From 1 December 2021 certain sections of the Cybercrimes Act, 2020 will come in force and effect. In our earlier article, we summarised some of the key points of this Act and the overlap between this Act and the Protection of Personal Information Act, 2013 ("POPIA"). The Cybercrimes Act criminalises the following types of cyber activities, namely:
- unlawful access, interception and interference of data;
- unlawful acts in respect of software and hardware tools;
- cyber fraud, cyber forgery and cyber uttering; and
- malicious communications, which includes a form of "hate speech".
The Cybercrimes Act also seeks to, inter alia, regulate issues of jurisdiction in respect of cybercrimes, regulate aspects relating to mutual assistance in respect of the investigation of cybercrimes and establish cooperation with foreign states to promote measures aimed at detection, prevention, mitigation and investigation of cybercrimes.
The following sections of the Cybercrimes Act will commence on 1 December 2021:
- Chapter 1 – the definitions and interpretation section.
- Chapter 2 (excluding Part VI) – the section codifying the various crimes. Part VI dealing with the orders that can be granted to protect complainants from the harmful effect of malicious communications is not yet in force.
- Chapter 3 – dealing with issues of jurisdiction relating to cybercrimes.
- Chapter 4 (excluding section 38(1)(d), (e) and (f), 40(3) and (4), 41, 42, 43 and 44) – dealing with the powers of police officials to investigate, search, access or seizure. The sections not yet in force pertain to the offences emanating from a person who gives false information under oath in relation to:
- an expedited preservation of data direction (section 38(1)(d) including the corresponding provisions as to the issuing of these under section 41);
- a preservation of evidence direction (section 38(1)(e) including the corresponding provisions as to the issuing of these under sections 42 and 43), and
- a disclosure of data direction (section 38(1)(f) including the corresponding provisions as to the issuing of these under section 44).
In addition, the obligations on an electronic communications service provider to comply with a real-time communication-related direction, expedited preservation of data direction, preservation of evidence direction, disclosure of data direction or order from a designated judge to obtain and preservice real-time communication-related information or obtain and furnish traffic data is not yet in force (section 40(3)) as well as the related section dealing with foreign State orders (section 40(4)).
- Chapter 7 – which allows evidence to be provided by affidavit.
- Chapter 8 (excluding section 54) – providing for the reporting obligations and capacity building. Section 54 which creates the obligations on electronic communications service providers and financial institutions to monitor and report offences is not yet in force.
- Chapter 9 (excluding sections 11B, 11C, 11D and 56A(3)(c), (d) and (e) of the Criminal Law (Sexual Offences and Related Matters) Amendment Act, 2007 in the Schedule of laws repealed or amended in terms of section 58) – cover the general provisions. The repeal of the sections dealing with the Criminal Law (Sexual Offences and Related Matters) Amendment Act, 2007 is not yet in force.
Chapters 5 (dealing with mutual assistance of foreign states) and 6 (which deals with the establishment and powers of the designated Point of Contact) is also not yet in force.
All organisations need to be aware of their responsibilities under the Cybercrimes Act and consider what mechanisms need to be implemented to cater for these requirements.