirect communication may be recorded and stored.
R2K raised certain criticisms against the RICA. The Department would not be discussing aspects that related to RICA in the Bill, because RICA was subject to a constitutional challenge and the Department was waiting for the outcome. Although there was a constitutional challenge, the Department was certain that the outcome of the challenge would not affect the Bill.
The Chairperson sought clarity on whether Parliament could pass a Bill, regardless of the existence of a constitutional challenge and on the basis of the Department’s promise that the outcome of a constitutional challenge would not affect the Bill.
Mr Robbertse replied that clause 38 kept RICA and the Bill apart. RICA interceptions had to be done separately from the Bill. The Bill would mainly provide for search and seizures. Therefore, the outcome of the court would not affect the Bill.
The Chairperson was concerned about the fact that the submission of the Department on the matter was still subject to the court’s decision on the matter.
Mr Robbertse said the only other option would be to take out clause 38 from the Bill.
Ms M Mothapo (ANC) said clause 38 created a serious challenge, especially when read in conjunction with RICA. The issue of mutual legal assistance also posed a challenge. Concerns were raised on clause 38 during the submissions and the Committee was unaware of the existence of a constitutional challenge in connection with RICA.
The Chairperson said the issues around clause 38 needed to be addressed. The Committee could not second guess the court decision as the court had the legitimate authority to give a position on the matter.
Ms Breytenbach asked Mr Robbertse to elaborate on the constitutional challenge in question.
Mr Robbertse said tapers had been filed and the constitutional challenge related to aspects such as notifications, access to courts, as well as certain procedures in terms of the approval of a RICA directive by the designated judge. The appointment of the office of the designated judge has been challenged, and the applicants have conceded in their submission that RICA was necessary. However, a few aspects of RICA have been specifically challenged. The case was pending in the Pretoria High Court. The Department was yet to file its final affidavit and it may take some time before the case was finalised.
The Chairperson asked if the Department expected the Committee to finalise the matter before it was finalised in court. He also referred to the law of interpretation that says the Statute should be read as a whole in order to derive the full meaning. He wondered how the meaning of the clause would be derived in full based on the circumstances on ground.
Mr Robbertse replied that there was an option to take out clause 38 from the Bill in order to ensure that no reference would be made to the RICA in the Bill except in the Schedule to the Bill where the ambit of the Bill was extended in terms of what can be subject to interception in certain circumstances. He however, advised the Committee not to go the route of removing clause 38 totally out of the Bill, as clause 38 was a safeguard on the one hand and the search and seizure provisions of the Bill cannot be used to obtain indirect communications or communication related information available to service providers. The latter served as the main reason behind the formulation of clause 38, which was to demarcate the operations of the RICA vis a vis the Bill.
Ms Breytenbach said that removing clauses from the Bill would result in having a Bill separate from what was advertised for public comments and the Committee would have to go through the entire process of advertising the Bill for public comments all over again. However, it would be irresponsible of the Committee to skip a clause requiring urgent attention in order to just move on with the rest of the process on the Bill. It was necessary for the Committee to have the details of the constitutional challenge in order to have a better understanding of the matter at hand.
Ms Mothapo expressed concern on the way the Department had warned the Committee not to remove clause 38 from the Bill, rather than plead with the Committee to accept the suggestion.
The Chairperson said the use of English must have been the problem in expressing the suggestion.
Ms Pilane-Majeke suggested that rather than doing away with an entire clause, reference could be made to the RICA only in relation to the amended provisions of RICA.
The Chairperson asked if the Department was in a hurry to finalise the Bill because there were constitutional matters that needed to be settled first and the Committee should not operate on the belief that the Constitutional Court would agree with the Committee.
Ms Pillay said that the Department introduced the Bill a while ago but it was in the hands of the Committee as far as the deliberations on the Bill were concerned. However, the Department would like the Committee to engage on all issues arising from the Bill, particularly the issues around constitutionality. She agreed with Ms Pilane-Majeke’s proposal as a way forward on clause 38. As for the constitutional challenge, she reiterated that the Bill had no effect on the provisions of RICA whatsoever. The constitutional challenge would be decided on merit and become applicable to the Bill.
Mr G Skosana (ANC) sought clarity on whether it would be advantageous or a positive step to do away with clause 38 in the Bill as suggested by Mr Robbertse. He wanted to know what the actual stance of the Department was on clause 38.
Ms Pillay replied that the Department’s proposal was not for the clause to be done away with, because taking out the clause would affect the application of the Bill.
The Chairperson said the Committee could not finalise the Bill until the court had decided on the said constitutional challenge.
The Centre for Constitutional Rights (CCR) raised a concern around clause 38(1) of the Bill noting that interception orders should only be granted in relation to data. Reference was made to the definition of data. It was also pointed out that it was unclear if the reference to data in the entire Bill was the same as the interception of indirect communications.
To the latter, the Department submitted that this was not the same. It was important to note that the interception of indirect communications in terms of RICA referred to communications that took place over a telecommunication line or over a communication system. Although reference was made to data in the definition provided in the RICA, the Bill did not deal with indirect communication still. As explained earlier, clause 38 ensured that RICA was dealt with separately from the Bill and no communications could be intercepted in terms of the Bill.
CCR also indicated that the definition of ‘serious offence’ in the RICA included terrorism and other serious offences. The Schedule to the Bill on the other hand, included certain cyber offences such as cyber fraud, cyber forgery, uttering, and cyber extortion as aggravated offences. CCR proposed that the ambit of the RICA should be extended.
The Department noted that the offences listed in Schedule 1 of the RICA included the offence for which imprisonment for a period of five years can be imposed without the option of a fine. Although cyber offences have been included in the Schedule to the RICA, the commentator did not refer to the fact that it was only offences involving an amount of R200 000 or more that was included in the offences. In other words, these offences were relatively serious and based on the use of the RICA threshold, it was submitted that most of the offences would give rise to the punishment of a five-year imprisonment or more without the option of a fine.
The Chairperson said that legal certainty was one of the hallmarks of legislation. He pointed out the continuous individual submissions made by Mr Robbertse may lead to the introduction of an argument that may not necessarily be shared by other lawyers. He asked the Department to present its specific stance on issues while leaving the interpretations to the courts and not the public. The public was expected to know the law as ignorance of the law was no excuse. If law makers then acted on assumptions, what should be expected of the public?
Mr Robbertse took note of the Chairperson’s comment. He also said it was possible to omit the offences from the Schedule to the Bill. However, the offences were included in the Schedule to emphasise the certainty around cyber fraud offences that amounted to R200 000 as a serious offence. Leaving the clause as it was would create a problem for persons that investigate cybercrime, as these persons were not legal or technical persons that could interpret the law. The role of the Department was to provide guidance for persons that investigate cybercrime in order to understand the category of seriousness of each offence and the applicable law to investigate such offence.
With regard to clause 39 that deals with expedited preservation of data, it was pointed out that a law enforcement agency may in terms of this clause, orders a service provider to preserve certain information for a period of 21 days. This preserved information cannot be made available to the law enforcement agency unless other direction contemplated in clause 42 of the Bill is obtained from a judicial officer. Although service providers acknowledged that the clause applied to archive communication related information, they recommended that similar processes and prescripts applicable to the RICA regime should be included in this clause.
The Department submitted that the proposed inclusion was not necessary but additional prescripts could be looked into. It was emphasised that clause 39 may only be applicable to internet service providers who do not currently have the obligation to store archive communication related information.
Service providers also reiterated that only ‘traffic data’ as was intended by the RICA can be recorded and stored in terms of this clause. However, a concern was raised about the additional procedures introduced in the Bill, which placed additional obligations and processes on service providers.
The Department responded that the additional procedures and obligations mainly related to instances where a service provider has the capacity to comply with these procedures. The clause provided that a service provider can approach a court and request that preservation of data direction should be set aside if such service provider does not have the necessary capacity to deal with the procedure. However, because most service providers were RICA compliant, they would in most instances, have the necessary capacity to deal with the preservation of data. Furthermore this procedure did not impose additional cost implications on service providers. The information that was recorded and stored was currently stored by most service providers in terms of RICA and it was to cater for instances where internet service providers dis not have the necessary capacity. Nonetheless, the same obligations could be imposed on internet service providers in terms of RICA directive. If this obligation was imposed, internet service providers would be expected to store information for a period of three to five years. This process should be seen as the least disruptive and would have less cost implications than the RICA directive. If the RICA directive was implemented, most service providers would have to forgo several millions.
Ms Mothapo asked if clause 39(1) was applicable to internet cafes.
Mr Robbertse said the clause can be made applicable to internet cafes. However, in terms of RICA, internet cafés were not categorised as internet service providers per se and there was no obligation on them. Nevertheless, there may be a need to store certain information at the internet café by the order of the designated judge telling such cafés to preserve all the emails sent. This would fall under the ambit of clause 39.
Ms Mothapo sought clarity on how the Bill would impact those at the grassroots.
The Chairperson agreed with Mr Robbertse that the clause could be made applicable. The Committee was however, concerned about making sure that general public understood what the Bill that was being passed as a law entailed and how it would affect them. The Department was expected to reach certainty on what it would like to achieve in order to ensure clarity. He asked that the Department elaborate on the reasons behind the conditionality of the application of clause 39 to internet cafes.
Mr Robbertse explained that if an email was sent from cybercriminal A to B that used the internet café and it comes to the attention of the police that this may be relevant to a cyber offence, the police can go to the internet café to serve an expedited preservation of data order on the internet café, and order such café to retain all emails for a period of 21 days in order for the police to further investigate a crime. It was however, not necessary to make this known to the police as a judicial authority can be acquired to order the internet café to provide information. In other words, the clause was aimed at collecting evidence from persons not under a statutory obligation to store certain information that may be relevant to an offence. In some instances, some people wipe information necessary for investigation off their computers. If that order is served on such persons, they must ensure that the needed information was kept intact until a police officer arrives with a warrant from a magistrate which orders a person to hand over the information or authorises the police official to investigate or access the computer and extract the relevant information.
The Banking Association of South Africa (BASA) noted clause 39 (2)(a) extended the current period prescribed in terms of the RICA to store communication related information (more currently referred to as archive communicated related information). It was proposed that the RICA directive should be amended in this regard.
The Department responded that the period for storage of information was three years. Extending this period based on the RICA directive would result in cost implications due to the fact that all information on the system would have to be stored rather than a single instance where data preservation directives are given to service providers. Also, extending the three-year period to a longer period may result in constitutional challenges, especially because the data retention period had already been challenged overseas for it to be shorter than three years. This was an aspect that the Department was currently grappling with the reconsideration of the RICA legislation. It was also submitted that it would be justifiable to request an extension if it was known that certain information was involved. However, request for extension could only be made on a case by case basis.
The Chairperson asked if the delivery of justice should be subjected to the question of cost.
Mr Robbertse replied that cost implication was probably not something that should be taken into account in relation to the fair administration of justice. However, it was important to note that the information recorded and stored by service providers would cover all customers of such service providers. The three-year period should be sufficient for law enforcement agencies to investigate most crimes. If it was suspected that some of the information that would be deleted at the end of the three years was still needed for a further period, service providers could then be approached. Extending the period of storage of information would affect other things such as delivery of service to underdeveloped areas. The cost implications might also be far reaching.
CCR sought clarity on whether the designated judge who granted an interception order has to be approached again or if the designated police official on the strength of the expedited preservation of data order can continue with an interception.
The Department replied that clause 38 did not allow for the interception of information referred to in clause 38 (1) and (2) or any information that aligns with such communication.
CCR also held the view that clause 39 extended the area of interception and this posed a threat to privacy.
The Department clarified that no extension of any interception measure existed under the RICA in terms of the Bill or clause 39.
CCR also referred to the issue of extension of the period for preservation of archive communication related information.
The Department indicated that information must be kept for 21 days based on a preservation order. If on the 21st day, no judicial authority was produced to extend the period, the preservation order would expire. In the interim, if it became necessary to further preserve evidence, a judicial officer should be approached in terms of clause 40 of the Bill to grant further extension for a period of 90 days.
The Chairperson asked for the rationale behind starting with a smaller period that can be extended to a longer period of 90 days instead of vice versa.
Mr Robbertse replied that since law enforcement agencies are given the power to preserve data, the initial period should be restricted. An extension of such preservation period could then be applied for to a judicial officer who would determine whether or not such extension should be granted.
CCR also raised a concern that clause 39 (1)(a) to (e) was vague, especially if one considered that a preservation of property order in terms of the Prevention of Organised Crimes Act only referred to the request for a preservation order of property, which on reasonable belief was an instrumentality of an offence.
The Department responded that clause 39 (1) required that the functionary must on reasonable grounds believe that the data was involved in the commission of the offence. The objective test would be used and could be challenged later on. Any institution can approach a judicial officer in terms of clause 39 to request the setting aside of the preservation order on various grounds.
The Information Regulator (IR) raised a concern that the preservation of data should be considered in the light of the eight principles relating to data protection.
The Department submitted that the Bill as a whole, contained sufficient protection measures to ensure that privacy was protected (see pages 173 to 178 of the attached document for more details).
Regarding clauses 40, 41 and 42 that deals with the preservation of evidence direction; oral application for preservation of evidence direction; and disclosure of data direction respectively, the concerns raised by service providers and the responses from the Department were highlighted (see page 178 of the attached document for details).
Still on clause 42, the Department noted that the disclosure of data direction was mainly used where certain information or evidence has been preserved and a person was required to approach a judicial officer to obtain a specific direction to make available such evidence and data that has been preserved.
A concern was raised around the application of a disclosure of data direction, which was given on a case by case basis. Service providers referred to instances where they may not be able to comply with this direction. To this the Department clarified that a service provider that cannot comply with the direction in a specific instance can approach a judicial officer to set aside the direction on the basis that such service provider cannot in a ‘reasonable fashion’ comply with the direction.
The Department emphasised that service providers do not need to acquire additional expertise to implement this clause.
Service providers also noted that clause 42 also covered the preservation of evidence. They were however, uncertain about how the direction would work if evidence other than data was under preservation.
The Department clarified that the evidence being referred to in clause 42 was only in relation to data. In other words, it was only data that can be made available in terms of a direction. No reference was made to what should happen to other real evidence. The intention of the Bill was for other evidence to be seized in terms of clause 27. Clause 42 cannot be used to take possession of real evidence.
To further clarify clause 42, the Department referred to a proposed amendment to the clause on page 180 of the attached document.
Mr M Maila (ANC) noted that service providers had raised certain fears, including the fact that some significant monetary value could be attached to the concerns being raised. The Department was asked to explain how those fears would be allayed.
Mr Robbertse restated the concerns raised by service providers, namely that the preservation of data may have additional cost implications on them, and any instance where they have to preserve other evidence that was not data. The Department reiterated that the preservation of data order was given on a case by case basis, as service providers were under no obligation to store all information. This also cuts down on the additional costs that would be incurred. As far as the preservation of data on a case by case basis was concerned, it should be noted that the data that would recorded and stored was in more instances, core related information or archive communication related information, which was typically what was received on a call record in a month. No general cost implication would be incurred on service providers on the preservation of data.
Preservation of evidence on the other hand, related to a computer. For example, if a person was in possession of a computer and needed the computer for his business, the effect thereof of the Anton Pillar order provided for in clause 40, was that the person would remain in control of the equipment subject to the conditions that the court imposes on him. Such person can make use of the computer but the use of the computer must not affect the necessary evidence. At a later stage, a police official would obtain a warrant with which the person would be approached and the computer seized for the purposes of investigation. Very limited cost implications would be incurred in this regard. However, the cost implications may be bigger if the computer was seized and kept in police custody for a long period of time for investigation, making it impossible for the person to use the computer. In terms of the clause however, where a service provider is in possession of the computer system, the service provider must provide certain assurances to the court that integrity of the system has been maintained, as well as data thereon.
The Department was of the view that this would actually ensure that no additional cost was obtained by a person in possession of that computer due to the fact that such person can use the computer for a certain period.
A comment was also made that clause 43 (1)(a) applied regardless of geographical location of the data. Clarity was therefore sought as to whether this would not be viewed as a contravention of foreign law, as well as have cross-border implications.
The Department responded that the clause related to public available data, which was defined as data that was available in the public domain without any restriction. If such data can be accessed by anybody else, it should be accessible to the police as well. The Department was however, concerned about the use of the word ‘seize’ in the clause. An amendment was therefore, proposed (see page 182 of the attached document for details).
A concern was raised that although public available data may be accessed by the police, there could be possible abuses by the police in accessing such information.
The Department submitted that it was difficult to see how the police can abuse public available data for unlawful purposes.
A proposal was made for clause 43 (b) to be amended. Clause 43 (b) provides for instances where a person approaches the police to provide information. IM Governance suggested that a phrase should be inserted to indicate that it must comply with the conditions of processing of personal information.
The Department responded that the protection of Personal Information Act (POPIA) would apply in any event and if such information is provided to SAPS, it must be done within the ambit of POPIA.
The IR requested that clause 43 should be considered in light of POPIA.
The Department submitted that POPIA cannot be applicable where data qualified as publicly available data. POPIA would however, apply to instances where a person handed over information to the police.
Ms Christine Silkstone, Parliamentary Legal Adviser, sought clarity on the rationale behind extending the powers of the police in clauses 40 and 41 to approach a magistrate as opposed to only a high court judge or a RICA judge.
Mr W Horn (DA) referred to the issue of the police seizing publicly available data, noting that it would no longer be publicly available once seized. In essence, it was still possible for the police to abuse their powers if ulterior motive or unlawful motive was behind the seizure.
Ms Breytenbach referred to the comments made by ISPA, and sought clarity on who comprised of ISPA, who the association represented, and if Cell-C, Telkom and Vodacom were members of the association.
Mr Skosana referred to page 183, paragraph c (see attached document) where it was stated that disclosure was voluntary. He sought clarity on whether this meant that a request for access to information could be declined and if so, what the implications would be for such a decline. He also noted that the response to this comment (as given by the Department (see page 183 of the attached document) was confusing. The Department was asked to clarify its response, particularly on the submission that access to information was addressed in the Promotion of Access to Information Act (PAIA), and once such information forms part of a police investigation, access cannot be acquired in terms of PAIA.
Mr Robbertse clarified that the Department’s submission on page 183 talked to the fact that access to information can be requested in terms of PAIA. Section 59(1) of PAIA contained provision to the effect that an information officer can refuse access to information on the ground that such information would prejudice the investigation. A consideration of all judgements to date gave effect to not making available information that was given during an investigation. The Department therefore, submitted that although information may be disclosed to the police at some stage, whatever happened to such information after such disclosure to the police was regulated by other legislation and was usually not made available to the public, as it may adversely affect the investigation of criminal matters.
On the issue of ISPA, Mr Robbertse said the association represented the majority of internet service providers in South Africa. MTN, Cell-C and Telkom were not part of the association. However, in the context of the comment made by ISPA, Telkom, MTN, Cell-C and Vodacom also provided internet services and some of the provisions under the relevant chapter of the Bill may be used to obtain core related information from those service providers.
Ms Breytenbach said the reason for her question was based on the fact that ISPA seemed to be comprised of a group of small businesses and in the bigger scheme of things, the relevance of its comment should be considered bearing in mind that the association had no objective.
Mr Robbertse said that ISPA also represented large internet service providers and not only the small ones. As indicated previously, the clauses in the Bill could be followed or resort be made to the RICA directives to make the obligation applicable to all service providers in terms of the RICA for a period of up to three to five years. Although ISPA did not represent all internet service providers, it represented some of the major ones.
The Chairperson asked if the obligation should be conditional, rather than being of general application.
Mr Robbertse replied that the Department previously tried to implement a prescription of general application that would cater for the storing of core related information. However, internet in South Africa was very essential and it was necessary to roll it out to far places in the Republic. Internet was essential for education, business and so many other things. During the stage of implementation of the directive, the Department was asked to restrict the directive to bans in order to prevent the undue influence of the development of internet in South Africa. The urgent need to roll out internet has been ongoing for ten years now. The RICA directive can be made applicable to internet service providers but the procedure in the Bill that provides for the preservation of archive communication related information seemed to be a better solution in catering for law enforcement on the one hand, and the needs of other people in South Africa in terms of rolling out internet and having affordable internet service.
On the question of abuse of publicly available data by the police, the Department reiterated that an amendment has been proposed to the clause to give effect to the fact that the use of the word ‘seize’ was irrelevant and incorrect in the clause. The proposed amendment prescribed that law enforcement agencies can access such information and use it for investigation. It was further reiterated that such information cannot be used for unlawful purposes.
On the issues raised around clause 40 and 41, the Department clarified that the clauses did not refer to a designated judge. The reference was made to an ordinary magistrate and ordinary judge of a high court. The clauses were aimed at catering for any circumstance that may arise. Any magistrate may issue warrants and section 205 orders but once an ICT or electronic communication was involved, things become more complicated and a lot of issues would have to be considered; hence the inclusion of the clause that either a magistrate or a judge of the high court may be approached to deal with various applications by law enforcement agencies.
Mr Robbertse continued with chapter 6 of the Bill which dealt with mutual legal assistance. Currently, there were no procedures in place to deal with mutual legal assistance in so far as it relates to cybercrime. This chapter was aimed at putting certain procedures in place to cater for the needs of mutual legal assistance in relation to cybercrime. It should be noted that most cybercrimes in South Africa originate from outside the country. This procedure was therefore, necessary. Also, the preservation of information and availability of certain information and investigation of cybercrime was essential. It was essential for the preservation of information, availability of certain information and investigation of cybercrime be carried out in an expedited manner.
It should also be noted that the clauses around mutual legal assistance were aimed at preserving evidence. The giving of evidence to other countries was subject to other processes in terms of the International Cooperation of Criminal Matters Act (ICCMA). In terms of the ICCMA, the court would receive application for international cooperation; consider it and if deemed necessary, make available such cooperation to the other country.
The first comment received was from IM Governance, where a proposal was made for the IR to be included in terms of clause 45(1).
The Department replied that POPIA had a certain area of application for the IR. It was further submitted that the IR should not be involved in decision making aspects due to the fact that this may be challenged at a later stage. The IR’s involvement may also adversely affect his integrity and impartiality.
With regard to clause 46 which dealt with foreign requests for assistance and cooperation, IM Governance also proposed that the IR be allowed to play a role here. The same response given by the Department above would apply here.
In terms of clause 48 that dealt with the need to inform a foreign State of the outcome of the request for mutual assistance and expedited disclosure of traffic data, service providers wondered if this was a deviation from the RICA process, especially because in terms of the RICA process, data was usually routed to the office for interception centre and the procedure in the Bill provides that such information must be handed over to a designated member of SAPS.
The Department replied that if the RICA process was applicable, service providers would have to route the information to the interception centre where the said information would be collected by police official. However, a designated police official would still have to execute the order of a designated judge.
Also, in terms of clause 46 of the Bill that sets out the various powers of the designated judge, powers given to the designated judge to specifically specify the orders may be executed. The designated judge may stipulate specific conditions for handing over the information.
Chapter 7 of the Bill dealt with the establishment of 24/7 point of contact. The Western Cape supported clause 50, and recommended that the point of contact should be adequately resourced and staffed in order to ensure effectiveness.
IM Governance recommended that deputy information officers should be appointed as part of the 24/7 point of contact, and to assist in dealing with the reporting of cybercrime.
The Department noted the comment from Western Cape but disagreed with the proposal from IM Governance for information officers to be part of the 24/7 point of contact structure.
Chapter 8 focused on evidence. In terms of clause 51, certain evidence may be proved by means of affidavit handed to the court. The first comment received was a recommendation from service providers for the Bill to take the South African Law Reform Commission (SALRC)’s report on evidence into account. To this, the Department replied that the said report was made available after the Bill had been introduced in Parliament. It was further submitted that the report would not influence the current clause in relation to the certificate that can be produced in court as prima facie evidence of certain facts.
DFIRLABS referred to the fact that the clause did not provide for a means of identification of the person who made the affidavit as an expert witness. It therefore proposed that the clause should be amended to make provision for relevant qualification, expertise and experience of a person that makes such affidavit.
The Department replied that clause 51 already addressed this aspect and provided that a person must state his competence. Also in terms of clause 24 of the Bill, only certain competent people would be able to investigate cybercrimes. The standard operating procedures (SOPs) identified the category of persons that would be regarded as experts to investigate cybercrime. One should be careful to specifically require relevant qualification, expertise and experience. A court judgement existed to the effect that certain persons may be regarded as experts despite not having the necessary qualifications. Generally, the clause provided the court with the discretion to identify a person as an expert or not.
Ms Mothapo asked if there was a difference between internet service providers (ISP) and electronic communication service providers.
Mr Robbertse replied that electronic communication service providers referred to all persons that provided electronic communication service. The term is defined in section 1 of the Bill. ISP was a sub-category of electronic communication service providers. The current electronic communication service providers in South Africa were mainly fixed line operators like Telkom or telephone services; mobile cellular operators; and internet service providers. Licenses were only granted to these categories in terms of the Electronic Communications Act.
A comment was made for the clause to be amended to specifically include digital forensic practitioners in the employment of a private body as prescribed by notice in the Gazette.
The Department replied that it may be convenient to do this, and to prescribe that certain persons that qualify as experts and who can make use of this clause should make an affidavit. The concern however, was that it would be impossible to identify each and every category of persons that must be regarded as experts and who would, in the field of electronic communication technology be experts to give evidence in terms of this clause. The Department therefore, submitted that it should be left in the discretion of the court to determine the qualification of a person as an expert rather than by way of a notice prescribed in the Gazette.
The Chairperson asked how the court would be able to determine the qualification for experts in the absence of experts on this matter.
Mr Robbertse replied that clause 51 provided for a certificate upon which a person may state facts and handover same to the court. The court would accept the certificate as prima facie proof of the content thereon. It has been stipulated in various court cases when a person would be regarded by the court. It might be problematic at this stage to determine the qualification criteria. However, such person has to produce evidence before the court that would enable the court to view him or her as an expert.
A proposal was made for clause 51 (1)(iii) to be amended to include a phrase to the effect that a person has established such facts by means of a scientifically validated and documented examination process, which is fully documented in the affidavit.”
The Department replied that investigations were usually fully documented as far as the SOPs and digital forensic evidence were concerned. The SOPs placed obligations on a person to be able to fully document and explain what has been done in an investigation. The Department therefore, opined that it would be unnecessary to include the proposed phrase in clause 51. Instead, it could be included in the SOPs, and become the yardstick to measure the adequacy of forensic investigation in order to evaluate digital evidence.
A proposal was also made for the insertion of a phrase to the effect that “the opposing party may request that the person who makes the affidavit should submit himself or herself for cross-examination.”
The Department replied that the clause already provided for this (see clause 51 (3) and 51 (5)(c). The clause provided that the court may use its discretion to subpoena a person who made the affidavit to come before the court to give evidence. Provision was also made for the clarification of the affidavit. In practice, and in relation to section 212 of the CPA that dealt with this same issue, where there was a concern about the certificate, the person who made the affidavit would be called to court to be cross-examined by the opposing party. Reference was made to a case that sets out the procedure in respect of section 212 of the CPA (see page 189 of the attached document for details).
Chapter 10 dealt with obligations on electronic communications service providers and financial institutions to report certain prescribed cybercrimes to SAPS and to retain certain information that may assist SAPS to investigate cybercrime. The Department pointed out that as a building stone of cybersecurity, it was important to know the offences committed against computer systems, and clause 52 may facilitate this. Chapter 10 would further facilitate an understanding of the nature and extent of cybercrime in South Africa and would assist in putting place measures to deal with cybercrime and cybersecurity.
BASA indicated that there were certain provisions currently in place that actively required some financial institutions to monitor their systems in order to detect criminal activities. BASA noted that the current clause excluded this obligation.
The Department replied that clause 52 (4) of the Bill specifically provided for this and no person would be required to monitor activities that take place on the system except that other laws have imposed such obligations on the person. If the banking sector has such obligations for an example, such obligations would prevail over the provisions of the Bill.
ISPA proposed that clause 52(3) should be amended (see page 190 of the attached document). The Department agreed with the comment and proposed wording (see page 190).
Western Cape was of the view that the penalty of R50 0000 was insufficient to compel institutions to give effect to their obligations in terms of the clause and should be revisited. The Department on the other hand held the view that the fine was sufficient and it was not the fine that actually deterred these persons from complying with statutory obligations (see pages 190 and 191 of the attached document for details).
A concern was raised by service providers that clause 52 should not be interpreted to impose an obligation on them where a computer system is involved in the commission of any category or class of offences provided in chapter 2. The Department replied that it would depend on the nature of the offence. Where computer systems are involved, it should be reported. Where there is no connection between the system and the offence, the service providers do not have to report.
Michalsons Attorneys raised a concern that electronic communication service providers (ECSPs) would like to address vulnerability before reporting same to SAPS. The Department agreed with this comment and noted that the Bill provided ECSPs with sufficient measures to address such vulnerability before reporting same to the police. The clause however, provides that they should report this to the police without undue delay, not later than within 72 hours.
Michalsons Attorneys further raised a concern that not all cybercrimes should be reported to SAPS. The banks currently deal with hundreds of cyber attacks against their systems on a daily basis. The Department responded that the clause did not provide that all cyber offences must be reported, instead, it specifically states that only certain prescribed offences that would be determined by SAPS must be reported to the police. The Department also indicated the type of offences that should be reported, namely offences involving a loss or damage exceeding R50 000.
A concern was also raised on the period for which information must be stored. To this the Department replied that although the clause did not prescribe a period for which the information must be stored, the obligations of service providers usually expire after handling the information to the SAPS. In many instances, some of the service providers usually store this information for other purposes, such as civil claims, compliance issues and so on.
MTN submitted that clause 52 (2) should provide that the manner in which the prescribed crimes should be reported to SAPS must be done on a confidential basis. The Department responded that all information relating to a criminal investigation was confidential. However, this aspect would receive further attention during the drafting of the notice contemplated in the said clause. It was also pointed out that clause 37 of the Bill prohibits the distribution of any information to somebody else unless it falls within the ambit where such information can be distributed to another person.
Deloitte raised a concern that the word ‘feasible’ should be defined. The Department replied that the word was clear enough and did not need to be redefined. In the context, it meant that information should be reported within 72 hours where practicable or reasonable.
Deloitte also said it was unclear when a fine should be imposed for a contravention of this clause, which is the failure to report the offence to the SAPS. The Department submitted that the clause clearly stipulated that each time an entity failed to report a prescribed offence, the entity would be contravening the provisions of the clause.
The Minister of Finance commented on clause 52 (5) which excluded certain financial entities from reporting obligations. The Department agreed with the proposed amendment, and also proposed wording to that effect (see page 195 of the attached document for details).
All Rise proposed that similar reporting requirements for malicious communications should be imposed, as this would assist in determining the extent of cyber harassment in South Africa. The Department responded that although the clause did not require service providers to report harmful communications, there were other avenues through which statistics regarding harmful communication could be obtained, one of which was through a protection order issued by court (see pages 195 to 196).
MTN raised a concern on the impact of the general obligations of service providers to ensure privacy and confidentiality of communications in relation to information that must be kept by service providers. Reference was made to RICA and it was argued that RICA only narrowly defined instances that allowed service providers to gain access to information. The Department responded that indirect communications cannot be intercepted or retained in terms of this clause. Reference was made to certain sections of the RICA that may be relevant to a cyber offence inter alia where a person reports a cyber offence to a service provider. RICA provided for instances where certain information may be accessed on permission of a person involved in a communication. It was further submitted that as far as archive communication related information was concerned, this clause was the authorising provision that may be used to retain such information that is brought to the attention of service providers.
IM Governance proposed that the POPIA structure should be specifically included alongside the reporting obligations. The Department submitted that POPIA had a specific application field and the IR cannot be involved in other things outside his empowering clause in terms of section 40 of the POPIA.
IM Governance also proposed that clause 52 (1)(b) should be amended to provide that information should not be preserved for longer than necessary. The Department responded that this proposal was implied and would be regulated by the POPIA.
SAFACT asked about what would happen if encryption was used in distributing a message through a computer system, especially since a service provider may not be able to track and store such information. The Department responded that no positive obligations are imposed on ECSPs to participate in an investigation. ECSPs are only required to preserve information that may be of assistance to law enforcement.
Bowline remarked that it should be mandatory for companies to report cyber breaches. The Department took note of this but pointed out that the ambit of clause 51 only covered ECSPs and financial institutions, with the exclusion of other entities. As for the reporting requirements, the Department submitted that in most instances, many companies would report cybercrime to SAPS based on certain requirements of the insurance taken out by such companies.
A concern was raised that the Bill should provide for fines where organisations in the private and public sphere deal with personal information without a dedicated information security officer. The Department replied that the Bill cannot deal with this aspect, but the POPIA comprehensively deals with it.
Bowline remarked that management of private and public companies should be held responsible in their personal capacity for cyber breaches within their organisations. The Department responded that sections 76 and 77 of the Companies Act dealt with compliance issues by the senior members of companies and if the senior members fail to comply with their fiduciary duties, they can be held personally liable for such breaches in terms of the Companies Act. One of such non-compliances could that they are not cyber secured.
In conclusion, the Department indicated the annexure to the submissions (see pages 201 to 205 of the attached document).
Ms Breytenbach asked for other reasons behind the non-distribution of the Socio-Economic Impact Assessment System (SEIAS) report for public comment, apart from the previous submission of the Department that there was no such requirement for distribution of the SEIAS report.
Ms Pillay replied that there was no reason for non-distribution of the SEIAS report. She clarified that the Department had an obligation to make the SEIAS report available once requested.
Ms Breytenbach restated her question and emphasised the need for other reasons behind the prohibition of the distribution of the report for public comment other than the fact that there was no requirement for such distribution.
The Chairperson said the Committee should be fair on the Department. If there was no requirement for the Department to distribute the report, the Committee should not make it mandatory for the Department to distribute it.
Ms Breytenbach clarified that she just wanted the Department to clarify if the distribution of the report for public comment was desirable or not.
The Chairperson said that if the distribution of the report was not a requirement, it would be discretionary for the Department to either distribute it or not.
Ms Pillay reiterated that there was no reason why the Department did not consult on the SEIAS, except for the fact that it was not required. The SEIAS contained the cost analysis of the Bill, which was dealt with during the extensive consultation on the Bill.
Mr L Mpulmwana (ANC) sought clarification on how SAPS would determine the offences that should be reported to it. He also sought clarity on the explanation of the fine for the offence referred to in paragraph 10.11 (see page 194 of the attached document). Would an entity be fined R50 000 for failure to report each offence or fined for a series of offences? He also asked for an explanation of section 10 of the South African Reserve Bank (SARB) Act in relation to the Department’s response in paragraph 10.12 (see pages 195 of the attached document).
On the issue of reporting fines imposed on service providers, Mr Robbertse said the fines relate to each and every incident of cybercrime. In other words, service providers must be able to identify these offences and report them to the SAPS, otherwise they would be fined.
With regard to section 10 of SARB Act, it was pointed out that clause 51 of the Bill placed certain obligations on financial institutions and ECSPs to report cybercrime to the SAPS. The problem however, was that the SARB and other entities referred to in this paragraph would qualify as financial service providers in terms of this current legislation, even though they do render financial services as a bank. It was for this reason that they have been excluded from the operation of clause 51. The phrase ‘any other legislation’ added to the proposed amendment to clause 55(5) refers to the Financial Sector Regulatory Act (FSRA), which was recently adopted by Parliament this year. This Act would have some consequential amendments in terms of the definition of financial service provider. In general, the clause only excluded financial sector regulators in terms of the FSRA.
With regard to the determination of offences to be reported by SAPS, it was pointed out that a lot of cyber offences are committed against service providers. If service providers have to report each and every cyber offence, the police would be flooded with reports. The police was not interested in every cyber offence, as there were other avenues where some cyber offences could be reported, namely the cyber hub of general cybercrime issues. However, in terms of the clause, there was provision for SAPS to prescribe certain categories of offences that must be reported to it. The clause was aimed at capturing the most serious offences being committed, as well as narrowing down the ambit of offences to be reported.
Mr Mpumlwana raised a concern on the determination of the offence to be reported to the police by the police as well. He also sought clarity on clause 52(2) that provided that the police would make a regulation for the determination of offences relating to fraud and involving R50 000 or more.
Mr Robbertse clarified that the clause under discussion placed obligations on certain persons to report specific offences to the SAPS. Generally, all offences can be reported to the SAPS. Clause 52 aimed to involve service providers in assisting SAPS. In most instances, offences are not committed against ECSPs or the bank in question, but the offences take place over their systems and their clients are involved. Usually, clients are the ones that report the offences to SAPS, but obligations have also been placed on service providers to report offences involving R50 000 or more which took place on their system to the police. Service providers also have a further obligation to keep evidence relating to that offence on their system. The general reporting of crimes to SAPS was not affected by clause 52. Clause 52 only imposes reporting obligations on persons that facilitate most financial transactions to report offences to the police, and also assist the police with investigation of crime.
The Chairperson said that further clarification would be given on the issue at the next meeting.
The meeting was adjourned.
No related documents