The impact of the Cybercrimes Act on electronic communication and service providers
Provided by Eversheds Sutherland
Eversheds Sutherland represents the coming together of two firms with a shared ethos and commitment to client service excellence. We are known for our business savvy and industry intelligence and for providing innovative and ... more
By Tyron Fourie and Sibulele Siyaya
Topics Criminal Law | Social Media Law | Technology Law
01 Oct 2021
The implementation of the Cybercrimes Act has imposed stringent obligations on electronic communication and service providers (“ECSPs”), and the Cybercrimes Act is of particular importance to ECSPs in ensuring that they are and remain compliant with these obligations in order to avoid accruing any fines or any liability being levied against them or being found guilty of an offence. In addition, failure to comply with these obligations carries reputational and financial implications which could be hugely detrimental to ECSPs.
The Cybercrimes Act broadly defines ECSPs as any person who provides an electronic communications service in terms of an electronic communications service licence, or a person who has lawful authority to control the operation or use of a private electronic communications network used primarily for providing electronic communications services for the owner’s own use.
Several obligations are imposed on ESCPs which include: notifying the South African Police Service (“SAPS”) within 72 hours of being aware or becoming aware that their network or system is being used to commit a cybercrime; reserving, for an unspecified amount of time, any information that could assist the SAPS in investigating a cybercrime; and furnishing a court with certain particulars which may involve the handing over of information or hardware.
Further, ECSPs are obliged to report the unauthorised access of data or personal information within their possession to both the Information Regulator (being the regulatory body established in terms of the Protection of Personal Information Act, 2013 (“POPIA”) and the SAPS and are required to provide reasonably necessary assistance to the SAPS for them to search for, access or seize any data or computer that may be connected with a cybercrime. Failure to adhere to these obligations comes with severe consequences and could lead to the imposition of hefty fines on an ECSP, if found guilty of an offence.
However, it does not appear that ECSPs are obliged to monitor data stored or transmitted on computer systems or networks, or to actively look for unlawful activity on their networks but should, as a precautionary measure, build and adopt appropriate procedures and policies to ensure that they are continuously compliant with reporting obligations.
The Cybercrimes Act and POPIA have several provisions that interact with the other.
Section 19(1) of POPIA requires that an organisation secure the integrity and confidentiality of personal information in its possession or under its control by deploying appropriate, reasonable, technical and organisational measures to prevent the loss of, damage to, or unauthorised destruction of personal information and unlawful access to or processing of personal information.
Section 22 of POPIA, imposes an obligation on a responsible party to report to the Information Regulator any actual or suspected instance where the personal information of a data subject is accessed or acquired by an unauthorised person. Section 54 of the Cybercrimes Act imposes similar reporting obligations on ECSPs who become aware that their electronic communications service or electronic communications network have been involved in the commission of an offence.
The Cybercrimes Act also places compliance obligations on organisations to comply with: (i) the provisions of chapter 3 of POPIA, which specifically deal with the 8 conditions or principles for the lawful processing of personal information; and (ii) section 72 of POPIA, which caters for the transfer of personal information outside the Republic of South Africa and any failure to comply with these provisions, shall be dealt with in accordance with the enforcement provisions contained in chapter 10 of POPIA.
Lots of attention has been given to POPIA since its implementation, but awareness of the Cybercrimes Act, the obligations and responsibilities imposed on ECSPs should also be of paramount importance to their compliance officers. ECSPs should be especially cognisant of the different procedures and time frames to be followed for reporting
- The newly enacted Cybercrimes Act and what it means for South Africans
- Dealing with fraud as a result of identity theft
- Getting compliant with the Protection of Personal Information Act (POPIA)
- Popia compliance – Cyber-attacks, ransomware and data breaches
Tyron Fourie is a partner in the commercial department in Johannesburg. He acts for a range of clients including those in the IT, telecoms, consumer, banking and insurance sectors. His... Read more about Tyron Fourie
Sibulele Siyaya is an Associate in our TMT department at the Bryanston office. He graduated from the University of Johannesburg with an LLB degree in 2015, a Postgraduate Diploma in... Read more about Sibulele Siyaya
Social Media Law articles by Eversheds Sutherland
Social Media Law articles on GoLegal
- Maintaining compliance with the Protection of Personal Information Act – Part 1: Application and Exceptions
- Pointers for becoming famous on social media
- “Add to cart”: Doing business in a COVID-19 world part 3 – Strategies to protect your online brand
- John Cena refuses to cramp Sho Madjozi's creative style