Although President Cyril Ramaphosa has signed the Cybercrimes Bill into law, only parts came into effect from 1 December 2021.

“It is important to spell out the dos and don’ts of the new Cybercrimes Act and it’s everyone’s interest to familiarise themselves the with changes,” says Ryan van de Coolwijk, product head at iTOO Cyber insurance division.

Spotlight falls on Chapter 2 of the Cybercrimes Act

Van de Coolwijk says under this chapter, activities that constitute cybercrimes include unlawful access, interception of data, and interference with data or computer program like hacking.

He says other unlawful acts in respect of software or hardware include unlawful interference with computer data storage medium or computer system; and unlawful acquisition, possession, provision, receipt or use of a password, access code or similar data or device.

Van de Coolwijk says cyber fraud, cyber forgery and uttering and cyber extortion; theft of incorporeal property, which was previously limited only to corporeal property at common law are also unlawful.

“Chapter 2 of the Act also makes it unlawful to send malicious data message communications, which include messages that are intimate in nature, which threaten or incite violence or damage to property. Part VI of Chapter 2 of the same Act which provides for protection orders to be granted for these types of malicious communications was not included in the proclamation and is yet to commence,” notes Van de Coolwijk.

“In addition, the Act recognises certain cybercrimes in section 11 as an aggravated offence, which is not defined, where a ‘restricted computer system’ is unlawfully accessed and where such data, computer program, computer data storage medium or computer system is under the control of, or exclusively used by, a financial institution such as a licensed bank or insurer or an organ of state and which is protected against unauthorised access or use by security measures.

Cybercrimes Act gives courts extra-territorial reach

Van de Coolwijk says the sections relating to jurisdiction set out under Chapter 3 have commenced, which empower a court in South Africa to try any offence listed under Part I and II of Chapter 2 of the Act.

“Notably, South African courts have extra-territorial jurisdiction to try any cybercrime if it was committed outside South Africa if that act was against or affects any person, public body, business residing or incorporated in South Africa or a restricted computer system within South Africa as contemplated in section 11(1)(b) of the Act,” adds Van de Coolwijk.

Police powers to investigate, search, access and seize

According to Van de Coolwijk, most sections under Chapter 4 are now effective and grant the South African Police Service (and its members and investigators) extensive powers to investigate, search, access and seize any computer, computer program, database or network or part thereof.

“Under section 34 of the Act, electronic communications service providers, financial institutions or any person in control of any data, computer program, computer data storage medium or computer system which is subject to a search authorised by a court in terms of section 29 are obligated to assist police officials and investigators with the provision of technical assistance such as data collection,” explains Van de Coolwijk.

He says a contravention of this section can render the offender liable for a period of imprisonment not exceeding two years and/or a fine.

“Section 39 prohibits the disclosure of information by any person, financial institution, electronic service provider, police official or investigator if obtained during the exercise of any duties in terms of Chapter 4 or 5 of the Act which relate to the investigation of any cybercrimes or mutual assistance with foreign states. Chapter 5 has, however, yet to come into force.”

Some sections of the Cybercrimes Act are not yet in effect

He says the Act requires the National Police Commissioner to establish a Point of Contact within the existing structures of the South African Police Service (SAPS) with the mandate to assist with proceedings and investigations relating to cybercrimes.

“Chapter 6, which imposes this obligation on the SAPS, has not yet entered into force and the reporting of offences will, until its commencement, have to go through ordinary reporting channels provided by the SAPS.”

However, Van de Coolwijk notes that no reporting obligations under the Cybercrimes Act for financial Institutions and electronic communications service providers – yet.

“A notable absence from the proclamation was the express exclusion of section 54 of the Act, which prescribes certain reporting obligations and capacity building under Chapter 8.

“This means that electronic service providers and financial institutions are not yet obligated to report cybercrimes set out in Part I of Chapter 2 of the Act within 72 hours to the SAPS after having become aware of the offence and to preserve any information that may assist the SAPS in their investigation of the alleged offence,” says Van de Coolwijk.

However, given that this provision will come into force at a later stage, it would be sensible for both electronic communications service providers and financial institutions to start implementing appropriate reporting procedures as failure to comply with this section after its commencement could result in an offence and a fine not exceeding R50 000.

Reporting procedures should align with existing reporting procedures adopted in terms of (amongst others) the Prevention of Organised Crime Act, 1998 (PoCA), the Financial Intelligence Centre Act, 2001, and the Prevention and Combating of Corrupt Activities Act, 2004 (PRECCA).