Internet users were relieved by the partial commencement of the new Cybercrimes Act 19 of 2020 (“Act”) on 1 December 2021, as it aims to combat and prosecute cybercrime.
Cybercriminals target South Africa on a large scale due to the lack of infrastructure, legislation, security, understanding of online security and lack of enforcement.
Cyber crimes can thus now be more closely investigated and prosecuted due to legal authorities and the judiciary now having more concrete legal grounds, upon which to address the above issues.
The interpretation and application of the Act still, however, remains to be seen, especially considering the interrelation with the widely known Protection of Personal Information Act 4 of 2013 (“POPI”).
The Act clearly bolsters the position of POPI and different forms of liability are created under each section of legislation in terms of a similar breach of data.
A range of activities involving data, computers, networks and other electronic communications that will be impacted are included in a widely cast net.
There has been significant progress in criminalising certain online conduct such as inciting or threatening violence upon an individual or damage to property and distributing intimate images.
For companies, it is of vital importance to understand the impact of the Act and how it interplays with POPI, due to a company having certain obligations under both, to varying degrees.
It is important for companies to comply with both Acts, which impose numerous requirements.
To elaborate, the Act imposes a very specific duty on financial institutions and electronic communications service providers (such as providers of internet and telecommunications network operators) to report any and all cybercrime instances that they becomes aware of, within 72 hours, to the South African Police Service.
POPI on the other hand, clearly sets out stronger support to documentation, retention of records and reporting practices, in order to assist the authorities in combating cybercrime (to name but one reason).
The Cybercrimes Act is only partially operational and still in its infancy, but it is clear that South Africa has taken a giant leap forward in aligning itself with international conventions on the protection of information and on cybersecurity as a whole.
The intertwined relationship between the Act and POPI, may lead to extreme liability for companies, and those appointed on their behalf.
An office practice and internal process can be assessed or established.
Legal advice in this regard is suggested.
Written by Charlene Hefer (Candidate Attorney)