ACT

To create offences which have a bearing on cybercrime; to criminalise the disclosure of data messages which are harmful and to provide for interim protection orders;

to further regulate jurisdiction in respect of cybercrimes; to further regulate the powers to investigate cybercrimes;

to further regulate aspects relating to mutual assistance in respect of the investigation of cybercrimes;

to provide for the establishment of a designated Point of Contact; to further provide for the proof of certain facts by affidavit;

to impose obligations to report cybercrimes;

to provide for capacity building;

to provide that the Executive may enter into agreements with foreign States to promote measures aimed at the detection, prevention, mitigation and investigation of cybercrimes;

to delete and amend provisions of certain laws; and

to provide for matters connected therewith.

PARLIAMENT of the Republic of South Africa therefore enacts, as follows:—

Section 1 | Definitions and interpretation

(1) In this Act, unless the context indicates otherwise—

‘‘article’’ means any—

(a) data,
(b) computer program,
(c) computer data storage medium, or
(d) computer system,

which—

(i) is concerned with, connected with or is, on reasonable grounds, believed to be concerned with or connected with the commission or suspected commission;

(ii) may afford evidence of the commission or suspected commission; or

(iii) is intended to be used or is, on reasonable grounds, believed to be intended to be used in the commission, of—

(aa) an offence in terms of Part I or Part II of Chapter 2; or

(bb) any other offence in terms of the law of the Republic; or

(cc) an offence in a foreign State that is substantially similar to an offence contemplated in Part I or Part II of Chapter 2 or another offence recognised in the Republic;

‘‘computer’’ means any electronic programmable device used, whether by itself or as part of a computer system or any other device or equipment, or any part thereof, to perform predetermined arithmetic, logical, routing, processing or storage operations in accordance with set instructions and includes any data, computer program or computer data storage medium that are related to, connected with or used with such a device;

‘‘computer data storage medium’’ means any device from which data or a computer program is capable of being reproduced or on which data or a computer program is capable of being stored, by a computer system, irrespective of whether the device is physically attached to or connected with a computer system;

‘‘computer program’’ means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function;

‘‘computer system’’ means—

(a) one computer; or

(b) two or more inter-connected or related computers, which allow these inter-connected or related computers to—

(i) exchange data or any other function with each other; or

(ii) exchange data or any other function with another computer or a computer system;

‘‘Constitution’’ means the Constitution of the Republic of South Africa, 1996;

‘‘Criminal Procedure Act, 1977’’ means the Criminal Procedure Act, 1977 (Act No. 51 of 1977);

‘‘Customs and Excise Act, 1964’’ means the Customs and Excise Act, 1964 (Act No. 91 of 1964);

‘‘Customs Control Act, 2014’’ means the Customs Control Act, 2014 (Act No. 31 of 2014);

‘‘data’’ means electronic representations of information in any form;

‘‘data message’’ means data generated, sent, received or stored by electronic means, where any output of the data is in an intelligible form;

‘‘designated judge’’ means a designated judge as defined in section 1 of the Regulation of Interception of Communications and Provision of Communication-related Information Act, 2002;

‘‘designated Point of Contact’’ means the office established or designated in terms of section 52;

‘‘Electronic Communications Act, 2005’’ means the Electronic Communications Act, 2005 (Act No. 36 of 2005);

‘‘electronic communications network’’ means an electronic communications network as defined in section 1 of the Electronic Communications Act, 2005, and includes a computer system;

‘‘electronic communications service’’ means any service which consists wholly or mainly of the conveyance by any means of electronic communications over an electronic communications network, but excludes broadcasting services as defined in section 1 of the Electronic Communications Act, 2005;

‘‘electronic communications service provider’’ means—

(a) any person who provides an electronic communications service to the public, sections of the public, the State, or the subscribers to such service, under and in accordance with an electronic communications service licence issued to that person in terms of the Electronic Communications Act, 2005, or who is deemed to be licenced or exempted from being licenced as such in terms of that Act; and

(b) a person who has lawful authority to control the operation or use of a private electronic communications network used primarily for providing electronic communications services for the owner’s own use and which is exempted from being licensed in terms of the Electronic Communications Act, 2005;

‘‘financial institution’’ means a ‘financial institution’ as defined in section 1 of the Financial Sector Regulation Act, 2017 (Act No. 9 of 2017);

‘‘foreign State’’ means any State other than the Republic;

‘‘Intelligence Services Oversight Act, 1994’’ means the Intelligence Services Oversight Act, 1994 (Act No. 40 of 1994);

‘‘International Co-operation in Criminal Matters Act, 1996’’ means the International Co-operation in Criminal Matters Act, 1996 (Act No. 75 of 1996);

‘‘Justices of the Peace and Commissioners of Oaths Act, 1963’’ means the Justices of the Peace and Commissioners of Oaths Act, 1963 (Act No. 16 of 1963);

‘‘magistrate’’ includes a regional court magistrate;

‘‘Magistrates’ Courts Act, 1944’’ means the Magistrates’ Courts Act, 1944 (Act No. 32 of 1944);

‘‘National Commissioner’’ means the National Commissioner of the South African Police Service, appointed by the President under section 207(1) of the Constitution;

‘‘National Director of Public Prosecutions’’ means the person contemplated in section 179(1)(a) of the Constitution of the Republic of South Africa, 1996 and appointed in terms of section 10 of the National Prosecuting Authority Act, 1998;

‘‘National Environmental Management Act, 1998’’ means the National Environmental Management Act, 1998 (Act No. 107 of 1998);

‘‘National Head of the Directorate’’ means a person appointed in terms of section 17CA(1) of the South African Police Service Act, 1995 (Act No. 68 of 1995);

‘‘National Prosecuting Authority Act, 1998’’ means the National Prosecuting Authority Act, 1998 (Act No. 32 of 1998);

‘‘National Strategic Intelligence Act, 1994’’ means the National Strategic Intelligence Act, 1994 (Act No. 39 of 1994);

‘‘output of a computer program’’ means any—

(a) data or output of the data;

(b) computer program; or

(c) instructions,

generated by a computer program;

‘‘output of data’’ means by having data displayed or in any other manner;

‘‘person’’ means a natural or a juristic person;

‘‘police official’’ means a member of the South African Police Service as defined in section 1 of the South African Police Service Act, 1995;

‘‘Prevention of Organised Crime Act, 1998’’ means the Prevention of Organised Crime Act, 1998 (Act No. 121 of 1998);

‘‘Protection from Harassment Act, 2011’’ means the Protection from Harassment Act, 2011 (Act No. 17 of 2011);

‘‘Protection of Personal Information Act, 2013’’ means the Protection of Personal Information Act, 2013 (Act No. 4 of 2013);

‘‘publicly available data’’ means data which is accessible in the public domain without restriction;

‘‘Regulation of Interception of Communications and Provision of Communication-related Information Act, 2002’’ means the Regulation of Interception of Communications and Provision of Communication-related Information Act, 2002 (Act No. 70 of 2002);

‘‘responsible party’’ means a responsible party as defined in section 1 of the Protection of Personal Information Act, 2013;

‘‘South African Police Service Act, 1995’’ means the South African Police Service Act, 1995 (Act No. 68 of 1995);

‘‘South African Reserve Bank’’ means the South African Reserve Bank, referred to in section 223 of the Constitution, read with the South African Reserve Bank Act, 1989;

‘‘South African Reserve Bank Act, 1989’’ means the South African Reserve Bank Act, 1989 (Act No. 90 of 1989);

‘‘specifically designated police official’’ means a police official of the rank of captain or above referred to in section 33 of the South African Police Service Act, 1995, who has been designated in writing by the National Commissioner and the National Head of the Directorate, respectively, to—

(a) make oral applications for a search warrant or an amendment of a warrant contemplated in section 30;

(b) issue expedited preservation of data directions contemplated in section 41; or

(c) serve or execute an order of the designated judge as contemplated in section 48(10);

‘‘Superior Courts Act, 2013’’ means the Superior Courts Act, 2013 (Act No. 10 of 2013);

‘‘Tax Administration Act, 2011’’ means the Tax Administration Act, 2011 (Act No. 28 of 2011); and

‘‘traffic data’’ means data relating to a communication indicating the communication’s origin, destination, route, format, time, date, size, duration or type, of the underlying service.

(2) For the purposes of section 2, 3(2) or (3), or 7(1) or (2) of this Act, any failure by a responsible party to comply with—

(a) the conditions for lawful processing of personal information referred to in Chapter 3;

(b) section 72; or

(c) the provisions of a code of conduct issued in terms of section 60,

of the Protection of Personal Information Act, 2013, must be dealt with in terms of Chapter 10 of that Act.

Section 2 | Unlawful access

(1) Any person who unlawfully and intentionally performs an act in respect of—

(a) a computer system; or

(b) a computer data storage medium,

which places the person who performed the act or any other person in a position to commit an offence contemplated in subsection (2), section 3(1), 5(1) or 6(1), is guilty of an offence.

(2) (a) Any person who unlawfully and intentionally accesses a computer system or a computer data storage medium, is guilty of an offence.

(b) For purposes of paragraph (a)—

(i) a person accesses a computer data storage medium, if the person—

(aa) uses data or a computer program stored on a computer data storage medium; or

(bb) stores data or a computer program on a computer data storage medium; and

(ii) a person accesses a computer system, if the person—

(aa) uses data or a computer program held in a computer system;

(bb) stores data or a computer program on a computer data storage medium forming part of the computer system; or

(cc) instructs, communicates with, or otherwise uses, the computer system.

(c) For purposes of paragraph (b)—

(i) a person uses a computer program, if the person—

(aa) copies or moves the computer program to a different location in the computer system or computer data storage medium in which it is held or to any other computer data storage medium;

(bb) causes a computer program to perform any function; or

(cc) obtains the output of a computer program; and

(ii) a person uses data, if the person—

(aa) copies or moves the data to a different location in the computer system or computer data storage medium in which it is held or to any other computer data storage medium; or

(bb) obtains the output of data.

Section 3 | Unlawful interception of data

  1. Any person who unlawfully and intentionally intercepts data, including electromagnetic emissions from a computer system carrying such data, within or which is transmitted to or from a computer system, is guilty of an offence.
  2. Any person who unlawfully and intentionally possesses data, with the knowledge that such data was intercepted unlawfully as contemplated in subsection (1), is guilty of an offence.
  3. Any person who is found in possession of data, in regard to which there is a reasonable suspicion that such data was intercepted unlawfully as contemplated in subsection (1) and who is unable to give a satisfactory exculpatory account of such possession, is guilty of an offence.
  4. For purposes of this section ‘‘interception of data’’ means the acquisition, viewing, capturing or copying of data of a non-public nature through the use of a hardware or software tool contemplated in section 4(2) or any other means, so as to make some or all of the data available to a person, other than the lawful owner or holder of the data, the sender or the recipient or the intended recipient of that data and includes the—
    1. examination or inspection of the contents of the data; and
    2. diversion of the data or any part thereof from its intended destination to any other destination.

Section 4 | Unlawful acts in respect of software or hardware tool

  1. Any person who unlawfully and intentionally—
    1. uses; or
    2. possesses,
      any software or hardware tool for purposes of contravening the provisions of section 2(1), 3(1), 5(1), 6(1) or 7(1)(a) or (d), is guilty of an offence.
  2. For purposes of this section ‘‘software or hardware tool’’ means any electronic, mechanical or other instrument, device, equipment, apparatus or a substantial component thereof or a computer program, which is designed or adapted primarily for the purposes to—
    1. access as contemplated in section 2(1);
    2. intercept data as contemplated in section 3(1);
    3. interfere with data or a computer program as contemplated in section 5(1);
    4. interfere with a computer data storage medium or a computer system as contemplated in section 6(1); or
    5. acquire, make available or use a password, access code or similar data or devices as defined in section 7(3).

Section 5 | Unlawful interference with data or computer program

  1. Any person who unlawfully and intentionally interferes with—
    1. data; or
    2. a computer program,
      is guilty of an offence.
  2. For purposes of this section ‘‘interferes with data or a computer program’’ means to permanently or temporarily—
    1. delete data or a computer program;
    2. alter data or a computer program;
    3. render vulnerable, damage or deteriorate data or a computer program;
    4. render data or a computer program meaningless, useless or ineffective;
    5. obstruct, interrupt or interfere with the lawful use of, data or a computer program; or
    6. deny access to data or a computer program,

held in a computer data storage medium or a computer system.

Section 6 | Unlawful interference with computer data storage medium or computer system

  1. Any person who unlawfully and intentionally interferes with a computer data storage medium or a computer system, is guilty of an offence.
  2. For purposes of this section ‘‘interferes with a computer data storage medium or a computer system’’ means to permanently or temporarily—
    1. alter any resource; or
    2. interrupt or impair—
      1. the functioning;
      2. the confidentiality;
      3. the integrity; or
      4. the availability,

of a computer data storage medium or a computer system.

Section 7 | Unlawful acquisition, possession, provision, receipt or use of password, access code or similar data or device

  1. Any person who unlawfully and intentionally—
    1. acquires;
    2. possesses;
    3. provides to another person; or
    4. uses,
      a password, an access code or similar data or device for purposes of contravening the provisions of section 2(1) or (2), 3(1), 5(1), 6(1), 8 or 9(1), is guilty of an offence.
  2. Any person who is found in possession of a password, an access code or similar data or device in regard to which there is a reasonable suspicion that such password, access code or similar data or device—
    1. was acquired;
    2. is possessed;
    3. is to be provided to another person; or
    4. was used or may be used,
      for purposes of contravening the provisions of section 2(1) or (2), 3(1), 5(1), 6(1), 8 or 9(1), and who is unable to give a satisfactory exculpatory account of such possession, is guilty of an offence.
  3. For purposes of this section ‘‘password, access code or similar data or device’’ includes—
    1. a secret code or pin;
    2. an image;
    3. a security token;
    4. an access card;
    5. any device;
    6. biometric data; or
    7. a word or a string of characters or numbers,
      used for financial transactions or user authentication in order to access or use data, a computer program, a computer data storage medium or a computer system.

Section 8 | Cyber fraud

  1. Any person who unlawfully and with the intention to defraud makes a misrepresentation—
    1. by means of data or a computer program; or
    2. through any interference with data or a computer program as contemplated in section 5(2)(a), (b) or (e) or interference with a computer data storage medium or a computer system as contemplated in section 6(2)(a),
      which causes actual or potential prejudice to another person, is guilty of the offence of cyber fraud.

Section 9 | Cyber forgery and uttering

  1. Any person who unlawfully and with the intention to defraud makes—
    1. false data; or
    2. a false computer program,
      to the actual or potential prejudice of another person is guilty of the offence of cyber forgery.
  2. Any person who unlawfully and with the intention to defraud, passes off—
    1. false data; or
    2. a false computer program,
      to the actual or potential prejudice of another person, is guilty of the offence of cyber uttering.