The new draft, set to be tabled before parliament soon, addresses many of the shortcomings of its predecessor. While it has given clarity on a number of questions and criticisms, it too has one or two unclear points.
Cyber terrorism, or terrorism facilitated by digital platforms, was one of the bill’s main selling points to the public, I argued in the initial report. The new draft, however, does not include a section dedicated to terrorism. Rather, the new version of the Cybercrimes and Cybersecurity Bill defines these crimes as an ‘aggravated offence’. It widens the scope for conviction as a result, but whether it would allow for greater legal application remains to be seen. An even stronger feature of the bill is an entire chapter dedicated to “Malicious Communications”.
This chapter looks specifically at incidents such as cyber bullying, revenge porn or incitement to violence: crimes directed at individuals online. It offers various options to victims, including having the malicious content removed via a court order, and penalties imposed upon perpetrators. This can include a fine or prison sentence of up to three years, or both.
But my main concerns with the former draft were mostly about the state’s surveillance capabilities and crackdown on information leaks.
I found a particular clause alarming: “Any person who unlawfully and intentionally possesses; communicates, delivers or makes available; or receives data which is in the possession of the State and is classified as top secret, is guilty of an offence.” This does not appear in the draft.
Here the legal aspect becomes somewhat more complicated in the new draft. According to the bill, it is a crime to “unlawfully and intentionally” acquire (including copying or moving) data within a “computer system” or transfer it to another system. This crime is then also considered an aggravated offence when it involves a financial institution, organ of the state, or Critical Information Infrastructure. Such a person, who could be a hacker or a whistle-blower, could face up to 15 years behind bars.
Importantly, however, cases would have to be considered individually, as this only applies to individuals who obtained the information ‘unlawfully’. Even more importantly, the bill does not define exactly what might be included in the word ‘unlawful’ in a digital landscape. Should the definition amount to the mere absence of consent of the aggrieved party, it could have severe consequences for whistle-blowers in general.
A person who is merely found in possession of the data – for example an investigative reporter – does not commit an aggravated offence. These individuals are only guilty of an offence if they are “unable to give a satisfactory exculpatory account of such possession.” But it is unclear whether the above-mentioned section also applies to the reporter who publishes the leaked information.
But this only applies to a few individuals who often risk a lot to inform the public of transgressions by either the state, private businesses or individuals.
The Deputy Minister of Justice John Jeffery gave assurance during the press briefing that the bill does not extend the state’s surveillance powers – describing it as a ‘misconception’. Assuming that the state already has the capabilities to carry out its functions as outlined in the bill, the question should then perhaps be whether the bill gives further justification for the state to access or intercept data.
While the RICA judge expressed concern over the public perception that agencies or officials sometimes abuse interception methods, the bill criminalises such behaviour. Interception is only allowed upon approval from a judge, which ensures, at least officially, that communications are not monitored indiscriminately.
But the grounds for obtaining permission are somewhat vague. A judge might grant an order if there is enough evidence that a certain number of offences outlined in the bill was or is being committed, or will probably be committed. What the evidence for a probable crime includes could vary and possibly result in unwarranted interception.
Would the state not be able to argue that data is being or could be ‘acquired unlawfully’, thereby stopping a whistle-blower or a reporter, before they are able to reveal the importance of the information being disclosed to the public?
The bill might be intended to protect South Africa and all who live in it, but parliament surely has a responsibility to scrutinize the document and limit the possibilities of abuse before it is sent to Pretoria.
Here is the conclusion of my previous article:
Difficult questions lie ahead for South Africa. Not only the question of security, against cyber criminals and terrorists vs. privacy. But the bill could further ensure various political scandals or even crimes committed by the state never reach the public. All while the state could, hypothetically at least, become the very intruders we wish to be protected from. And not just for civilians, but for others like activists, whistle-blowers, politicians and lawmakers themselves – should they choose to approve it in its current form.