The Department of Justice and Constitutional Development invited interested persons to comment on the draft Cybercrimes and Cybersecurity Bill (the “Bill”).
The Department stated that the draft Bill aims to put in place a coherent and integrated cybersecurity legislative framework to address various shortcomings which exist in dealing with cybercrime and cybersecurity in the country.
Most of us have been affected by cybercrime in some form or another. It is a fast-growing area of crime, with more and more criminals exploiting the speed, convenience and anonymity of the internet to commit a diverse range of criminal activities. There is no doubt that we need proper legislation to govern cybercrime, but getting it right might not be that easy. Cybercrime is ever-evolving, so the legislation needs to be wide enough to cover all potential threats, but not so wide that it becomes ineffective and overly burdensome.
One example of this is found in section 4 of the Bill, which states that any person who unlawfully and intentionally access data is guilty of an offence and on conviction can be liable for a fine of up to R5 million or imprisonment of up to 5 years. On the face of it, we all agree, no one should unlawfully access data, but the consequences of such a widely drafted provision can be far-reaching. The term “access”, amongst others, includes: to make use of, view, store, copy or remove data. “Unlawful” includes any action where a person exceeds his lawful authority to access data. Read with Protection of Personal Information Act (“POPI”) (and once POPI is fully operational) this section of the Bill will criminalise any access to data which goes beyond a person or entity’s authority. In other words, if you do not have someone’s consent to user or store his data in a certain manner or for a certain purpose, as contemplated in POPI, you will be accessing his data unlawfully, as contemplated in section 4 of the Bill.
Similar provisions apply to any person that manufactures, sells, advertise, uses or possesses software that can be used for the purpose of contravening the provisions of section 4. In other words, the developers and users of software that operates like cookies or other similar technologies used for advertising, research and analytics, will have to ensure that the software does not collect data beyond what it is authorised to do, or face a fine of up to R5 million or imprisonment of up to 5 years.
The Bill also imposes potentially onerous obligations on electronic communications service providers, which are defined so wide that it will include any person or entity which transmits, receives, processes or stores data on behalf of any other person.
The Bill, in its current form, can have far-reaching consequences for any company that stores data, uses data, collects data for advertising or analytics or even broadcast or report on certain information. Although there is no doubt that we need cyberlaws, legislation can only be effective if it is practical and enforceable, it is therefore important for industry experts and interested parties to get involved in this process.
This is not an in-depth overview of the Bill, but merely illustrated some of the difficulties that the legislator will have to address.
The Bill can be found here and comments on the Bill should reach the Department by 30 November 2015.