During December 2021 the South African President signed the Cybercrimes Act, 19 of 2020 into law. The legislation is the first in South Africa to consider cybercrimes explicitly, and forms part of South Africa’s growing legislative framework on data management. But what impact does the Cybercrimes Act 19 of 2020 have on organisations operating in South Africa? In this insight, the first on the topic of cybercrimes, PR de Wet and Davin Olën, from VDT Attorneys Inc, provide an overview and unpack how the new legislation slots into the existing South African regulatory universe, with specific reference to the Protection of Personal Information Act 4 of 2013. The article also provides an overview of the applicable business processes which South African companies would need to consider in ensuring compliance with the Cybercrimes Act, 19 of 2020.
What is the Cybercrimes Act, 19 of 2020?
In recent years, business lexicons have expanded to include phrases like ‘augmented reality’, ‘Industry 4.0’, ‘quantum computing’ and ‘remote work’, among a plethora of other terms which each emphasise the intensifying level of connection in business. While intensified connectivity and data sharing amongst clients and employees pose their own organisational challenges, the matter is drastically complicated by the potential infringements of third parties. Within this context, recent trends in cybersecurity statistics have proven to be particularly alarming. This trend has only strengthened in 2022, with malware increasingly targeting the infrastructure, healthcare, technology, financial services and manufacturing sectors. Against this unruly backdrop, small and medium-sized firms are particularly at risk, compelling the introduction of South Africa’s Cybercrimes Act 19 of 2020 (the “Cybercrimes Act”).
Within the South African context, the need for the Cybercrimes Act was acute because no prior legislation overtly regulated cybercrime. The Cybercrimes Act partially came into force on 1 December 2021, creating various cyber-related offences and criminalising, among other actions, the distribution of harmful data messages. While a “cybercrime” is not defined by the Cybercrimes Act, it includes a list of 11 actions or attempts which would amount to a cybercrime, as well as 3 actions or attempts which could be considered malicious communication. In addition, the Cybercrimes Act provides for the sentencing of contraveners and establishes orders to protect complainants.
Notably, the Cybercrimes Act extends the ordinary application of jurisdiction. Because the legislator recognises that offences can be carried out beyond South African territory, any act amounting to a cybercrime which is targeted at South Africa is deemed to have been committed in South Africa if the offender is found in South Africa or extradited to South Africa, in terms of Section 24(2) of the Cybercrimes Act. The Cybercrimes Act also grants authorities the power to respond to the potential infringements of any South African citizen, resident or person who carries on business in South Africa.
The Cybercrimes Act has a notable impact on the operations of Financial Institutions (FIs) and Electronic Communications Service Providers (ECSPs), as both are required to report specific offences to the South African Police Service within 72 hours of becoming aware of the offence; failing to do so is itself an offence, punishable by a fine of up to R50,000.00. Moreover, any fine imposed on FIs and ECSPs does not account for the potential reputational damage which the firms may suffer as a result of non-compliance. Accordingly, the following portion of this article considers approaches towards compliance.
What do organisations need to consider in ensuring compliance with the Cybercrimes Act?
In recent memory, the Protection of Personal Information Act, 4 of 2013 (the “POPI Act”) caused significant disruption across business sectors by requiring specific compliance in terms of data processing and other factors. In the case of the POPI Act, businesses were advised to make use of a tailored approach to compliance, avoiding box-ticking in order to ensure substantive compliance. The Cybercrimes Act will require a similar, albeit somewhat less intensive, approach. The Cybercrimes Act obliges organisations to reconsider their data processing practices and requires them to adapt their processes to prevent the offences defined in the Cybercrimes Act.
On a more practical level, organisations will need to consider how their existing systems align with the Cybercrimes Act with regard to data management (particularly regarding data encryption and database security), as well as access and identity management, wireless and network access, and user passwords and privileges. Other aspects include how data is managed when staff leave the employ of an organisation, especially if the organisation makes use of a Bring Your Own Device (BYOD) policy.
While the Cybercrimes Act has been signed into law, certain provisions are yet to become enforceable, the reporting requirement for FIs and ECSPs being one of these. Nevertheless, the essence of the Cybercrimes Act is enforceable, and organisations are already required to comply with the majority of the Cybercrimes Act. Organisations which have not yet implemented compliance programmes for the Cybercrimes Act are advised to revise their compliance frameworks and incorporate the Cybercrimes Act within their existing compliance universe. One piece of legislation which organisations have already incorporated within their compliance universe is the POPI Act, and in order to grasp the differences between the two pieces of legislation, the final section of this article distinguishes the POPI Act from the Cybercrimes Act.
How does the Cybercrimes Act interact with POPIA?
While both the POPI Act and the Cybercrimes Act concern data, the aims and intents of the two acts differ. The POPI Act is geared towards protecting the data and privacy of data subjects and establishes a set of minimum requirements for processing data within South Africa for this purpose. The POPI Act does not create new cybercrimes but obliges organisations to ensure the integrity of the personal information they process. However, there are some parallels in terms of breach/offence reporting. Section 22 of the POPI Act requires Responsible Parties to report data breaches to the Information Regulator, and if the breached information makes data subjects identifiable, the affected data subjects must also be informed of the breach. The Cybercrimes Act, on the other hand, requires reporting from FIs and ECSPs, as discussed above.
Collectively, the POPI Act and the Cybercrimes Act provide both protection for data subjects and a mechanism to increase accountability inside, and potentially outside, South Africa. Prior to the introduction of the Cybercrimes Act, cybercrimes were subject only to South African common law, leaving data subjects vulnerable. The inclusion of the Cybercrimes Act within the South African legislative framework is therefore a necessary step towards the enforcement of data protection in the territory. As a first step towards compliance, organisations are recommended to further develop their own knowledge of this evolving environment. Armed with the necessary background, firms should then assess their own landscape and data frameworks to identify the key risks and areas of susceptibility within their organisation. Additionally, organisations can consider approaching a commercial legal partner with experience in the field to assist in ensuring compliance.
See, for example, the following DataGuidance article on the vulnerability of SMEs: https://www.dataguidance.com/news/eu-enisa-issues-cybersecurity-recommendations-smes
As defined and detailed within Chapter 2 of the Cybercrimes Act.
In terms of the Act, FIs are defined as per Section 1 of the Financial Sector Regulation Act 9 of 2017 and ECSPs are defined in terms of the Electronic Communications Act 36 of 2005.
See, for example, https://www.onetrust.com/forms/popia-request-demo/