
In this episode of the Business Law Focus podcast, Editor Evan Pickworth interviews Janet MacKenzie and Darryl Bernstein, experts from global law firm Baker McKenzie, on the implications of the recently enacted Cybercrimes and Cybersecurity Act. The criminalisation of harmful data messages and the intersection between this act and the Protection of Personal Information Act (POPIA) are explored. The interview also discusses the weak levels of data privacy protection in Africa, with data privacy laws, which govern issues such as data security and breaches, currently present in fewer than half of African countries.


The Context

Global cybersecurity firm Kaspersky recently noted that cyberattacks are set to rise in African countries, especially in the key financial centres of SA, Kenya and Nigeria. The cybersecurity firm noted that rapidly evolving digital techniques had led to an increased risk of advanced persistent threats and hacking-for-hire events in Africa.

Business Day law and tax editor Evan Pickworth. Picture: REBECCA HEARFIELD

In SA, the Cybercrimes and Cybersecurity Act was signed into law by President Cyril Ramaphosa in early June 2021, bringing the country’s cybersecurity legislation in line with global standards. Data security is also governed by the Protection of Personal Information Act. On 1 July 2021, the substantive implementation of key provisions of POPIA became enforceable.

The act compels electronic communications service providers and financial institutions to act when they become aware that their computer systems have been involved in a cyber security breach, as defined by the act. They must, according to the act, report such offences to the SA Police Service within 72 hours of becoming aware of the offence, and preserve any information which may be of assistance in the investigation. Non-compliance with this provision is a criminal offence and huge fines can be imposed.

The Cybercrimes and Cybersecurity Act further criminalises harmful data messages, such as those that invite or threaten violence or damage to property, as well as those that contain intimate images. Data is broadly defined in the act as “electronic representations of information in any form.” The act also criminalises cyber fraud, extortion, forgery and the theft of incorporeal property. Also listed as an offence is the unlawful accessing of a computer system, data storage medium or personal data. Those found guilty of a cybersecurity offence face hefty fines and lengthy prison sentences of up to 15 years.

One of the conditions for lawful processing in terms of POPIA is the use of security safeguards, which prescribe that the integrity and confidentiality of personal information must be secured by a person in control of that information. This is prescribed by POPIA in order to prevent loss, damage or unauthorised access to, or destruction of, personal information.

POPIA also creates a reporting duty on persons responsible for processing personal information, whereby they must report any unlawful access to personal information (a data breach) to the Information Regulator within a reasonable period of time. Like the Cybersecurity Act, POPIA brings SA in line with international data protection laws by regulating the processing of the personal information of natural and juristic persons and placing more onerous obligations on “responsible parties” that process such information.

In terms of POPIA, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party has to notify the Information Regulator, as well as the data subject, unless that person’s identity cannot be established.
