The Cybercrimes Act 19 of 2020 (“the Act”) has become law, creating a number of new offences relating to the use of computers, data and the internet. The date of commencement of the Act is yet to be announced.
Offences and penalties
The Act creates offences and imposes penalties for the following:
- unlawful and intentional access to computer systems (hacking);
- unlawful interception of data – any unlawful and intentional acquisition, viewing, capturing, or copying of data of a non-public nature using a hardware or software tool;
- unlawful and intentional interference with data and data storage mediums or computer systems, by deleting or altering data or a computer program;
- unlawful and intentional acquisition, possession, provision, receipt or use of a password, access code or similar data or device;
- cyber fraud – any person who unlawfully and with the intention to defraud makes a misrepresentation by means of data or computer program, which causes actual or potential prejudice to another person;
- cyber forgery and uttering – any person who unlawfully and with the intention to defraud makes false data or false computer program, which causes actual or potential prejudice to another person.
Malicious and harmful communication is criminalised:
- In terms of section 14 of the Act, any electronic communication or a data message which is sent to a person, a group of persons, or the general public with the intention to incite damage to property belonging to or violence against a person or a group of persons.
- In terms of section 15 of the Act, data message which threatens persons or a group of persons with damage to property belonging to or violence against a person or a group of persons.
- In terms of section 16 of the Act, any person(“A”) who unlawfully and intentionally discloses, by means of an electronic communication services, a data message of an intimate image of a person(“B”), without the consent of person (“B”), is guilty of an offence.
The criminalisation of malicious communication will have a significant impact on individual computer users. Using email, WhatsApp or on any social media platform to send a text message that is inciteful, harmful, threatening or which discloses intimate images of a person without their consent can now result in a fine or imprisonment or both.
A person harmed (the complainant) can lay a charge with the South African Police Services that an offence in terms of the Act has been committed against them. The complainant may also apply to the Magistrates’ Court for a protection order, to prohibit any person to disclose the data message which relates to the charge, pending the finalisation of the criminal proceedings in the prescribed form and manner.
Obligation on electronic service provider and financial institution to report cybercrimes
The Act imposes obligations on electronic service providers and financial institutions who are aware or become aware that its electronic communications service or electronic communication network is involved in the commission of any cybercrime or malicious communication must, not later than 72 hours after becoming aware of the suspected offence, report the offence in the prescribed form and manner to the South African Police Service. Electronic communications services providers or financial institutions who fail to report any cybercrime or malicious communication will be guilty of an offence and liable on conviction for a fine of up to R 50 000.00.
Electronic service providers and financial institutions will have to preserve and provide any information which may be of assistance to the South African Police Service for investigating the office. Electronic service providers and financial institutions will have to acquaint themselves with the Act and create policies that comply with the Act.
The Act applies to both natural persons and juristic persons. Under section 19 of the Act any person who commits an offence under the Act or commits any of the abovementioned cybercrimes is liable on conviction for a fine or imprisonment for a period of up to 15 years or both.
Individual computer users and companies should acquaint themselves with the Act and be mindful and careful on how they deal with communication and data in business and everyday life.