A revised draft of the Cybercrimes and Cybersecurity Bill will be tabled in Parliament in the first quarter of 2017. In a statement issued on 19 January 2017, the Deputy Minister of Justice and Constitutional Development confirmed that the public comments received on the first draft of the Bill published in August 2015 were taken into account in revising the Bill, as well as the advice of a working group of subject matter experts.
Changes made to the draft Bill include:
- Removal and revision of some offences
Section 3 of the first draft criminalised identity theft. According to the Deputy Minister, it was removed because of the unintended consequences that the widely drafted section might have. This issue will be further researched and may be considered at a later stage.
Child pornography is currently an offence under section 24B of the Films and Publication Act 1996. The revised Bill repeals section 24B and amends the Criminal Law (Sexual Offences and Related Matters) Amendment Act 2007 to include offences relating to child pornography, harmful disclosure of adult pornography without consent and pornography-related extortion.
See our previous blog on other offences contained in the draft Bill, some of which have been revised.
- Obligations on electronic communications service providers and financial institutions
The broad obligations in Chapter 9 to inform clients of cybercrime trends and measures to secure themselves, as well as the penalty for failing to do so, (see our previous blog) have been removed.
Only those offences prescribed by the relevant ministers by notice in the Government Gazette must be reported to the South African Police Service, within 72 hours where feasible. Failure to report will attract a single penalty of R50 000 and no longer a penalty of R10 000 per day while the failure continues. This is a serious threat to many people in the industry and will be considered carefully by us when the notice in the Gazette appears.
The revised draft explicitly states that electronic communications service providers and financial institutions are not required to monitor the data which they transmit or store, or actively search for unlawful activities.
Chapter 9 no longer applies to any person who transmits, receives, processes or stores data on behalf of another person.
- New structures to fight cybercrime
Instead of the eight proposed new government structures in the first draft Bill, the revised bill provides for only two:
1. 24/7 Point of Contact, to facilitate and speed detection, investigation and prosecution of cybercrimes; and
2. Cyber Response Committee, responsible for implementing government policy relating to cybersecurity.
The remaining proposed structures have been replaced with obligations on the ministers of security, police, defence and telecommunications to establish and implement measures relating to security, policing, defence and communications.
There will be a further opportunity to make submissions to Parliament on the draft Bill.