Legal Intersections between the Protection of Personal Information Act 4 of 2013 (POPIA) and the Cyber Crimes Act 19 of 2020
By Sizwe Snail
The Fourth Industrial Revolution (4IR) describes new ways in which we introduce and use technology in our societies (e.g. the use of cyber systems, artificial intelligence (AI) and nanotechnology). The increased internet activity on social networks, e-governance and commercial services, and the Internet of Things (IoT) has amplified the vulnerability of both citizens and governments to cyber criminals. These offences are currently being regulated by the Electronic Communications and Transactions Act 25 of 2002 (ECT Act). A legal framework has been set out for how different offences will be dealt with and for the sentencing of those offences. Any person who commits cyber-related crimes that are described in the sections below will be found guilty of an offence.
Section 85 of the ECT Act provides that anyone who is not authorised to access data or an information system, becomes aware of such unauthorised access and continues accessing it is guilty of an offence. Section 86(1) provides that hacking, that is, intentionally accessing a data subject’s data or personal information without their consent, is unlawful, and a person who commits such conduct is guilty of an offence. Section 86(2) provides that it is unlawful to intentionally interfere with data in a manner that results in disrupting the data or leads to the data becoming useless and ineffective. Section 86(3) makes it unlawful to obtain, sell, produce or distribute a device that will be used to overcome security measures that were used to protect data.
Section 86(4) provides that it is unlawful to overcome security measures that protect copyright. Section 86(5) provides that it is unlawful to create a partial or total denial of service (denial of service attack). Sections 87, 88 and 89 provide that it is unlawful to commit Cyber Fraud, Cyber Extortion, and Forgery and Uttering. Under the ECT Act, if someone is found to have committed an offence in relation to the above-mentioned sections, the maximum penalty would be a fine (unspecified) or imprisonment of not more than 5 (five) years.
The New Cybercrimes Act
The advent of the COVID-19 Pandemic has brought a new reliance on electronic devices, and therefore crimes related to Cyber Security Vulnerability and Breaches, such as internet fraud, email hacks and having one’s privacy compromised by hackers and other entities, have become commonplace. The spike in cyber crimes has made governments consider adapting existing Cyberlaws to deal with the ongoing metamorphosis to the 4IR. On 28 August 2015, the first Cybercrimes and Cyber Security Bill (2015) was published, and it was amended two years later, in 2017. However, the final Cyber Crimes Bill was introduced in Parliament on 22 February 2020, and was required to go through multiple public participation processes for comment, during which extensive changes were made.
The President of South Africa signed the Cybercrimes Act 19 of 2020 on 1 June 2021. This Act has now established new procedures which specifically cater for investigation, for multinational law enforcement agencies and for fostering multi-agency collaboration. The Cyber Crimes Act has two substantive criminal law segments:
- Part 1 – Cyber crimes, which re-codifies existing crimes and adds new offences;
- Part 2 – Malicious communication crime.
The preamble of the Cyber Crimes Act 19 of 2020 states that its purpose, among other things, is ‘to create offences which have a bearing on Cyber Crime and to prescribe penalties for such crimes’. Section 2 of the Act makes provision for the unlawful securing of access. This section provides that any person who unlawfully and intentionally secures access to data, a computer program, a computer data storage medium or a computer system is guilty of an offence.
Section 3 of the Act regulates the unlawful acquiring of data. Section 4 of the Act states that any person who unlawfully and intentionally overcomes any protection measure which is intended to prevent access to data and acquires data within, or which is transmitted to or from, a computer system is guilty of an offence.
Section 5 of the Cyber Crimes Act makes a person who unlawfully and intentionally interferes with— (a) data; or (b) a computer program, guilty of an offence. Section 6 of the Cyber Crimes Act makes it an offence for any person to unlawfully and intentionally interfere with a computer data storage medium or a computer system. For purposes of this section 2, therefore, to ‘interfere with a computer data storage medium or a computer system’ means to permanently or temporarily —
(a) alter any resource; or
(b) interrupt or impair —
(i) the functioning;
(ii) the confidentiality;
(iii) the integrity; or
(iv) the availability, of a computer data storage medium or a computer system.
Unlawful acquisition, possession, provision, receipt or use of password, access code or similar data or device.
Section 7 of the Cyber Crimes Act further makes it criminal for any person who unlawfully and intentionally— (a) acquires; (b) possesses; (c) provides to another person; or (d) uses, a password, an access code or similar data or device for purposes of contravening cyber fraud, cyber forgery and uttering as well as cyber extortion have likewise been criminalised by sections 8, 9 and 10 of the Cyber Crimes Act. Section 11 of the Act has now introduced ‘aggravated offences’ by anyone who commits an offence referred to in:
(aa) a financial institution; or
(bb) an organ of state as set out in section 239 of the Constitution, including a court; and
(ii) which is protected by security measures against unauthorised access or use.
Any person who commits an offence referred to in section 5(1), 6(1) or 10, and who knows or ought reasonably to have known or suspected that the offence in question will:
(a) endanger the life or cause serious bodily injury to, or the death of, any person, or any number or group of persons;
(b) cause serious risk to the health or safety of the public or any segment of the public; or
(c) create a serious public emergency situation, is guilty of an aggravated offence.
In terms of section 12, the common law offence of theft must be interpreted not to exclude the theft of an incorporeal object. Part 2, dealing with malicious communications, commences with a definition of ‘damage to property’ in section 13, which includes any corporeal and incorporeal property. In terms of the crimes defined in sections 14, 15 and 16, the word ‘disclose’ means to:
(a) send the data message to a person who is the intended recipient of the electronic communication or any other person;
(b) store the data message on an electronic communications network, where the data message can be viewed, copied or downloaded; or
(c) send or otherwise make available to a person, a link to the data message that has been stored on an electronic communication network, where the data message can be viewed, copied or downloaded.
Section 14 specifically criminalises the disclosure, by means of an electronic communications service, of a data message to a person, group of persons or the general public with the intention to incite a number of unlawful violations, such as damaging property that belongs to a person or group of persons. It is important to note that inciting violence against a person or group of persons is encompassed in this provision. It is also unlawful to send a data message which threatens persons with damage to property or violence. Section 15 outlaws the use of an electronic communications service to unlawfully and intentionally disclose a data message which threatens a person with damage to property belonging to that person or a related person, or with violence against that person or a related person.
Furthermore, it is unlawful to send a data message that threatens a group of persons or any person forming part of, or associated with, that group of persons with damage to property belonging to that group of persons or any person. With revenge pornography becoming commonplace, it is important to note the provisions set out in section 16. The Act provides at section 16(1) that any person who unlawfully and intentionally discloses (by means of an electronic communications service) a data message of an intimate image of a person without such a person’s consent is guilty of an offence.
In terms of section 2(b), the image may be real or simulated, and made by any means, in which the person is nude, or the genital organs or their anal region is displayed. The Act specifies that where the person whose image is used is a female person, genital or anal region transgender person or intersex person. The sexual exploitation threshold is passed where a female person’s breasts, whether covered or uncovered, are displayed. The test laid out in sections 2(b)(ii)(aa) – (bb) is that the person whose image is used retains a reasonable expectation of privacy at the time that the data message was made in a manner that violates or offends the sexual integrity or dignity of the person; or amounts to sexual exploitation.
Section 17(a) – (c) provides that any person who unlawfully and intentionally attempts, conspires with any other person, or aids, abets, induces, incites, instigates, instructs, commands or procures another person, to commit an offence set out in terms of Part I or Part II of Chapter 2 of the Act is guilty of an offence and is liable on conviction to the punishment to which a person convicted of actually committing that offence would be liable. Section 18 deals with competent verdicts. Section 18(1) provides that if the evidence in criminal proceedings does not prove the commission of an offence that is charged but proves a contravention of section 17(a) in respect of the offence charged, or in respect of any other offence of which an accused may be convicted on the offence charged, the accused may be found guilty if the offence is proved.
The next important part of criminal proceedings in the context of cybercrimes is the aspect of sentencing. Section 19(1) provides that a contravention of sections 2(1) or (2), 3(3) or 7(2) renders a person liable on conviction to a fine or to imprisonment for a period not exceeding 5 (five) years, or to both a fine and such imprisonment. Section 19(2) provides that any person who contravenes the provisions of sections 3(1) or (2), 4(1), 5(1), 6(1) or 7(1) is liable on conviction to a fine or to imprisonment for a period not exceeding 10 (ten) years or to both a fine and such imprisonment. Section 19(3) provides that any person who contravenes the provisions of section 11(1) is liable on conviction to a fine or to imprisonment for a period not exceeding 15 (fifteen) years or to both a fine and such imprisonment.
Section 19(4) provides that where the court convicts a person of an offence in terms of sections 8, 9(1) or (2), 10 or 11(2), it may (where a penalty is not prescribed in respect of that offence by any other law) impose a sentence (as provided for in section 276 of the Criminal Procedure Act, 1977) which that court considers appropriate and which is within that court’s penal jurisdiction. Section 19(5) provides that where a court imposes any sentence in terms of this section, or where a person is convicted of the offence of theft that was committed or facilitated by electronic means, it must do so having taken certain factors into consideration. The list of factors to be considered includes the following, as set out in section 19(5)(a) – (d):
(a) the fact that the offence was committed by electronic means;
(b) the extent of the prejudice and loss suffered by the complainant or any other person as a result of the commission of such an offence;
(c) the extent to which the person gained financially, or received any favour, benefit, reward, compensation or any other advantage from the commission of the offence; or
(d) the fact that the offence was committed in concert with one or more persons.
Section 19(6)(a) provides that if a person is convicted of any offence provided for in sections 2(1) or (2); 3(1); 5(1); 6(1); 7(1); 8; 9(1) or (2), 10 or 11(1) or (2), a court imposing any sentence in terms of those sections must impose a period of direct imprisonment, with or without a fine, if the offence was committed by the person; or with the collusion or assistance of another person, who as part of their duties, functions or lawful authority were in charge of, in control of, or had access to data, a computer program, a computer data storage medium or a computer system belonging to another person in respect of which the offence in question was committed.
The court must take this route unless substantial and compelling circumstances justify the imposition of another sentence. Section 19(7) provides that any person who contravenes the provisions of sections 14, 15 or 16 is liable on conviction to a fine or to imprisonment for a period not exceeding 3 (three) years or to both a fine and such imprisonment. Section 20(1) provides that a complainant who lays a charge with the South African Police Service (SAPS) that an offence contemplated in section 14, 15 or 16 has allegedly been committed against them, may on an ex parte basis apply to a Magistrate’s Court for a protection order pending the finalisation of the criminal proceedings.
Such an application may be made to prohibit any person from disclosing or further disclosing the data message which relates to the charge; or to order an electronic communications service provider whose electronic communications service is used to host or disclose the data message which relates to the charge, to remove or disable access to the data message. Section 20(2) provides that in determining such an application, the court must consider any additional evidence it deems fit, including oral evidence or evidence by affidavit, which must form part of the record of the proceedings.
In accordance with section 20(3), if the court is satisfied that there is prima facie evidence that an offence referred to in section 14, 15 or 16 has allegedly been committed against the applicant, and that there exist reasonable grounds to believe that a person referred to in subsection (1)(a) disclosed the data message in question, the court may, subject to such conditions as it may deem fit, issue the order referred to in subsection (1). The Act has effectively repealed all the relevant provisions in the ECT Act relating to cybercrime offences. It will consolidate and systemise numerous existing offences relating to cybercrime while also creating a variety of new offences which do not currently exist in South African law. The Act also creates structures such as a 24/7 point of contact to report, investigate and prosecute any cybercrime-related offences. The 24/7 point of contact will operate on a 24 hour, 7 days a week basis.
The Protection of Personal Information Act 4 of 2013 (POPIA) has brought into law new duties on processors of personal information to safeguard personal information and to ensure that processing complies with the 8 (eight) Conditions for Lawful Processing of Personal Information. In terms of section 4 there are 8 (eight) conditions, which can be found in sections 8 to 25 of the POPIA, which is the supreme piece of legislation dealing with data protection. These conditions are as follows: (a) accountability (section 8); (b) processing limitation (sections 9 to 12); (c) purpose specification (sections 13 and 14); (d) further processing limitation (section 15); (e) information quality (section 16); (f) openness (sections 17 and 18); (g) security safeguards (sections 19 to 22); and (h) data subject participation (sections 23 to 25).
The POPIA also regulates fines for infringements of its provisions. The Office of the Presidency has also released a Gazette notice, already signed by the President of the Republic of South Africa, which has already come into force on 1 July 2020 under section 115. The remaining sections (section 110 and 114(4)) will be inaugurated on 30 June 2021. In terms of the POPIA the Information Regulator will now have the ability to sanction serious fines of up to R10 million in the case of a breach of the Conditions for Lawful Processing of Personal Information or a Cyber Security Breach in terms of section 22, which will also be reportable to the affected data subject and the Information Regulator.
The POPIA contains a criminal provision for the event in which one passes on account information without the requisite authority. Whilst the POPIA will regulate personal information and ensure a duty of safeguarding the same by way of technical and organisational means, as well as a duty to identify internal or external security threats and vulnerabilities, the new Cyber Crimes Act will have robust substantive and procedural laws to pursue any cybercriminal offence that infringes on anyone’s personal information or involves theft of incorporeal things. The POPIA will also require any electronic direct marketer to get an ‘opt-in’ consent from the data subject that will allow consumers to ‘opt out’ of electronic direct marketing.
In conclusion, the POPIA and the Cyber Crimes Act will have to work alongside each other to combat cybercrimes while also protecting personal information of data subjects. This collaboration will broaden the South African legislative framework relating to data protection and privacy, and therefore, bring South Africa in line with international standards, while also promoting the right to privacy that is found in section 14 of the Constitution.