The Cybercrimes Act, 2020: Be aware of the personal data you hold

The incidence and variety of cybercrimes are proliferating year on year and will continue to do so faster than any legislature is able to promulgate laws that provide for the criminalisation, investigation and prosecution of those crimes. Against this backdrop, President Ramaphosa signed into law the Cybercrimes Act, 2020, on 26 May 2021. This is a significant step for South Africa in its efforts to regulate cyberspace, but certainly not one that will miraculously reduce or remove the increasing challenges of curbing and prosecuting cybercrimes.

While the commencement date of the Cybercrimes Act is yet to be proclaimed and the implications and regulatory effects of the Act are yet to be determined and felt, there are some areas within the Act that have already sparked concern and debate and are likely to be the subject of litigation. Two of these areas relate to the rebuttable presumptions of guilt contained in the provisions criminalising the unlawful interception of electronic data (section 3(3)) and the unlawful acquisition, possession, receipt or use of passwords, access codes or similar data or devices (section 7(2)).

Section 3(3) of the Act, for example, provides that a person will be guilty of an offence if that person is:

  • Found in possession of electronic data of a non-public nature that is reasonably suspected of having been acquired, viewed, captured or copied unlawfully and intentionally within a computer system, or which is transmitted to or from a computer system, so as to make some or all of such data available to a person other than the lawful owner or holder, the sender, the recipient or the intended recipient of that data; and
  • Unable to give a satisfactory exculpatory account of such possession.

Section 7(2) of the Act provides, for example, that a person will be guilty of an offence if that person is:

  • Found in possession of a password, access code or similar data or device (e.g. a secret pin, an access card or biometric data) used for financial transactions or user authentication in order to access or use data, a computer program, a computer data storage medium or a computer system, which password, access code or similar data or device is reasonably suspected of having been acquired, possessed or used for the purposes of unlawfully and intentionally accessing a computer system; intercepting data; interfering with data, a computer program, a computer data storage medium or a computer system; or committing cyber fraud, forgery or uttering; and
  • Unable to give a satisfactory exculpatory account of such possession.

Let’s imagine that your organisation is found in possession of electronic biometric data of former employees, that it has no clear authority to retain and use, and for which your organisation is not able to convincingly explain why and how such possession complies with the requirements of the Protection of Personal Information Act (POPIA). In this scenario, your organisation, its directors and/or employees may be unable to counter any reasonable suspicion held by law enforcement authorities that such possession is unlawful and intentional and, in turn, may be found guilty of an offence in terms of section 3(3) of the Cybercrimes Act, and be liable on conviction to a fine and/or imprisonment.

Similarly, if your organisation is unable to demonstrate why such data is being retained for a lawful purpose and law enforcement authorities hold a reasonable suspicion that such data is being retained for the purpose of unlawfully and intentionally accessing a computer system; intercepting data; interfering with data, a computer program, a computer data storage medium or a computer system; or committing cyber fraud, forgery or uttering, your organisation, its directors and/or employees may be found guilty of an offence in terms of section 7(2) of the Cybercrimes Act and be liable on conviction to a fine and/or imprisonment.

To prevent similar scenarios from materialising within your organisation, careful work should be undertaken to ensure as a minimum that:

  • Clear policies governing the collection, processing and disposal of personal information of data subjects (including digital copies of such information) are in place and properly enforced in line with the requirements of the POPIA (with a clear delineation of roles and responsibilities of employees within the organisation);
  • A full review of all personal information held in any form by your organisation is undertaken on a regular basis to ensure that your organisation only collects, holds and processes that personal information for which it is authorised in law to process;
  • Clear records are kept detailing how, why and for how long such information came to be in the possession of your organisation;
  • All contracts with third-party suppliers of goods and services to your organisation are properly aligned to your organisation’s policies;
  • Effective measures are in place to monitor your organisation’s compliance with its obligations under the POPIA on a regular basis; and
  • All employees are properly trained on their roles and responsibilities in this regard.

Mike Wilter

Mike was admitted as an attorney in 2009 and rose to the level of senior associate at Bowman Gilfillan before being appointed as the Head of the Education Ministry in the Western Cape Government. Mike has been working as a State Law Advisor in the Western Cape Government since 2014 and consults through Caveat Legal on IT law-related issues and as a specialist on education law.
