Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

South Africa: The Cybercrimes Act, its relationship with POPIA, and compliance

During December 2021, the South African President signed the Cybercrimes Act, 2020 (Act 19 of 2020) ('the Cybercrimes Act') into law. This legislation is the first in South Africa to consider cybercrimes explicitly, and forms part of South Africa's growing legislative framework on data management. But what impact does the Cybercrimes Act have on organisations operating in South Africa? In this Insight, the first on the topic of cybercrimes, PR de Wet and Davin Olën, from VDT Attorneys Inc, provide an overview and unpack how the new legislation slots into the existing South African regulatory universe, with specific reference to the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'). The article also provides an overview of the applicable business processes which South African companies would need to consider in ensuring compliance with the Cybercrimes Act.

matejmo / Signature collection / istockphoto.com

What is the Cybercrimes Act?

In recent years, business lexicons have expanded to include phrases like 'augmented reality', 'Industry 4.0', 'quantum computing', and 'remote work' among a plethora of other terms which each emphasise the intensifying level of connection in business. While intensified connectivity and data sharing amongst clients and employees poses its own organisational challenges, the matter is drastically complicated by the potential infringements of third parties. Within this context, recent trends in cybersecurity statistics have proven to be particularly alarming. This drive has only strengthened in 2022, with malware increasingly targeting infrastructure, healthcare, technology, financial services, and manufacturing sectors, and from this unruly backdrop, smaller and medium-sized firms are particularly at risk, compelling the introduction of the Cybercrimes Act.

Within the South African context, the need for the Cybercrimes Act was acute because no prior legislation overtly regulated cybercrime. The Cybercrimes Act partially came into force on 1 December 2021, creating various cyber-related offences and criminalising the distribution of harmful data messages among other actions. While a 'cybercrime' is not defined by the Cybercrimes Act, a list of 11 actions or attempts which would amount to a cybercrime are included therein as well as three actions or attempts which could be considered malicious communication. In addition, the Cybercrimes Act further arranges the sentencing of contraveners and establishes orders to protect complainants.

Notably, the Cybercrimes Act extends the ordinary application of jurisdiction. As the legislator recognises that offences can be carried out beyond the South African territory, any acts amounting to a cybercrime, which is targeted at South Africa, are deemed to have been committed in South Africa should the offender be found in South Africa or extradited to South Africa in terms of Section 24(2) of the Cybercrimes Act. The Cybercrimes Act also grants authorities the power to respond to the potential infringements of any South African citizen, resident or person who carries on business in South Africa.

The Cybercrimes Act has a notable impact on the operations of financial institutions ('FIs') and Electronic Communications Service Providers ('ECSPs') as both are required to report specific offences to the South African Police Services within 72 hours after becoming aware of the offence or they themselves commit an offence and face a fine of up to ZAR 50,000 (approx. €2,990). Nevertheless, any fine awarded to FIs and ECSPs does not consider the potential reputational damage which the firms may experience due to non-compliance. Accordingly, the following portion of this article considers approaches towards compliance.

What do organisations need to do consider in ensuring compliance with the Cybercrimes Act?

In recent memory, POPIA caused significant disruption across business sectors by requiring specific compliance in terms of data processing and other factors. In the case of POPIA, businesses were advised to make use of a tailored approach to compliance, avoiding box-ticking to ensure substantive compliance. The Cybercrimes Act will require a similar tactic albeit somewhat less intense. The Cybercrimes Act obliges organisations to reconsider their data processing practices and requires them to adapt their processes to prevent the offences defined in the Cybercrimes Act.

On a more practical level, organisations will need to consider how their existing systems align with the Cybercrimes Act with regard to data management (particularly regarding data encryption and database security), as well as access and identity management, wireless and network access, and user passwords and privileges. Other aspects include how data is managed when staff leave the employ of an organisation, especially if the organisation makes use of a Bring Your Own Device ('BYOD') policy.

While the Cybercrimes Act has been signed into law, certain provisions are yet to become enforceable, the reporting requirement of FIs and ECSPs being one of these portions. Nevertheless, the essence of the Cybercrimes Act is enforceable, and organisations are already required to comply with the majority of the Cybercrimes Act. Organisations which are yet to implement compliance programs with the Cybercrimes Act are suggested to revise their compliance frameworks and incorporate the Cybercrimes Act within their existing compliance universe. One piece of legislation which organisations have already incorporated within their compliance universe is POPIA, and in order to grasp the variations in the two pieces of legislation, the final section of this article differentiates POPIA from the Cybercrimes Act.

How does the Cybercrimes Act interact with POPIA?

While both POPIA and the Cybercrimes Act consider data, the aims and intents of the acts differ. POPIA is geared towards protecting entities' data and privacy and establishes a set of minimum requirements to process data within South Africa for this purpose. POPIA does not create new cybercrimes but obliges organisations to ensure the integrity of the personal information they process. However, there are some parallels in terms of breach/offence reporting. Section 22 of POPIA requires responsible parties to report data breaches to the Information Regulator, and if beached information makes data subjects identifiable, then data subjects also need to be informed of any breaches. The Cybercrimes Act, on the other hand, requires reporting from FIs and ECSPs as discussed above.

Collectively, POPIA and the Cybercrimes Act provide both protection for data subjects and a mechanism to increase accountability inside, and potentially outside, of South Africa. Prior to the introduction of the Cybercrimes Act, cybercrimes were only subject to the South African common law, leaving data subjects vulnerable. The inclusion of the Cybercrimes Act within the South African legislative framework is therefore a necessary step towards the enforcement of data protection in the territory. As a first step towards compliance, organisations are recommended to further develop their own knowledge in this developing environment. Provided with the necessary background, firms should attempt to assess their landscapes and data frameworks to consider the key risks and susceptibility of their organisation. Additionally, organisations can consider approaching a commercial legal partner with experience in the field to assist an organisation in ensuring compliance.

PR de Wet Director
[email protected]
Davin Olën Candidate Attorney
[email protected]
VDT Attorneys Inc., Pretoria