Cybercrimes and Cybersecurity Bill: deliberations

Meeting report

Report on Meeting

The Chairperson welcomed everyone. He commented that Kenya, another member of the African Union, had very recently passed a Cyber-crimes Act very similar to the South African Bill. Members had had sufficient time to go through the Bill. He noted that previous meetings to discuss the proposed law had been very difficult to understand as the Bill had been full of technicalities. He was sure that it would not be that difficult today. He asked Committee Members whether he should allow the Department to present or whether simply go through page-by-page and raise issues.

Mr W Horn (DA) recalled that at the previous meeting, the Committee had been in the process of hearing the presentation from the Department and should continue with that process. The Committee had been given a version of the Bill which contained additions and amendments and yet the discussion on the Departmental response to the submissions had not been completed. He was concerned that there had not yet been meetings with the related Departments and the Police Portfolio Committee and Telecommunications and Postal Services Portfolio Committee as it was even more relevant to those Committees than to the Justice Committee. He would be highly uncomfortable if the Committee suddenly skipped to dealing with proposed amendments.

The Chairperson informed the Committee that he had met with former Minister David Mahlobo on the aeroplane from Johannesburg to Cape Town who had reassured him about various aspects of the Bill. Had the Committee asked Mr Mahlobo, he would have been happy to clarify various issues as he had been involved in the conceptualisation of the Bill.

The Chairperson wondered if the Department of Justice and Constitutional Development (DoJ&CD) had met with its sister departments as the Committee did not have to be involved in consultation between departments.

Mr Sarel Robbertse, State Law Advisor, DoJ&CD, stated that after the Cyber Response Committee (CRC), the State Security Agency and the National Prosecuting Authority had addressed the Committee, there had been several engagements with different departments. Certain aspects that had been raised by departments had been addressed and he would refer to many of those in his presentation.  He and his colleagues had met with other departments and consulted extensively with them. All departments were involved in the drafting of the Bill. Drafting emanated from Cyber Response Committee which was a Committee put together by government to deal with cyber response in South Africa. The Bill was discussed in that Committee and inputs were obtained from all departments represented on the CRC. Some of the loose ends in the Bill had emanated from that Committee but all those loose ends had been addressed.

He noted that most other African countries had or were introducing cybercrime Bills. All had followed international best practices. The South African Bill had followed the same route. In public comment phase, certain inputs had looked at specific clauses and other inputs were proposed different ways of addressing how to operationalise the processes. A team of experts, including Ms Alison Tilley of Open Democracy who was an observer at the current meeting, had looked at the Bill. Although Ms Tilley did not agree with all aspects, the working group had felt that the Bill could address the current lacuna in South African legislation. A group of lower court judicial officers had also made a substantial input.

The Chairperson informed the Committee that he had been in discussion with the Minister and the Deputy Minister and he could confirm that those processes mentioned by Mr Robbertse had taken place and the Committee was in a better position to proceed without a joint meeting with sister departments, unless Members wanted to duplicate efforts.

Mr Horn declared that the point had been missed. He had never said that there were not multiple inputs from departments during the drafting process. The argument at the previous meeting had been that the Portfolio Committees of Police and Telecommunications and Postal Services had an interest, and quite possibly a duty to be involved, in the Bill because even though the Minister of Justice had introduced it, it was not purely a Justice Bill. To say Members had to be at ease because the departments were heavily involved in the drafting was negating the enrichment that could be brought to the process by fellow legislators serving on those Portfolio Committees.

The Chairperson suggested that there was a middle way: the Committee could go through the responses and then, in phase 2, consider sitting with other Committees. Members could not sit with other Committees before they themselves had dealt with the responses. That might be a way of running away from their responsibilities. He heard Mr Horn’s point.

Ms G Breytenbach (DA) stated that the Members could read the responses. It was not necessary to have the Department read them to the Committee. The Committee had taken a decision to work with other Portfolio Committees. On what basis were they deviating from that decision?

The Chairperson explained that the Committee was completing a process that had been started. Then the Committee could take a decision as to whether it was necessary to meet with the other committees, depending on the programme of Parliament and the programme of other committees.  He was just indicating that it was difficult to fit things in when Parliament would soon be in recess.

Ms Breytenbach asked whether the programme of Parliament was the problem. As far as she was concerned, the Committee had already made a decision to meet with the other Portfolio Committees.

Ms M Mothapo (ANC) proposed that the Committee hear the responses from the Department, ask clarity-seeking questions and then later meet with other Committees, as proposed.

The Chairperson said that the Members did not disagree but that the Committee was in the process of taking responses.

Mr Horn requested clarity. He had a document dated 26 February where he had marked that the Committee had got to page 37. There was now a document on his table dated both 26 February 2018 and 22 May 2018/ Final. He needed clarity as to why the Committee was not finishing the original document.

The Chairperson stated that it was a fair question. He noted that Mr Horn was following processes meticulously. He asked the Department to make a presentation on the Bill, starting with an explanation of the change in document.

Mr Robbertse replied that nothing had changed from the previous document but after the previous meeting with the Committee, he and his team had met with other departments but most of their input was still to be discussed by the Committee. The new comments were in clauses that he would be presenting. He was using a computer using a new operating system so the format of the document had changed.

The Chairperson told Mr Robbertse that where there were several options, he was to present only the preferred option. The Committee did not want to hear all the proposals.

Presentation on Amendments to the Cybercrimes and Cybersecurity Bill by the Department of Justice and Constitutional Development

Mr Robbertse began going through the Amended Bill according to changes proposed, pointing out that the page numbers on his screen and in the printed document might differ by a page or two.

Chapter 2: Unlawful securing of access

Picking up from where he had left off at the previous meeting, Mr Robbertse began with clause 14 of the Bill. It was proposed that the heading ‘Penalties’ be changed to ‘Sentencing’ as clause 14 did not only describe penalties but it also described circumstances to be taken into account when a person was sentenced.

It was proposed to add ‘theft’ in clause 14(5) as theft had to be considered as an aggravating circumstance since the Bill did not create an offence of cybertheft per se. The Department approved the proposed amendment to sub-clause 5.

In clause 14(7), a proposed addition dealt with an obligatory order of the court and an order that could be made by the court so that a person could be reimbursed if that person had suffered a loss. The victim would have to ask the prosecutor that he be reimbursed for losses suffered. Mr Robbertse had included, in footnote 48, other Acts that allowed for reimbursement of losses suffered. Public comments had been received asking that the bill allow for damages suffered to be paid back. The Department did not think that it was necessary to insert that point as Section 300 of the Criminal Procedure Act (CPA) dealt with that aspect, but the proposal could be considered.

Clause 15 set out competent verdicts that a court might impose if a person was charged with an offence. A cosmetic change had been affected to the clause as a whole to clarify that if a person were to be convicted of an offence not mentioned in the clause, the competent verdict would still apply. For example, a charge of attempted incitement would mean that a competent verdict would follow. It simply clarified the clause.

A contravention of clause 4(2) had been used to criminalise the use of listed equipment, but it had been decided not to criminalise that under clause 4, so clause 4(1) had been omitted and clause 4(2) became 4(1). That change meant that references to clause 4(2) in clause 15 had been changed.

In clause 15(5) certain further amendments had been added to clarify the clause. The clause had simply referred to software or hardware tools, but the amendment explained what type of software or hardware tools were being referred: “the use of a software or hardware tool to acquire or use a password, access code or similar data or devices”.

Clause 15(6) also related to passwords. Clause 15(5)(b)(iii) was omitted and 15(5)(c) was added which stated that ‘a contravention of section 7(1) or (2), in so far as the password, access code or similar data or device was acquired, possessed, provided to another person or used for purposes of contravening the provisions of section 8’. 15(5)(c) had been included as an offence because borrowed passwords were frequently used to commit cybercrime. Section 8 dealt with fraud, while 7(1) referred to passwords and 7(2) referred to the person in possession of a password who was unable to give a satisfactory account for being in possession of that password.

Clause 15(8) specified the contraventions and provided further clarification and defined the offences. The same change had been made to 15(9). According to the Department, it was not necessary to refer to clauses 3(1), 5(1), 6(1) or 7(1) as contemplated in clause 11(1) as that clause already referred to those sections.

In clause 15(9) certain prescriptions had been removed as they were already contained in clause 11(2).

The Department had added sub-clause 10, which had been an omission. There was a similar clause in the Criminal Procedure Act that provided that if a person were charged with an offence and there was no proof of the offence, but there was proof of elements of that offence, the person could be convicted of that offence.

Therefore, 15(10) had been added to the competent verdict clause. A person had to be informed beforehand that he could be convicted on the competent verdict clause but if he had not been warned, it was an irregularity, so the new clause ensured he could be convicted on a similar charge.

Chapter 3: Malicious Communications

Most comments received, and some criticism, had been about chapter 3. However, Mr Robbertse would be concentrating only on the messages.

A definition clause was proposed to clarify certain terminology that was used in respect of the offences.

In clause 16, which dealt with inciting damage to property, there was a proposal to add “and intentionally’. The clause had referred to a group of persons, but the word “identifiable” was added because an identifiable group of persons consisted of people who could be identified according to association, nationality, status, religion etc. The public had been concerned that the term “group of persons” was too wide.

Clause 17 dealt with a data message that was harmful. No amendments were proposed but additional options were proposed. It was mainly a redraft of the current clause 17 but it also unpacked the conduct as far as it related to threats made against the group of identifiable persons.

It was proposed that the word “encourages” in clause 17(2)(c) be replaced by the word “coerces” as it implied that a stronger action was required. It was also recommended that the word “harm” in clause 17(2)(c)(i) be replaced by “commit an act of violence against” (himself or another person).

The definitions clause at the commencement of chapter 3 defined violence as “bodily injury or unwanted conduct of a sexual nature or which intimidates or humiliates.”

Ms Mothapo asked a question about the definition of violence. Why were the words “conduct that is likely to cause” deleted from the Bill?

Mr Robbertse explained that it had to be read in context of the prescription which read: “threatens a person with violence” so violence could be defined as “bodily injury” or “conduct that is likely to cause bodily injury”. The change had been suggested in submissions. Either definition would be acceptable and so, he had not deleted it, but struck it through so that the Committee could determine which of the definitions it thought most appropriate. He personally would prefer “conduct that is likely to cause bodily injury”.

During public commentary, there had been lots of criticism of clause 17, the fake news clause. The Department had redrafted the clause to build in lots of belts and braces to ensure that that clause could not be unfairly used to prosecute a person. Public commentary had also suggested that the clause was very vague. The proposed new offence in clause 17 still criminalised the distribution or making available a false data message but in 17(2), the Department had defined a false data message. The first option provided in the document was similar to the original clause, but the Department had also offered an optional definition which included reference to artistic expression. The false data message would be subject to a contextual test as one had to consider whole message.

Clause 17(3)(a) indicated that the prosecution was subject to authorisation by the Director of Public Prosecutions. 17(3)(b) stated that even if the Director did not give consent, the victim could still apply for a protection order against harassment as set out in clause 19 of the Bill. Alternatively, the victim could apply for relief under Protection from Harassment Act, 2011.

Clause 18, which dealt with the distribution of a data message of intimate image without consent, had evoked a lot of public comment. The clause had to deal with new developments internationally and could not only criminalise nude images but should also criminalise other types of creep shots such as up-skirt images and down-blouse images, etc. The redraft did give effect to that imperative, but there were also other comments that had been made. Firstly, during the public comment process, the Department had been requested to change the wording regarding the person that distributed the data message. In the original draft that person was guilty of an offence, but it required that the person knew that consent had not been given. That had been changed to state that anyone distributing a message or image “without the permission of the person is guilty of an offence” 18(1). The other option was to write the clause as follows: “distributes, by means of a computer system, a data message of an intimate image of an identifiable person knowing that without the permission of the person depicted in the image did not give his or her consent to the making available, broadcasting or distribution of the data message, is guilty of an offence.” Mr Robbertse found it a little difficult to explain the exact wording and the nuances of the proposed changes to the Committee.

In clause 18(2)(aa) and (bb), the definition of an intimate image had been amended as discussed previously. There had been an amendment of the privacy expectation from “under circumstances that give rise to a reasonable expectation of privacy” to “in respect of which the person so depicted retains a reasonable expectation of privacy at the time the data message was made”. Public comment had raised the issue that sometimes a person could not ipso facto be identified but he could be identified from other information in the message. The proposed definition gave effect to those comments. Mr Robbertse pointed out that there was a definition of a person in clause 1 and he would have to check that the two definitions were not in conflict.

 Ms Breytenbach referred to clause 18(2)(a)(i)bb) “displayed in an unduly manner”, noting that ‘unduly’ was incorrectly used in that clause and therefore did not make sense. She recommended that the word be removed from the clause.

Mr Robbertse pointed out a second proposal to deal with intimate images. The option was to a large extent, similar to the first option discussed. There had been an attempt to clarify the reference to perpetrator and victim similar to the way it had been done in the Sexual Offences Act. A new type of offence was proposed and that was where the perpetrator threatened the family of the victim that intimate images would be distributed as contemplated in the Bill. That was an option that could be included. Harmful disclosure of pornography was included in the schedule in a way similar to 18(2). The Department would prefer the first option, with the omission of the word ‘unduly’. The second option was given as it expanded on the current prescription.

The rest of the chapter had evoked no real criticism against the procedural parts of the chapter during public commentary. There had been a concern regarding penalties in the Bill, but the Department believed that there was no need to change the penalties as they were adequate for the offence (Clause 22).

In order to protect complainants pending finalisation of criminal proceedings, clause 19 dealt with a complainant who applied for a protection order. To get to the real person, a complainant would have to apply for a number of protection orders at a cost of over R200 per order. Clause 19 aimed to ensure that if a person were convicted, the victim had to be reimbursed by the perpetrator. The perpetrator also had to compensate the service provider to remove the malicious communication because it sometimes involved substantial actions by the service provider.

Chapter 4: Jurisdiction

Chapter 4 dealt mainly with jurisdiction. The expanded jurisdiction was to deal with the international nature of cybercrime. The clause had been supported by the public but the South African Police Service (SAPS) had wanted amendments.

Clause 23(3)(a) contained the first amendment. The request was for the inclusion of a reference to a financial institution and to a critical information infrastructure and that had been included in clause 23(3)(a). SAPS also submitted a request for a clause stating that the National Director had to issue prescripts to instruct the police as to how an investigation should be conducted if it originated outside of the borders of the country. Their concern was that SAPS worked in regions but there was no region outside of the country. It had been included as clause 23(6) to accommodate SAPS, although the Department felt it was not a necessary sub-clause.

Ms Breytenbach asked how the National Director of Public Prosecutions was going to issue a prescript to the police. In terms of what legislation?

Mr Robbertse replied that under the International Criminal Courts Act there was a clause that dealt with prescripts concerning cybercrime that originated outside the boundaries of South Africa and affected, for example, an institution in the country. It would be difficult to investigate. The National Director of Prosecutions would give a prescript for that particular crime, i.e. how to investigate, which units to use, etc. The prescript would give direction to the police.

Ms Breytenbach suggested that the National Commissioner of Police could consult the National Director of Prosecutions, but the Police Commissioner had to issue the instructions. She was deeply uncomfortable with the National Director of Prosecutions giving instructions to the police. It was an anathema in the way that criminal law was practised.

Mr Robbertse stated that the Department agreed with her and the sub-clause would be reworked for the National Police Commissioner to issue the directive after consultation with National Director of Public Prosecutions.

Chapter 5: Powers to Investigate, Search and Access or Seize

The chapter dealing with the powers to investigate, search and access or seize was supported, in general, by the public comments. There were concerns about the right to privacy, but most people accepted that the Criminal Procedure Act was unsuitable for dealing with cybercrime. Some people saw it as a replication of RICA, but it was definitely not. One point made by SAPS was that the details of the Standard Operating Procedures (clause24(1)) should not be made public.

In reference to clause 24(1), “The Cabinet member responsible for policing, in consultation with the National Director of Public Prosecutions and the Cabinet member responsible for the administration of justice, must, after following a process of public consultation, within six months of the commencement of this Chapter, issue Standard Operating Procedures...”, Ms Breytenbach asked why the Commissioner of Police was not involved.

Mr Robbertse said that the National Commissioner could not be given the powers to enact subordinate legislation, only the Minister of Police, who had political oversight of the police, could enact the legislation. He was ipso facto the Head of the Department.

Ms Breytenbach could not see why the National Director of Prosecuting Authority was consulted but not the Commissioner of Police when it was police business.

Mr Robbertse stated that the Commissioner was ipso facto involved but he would add the Commissioner in clause 24(1) as Ms Breytenbach insisted. He asked if he should involve the DG of the Department of Justice and Constitutional Development, but they were not considered essential.

After further discussion between Ms Breytenbach and Mr Robbertse, the Chairperson asked what the Kenyan legislation stated. Ultimately, it was decided to include the Police Commissioner

Clause 27 related to the article to be searched for, accessed or seized or under search warrant. The Department proposed an amendment to clause 27(1) to link it to the core content of clause 38(1) and (2). That clause referred to real-time communication-related interception which RICA did not allow.

Mr Horn had a question on Footnote 74 which noted that the National Prosecuting Authority (NPA) had requested authority to deal with remote searches. For that to happen, the Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 (RICA) needed an amendment. Parliament was not agile in amending Bills, so would it not cause a problem?

Mr Robbertse said that a remote access tool was the equivalent of a hacker where the state would use certain software on a device to access and retain information. It had international implications. He would be hesitant to include it in a Bill that dealt mainly with stored data. RICA was currently being addressed and that aspect was addressed in the amendments to RICA. It might help to investigate cybercrime. Some countries included remote tools in Cyber Bills, but extreme security measures were needed which made it preferable to have such legislation under the strict control of RICA. Members should also remember that the Bill had been subject to severe criticism, so it was best to leave remote access tools to the amendments to RICA.

The Chairperson informed Mr Horn that the Department was aware of the concerns by the NPA and was explaining how that request should be dealt with it.

Mr Horn was not convinced as he believed that the police would be severely hamstrung if they could only access data that could be physically accessed.

Mr Robbertse did not believe that the police were tied down. The police could conduct a remote search, such as accessing information stored in a Dropbox outside of the computer, but remote access was like surveillance. There was a huge potential for abuse. Even in other countries, interception legislation was not in their cybercrime legislation.

The Chairperson noted that there were international comparisons to guide the Department.

Mr Horn had a further question. If a person used one computer to access another, was that not a remote tool?

Mr Robbertse stated that was a “connected tool.”  Remote access tools were different. Remote access was simply cybercrime approved by the state.

The Chairperson believed that the explanation was adequate and asked Mr Robbertse to proceed.

Clause 30 dealt with Search for, access to, or seizure of article involved in the commission of an offence without a search warrant.

The Department was opposed to excising the oral application for a search warrant in clause 30(2)(b) even though SAPS had asked for it to be removed.

Clause 31 referred to the Criminal Procedure Act according to which police may arrest and search a person but cannot seize articles. It was a safeguard in the Act that a cellular device or laptop computer or such device could not be accessed unless there was an application for a warrant. However, there was also a provision for exigent circumstances, in that under certain exceptional circumstances, a device could be seized without a warrant being issued. The Police were opposed to oral applications for warrants and preferred the RICA application process, although that process had not been very successful. The Department recommended that the oral applications were necessary and should stay. Prescripts had to be issued by the Chief Justice as to how oral applications should be dealt with.

econdly, the police wanted to work as per the Criminal Procedure Act. Articles could only be seized if they provided evidence of a crime. Items not involved in a crime had to be put in custody, but police said that Section 23(1) gave them the powers to access any device such as a cell phone if there was a suspicion that it fell within the scope of CPA, i.e. was an article. The Department was opposed to allowing the police to access a device. An extensive footnote, running several pages, provided information on the procedure and international best practice. The Department recommended that the clause remained unchanged because a dual burden of proof was required.

Ms Breytenbach asked whether it was any police official that could access the device. If the local constable accessed a computer because he had the right to do so, he might destroy evidence. Was there a way of dealing with that?

Mr Robbertse said that the Standard Operating Procedure would go a long way towards addressing such a situation. The police could appoint an investigator to assist him with evidence.

Clause 32 addressed requirements for assisting a member of a law enforcement agency or investigator. An electronic communication provider had to assist police in investigating cybercrime. Providers had insisted on the addition of the word “reasonable” in clause32(1)(b) to manage the assistance that they might be required to render. The Department had no problem with that amendment.

Mr Robbertse told the Chairperson that he would not discuss the minor changes that had no substantive impact.

Clause 37 addressed the prohibition on disclosure of information. The amendment to clause 37(1)(d) emanated from discussions between departments. Some departments wanted to add “competent authorities” in that clause. Generally, the clause prohibited any release of information relating to an investigation into cybercrime. The reason was that in a case of cybercrime, a criminal could remotely wipe all evidence from his devices so there was a general prohibition of disclosure of such investigations, but certain clauses did allow sharing of information. The Department agreed with the insertion of competent authorities. Because there was a general obligation to monitor cybercrime, disclosure internationally was also important.

A definition of ‘competent authority’ was included.

Clause 38 (1) and (2) referred to content data that could only be intercepted in terms of RICA and one could not deviate from that.

Ms Mothapo asked about clause 38 and RICA. There did not seem to be much difference between clause 38 and RICA. Was she correct?

Mr Robbertse explained that the Bill dealt mostly with seizure. RICA talked about real time communication information between people. Such access was prohibited as an ongoing basis. The Bill could also not access archived data. RICA managed all archived information. The Bill catered for data on the computer and did not cater for interception.

Clause 39 related to the expedited preservation of data direction. Some service providers were subject to RICA while others were not. The amendment to clause 39(1) ensured that those service providers not subject to RICA also had to ensure expedited preservation of data for 21 days, but under sub-clause (6), the time period could be extended to a maximum of 90 days.

Clause 42 dealt with the disclosure of data direction. Service providers were uncertain as to what should be subject to data preservation, so the Department considered that it must have been a lacuna in the drafting of clause, therefore the content of the clause was extended to include “and search for, access to and seizure articles subject to preservation of evidence direction”. The Department had also added sub-clause 10: 10)(a) Articles subject to a preservation of evidence direction that is not “data” must be searched for, accessed or seized in terms of a warrant referred to in section 27(1) and 10(b) A police official may, at any time, apply for a search warrant in terms of section 27(1) to search for, access or seize an article (which includes “data”)  that is or was subject to a preservation of evidence direction.”

Clause 43 additions emanated from suggestions made in international fora. It was about how to deal with data in a cloud” and thus the contents were now described as “Obtaining and using publicly available data or receiving data from person who has the lawful authority to disclose data”. It was not always clear which country had to be approached for data in a cloud, but officials could access publicly available data. Some information might be accessed in a cloud that was publicly available so, the Bill merely had to allow investigators to “obtain and use”. There was no need to ‘access and seize’.

Clause 42(b) related to data that was not publicly accessible. Contracts that people signed with service providers always had a clause to allow the provider to give authorities access to data that was being used illegally. SAPS had raised a concern that it was restricting access to information given lawfully. Police usually initiated information unlawfully. For example, a hacker could break into a computer or closed circuit and he could give information found there to the police. The Bill did not prevent the police from using information obtained in such a way. The Department had not reached consensus with the police on the clause. The Department would propose a final clause to the police before returning to the Committee.

Chapter 6 Mutual Assistance

An amendment had been affected to clause 44 which dealt with the application of provisions in the chapter. The additions to clause 44 clarified what was required regarding preservation of evidence. It specified what evidence had to be preserved. The Department agreed with the insertion.

Clause 45 dealt with spontaneous information. When SAPS had addressed the Committee, the officials had explained that the Directorate for Priority Crime Investigation (DPCI) was a separate entity and did not report to the National Commissioner. That had been amended in amended in clause 45(1).

In Clause 45(2) the Bill had allowed the Director of Public Prosecutions to approve the provision of information to foreign countries. The police had wanted the clause removed. The Department agreed with that recommendation.

Clause 46 dealt with foreign requests for assistance and cooperation. The only amendment had been to take out words ‘in a foreign state’. Clause 49(6)(c).

Clause 49 dealt with the issuing of direction requesting foreign mutual assistance. Previously, an offence had to have been committed but the amendment did not restrict requests to instances where an offence had been committed but allowed requests where it was necessary to determine whether the offence had been committed.

Chapter 7: 24/7 Point of Contact

It was the responsibility of SAPS to equip, operate and maintain a 24/7 point of contact to coordinate investigations into cybercrime and to provide mutual assistance to foreign countries. The NPA had asked why it was necessary to specifically legislate for a 24/7 point of contact. According to the NPA. they were under an obligation in terms of section 17F(4) of the South African Police Services Act, 1995, to assist the South African Police Service and so it was not necessary to legislate for 24-hour contact. However, DoJ&CD had felt it was necessary to legislate.

In Clause 50(5)(c), the removal of the reference to Act No 39 of 1994 was merely a cosmetic change.

Chapter 8: Evidence

Clause 51(1)(f) was an amendment to give effect to the fact that the examination process had to be fully documented and extended the provision of an affidavit to the equally acceptable “solemn or attested declaration”.

Chapter 9: Obligations of Electronic Communications Service Providers and Financial Institutions

In clause 52(3), the amount of the fine is limited to R50 000.

Chapter 10: Structures to Deal with Cybersecurity

Clause 53(7)(b)(xiv) extended the departments or functionaries that should be involved or could be requested to assist the Cyber Response Committee(CRC). DoJ&CD agreed with the recommendation by CRC as cybercrime could occur anywhere.

Clause 54(3): The SANDF had requested that a clause that dealt with the establishment of the Cyber Command be reconsidered for possible insertion in the Bill. The SANDF had stated that the clause was necessary in that it defined the role of the SANDF in relation to cyber-related matters and provided guidance as to what the SANDF should implement to give effect to their mandate. In terms of that clause specific structures had been provided for each department. DoJ&CD informed the Committee that the Executive had instructed that the Bill should not specify the structures involved as that would tell the world what they did. Those structures did not need legislation as they could be established on an administrative basis. DoJ&CD was bound by the policy decision of the Executive not to incorporate the clause requested by SANDF.

The Chairperson queried the need for secretive structures. He was concerned that it was a secretive unit in a department.

Mr Robbertse repeated that the Department could not propose the clause or include it in the Bill, but he could inform the Committee of the request by SANDF.

The Chairperson stated that the Committee would consider it.

Clause 55 dealt with nodal points and private sector computer security incident response teams which were intended to give the country the necessary capacity to deal with cybercrime. It had been explained during consultations that nodal points were not the same as Cybersecurity Hubs which were very expensive to maintain.

Clause 55(1)(b)(i) was changed to indicate that a Cabinet member consulted only if he or she was not responsible for the administration of the sector. A Cabinet member could not consult with him or herself. It was a cosmetic change. That change was repeated throughout the clause.

Clause 55(1)(b)(ii) was added to cater for concerns raised about regulatory bodies. “...after consultation with any regulatory body, established in terms of any law, which exercises regulatory control over the entities of that sector.”

Chapter 11: Critical Information Infrastructure Protection

Public consultations raised questions about whether the Bill duplicated other information protection and the role of the security agency, but those concerns were addressed and accepted by the public. Consultation with provinces led to a request for approval of the premiers in relation to the need for provincial legislation or any functional areas assigned to a province. That resulted in an addition to clause 57.

Clause 57(3)(b)(cc) was expanded to include “and obtain the concurrence of” the Premier in matters relating to provinces.

Clause 57(7)(a) dealt with critical information infrastructure and was expanded to add “a financial sector regulator” to “financial institution” to deal with dispute mechanisms. DoJ&CD did not think it was necessary but had accommodated the request from the financial sector.

Clause 157(7)(i) had been extended to allow others involved in disputes, in addition to the Cabinet minister, to appeal the decision of the arbitrator to the High Court. It was a request emanating from public consultation.

Clause 57(11)(b) had been inserted following public consultations and referred to the constitutional process to follow in dealing with provinces if directives or obligations were not adhered to.

There were no other substantial changes to the Bill itself, but a significant number of additions had been made to Schedule 1 which dealt with laws to be repealed or amended as that had not been considered during the process.

The Chairperson indicated that Members could read through the proposed changes to the Schedule themselves. He thanked the Department for a detailed presentation that had been well-prepared, especially for such a technical Bill. Mr Robbertse had dealt with all comments, adverse and in favour. The document had tried to entertain some of the comments received. Something that did stand out was the critical information structure.

Mr Horn remained worried about the fact that, in the past, the Committee had worked with the Department on those submissions received with which the Department did not agree. What about those? The Committee had not seen those comments. The Committee had only seen submissions with which the Department had agreed.

Mr Robbertse stated that DoJ&CD had summarised all comments, both for and against the Bill, in a document and then, in drafting the document, DoJ&CD had entertained as many comments as possible. During the public engagement process, the Department had discussed reasons why certain comments could not be considered for inclusion in the Bill. He referred to the National Strategic Information Bill that had established certain fundamentals for the Bill.

The Chairperson explained that Mr Horne’s question was why that previous approach had not been taken.

Mr Robbertse stated that all viable proposals had been accepted and the Department had tried to accommodate most comments, except for those about critical information structures.

The Chairperson agreed that it was not possible to include things that were not viable.

Ms Breytenbach stated that Mr Robbertse was not answering the question and asked why he was not doing so.

The Chairperson was of the opinion that Mr Robbertse had answered but Ms Breytenbach did not accept that. The Committee was divided over the matter.

Ms Kallay Pillay, DDG: Legislative Development at DoJ&CD, explained that a long document in a tabular format had been circulated and had included a reference to each comment received. The document was in excess of 200 pages and had been circulated some weeks previously. The Department could summarise the comments that they had not agreed with and provide that to the Committee.

Ms Breytenbach requested a copy of the 200-page document with an indication showing which/ comments that DoJ&CD had not agreed with.

Mr Horn stated that his point was that the Committee had not looked at negative inputs. With the Traditional Courts Bill, the Committee had given directives to the Department to make certain changes because the Committee had not agreed with certain decisions by the Department. He felt that the Committee should have addressed the comments that the Department had not taken into consideration.

The Chairperson stated that it was a fair comment, but the Committee would follow the recommendation by Ms Breytenbach that the Committee consider the list of all submissions, specifically those noted by DoJ&CD as not having been included. The Committee would not meet the following day as they had to attend to that document while the Department would polish the Bill and the following week the Committee would consider whether to accept the Bill. The Committee had harassed the Department the previous time, but DoJ&CD had done very well and had performed beyond expectation.

Closing remarks

The Chairperson thanked Members for their patience.

The meeting was adjourned.