This blog was co-authored by: Victoria Pillay, Associate

The President has proclaimed that, from 1 December 2021, certain sections of the Cybercrimes Act, 2020 will come into full force. The Cybercrimes Act aims to:

  • regulate and harmonise legislation in respect of offences committed using electronic mediums, and creates offences which have a bearing on cybercrime including criminalising the disclosure of data messages which are harmful and providing for interim protection orders.
  • regulate international foreign requests for assistance in respect of cybercrimes committed within South Africa’s jurisdiction and vice versa.

What went live on 1 December 2021?

 These are the parts of the Act that are now in operation:

  • Chapter 1 – this chapter sets out the definitions used in the Act
  • Chapter 2 (excluding Part VI) – this chapter sets out all the new cybercrimes that have been created by the Act. However, the part that deals with obtaining orders to protect the complainant pending finalisation of criminal proceedings is not yet in operation.
  • Chapter 3 – refers to the jurisdiction of the Act. It is interesting that a court in South Africa will have the jurisdiction to try any offence created in the Act if the offence affects any person or any business in South Africa, or if the offence was committed outside of South Africa against any person who is a citizen or ordinarily resident in South Africa.
  • Chapter 4 (excluding 38(1)(d), (e) and (f), 40(3) and (4), 41, 42, 43 and 44) – this chapter deals with the authorities powers to investigate, search, access or seize. The excluded sections deal with preservation of data directions.
  • Chapters 5 and 6 which refer to mutual assistance with foreign requests and the establishment of a designated Point of Contact within the South African Police Services (SAPS) are not yet in operation)
  • Chapter 7 – deals with the ability to prove facts by submission of an affidavit by a suitably qualified individual.
  • Chapter 8 (excluding section 54) – this chapter deals with reporting obligations and capacity building in order to investigate and prosecute cybercrimes. The reporting obligations for electronic communications service providers and financial institutions are not yet in operation.
  • Chapter 9 (excluding sections 11B, 11C, 11D, and 56A(3)(c), (d) and (e) of the Criminal Law (Sexual Offences and Related Matters) Amendment Act, 2007, from the Schedule of laws repealed or amended in terms of section 58) – this section deals with the general provisions and sets out which other laws are repealed or amended by this Act. The Act replaces sections of the Electronic Communications and Transactions Act, 25 of 2002 dealing with the unlawful accessing, interception or interference with data messages. A number of proposed amendments related to prosecution of harmful disclosure to pornography (“revenge porn”) are not yet in operation, however, the offence of “revenge porn” is in operation.

 New offences

In terms of the proclamation, all of the offences created under the Act are now operational, and if individuals are found to have committed such offences, they will be charged under the Act. The Act provides a statutory direction to include the theft of incorporeal property within the scope of the common law offence of theft. The Act also aims to provide greater protection to victims of intimate violence and cyberbullying by creating separate offences for this.

Be aware of your social media habits! You can now be found guilty of a cybercrime if you Whatsapp a nude photo of someone without their permission, or post a Tweet inciting or threatening violence or damage to property.

Still to come – new obligations for electronic communications service providers and financial institutions

Electronic communications service providers will soon be required under section 20, and in terms of a court order, to disclose data messages which relate to charges of intimate violence or cyberbullying, and to remove or disable access to the data message which they host and which are related to the offence. In addition to this, electronic communications service providers will be required, in terms of a court order, to assist with the investigation of cybercrimes, the seizure of data messages, and preservation of evidence and interception of communications when chapters 5 and 6 come into operation. The failure of an electronic communications service provider to do so will be guilty of an offence and liable for a fine and/or imprisonment of a period not exceeding 2 years. Electronic communications service providers should take note of the new obligations that will soon be imposed on them, and prepare for an increase in requests from individuals and the courts to assist in this regard.

In terms of the upcoming section 54, electronic communication service providers and financial institutions will have an obligation to report any offences that occur on its services or networks to SAPS within 72 hours of becoming aware of the offence. Failure to do so will result in a fine of up to R50,000.

Electronic communications services providers and financial institutions should be aware of the possible consequences and reputational harm of non-compliance with these sections that are soon to be in operation. No date has yet been announced.