Certain sections of the Cybercrimes Act commenced on 1 December 2021 in terms of a proclamation by President Cyril Ramaphosa in Government Gazette No. 45562, dated 30 November 2021. These are:
- Chapter 1.
- Chapter 2, with the exclusion of Part VI.
- Chapter 3.
- Chapter 4 with the exclusion of sections 38(1)(d), (e) and (f), 40(3) and (4), 41, 42, 43 and 44.
- Chapter 7.
- Chapter 8, with the exclusion of section 54.
- Chapter 9, with the exclusion of sections 11B, 11C, 11D and 56A(3)(c), (d) and (e) of the Criminal Law (Sexual Offences and Related Matters) Amendment Act 32 of 2007, in the Schedule of laws repealed or amended in terms of section 58.
The sections outlined below that are now in effect are of particular importance.
The Cybercrimes Act applies to both natural and juristic persons, and Part I of Chapter 2 makes the following offences punishable on conviction by fine or imprisonment:
- Unlawfully and intentionally performing an act in respect of such computer system or computer data storage medium which puts any person in a position to access, use, intercept data or interfere with data or a computer program, or computer system or computer data storage system.
- Unlawful interception of data such as the acquisition, viewing, capturing or copying of data, including the possession of data or the output of data with knowledge that it was intercepted.
- Unlawful acts in respect of a software or hardware tool, including the use and possession of these in order to access, intercept, or interfere with data or a computer program, or computer data storage medium or computer system, and the unlawful acquisition, possession, provision, receipt or use of password, access code or similar data or device.
- Cyber fraud, cyber forgery and uttering and cyber extortion.
The Cybercrimes Act also provides that the common law offence of theft should be interpreted to include the theft of incorporeal property and also makes provision for certain aggravated offences in relation to a restricted computer system.
The following malicious communications are criminalised in terms of Part II of Chapter 2:
- Disclosure of a data message which incites damage to property or violence.
- Disclosure of a data message which threatens persons with damage to property or violence.
- Disclosure of a data message of intimate image.
Finally, in terms of Part III of Chapter 2, any person who unlawfully and intentionally attempts, conspires with any other person, or aids, abets, induces, incites, instigates, instructs, commands or procures another person to commit any of the abovementioned offences is guilty of an offence and liable on conviction for the punishment to which a person committing that offence would be liable.
Chapter 3 of the Cybercrimes Act confirms that a court in South Africa has the jurisdiction to try any offence referred to in Part I or II of Chapter 2 under various circumstances, including where the offence was committed outside of South Africa against any citizen or resident of South Africa, or against a restricted computer system, or a company incorporated in South Africa, any body of persons in South Africa, or a government facility, including an embassy, diplomatic or consular premises or any other property of the Republic.
Under Chapter 4, the South African Police Service (SAPS) is granted the powers to investigate, search, access or seize articles under particular circumstances, and the Cabinet member responsible for policing, along with the National Commissioner, National Head of the Directorate, the National Director of Public Prosecutions and the Cabinet member responsible for the administration of justice must, following a process of consultation, within the next 12 months issue standard operating procedures which must be observed by both the SAPS and any other person or agency which is authorised in terms of any other law to investigate any offence.
Although it is currently unclear exactly how the above cybercrimes will be dealt with, under Chapter 8, the Cabinet minister responsible for policing is tasked with establishing and maintaining sufficient human and operational capacity to detect, prevent and investigate cybercrimes, ensuring that members of SAPS receive basic training in aspects relating to the detection, prevention and investigation of cybercrimes and, in co-operation with any institution of higher learning, in South Africa or elsewhere, developing and implementing accredited training programs for members of the SAPS primarily involved with the detection, prevention and investigation of cybercrimes.
It is at this stage unclear when the remaining sections of the Cybercrimes Act will come into operation, which include the following: orders to protect complainants from the harmful effects of malicious communications (sections 20 – 23), the preservation of evidence and matters related thereto (sections 38(1)(d), (e) and (f), 40(3) and (4), 41, 42, 43 and 44), matters relating to mutual assistance (Chapter 5), establishment and functions of a designated point of contact (Chapter 6) and the obligations of electronic communications service providers and financial institutions (section 54).