Many South Africans might not be aware, but as of 1 December 2021, certain sections of the Cyber Crimes Act (the “Act”) are in operation already. The effective parts of the Act create the definition of cybercrimes as an offence, and also confers jurisdiction on South African courts to deal with and prosecute such crimes. More specifically, Chapter 2, 3, 4, 7 and 8 of the Act are now in operation and may be enforced in South Africa.
Creation of Cybercrimes
Chapter 2 of the Act creates several new cybercrimes which are now enforceable as criminal offences including but not limited to the following:
Disclosure of data message of an intimate image without the consent of the person displayed in the image.
Transmission of a data message which threatens persons with damage to property or violence or which incites violence or damage to property.
Unlawful and intentional access to a computer system or data storage medium including the use or storage of data on same.
Unlawful and intentional interception of data and interference with data. In this regard, ‘interception of data' means the acquisition, viewing, capturing or copying of data of a private nature.
Unlawful and intentional use of software or hardware (i.e. devices or equipment) to access, intercept, interfere with data, a computer program or a computer data storage medium including to use a password, access code or similar data.
Unlawful and intentional interference with data, a computer system or computer data storage medium. In this regard, interference relates to the deletion, alteration, obstruction or interruption of data etc.
Unlawful acquisition, possession, provision, receipt or use of password, access code or similar data or device.
Cyber fraud, cyber forgery and uttering. In this regard, the use of data or a computer system to create a misrepresentation which results in actual or potential prejudice to another person is a cybercrime.
Cyber extortion is the unlawful and intentional commitment or threat of commitment of a cybercrime for purposes of obtaining an advantage over another person.
Theft of incorporeal/intangible (i.e. date) property which is equated to the common law definition of theft in respect of corporeal/tangible objects.
Aggravated offences relate to cybercrimes committed in respect of a ‘restricted computer system’ under the control of a financial system or an organ of state.
Sentencing for the commitment of cybercrimes
Section 19 of the Act deals with the various sentences which a Court may impose for the commitment of the cybercrimes set out above. In respect of a person committing the cybercrime of transmitting a message which intends to incite violence, a sentence of imprisonment for a maximum of 3 years may be imposed with a fine. Same is applicable for disclosing a data message including an intimate image and a threatening data message.
A Court may impose a maximum of 15 years imprisonment for committing an aggravated offence in terms of a restricted computer system controlled by a financial institution or an organ of state. The unlawful possession and/or use of another persons’ password or access code may be subject to a maximum of 10-year imprisonment sentence or fine.
Jurisdiction of South African Courts in respect of cybercrimes
South African Courts have jurisdiction over an accused who is a natural person, a company or a body of persons in respect of the commitment of a cybercrime. In accordance with the act, it is only necessary for the victim of the cybercrime to be a citizen/resident of RSA or for the corporation to be registered in RSA for the foreign accused to be prosecuted in a South African Court. Importantly, Chapter 3 of the Act accommodates the transnational nature of a cybercrime through affording South African Courts with jurisdiction over cybercrimes committed internationally.
Powers afforded to the South African Police Services
Chapter 4 of the Act prescribes a time limit of 12 months from its commencement for a set of Standard Operating Procedures to be issued which will govern the procedure surrounding investigation of cybercrimes by the SAPS. The search and seizure of property and data by the SAPS is permissible under the Act with a warrant as well as without a warrant in the case of consent and the commission of a cybercrime.
Future obligations for certain institutions
Section 54 of the Act is not yet in operation which mandates that financial institutions and electronic service providers are obligated to report the cybercrimes in Part I of Chapter 2 to the South African Police Service within 72 hours of becoming aware thereof. Furthermore, this section creates an obligation to preserve data or information which may be of assistance to the investigation of the Police.
The Cybercrimes Act has been a work in progress in our law since 2015 and weathered extensive public comments, proposed changes and finalisation. Although there is limited precedent available in terms of South African court decisions relating to cybercrimes, the Act creates vast opportunities for the punishment of various cybercrimes. It is pertinent that all users of computers, electronic devices capable of transmitting or storing date, the internet, or data messages on platforms such as Whatsapp are aware of the new cybercrimes created by the Act in order to act in a lawful manner and to be cognisant of their rights created therein.
Should you require guidance on the legislative framework of cybercrimes and its impact on yourself or your business, as well as any other aspects relating to privacy and security law, please reach out to our team at Spence Attorneys at our Cape Town or Johannesburg branch. (firstname.lastname@example.org ; email@example.com).
Lara Gelderbloem (Candidate Legal Practitioner) and Pamela Orelowitz (Director)
Copyright. This article is for information purposes only and should not be regarded as legal advice. Always seek professional advice. Spence Attorneys will not be held liable under any acts and/or omissions arising from any person in relation to this article.