Cybercrime and Cybersecurity Bill

South Africa has drafted (and redrafted) the Cybercrime and Cybersecurity Bill. The Justice Portfolio Committee held hearings on this Bill last week, and I was there. If you’re interested in what the Bill means for SA, and how to keep up to date with the latest changes, the University of Cape Town is hosting a workshop on 29 September.  
While you decide whether to take this Bill seriously, here are some high-level things to consider: 

1. Cybercrime and Cybersecurity are different 

There is a good argument that the Cybercrime part should be separated from the Cybersecurity part.  
Although they are obviously related, the Cybercrime part aims to create criminal offences for things that aren’t currently illegal.  
In contrast, the Cybersecurity part aims to create a government cybersecurity apparatus to resist cyber-attacks (and doesn’t really look at criminal offences).  

2. No public interest defence 

At present, there is no ‘public interest’ defence. As with the Protection of Information Act (this is not POPI but sounds very similar), this is a big deal.  
If a journalist breaches a part of the Bill, there may be a really good reason for doing so, one that allows civil society to keep everyone honest. Well, to try, at least. For example, exposing corruption or exposing hackers. 

3. Over-broad definitions 

The definitions in the Bill are incredibly wide.  
So what, you ask? 
While the Bill makes sense in the abstract, it becomes much trickier when you apply specific situations to it. For example, we often come across situations where more than one person has access to a business email account, even though this is prohibited by the business.  

The Cybercrime Bill makes the mere access to that email by the employees a criminal offence.  

Ironically, the people accessing the email address do so for the benefit of the business, rather than with malicious intent. For example, to provide redundancy so that they don’t miss a consumer complaint while a colleague is on leave.   
Not only could this result in a disciplinary offence, but the business ought to report this as a criminal offence to the police (‘Unlawful security of access’ – section 2)! Of course, reporting this would be an ‘own goal’ situation for the business, but if it has a zero-tolerance approach to criminal activity, what must it do?

4. Oversight by Big Brother 

The current version of the Bill gives a lot of power to the State Security Agency. Any follower of South African politics will know why this would give most people pause.  
However, the Bill doesn’t incorporate the opposite perspective which would normally come from the Information Regulator (which was created in terms of the Protection of Personal Information Act).  
On the positive side, the Information Regulator pointed this out at the hearings last week, so hopefully this oversight will be corrected.  
This is just the tip of the iceberg.  

Obviously, there are too many things to consider in an article (such as jurisdiction, duties of electronic services providers, the interaction of other pieces of legislation with this Bill). 

If you would like to be part of this discussion, register for the UCT Law at Work Cybercrime and Information Security workshop. It takes place on the 29th September 2017 at the University of Cape Town where Dominic Cull (Ellipsis Regulatory Solutions), Commander Hiela Niemand (SAPS Cybercrime / Family division) and I will discuss what the Bill means for South Africa and how to keep abreast of the changes. Read more about this course here, or simply email paula.allen@uct.ac.za for more.  
