The impact of the Cybercrimes Act on electronic communication

and service providers

In addition, failure to comply with these obligations carries reputational and financial implications which could be hugely detrimental to ECSPs.

The Cybercrimes Act broadly defines ECSPs as any person who provides an electronic communications service in terms of an electronic communications service licence, or a person who has lawful authority to control the operation or use of a private electronic communications network used primarily for providing electronic communications services for the owner’s own use.

Several obligations are imposed on ESCPs which include: notifying the South African Police Service (“SAPS”) within 72 hours of being aware or becoming aware that their network or system is being used to commit a cybercrime; reserving, for an unspecified amount of time, any information that could assist the SAPS in investigating a cybercrime; and furnishing a court with certain particulars which may involve the handing over of information or hardware.

Further, ECSPs are obliged to report the unauthorised access of data or personal information within their possession to both the Information Regulator (being the regulatory body established in terms of the Protection of Personal Information Act, 2013 (“POPIA”) and the SAPS and are required to provide reasonably necessary assistance to the SAPS for them to search for, access or seize any data or computer that may be connected with a cybercrime. Failure to adhere to these obligations comes with severe consequences and could lead to the imposition of hefty fines on an ECSP, if found guilty of an offence.

However, it does not appear that ECSPs are obliged to monitor data stored or transmitted on computer systems or networks, or to actively look for unlawful activity on their networks but should, as a precautionary measure, build and adopt appropriate procedures and policies to ensure that they are continuously compliant with reporting obligations.

The Cybercrimes Act and POPIA have several provisions that interact with the other.

Section 19(1) of POPIA requires that an organisation secure the integrity and confidentiality of personal information in its possession or under its control by deploying appropriate, reasonable, technical and organisational measures to prevent the loss of, damage to, or unauthorised destruction of personal information and unlawful access to or processing of personal information.

Section 22 of POPIA, imposes an obligation on a responsible party to report to the Information Regulator any actual or suspected instance where the personal information of a data subject is accessed or acquired by an unauthorised person. Section 54 of the Cybercrimes Act imposes similar reporting obligations on ECSPs who become aware that their electronic communications service or electronic communications network have been involved in the commission of an offence.

The Cybercrimes Act also places compliance obligations on organisations to comply with: (i) the provisions of chapter 3 of POPIA, which specifically deal with the 8 conditions or principles for the lawful processing of personal information; and (ii) section 72 of POPIA, which caters for the transfer of personal information outside the Republic of South Africa and any failure to comply with these provisions, shall be dealt with in accordance with the enforcement provisions contained in chapter 10 of POPIA.

Lots of attention has been given to POPIA since its implementation, but awareness of the Cybercrimes Act, the obligations and responsibilities imposed on ECSPs should also be of paramount importance to their compliance officers. ECSPs should be especially cognisant of the different procedures and time frames to be followed for reporting