South Africa’s cybercrimes Bill: Electronic communications service providers and financial institutions now have a reporting obligation

South Africa’s cybercrimes bill passed by both Houses and awaits presidential signature
Dec.05.2020 18:47 GMT

The Bill was introduced to National Assembly in 2017, and throughout the years, it was revised and amended by different institutions. (See the legislative process of the Bill)[1].
The Bill splits the offences into Cyber crimes such as Unlawful interception of data , cyber fraud and extortion and Malicious communications such as non-consensual disclosure of intimate images and data messages which incite damage or threaten persons with damage to property or violence.

What should you know

Under the Bill, the complainant of malicious communications can apply for a protection order pending the finalization of the criminal proceedings to prohibit any person to disclose the data message or to order to disable access to the data message.
Also, the Bill puts an obligation on electronic communications service providers and financial institutions to report immediately to the Police as soon as they become aware that their service is involved in the commission of any offence referred to in the Bill, as well as the obligation to preserve any information which may be of assistance to the Police Service in investigating the offence.
Failure to comply with the reporting obligation results according to section 54 (3) to a fine not exceeding R50 000. However, Section 54(4) specifies that the reporting obligation must not be interpreted as an obligation to impose on an electronic service provider or financial institution to monitor data; nor must it actively seek facts or circumstances indicating any unlawful activity.
The Bill sets out a system of graduated sanctions, as discussed hereinafter.

The Bill’s penalties

Cyber Crimes

- Fine or 5 years imprisonment or both: unlawful possession of data.
- Fine or 10 years imprisonment or both: unlawful interception and interference of data.
- Fine or 15 years imprisonment or both: unlawful interception or interference of data in a restricted computer system ( used by a financial institution or an organ of the state which is qualified as an aggravated offence).
However, when it comes to cyber fraud, forgery, uttering and extortion the section 276 of the Criminal Procedure Act applies but only if no penalty is prescribed for the offence in any other law.

Malicious communciations

In regard of Malicious communciations the Bill sentences the convict to a fine or to imprisonment for a period not exceeding three years or to both a fine and imprisonment.

Responsibility of electronic communications service providers

An electronic communications service provider whose electronic communications service is used to host or disclose the data message which relates to the charge, is liable on conviction to a fine or to imprisonment for a period not exceeding two years or to both, in the following cases:
- fails to comply with an order to remove or disable access to the data message
- fails to attend meetings or to provide any book, document or object, related to the offence
- fails to furnish the required information
- makes a false statement

link to South Africa Cybercrimes Bill 2020 - PDF
Notes :
🏷️ #2020, #FinancialInstitutions, #Southafrica, #Cybercrimes, #serviceprovider, #Bill