Cybercrimes and Cybersecurity Bill: response to submissions; Committee Reports: Public Protector Removal; Deputy Public protector Inquiry; Executive Members’ Ethics Act review + Removal of Magistrates

This premium content has been made freely available

Justice and Correctional Services

15 November 2017
Chairperson: Dr M Motshekga (ANC)
Share this page:

Meeting Summary

The Department of Justice briefed the Committee on their responses to submissions relating to chapters 10 to chapter 13 of the Cybercrimes and Cybersecurity Bill. These chapters talked to structures to deal with cybersecurity; critical information infrastructure protection; agreements with foreign states; and general provisions. In addition, the Committee also considered various reports such as the request to remove the Public Protector, the inquiry into alleged misconduct by the Deputy Public Protector, the Executive Members’ Ethics Act review and the removal of Magistrates.

On chapter 10 that dealt with structures to deal with cybersecurity, Cell C, Telkom and Vodacom submitted that there was no clarity as to which organ of State ultimately held supreme authority to ensure that these entities all operated and interacted seamlessly and that the overall objectives of the Bill are achieved.

The Department responded that the coordinating role to ensure implementation of the measures provided for in the Bill was assigned to the Cyber Response Committee (CRC) as is provided for in clause 53. The CRC was chaired by the State Security Agency (SSA) and the Cabinet Member responsible for State Security was accountable to Parliament regarding the functioning of the CRC.

Professor Von Solms from the University of Johannesburg submitted that there was a massive shortage of ICT professionals which are required to address cybersecurity, internationally and locally. The Bill aimed to establish at least three Computer Security Incident Response Teams (CSIRTs) and extensive experience and technical expertise are required to man a CSIRT.  South Africa did not have this capacity and he proposed that the structures should be merged into a single structure and all available skills, which would have been deployed in the three

On a submission that the Information Regulator should also be included in the CRC, the Department responded that the powers of the Information Regulator are restricted to the ambit of POPIA. The protection of personal information, like all other data was important. The participation of the Information Regulator in such initiatives might create an adverse perception regarding the independence of the Information Regulator.

On Chapter 11 that dealt with critical information infrastructure protection, the Open Democracy Advice Centre (ODAC) said this chapter should be considered as a National Key Points Act for electronic communications systems. The National Key Points Act was a controversial law that was currently being revised. The chapter will also apply to government in the national, provincial and local sphere and it was argued that the Minimum Information Security Standards (MISS) should be adequate to deal with aspects provided for in this chapter.

Internet Solutions submitted that there was no definition of critical information infrastructure and this gave the Minister of State Security a wide discretion to declare any information infrastructure as a critical information infrastructure. Critical information infrastructure should only be such structures that are absolutely essential for the State to function.

The Department said clause 57(2) read with clause 57(12)(d), sufficiently and narrowly define “critical information infrastructure” to limit the discretion of the Cabinet Member responsible for State Security to declare critical information infrastructures. These infrastructures cannot be restricted to those that are necessary for the State to function, since the primary objective was to secure information infrastructures that are essential to the Republic as a whole.

Among their many submissions, IM Consultancy also submitted that the categorisation of critical information infrastructure as contemplated in section 57(2), should exclude critical information infrastructure holding or comprising personal information.

According to the Department, such an argument would mean that the databases of the Department of Home Affairs (DHA) and the Deeds Office should be excluded. It did not take into account the reality of cybersecurity and the need to protect systems that process and store this essential information and the information itself. During a recent

On chapter 12 that dealt with agreements with foreign states, Cell C, Telkom and Vodacom submitted that current procedures for mutual assistance between South Africa and foreign countries in the investigation of cybercrimes did not effectively take into account the transient nature of electronic evidence and the need to act expeditiously. Various other countries enacted legislation to provide for urgent action to preserve information and to provide expeditious assistance to identify the origin of communications involved in a cybercrime.

On chapter 13 that covered the general provisions in the Bill, the Internet Service Providers Association (ISPA) said the definition of “electronic communications service provider” to be inserted into the Sexual Offences and Related matters Amendment Act (SORMAA) should be aligned with the definition proposed in the body of the Bill.

On the report on the request that the National Assembly institute proceedings to have the Pubic Protector removed in terms of section 94 of the Constitution, Mr W Horne (DA) accused members of trying to sanitise the report by not including deliberations by the Committee on 10 October 2017 on this matter. These deliberations centred o whether the Committee or an ad hoc committee request. He also disagreed with the Committee decision to not include dissenting views by minority parties.

Members agreed that the report dealt with the decision that this Committee would deal with the matter and this report on how the Committee dealt with the matter was sufficient. On dissenting views, the Committee agreed that it should not be captured in the report, because parties still had the right to express their views in the House.

The report was adopted with amendments with six Members in favour and one against.

On the inquiry into alleged misconduct by the Deputy Public Protector, the Committee agreed that the wording in the Committee report needed to be redrafted so that it was understood that this investigation that was alleged to have been stopped was in fact ongoing. The recommendation of the Committee read “the Committee resolved that there was no basis for the National Assembly to conduct an inquiry into alleged misconduct by the Deputy Public Protector as requested.

The report was unanimously adopted with amendments.

On the Executive Members’ Ethics Act review, the recommendations are that “the National Assembly request the Minister of Justice and Correctional Services to investigate possible shortcomings in the legal framework regulating the conduct applicable to Executive Members, including the specific aspects of the remedial action in paragraph 8.9 of the ‘State of Capture’ report as it relates to the Executive Members’ Act of 1998, that may require legislative amendment and to introduce this to Parliament as a matter of urgency. The National Assembly refers consideration of the transversal code of conduct to the Department of Public Service and Administration (DPSA) for further investigation”.

The report was adopted with amendments and Mr Horne indicated that the DA reserved its position.

There was a recommendation from the Minister, through the Magistrates’ Commission, for the removal of three Magistrates, Stuurman, Hole and Gqiba. The Committee voted in favour of the removal of Magistrates Stuurman and Hole.In the case of Magistrate Gqiba, while the Committee had agreed in principle for her removal as with the others, a Notice of Motion had been received. Legal advice said the papers were not properly served on Parliament. The Committee agreed to keep the matter in abeyance until a legal opinion was sought.

Meeting report

Cybercrimes and Cybersecurity Bill: response to submissions

Adv Dingaan Mangena, State Law Adviser, DoJ&CD, highlighted the submissions received and the Department’s responses. On chapter 10 that dealt with structures to deal with cybersecurity, Adv Mangena said Mr Heyink submitted that the Bill took an authoritarian approach to cybersecurity.  Chapter 11 of the Bill must facilitate public-private partnerships which despite being addressed in the National Cybersecurity Policy Framework (NCFP), are absent from the Bill. He also submitted that the Bill did not take the status of privacy and protection of personal information into account as it undoubtedly should.

The Department responded that The NCPF dealt with public-private partnerships relating to cybersecurity and it was not necessary to provide for this in the Bill. Partnerships in essence meant that there must be a consensual basis of cooperation and the coercive basis of legislative obligations that must be adhered to was not necessary. The building blocks for cybersecurity are referred to in paragraph 1.25 and the aim of these principles was to ensure the confidentiality, integrity and availability of computer systems. The protection of personal information was provided for in the Protection of Personal Information Act (POPIA) and it was not necessary to specifically refer in other law to aspects that are already comprehensively dealt with in POPIA.

Cell C, Telkom and Vodacom submitted that there was no clarity as to which organ of State ultimately held supreme authority to ensure that these entities all operated and interacted seamlessly and that the overall objectives of the Bill are achieved.

The Department responded that the coordinating role to ensure implementation of the measures provided for in the Bill was assigned to the Cyber Response Committee (CRC) as is provided for in clause 53. The CRC was chaired by the State Security Agency (SSA) and the Cabinet Member responsible for State Security was accountable to Parliament regarding the functioning of the CRC.

Professor Von Solms from the University of Johannesburg submitted that there was a massive shortage of ICT professionals which are required to address cybersecurity, internationally and locally. The Bill did not take this skill shortage into account. The Bill aimed to establish at least three Computer Security Incident Response Teams (CSIRTs) and extensive experience and technical expertise are required to man a CSIRT.  South Africa did not have this capacity. He proposed that the structures should be merged into a single structure and all available skills, which would have been deployed in the three structures, should be consolidated.

The Department said the reason for not having one structure was to cater for the different constitutional mandates of the departments. The approach and technical expertise that needed to be acquired to address their objectives differed substantially and a one-size-fits-all approach cannot be used to address these different objectives. Clause 54 imposed obligations on different departments to obtain the required capacity in order to come to terms with their obligations imposed on them in terms of the Bill. 

Media Monitoring raised the concern that the Cabinet Member responsible for State Security was responsible for the oversight of the CRC. The role of the Cabinet Member for State Security was questionable in light of the general focus of the Bill. It was suggested that the oversight function should be allocated to the Cabinet Member responsible for the administration of justice and that the Director-General of DJCD should be the Chairperson of the CRC.

According to the Department, the CRC consisted of heads of various departments that have different constitutional mandates. The Director-General of State Security was the chairperson and responsible to ensure that the CRC fulfilled its function is assigned to it in terms of the Bill. The CRC cannot therefore be regarded as being under the control of the SSA.

The Western Cape submitted that provision should be made for provincial representatives on the CRC.

In response, DJCD said that telecommunications did not fall within the ambits of Schedule 4 or 5 of the Constitution that dealt with functional areas of concurrent national and provincial legislative competence and exclusive provincial legislative competence, respectively. The aim of the CRC was to deal with matters relating to ICTs that fell within the domain of exclusive national legislative competence.

The Minister of Finance submitted that clause 53 provided, among others that the CRC included National Treasury, the South African Reserve Bank (SARB) and the South African Revenue Services (SARS). Although any other department or public entity may be requested to assist the CRC, it was submitted that the word “public entity” may be limited to public entities as listed in Schedules 2 and 3 of the Public Finance Management Act (PFMA). It was proposed, in order to allow for the participation of the Prudential Authority to be established in terms of the Financial Sector Regulation Act (FSRA) in the CRC that the phrase “other department or public entity” be substituted for the phrase “any other organ of the state” as defined in section 239 of the Constitution.

The Department agreed and proposed an amendment to that effect.

On a submission that the Information Regulator should also be included in the CRC, the Department responded that the powers of the Information Regulator are restricted to the ambit of POPIA. The protection of personal information, like all other data was important. However, the Information Regulator should not be included in a decision making structure within government that was mandated to implement measures to deal with cybersecurity as it played a crucial oversight role. The participation of the Information Regulator in such initiatives might create an adverse perception regarding the independence of the Information Regulator.

Cell C, Telkom and Vodacom submitted that costs involved in the establishment of nodal points and the obligations of the nodal points are unclear. It was proposed that there should be a cost and impact assessment before implementation of the clause. Similarly, the Credit Bureau Association (CBA) submitted that the Bill placed onerous and costly obligations on the private sector to establish CSIRTs.

According to the Department, nodal points are essential for a cybersecure South Africa. Nodal points did not imply that service providers must establish CSIRTs to deal with cyber threats. Nodal points implied that a sector, for instance the mobile service providers, must bring into operation a contact point for the mobile cellular sector to impart information of, or receive information of cyber threats, which must be made known to other sector participants or the Cyber Hub (see clause 55(3)). In many sectors there was already information sharing of cyber threats and technical solutions that can be implemented to address such threats and cost implications would be minimal.

The South African Human Rights Commission (SAHRC) submitted that that because personal and other information may be shared, appropriate safeguards should be put in place. The Information Regulator and other entities should also have a say in this aspect.

 

The Department responded by saying information sharing was an essential building block in cybersecurity. Various countries provided for information sharing to deal with cyber threats. Information sharing was to ensure that other entities are timeously warned of a threat and to enable them to mitigate the threat. Regulations must among others address topics such as restriction of information that can be distributed; purpose for which it may be used; confidentiality; transparency; and quality and integrity of data that was distributed. In most instances, for purposes of information sharing, it was not necessary to identify the data with a person. The main objective was to bring cyber threats to the attention of other entities that needed it to protect themselves or their clients. The drafting of regulations will entail a process consultation in order to obtain the views of various persons and entities that have an interest in the subject matter.

The Chairperson asked for clarification on information that can be shared.

Mr Sarel Robertse, State Law Adiser, DoJ&CD, responded and said information sharing was necessary, but the right to privacy needed to be protected. Information that was sent from one structure to another was usually stripped from all personal information so that the receiving structure was only informed of the cyber threat and that information cannot be identified through a specific person. Regulations aimed to protect the privacy of the persons whose information was being divulged to the structures to take note of cyber threats.

The Chairperson asked if the fact that the information should not be harmful was made clear in the Bill.

Mr Robertse replied that there was no specific stipulation in clause 56 that the information that was being shared should not be harmful, but POPIA regulated information sharing through its own principles. Regulations must comply with POPIA.

Submissions were also made by Freedom of Religion, the South African Banking Risk Information Centre (SABRIC), and the Tourism Business Council of South Africa (TBCSA).

On Chapter 11 that dealt with critical information infrastructure protection, Mr Mangena said the Banking Association of South Africa (BASA) was of the view that the financial sector regulators and SARB should take the provisions of clauses 57 and 58 in this Bill into account when applying section 76 of the FSRA to ensure that consistency was maintained between the provisions of the Bill and the FSRA. Furthermore, there should be consistency between the standards to be issued in terms of section 108(i) of the FSRA and clauses 57 and 58 of the Bill.

The Department responded that clause 57(3)(h) and (5)(f) of the Bill provided for an extensive consultation process in the declaration of critical information infrastructure where a financial institution was involved. The imposition of measures to deal with the protection of critical infrastructures in terms of a direction in terms of clause 57(4) must take place in consultation with the financial sector regulators. These measures will ensure that sections 76 and 108(i) of the FSRA and the provisions of this chapter of the Bill are aligned.

The Open Democracy Advice Centre (ODAC) said this chapter should be considered as a National Key Points Act for electronic communications systems. The National Key Points Act was a controversial law that was currently being revised. The chapter will also apply to government in the national, provincial and local sphere and it was argued that the Minimum Information Security Standards (MISS) should be adequate to deal with aspects provided for in this chapter. The fact that the MISS was not updated since 1996 was criticised. The cost implications for compliance are further discussed and it was proposed that this chapter should be deferred.

It was correct that the Bill, similar to the National Key Points Act and the Critical Infrastructure Bill that has been introduced in Parliament, aimed to protect critical interests of the Republic. The National Key Points Act and the Critical Infrastructure Bill dealt with physical structures whilst chapter 11 of the Bill dealt with information infrastructures and data. The objectives of the MISS are to protect classified information in the national interest in both the public and private sphere. The MISS did not deal with the protection of data against vulnerabilities, the management of cybersecurity incidents, data contingency and recovery measures that needed to be implemented, and physical or technical security measures that are needed to protect information infrastructures, which are dealt with in Chapter 11 of the Bill. The MISS was therefore inadequate to deal with this aspect. The implementation of these measures may have cost implications which are in terms of the Bill placed on the owners of such information infrastructures. The measures are intended to offer a measure of protection against cybercrime and to protect essential information systems.

IM Consultancy and Liquid Telecom submitted that if a critical infrastructure did not comply with the directives, the Minister of State Security must take the required steps and recover costs from the person. It was unclear why the costs go directly to the Minister and not a fund as was previously proposed. It was further remarked that if the State wanted to secure a critical information infrastructure in private hands, the State must contribute to such costs since these measures may have severe financial implications for information infrastructures.

 

The Department responded the Minister will incur the costs for implementing the steps which the person failed to implement, in other words funds that were allocated to the budget of the SSA are used to pay for such costs, and the Minister should have the powers to recover such costs. In addition, similar to the declaration of Key Points, the argument was that certain activities must be protected for the good of the State as well as its inhabitants. Businesses have flourished under the protection of the State and from contributions of the citizens which made their activities profitable and they therefore have a social obligation to ensure that in the interest of society that their services are protected. The Bill also afforded additional protection to these structures that are declared critical information infrastructures by providing for elevated sentences that may be imposed if cybercrimes are committed against these information infrastructures.  An amendment wass also effected to the Disaster Management Act that entitled these critical information infrastructures to disaster funds in case of damage and disruption of their essential functions, which was the flipside of the social contract that the State had obligations to protect. Critical information infrastructure was sufficiently identified in relation to the consequences that may result if the infrastructure was damaged or interfered with (clause 57(2)).

The Western Cape was of the view that clause 57(3)(b) provided that the Cabinet Member responsible for State Security must consult with a Premier before an information infrastructure that related to or was incidental to a functional area listed in Schedule 4 or 5 of the Constitution or assigned to the province by legislation, was declared a critical information infrastructure. It was proposed that in light of the impact on and the constitutional mandate of provinces in the listed matters, the consultation requirement should require the concurrence of the Premier.  In addition, clause 57(11) authorised the Cabinet Member responsible for State Security to implement measures which the person in control of a critical information infrastructure failed to implement. Where a province was involved, section 100 of the Constitution will be applicable. This dealt with national intervention in provincial administration where a province did not fulfil an executive obligation. It was proposed that the clause should be amended to specifically include a reference to section 100 of the Constitution.

The Department agreed in terms of concurrence with the Premier, but to the extent that the critical information infrastructure falls within the ambit of clause 57(3)(b) of the Bill. An amendment was proposed to that effect.

Ms C Pilane-Majake (ANC) asked what normally happened in relation to other areas of work.

Mr Robertse replied that currently Schedule 4 and 5 per the Constitution amongst others, made certain areas of control under concurrent jurisdiction of national and provincial departments, but there are certain other areas where a province had exclusive jurisdiction. If the Constitution prescribed jurisdiction to the province only, it was completely within the province’s constitutional empowerment. In terms of concurrent jurisdiction, chapter 3 of the Constitution regulated how a decision needed to be implemented.  

Mr S Ncwabe (NFP) wanted clarity whether concurrency was required when the SSA might have certain critical operations in a province. He wanted to know if the Premier did not comply, would it not be frustrating the job that needed to be done.

Mr Robertse replied that the Constitution was quite clear that when something fell under provincial mandate, the province was a government on its own. The aim was mainly to deal with aspects under the National Executive as far as it related to information infrastructure. The Bill provided for the fact that certain infrastructure that belonged to a province can be declared critical information infrastructure. Currently that clause provided that the Premier must be consulted for such a declaration and the submission basically asked to ensure that such concurrency was obtained. It might to an extent frustrate the protection of critical information infrastructure, but the Constitution was quite clear.

The Chairperson asked if the actual provinces needed to be made clear in the Bill since all legislation was overridden by the Constitution.

Mr Robertse replied that it was probably not necessary to identify each province in the Bill.

In further response to Western Cape’s submission the Department noted the concern. Infrastructure that was to be declared a critical information infrastructure was defined in clause 57(12)(d) and meant “any data, computer program, computer data storage medium, computer system or any part thereof or any building, structure, facility, system or equipment associated therewith or part or portion thereof or incidental thereto”, which will include a “data base and data housed thereon”.

Submissions were also made by Zoelpha Carr, STRATE, CBA, SABRIC, the Information Regulator and Media Monitoring. 

Internet Solutions submitted that there was no definition of critical information infrastructure and this gave the Minister of State Security a wide discretion to declare any information infrastructure as a critical information infrastructure. Critical information infrastructure should only be such structures that are absolutely essential for the State to function.

The Department said clause 57(2) read with clause 57(12)(d), sufficiently and narrowly define “critical information infrastructure” to limit the discretion of the Cabinet Member responsible for State Security to declare critical information infrastructures. These infrastructures cannot be restricted to those that are necessary for the State to function, since the primary objective was to secure information infrastructures that are essential to the Republic as a whole.

Ms R Mothapo (ANC) asked that the phrase “narrowly defines critical information infrastructure” be clarified.

Adv Mangena said it confined the official to focus on the obligation that needed to be addressed. If it was left open, it would be a very broad mandate.

Ms Christine Silkstone, Content Advisor, Portfolio Committee on Justice and Correctional Services, said the Critical Information Protection Bill created a Critical Infrastructure Council and she asked to what extent would there be duplication and overlap.

In response to Ms Mothapo, Mr Robertse said if the State Security Minister was going to declare a critical information infrastructure, he would be bound by the definition in 57(2) that limited his discretion in declaring a critical information infrastructure. If a company or entity did not agree with their declaration as a critical information infrastructure, there was an appeal process that can be utilised. If there was no consensus after this process, it will go to formal arbitration and an arbiter will then make a ruling.

In response to Ms Silkstone, Mr Robertse replied that the Critical Infrastructure Bill that has been introduced in Parliament only dealt with physical infrastructure while the Critical Information Infrastructure Bill dealt with information communication and technology. There was a clause in the Critical Infrastructure Bill that stated that if a critical infrastructure has been identified and the Minister of Police was of the opinion that it should be dealt with in terms of the Cybercrimes and Cybersecurity Bill, he should bring it to the attention of the State Security Minister.

Among their many submissions, IM Consultancy also submitted that the categorisation of critical information infrastructure as contemplated in section 57(2), should exclude critical information infrastructure holding or comprising personal information.

According to DJCD, such an argument would mean that the databases of the Department of Home Affairs (DHA) and the Deeds Office should be excluded. It did not take into account the reality of cybersecurity and the need to protect systems that process and store this essential information and the information itself. During a recent incident personal information of between 20 million and 30 million South African citizens were leaked due to alleged negligence.

Ms Mothapo wanted clarity whether the Department agreed with IM Consultancy.

Adv Mangena confirmed that the Department did not agree with the submission. Those databases needed to be jealously guarded and loss of the information could probably be due to a deliberate act. The databases contained serious and critical information that should not even be easily accessible.

Ms Mothapo asked if the information would be under POPIA.

Adv Mangena replied in the affirmative.

Ms Mothapo asked in terms of the leaked information, if POPIA was applicable.

Mr Robertse replied that currently the only legislation identified that could be applicable was chapter 9 of the Electronic Communications and Transactions Act that related to critical databases.

On clause 58, Cell C, Telkom and Vodacom submitted that the obligation that the owner or person in control of the costs of an audit of a critical information infrastructure should be reviewed.

The Department responded that King III Code brought IT management into the domain of corporate governance (see Chapter 5). This by implication entails that IT Governance need to be audited in order to ensure that IT Governance was effective in an organisation. From this perspective cost of compliance was an integral part of the day to day running of a business and costs related thereto should be borne by the company in question.

According to IM Consultancy, there is a general shortage of skills and it the State Security Agency would probably not be in a position to monitor the adequacy and effectiveness of an audit. In addition, they asked whether it was possible to monitor an audit since the result will only be known at the end of an audit.

The Department responded that clause 58(3) provided for capacity constraints in that it also provided that the Director-General: State Security may appoint any other person to monitor the effectiveness of an audit. The actions taken during an audit and the extent of an audit can be monitored.

Mr G Skosana (ANC) wanted clarity on how the actions of an audit can be monitored.

Adv Mangena replied that a person can be present during an audit and observe.

The Chairperson asked if that would not be disruptive.

Mr Robertse replied that this related specifically to the Bill where there was an obligation to ensure that certain security measures are implemented. If there was any disruption, it was a necessity, because it was an obligation that must be complied with.

IM Consultancy further referred to clause 58(12) and said this provision was problematic. It ignored the complexity and highly technical nature of processing and the skills availability within the auditing community. It also ignored the audit time and costs involved. It referred to adequacy and effectiveness of an audit, something very few people can determine. The reason someone “fails to assist or provide technical assistance and support to a person authorized to carry out an audit” could be a lack of skill or confidence to offer assistance. Tremendous damage could happen if incorrect audit test procedures are followed. No one would want to be responsible for doing or saying something they are uncertain about. Therefore, the reason someone did not answer an auditors question could be because they did not have an answer. It would not be because they did not want to cooperate.

In response, the Department said the provision merely stated that a person committed an offence if he or she “hinders, obstructs or improperly attempts to influence any member of the State Security Agency, person or entity to monitor, evaluate and report on the adequacy and effectiveness of an audit”. Like all audits, a cyber audit must comply with certain criteria in order to ensure that the audit was adequate and effective. The directive issued in terms of clause 57(4) was the objective standards which must be covered during such an audit and standards were already adopted to deal with such audits. The provision in question will only be applicable where there was failure to comply with auditing requirements.

On chapter 12 that dealt with agreements with foreign states, Cell C, Telkom and Vodacom submitted that current procedures for mutual assistance between South Africa and foreign countries in the investigation of cybercrimes did not effectively take into account the transient nature of electronic evidence and the need to act expeditiously. The resultant effect was that essential evidence was lost. Various other countries enacted legislation to provide for urgent action to preserve information and to provide expeditious assistance to identify the origin of communications involved in a cybercrime. International cooperation in matters dealing with cybercrime was supported. It was assumed that the 24/7 Point of Contact will be commissioned to provide expert guidance should evidence be required in electronic format in a manner that will ensure that such evidence should not be rejected in a court of the Foreign State on grounds of misalignment with local prescripts to preserve and ensure the integrity of such electronic evidence.

The Department noted the submission and added that the format of the evidence that was required was usually specified in the request are aimed at ensuring the integrity of the information. Clause 46(6) of the Bill gave the designated judge wide powers to regulate aspects relating to the preservation of evidence as was specified in a request for mutual assistance and appropriate measures may be introduced to ensure that the evidence collected will comply with the legal system of the requested country. The fact that a member of the National Prosecuting Authority (NPA) must assist the 24/7 Point of Contact will further ensure that regard will be had to the requirements of admissibility of evidence in a foreign state.

On chapter 13 that covered the general provisions in the Bill, Mr Robertse said the Internet Service Providers Association (ISPA) said the definition of “electronic communications service provider” to be inserted into the Sexual Offences and Related matters Amendment Act (SORMAA) was aligned with the definition proposed in the body of the Bill.

The Department agreed and proposed an amendment to that effect.

ISPA and Liquid Telecom submitted that the proposed subsection 19A(9)(c), which required an electronic communications service provider to “take all reasonable steps to prevent access to child pornography by any person” where it was aware or becomes aware that its “electronic communications system” was being used or was involved in a criminal offence involving child pornography, may need to be reconsidered in light of current investigation practices by law enforcement agencies. Current practices may include that a webpage be kept alive in order to observe communications traffic to the webpage. In order to cater for this need, they drafted an amendment.

The Department responded that this aspect was considered during the drafting of the Bill. There are two views to be considered. There are compelling arguments that the material must under certain circumstances be kept in place to facilitate police investigations. It must be pointed out that the big international successful operations against child harm material were facilitated through the fact that the material was kept in place to monitor who visited the material. On the other hand there was also the right of the victims that must be considered. Once the material was made available on the internet it was copied and redistributed at a rapid rate. Early actions to ensure that the content was blocked will ensure or guard against further harm. The SAHRC was currently busy with an investigation relating to aspects of child harm material and the research may provide guidance on this aspect. In the revision of other legislation further attention was given to access of communications technologies for the detection and investigation of crime. A mechanism to deal with this aspect can more appropriately be dealt with in that legislation.

Ms Pilane-Majake referred to chapter 10 to Freedom of Religion’s submission that regulations in terms of clause 56 may be used to withhold information from the public and civil societies.

Mr Robertse replied that there was a clause that stated the Minister of Justice and Constitutional Development must make regulations to share information regarding cyber vulnerabilities. Information sharing would ensure that information that may infringe on privacy may not be distributed. Their concern was restrictions imposed on those regulations will strip shared information of identifiable properties which they feel might be a way of withholding information.

Mr K Mpumlwana (ANC) referred to his query from the previous day.

Mr Robertse replied that ordinary cybercrime can be reported irrespective of the amount involved. The reporting clause was ensuring that service providers and financial institutions had an obligation to report certain crimes to the police for statistical purposes and also an obligation on these companies to retain certain information to assist in the investigation. The current amount will probably be R50 000 for a reportable crime. The police will probably overrun with the reporting of each and every crime and in terms of low amounts, the Cyber Hub had a reporting facility that could also serve as an advice centre on how to deal with cyber crime and how to secure against cyber attacks.

Mr Mpumlwana said he feared an Act that seemed biased towards the rich while lower income people are more at risk. 

Mr Robertse explained that in terms of clause 54 of the Bill, the Cyber hub must be established with the Department of Telecommunications and Postal Services. The Cyber hub will function as a connection between government and the private sector, as well as to ensure that cyber irregularities are brought to the attention of the general public. A specific obligation can be included that each and every person that was a victim of a cybercrime, should report it to the Cyber Hub for statistical purposes. 

Chairperson commended the Department. and said the Committee will allow the Department to go back and effect the necessary changes. The Bill will be dealt with clause-by-clause early next year.

Committee Reports: Public Protector Removal

The Chairperson said the Committee would consider the report on the request that the National Assembly institute proceedings to have the Pubic Protector removed in terms of section 194 of the Constitution. He asked if Members needed time to go through the report.

Mr W Horn (DA) said the report was very short and it did not deal with the Committee’s deliberations and decisions on 10 October. It was the day the Committee first dealt with the matter and there had been discussions on whether an ad hoc committee or the Portfolio Committee would be the proper forum to deal with the request.

The Chairperson said that matter was settled.

Mr Horn said he understood, but it was part of the manner in which the Committee dealt with the request. It would be an incomplete report if it did not include the deliberations and decisions taken on 10 October as well.

The Chairperson said the report before the Committee detailed what has happened, as well as the recommendations by the Committee. He asked what else Mr Horne wanted.  

Ms Mothapo asked if what Mr Horne was referring to was not covered on page 2, item 3.

Mr Horne said he did read that section and in the spirit of the Committee he will not say that there was now selective amnesia in the Committee, but he really wanted to say that. On 10 October there was a view from the Chairperson that this Committee might not have the capacity in terms of time to deal with this matter. Ultimately some Members went out to caucus and voted on the decision whether this Committee or an ad hoc committee should deal with the request. None of that was encapsulated in this report.

Mr M Maila (ANC) said he understood what Mr Horne was saying, but the report dealt with the decision and the decision was that this Committee would deal with the matter. This was a report on how the Committee dealt with the matter and it was sufficient.

The Chairperson said when an issue was before the Committee it was debated with various views, but at the end the decision of the Committee was what mattered and not what individuals had to say. The report was on the outcome of deliberations, unless Mr Horne wanted a transcript of the deliberations.

Mr Horne said that the Committee did not need to regurgitate that the Chairperson at the time held a dissenting view from the rest of his party. It will not be a report if what transpired on 10 October was not recorded.

The Chairperson said every Member can express themselves on issues before the Committee, but the position of the majority was the position of the Committee. The Committee has taken a decision after full deliberations and this report duly reflected on that.

Ms Mothapo referred to paragraph 1 and said the year should be inserted.

The Committee agreed.

Ms Pilane-Majake pointed out some grammatical errors.

Ms Mothapo referred to paragraph 4 and she asked if it was proper for the Committee to give the dissenting view as it was done in judgment. Deliberations were done as the Committee and she asked if the majority of Members in the Committee decided on a certain route, if it was proper to indicate which party did not agree.

The Chairperson said the rules did not prohibit that.

Mr Horne said by not reporting where minority parties held a strong opposing view would not be proper reporting to the National Assembly.

The Chairperson said it was not correct to use the words “follow a rational process”, because when you disagreed it did not mean that other people are acting irrationally.

Mr Horne said in this instance the rational process was part of the argument that another step or two has to be taken before the Committee can decide whether there was a case to be answered.

The Chairperson said the process was either a due process or an undue process. Rational processes meant something else and ‘rational’ was not the right word to use, because a due process was followed.

Mr  Mpumlwana suggested it should be changed to ‘these parties did not agree with the decision of the majority’.

Ms Mothapo said this was not the first report the Committee dealt with and some parties did not agree on certain reports and it has never been stated. She wanted to know what made this report special to state those specifics, because in most cases the DA always reserved its judgment and that has never been stated.  It was setting a bad precedent.

The Chairperson agreed and said if there were 100 parties with opposing views it would not have been captured, because the parties still had the right to express their views in the House.

Mr Maila agreed with Ms Mothapo to just record the decision of the Committee.

Mr Horne said the Committee can sanitise the report, but everyone knew the travesty that happened on the day and it should be debated in the House.

The Committee agreed that the paragraph should be removed.

The Chairperson said the recommendation of the Committee read ‘having considered the request for the National Assembly to institute removal proceedings against the Public Protector in terms of section 194 of the Constitution, the Committee resolved that there was no basis for Parliament to institute removal proceedings against the Public Protector.

The report was adopted with amendments with six Members in favour and one against.

Committee Reports: Inquiry into the Deputy Public Protector

The Chairperson said the Committee would consider the report on the request that the National Assembly institute an inquiry into alleged misconduct by the Deputy Public Protector dated 15 November 2017.

Ms Mothapo referred to paragraph 3 and said it would be proper to mention which legislation.

The Committee agreed.

Mr Horne also referred to paragraph 3 where it stated that the “letter indicated that an internal investigation into the matter is at an advanced stage”. He understood the letter by the Public Protector to mean that the investigation into the complaint was at an advanced stage. The perception on the part of the complainant that the investigation was stopped was incorrect and “internal” should be removed.

The Committee agreed.

Mr L Mpumlwana asked for clarity on what was being investigated.

Mr Maila said this was clarified in item 2. The allegation was that the Deputy Public Protector unlawfully terminated an investigation.

Ms Mothapo asked what was in the letter.

The Committee Secretary confirmed that the letter stated that the “investigation into this matter was at an advanced stage”.

Ms Pilane-Majake said the letter was a response to the Speaker and the wording in the Committee report needed to be redrafted so that it was understood that this investigation that was alleged to have been stopped was in fact ongoing. She asked that item 4 be removed, because it was confusing.

The Chairperson said the recommendation of the Committee read “the Committee resolved that there was no basis for the National Assembly to conduct an inquiry into alleged misconduct by the Deputy Public Protector as requested pending the outcome of the Public Protector’s investigation.

The Committee agreed that “pending the outcome of the Public Protector’s investigation” should be deleted.

The report was unanimously adopted with amendments.

Committee Reports: Executive Members’ Ethics Act review

The Chairperson said the next report was on the remedial action in the Public Protector’s 2016 State Capture Report dated 17 November 2017.

Mr Mpumlwana said the report should be consistent with what the Committee decided earlier on whether to report on every single action.

The Chairperson said this was a story that unfolded and the National Assembly needed to see the journey the Committee undertook. He referred to paragraph 8 that stated “the Committee met on 1, 8 and 15 November 2017 to continue deliberating on the remedial action”. He said 15 November should be removed. The recommendations are that “the National Assembly request the Minister of Justice and Correctional Services to investigate possible shortcomings in the legal framework regulating the conduct applicable to Executive Members, including the specific aspects of the remedial action in paragraph 8.9 of the ‘State of Capture’ report as it relates to the Executive Members’ Act of 1998, that may require legislative amendment and to introduce this to Parliament as a matter of urgency. The National Assembly refers consideration of the transversal code of conduct to the Department of Public Service and Administration (DPSA) for further investigation”.

Ms Silkstone said it should be referred to the Public Service and Administration Ministry and not DPSA.

The Committee agreed.

The report was adopted with amendments and Mr Horne indicated that the DA reserved its position.

Removal of Magistrates

The Chairperson said there was a recommendation from the Minister, through the Magistrates’ Commission, for the removal of three Magistrates, Stuurman, Hole and Gqiba. The Committee in principle agreed with the recommendation, but some information had not come to hand. That information was subsequently made available and when considered, the Committee then had to take a final decision. As matters stood now, the Committee can only deal with Stuurman and Hole. He asked if there was a proposal for the removal of Stuurman and Hole.

Mr Maila proposed for the removal and it was seconded by Mr Horne.

The Committee voted in favour of the removal of Magistrates Stuurman and Hole.

The Chairperson said there was a letter relating to Magistrate Valerie Gqiba and while the Committee had agreed in principle for her removal as with the others, in the mean time a Notice of Motion had been received. Legal advice said the papers were not properly served on Parliament and the Committee cannot hold a client responsible for the negligence of her lawyers. It will be fair if the Committee keep the matter in abeyance until the process has been completed.

Mr Maila said the Committee should continue with its work and he suggested the Committee sought a legal opinion.

Mr Horne said if there was no interdict in place against the Committee’s previous resolutions to withhold remuneration and to suspend, he agreed with Mr Maila to get a legal opinion.

Ms Mothapo agreed and said the Committee should then move on the legal advice as soon as possible.

The Chairperson said the Committee will seek the legal opinion and take action from there.

The meeting was adjourned. 

Share this page: