The beginning of an era: Certain sections of South Africa’s Cybercrimes Act have commenced and here’s what you need to know

There is no denying that rapid technological advancements and the use of various software, applications and data storage mechanisms have changed the way South Africans conduct themselves in business and on a personal level. These often indispensable technologies have exposed South Africans to a significant increase of ever-evolving cybercrime-related incidents which have, until the very recent commencement of certain sections of the Cybercrimes Act 19 of 2020 (Cybercrimes Act), gone without punishment. 

6 Dec 2021 4 min read Technology & Communications Newsletter Article

At a glance

  • The Cybercrimes Act 19 of 2020 commenced on 1 December 2021, addressing the increase in cybercrime incidents in South Africa.
  • The Act criminalizes various cybercrimes, including unlawful access, interception, and interference with data or computer systems, cyber fraud, forgery, uttering, and extortion, as well as malicious communications.
  • The Act grants jurisdiction to South African courts to try offenses committed both within and outside of the country, and provides powers to the South African Police Service (SAPS) for investigation and seizure of articles. The Act also emphasizes the need for capacity-building and training for law enforcement in cybercrime detection and prevention.

Certain sections of the Cybercrimes Act commenced on 1 December 2021 in terms of a proclamation by President Cyril Ramaphosa in Government Gazette No. 45562, dated 30 November 2021. These are:

  • Chapter 1.
  • Chapter 2, with the exclusion of Part VI.
  • Chapter 3.
  • Chapter 4 with the exclusion of sections 38(1)(d), (e) and (f), 40(3) and (4), 41, 42, 43 and 44.
  • Chapter 7.
  • Chapter 8, with the exclusion of section 54.
  • Chapter 9, with the exclusion of sections 11B, 11C, 11D and 56A(3)(c), (d) and (e) of the Criminal Law (Sexual Offences and Related Matters) Amendment Act 32 of 2007, in the Schedule of laws repealed or amended in terms of section 58.

The sections outlined below that are now in effect are of particular importance.

The Cybercrimes Act applies to both natural and juristic persons, and Part I of Chapter 2 makes the following offences punishable on conviction by fine or imprisonment:

  • Unlawfully and intentionally performing an act in respect of such computer system or computer data storage medium which puts any person in a position to access, use, intercept data or interfere with data or a computer program, or computer system or computer data storage system.
  • Unlawful interception of data such as the acquisition, viewing, capturing or copying of data, including the possession of data or the output of data with knowledge that it was intercepted.
  • Unlawful acts in respect of a software or hardware tool, including the use and possession of these in order to access, intercept, or interfere with data or a computer program, or computer data storage medium or computer system, and the unlawful acquisition, possession, provision, receipt or use of password, access code or similar data or device.
  • Cyber fraud, cyber forgery and uttering and cyber extortion.

The Cybercrimes Act also provides that the common law offence of theft should be interpreted to include the theft of incorporeal property and also makes provision for certain aggravated offences in relation to a restricted computer system.

The following malicious communications are criminalised in terms of Part II of Chapter 2:

  • Disclosure of a data message which incites damage to property or violence.
  • Disclosure of a data message which threatens persons with damage to property or violence.
  • Disclosure of a data message of intimate image.

Finally, in terms of Part III of Chapter 2, any person who unlawfully and intentionally attempts, conspires with any other person, or aids, abets, induces, incites, instigates, instructs, commands or procures another person to commit any of the abovementioned offences is guilty of an offence and liable on conviction for the punishment to which a person committing that offence would be liable.

Chapter 3 of the Cybercrimes Act confirms that a court in South Africa has the jurisdiction to try any offence referred to in Part I or II of Chapter 2 under various circumstances, including where the offence was committed outside of South Africa against any citizen or resident of South Africa, or against a restricted computer system, or a company incorporated in South Africa, any body of persons in South Africa, or a government facility, including an embassy, diplomatic or consular premises or any other property of the Republic.

Under Chapter 4, the South African Police Service (SAPS) is granted the powers to investigate, search, access or seize articles under particular circumstances, and the Cabinet member responsible for policing, along with the National Commissioner, National Head of the Directorate, the National Director of Public Prosecutions and the Cabinet member responsible for the administration of justice must, following a process of consultation, within the next 12 months issue standard operating procedures which must be observed by both the SAPS and any other person or agency which is authorised in terms of any other law to investigate any offence.

Although it is currently unclear exactly how the above cybercrimes will be dealt with, under Chapter 8, the Cabinet minister responsible for policing is tasked with establishing and maintaining sufficient human and operational capacity to detect, prevent and investigate cybercrimes, ensuring that members of SAPS receive basic training in aspects relating to the detection, prevention and investigation of cybercrimes and, in co-operation with any institution of higher learning, in South Africa or elsewhere, developing and implementing accredited training programs for members of the SAPS primarily involved with the detection, prevention and investigation of cybercrimes.

It is at this stage unclear when the remaining sections of the Cybercrimes Act will come into operation, which include the following: orders to protect complainants from the harmful effects of malicious communications (sections 20 – 23), the preservation of evidence and matters related thereto (sections 38(1)(d), (e) and (f), 40(3) and (4), 41, 42, 43 and 44), matters relating to mutual assistance (Chapter 5), establishment and functions of a designated point of contact (Chapter 6) and the obligations of electronic communications service providers and financial institutions (section 54).

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us